Abstract: Generally discussed herein are devices, systems, and methods for improving phishing webpage content detection. A method can include identifying first webpage content comprises phishing content, determining, using a reinforcement learning (RL) agent, at least one action, generating, based on the determined at least one action and the identified first webpage content, altered first webpage content, identifying that the altered first webpage content is benign, generating, based on the determined at least one action and second webpage content, altered second webpage content, and training, based on the altered second webpage content and a corresponding label of phishing, a phishing detector.

Abstract: A detection device and a detection method for a malicious HTTP request are provided. The detection method includes: receiving a HTTP request and capturing a parameter from the HTTP request; filtering the HTTP request in response to the parameter not matching a whitelist; encoding each character of the HTTP request to generate an encoded string in response to the HTTP request not being filtered; generating an estimated HTTP request according to the encoded string by using an autoencoder; and determining that the HTTP request is a malicious HTTP request in response to a similarity between the HTTP request and the estimated HTTP request being less than a similarity threshold, and outputting a determined result.

Abstract: A computer-implemented method according to one aspect includes determining and storing characteristics of a plurality of cloud vendors; dividing a workload into a plurality of logical stages; determining characteristics of each of the plurality of logical stages; and for each of the plurality of logical stages, assigning the logical stage to one of the plurality of cloud vendors, based on a comparison of the characteristics of the plurality of cloud vendors to the characteristics of the logical stage. Data migration between the cloud vendors is performed during an implementation of the workload to ensure data is located at necessary cloud vendors during the corresponding tasks of the workload.

Abstract: Disclosed is a new location threat monitoring solution that leverages deep learning (DL) to process data from data sources on the Internet, including social media and the dark web. Data containing textual information relating to a brand is fed to a DL model having a DL neural network trained to recognize or infer whether a piece of natural language input data from a data source references an address or location of interest to the brand, regardless of whether the piece of natural language input data actually contains the address or location. A DL module can determine, based on an outcome from the neural network, whether the data is to be classified for potential location threats. If so, the data is provided to location threat classifiers for identifying a location threat with respect to the address or location referenced in the data from the data source.

Abstract: An adaptive risk management application retrieves data corresponding to an asset. The asset is a computing device or software application of an enterprise system. The adaptive risk management application identifies a set of vulnerabilities of the asset. The adaptive risk management application determines, for each identified vulnerability, a likelihood of a threat actor successfully exploiting the vulnerability. The adaptive risk management application determines, based on the likelihoods, a risk score for the asset. The adaptive risk management application sends the risk score for display.

Abstract: One example method includes collecting container information concerning a container, analyzing the container information to identify a security tool needed to perform a vulnerability scan of the container, accessing the security tool from a knowledge lake, running the security tool on the container information to identify a security vulnerability of the container, based on the running of the security tool, generating an alert indicating that the container has the security vulnerability, capturing the security vulnerability and, based on the captured security vulnerability, updating a container image that was used to spawn the container.

Abstract: There is provided a computer system of runtime identification of a dynamic loading of a software module, the software module being associated with a first application framework, the system comprising a processing circuitry configured to: a) detect, in a first interposition function, an invocation of a first function, the first function being associated with loading of software-modules within a first application framework; b) identify a software-module being loaded, the identifying utilizing, at least, at least one of: i) parameter data supplied in the invocation of the first function, ii) a context of an operating system process invoking the first function, and ii) data that was stored responsive to detecting, by a respective interposition function, one or more prior invocations of respective functions associated with loading of software-modules within the first application framework; and c) add the identified software-module to a list of software-modules.

Abstract: A combination identification unit (27) identifies combinations of one or more components which constitute a target system and in each of which an intrusion detection system that detects unauthorized access can be installed. A combination reduction unit (28) extracts, from the combinations identified by the combination identification unit, a combination that satisfies an installation condition accepted by an installation condition input unit (22) and can detect unauthorized communications indicated by attack information accepted by an attack information input unit (24) at a rate higher than or equal to a threshold.

