Aspects of the disclosure include replacing, by a DNS proxy in DNS responses, a cryptographic key associated with a client-facing server for an origin content server with another cryptographic key received from a TLS proxy. A device may encrypt an extension of a ClientHello message with the other cryptographic key, such that the encrypted ClientHello (ECH) extension can be decrypted by the TLS proxy. The TLS proxy can then allow or deny the connection using a TLS intercept policy and decrypted information in the ClientHello message, and if the TLS connection is allowed, re-encrypt the ECH with the cryptographic key in the DNS response for the client-facing server to decrypt for establishment of the TLS connection with the origin content server. To preserve selective intercept while using ECH, a TLS Intercept Policy may be used to decide whether the TLS proxy feeds an Application Layer Proxy.
The disclosed computer-implemented method for preparing a secure search index for securely detecting personally identifiable information may include (i) receiving, at a computing device, a dataset including a record, where the record has a field including a value describing personally identifiable information and (ii) performing, at the computing device, a security action. The security action may include (i) generating, using a perfect hash function, a respective hashed key from the value and (ii) adding, to the secure search index (a) the respective hashed key or (b) a subsequent hashed key created from the respective hashed key. Various other methods, systems, and computer-readable media are also disclosed.
G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
H04L 9/06 - Arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for blockwise coding, e.g. D.E.S. systems
A method for securing cloud applications is described. The method may include establishing a connection between a cloud application isolation portal, a cloud access security broker, and a cloud application based on an indication of the cloud application and a set of credentials associated with an end user of the cloud application, and managing, via the cloud application isolation portal and the cloud access security broker, a session between the cloud application and a computing device associated with the end user based on the connection between the cloud application isolation portal with the cloud access security broker and the cloud application.
H04L 67/60 - Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
H04L 67/10 - Protocols in which an application is distributed across nodes in the network
Machine learning adversarial campaign mitigation on a computing device. The method may include deploying an original machine learning model in a model environment associated with a client device; deploying a classification monitor in the model environment to monitor classification decision outputs in the machine learning model; detecting, by the classification monitor, a campaign of adversarial classification decision outputs in the machine learning model; applying a transformation function to the machine learning model in the model environment to transform the adversarial classification decision outputs to thwart the campaign of adversarial classification decision outputs; determining a malicious attack on the client device based in part on detecting the campaign of adversarial classification decision outputs; and implementing a security action to protect the computing device against the malicious attack.
Knowledge-aware detection of attacks on a client device conducted with dual-use tools. A method may include obtaining dual-use tool data related to a plurality of dual-use tools; collecting from a client device, by the computing device, user input related to the use of a dual-use tool of the plurality of dual-use tools; determining that the user input contains a feature of the dual-use tool data; creating a behavioral index of the user input, the behavioral index stored on the client device; detecting new input on the client device; determining a similarity level between the user input and the new input; flagging a malicious attack on the client device based on determining that the similarity level does not satisfy a pre-determined threshold; and implementing a security action on the client device based on flagging the malicious attack.
Secure access to a corporate application with translation between an internal address and an external address. In some embodiments, a method may include receiving, at a secure access cloud point of delivery (PoD), from a client application on a client device, a request to access a corporate web application that is deployed in a corporate datacenter. The method may also include forwarding, from the secure access cloud PoD, to a connector that is also deployed in the corporate datacenter, the request to access the corporate web application. The method may further include brokering, by the connector and the secure access cloud PoD, authentication of a user, authorization of access by the user, and a secure communication session between the client application and the corporate web application by translating between an internal address of the corporate web application and an external address of the corporate web application.
09 - Scientific and electric apparatus and instruments
42 - Scientific, technological and industrial services, research and design
Goods & Services
(1) Downloadable computer programs for project management, product management, work collaboration, information technology portfolio management, and business process management (1) Non-downloadable, cloud-based computer programs for project management, product management, work collaboration, information technology portfolio management, and business process management
42 - Scientific, technological and industrial services, research and design
Goods & Services
(1) Software as a service (SAAS) services featuring software for project management, product management, work collaboration, and software development and implementation
09 - Scientific and electric apparatus and instruments
42 - Scientific, technological and industrial services, research and design
Goods & Services
Downloadable computer programs for project management, product management, work collaboration, information technology portfolio management, and business process management, all aforementioned goods only in the context of financial investment management software and not in the context of security, law-enforcement, defense and military software. Providing online, non-downloadable, cloud-based computer programs for project management, product management, work collaboration, information technology portfolio management, and business process management, all aforementioned services only in the context of financial investment management software and not in the context of security, law-enforcement, defense and military software.
42 - Scientific, technological and industrial services, research and design
Goods & Services
Software as a service (SAAS) services featuring software for project management, product management, work collaboration, and software development and implementation.
42 - Scientific, technological and industrial services, research and design
Goods & Services
Software as a service (SAAS) services featuring software for project management, product management, work collaboration, and software development and implementation
09 - Scientific and electric apparatus and instruments
42 - Scientific, technological and industrial services, research and design
Goods & Services
Downloadable computer programs for project management, product management, work collaboration, information technology portfolio management, and business process management; all aforementioned goods/services only in the context of financial investment management software and not in the context of security, law-enforcement, defense and military software Non-downloadable, cloud-based computer programs for project management, product management, work collaboration, information technology portfolio management, and business process management; all aforementioned goods/services only in the context of financial investment management software and not in the context of security, law-enforcement, defense and military software
13.
Systems and methods for producing adjustments to malware-detecting services
The disclosed computer-implemented method for producing adjustments to malware-detecting services may include (1) receiving, from a plurality of malware-detecting services executing on a plurality of client computing devices, a respective plurality of probability scores with corresponding model identifiers for an analyzed file and a plurality of respective identifiers describing the malware-detecting services, (2) building a training dataset from at least a portion of the received plurality of probability scores with corresponding model identifiers, and (3) performing a security action including (A) training, with the training dataset, a malware-detecting linear regression ensemble machine learning model that is specific to an identifier in the plurality of identifiers and (B) sending the trained linear regression ensemble machine learning model to one of the plurality of malware-detecting services executing on one of the client computing devices. Various other methods, systems, and computer-readable media are also disclosed.
Techniques are disclosed relating to increasing the amount of training data available to machine learning algorithms. A computer system may access an initial set of training data that specifies a plurality of sequences, each of which may define a set of data values. The computer system may amplify the initial set of training data to create a revised set of training data. The amplifying may include identifying sub-sequences of data values in ones of the plurality of sequences in the initial set of training data and using an inheritance algorithm to create a set of additional sequences of data values, where each one of the set of additional sequences may include sub-sequences of data values from at least two different sequences in the initial set of training data. The computer system may process the set of additional sequences using the machine learning algorithm to train a machine learning model.
