Vulnerability Assessment Patents (Class 726/25)
-
Patent number: 11930046
Abstract: A system is provided for determining vulnerability metrics for graph-based configuration security. During operation, the system generates a multi-layer graph for a system with a plurality of interconnected components. The system determines, based on the multi-layer subgraph, a model for a multi-step attack on the system by: calculating, based on a first set of variables and a first set of tunable parameters, a likelihood of exploiting a vulnerability in the system; and calculating, based on a second set of variables and a second set of tunable parameters, an exposure factor indicating an impact of exploiting a vulnerability on the utility of an associated component. The system determines, based on the model, a set of attack paths that can be used in the multi-step attack and recommends a configuration change in the system, thereby facilitating optimization of system security to mitigate attacks on the system while preserving system functionality.
Type: Grant
Filed: June 17, 2021
Date of Patent: March 12, 2024
Assignee: Xerox Corporation
Inventors: Massimiliano Albanese, Marc E. Mosko
-
Patent number: 11928219
Abstract: A level of classification for each piece of data of one or more pieces of data is determined. A layer of encryption for each piece of data of the one or more pieces of data is determined. A type of encryption for each piece of data of the one or more pieces of data is determined. Other mechanisms applied to each piece of data of the one or more pieces of data are determined. A first constant for the layer of encryption, a second constant for the type of encryption, and a third constant for the other mechanisms applied are determined. A risk factor for each piece of data of the one or more pieces of data is determined.
Type: Grant
Filed: June 16, 2021
Date of Patent: March 12, 2024
Assignee: International Business Machines Corporation
Inventors: Rinkesh I. Bansal, Mahesh Shivram Paradkar, Raghuraman Seshadri, Nagendra Ramamurthy Pattavardhanam
-
Patent number: 11921861
Abstract: Methods, systems, and computer program products for providing the status of model extraction in the presence of colluding users are provided herein. A computer-implemented method includes generating, for each of multiple users, a summary of user input to a machine learning model; comparing the generated summaries to boundaries of multiple feature classes within an input space of the machine learning model; computing correspondence metrics based at least in part on the comparisons; identifying, based at least in part on the computed metrics, one or more of the multiple users as candidates for extracting portions of the machine learning model in an adversarial manner; and generating and outputting an alert, based on the identified users, to an entity related to the machine learning model.
Type: Grant
Filed: May 21, 2018
Date of Patent: March 5, 2024
Assignee: International Business Machines Corporation
Inventors: Manish Kesarwani, Vijay Arya, Sameep Mehta
-
Patent number: 11924239
Abstract: Systems, computer-implemented methods, and computer program products that facilitate vulnerability and attack technique association are provided. According to an embodiment, a system can comprise a memory that stores computer executable components and a processor that executes the computer executable components stored in the memory. The computer executable components can comprise a map component that defines mappings between vulnerability data representing a vulnerability of a computing resource and attack data representing at least one attack technique. The computer executable components can further comprise an estimation component that analyzes the mappings to estimate a probability that the vulnerability will be exploited to attack the computing resource.
Type: Grant
Filed: October 23, 2020
Date of Patent: March 5, 2024
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Lilian Mathias Ngweta, Steven Ocepek, Constantin Mircea Adam, Sai Zeng, Muhammed Fatih Bulut, Milton H. Hernandez
-
Patent number: 11922375
Abstract: Systems and techniques for providing security data points from an electronic message are presented. A system can determine a first internet protocol (IP) address of a computing device in response to a user of the computing device opening an email sent to an email address corresponding to a particular electronic account of the user, the email comprising an IP address tracking mechanism. The system can also compare the first IP address with one or more second IP addresses corresponding to one or more electronic accesses of the particular electronic account. Furthermore, the system can determine if an account access anomaly exists in regard to the particular electronic account based on a result of the comparing. The system can also implement a security measure impacting an ability of the particular electronic account to conduct one or more transactions in response to the account access anomaly existing for the particular electronic account.
Type: Grant
Filed: October 30, 2021
Date of Patent: March 5, 2024
Assignee: PayPal, Inc.
Inventor: George Chen Kaidi
-
Patent number: 11924646
Abstract: The disclosure describes systems and techniques for assessing risk of an open Wi-Fi network, at a consumer's request, before the consumer performs a transaction. The system receives a Wi-Fi network risk assessment request associated with a Wi-Fi network connection of a mobile device. Upon receiving the request, the system retrieves connection-related data from the mobile device. The connection-related data is associated with the Wi-Fi network connection. The system performs a Wi-Fi risk assessment of the Wi-Fi network connection. The system transmits a result of the risk assessment to the mobile device for presentation on the mobile device. The system also transmits the result of the risk assessment to an issuer server. The issuer server is associated with a payment account of the consumer. Moreover, the system transmits a step-up authentication alert to the issuer server.