Abstract: Methods for securing an electronic communication is provided. Methods may include, in a registration process, creating and/or selecting an anti-phish, personalized, security token for a predetermined account. Methods may include, in the registration process, storing the token in a database. Methods may include, in an in-use process, generating an electronic communication at a channel. The database may be interposed along the channel. Methods may include, in the in-use process, forwarding the communication to a recipient. The recipient may be associated with the account. Methods may include, in the in-use process, intercepting the communication at the database. Methods may include, in the in-use process, selecting, from the database, the anti-phish, personalized, security token that is associated with the account. Methods may include, in the in-use process, injecting the selected token into the communication.

Abstract: Interactive interfaces and data structures representing physical and/or visual information are provided using smart pins (also called “pins” herein). Pins representing vectors of information may be provided. For instance, in the context of cybersecurity, each pin may represent an attack vector that an adversary can use to attack a system. Each pin may have a depth meter and may move up or down according to its value in an operating range. Each pin may also have a color, a number, or both, representing its current value in the operating range. Such pins may provide both a three-dimensional representation of data that is intuitive to users.

Abstract: Systems and methods are provided for implementing an adaptive machine learning platform for security penetration and risk assessment. For example, the system can receive publicly-available information associated with a client computer system, process the information to identify an input feature, and implement a machine learning model to identify the corresponding risk associated with the input feature. The system can recommend a penetration test for discovered weaknesses associated with the input feature and help make changes to the client computer system to improve security and reduce risk overall.

Abstract: In some examples, an electronic device includes a processor to allow installation of an untrusted executable code to a virtual machine, monitor the installation and execution of the untrusted executable code, and, responsive to a determination that an executed amount of the untrusted executable code is less than a threshold amount, prompt a user to continue the execution of the untrusted executable code.

Abstract: A system, method, and computer-readable medium are disclosed for performing a human factors risk operation. The human factors risk operation includes: monitoring an entity, the monitoring observing an electronically-observable data source; deriving an observable based upon the monitoring of the electronically-observable data source; identifying a security related activity, the security related activity being based upon the observable from the electronic data source; analyzing the security related activity, the analyzing the security related activity using a human factors framework; and, performing a human factors risk operation in response to the analyzing the security related activity.

Abstract: A system and method for predicting and acting on computer network vulnerabilities before they are actually breached or tampered with by malicious external actors. A monitoring computing device assesses the different components within a network and based on a ranking of the devices, a perceived threat analysis and weaknesses within the network, can take appropriate remediation actions for one or more of the devices within the network. Depending on the ranking of a particular computing device within the network and the determined risk, a remediation can include delaying the implementation of a fix for a weakness because the computing device cannot be taken offline at that particular time.

Abstract: A risk knowledge graph is created from information on risk events involving network entities of a private computer network. Each of the risk events is represented as a node in the risk knowledge graph. The nodes are connected by edges that represent the risk events. The nodes are grouped into communities of related nodes. A response action is performed against a community to mitigate a cybersecurity risk posed by the community.

Abstract: Systems and methods are disclosed to implement a network data interpretation pipeline to recognize machine operations (MOs) and machine activities (MAs) from network traffic data observed in a monitored network. In embodiments, a MO recognition engine is implemented in the network to recognize MOs from network sensor events (NSEs) based on defined recognition patterns. The MOs and any unrecognized NSEs are uploaded to a network monitoring system, where they are further analyzed by a MA recognition engine to recognize higher-level machine activities performed by machines. The NSEs, MOs, and MAs are used by the network monitoring system to implement a variety of security threat detection processes. Advantageously, the pipeline may be used to add rich contextual information about the raw network data to facilitate security threat detection processes.

Abstract: Program products, methods, and systems for simulating and/or preventing the dissemination of sensitive information over the internet are disclosed. Preventing dissemination of user-specific sensitive information over the internet may include analyzing content included in media posts, calculating a danger score for the media post, and determining if the calculated danger score exceeds a danger score threshold. Where the calculated danger score does not exceed the threshold, the media post has no or a low risk of disseminating sensitive information over the internet. However, if the calculated danger score does exceed the threshold, the user is alerted that the media post may undesirably disseminate sensitive information. The danger score may represent a sensitive information exposure risk for the media post is based on a variety of factors and/or characteristics of the media post and/or the user creating and attempting to disseminate the media post.

Abstract: Disclosed is an improved method, system, and computer program product for identifying malicious payloads. The disclosed approach identifies potentially malicious payload exchanges which may be associated with payload injection or root-kit magic key usage.

