Aspects of the disclosure include replacing, by a DNS proxy in DNS responses, a cryptographic key associated with a client-facing server for an origin content server with another cryptographic key received from a TLS proxy. A device may encrypt an extension of a ClientHello message with the other cryptographic key, such that the encrypted ClientHello (ECH) extension can be decrypted by the TLS proxy. The TLS proxy can then allow or deny the connection using a TLS intercept policy and decrypted information in the ClientHello message, and if the TLS connection is allowed, re-encrypt the ECH with the cryptographic key in the DNS response for the client-facing server to decrypt for establishment of the TLS connection with the origin content server. To preserve selective intercept while using ECH, a TLS Intercept Policy may be used to decide whether the TLS proxy feeds an Application Layer Proxy.
The disclosed computer-implemented method for preparing a secure search index for securely detecting personally identifiable information may include (i) receiving, at a computing device, a dataset including a record, where the record has a field including a value describing personally identifiable information and (ii) performing, at the computing device, a security action. The security action may include (i) generating, using a perfect hash function, a respective hashed key from the value and (ii) adding, to the secure search index (a) the respective hashed key or (b) a subsequent hashed key created from the respective hashed key. Various other methods, systems, and computer-readable media are also disclosed.
G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
H04L 9/06 - Arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for blockwise coding, e.g. D.E.S. systems
With invocations of a software development pipeline, organization specific remediations/fixes for a software project can be learned from scanning results of code submissions (e.g., commits or merges) across an organization for a software project(s). Fixes of detected program code flaws can be detected and/or specified across scans and associated with flaw identifiers and used for training machine learning models to identify candidate fixes for detected flaws. This ongoing learning during development propagates fixes created or chosen by experts (e.g., software engineers working on the software project) relevant to the software project. The experts can choose from suggestions mined from the learned fixes of the organization and suggestions generated from a pipeline created with the trained machine learning models. The selections are then used for further training of the machine learning models that form the pipeline.
42 - Scientific, technological and industrial services, research and design
Goods & Services
Computer software risk assessment services; computer
security services in the nature of network security
assessments; providing temporary use of non-downloadable
cloud-based software for detecting and identifying access to
computer networks and resources, performing vulnerability
scans, and/or penetration testing; computer software
consultation, namely, providing an online, automated,
on-demand service for identifying exploitable
vulnerabilities in software.
42 - Scientific, technological and industrial services, research and design
Goods & Services
(1) Computer software risk assessment services; computer security services in the nature of network security assessments; providing temporary use of non-downloadable cloud-based software for detecting and identifying access to computer networks and resources, performing vulnerability scans, and/or penetration testing; computer software consultation, namely, providing an online, automated, on-demand service for identifying exploitable vulnerabilities in software.
42 - Scientific, technological and industrial services, research and design
Goods & Services
Computer software risk assessment services; Computer
security services in the nature of network security
assessments; providing temporary use of non-downloadable
cloud-based software for detecting and identifying access to
computer networks and resources, performing vulnerability
scans, and penetration testing; Computer software
consultation, namely, providing an online, automated,
on-demand service for identifying exploitable
vulnerabilities in software.
7.
DEIDENTIFYING CODE FOR CROSS-ORGANIZATION REMEDIATION KNOWLEDGE
To preserve privacy when leveraging organization-specific remediation knowledge for flaw remediation across organizations, program code is deidentified to remove code which potentially identifies its source/origin. Deidentification operates based on structure of flaws and fixes at the level of source code constructs based on an abstract syntax tree (AST) or other structural context representation of a fix and corresponding flaw. Potentially identifying portions of a fix indicated in its AST are determined and modified (e.g., removed or obfuscated) without impacting AST structure. Deidentified remediation knowledge originating from different organizations is used to train a fix suggestion model(s) which learns structural context of fixes and corresponding flaws and, once trained, generates predictions indicating suggested fixes to flaws based on structural contexts of the flaws. Deidentification can occur before training of the fix suggestion model(s) or during prediction so potentially identifying program code is removed before suggested fixes are consumed by different organizations.
42 - Scientific, technological and industrial services, research and design
Goods & Services
(1) Computer software risk assessment services; Computer security services in the nature of network security assessments; providing temporary use of non-downloadable cloud-based software for detecting and identifying access to computer networks and resources, performing vulnerability scans, and penetration testing; Computer software consultation, namely, providing an online, automated, on-demand service for identifying exploitable vulnerabilities in software.
A method for securing cloud applications is described. The method may include establishing a connection between a cloud application isolation portal, a cloud access security broker, and a cloud application based on an indication of the cloud application and a set of credentials associated with an end user of the cloud application, and managing, via the cloud application isolation portal and the cloud access security broker, a session between the cloud application and a computing device associated with the end user based on the connection between the cloud application isolation portal with the cloud access security broker and the cloud application.
H04L 67/60 - Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
H04L 67/10 - Protocols in which an application is distributed across nodes in the network
Machine learning adversarial campaign mitigation on a computing device. The method may include deploying an original machine learning model in a model environment associated with a client device; deploying a classification monitor in the model environment to monitor classification decision outputs in the machine learning model; detecting, by the classification monitor, a campaign of adversarial classification decision outputs in the machine learning model; applying a transformation function to the machine learning model in the model environment to transform the adversarial classification decision outputs to thwart the campaign of adversarial classification decision outputs; determining a malicious attack on the client device based in part on detecting the campaign of adversarial classification decision outputs; and implementing a security action to protect the computing device against the malicious attack.
42 - Scientific, technological and industrial services, research and design
Goods & Services
Computer software cybersecurity vulnerabilities risk assessment services; Computer security services in the nature of network security assessments; providing temporary use of non-downloadable cloud-based software for detecting and identifying access to computer networks and resources, performing vulnerability scans, and application security penetration testing; Computer software consultation, namely, providing an online, automated, on-demand service for identifying exploitable vulnerabilities in software
12.
Knowledge-aware detection of attacks on a client device conducted with dual-use tools
Knowledge-aware detection of attacks on a client device conducted with dual-use tools. A method may include obtaining dual-use tool data related to a plurality of dual-use tools; collecting from a client device, by the computing device, user input related to the use of a dual-use tool of the plurality of dual-use tools; determining that the user input contains a feature of the dual-use tool data; creating a behavioral index of the user input, the behavioral index stored on the client device; detecting new input on the client device; determining a similarity level between the user input and the new input; flagging a malicious attack on the client device based on determining that the similarity level does not satisfy a pre-determined threshold; and implementing a security action on the client device based on flagging the malicious attack.