Type: Grant
Filed: December 31, 2021
Date of Patent: March 5, 2024
Assignee: Mastercard International Incorporated
Inventors: Sachin Kumar Singh, Kaushal Naveen Shetty, Venkata Satya Sivajee Pinnamaneni
-
Patent number: 11924241
Abstract: Systems, methods, and apparatus related to network security. In one approach, various endpoint devices communicate with a network gateway and/or API mode CASB over one or more networks. All communications by the endpoint devices with remote servers and clouds pass through the network gateway (and/or by cloud service access when using an API mode CASB). The gateway and/or CASB gathers metadata from the endpoint devices and/or network devices. The metadata indicates characteristics of the communications by the endpoint devices on the networks and/or processes running on the endpoint devices. The gateway and/or CASB identifies security risks using at least the metadata, and in response dynamically performs remediation actions for one or more of the networks in real-time to limit or block propagation of a cyber attack associated with one or more of the identified security risks.
Type: Grant
Filed: September 26, 2023
Date of Patent: March 5, 2024
Assignee: Lookout, Inc.
Inventors: Meenakshi Sundaram Lakshmanan, Balaji Prasad, Brian James Buck, Tyler S. Croak
-
Patent number: 11916895
Abstract: A network-connected device service receives a request to authenticate a network-connected device. The network-connected device service determines, from a digital certificate identified in the request, a set of parameters of the digital certificate. The network-connected device service utilizes the set of parameters to identify, from a set of digital certificate clusters, a digital certificate cluster associated with the set of parameters. Through an audit of the digital certificate clusters, the network-connected device service determines whether the digital certificate cluster is indicative of the digital certificate being anomalous.
Type: Grant
Filed: November 1, 2018
Date of Patent: February 27, 2024
Assignee: Amazon Technologies, Inc.
Inventor: Nima Sharifi Mehr
-
Patent number: 11916954
Abstract: An indication is received that a first online platform has undergone/is undergoing a first electronic attack made by one or more actors engaged in online malicious actions with the first online platform. Responsive to the indication of the first electronic attack, one or more vulnerability characteristics of the first online platform are determined, where the vulnerability characteristics are associated with the first electronic attack. A plurality of other online platforms are analyzed to identify a second online platform that shares at least one of the vulnerability characteristics with the first online platform. Based on the determining and/or the analyzing, the second online platform is predicted to be a potential target for a second electronic attack having an attack vector in common with the first electronic attack that corresponds to the shared vulnerability characteristics. An action is performed to mitigate potential damage of the second electronic attack.
Type: Grant
Filed: November 16, 2021
Date of Patent: February 27, 2024
Assignee: PAYPAL, INC.
Inventors: Yuri Shafet, Bradley Wardman, Ilya Chernyakov
-
Patent number: 11916953
Abstract: A method of generating a baseline of expected behavior on a single machine or endpoint to accurately fingerprint the native behavior of the NTLM protocol on that particular endpoint in a network. By limiting the scope of a baseline to a single endpoint, the scope of the baseline can consist of expected behavior (including supported hash functions, version strings and various feature flags). Deviations from these behaviors are considered evidence of a redundant implementation of NTLM utilized by an attacker and thus as evidence of an attempted PTH attack. Using this method it is possible to accurately detect PTH attacks originating from all publicly known non-standard implementations of NTLM existing in tools such as Impacket, Metasploit, and Invoke-TheHash.
Type: Grant
Filed: September 23, 2019
Date of Patent: February 27, 2024
Assignee: Cybereason, Inc.
Inventor: Phillip Tsukerman
-
Patent number: 11899812
Abstract: A system, method and program product for implementing a compound security platform for providing secure access to private data in an encrypted storage area. A disclosed system includes an application configured to receive queries from application users requiring access to encrypted private data; a middle security layer callable from the application to facilitate predefined access to the encrypted private data; a root security layer configured to receive a decryption request from the middle security layer, perform decryption on specified encrypted private data, and return decrypted data to the middleware layer; a hashing system that generates a content hash of the middle security layer and root security layer to ensure integrity of the middle security layer and root security layer; and an auditing detection system that detects malicious auditing of parameters.
Type: Grant
Filed: June 10, 2021
Date of Patent: February 13, 2024
Assignee: JJD SOFTWARE LLC
Inventor: Justin Donohoe
-
Patent number: 11902269
Abstract: In some embodiments, reducing network traffic related to network operations may be facilitated. In some embodiments, information for an operation comprising a message to authenticate the operation may be received from a client device. A machine learning model trained on information regarding a plurality of historical operations and corresponding execution results may be obtained, where the plurality of historical operations were executed on a client device of a same type as the client device. Using the machine learning model, the information for the operation may be processed to predict an execution result for authenticating the operation. The execution result may be transmitted to the client device to prevent execution of the operation in response to the execution result indicating that authenticating the operation will be unsuccessful.