Abstract: The present disclosure provides a stability criterion for time-delay of cyber-physical power systems under distributed control, which relates to a field of cyber-physical power systems technologies.

Abstract: A multitenant infrastructure server (MTIS) is configured to provide an environment to execute a computer routine of an arbitrary application. The MTIS receives a request from a webtask server to execute the computer routine in a webtask container. The computer routine is executed in the webtask container at the MTIS. Upon successful execution of the computer routine, a result set is returned to the webtask server. If the execution of the computer routine is unsuccessful, an error notification is returned to the webtask server. The resources consumed during the execution of the computer routine are determined. The webtask container is destroyed to prevent persistent storage of the computer routine on the MTIS.

Abstract: Systems and methods for automatically managing and utilizing the uniform labeling of data packages are disclosed. Specification information can describe many aspects of a data package, and can be analyzed to automatically identify various product attributes and service attributes usable to define the data package. Each of the individual product attributes and service attributes can be encoded into an alphanumeric code, which can be concatenated together to form a single uniform package identifier (UPID) usable to describe the associated data product. Systems and methods can automatically generate UPIDs, automatically find data packages based on search UPIDs, automatically process invoices based on UPIDs, and otherwise leverage the UPIDs to automate the collection, creation, selling, purchasing, trading, redistribution, and/or using of data packages.

Abstract: Systems and methods for network security testing of target computer networks using AI neural networks. A command and control server controls a number of geographically separated processors running a number of neural networks. A central data hive is accessible to all the processors. The processors are organizable into logical hemisphere groupings for specific tasks and/or projects. For security testing, hemisphere groupings are created for the project. Based on data for the target system on the data hive, attacks are formulated by a hemisphere grouping and these potential attacks are tested against known characteristics of the target network. Validated potential attacks and, in some cases, random attacks, are executed and data generated by the executed attacks are stored in the data hive for use in formulating and executing other further attacks. Potential attacks may involve mining social media networks for data on users of the target system.

Abstract: Methods, systems, and apparatuses for risk analysis of web pages using a machine learning model are described herein. A computing device may receive a risk detection machine learning model trained to receive input corresponding to a web page and output an indication of risk associated with the web page. The computing device may execute a web browser application and collect user activity data by monitoring user activity associated with the web browser application. The computing device may access, via the web browser application, a first web page, and collect page data associated with the first web page. The computing device may calculate a risk level of the first web page. The risk level may be calculated by processing, using the risk detection machine learning model, both the user activity data and the page data. A security recommendation may be output based on the risk level.

Abstract: A method includes receiving, by a computer system, information related to device health of an electronic device, determining, by the computer system, a health status of the electronic device based at least in part on the received information related to the device health of the electronic device, requesting, by a switch having a port connected to the electronic device, the health status of the electronic device from the computer system, receiving, by the computer system, the request for the health status of the electronic device from the switch, transmitting, by the computer system, the health status of the electronic device to the switch, evaluating, by the switch, the transmitted health status of the electronic device using network access rules associated corresponding to health statuses, and applying, by the switch, a network access control configuration to the port of the switch based on the evaluating the transmitted health status.

Abstract: Methods, systems, and computer-readable storage media for receiving, by an operation guard system executed within a cloud platform, session information representative of a session of a user within the cloud platform, the session information including user information and operation information, determining, by the operation guard system, that the user is signed into a technical group for execution of an operation represented in the operation information, and in response, providing, by the operation guard system, a risk score associated with the operation, and determining, by the operation guard system and at least partially based on the risk score, that the operation is a risk-oriented operation based on the risk score, and in response, preventing execution of the operation and transmitting an alert.

Abstract: A scenario generation device (100) generates an attack scenario (32). An attack means storage unit (130) has stored therein attack means data (131) including a precondition and an attack effect of attack means. An edit screen display unit (110) arranges attack means to be included in the attack scenario (32) on a scenario edit screen (200). By using the attack means data (131), an attack scenario generation unit (20) extracts, from the attack means storage unit (130), another attack means whose attack effect is a precondition of attack means arranged on the scenario edit screen (200). The attack scenario generation unit (20) generates the attack scenario (32) by complementing the attack means arranged on the scenario edit screen (200) with the other attack means.