42 - Scientific, technological and industrial services, research and design
Goods & Services
Computer software cybersecurity vulnerabilities risk assessment services; Computer security services in the nature of network security assessments; providing temporary use of non-downloadable cloud-based software for detecting and identifying access to computer networks and resources, performing vulnerability scans, and application security penetration testing; Computer software consultation, namely, providing an online, automated, on-demand service for identifying exploitable vulnerabilities in software
14.
Secure access to a corporate web application with translation between an internal address and an external address
Secure access to a corporate application with translation between an internal address and an external address. In some embodiments, a method may include receiving, at a secure access cloud point of delivery (PoD), from a client application on a client device, a request to access a corporate web application that is deployed in a corporate datacenter. The method may also include forwarding, from the secure access cloud PoD, to a connector that is also deployed in the corporate datacenter, the request to access the corporate web application. The method may further include brokering, by the connector and the secure access cloud PoD, authentication of a user, authorization of access by the user, and a secure communication session between the client application and the corporate web application by translating between an internal address of the corporate web application and an external address of the corporate web application.
09 - Scientific and electric apparatus and instruments
42 - Scientific, technological and industrial services, research and design
Goods & Services
(1) Downloadable computer programs for project management, product management, work collaboration, information technology portfolio management, and business process management (1) Non-downloadable, cloud-based computer programs for project management, product management, work collaboration, information technology portfolio management, and business process management
42 - Scientific, technological and industrial services, research and design
Goods & Services
(1) Software as a service (SAAS) services featuring software for project management, product management, work collaboration, and software development and implementation
09 - Scientific and electric apparatus and instruments
42 - Scientific, technological and industrial services, research and design
Goods & Services
Downloadable computer programs for project management, product management, work collaboration, information technology portfolio management, and business process management, all aforementioned goods only in the context of financial investment management software and not in the context of security, law-enforcement, defense and military software. Providing online, non-downloadable, cloud-based computer programs for project management, product management, work collaboration, information technology portfolio management, and business process management, all aforementioned services only in the context of financial investment management software and not in the context of security, law-enforcement, defense and military software.
42 - Scientific, technological and industrial services, research and design
Goods & Services
Software as a service (SAAS) services featuring software for project management, product management, work collaboration, and software development and implementation.
19.
Open source vulnerability prediction with machine learning ensemble
A system to create a stacked classifier model combination or classifier ensemble has been designed for identification of undisclosed flaws in software components on a large-scale. This classifier ensemble is capable of at least a 54.55% improvement in precision. The system uses a K-folding cross validation algorithm to partition a sample dataset and then train and test a set of N classifiers with the dataset folds. At each test iteration, trained models of the set of classifiers generate probabilities that a sample has a flaw, resulting in a set of N probabilities or predictions for each sample in the test data. With a sample size of S, the system passes the S sets of N predictions to a logistic regressor along with “ground truth” for the sample dataset to train a logistic regression model. The trained classifiers and the logistic regression model are stored as the classifier ensemble.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
42 - Scientific, technological and industrial services, research and design
Goods & Services
Software as a service (SAAS) services featuring software for project management, product management, work collaboration, and software development and implementation
09 - Scientific and electric apparatus and instruments
42 - Scientific, technological and industrial services, research and design
Goods & Services
Downloadable computer programs for project management, product management, work collaboration, information technology portfolio management, and business process management; all aforementioned goods/services only in the context of financial investment management software and not in the context of security, law-enforcement, defense and military software Non-downloadable, cloud-based computer programs for project management, product management, work collaboration, information technology portfolio management, and business process management; all aforementioned goods/services only in the context of financial investment management software and not in the context of security, law-enforcement, defense and military software
22.
Systems and methods for producing adjustments to malware-detecting services
The disclosed computer-implemented method for producing adjustments to malware-detecting services may include (1) receiving, from a plurality of malware-detecting services executing on a plurality of client computing devices, a respective plurality of probability scores with corresponding model identifiers for an analyzed file and a plurality of respective identifiers describing the malware-detecting services, (2) building a training dataset from at least a portion of the received plurality of probability scores with corresponding model identifiers, and (3) performing a security action including (A) training, with the training dataset, a malware-detecting linear regression ensemble machine learning model that is specific to an identifier in the plurality of identifiers and (B) sending the trained linear regression ensemble machine learning model to one of the plurality of malware-detecting services executing on one of the client computing devices. Various other methods, systems, and computer-readable media are also disclosed.
Techniques are disclosed relating to increasing the amount of training data available to machine learning algorithms. A computer system may access an initial set of training data that specifies a plurality of sequences, each of which may define a set of data values. The computer system may amplify the initial set of training data to create a revised set of training data. The amplifying may include identifying sub-sequences of data values in ones of the plurality of sequences in the initial set of training data and using an inheritance algorithm to create a set of additional sequences of data values, where each one of the set of additional sequences may include sub-sequences of data values from at least two different sequences in the initial set of training data. The computer system may process the set of additional sequences using the machine learning algorithm to train a machine learning model.
Secure access to a corporate application in an SSH session using a transparent SSH proxy. In some embodiments, a method may include receiving, at a secure access cloud point of delivery (PoD), from a client application on a client device, a request to access a corporate application that is deployed in a corporate datacenter. The method may also include forwarding, from the secure access cloud PoD, to a connector that is also deployed in the corporate datacenter, the request. The method may further include brokering, by the connector and the secure access cloud PoD, authentication of a user, authorization of access by the user, and an SSH session between the client application and the corporate application using a transparent SSH proxy, with the client application being unaware that the SSH session is brokered by the connector and the secure access cloud PoD.
Secure access to a corporate application using a facade. In some embodiments, a method may include receiving, at a secure access cloud point of delivery (PoD), from a client application on a client device, a request to access a corporate application that is deployed in a corporate datacenter. The method may also include creating, at the secure access cloud PoD, a facade representing the corporate application. The method may further include forwarding, from the facade, to a connector that is also deployed in the corporate datacenter, the request. The method may also include brokering, by the connector and the facade, authentication of a user, authorization of access by the user, and a secure communication session between the client application and the corporate application via the facade, with the client application being unaware that the secure communication session is brokered by the connector and the facade.
The disclosed computer-implemented method for dynamically augmenting machine learning models based on contextual factors associated with execution environments may include (1) generating a base machine learning model and a supplemental set of machine learning models, (2) determining at least one contextual factor associated with an execution environment of a machine learning system that is configured to make predictions regarding a set of input data using at least the base machine learning model, (3) selecting, based on the contextual factor, a continuation set of machine learning models from the supplemental set of machine learning models, and (4) directing the machine learning system to utilize both the base machine learning model and the continuation set of machine learning models when making predictions regarding the set of input data. Various other methods, systems, and computer-readable media are also disclosed.