Type: Grant
Filed: November 4, 2022
Date of Patent: February 13, 2024
Assignee: Capital One Services, LLC
Inventors: Sunil Pradhan Sharma, Ravikanth Kompella, Rajendra Prasad Mokshagundam
-
Patent number: 11902312
Abstract: A method, apparatus and product for assessing security threats from lateral movements and mitigation thereof. The method comprising statically analyzing the network to determine for each asset of a list of assets in a network, potential network lateral movements therefrom to other assets; dynamically analyzing the network to validate each potential network lateral movement identified by the static analysis; generating a graph of network lateral movements, wherein the graph comprises nodes and directed edges, wherein a node of the graph represents an asset of the list of assets, wherein a direct edge of the graph connecting a source node to a target node represents a validated network lateral movement from a source asset, represented by the source node, to a target asset, represented by the target node; and utilizing the graph of network lateral movements to assess security risk to the network.
Type: Grant
Filed: November 1, 2019
Date of Patent: February 13, 2024
Assignee: CYMULATE LTD.
Inventors: Avihai Ben-Yosef, Shmuel Ur
-
Patent number: 11902294
Abstract: A system, method, and computer-readable medium are disclosed for performing a security operation. The security operation includes: monitoring an entity, the monitoring observing at least one electronically-observable data source; deriving an observable based upon the monitoring of the electronically-observable data source; associating a human factor with the entity; identifying an event of analytic utility, the event of analytic utility being derived from the observable from the electronic data source; analyzing the event of analytic utility, the analyzing the event of analytic utility taking into account the human factor associated with the entity enacting the event of analytic utility; generating a risk score in response to the analyzing, the risk score taking into account the human factor associated with the entity; and, performing the security operation when the risk score meets a security risk parameter.
Type: Grant
Filed: December 31, 2020
Date of Patent: February 13, 2024
Assignee: Forcepoint LLC
Inventors: Raffael Marty, Nicolas Christian Fischbach
-
Patent number: 11902314
Abstract: A device may receive security data identifying assets of an entity, security issues associated with the assets, and objectives associated with the assets and may utilize a data model to generate, based on the security data, asset related data identifying mapped sets of security data. The device may process a first portion of the asset related data, with a first model, to calculate an asset risk likelihood score for an asset of the assets and may process a second portion of the asset related data, with a second model, to calculate an asset criticality score for the asset. The device may process a third portion of the asset related data, with a third model, to calculate an asset control effectiveness score for the asset and may combine the scores to generate a security risk score for the asset. The device may provide the security risk score for display.
Type: Grant
Filed: August 3, 2021
Date of Patent: February 13, 2024
Assignee: Accenture Global Solutions Limited
Inventors: Md. Faisal Zaman, Andrew Poole, Gaurav Shivhare, Sneha Shinde, Grant Kevin Harris, Jeffrey Mark Recor
-
Patent number: 11899788
Abstract: A system dividing unit (110) divides a target system into a plurality of sub-systems. A root system selection unit (122) selects a sub-system in which a threat on security occurs, as a root system from among the plurality of sub-systems. A root tree generation unit (131) generates an attack tree of the root system, as a root tree. A descendant system selection unit (132) selects one sub-system or more located on an intrusion course to the root system, as one descendant system or more from among the plurality of sub-systems. A descendant tree generation unit (133) generates one attack tree or more corresponding to the one descendant system or more, as one descendant tree or more. A sub-attack tree integration unit (140) integrates the root tree and the one descendant tree or more, to thereby generate an attack tree of the target system.
Type: Grant
Filed: April 29, 2021
Date of Patent: February 13, 2024
Assignee: MITSUBISHI ELECTRIC CORPORATION
Inventors: Ryosuke Shimabe, Takeshi Asai, Kiyoto Kawauchi
-
Patent number: 11895144
Abstract: Disclosed are implementations, including a method that includes monitoring dataflow streams in a network comprising multiple computing nodes, and determining network security characteristics for a dataflow stream, from the monitored dataflow streams, relating to security, authentication, and access events for accessing, via the dataflow stream, one or more of the multiple nodes. The method further includes determining potential violations by the dataflow stream of security policies defined for operation of the network, access functionality for the network, or identity attributes used by the network, based, at least in part, on the determined network security characteristics for the dataflow stream, and based on network-operation data comprising one or more of network security data, network identity data, and network access data. The network-operation data is stored in one or more data storage units in the network, and is configured to manage network access and operation for the multiple computing nodes.
Type: Grant
Filed: May 21, 2021
Date of Patent: February 6, 2024
Assignee: AUTHMIND INC.
Inventors: Shlomo Yanay, Ankur Panchbudhe
-
Patent number: 11895178
Abstract: An operating method of a server to provide an advertisement, which includes: receiving HTTP request from a client; acquiring HTTP response to the HTTP request, which includes first advertisement information; amending the HTTP response, including obfuscating at least a partial field of the HTTP response including the first advertisement information; and transferring the amended HTTP response to the client.
Type: Grant
Filed: March 23, 2022
Date of Patent: February 6, 2024
Assignee: Adshield, Inc.
Inventor: Sang Hyeon Jeon
-
Patent number: 11895143
Abstract: Systems, methods, and software described herein provide action recommendations to administrators of a computing environment based on effectiveness of previously implemented actions. In one example, an advisement system identifies a security incident for an asset in the computing environment, and obtains enrichment information for the incident. Based on the enrichment information a rule set and associated recommended security actions are identified for the incident. Once the recommended security actions are identified, a subset of the action recommendations are organized based on previous action implementations in the computing environment, and the subset is provided to an administrator for selection.