Abstract: According to an embodiment, a computer-implemented method can comprise: inspecting, using a processor, a set of container images respectively associated with pods; identifying, using the processor, a first subset of the pods that contain a vulnerability; classifying, using the processor, the first subset of the pods as primary-infected pods; generating, using the processor, a first list of namespaces in which the primary-infected pods are deployed within a network; checking, using the processor, network policies in connection with the first list of namespaces to determine secondary-suspect pods that have ability to communicate with the primary-infected pods; generating, using the processor, a list of secondary-suspect namespaces in which the secondary-suspect pods are deployed within the network; identifying, using the processor, one or more secondary-suspect pods that communicated with one or more primary-infected pods; and generating, using the processor, a list of secondary-infected pods.

Abstract: Systems and methods for side-channel monitoring a local network are disclosed. The methods involve generating a program trace signal from at least one of power consumption, electromagnetic emission, or acoustic emanation of a control processor connected to the local network and operating a monitoring processor to detect a communication of a message on the local network; identify at least one purported control processor related to the communication; analyze the program trace signal of the at least one purported control processor relative to the communication; and at least one of an authenticate or verify one or more purported control processors of the at least one purported control processor based on the program trace signal of the at least one purported control processor.

Abstract: A blockchain-enhanced open Internet of Things (IoT) access architecture includes an access point, a number of IoT devices, a hash access mechanism, a blockchain mining network, and a blockchain enabling mechanism that manages network access of the IoT device. The blockchain-enhanced open IoT access architecture provided in the present invention provides a secure, reliable, fair, and short-packet access service for a plurality of devices in an IoT network by using features of a blockchain such as distributed storage, tamper-proofing, and traceability, thereby promoting the trust and cooperation between the devices and ensuring the security and efficiency of the network in the large-scale untrustworthy IoT network. The blockchain-enhanced open IoT access architecture in the present invention can provide secure and reliable IoT access with low latency and a high value in practice.

Abstract: A method of detecting anomalous behaviour in data traffic on a data communication network having a first host and a second host being connected to the data communication network in which the data traffic on the data communication network forms a link between the first host and the second host.

Abstract: A system, method, and computer-readable medium are disclosed for performing a security operation.

Abstract: Systems and methods for managing a set of electronic assets from a single location are disclosed. The method includes providing a portal with a network security access control. The method includes determining that login credentials input to the access control are associated with a set of electronic assets corresponding to a plurality of third-party computing systems with application programming interface (API) gateways configured to accept API calls directed to changes in functionality of the electronic assets. The method includes presenting, via the portal, a virtual icon to identify a coordinated action with respect to the set of electronic assets and, in response to a selection of the virtual icon, executing a set of API calls that include an asset-specific API call to each third-party computing system in the plurality of third-party computing systems to implement the coordinated action on all electronic assets in the set of electronic assets.

Abstract: A fraud detection system may obtain a number of known fraudulent end-user profiles and/or otherwise undesirable end-user profiles. Using statistical analysis techniques that include clustering the end-user profiles by attributes and attribute values and/or combinations of attributes and attribute values, the fraud detection system identifies on a continuous, periodic, or aperiodic basis those attribute values and/or attribute value combinations that appear in fraudulent or otherwise undesirable end-user profiles. Using this data, the fraud detection system generates one or more queries to identify those end-user profiles having attribute values or combinations of attribute values that likely indicate a fraudulent or otherwise undesirable end-user profile.

Abstract: A method comprises acquiring anomaly data including a plurality of anomalies detected from streaming data, wherein each of the anomalies relates to an entity on or associated with a computer network. The method determines a risk score of each of the anomalies, and adjusts the risk score of an anomaly according to a set of factors. The method further determines, for each of a plurality of sliding time windows of different lengths, an entity score of the entity in relation to the sliding time window, based on an aggregation of risk scores of all anomalies related to the entity that were detected within the sliding time window, where the entity score corresponds to a risk level associated with the entity. An action to prevent the entity from performing an operation can be determined and caused to occur based on the entity score.