Secure access to a corporate application in an SSH session using a transparent SSH proxy. In some embodiments, a method may include receiving, at a secure access cloud point of delivery (PoD), from a client application on a client device, a request to access a corporate application that is deployed in a corporate datacenter. The method may also include forwarding, from the secure access cloud PoD, to a connector that is also deployed in the corporate datacenter, the request. The method may further include brokering, by the connector and the secure access cloud PoD, authentication of a user, authorization of access by the user, and an SSH session between the client application and the corporate application using a transparent SSH proxy, with the client application being unaware that the SSH session is brokered by the connector and the secure access cloud PoD.
Secure access to a corporate application using a facade. In some embodiments, a method may include receiving, at a secure access cloud point of delivery (PoD), from a client application on a client device, a request to access a corporate application that is deployed in a corporate datacenter. The method may also include creating, at the secure access cloud PoD, a facade representing the corporate application. The method may further include forwarding, from the facade, to a connector that is also deployed in the corporate datacenter, the request. The method may also include brokering, by the connector and the facade, authentication of a user, authorization of access by the user, and a secure communication session between the client application and the corporate application via the facade, with the client application being unaware that the secure communication session is brokered by the connector and the facade.
The disclosed computer-implemented method for dynamically augmenting machine learning models based on contextual factors associated with execution environments may include (1) generating a base machine learning model and a supplemental set of machine learning models, (2) determining at least one contextual factor associated with an execution environment of a machine learning system that is configured to make predictions regarding a set of input data using at least the base machine learning model, (3) selecting, based on the contextual factor, a continuation set of machine learning models from the supplemental set of machine learning models, and (4) directing the machine learning system to utilize both the base machine learning model and the continuation set of machine learning models when making predictions regarding the set of input data. Various other methods, systems, and computer-readable media are also disclosed.
G06K 9/62 - Methods or arrangements for recognition using electronic means
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
Secure access to a corporate application with translation between an internal address and an external address. In some embodiments, a method may include receiving, at a secure access cloud point of delivery (PoD), from a client application on a client device, a request to access a corporate web application that is deployed in a corporate datacenter. The method may also include forwarding, from the secure access cloud PoD, to a connector that is also deployed in the corporate datacenter, the request to access the corporate web application. The method may further include brokering, by the connector and the secure access cloud PoD, authentication of a user, authorization of access by the user, and a secure communication session between the client application and the corporate web application by translating between an internal address of the corporate web application and an external address of the corporate web application.
G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
The disclosed computer-implemented method for protecting a cloud computing device from malware may include (i) intercepting, at a computing device, a malicious attempt by the malware to (A) access sensitive information in an encrypted file stored on the computing device and (B) send the sensitive information to the cloud computing device and (ii) performing, responsive to the attempt to access the encrypted file, a security action. Various other methods, systems, and computer-readable media are also disclosed.
A method for identifying suspicious activity on a monitored computing device is described. In one embodiment, the method may include monitoring a local procedure call interface of the monitored computing device, identifying, based at least in part on the monitoring, a remote procedure call (RPC) of a suspicious process, the RPC being transmitted over a local procedure call message of the local procedure call interface, analyzing the RPC of the suspicious process, and performing a security action based at least in part on the analyzing.
The disclosed computer-implemented method for detecting code implanted into a published application may include retrieving a published version of an application and a source version of the application, and determining, based on an analysis of the source version and the published version, a transformation process for transforming from the source version to the published version. The method may also include performing the transformation process on the source version to produce a build version, comparing the build version with the published version, and identifying, based on the comparison, implanted code in the published version. The method may further include performing, in response to identifying the implanted code, a security action. Various other methods, systems, and computer-readable media are also disclosed.
The disclosed computer-implemented method for malware detection using localized machine learning may include (i) generating a global score for a file using a global machine learning model, (ii) generating a localized score for the file using a localized machine learning model, (iii) determining that the file is malware using the global score, the localized score, and the local conviction threshold, and (iv) in response to determining that the file is malware, performing a security action to protect the computing device against malware. Various other methods, systems, and computer-readable media are also disclosed.
The disclosed computer-implemented method for managing a need-to-know domain name system may include (i) intercepting, by an agent of the computing device, network traffic received on the computing device, (ii) generating, by the agent, a one-time password based on a unique identifier of the agent of the computing device, (iii) wrapping, by the agent, the network traffic with the one-time password, and (iv) pushing, by the agent, the wrapped network traffic to a cloud server using a local domain name system (DNS) of the agent of the computing device, wherein the local DNS comprises a private domain name unpublished in a global DNS. Various other methods, systems, and computer-readable media are also disclosed.
Telemetry data from client file reputation queries is collected over time. Directories/sub-directories under which files of queries are located are identified. The files including the reputations for the files under a given directory/sub-directory are identified and used to calculate the reputation score for the directory/sub-directory. The directory/sub-directory is then classified based on the calculated score for the directory/sub-directory. After the classification of directories/sub-directories, reputation for a file with unknown reputation is then determined based on the classification of the directory/sub-directory under which the file is located.
Pre-filtering detection of an injected script on a webpage accessed by a computing device. The method may include receiving an indication of access to the webpage at a web browser of the computing device; identifying a web form associated with the webpage; determining that the webpage has been previously visited by the computing device; recording at least one current domain associated with at least one current object request made by the web form; determining a difference of a count of the at least one current domain associated with the at least one current object request and a count of at least one historical domain associated with at least one historical object request previously made by the webpage; identifying the webpage as suspicious based on determining that the difference is greater than zero and less than a domain threshold; and initiating a security action on the webpage based on the identifying.
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
Identifying and protecting against an attack against an anomaly detector machine learning classifier (ADMLC). In some embodiments, a method may include identifying training data points in a manifold space for an ADMLC, dividing the manifold space into multiple subspaces, merging each of the training data points into one of the multiple subspaces, training a subclassifier for each of the multiple subspaces to determine a decision boundary for each of the multiple subspaces between normal training data points and anomalous training data points, receiving an input data point into the ADMLC, determining whether the input data point is an attack on the ADMLC due to a threshold number of the subclassifiers classifying the input data point as an anomalous input data point, and, in response to identifying the attack against the ADMLC, protecting against the attack.