Type: Grant
Filed: May 20, 2021
Date of Patent: February 6, 2024
Assignee: Splunk Inc.
Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas
-
Patent number: 11895107
Abstract: A computing device comprising a secure browser extension for a web browser monitors for satisfaction of one or more operating conditions to identify whether one or more unauthorized applications are intercepting web browser communications. Based on satisfaction of at least one operating condition, the secure browser extension of the computing device sends an HTTPS request to a known service via the web browser. The secure browser extension receives an HTTPS response to the HTTPS request via the web browser. The secure browser extension determines whether the certificate included in the HTTPS response is trusted by the secure browser extension. Based on determining the certificate is not trusted, the secure browser extension terminates the web browser session and generates a notification for display at the computing device that indicates web browser communications are compromised.
Type: Grant
Filed: December 20, 2022
Date of Patent: February 6, 2024
Assignee: Bank of America Corporation
Inventors: Andrew Paul Montgomery, Sanjay Bhanu, Stuart David Ford, Ricardo Varanda
-
Patent number: 11893110
Abstract: An attack estimation device includes a storage unit configured to hold an attack tree, an abstract attack tree, and log check management information, and a prediction unit configured to predict, when a detection alert is received, a range of compromise from the attack by referring to the information in the storage unit. The prediction unit is configured to: determine that an attack of an unknown pattern has occurred as the attack when indicators of compromise that correspond to the attack are not successfully identified; identify an abstract attack name by referring to the abstract attack tree; and predict a range of compromise from the attack of an unknown pattern by identifying a device in which indicators of the attack of an unknown pattern are likely to be left, and by identifying a specific place in the log of the identified device, by referring to the log check management information.
Type: Grant
Filed: July 27, 2021
Date of Patent: February 6, 2024
Assignee: Mitsubishi Electric Corporation
Inventors: Hisashi Naito, Kiyoto Kawauchi
-
Patent number: 11895141
Abstract: An apparatus and method for analyzing organizational digital security are described. The apparatus includes at least a processor and a memory communicatively coupled to the at least a processor. The memory includes instructions configuring the at least a processor to receive organizational data associated with a plurality of organizational resources for an organization, analyze the organizational data, determine an integrity indicator based on the surveying of the organizational data, and generate a continuity indicator as a function of the integrity indicator.
Type: Grant
Filed: December 1, 2022
Date of Patent: February 6, 2024
Inventors: Reuben Vandeventer, David Imrem
-
Patent number: 11888887
Abstract: Systems and methods for computing times to remediate for asset vulnerabilities are described herein. In an embodiment, a server computer receives first vulnerability data for a plurality of entities identifying asset vulnerabilities and timing data corresponding to the vulnerability data indicating an amount of time between identification of an asset vulnerability and a result of the asset vulnerability. The server computer identifies a strict subset of the first vulnerability data that belongs to a particular category of a first plurality of categories. The server computer receives second vulnerability data for a particular entity identifying asset vulnerabilities. The server computer identifies a strict subset of the second vulnerability data that belongs to the particular category. Based, at least in part, on the strict subset of the first vulnerability data, the server computer computes a time to remediate the asset vulnerabilities in the strict subset of the second vulnerability data.
Type: Grant
Filed: April 27, 2021
Date of Patent: January 30, 2024
Inventors: Michael Roytman, Edward T. Bellis, Jason Rolleston
-
Patent number: 11886572
Abstract: Upgrade to a Trusted Application in a Trusted Execution Environment compliant to a Trusted Execution Environment standard to an as-a-server functioning by running, inside the Trusted Execution Environment, each instance of a Multi Instance/Single Session Trusted-Server Trusted Application compliant to the TEE standard in an infinite state-full loop polling a session of a Single Instance/Multi Session Trusted-Pipe Trusted Application, the single session of each of the instance of the Trusted-Server Trusted Application being adapted to perform a task as a server, said Trusted-Pipe Trusted Application being further polled by the Customer Application and opening session depending on command coming from the Customer Application.
Type: Grant
Filed: September 17, 2019
Date of Patent: January 30, 2024
Assignee: THALES DIS FRANCE SAS
Inventor: Geoffroy Cogniaux
-
Patent number: 11887704
Abstract: A computer-implemented method provides a requested medical data record to a receiving entity. The method includes receiving a set of medical data records and receiving or initiating a joint data index and, for each medical data record of the set, applying a plurality of hash functions to a patient identifier corresponding to the medical data record to determine a hash vector, the patient identifier corresponding to the medical data record identifying the patient being subject of the medical data record, and updating the joint data index based on the hash vector. Furthermore, it includes providing the joint data index to the receiving entity and receiving a request for a record, corresponding to a request patient identifier and being based on the joint data index, from the receiving entity. The method includes providing the requested medical data record to the receiving entity via a secure communication channel.