G06K 9/62 - Methods or arrangements for recognition using electronic means
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
Secure access to a corporate application with translation between an internal address and an external address. In some embodiments, a method may include receiving, at a secure access cloud point of delivery (PoD), from a client application on a client device, a request to access a corporate web application that is deployed in a corporate datacenter. The method may also include forwarding, from the secure access cloud PoD, to a connector that is also deployed in the corporate datacenter, the request to access the corporate web application. The method may further include brokering, by the connector and the secure access cloud PoD, authentication of a user, authorization of access by the user, and a secure communication session between the client application and the corporate web application by translating between an internal address of the corporate web application and an external address of the corporate web application.
G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
The disclosed computer-implemented method for protecting a cloud computing device from malware may include (i) intercepting, at a computing device, a malicious attempt by the malware to (A) access sensitive information in an encrypted file stored on the computing device and (B) send the sensitive information to the cloud computing device and (ii) performing, responsive to the attempt to access the encrypted file, a security action. Various other methods, systems, and computer-readable media are also disclosed.
A method for identifying suspicious activity on a monitored computing device is described. In one embodiment, the method may include monitoring a local procedure call interface of the monitored computing device, identifying, based at least in part on the monitoring, a remote procedure call (RPC) of a suspicious process, the RPC being transmitted over a local procedure call message of the local procedure call interface, analyzing the RPC of the suspicious process, and performing a security action based at least in part on the analyzing.
The disclosed computer-implemented method for detecting code implanted into a published application may include retrieving a published version of an application and a source version of the application, and determining, based on an analysis of the source version and the published version, a transformation process for transforming from the source version to the published version. The method may also include performing the transformation process on the source version to produce a build version, comparing the build version with the published version, and identifying, based on the comparison, implanted code in the published version. The method may further include performing, in response to identifying the implanted code, a security action. Various other methods, systems, and computer-readable media are also disclosed.
The disclosed computer-implemented method for malware detection using localized machine learning may include (i) generating a global score for a file using a global machine learning model, (ii) generating a localized score for the file using a localized machine learning model, (iii) determining that the file is malware using the global score, the localized score, and the local conviction threshold, and (iv) in response to determining that the file is malware, performing a security action to protect the computing device against malware. Various other methods, systems, and computer-readable media are also disclosed.
e.ge.g., removed or obfuscated) without impacting AST structure. Deidentified remediation knowledge originating from different organizations is used to train a fix suggestion model(s) which learns structural context of fixes and corresponding flaws and, once trained, generates predictions indicating suggested fixes to flaws based on structural contexts of the flaws. Deidentification can occur before training of the fix suggestion model(s) or during prediction so potentially identifying program code is removed before suggested fixes are consumed by different organizations.
The disclosed computer-implemented method for managing a need-to-know domain name system may include (i) intercepting, by an agent of the computing device, network traffic received on the computing device, (ii) generating, by the agent, a one-time password based on a unique identifier of the agent of the computing device, (iii) wrapping, by the agent, the network traffic with the one-time password, and (iv) pushing, by the agent, the wrapped network traffic to a cloud server using a local domain name system (DNS) of the agent of the computing device, wherein the local DNS comprises a private domain name unpublished in a global DNS. Various other methods, systems, and computer-readable media are also disclosed.
With invocations of a software development pipeline, organization specific remediations/fixes for a software project can be learned from scanning results of code submissions (e.g., commits or merges) across an organization for a software project(s). Fixes of detected program code flaws can be detected and/or specified across scans and associated with flaw identifiers and used for training machine learning models to identify candidate fixes for detected flaws. This ongoing learning during development propagates fixes created or chosen by experts (e.g., software engineers working on the software project) relevant to the software project. The experts can choose from suggestions mined from the learned fixes of the organization and suggestions generated from a pipeline created with the trained machine learning models. The selections are then used for further training of the machine learning models that form the pipeline.
Telemetry data from client file reputation queries is collected over time. Directories/sub-directories under which files of queries are located are identified. The files including the reputations for the files under a given directory/sub-directory are identified and used to calculate the reputation score for the directory/sub-directory. The directory/sub-directory is then classified based on the calculated score for the directory/sub-directory. After the classification of directories/sub-directories, reputation for a file with unknown reputation is then determined based on the classification of the directory/sub-directory under which the file is located.
Pre-filtering detection of an injected script on a webpage accessed by a computing device. The method may include receiving an indication of access to the webpage at a web browser of the computing device; identifying a web form associated with the webpage; determining that the webpage has been previously visited by the computing device; recording at least one current domain associated with at least one current object request made by the web form; determining a difference of a count of the at least one current domain associated with the at least one current object request and a count of at least one historical domain associated with at least one historical object request previously made by the webpage; identifying the webpage as suspicious based on determining that the difference is greater than zero and less than a domain threshold; and initiating a security action on the webpage based on the identifying.
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
Identifying and protecting against an attack against an anomaly detector machine learning classifier (ADMLC). In some embodiments, a method may include identifying training data points in a manifold space for an ADMLC, dividing the manifold space into multiple subspaces, merging each of the training data points into one of the multiple subspaces, training a subclassifier for each of the multiple subspaces to determine a decision boundary for each of the multiple subspaces between normal training data points and anomalous training data points, receiving an input data point into the ADMLC, determining whether the input data point is an attack on the ADMLC due to a threshold number of the subclassifiers classifying the input data point as an anomalous input data point, and, in response to identifying the attack against the ADMLC, protecting against the attack.
A computer-implemented method for detecting and protecting against malicious use of legitimate computing-system tools may include (i) identifying a computing-system tool that can perform benign actions and malicious actions on a computing system, (ii) creating a set of recorded actions by recording actions performed by the computing-system tool on the computing system over a predetermined period of time, (iii) analyzing the set of recorded actions via a machine learning method that, for each action in the set of recorded actions, determines whether the action is anomalous compared to other actions in the set, (iv) classifying an action in the set of recorded actions as malicious based at least in part on determining that the action is anomalous, and (v) initiating, in response to classifying the action as malicious, a security action related to the action. Various other methods, systems, and computer-readable media are also disclosed.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
39.
Identifying and mitigating harm from malicious network connections by a container
Identifying and mitigating harm from malicious network connections by a container. In some embodiments, a method may include receiving, from a shim, notifications of all network connections that a container has sought to establish through the shim. The method may also include monitoring all actual network connections established by the container. The method may further include comparing the notifications to the actual network connections to determine whether any actual network connection established by the container bypassed the shim. The method may also include, in response to determining that any actual network connection established by the container bypassed the shim, identifying the network connection established by the container that bypassed the shim as a malicious network connection, and performing a security action to mitigate harm from the malicious network connection.