A computer-implemented method for detecting and protecting against malicious use of legitimate computing-system tools may include (i) identifying a computing-system tool that can perform benign actions and malicious actions on a computing system, (ii) creating a set of recorded actions by recording actions performed by the computing-system tool on the computing system over a predetermined period of time, (iii) analyzing the set of recorded actions via a machine learning method that, for each action in the set of recorded actions, determines whether the action is anomalous compared to other actions in the set, (iv) classifying an action in the set of recorded actions as malicious based at least in part on determining that the action is anomalous, and (v) initiating, in response to classifying the action as malicious, a security action related to the action. Various other methods, systems, and computer-readable media are also disclosed.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
28.
Identifying and mitigating harm from malicious network connections by a container
Identifying and mitigating harm from malicious network connections by a container. In some embodiments, a method may include receiving, from a shim, notifications of all network connections that a container has sought to establish through the shim. The method may also include monitoring all actual network connections established by the container. The method may further include comparing the notifications to the actual network connections to determine whether any actual network connection established by the container bypassed the shim. The method may also include, in response to determining that any actual network connection established by the container bypassed the shim, identifying the network connection established by the container that bypassed the shim as a malicious network connection, and performing a security action to mitigate harm from the malicious network connection.
The disclosed computer-implemented method for utilizing metadata for protecting against the sharing of images in a computing network may include (i) identifying an image file stored in a public folder on a computing device, (ii) storing a copy of the image file within a secure data storage application, (iii) encoding metadata for revealing an image in the image file, (iv) performing a security action that protects against sharing the image file from the public folder by masking the image in the image file with the encoded metadata, and (v) rendering the image in the image file as an unmasked version of the image from the image file or the copy of the image file in the secure data storage application by decoding the metadata utilized to mask the image. Various other methods, systems, and computer-readable media are also disclosed.
Methods, systems, and devices for protecting against abnormal computer behavior are described. The method may include monitoring a computer process related to an application running on a computing device of one or more computing devices, analyzing a database including a set of digital fingerprints, where a digital fingerprint of the set of digital fingerprints relates to the application, the digital fingerprint including an indication of a set of computer processes related to the application that are classified as normal computer processes for the application, determining that the computer process related to the application is an abnormal computer process based on analyzing, and performing a security action on the computing device to protect the computing device against the abnormal computer process based on the determining.
Methods and systems are provided for automatically generating malware definitions and using generated malware definitions. One example method generally includes receiving information associated with a malicious application and extracting malware strings from the malicious application. The method further includes filtering the malware strings using a set of safe strings to produce filtered strings and scoring the filtered strings to produce string scores by evaluating words of the filtered strings based on word statistics of a set of known malicious words. The method further includes selecting a set of candidate strings from the filtered strings based on the string scores and generating a malware definition for the malicious application based on the set of candidate strings. The method also includes performing one or more security actions to protect against the malicious application, using the malware definition.
The disclosed computer-implemented method for safely executing unreliable malware may include (i) intercepting a call to an application programming interface (API) in a computing operating system, the API being utilized by malware for disseminating malicious code, (ii) determining an incompatibility between the API call and the computing operating system that prevents successful execution of the API call, (iii) creating a proxy container for receiving the API call, (iv) modifying, utilizing the proxy container, the API call to be compatible with the computing operating system, (v) sending the modified API call from the proxy container to the computing operating system for retrieving the API utilized by the malware, and (vi) performing a security action during a threat analysis of the malware by executing the API to disseminate the malicious code in a sandboxed environment. Various other methods, systems, and computer-readable media are also disclosed.
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
33.
Systems and methods for protecting against malicious content
The disclosed computer-implemented method for protecting against malicious content may include intercepting, by a security application installed on the computing device, an original message intended for a target application installed on the same computing device. The original message may include potentially malicious content. The security application may forward the original message to a security service. The computing device may receive a clean message from the security service, wherein the clean message includes a safe representation of the potentially malicious content. Various other methods, systems, and computer-readable media are also disclosed.
The disclosed computer-implemented method for managing endpoint security states using passive data integrity attestations may include (i) receiving passively collected network data from an endpoint device of a computing environment, (ii) determining a security state of the endpoint device using the passively collected network data from the endpoint device, (iii) determining that the security state of the endpoint device is below a threshold, and (iv) in response to determining that the security state of the endpoint device is below a threshold, performing a security action to protect the computing environment against malicious actions. Various other methods, systems, and computer-readable media are also disclosed.
The present disclosure relates to using correlations between support interaction data and telemetry data to discover emerging incidents for remediation. One example method generally includes receiving a corpus of support interaction data and a corpus of telemetry data. Topics indicative of underlying problems experienced by users of an application are extracted from the corpus of support interaction data. A topic having a rate of appearance in the support interaction data above a threshold value is identified. A set of telemetry data relevant to the topic is extracted from the corpus of telemetry data, and a subset of the relevant set of telemetry data having a frequency in the relevant set of telemetry data above a second threshold value is identified. The topic and the subset of telemetry data are correlated to an incident to be remediated, and one or more actions are taken to remedy the incident.
The disclosed computer-implemented method for executing decision trees may include (i) executing a security classification decision tree that classifies an input data item, (ii) gathering, simultaneously using a gather instruction, values for both a current threshold at a parent node of the security classification decision tree and a subsequent threshold at a child node of the parent node, (iii) gathering, simultaneously using the gather instruction, values for both a current measurement at the parent node and a subsequent measurement at the child node, (iv) comparing, simultaneously using a comparison instruction, the current threshold at the parent node with the current measurement at the parent node and the subsequent threshold at the child node with the subsequent measurement at the child node, and (v) performing a security action to protect the computing device. Various other methods, systems, and computer-readable media are also disclosed.
The disclosed computer-implemented method for protection of storage systems using decoy data may include identifying an original file comprising sensitive content to be protected against malicious access and protecting the sensitive content. Protecting the sensitive content may include (i) processing the original file to identify a structure of the original file and the sensitive content of the original file, (ii) generating a decoy file using the structure of the original file and using substitute content in a location corresponding to the sensitive content of the original file, and (iii) storing the decoy file with the original file. Various other methods, systems, and computer-readable media are also disclosed.
In some embodiments, a computing system includes a communication interface; and a processor that is coupled to the communication interface. In some embodiments, least one of the communication interface or the processor receives a network packet from the network via a network adapter port; encapsulates the received network packet with a tunnel header, wherein the tunnel header comprises network identifier information identifying the network adapter port; addresses, based on the network identifier information, an outer Internet protocol (IP) header of the encapsulated network packet with an outer IP address corresponding to a network function in a first computing device; and sends the encapsulated network packet toward the network function identified by the outer IP address.