Type: Grant
Filed: September 14, 2020
Date of Patent: January 30, 2024
Assignee: SIEMENS HEALTHCARE GMBH
Inventors: Ricardo Daniel Carneiro Gomes, Shiva Ashish Thumparthy, Ilya Sher, Zeev Glozman, Christoph Pedain
-
Patent number: 11888858
Abstract: Various aspects of methods, systems, and use cases for verification and attestation of operations in an edge computing environment are described, based on use of a trust calculus and established definitions of trustworthiness properties. In an example, an edge computing verification node is configured to: obtain a trust representation, corresponding to an edge computing feature, that is defined with a trust calculus and provided in a data definition language; receive, from an edge computing node, compute results and attestation evidence from the edge computing feature; attempt validation of the attestation evidence based on attestation properties defined by the trust representation; and communicate an indication of trustworthiness for the compute results, based on the validation of the attestation evidence. In further examples, the trust representation and validation is used in a named function network (NFN), for dynamic composition and execution of a function.
Type: Grant
Filed: October 6, 2020
Date of Patent: January 30, 2024
Assignee: Intel Corporation
Inventors: Ned M. Smith, Sunil Cheruvu, Francesc Guim Bernat, Kshitij Arun Doshi, Eve M. Schooler, Dario Sabella
-
Patent number: 11886586
Abstract: Behavior report generation monitors the behavior of unknown sample files executing in a sandbox. Behaviors are encoded and feature vectors created based upon a q-gram for each sample. Prototypes extraction includes extracting prototypes from the training set of feature vectors using a clustering algorithm. Once prototypes are identified in this training process, the prototypes with unknown labels are reviewed by domain experts who add a label to each prototype. A K-Nearest Neighbor Graph is used to merge prototypes into fewer prototypes without using a fixed distance threshold and then assigning a malware family name to each remaining prototype. An input unknown sample can be classified using the remaining prototypes and using a fixed distance. For the case that no such prototype is close enough, the behavior report of a sample is rejected and tagged as an unknown sample or that of an emerging malware family.
Type: Grant
Filed: March 6, 2020
Date of Patent: January 30, 2024
Assignee: Trend Micro, Inc.
Inventors: Yin-Ming Chang, Hsing-Yun Chen, Hsin-Wen Kung, Li-Chun Sung, Si-Wei Wang
-
Patent number: 11886389
Abstract: A device may receive, from a user device, a transaction request associated with a first entity and identify a distributed ledger associated with the first entity, the distributed ledger including a set of blocks recording work data associated with the first entity. The set of blocks may include: a first subset of blocks including data specifying work performed by the first entity, and a second subset of blocks including data verifying a portion of the work performed by the first entity and specified by the data included in the first subset of blocks. The device may determine that a transaction, associated with the transaction request, is associated with the first subset of blocks and the second subset of blocks. Based on predetermined instructions that correspond to the transaction and the distributed ledger, the device may perform the transaction.
Type: Grant
Filed: October 22, 2021
Date of Patent: January 30, 2024
Assignee: Capital One Services, LLC
Inventors: Walter Miller, Robert Martin, Bradley Smith
-
Patent number: 11886584
Abstract: Disclosed herein are systems and methods for detecting potentially malicious changes in an application. In one aspect, an exemplary method comprises, selecting a first file to be analyzed and at least one second file similar to the first file, for each of the at least one second file, calculating at least one set of features, identifying a set of distinguishing features of the first file by finding, for each of the at least one second file, a difference between a set of features of the first file and the calculated at least one set of features of the second file, and detecting a presence of potentially malicious changes in the identified set of distinguishing features of the first file.
Type: Grant
Filed: November 17, 2021
Date of Patent: January 30, 2024
Assignee: AO KASPERSKY LAB
Inventors: Anton A Kivva, Lev V Pikman, Igor A Golovin
-
Patent number: 11889416
Abstract: According to an embodiment, an information processing apparatus comprises a device interface, a network interface, a power supply part, a battery and a control part. A power supply part is configured to supply electric power from an external power supply. A control part is configured to: perform a conversion process on data from a terminal device, and transmit the data to a network; and when the power supply from the power supply part is stopped, transmit, to another information processing apparatus through the network interface, a first message indicating that a pass-through mode in which data is relayed between the terminal device and the network without being subjected to the conversion process is set, and set the pass-through mode.
Type: Grant
Filed: March 12, 2021
Date of Patent: January 30, 2024
Assignees: KABUSHIKI KAISHA TOSHIBA, Toshiba Infrastructure Systems & Solutions Corporation
Inventors: Keita Taniguchi, Issei Hatanaka
-
Patent number: 11886965
Abstract: A substantial learning curve is required to construct integration processes in an integration platform. This can make it difficult for novice users to construct effective integration processes, and for expert users to construct integration processes quickly and efficiently. Accordingly, embodiments for building and operating a model to predict next steps, during construction of an integration process via a graphical user interface, are disclosed. The model may comprise a Markov chain, prediction tree, or an artificial neural network (e.g., graph neural network, recurrent neural network, etc.) or other machine-learning model that predicts a next step based on a current sequence of steps. In addition, the graphical user interface may display the suggested next steps according to a priority (e.g., defined by confidence values associated with each step).