To support adding functionality to applications at a layer of abstraction above language-specific implementations of AOP, a language for implementing AOP facilitates runtime monitoring and analysis of an application independent of the language of the application. Aspects can be created for applications written in any supported language. Program code underlying implementations of aspects can be executed based on detecting triggering events during execution of the application. Routines written with the AOP language comprise event-based aspect code triggers that indicate an event which may occur during execution of the application and the associated aspect code to be executed. An agent deployed to a runtime engine to monitor the application detects events and evaluates contextual information about the detected events against the aspect triggers to determine if aspect code should be executed to perform further monitoring and analysis of the executing application.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
G06F 11/36 - Preventing errors by testing or debugging of software
To facilitate runtime monitoring and analysis of an application without modifying the actual application code, an agent monitors and analyzes an application through detection and evaluation of invocations of an API of a runtime engine provided for execution of the application. The agent registers to receive events which are generated upon invocation of target functions of the runtime engine API based on its load. Once loaded, the agent initially determines the language and language version number of the runtime engine. The agent determines associations of events for which to monitor and corresponding analysis code to execute upon detection of the invocations based on the language and version number information. When the agent detects an event during execution of the application based on invocations of the runtime engine API, the agent can monitor and analyze execution of the application based on execution of analysis code corresponding to the detected event.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
G06F 11/36 - Preventing errors by testing or debugging of software
The disclosed computer-implemented method for utilizing metadata for protecting against the sharing of images in a computing network may include (i) identifying an image file stored in a public folder on a computing device, (ii) storing a copy of the image file within a secure data storage application, (iii) encoding metadata for revealing an image in the image file, (iv) performing a security action that protects against sharing the image file from the public folder by masking the image in the image file with the encoded metadata, and (v) rendering the image in the image file as an unmasked version of the image from the image file or the copy of the image file in the secure data storage application by decoding the metadata utilized to mask the image. Various other methods, systems, and computer-readable media are also disclosed.
Methods, systems, and devices for protecting against abnormal computer behavior are described. The method may include monitoring a computer process related to an application running on a computing device of one or more computing devices, analyzing a database including a set of digital fingerprints, where a digital fingerprint of the set of digital fingerprints relates to the application, the digital fingerprint including an indication of a set of computer processes related to the application that are classified as normal computer processes for the application, determining that the computer process related to the application is an abnormal computer process based on analyzing, and performing a security action on the computing device to protect the computing device against the abnormal computer process based on the determining.
Methods and systems are provided for automatically generating malware definitions and using generated malware definitions. One example method generally includes receiving information associated with a malicious application and extracting malware strings from the malicious application. The method further includes filtering the malware strings using a set of safe strings to produce filtered strings and scoring the filtered strings to produce string scores by evaluating words of the filtered strings based on word statistics of a set of known malicious words. The method further includes selecting a set of candidate strings from the filtered strings based on the string scores and generating a malware definition for the malicious application based on the set of candidate strings. The method also includes performing one or more security actions to protect against the malicious application, using the malware definition.
The disclosed computer-implemented method for safely executing unreliable malware may include (i) intercepting a call to an application programming interface (API) in a computing operating system, the API being utilized by malware for disseminating malicious code, (ii) determining an incompatibility between the API call and the computing operating system that prevents successful execution of the API call, (iii) creating a proxy container for receiving the API call, (iv) modifying, utilizing the proxy container, the API call to be compatible with the computing operating system, (v) sending the modified API call from the proxy container to the computing operating system for retrieving the API utilized by the malware, and (vi) performing a security action during a threat analysis of the malware by executing the API to disseminate the malicious code in a sandboxed environment. Various other methods, systems, and computer-readable media are also disclosed.
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
46.
Systems and methods for protecting against malicious content
The disclosed computer-implemented method for protecting against malicious content may include intercepting, by a security application installed on the computing device, an original message intended for a target application installed on the same computing device. The original message may include potentially malicious content. The security application may forward the original message to a security service. The computing device may receive a clean message from the security service, wherein the clean message includes a safe representation of the potentially malicious content. Various other methods, systems, and computer-readable media are also disclosed.
The disclosed computer-implemented method for managing endpoint security states using passive data integrity attestations may include (i) receiving passively collected network data from an endpoint device of a computing environment, (ii) determining a security state of the endpoint device using the passively collected network data from the endpoint device, (iii) determining that the security state of the endpoint device is below a threshold, and (iv) in response to determining that the security state of the endpoint device is below a threshold, performing a security action to protect the computing environment against malicious actions. Various other methods, systems, and computer-readable media are also disclosed.
The present disclosure relates to using correlations between support interaction data and telemetry data to discover emerging incidents for remediation. One example method generally includes receiving a corpus of support interaction data and a corpus of telemetry data. Topics indicative of underlying problems experienced by users of an application are extracted from the corpus of support interaction data. A topic having a rate of appearance in the support interaction data above a threshold value is identified. A set of telemetry data relevant to the topic is extracted from the corpus of telemetry data, and a subset of the relevant set of telemetry data having a frequency in the relevant set of telemetry data above a second threshold value is identified. The topic and the subset of telemetry data are correlated to an incident to be remediated, and one or more actions are taken to remedy the incident.
To facilitate runtime monitoring and analysis of an application without modifying the actual application code, an agent monitors and analyzes an application through detection and evaluation of invocations of an API of a runtime engine provided for execution of the application. The agent registers to receive events which are generated upon invocation of target functions of the runtime engine API based on its load. Once loaded, the agent initially determines the language and language version number of the runtime engine. The agent determines associations of events for which to monitor and corresponding analysis code to execute upon detection of the invocations based on the language and version number information. When the agent detects an event during execution of the application based on invocations of the runtime engine API, the agent can monitor and analyze execution of the application based on execution of analysis code corresponding to the detected event.
To support adding functionality to applications at a layer of abstraction above language-specific implementations of AOP, a language for implementing AOP facilitates runtime monitoring and analysis of an application independent of the language of the application. Aspects can be created for applications written in any supported language. Program code underlying implementations of aspects can be executed based on detecting triggering events during execution of the application. Routines written with the AOP language comprise event-based aspect code triggers that indicate an event which may occur during execution of the application and the associated aspect code to be executed. An agent deployed to a runtime engine to monitor the application detects events and evaluates contextual information about the detected events against the aspect triggers to determine if aspect code should be executed to perform further monitoring and analysis of the executing application.
The disclosed computer-implemented method for executing decision trees may include (i) executing a security classification decision tree that classifies an input data item, (ii) gathering, simultaneously using a gather instruction, values for both a current threshold at a parent node of the security classification decision tree and a subsequent threshold at a child node of the parent node, (iii) gathering, simultaneously using the gather instruction, values for both a current measurement at the parent node and a subsequent measurement at the child node, (iv) comparing, simultaneously using a comparison instruction, the current threshold at the parent node with the current measurement at the parent node and the subsequent threshold at the child node with the subsequent measurement at the child node, and (v) performing a security action to protect the computing device. Various other methods, systems, and computer-readable media are also disclosed.