The disclosed computer-implemented method for detecting covert channels structured in Internet Protocol (IP) transactions may include (1) intercepting an IP transaction including textual data and a corresponding address, (2) evaluating the textual data against a model to determine a difference score, (3) determining that the textual data is suspicious when the difference score exceeds a threshold value associated with the model, (4) examining, upon determining that the textual data is suspicious, the address in the transaction to determine whether the address is invalid, (5) analyzing the transaction to determine a frequency of address requests that have been initiated from a source address over a predetermined period, and (6) identifying the transaction as a covert data channel for initiating a malware attack when the address is determined to be invalid and the frequency of the address requests exceeds a threshold value. Various other methods, systems, and computer-readable media are also disclosed.
Isolating an iframe of a webpage. In one embodiment, a method may include targeting an iframe in a webpage for isolation, executing, in a server browser, iframe code, sending, from the remote isolation server to the local client, the webpage with the iframe code of the iframe replaced with isolation code, executing, in a client browser, webpage code and the isolation code, intercepting, in the client browser, webpage messages sent from the webpage code and intended to be delivered to the iframe, sending, to the remote isolation server, the intercepted webpage messages to be injected into the iframe code executing at the server browser, intercepting, at the server browser, iframe messages sent from the iframe code and intended to be delivered to the webpage, and sending, to the local client, the intercepted iframe messages to be injected into the webpage code executing at the client browser.
A cloud device is configured in an email transmission pathway. The cloud device receives an email attachment whose maliciousness status is determined to be unknown. The cloud device encrypts the email attachment and delivers the encrypted attachment to the recipient. When the recipient attempts to access the encrypted attachment, the cloud device re-determines the maliciousness status of the attachment. If the re-determined maliciousness status is benign, the cloud device allows the encrypted attachment to be decrypted and opened locally on the recipient's device. If the re-determined maliciousness status is still unknown, the cloud device provides a cloud-based viewing solution to the recipient using an isolation service.
A method for detecting and protecting against abnormal user behavior is described. The method may include generating a tensor model based on a set of user information within a temporal period. The tensor model may include a behavioral profile associated with a user of a set of users. In some examples, the method may include determining that a behavior associated with the user of the set of users is abnormal based on the tensor model, adapting the tensor model based on feedback from an additional user of a set of additional users different from the set of users, and performing a security action on at least one computing device to protect against the abnormal user behavior based on the adapting.
The disclosed computer-implemented method for preventing data loss from data containers may include (1) identifying, at a computing device, a process running in a data container on the computing device, (2) intercepting an attempt by the process to exfiltrate information from the computing device via at least one of a file system operation or a network operation, and (3) performing a security action to prevent the intercepted attempt. Various other methods, systems, and computer-readable media are also disclosed.
Detecting and protecting against computing breaches based on lateral movement of a computer file within an enterprise. A method may include obtaining data associated with an existence a computer file in a first computing device and a second computing device of an enterprise, detecting a pattern of lateral movement of the computer from the first computing device to the second computing device over a predetermined period of time, based on the data, calculating a likelihood score that the computer file is malicious based on the detected pattern, determining that the likelihood score satisfies a predetermined breach threshold, and in response to determining that the likelihood score satisfies the predetermined breach threshold, initiating remedial action on the computer file to protect the enterprise against the computer file.
The disclosed computer-implemented method for preserving system contextual information in an encapsulated packet may include (1) receiving, at a computing device, a network packet from the network via a network adapter port, (2) encapsulating the received network packet with a tunnel header, where a network identifier field in the tunnel header comprises information identifying the network adapter port, (3) determine an outer Internet protocol (IP) address for the encapsulated network packet, where the destination IP address corresponds to a destination on the network, (4) addressing an outer header of the encapsulated network packet with the IP address, and (5) sending the encapsulated network packet toward the destination identified by the destination IP address. Various other methods, systems, and computer-readable media are also disclosed.
The disclosed computer-implemented method for tuning application network behavior may include identifying an application for a closed operating system. The closed operating system may prevent applications from implementing machine-level traffic control for network traffic. The method may include determining an expected network behavior of the application, intercepting network traffic of the application on the closed operating system, determining whether the intercepted network traffic conforms to the expected network behavior, and modifying, based on the determining whether the intercepted network traffic conforms to the expected network behavior, the network traffic. Various other methods, systems, and computer-readable media are also disclosed.
A computer-implemented method for preventing electronic form data from being electronically transmitted to untrusted domains may include (i) identifying a web page that includes an electronic form with field for data entry, (ii) detecting that the web page is electronically sending first and second messages that each include data from the field of the electronic form and that are directed to first and second destinations, respectively, (iii) determining that the first destination includes an untrusted destination, and (iv) blocking the web page from electronically sending the data from the field of the electronic form to the untrusted destination by blocking the first message from being electronically sent. Various other methods, systems, and computer-readable media are also disclosed.
G06F 21/51 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
H04L 29/06 - Communication control; Communication processing characterised by a protocol
The disclosed computer-implemented method for providing an integrated cyber threat defense exchange platform may include (i) receiving unnormalized security data from a plurality of disparate security data sources that generate security data in differing formats, (ii) normalizing, using a security data schema, the unnormalized security data into normalized security data, (iii) identifying a security action that is responsive to at least one security event identified within the normalized security data, and (iv) coordinating performance of the security action within a plurality of networked computing devices. Various other methods, systems, and computer-readable media are also disclosed.
The disclosed computer-implemented method for protecting website visitors may include (i) retrieving an instance of a website that was dynamically generated by aggregating multiple website subcomponents, (ii) decomposing the instance of the website into the multiple website subcomponents, (iii) checking whether a website subcomponent has been previously scanned by a security scanner, (iv) accelerating a review of the instance of the website by reusing results of a previous scan of the website subcomponent that was performed in response to retrieving a different instance of the website subcomponent rather than performing an original scan of the website subcomponent, and (v) protecting a visitor of the website by modifying a display of the instance of the website based on the accelerated review of the instance of the website that reused results of the previous scan of the website subcomponent. Various other methods, systems, and computer-readable media are also disclosed.
Methods and systems are provided for generating a security profile for a new computing system. One example method generally includes obtaining, over a network, information associated with a plurality of existing computing systems and generating, by a clustering algorithm, a set of clusters based on the information associated with the plurality of existing computing systems. The method further includes obtaining external data associated with the computing system and classifying the computing system into a cluster in the set of clusters based on the external data associated with the computing system. The method further includes determining the security profile based on statistics associated with the cluster and transmitting, over the network, an indication of the security profile.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
51.
Systems and methods for preventing sharing of sensitive content in image data on a closed computing platform
The disclosed computer-implemented method for preventing sharing of sensitive content in image data on a closed computing platform may include (i) detecting initiation of a network connection for sending network traffic data to a data storage service on the closed computing platform, (ii) monitoring the sending of the network traffic data to identify a target traffic indicator associated with image data, (iii) interrupting the sending of the network traffic data upon identifying the target traffic indicator, (iv) analyzing the image data to identify sensitive content, and (v) performing a security action that protects against the sensitive content being shared to the data storage service on the closed computing platform. Various other methods, systems, and computer-readable media are also disclosed.