Abstract: Systems and methods for root-level application selective configuration for managing performance of actions on files in a file system including an agent executed on a computing device. The agent can determine files stored in a particular folder and determine file metadata corresponding to the files based on a policy file. The agent can receive a selection of a particular file of the files that corresponds to one of the file metadata. The agent can determine an availability of one or more actions for the particular file as specified by file metadata. The agent can render a context menu that includes menu entries with one or more additional menu entry that corresponds to the actions based on the file metadata. The agent can perform an authentication of a current user account based on the policy file and cause the action to be performed based on privileges of the agent.

Abstract: Methods, systems, and computer readable media for network security testing using at least one emulated server are disclosed. According to one example method, the method comprises: receiving, from a client device and at an emulated domain name service (DNS) server, a DNS request requesting an Internet protocol (IP) address associated with a domain name; sending, to the client device and from the emulated DNS server, a DNS response including an IP address associated with an emulated server; receiving, from the client device and at the emulated server, a service request using the IP address; sending, to the client device and from the emulated server, a service response including at least one attack vector data portion; and determining, by a test controller and using data obtained by at least one test related entity, a performance metric associated with a system under test (SUT).

Abstract: Provided is process, including: obtaining interaction-event records; determining, based on at least some of the interaction-event records, sets of event-risk scores, wherein: at least some respective event-risk scores are indicative of an effective of a respective risk ascribed by a first entity to a respective aspect of a second entity; and at least some respective event-risk scores are based on both: respective contributions of respective corresponding events to a subsequent event, and a risk ascribed to a subsequent event; and storing the sets of event-risk scores in memory.

Abstract: A cyber security system for a cloud environment is disclosed. In some embodiments, a method is disclosed. The method comprises utilizing a cloud provider API to access a block storage volume of a workload maintained on a target account in a target system of a cloud storage environment, utilizing a scanner at a location of the block storage volume and on a secondary system other than the target system, scanning the block storage volume for malicious code using the secondary system, identifying malicious code based on the scan, and outputting a notification of a presence of malicious code in the target system from the secondary system.

Abstract: Systems and methods are provided for performing simulated phishing attacks using social engineering indicators. One or more failure indicators can be configured in a phishing email template, and each failure indicator can be assigned a description about that failure indicator through use of a markup tag. The phishing email template containing the markup tags corresponding to the failure indicators can be stored and can be used to generate a simulated phishing email in which the one or more markup tags are removed.

Abstract: A system is provided for quantification of cybersecurity module efficacy using Q-matrix based correlation analysis. In particular, the system may use Q-matrices to calculate adaptive correlation scores between cybersecurity module and expected and/or desired outcomes across one or more different dimensions. A first axis of the Q-matrix for a particular cybersecurity module may be populated with one or more key elements of the cybersecurity module, while a second axis of the Q-matrix may comprise the outputs or metrics that may be used to quantify the efficacy of the cybersecurity module with respect to the key elements as represented on the first axis. The correlation scores may then be used as inputs into a decisioning engine that may be used to drive entity-wide decisioning processes based on the outputs of the Q-matrix based analysis.

Abstract: An estimation device (10) receives a device ID for identifying a device in a network and an observation event that has occurred in the device from a user terminal (20) as an input. The estimation device (10) acquires attribute information of the device corresponding to the received device ID from a device information storage unit (13c), estimates a risk that the device in the network is subject to an attack on the basis of the acquired attribute information and the received observation event, and outputs the estimated attack risk to the user terminal (20).

Abstract: Aspects of the disclosure relate to spear phishing simulation using machine learning. A computing platform may send, to an enterprise user device, a spear phishing message. The computing platform may receive initial user interaction information indicating how a user of the enterprise user device interacted with the spear phishing message. Based on the initial user interaction information and using a series of branching message templates, the computing platform may generate additional spear phishing messages. The computing platform may receive additional user interaction information indicating how the user interacted with the additional spear phishing messages. Based on the initial user interaction information and the additional user interaction information, the computing platform may compute spear phishing scores.

Abstract: A level of classification for each piece of data of one or more pieces of data is determined. A layer of encryption for each piece of data of the one or more pieces of data is determined. A type of encryption for each piece of data of the one or more pieces of data is determined. Other mechanisms applied to each piece of data of the one or more pieces of data is determined. A first constant for the layer of encryption, a second constant for the type of encryption, a third constant for the other mechanisms applied is determined. A risk factor for each piece of data of the one or more pieces of data is determined.