The disclosed computer-implemented method for protection of storage systems using decoy data may include identifying an original file comprising sensitive content to be protected against malicious access and protecting the sensitive content. Protecting the sensitive content may include (i) processing the original file to identify a structure of the original file and the sensitive content of the original file, (ii) generating a decoy file using the structure of the original file and using substitute content in a location corresponding to the sensitive content of the original file, and (iii) storing the decoy file with the original file. Various other methods, systems, and computer-readable media are also disclosed.
In some embodiments, a computing system includes a communication interface; and a processor that is coupled to the communication interface. In some embodiments, least one of the communication interface or the processor receives a network packet from the network via a network adapter port; encapsulates the received network packet with a tunnel header, wherein the tunnel header comprises network identifier information identifying the network adapter port; addresses, based on the network identifier information, an outer Internet protocol (IP) header of the encapsulated network packet with an outer IP address corresponding to a network function in a first computing device; and sends the encapsulated network packet toward the network function identified by the outer IP address.
The disclosed computer-implemented method for detecting covert channels structured in Internet Protocol (IP) transactions may include (1) intercepting an IP transaction including textual data and a corresponding address, (2) evaluating the textual data against a model to determine a difference score, (3) determining that the textual data is suspicious when the difference score exceeds a threshold value associated with the model, (4) examining, upon determining that the textual data is suspicious, the address in the transaction to determine whether the address is invalid, (5) analyzing the transaction to determine a frequency of address requests that have been initiated from a source address over a predetermined period, and (6) identifying the transaction as a covert data channel for initiating a malware attack when the address is determined to be invalid and the frequency of the address requests exceeds a threshold value. Various other methods, systems, and computer-readable media are also disclosed.
Isolating an iframe of a webpage. In one embodiment, a method may include targeting an iframe in a webpage for isolation, executing, in a server browser, iframe code, sending, from the remote isolation server to the local client, the webpage with the iframe code of the iframe replaced with isolation code, executing, in a client browser, webpage code and the isolation code, intercepting, in the client browser, webpage messages sent from the webpage code and intended to be delivered to the iframe, sending, to the remote isolation server, the intercepted webpage messages to be injected into the iframe code executing at the server browser, intercepting, at the server browser, iframe messages sent from the iframe code and intended to be delivered to the webpage, and sending, to the local client, the intercepted iframe messages to be injected into the webpage code executing at the client browser.
A cloud device is configured in an email transmission pathway. The cloud device receives an email attachment whose maliciousness status is determined to be unknown. The cloud device encrypts the email attachment and delivers the encrypted attachment to the recipient. When the recipient attempts to access the encrypted attachment, the cloud device re-determines the maliciousness status of the attachment. If the re-determined maliciousness status is benign, the cloud device allows the encrypted attachment to be decrypted and opened locally on the recipient's device. If the re-determined maliciousness status is still unknown, the cloud device provides a cloud-based viewing solution to the recipient using an isolation service.
A method for detecting and protecting against abnormal user behavior is described. The method may include generating a tensor model based on a set of user information within a temporal period. The tensor model may include a behavioral profile associated with a user of a set of users. In some examples, the method may include determining that a behavior associated with the user of the set of users is abnormal based on the tensor model, adapting the tensor model based on feedback from an additional user of a set of additional users different from the set of users, and performing a security action on at least one computing device to protect against the abnormal user behavior based on the adapting.
The disclosed computer-implemented method for preventing data loss from data containers may include (1) identifying, at a computing device, a process running in a data container on the computing device, (2) intercepting an attempt by the process to exfiltrate information from the computing device via at least one of a file system operation or a network operation, and (3) performing a security action to prevent the intercepted attempt. Various other methods, systems, and computer-readable media are also disclosed.
Detecting and protecting against computing breaches based on lateral movement of a computer file within an enterprise. A method may include obtaining data associated with an existence a computer file in a first computing device and a second computing device of an enterprise, detecting a pattern of lateral movement of the computer from the first computing device to the second computing device over a predetermined period of time, based on the data, calculating a likelihood score that the computer file is malicious based on the detected pattern, determining that the likelihood score satisfies a predetermined breach threshold, and in response to determining that the likelihood score satisfies the predetermined breach threshold, initiating remedial action on the computer file to protect the enterprise against the computer file.
The disclosed computer-implemented method for preserving system contextual information in an encapsulated packet may include (1) receiving, at a computing device, a network packet from the network via a network adapter port, (2) encapsulating the received network packet with a tunnel header, where a network identifier field in the tunnel header comprises information identifying the network adapter port, (3) determine an outer Internet protocol (IP) address for the encapsulated network packet, where the destination IP address corresponds to a destination on the network, (4) addressing an outer header of the encapsulated network packet with the IP address, and (5) sending the encapsulated network packet toward the destination identified by the destination IP address. Various other methods, systems, and computer-readable media are also disclosed.
The disclosed computer-implemented method for tuning application network behavior may include identifying an application for a closed operating system. The closed operating system may prevent applications from implementing machine-level traffic control for network traffic. The method may include determining an expected network behavior of the application, intercepting network traffic of the application on the closed operating system, determining whether the intercepted network traffic conforms to the expected network behavior, and modifying, based on the determining whether the intercepted network traffic conforms to the expected network behavior, the network traffic. Various other methods, systems, and computer-readable media are also disclosed.
A computer-implemented method for preventing electronic form data from being electronically transmitted to untrusted domains may include (i) identifying a web page that includes an electronic form with field for data entry, (ii) detecting that the web page is electronically sending first and second messages that each include data from the field of the electronic form and that are directed to first and second destinations, respectively, (iii) determining that the first destination includes an untrusted destination, and (iv) blocking the web page from electronically sending the data from the field of the electronic form to the untrusted destination by blocking the first message from being electronically sent. Various other methods, systems, and computer-readable media are also disclosed.
G06F 21/51 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
H04L 29/06 - Communication control; Communication processing characterised by a protocol
The disclosed computer-implemented method for providing an integrated cyber threat defense exchange platform may include (i) receiving unnormalized security data from a plurality of disparate security data sources that generate security data in differing formats, (ii) normalizing, using a security data schema, the unnormalized security data into normalized security data, (iii) identifying a security action that is responsive to at least one security event identified within the normalized security data, and (iv) coordinating performance of the security action within a plurality of networked computing devices. Various other methods, systems, and computer-readable media are also disclosed.