Image quality optimization during remote isolated sessions. In one embodiment, a method may include a remote isolation server receiving, at a remote isolation server, a request from a local browser on a local network device to obtain webpage data from a webserver, requesting, from the webserver, the webpage data, receiving, from the webserver, the requested webpage data, rendering a first image of the requested webpage data, storing a first copy of the first image of the requested webpage data in memory associated with the remote isolation server, compressing a first portion of the first image using a first compression method, sending, from the remote isolation server, the compressed first portion of the first image to the local browser, compressing a second portion of the first image using a second compression method, and sending the compressed second portion of the first image to the local browser.
Methods and systems are provided for detecting malware. One example method generally includes receiving a reference dataset comprising an aggregation of probability distributions of a plurality of intra-file patterns for a plurality of files of at least a first class and applying a logical query to the reference dataset to generate a template distribution with probability distributions of the plurality of intra-file patterns calculated according to one or more logical operators in the logical query. The method further includes detecting a likely presence of malware in a computer file by indicating one or more areas in the computer file based on at least a portion of the calculated probability distributions of the plurality of intra-file patterns in the template distribution.
Secure Quarantine of Potentially Malicious Content. In one embodiment, a method for secure quarantine of potentially malicious content may include receiving a computer file from a third party, preventing the computer file from initially being accessed by a user associated with the computing device, collecting metadata from the computer file, encrypting the file and the collected metadata using a first encryption key, creating an encrypted computer file, encrypting the first encryption key using an asymmetric key, embedding the encrypted computer file into a new computer file, wherein at least one file object that is in the encrypted computer file is removed from the new computer file, enabling user access to the new computer file and the embedded encrypted computer file.
H04L 9/06 - Arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for blockwise coding, e.g. D.E.S. systems
In one embodiment, a method for electronic document sanitization may include receiving a first request from a client device to send a first electronic document, the first request including a requested usability level of the first electronic document, removing at least one document object from the first electronic document, the document object having potentially malicious content, the removing based at least in part on receiving the first request, and transmitting the first electronic document to the client device after removing the at least one document object therefrom.
G06F 12/14 - Protection against unauthorised use of memory
H04L 29/06 - Communication control; Communication processing characterised by a protocol
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 3/0484 - Interaction techniques based on graphical user interfaces [GUI] for the control of specific functions or operations, e.g. selecting or manipulating an object, an image or a displayed text element, setting a parameter value or selecting a range
The disclosed computer-implemented method for improving performance of cascade classifiers for protecting against computer malware may include receiving a training dataset usable to train a cascade classifier of a machine-learning classification system. A sample to add to the training dataset may be received. A weight for the sample may be calculated. The training dataset may be modified using the sample and the weight. A weighted training for the cascade classifier of the machine-learning classification system may be performed using the modified training dataset. Computer malware may be identified using the cascade classifier. In response to identifying the computer malware, a security action may be performed to protect the one or more computing devices from the computer malware. Various other methods, systems, and computer-readable media are also disclosed.
In one embodiment, a computer-implemented method for using customer context to detonate malware may be performed by one or more computing devices, each comprising one or more processors. The method may include receiving an artefact associated with a first device being targeted by malware, simulating in a controlled environment attributes of the first device based at least in part on the artefact, executing the malware in the controlled environment while the attributes of the first device are being simulated, and performing a security action with respect to the malware based at least in part on the execution of the malware in the controlled environment.
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
The disclosed computer-implemented method for identifying users may include (i) detecting that a user at an endpoint computing device is connecting to an identity provider, (ii) detecting, after detecting that the user at the endpoint computing device is connecting to the identity provider, that a mobile device has received a second-factor authentication message, (iii) discovering, by a security service, that the user at the endpoint computing device matches a known user profile registered to the mobile device by correlating the user at the endpoint computing device connecting to the identity provider with the mobile device receiving the second-factor authentication message, and (iv) applying a security policy to the user at the endpoint computing device based on the known user profile matched to the user by the security service. Various other methods, systems, and computer-readable media are also disclosed.
Systems, apparatuses, methods, and computer readable mediums for implementing an email deception service. A system includes one or more processors coupled to one or more memories storing program instructions. The program instructions are executable by the processor(s) to scan live emails for suspicious emails. The suspicious emails are emails with phishing links, business compromise emails, emails with malware attachments, and so on. When a suspicious email is detected, the processor(s) execute the program instructions to interact with the suspicious email in a way that mimics an end-user. A set of decoy credentials are provided to an attacker during the interaction, and then a decoy account is monitored for accesses by the attacker using the decoy credentials. Accesses to the decoy account are monitored and recorded to obtain intelligence on the attacker.
A computer-implemented method for server load control may include: (a) receiving a request of a first type or a second type; (b) transmitting a response of a form that will not be processed by the second computer, thereby reducing the load on a third computer, when the request is of the first type, and that will be processed by the second computer when the request is of the second type; and (c) when the request is of the second type and the response is processed by the second computer, receiving a message from the second computer that results from the processed response and indicates that the request is not of the first type. Various other methods, systems, and computer-readable media are also disclosed.
Protecting a network device from malicious executable code embedded in a computer document. In one embodiment, a method may include detecting executable code embedded in a computer document stored on a network device. The method may also include detecting a potential hoax object in the computer document. The method may further include determining that the potential hoax object is a hoax object by determining that the potential hoax object includes a message enticing a user to enable execution of the executable code. The method may also include, in response to determining that the potential hoax object is a hoax object, concluding that the executable code is malicious and performing a security action on the network device that secures the network device from the malicious executable code.
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 21/52 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure
G06F 21/55 - Detecting local intrusion or implementing counter-measures
A set of DLP rules are enforced to prevent loss of biometric data on a computing device. Attempts to perform operations targeting biometric data are detected, and the specific biometric data being targeted is identified. It is determined whether given attempted operations targeting biometric data are permitted, according to the set of DLP rules. This can take the form of enforcing DLP rules governing attempted operations based on factors such as the type of biometric data, quantity of biometric data, quality of biometric data, target of an attempt to transmit biometric data, specific users and/or applications that initiated attempted operations, specific people represented by the biometric data, relationships between them, etc. In response to determining that a specific attempted operation targeting biometric data is not permitted according to the DLP rules, the operation is blocked. If the DLP rules do not prohibit the operation, its execution is permitted.