Type: Grant
Filed: October 27, 2022
Date of Patent: January 30, 2024
Assignee: BOOMI, LP
Inventors: Daniel Schwartz, Shailendra Burman, Anil Enum, Swagata Ashwani
-
Patent number: 11888875
Abstract: One embodiment of the described invention is directed to a key management module and a consumption quota monitoring module deployed within a cybersecurity system. The key management module is configured to assign a first key to a subscriber and generate one or more virtual keys, based at least in part on the first key, for distribution to the subscriber. A virtual key is included as part of a submission received from the subscriber to authenticate the subscriber and verify that the subscriber is authorized to perform a task associated with the submission. The consumption quota monitoring module is configured to monitor a number of submissions received from the subscriber.
Type: Grant
Filed: December 5, 2022
Date of Patent: January 30, 2024
Assignee: Musarubra US LLC
Inventors: Sai Vashisht, Sumer Deshpande
-
Patent number: 11882135
Abstract: Systems and methods for a machine-learning based approach for dynamically generating incident-specific playbooks for a security orchestration and automated response (SOAR) platform are provided. The SOAR platform captures information regarding execution of a sequence of actions performed by analysts responsive to a first incident of a first type. The captured information is fed into a machine-learning model. When a second incident, observed by the SOAR platform, is similar in nature to the first incident or the first type, a recommended sequence of actions is generated based on the machine-learning model for use by an analyst in connection with responding to the second incident. In response to rejection of the recommended sequence by the analyst, revising the recommended sequence based on input provided by the analyst and storing the revised recommendation sequence in a form of a revised playbook for response to subsequent incidents that are similar to the second incident.
Type: Grant
Filed: January 5, 2023
Date of Patent: January 23, 2024
Assignee: Fortinet, Inc.
Inventors: Abhishek Narula, Christopher Carsey, Amit Jain, Pooja Singh
-
Patent number: 11880470
Abstract: A method, computerized apparatus and computer program product, the method comprising: obtaining user code; obtaining an indication of at least one vulnerability, the vulnerability associated with one or more sets comprising at least a first instruction type and a second instruction type; scanning the code using dependency analysis, to obtain for one set: one or more first instructions of the first instruction type, one or more second instructions of the second instruction type, and further instructions associated with entities relevant to the first instruction and the second instruction; eliminating instructions other than the first instruction, the second instruction and one of the further instructions, thereby obtaining a collection of instructions that behaves differently from the user code; and providing the collection of instructions for vulnerability detection.
Type: Grant
Filed: October 4, 2021
Date of Patent: January 23, 2024
Assignee: WHITESOURCE LTD.
Inventors: Aharon Abadi, Bar Makovitzki, Ron Shemer
-
Patent number: 11882144
Abstract: In an embodiment, a management system obtains a criticality rules table that includes a plurality of rules mapped to corresponding criticality scores indicative of a level of risk in the event that an associated asset of a managed network is compromised by a third party. In one embodiment, the criticality rules table is updated based upon machine learning and/or feedback from an operator of the managed network. In another embodiment, the criticality rules table is used to assign one or more criticality scores to one or more assets based on one or more attributes of one or more assets, and the criticality rules table.
Type: Grant
Filed: January 24, 2022
Date of Patent: January 23, 2024
Assignee: TENABLE, INC.
Inventors: Barry Sheridan, Vincent Gilcreest, Anthony Bettini, Matthew Ray Everson, Wei Tai, Renaud Deraison
-
Patent number: 11874934
Abstract: Systems and methods for providing user-induced variable identification of end-to-end computing system security impact information via a user interface are disclosed. The system receives at a graphical user interface (GUI), a user calibration of a graphical security vulnerability element. The system then determines a set of computing system components that interact with data associated with the network operation based on a transmission of the network operation associated with a computing system. The system then determines a set of security vulnerabilities associated with each computing system component of the set of computing system components using a third-party resource. The system then applies a decision engine on the set of security vulnerabilities to determine a set of impacted computing-aspects associated with the set of computing system components.
Type: Grant
Filed: May 31, 2023
Date of Patent: January 16, 2024
Inventors: Prithvi Narayana Rao, Pramod Goyal
-
Patent number: 11870794
Abstract: An identifying device (10) includes a preprocessing (11) that extracts a communication connection pattern including a set of a communication source identifier and a communication destination identifier from traffic data, a comparing unit (131) that adds an ID to a communication connection pattern group including a new communication connection pattern not included in a whitelist when the new communication connection pattern is present in the communication connection pattern group, a graph feature amount generating unit (14) that generates a graph feature amount of the communication connection pattern group to which the ID has been added and adds this ID to the graph feature amount, an abnormality determining unit (16) that determines whether the generated graph feature amount is normal using a model (161) having learned the graph feature amount, and an identifying unit (132) that retrieves a new communication.