The disclosed computer-implemented method for protecting website visitors may include (i) retrieving an instance of a website that was dynamically generated by aggregating multiple website subcomponents, (ii) decomposing the instance of the website into the multiple website subcomponents, (iii) checking whether a website subcomponent has been previously scanned by a security scanner, (iv) accelerating a review of the instance of the website by reusing results of a previous scan of the website subcomponent that was performed in response to retrieving a different instance of the website subcomponent rather than performing an original scan of the website subcomponent, and (v) protecting a visitor of the website by modifying a display of the instance of the website based on the accelerated review of the instance of the website that reused results of the previous scan of the website subcomponent. Various other methods, systems, and computer-readable media are also disclosed.
Methods and systems are provided for generating a security profile for a new computing system. One example method generally includes obtaining, over a network, information associated with a plurality of existing computing systems and generating, by a clustering algorithm, a set of clusters based on the information associated with the plurality of existing computing systems. The method further includes obtaining external data associated with the computing system and classifying the computing system into a cluster in the set of clusters based on the external data associated with the computing system. The method further includes determining the security profile based on statistics associated with the cluster and transmitting, over the network, an indication of the security profile.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
66.
Systems and methods for preventing sharing of sensitive content in image data on a closed computing platform
The disclosed computer-implemented method for preventing sharing of sensitive content in image data on a closed computing platform may include (i) detecting initiation of a network connection for sending network traffic data to a data storage service on the closed computing platform, (ii) monitoring the sending of the network traffic data to identify a target traffic indicator associated with image data, (iii) interrupting the sending of the network traffic data upon identifying the target traffic indicator, (iv) analyzing the image data to identify sensitive content, and (v) performing a security action that protects against the sensitive content being shared to the data storage service on the closed computing platform. Various other methods, systems, and computer-readable media are also disclosed.
Image quality optimization during remote isolated sessions. In one embodiment, a method may include a remote isolation server receiving, at a remote isolation server, a request from a local browser on a local network device to obtain webpage data from a webserver, requesting, from the webserver, the webpage data, receiving, from the webserver, the requested webpage data, rendering a first image of the requested webpage data, storing a first copy of the first image of the requested webpage data in memory associated with the remote isolation server, compressing a first portion of the first image using a first compression method, sending, from the remote isolation server, the compressed first portion of the first image to the local browser, compressing a second portion of the first image using a second compression method, and sending the compressed second portion of the first image to the local browser.
Methods and systems are provided for detecting malware. One example method generally includes receiving a reference dataset comprising an aggregation of probability distributions of a plurality of intra-file patterns for a plurality of files of at least a first class and applying a logical query to the reference dataset to generate a template distribution with probability distributions of the plurality of intra-file patterns calculated according to one or more logical operators in the logical query. The method further includes detecting a likely presence of malware in a computer file by indicating one or more areas in the computer file based on at least a portion of the calculated probability distributions of the plurality of intra-file patterns in the template distribution.
Secure Quarantine of Potentially Malicious Content. In one embodiment, a method for secure quarantine of potentially malicious content may include receiving a computer file from a third party, preventing the computer file from initially being accessed by a user associated with the computing device, collecting metadata from the computer file, encrypting the file and the collected metadata using a first encryption key, creating an encrypted computer file, encrypting the first encryption key using an asymmetric key, embedding the encrypted computer file into a new computer file, wherein at least one file object that is in the encrypted computer file is removed from the new computer file, enabling user access to the new computer file and the embedded encrypted computer file.
H04L 9/06 - Arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for blockwise coding, e.g. D.E.S. systems
In one embodiment, a method for electronic document sanitization may include receiving a first request from a client device to send a first electronic document, the first request including a requested usability level of the first electronic document, removing at least one document object from the first electronic document, the document object having potentially malicious content, the removing based at least in part on receiving the first request, and transmitting the first electronic document to the client device after removing the at least one document object therefrom.
G06F 12/14 - Protection against unauthorised use of memory
H04L 29/06 - Communication control; Communication processing characterised by a protocol
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 3/0484 - Interaction techniques based on graphical user interfaces [GUI] for the control of specific functions or operations, e.g. selecting or manipulating an object, an image or a displayed text element, setting a parameter value or selecting a range
The disclosed computer-implemented method for improving performance of cascade classifiers for protecting against computer malware may include receiving a training dataset usable to train a cascade classifier of a machine-learning classification system. A sample to add to the training dataset may be received. A weight for the sample may be calculated. The training dataset may be modified using the sample and the weight. A weighted training for the cascade classifier of the machine-learning classification system may be performed using the modified training dataset. Computer malware may be identified using the cascade classifier. In response to identifying the computer malware, a security action may be performed to protect the one or more computing devices from the computer malware. Various other methods, systems, and computer-readable media are also disclosed.
In one embodiment, a computer-implemented method for using customer context to detonate malware may be performed by one or more computing devices, each comprising one or more processors. The method may include receiving an artefact associated with a first device being targeted by malware, simulating in a controlled environment attributes of the first device based at least in part on the artefact, executing the malware in the controlled environment while the attributes of the first device are being simulated, and performing a security action with respect to the malware based at least in part on the execution of the malware in the controlled environment.
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
The disclosed computer-implemented method for identifying users may include (i) detecting that a user at an endpoint computing device is connecting to an identity provider, (ii) detecting, after detecting that the user at the endpoint computing device is connecting to the identity provider, that a mobile device has received a second-factor authentication message, (iii) discovering, by a security service, that the user at the endpoint computing device matches a known user profile registered to the mobile device by correlating the user at the endpoint computing device connecting to the identity provider with the mobile device receiving the second-factor authentication message, and (iv) applying a security policy to the user at the endpoint computing device based on the known user profile matched to the user by the security service. Various other methods, systems, and computer-readable media are also disclosed.
Systems, apparatuses, methods, and computer readable mediums for implementing an email deception service. A system includes one or more processors coupled to one or more memories storing program instructions. The program instructions are executable by the processor(s) to scan live emails for suspicious emails. The suspicious emails are emails with phishing links, business compromise emails, emails with malware attachments, and so on. When a suspicious email is detected, the processor(s) execute the program instructions to interact with the suspicious email in a way that mimics an end-user. A set of decoy credentials are provided to an attacker during the interaction, and then a decoy account is monitored for accesses by the attacker using the decoy credentials. Accesses to the decoy account are monitored and recorded to obtain intelligence on the attacker.
A method and apparatus utilize a peer-to-peer network of security nodes collectively adhering to a protocol for inter-node communication. The system is comprised a plurality of first security nodes, at least one second security node, and at least one third security node. The plurality of first security nodes receive at least one of pre-trained detection models and rules, monitor at least one of a blockchain and connected devices for malicious behavior based on the received at least one of pre-trained detection models and rules, and report the malicious behavior. The at least one second security node creates and communicates the at least one of pre-trained detection models and rules to the plurality of first security nodes. The at least one third security node is informed by the at least one second security node of the reported malicious behavior.