Disclosed are methods for tracking consumer transactions from a non-mainframe environment into a mainframe environment. The methods provide for carryover of consumer data from the non-mainframe environment into a mainframe environment.
A computer-implemented method for controlling access to credentials may include (i) maintaining, by a computing device, a set of applications for which attempting to access digital credentials comprises anomalous behavior, (ii) monitoring, by the computing device, each application within the set of applications for attempts to access digital credentials, (iii) automatically detecting, while monitoring for attempts to access digital credentials, an attempt of an application in the set of applications to access a digital credential, and (iv) performing, in response to detecting the attempt to access the digital credential, a security action to secure the digital credential. Various other methods, systems, and computer-readable media are also disclosed.
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
The disclosed computer-implemented method for detecting geolocation-aware malware may include (1) receiving, by a computing device, trajectory information for network traffic carrying geolocation-aware malware, (2) identifying, from the trajectory information, a target geolocation characteristic required to activate the geolocation-aware malware, (3) establishing, on an image of a user machine, an execution environment having the target geolocation characteristic, (4) running, on the image of the user machine, the geolocation-aware malware, and (5) analyzing functioning of the geolocation-aware malware to identify malicious activity by the geolocation-aware malware. Various other methods, systems, and computer-readable media are also disclosed.
42 - Scientific, technological and industrial services, research and design
Goods & Services
Software as a Service (SAAS) services featuring cloud software security services, namely, monitoring of cloud services usage, controlling per-user access, governance and auditing of cloud services, data security, information protection, data loss prevention, management of security policies, security analytics and forensic analysis
67.
Securely sharing a transport layer security session with one or more trusted devices
Securely sharing a Transport Layer Security (TLS) session with one or more trusted devices. In one embodiment, a method may include establishing a TLS session between a client device and a server device, communicating encrypted messages that are encrypted using encryption keys between the client device and the server device, and intercepting and decrypting one or more of the encrypted messages at a trusted device using the encryption keys. In this embodiment, the establishing of the TLS session may include negotiating a master secret, establishing a secure channel between the trusted device and the client device or the server device, sending, from the client device or the server device, the master secret to the trusted device over the secure channel, and employing the master secret at the client device, at the server device, and at the trusted device to generate, for the TLS session, the encryption keys.
H04L 29/06 - Communication control; Communication processing characterised by a protocol
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
An autonomous controller for SDN, virtual, and/or physical networks can be used to optimize a network automatically and determine new optimizations as a network scales. The controller trains models that can determine in real-time the optimal path for the flow of data from node A to B in an arbitrary network. The controller processes a network topology to determine relative importance of nodes in the network. The controller reduces a search space for a machine learning model by selecting pivotal nodes based on the determined relative importance. When a demand to transfer traffic between two hosts is detected, the controller utilizes an AI model to determine one or more of the pivotal nodes to be used in routing the traffic between the two hosts. The controller determines a path between the two hosts which comprises the selected pivotal nodes and deploys a routing configuration for the path to the network.
The disclosed computer-implemented method for evaluating security services may include (i) receiving, at a backend security server from an enterprise, multiple suspicious computing events detected within the enterprise, (ii) recording, within the backend security server, historical security information for each computing event that includes (a) a classification of the computing event as malicious or non-malicious based on a security analysis performed by the backend security server and (b) a point in time at which the classification was determined, (iii) evaluating an ability of the backend security server to detect security threats by (a) detecting an additional computing event within the enterprise and (b) determining, based on the historical security information, a point in time at which the backend security server became capable of classifying the additional computing event, and (iv) adjusting a security policy within the enterprise based on the evaluated ability of the backend security server.
A method of identifying security risks in a computer system that includes several computers executing different applications is provided. The method receives event data about threat events associated with a set of applications executing on a set of computers in the computer system. The method, for each event, compares a set of parameters associated with the event with a set of historical parameters maintained for a similar event. The method, based on the comparisons, defines a normality characterization for each event to express a probability of an exploit of the application associated with the event. The method, based on the normality characterization, defines a prioritized display of security risks due to the threat events associated with the set of application.
The disclosed computer-implemented method for detecting anomalous behavior within computing sessions may include (i) identifying, by the computing device, a set of execution events that correspond to a computing session, (ii) providing, by the computing device, the set of execution events as input to an autoencoder, (iii) receiving, by the computing device and from the autoencoder, a reconstruction error associated with autoencoding the set of execution events, (iv) detecting, by the computing device and based on the reconstruction error, an anomaly within the computing session, and (v) performing, by the computing device, a security action to address the anomaly within the computing session. Various other methods, systems, and computer-readable media are also disclosed.
The disclosed computer-implemented method for managing illegitimate authentication attempts may include (i) detecting an authentication attempt performed by a user to gain access to a protected computing environment, (ii) determining that the authentication attempt to access the protected computing environment is illegitimate, and (iii) simulating, in response to the determination, a successful attempt to authenticate to the protected computing environment by presenting the user with access to a catch-all environment that poses as the protected computing environment and that isolates the protected computing environment from the user. Various other methods, systems, and computer-readable media are also disclosed.
The disclosed computer-implemented method for creating automatic computer-generated classifications may include (i) mining webpages of entities with a known classification, (ii) using information mined from the webpages to create a classification structure that assigns class labels to entities based on entity webpage content, (iii) applying, to the classification structure, one or more webpages of a new entity with an unknown classification, (iv) receiving, from the classification structure, a class label for the new entity, and (v) performing a security action based on the new entity's class label. Various other methods, systems, and computer-readable media are also disclosed.
A method to block overlay phishing attempt is described. In one embodiment, the method includes detecting a first application displaying a page of the first application on a display of a computing device, detecting a second application displaying a page of the second application on the display of the computing device, upon detecting the second application displaying the page of the second application, comparing a schematic representation of the page of the first application to a schematic representation of the page of the second application, and determining whether an overlay phishing attempt occurs based at least in part on the comparing.
A computer-implemented method for detecting potentially malicious hardware-related anomalies may include (1) profiling a computing environment of at least one hardware component on a computing device, (2) detecting, by comparing the hardware component's profile with an expected profile for the hardware component, at least one anomaly in the hardware component's computing environment, (3) identifying additional suspicious activity on the computing device, and (4) determining, by correlating the additional suspicious activity on the computing device with the anomaly in the hardware component's computing environment, that the anomaly in the hardware component's computing environment is potentially malicious. Various other methods, systems, and computer-readable media are also disclosed.
In a method for generating narrative interface descriptions, a file including a machine-readable description of a computing interface is parsed to identify an element therein based on a property thereof. Cross-reference data including human-readable narrative information corresponding to the element is retrieved from a data source, and an embellished file is generated in which the element is modified to include the cross-reference data. Related methods, systems, and computer program products are also discussed.