Type: Grant
Filed: May 23, 2019
Date of Patent: January 9, 2024
Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
Inventors: Hiroki Nagayama, Bo Hu, Kazunori Kamiya, Yukio Nagafuchi
-
Patent number: 11870811
Abstract: Embodiments are directed to systems that attempt to establish trust in relation to operations on a customer endpoint of a computer network. The systems monitor, in real-time, operations to file systems, registries, application processes and threads, and OS kernels at the customer endpoint. The systems maintain compute components affected by the operation in a quarantine state. The systems then attempt to establish trust in the affected compute components (e.g., by applying rule-based policies). The systems remove the affected compute components from the quarantine state, if trust of the one or more affected compute components is established. The systems execute callback routines to mitigate results of the operation, if trust of the affected compute components is not established.
Type: Grant
Filed: March 26, 2019
Date of Patent: January 9, 2024
Assignee: Virsec Systems, Inc.
Inventors: Satya V. Gupta, Piyush Gupta
-
Patent number: 11868481
Abstract: This invention discloses a method for discovering vulnerabilities of operating system access control based on model checking. In this method, security attribute and security specifications of operating system access control module are analyzed to construct the access control model. To discover vulnerabilities in the model, security analysis is performed for access control functionality with theorem proving techniques, and consistency of abstract machine specification and correctness and completeness of the components are verified with model checking tools. This method provides theoretical and technical support for studies in the field of operating system security.
Type: Grant
Filed: July 27, 2021
Date of Patent: January 9, 2024
Assignee: ZHEJIANG UNIVERSITY
Inventors: Rui Chang, Zhuoruo Zhang, Shaoping Pan, Kui Ren
-
Patent number: 11870793
Abstract: Particular embodiments described herein provide for an electronic device that can be configured to identify a process running on the electronic device, assign a reputation to the process if the process has a known reputation, determine if the process includes executable code, determine a reputation for the executable code, and combine the reputation for the executable code with the reputation assigned to the process to create a new reputation for the process.
Type: Grant
Filed: September 30, 2020
Date of Patent: January 9, 2024
Assignee: McAfee, LLC
Inventor: Joel R. Spurlock
-
Patent number: 11870798
Abstract: A method for minimizing scan disruptions includes receiving a scan request requesting to scan a set of network-connected assets. Each network-connected asset is associated with corresponding network characteristics. The method includes partitioning the set of network-connected assets into a plurality of groups based on the corresponding network characteristics. For each respective group, simultaneously, the method includes determining an ordered list for scanning each network-connected asset in the respective group, scanning a first network-connected asset of the respective group based on the ordered list, and, after scanning the first network-connected asset, determining a post-scan health status of the first network-connected asset. The method includes determining, using the post-scan health status, that a health of the first network-connected asset is degraded.
Type: Grant
Filed: April 23, 2021
Date of Patent: January 9, 2024
Assignee: Google LLC
Inventors: Claudio Criscione, David Aslanian, Sebastian Lekies, Joseph Nelson
-
Patent number: 11868748
Abstract: A deployment platform, computer-readable medium, and computer-implemented method for intelligent execution of a solution on a computer network, including receiving an instruction to execute a solution in a local runtime environment on the deployment platform, the solution including solution code written in a solution language, determining, by a helper program on the deployment platform, whether the solution is executable on the deployment platform based on the solution language and either launching, by the helper program, the solution on the deployment platform when the solution is executable on the deployment platform or launching, by the helper program, the solution on a remote platform on the computer network that is configured to execute the solution when the solution is not executable on the deployment platform, the helper program being configured to communicate with the launched solution to enable the launched solution to interface with the local runtime environment on the deployment platform.
Type: Grant
Filed: November 8, 2021
Date of Patent: January 9, 2024
Assignee: Informatica LLC
Inventor: Hemshankar Sahu
-
Patent number: 11870802
Abstract: Systems, methods, and software described herein provide security actions based on related security threat communications. In one example, a method of operating an advisement system includes identifying a security threat within the computing environment, wherein the computing environment comprises a plurality of computing assets. The method further provides obtaining descriptor information for the security threat, and retrieving related communication interactions based on the descriptor information. The method also includes generating a response to the security threat based on the related communication interactions.
Type: Grant
Filed: March 31, 2022
Date of Patent: January 9, 2024
Assignee: Splunk Inc.
Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas
-
Patent number: 11868484
Abstract: Systems and methods for determining and displaying platform-specific end-to-end security vulnerabilities via a graphical user interface (GUI) are disclosed. To provide users with visual indications of vulnerable computing aspects associated with a computing platform, the system identifies computing aspects associated with a platform. The system then obtains from a security entity, security-vulnerability descriptions that are associated with the platform. Using the security-vulnerability descriptions, the system then determines threat levels for each security-vulnerability description and then, using the determined threat levels, determines a computing aspect impact level for each computing aspect associated with the platform. The system then generates for display on a GUI, a graphical layout comprising each computing aspect impact level for each computing aspect associated with the platform.
Type: Grant
Filed: July 27, 2023
Date of Patent: January 9, 2024
Assignee: CITIBANK, N.A.