At least a static analysis and a dynamic analysis to perform for a first software application are determined based, at least in part, on a profile of the first software application. The first software application is analyzed with the static analysis to generate static analysis results. The first software application is analyzed with dynamic analysis to generate dynamic analysis results. An assessment report is generated based on the static analysis results and the dynamic analysis results, wherein the assessment report indicates a security score of the first software application that is based, at least in part, on the static analysis results and the dynamic analysis results.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
G06F 11/36 - Preventing errors by testing or debugging of software
A computer-implemented method for server load control may include: (a) receiving a request of a first type or a second type; (b) transmitting a response of a form that will not be processed by the second computer, thereby reducing the load on a third computer, when the request is of the first type, and that will be processed by the second computer when the request is of the second type; and (c) when the request is of the second type and the response is processed by the second computer, receiving a message from the second computer that results from the processed response and indicates that the request is not of the first type. Various other methods, systems, and computer-readable media are also disclosed.
Protecting a network device from malicious executable code embedded in a computer document. In one embodiment, a method may include detecting executable code embedded in a computer document stored on a network device. The method may also include detecting a potential hoax object in the computer document. The method may further include determining that the potential hoax object is a hoax object by determining that the potential hoax object includes a message enticing a user to enable execution of the executable code. The method may also include, in response to determining that the potential hoax object is a hoax object, concluding that the executable code is malicious and performing a security action on the network device that secures the network device from the malicious executable code.
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 21/52 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure
G06F 21/55 - Detecting local intrusion or implementing counter-measures
A set of DLP rules are enforced to prevent loss of biometric data on a computing device. Attempts to perform operations targeting biometric data are detected, and the specific biometric data being targeted is identified. It is determined whether given attempted operations targeting biometric data are permitted, according to the set of DLP rules. This can take the form of enforcing DLP rules governing attempted operations based on factors such as the type of biometric data, quantity of biometric data, quality of biometric data, target of an attempt to transmit biometric data, specific users and/or applications that initiated attempted operations, specific people represented by the biometric data, relationships between them, etc. In response to determining that a specific attempted operation targeting biometric data is not permitted according to the DLP rules, the operation is blocked. If the DLP rules do not prohibit the operation, its execution is permitted.
Disclosed are methods for tracking consumer transactions from a non-mainframe environment into a mainframe environment. The methods provide for carryover of consumer data from the non-mainframe environment into a mainframe environment.
A computer-implemented method for controlling access to credentials may include (i) maintaining, by a computing device, a set of applications for which attempting to access digital credentials comprises anomalous behavior, (ii) monitoring, by the computing device, each application within the set of applications for attempts to access digital credentials, (iii) automatically detecting, while monitoring for attempts to access digital credentials, an attempt of an application in the set of applications to access a digital credential, and (iv) performing, in response to detecting the attempt to access the digital credential, a security action to secure the digital credential. Various other methods, systems, and computer-readable media are also disclosed.
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
The disclosed computer-implemented method for detecting geolocation-aware malware may include (1) receiving, by a computing device, trajectory information for network traffic carrying geolocation-aware malware, (2) identifying, from the trajectory information, a target geolocation characteristic required to activate the geolocation-aware malware, (3) establishing, on an image of a user machine, an execution environment having the target geolocation characteristic, (4) running, on the image of the user machine, the geolocation-aware malware, and (5) analyzing functioning of the geolocation-aware malware to identify malicious activity by the geolocation-aware malware. Various other methods, systems, and computer-readable media are also disclosed.
42 - Scientific, technological and industrial services, research and design
Goods & Services
Software as a Service (SAAS) services featuring cloud software security services, namely, monitoring of cloud services usage, controlling per-user access, governance and auditing of cloud services, data security, information protection, data loss prevention, management of security policies, security analytics and forensic analysis
84.
Securely sharing a transport layer security session with one or more trusted devices
Securely sharing a Transport Layer Security (TLS) session with one or more trusted devices. In one embodiment, a method may include establishing a TLS session between a client device and a server device, communicating encrypted messages that are encrypted using encryption keys between the client device and the server device, and intercepting and decrypting one or more of the encrypted messages at a trusted device using the encryption keys. In this embodiment, the establishing of the TLS session may include negotiating a master secret, establishing a secure channel between the trusted device and the client device or the server device, sending, from the client device or the server device, the master secret to the trusted device over the secure channel, and employing the master secret at the client device, at the server device, and at the trusted device to generate, for the TLS session, the encryption keys.
H04L 29/06 - Communication control; Communication processing characterised by a protocol
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
An autonomous controller for SDN, virtual, and/or physical networks can be used to optimize a network automatically and determine new optimizations as a network scales. The controller trains models that can determine in real-time the optimal path for the flow of data from node A to B in an arbitrary network. The controller processes a network topology to determine relative importance of nodes in the network. The controller reduces a search space for a machine learning model by selecting pivotal nodes based on the determined relative importance. When a demand to transfer traffic between two hosts is detected, the controller utilizes an AI model to determine one or more of the pivotal nodes to be used in routing the traffic between the two hosts. The controller determines a path between the two hosts which comprises the selected pivotal nodes and deploys a routing configuration for the path to the network.
The disclosed computer-implemented method for evaluating security services may include (i) receiving, at a backend security server from an enterprise, multiple suspicious computing events detected within the enterprise, (ii) recording, within the backend security server, historical security information for each computing event that includes (a) a classification of the computing event as malicious or non-malicious based on a security analysis performed by the backend security server and (b) a point in time at which the classification was determined, (iii) evaluating an ability of the backend security server to detect security threats by (a) detecting an additional computing event within the enterprise and (b) determining, based on the historical security information, a point in time at which the backend security server became capable of classifying the additional computing event, and (iv) adjusting a security policy within the enterprise based on the evaluated ability of the backend security server.
A method of identifying security risks in a computer system that includes several computers executing different applications is provided. The method receives event data about threat events associated with a set of applications executing on a set of computers in the computer system. The method, for each event, compares a set of parameters associated with the event with a set of historical parameters maintained for a similar event. The method, based on the comparisons, defines a normality characterization for each event to express a probability of an exploit of the application associated with the event. The method, based on the normality characterization, defines a prioritized display of security risks due to the threat events associated with the set of application.