Abstract: A system is provided for determining vulnerability metrics for graph-based configuration security. During operation, the system generates a multi-layer graph for a system with a plurality of interconnected components. The system determines, based on the multi-layer subgraph, a model for a multi-step attack on the system by: calculating, based on a first set of variables and a first set of tunable parameters, a likelihood of exploiting a vulnerability in the system; and calculating, based on a second set of variables and a second set of tunable parameters, an exposure factor indicating an impact of exploiting a vulnerability on the utility of an associated component. The system determines, based on the model, a set of attack paths that can be used in the multi-step attack and recommends a configuration change in the system, thereby facilitating optimization of system security to mitigate attacks on the system while preserving system functionality.

Abstract: An integration manager identifies one or more services accessible by a computer system; determines a set of action components associated with the computer system, wherein each action component of the set of action components is configured to provide a functionality associated with at least one of the one or more services; receives, from a user of the computer system, a selection of a first action component from the set of action components; determines, based at least in part on the first action component, a second action component from the set of action components; links the first action component with the second action component, wherein an output of the first action component is linked to an input of the second action component; and generates an executable workflow, the executable workflow comprising the first action component linked with the second action component.

Abstract: Systems and techniques for providing security data points from an electronic message are presented. A system can determine a first interne protocol (IP) address of a computing device in response to a user of the computing device opening an email sent to an email address corresponding to a particular electronic account of the user, the email comprising an IP address tracking mechanism. The system can also compare the first IP address with one or more second IP addresses corresponding to one or more electronic accesses of the particular electronic account. Furthermore, the system can determine if an account access anomaly exists in regard to the particular electronic account based on a result of the comparing. The system can also implement a security measure impacting an ability of the particular electronic account to conduct one or more transactions in response to the account access anomaly existing for the particular electronic account.

Abstract: Methods, systems, and computer program products for providing the status of model extraction in the presence of colluding users are provided herein. A computer-implemented method includes generating, for each of multiple users, a summary of user input to a machine learning model; comparing the generated summaries to boundaries of multiple feature classes within an input space of the machine learning model; computing correspondence metrics based at least in part on the comparisons; identifying, based at least in part on the computed metrics, one or more of the multiple users as candidates for extracting portions of the machine learning model in an adversarial manner; and generating and outputting an alert, based on the identified users, to an entity related to the machine learning model.

Abstract: Systems, computer-implemented methods, and computer program products that facilitate vulnerability and attack technique association are provided. According to an embodiment, a system can comprise a memory that stores computer executable components and a processor that executes the computer executable components stored in the memory. The computer executable components can comprise a map component that defines mappings between vulnerability data representing a vulnerability of a computing resource and attack data representing at least one attack technique. The computer executable components can further comprise an estimation component that analyzes the mappings to estimate a probability that the vulnerability will be exploited to attack the computing resource.

Abstract: Systems, methods, and apparatus related to network security. In one approach, various endpoint devices communicate with a network gateway and/or API mode CASB over one or more networks. All communications by the endpoint devices with remote servers and clouds pass through the network gateway (and/or by cloud service access when using an API mode CASB). The gateway and/or CASB gathers metadata from the endpoint devices and/or network devices. The metadata indicates characteristics of the communications by the endpoint devices on the networks and/or processes running on the endpoint devices. The gateway and/or CASB identifies security risks using at least the metadata, and in response dynamically performs remediation actions for one or more of the networks in real-time to limit or block propagation of a cyber attack associated with one or more of the identified security risks.

Abstract: The disclosure describes systems and techniques for assessing risk of an open Wi-Fi network, at a consumer's request, before the consumer performs a transaction. The system receives a Wi-Fi network risk assessment request associated with a Wi-Fi network connection of a mobile device. Upon receiving the request, the system retrieves connection-related data from the mobile device. The connection-related data is associated with the Wi-Fi network connection. The system performs a Wi-Fi risk assessment of the Wi-Fi network connection. The system transmits a result of the risk assessment to the mobile device for presentation on the mobile device. The system also transmits the result of the risk assessment to an issuer server. The issuer server is associated with a payment account of the consumer. Moreover, the system transmits a step-up authentication alert to the issuer server.