Inventors: Prithvi Narayana Rao, Pramod Goyal
-
Patent number: 11861013
Abstract: Systems and methods are provided for the classification of identified security vulnerabilities in software applications, and their triage based on automated decision-tree triage and/or machine learning. The disclosed system may generate a report listing detected potential vulnerability issues, and automatically determine whether the potential vulnerability issues are exploitable using automated triage policies containing decision trees or by extracting vulnerability features from the report and processing the extracted vulnerability features using machine learning models.
Type: Grant
Filed: September 28, 2020
Date of Patent: January 2, 2024
Assignee: Accenture Global Solutions Limited
Inventors: Finbarr Tarrant, Gopal Kavanadala Sridhar, Jee Hyub Kim, Navdeep Sharma, Eanna Mulrooney, Anton Plotnikov, Karel Kohout, Mário Lauande Lacroix, Richard Levine, Johnny Obando
-
Patent number: 11861008
Abstract: The use of browser context in detecting malware is disclosed. A client device requests content from a remote server. Data received by the client device from the remote server is transmitted to an external scanner for analysis by the external scanner. The external scanner is configured to use a browser executed in an instrumented virtual machine environment to analyze the data provided by the client device. The client device is configured to request the content from the remote server using a browser extension configured to retrieve data and provide the retrieved data to the external scanner without rendering the retrieved data.
Type: Grant
Filed: July 21, 2022
Date of Patent: January 2, 2024
Assignee: Palo Alto Networks, Inc.
Inventors: Tongbo Luo, Xin Ouyang, Zhaoyan Xu, Xing Jin
-
Patent number: 11863584
Abstract: An occurrence of an infection-spreading attack and an attack source thereof are detected with high accuracy. A first feature value is calculated based on traffic information regarding a packet forwarded by a forwarding device, and M partial address spaces to be monitored are specified based on the first feature value. A second feature value is calculated for each address of a terminal in a network, based on traffic information regarding the M partial address spaces, the second feature value is learned to classify terminal addresses into a plurality of clusters, and whether or not each of the clusters is an infection-spreading attack is determined to generate cluster information. Whether or not an infection-spreading attack has occurred and an address of a terminal that is an attack source are specified based on the second feature value and the cluster information.
Type: Grant
Filed: August 1, 2019
Date of Patent: January 2, 2024
Assignee: Nippon Telegraph and Telephone Corporation
Inventors: Yukihiro Togari, Hiroaki Maeda, Hisashi Kojima, Takeshi Kuwahara
-
Patent number: 11863573
Abstract: Techniques are disclosed that relate to systems, methods, and non-transitory computer readable media for improved cybersecurity intelligence using custom trigger events. One system may include a non-transitory memory configured to store at least threat model data; and one or more hardware processors coupled to the non-transitory memory and configured to read instructions from the non-transitory memory to cause the system to perform operations comprising: receiving, over a communications network, the at least one custom trigger event for a threat model which identifies a cybersecurity threat; determining whether the cybersecurity threat triggers the performance of the orchestrated response based on the custom trigger event; and launching, when the cybersecurity threat triggers the performance of the orchestrated response, a first application and a second application of the plurality of applications of the orchestrated response.
Type: Grant
Filed: March 8, 2021
Date of Patent: January 2, 2024
Assignee: ThreatConnect, Inc.
Inventor: Danny Tineo
-
Patent number: 11861412
Abstract: Techniques described herein are related to managing deployment of a converged infrastructure (CI). Such techniques may include receiving a request to initiate a CI deployment; obtaining a CI information set; creating a CI deployment file using the CI information set; rendering a deployment user interface (UI) screen that allows a user to select to configure network devices or a CI cluster; receiving a first selection to configure a network device; rendering network device configuration screens to obtain network device configuration information; adding the network device configuration information to the CI deployment file; receiving a second selection to configure the CI cluster; rendering CI cluster configuration screens to obtain CI cluster configuration information; adding the CI cluster configuration information to the CI deployment file; and deploying the CI using the CI deployment file.
Type: Grant
Filed: December 9, 2020
Date of Patent: January 2, 2024
Assignee: EMC IP HOLDING COMPANY LLC
Inventors: Deborah C. Russell, Donald E. Mace, Mark Alan Herring, Peder Brooks Piggot
-
Patent number: 11860764
Abstract: A method, an apparatus, and a system are for evaluating code design quality. The method for evaluating code design quality includes: determining, based upon a result from static scanning of code, a probability of the presence of an error-prone pattern in the code; inputting the probability into an artificial neural network, and determining, based upon the artificial neural network, a prediction result for whether the code violates a preset design rule and for a quantized degree to which the design rule is violated; and based upon the prediction result, evaluating the design quality of the code. The present method is able to improve the accuracy of code design quality evaluation. By detecting a presence of an error-prone pattern in the code, whether or not a key design rule has been violated in a design process and a quantized degree to which the key design rule is violated are predicted.
Type: Grant
Filed: March 26, 2019
Date of Patent: January 2, 2024
Assignee: SIEMENS AKTIENGESELLSCHAFT
Inventors: Fei Peng, Ke Han