The disclosed computer-implemented method for detecting anomalous behavior within computing sessions may include (i) identifying, by the computing device, a set of execution events that correspond to a computing session, (ii) providing, by the computing device, the set of execution events as input to an autoencoder, (iii) receiving, by the computing device and from the autoencoder, a reconstruction error associated with autoencoding the set of execution events, (iv) detecting, by the computing device and based on the reconstruction error, an anomaly within the computing session, and (v) performing, by the computing device, a security action to address the anomaly within the computing session. Various other methods, systems, and computer-readable media are also disclosed.
The disclosed computer-implemented method for managing illegitimate authentication attempts may include (i) detecting an authentication attempt performed by a user to gain access to a protected computing environment, (ii) determining that the authentication attempt to access the protected computing environment is illegitimate, and (iii) simulating, in response to the determination, a successful attempt to authenticate to the protected computing environment by presenting the user with access to a catch-all environment that poses as the protected computing environment and that isolates the protected computing environment from the user. Various other methods, systems, and computer-readable media are also disclosed.
The disclosed computer-implemented method for creating automatic computer-generated classifications may include (i) mining webpages of entities with a known classification, (ii) using information mined from the webpages to create a classification structure that assigns class labels to entities based on entity webpage content, (iii) applying, to the classification structure, one or more webpages of a new entity with an unknown classification, (iv) receiving, from the classification structure, a class label for the new entity, and (v) performing a security action based on the new entity's class label. Various other methods, systems, and computer-readable media are also disclosed.
A method to block overlay phishing attempt is described. In one embodiment, the method includes detecting a first application displaying a page of the first application on a display of a computing device, detecting a second application displaying a page of the second application on the display of the computing device, upon detecting the second application displaying the page of the second application, comparing a schematic representation of the page of the first application to a schematic representation of the page of the second application, and determining whether an overlay phishing attempt occurs based at least in part on the comparing.
A computer-implemented method for detecting potentially malicious hardware-related anomalies may include (1) profiling a computing environment of at least one hardware component on a computing device, (2) detecting, by comparing the hardware component's profile with an expected profile for the hardware component, at least one anomaly in the hardware component's computing environment, (3) identifying additional suspicious activity on the computing device, and (4) determining, by correlating the additional suspicious activity on the computing device with the anomaly in the hardware component's computing environment, that the anomaly in the hardware component's computing environment is potentially malicious. Various other methods, systems, and computer-readable media are also disclosed.
In a method for generating narrative interface descriptions, a file including a machine-readable description of a computing interface is parsed to identify an element therein based on a property thereof. Cross-reference data including human-readable narrative information corresponding to the element is retrieved from a data source, and an embellished file is generated in which the element is modified to include the cross-reference data. Related methods, systems, and computer program products are also discussed.
API calls made by a code sample executing in an emulator are analyzed. Specific ones of the analyzed API calls are classified as meeting a threshold level of suspicion of being made by malware. In response to a specific API call being classified as meeting the threshold, a range of memory before and after the return address of the classified API call is copied to a buffer that is not accessible to the code sample. The copied range of memory in the buffer that is not accessible to the code sample is scanned, and a signature corresponding to the code sample is generated. The generated signature can be used for signature based malware detection, in order to detect one or more instances of malware. In response to detecting malware, one or more security actions can be performed.
The disclosed computer-implemented method for authenticating applications installed on computing devices may include (i) requesting to download, onto an endpoint device, an application from a host server, (ii) receiving the application from the host server after the host server has (a) generated an authentication token to be used to authenticate the application on the endpoint device and (b) embedded the authentication token within a filename of the application, (iii) installing the application onto the endpoint device, (iv) identifying the authentication token within the filename of the application, and (v) using the authentication token to authenticate the endpoint device to the application such that a user of the endpoint device is provided access to the application. Various other methods, systems, and computer-readable media are also disclosed.
H04L 29/06 - Communication control; Communication processing characterised by a protocol
G06F 21/30 - Authentication, i.e. establishing the identity or authorisation of security principals
G06F 21/51 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
An autonomous controller for SDN, virtual, and/or physical networks can be used to optimize a network automatically and determine new optimizations as a network scales. The controller trains models that can determine in real-time the optimal path for the flow of data from node A to B in an arbitrary network. The controller processes a network topology to determine relative importance of nodes in the network. The controller reduces a search space for a machine learning model by selecting pivotal nodes based on the determined relative importance. When a demand to transfer traffic between two hosts is detected, the controller utilizes an AI model to determine one or more of the pivotal nodes to be used in routing the traffic between the two hosts. The controller determines a path between the two hosts which comprises the selected pivotal nodes and deploys a routing configuration for the path to the network.
Provided is a process that includes: obtaining a training set of n-grams labeled as offensive; causing a machine learning model to be trained based on the training set of n-grams, wherein the machine learning model, when trained, is configured to classify natural language text as offensive or non-offensive; obtaining input natural language text expressing a computer-generated utterance; classifying after causing training, the computer-generated utterance as offensive or non-offensive using the machine learning model; and causing an output to be provided to a recipient, the output being based on whether the machine learning model classifies the computer-generated utterance as offensive or non-offensive.
The disclosed computer-implemented method for updating locked states may include (i) identifying a computing system and a mobile device that are both operated by a user, (ii) using a signal strength between the computing system and the mobile device to calculate a physical distance between the mobile device and the computing system that correlates to a proximity of the user to the computing system, (iii) calibrating, based on input from a sensor that indicates an activity of the user, a parameter for calculating the physical distance, (iv) using the signal strength and the parameter to recalculate the physical distance, and (v) updating, based at least in part on the recalculated physical distance, a locked state of the computing system in response to a change in the proximity of the user to the computing system. Various other methods, systems, and computer-readable media are also disclosed.
A method performed by a server processing computer for a plurality of monitored servers is provided. The method includes receiving a server alarm of a first type in response to one of a first set of server metrics, each of which includes a measure of a first property for the monitored servers, exceeding a first threshold. The method also includes receiving a server alarm of a second type in response to one of a second set of server metrics, each of which includes a measure of a second property for the monitored servers, exceeding a second threshold. The method includes determining a server alarm correlation between the received server alarm of the first type and the received server alarm of the second type, and generating a new server alarm configuration for a server alarm of the first type and/or the second type based on the server alarm correlation.
G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
H04L 12/24 - Arrangements for maintenance or administration
An authentication server can receive an electronic message transmitted by a sender. The electronic message can have an intended recipient and can include message data. A sender identification (“ID”) is embedded in the message data. The authentication server can generate a first message ID based on the message data that includes the sender ID. The first message ID can be determined to match a second message ID that is stored in a database. The sender ID can be determined to be different from an originator ID that is associated with the second message ID in the database. The authentication server can determine whether an originator associated with the originator ID has authorized the sender to transmit the message data and can determine whether to transmit the electronic message to the intended recipient based on whether the originator has authorized the sender to transmit the data.