API calls made by a code sample executing in an emulator are analyzed. Specific ones of the analyzed API calls are classified as meeting a threshold level of suspicion of being made by malware. In response to a specific API call being classified as meeting the threshold, a range of memory before and after the return address of the classified API call is copied to a buffer that is not accessible to the code sample. The copied range of memory in the buffer that is not accessible to the code sample is scanned, and a signature corresponding to the code sample is generated. The generated signature can be used for signature based malware detection, in order to detect one or more instances of malware. In response to detecting malware, one or more security actions can be performed.
The disclosed computer-implemented method for authenticating applications installed on computing devices may include (i) requesting to download, onto an endpoint device, an application from a host server, (ii) receiving the application from the host server after the host server has (a) generated an authentication token to be used to authenticate the application on the endpoint device and (b) embedded the authentication token within a filename of the application, (iii) installing the application onto the endpoint device, (iv) identifying the authentication token within the filename of the application, and (v) using the authentication token to authenticate the endpoint device to the application such that a user of the endpoint device is provided access to the application. Various other methods, systems, and computer-readable media are also disclosed.
H04L 29/06 - Communication control; Communication processing characterised by a protocol
G06F 21/30 - Authentication, i.e. establishing the identity or authorisation of security principals
G06F 21/51 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
An autonomous controller for SDN, virtual, and/or physical networks can be used to optimize a network automatically and determine new optimizations as a network scales. The controller trains models that can determine in real-time the optimal path for the flow of data from node A to B in an arbitrary network. The controller processes a network topology to determine relative importance of nodes in the network. The controller reduces a search space for a machine learning model by selecting pivotal nodes based on the determined relative importance. When a demand to transfer traffic between two hosts is detected, the controller utilizes an AI model to determine one or more of the pivotal nodes to be used in routing the traffic between the two hosts. The controller determines a path between the two hosts which comprises the selected pivotal nodes and deploys a routing configuration for the path to the network.
Provided is a process that includes: obtaining a training set of n-grams labeled as offensive; causing a machine learning model to be trained based on the training set of n-grams, wherein the machine learning model, when trained, is configured to classify natural language text as offensive or non-offensive; obtaining input natural language text expressing a computer-generated utterance; classifying after causing training, the computer-generated utterance as offensive or non-offensive using the machine learning model; and causing an output to be provided to a recipient, the output being based on whether the machine learning model classifies the computer-generated utterance as offensive or non-offensive.
The disclosed computer-implemented method for updating locked states may include (i) identifying a computing system and a mobile device that are both operated by a user, (ii) using a signal strength between the computing system and the mobile device to calculate a physical distance between the mobile device and the computing system that correlates to a proximity of the user to the computing system, (iii) calibrating, based on input from a sensor that indicates an activity of the user, a parameter for calculating the physical distance, (iv) using the signal strength and the parameter to recalculate the physical distance, and (v) updating, based at least in part on the recalculated physical distance, a locked state of the computing system in response to a change in the proximity of the user to the computing system. Various other methods, systems, and computer-readable media are also disclosed.
A method performed by a server processing computer for a plurality of monitored servers is provided. The method includes receiving a server alarm of a first type in response to one of a first set of server metrics, each of which includes a measure of a first property for the monitored servers, exceeding a first threshold. The method also includes receiving a server alarm of a second type in response to one of a second set of server metrics, each of which includes a measure of a second property for the monitored servers, exceeding a second threshold. The method includes determining a server alarm correlation between the received server alarm of the first type and the received server alarm of the second type, and generating a new server alarm configuration for a server alarm of the first type and/or the second type based on the server alarm correlation.
G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
H04L 12/24 - Arrangements for maintenance or administration
An authentication server can receive an electronic message transmitted by a sender. The electronic message can have an intended recipient and can include message data. A sender identification (“ID”) is embedded in the message data. The authentication server can generate a first message ID based on the message data that includes the sender ID. The first message ID can be determined to match a second message ID that is stored in a database. The sender ID can be determined to be different from an originator ID that is associated with the second message ID in the database. The authentication server can determine whether an originator associated with the originator ID has authorized the sender to transmit the message data and can determine whether to transmit the electronic message to the intended recipient based on whether the originator has authorized the sender to transmit the data.
Detecting a malicious application executing in an emulator based on a check made by the malicious application after making an API call. In one embodiment, a method may include executing an application in an emulator that emulates a real-world computing environment. The method may also include detecting, in the application, an API call configured to accept a parameter and return a variable return value to a return address in the application. The method may further include detecting, at the return address, a check to be performed on the variable return value returned by the API call. The method may also include, in response to the detecting of the check, determining that the application is malicious. The method may further include performing a security action on the malicious application to prevent the malicious application from executing in the real-world computing environment.
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
Systems and methods are provided for sharing a device identifier between two applications installed on an unmanaged device. An enterprise application running on a device may execute client-side code received from an ID matching server to generate a target data set characterizing the device. The enterprise application may send the target data set to the ID matching server. The ID matching server may interact with a Mobile Threat Defense (MTD) server to determine a device ID that the MTD server may use to identify the device. The ID matching server may send the device identifier to an Identity Management (IdM) server. The IdM server may send an API request for security information about the target device to the MTD server, which may send the requested security information in response. The IdM server may determine an authorization level based on the security information.
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
A client can be authenticated with an identity provider. The identity provider can generate an identity provider token after successful authentication. Prior to issuing a request to a service provider, the client can request a temporary (one time use) token from the identity provider. The request may include a client token to verify the client's identity. The identity provider can validate the client token using details saved in the identity provider token and issue the temporary token to the client. The client can provide the temporary token to a service provider in a request for service. The service provider can validate the temporary token with the identity provider. If the temporary token is valid (i.e., has not already been used), the service provider can respond to the request. The use of a temporary token and not sharing the identity provider token with the client can prevent security breaches.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
H04L 29/06 - Communication control; Communication processing characterised by a protocol
H04L 9/30 - Public key, i.e. encryption algorithm being computationally infeasible to invert and users' encryption keys not requiring secrecy
87.
Systems and methods for creating program-specific execution environments
The disclosed computer-implemented method for creating program-specific execution environments may include (1) identifying a privileged software program to be executed on a client system in a program-specific execution environment, (2) establishing the program-specific execution environment by (a) determining that at least one process executing on the client system is not essential to operation of the privileged software program to be executed on the client system and (b) suspending execution of the non-essential process in response to identifying the non-essential process, and (3) initiating execution of the privileged software program in the program-specific execution environment. Various other methods, systems, and computer-readable media are also disclosed.
A system uses event correlation to identify components belonging to a same service or service domain. The system correlates events by generating covariance matrices or by performing sequence mining with temporal databases in order to discover event patterns that occur sequentially in a fixed time window. Components corresponding to the correlated events are identified as being part of a same service domain and can be indicated in a service domain data structure, such as a topology. The system utilizes the identified service domains during root cause analysis. The system can determine an anomalous event occurring a lowest layer component in a service domain as a root cause or can determine an anomalous event which occurs first in an identified event sequence of a service domain as a root cause. After identifying the root cause event, the system suppresses notifications of events occurring at other components in the service domain.
A first request and a first identifier corresponding to an identity of a first source device that initiated the first request is received. At least a second source device is queried to obtain information indicative of whether the first source device is authorized to complete the first request. The second source device is configured to periodically gather and transmit data, over one or more networks, to one or more local processing devices or one or more remote devices for data analysis. The first request is blocked or authorized to proceed based at least in part on whether at least the first source device is authorized to complete the first request.
Techniques are disclosed for identifying legitimate files using a hash-based cloud reputation using parts of a file to generate a hash value for reputation score lookup. A reputation service receives a request for a reputation score associated with a file. The request specifies a hash value for the file. The hash value is generated based on one or more parts of the file. The service identifies one of a plurality of file clusters that includes one or more files that matches to the specified hash value. The service determines a reputation score for the file based on the identified file cluster. The reputation score indicates a rating of the file based on a distribution of the file in a user base. The service returns the reputation score in response to the request.
A method of determining a monetary loss due to security risks associated with a plurality of applications executing on a plurality of computers in a computer system is provided. The method assigns a set of loss levels from a plurality of loss levels to each application. Each loss level in the set of loss levels corresponds to a different type of risk associated to an application. The method define a presentation that identifies a total monetary residual risk of loss due to security risks for the plurality of applications by assigning a monetary value to the set of loss levels assigned to each application. The method receives an adjustment to a loss level for at least one application. The method defines a presentation that identifies a revised total monetary residual risk of loss based on the adjustment to said at least one loss level.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
G06Q 10/06 - Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
92.
Systems and methods for identifying untrusted devices in peer-to-peer communication
The disclosed computer-implemented method for identifying untrusted devices in peer-to-peer communication may include (i) collecting first communication protocol MAC addresses and second communication protocol MAC addresses, (ii) determining which of the first communication protocol MAC addresses corresponds to which of the second communication protocol MAC addresses, and (iii) storing correlations between the first communication protocol MAC addresses and the second communication protocol MAC addresses. A correlation between a first communication protocol MAC address and a second communication protocol MAC address may indicate a single device having both addresses. The method may also include (i) detecting a communication on the second communication protocol, (ii) determining whether the detected communication is from an untrusted device, and (iii) performing a security action when the detected communication is from the untrusted device. Various other methods, systems, and computer-readable media are also disclosed.
A customer-facing overhead management tool reduces the task of feature configuration to adjusting a scale representing relative feature availability. Features are configured by adjusting a graphical control element presented on a graphical user interface to activate or deactivate features based on relative weights and priorities associated with the features. Weights and priorities are stored within a configuration file underlying the control element and indicate an approximate order in which features will be deactivated upon “dialing down” the available features. The control element facilitates application resource management for the customer, as the customer may configure features to reduce overhead without knowledge of the underlying feature priorities and weights or relative overhead each feature incurs when activated. Customers may override the automatic feature adjustment by manually activating features which have been deactivated following a lowering of the value on the control element.
G05B 13/02 - Adaptive control systems, i.e. systems automatically adjusting themselves to have a performance which is optimum according to some preassigned criterion electric
G06F 11/34 - Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation
G06F 3/0484 - Interaction techniques based on graphical user interfaces [GUI] for the control of specific functions or operations, e.g. selecting or manipulating an object, an image or a displayed text element, setting a parameter value or selecting a range
Method, product and device for selective traffic blockage. In one embodiment, in response to a detection that a computing device cannot connect to a predetermined server, the blockage policy is applied to an outgoing packet, whereby selectively blocking outgoing packets when the computing device has limited connectivity to the predetermined server. In another embodiment, in response to an attempt to transmit a packet, invoking a local Virtual Private Network (VPN) service that is configured to apply a blockage policy, wherein the local VPN service provides an Application Programming Interface (API) of a VPN service. As a result, selective blockage is implemented using the local VPN service.
The disclosed computer-implemented method for altering time data may include (i) identifying an untrusted executable that is capable of making queries to an operating system of the computing device, (ii) intercepting a request by the untrusted executable to query a system clock of the operating system of the computing device for a current time, (iii) calculating an offset value for the current time that is within a predetermined margin of the current time, and (iv) providing, in response to the request, the untrusted executable with the offset value for the current time instead of the current time. Various other methods, systems, and computer-readable media are also disclosed.
G06F 21/52 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
H04L 12/24 - Arrangements for maintenance or administration
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
H04L 29/06 - Communication control; Communication processing characterised by a protocol
96.
Using closed circuit cameras for emergency services
Method by a computer of a computing system having a plurality of camera sensors and a camera sensor control system is provided. A gesture input event is identified that is detected by a camera sensor of the camera sensors. Each camera sensor routes video captured by the camera sensor to a data storage system. The first gesture input event is identified as corresponding to a defined attention-based gesture performed by a user. A time the first gesture input event was identified is determined. Video stored in the data storage system is fetched using the time that is determined as a pointer. An indication of the first gesture input event and the video that is fetched is transmitted towards an emergency call center (ECC). A trigger word or sound may be detected, and an indication of the trigger word or sound may be transmitted towards the ECC.
Techniques are disclosed relating to increasing the amount of training data available to machine learning algorithms. A computer system may access an initial set of training data that specifies a plurality of sequences, each of which may define a set of data values. The computer system may amplify the initial set of training data to create a revised set of training data. The amplifying may include identifying sub-sequences of data values in ones of the plurality of sequences in the initial set of training data and using an inheritance algorithm to create a set of additional sequences of data values, where each one of the set of additional sequences may include sub-sequences of data values from at least two different sequences in the initial set of training data. The computer system may process the set of additional sequences using the machine learning algorithm to train a machine learning model.
A user equipment includes at least one transmitter, a processor, and a memory. The transmitter transmits RF communication signals through at least one antenna. The processor executes program code in the memory to perform operations. The operations include identifying occurrences of a user being proximately located to the at least one antenna during transmissions. The operations determine duration of the transmissions while the user continues to be identified as being proximately located to the at least one antenna, and generate a cumulative RF exposure metric based on the determined durations of the transmissions. The operations responsively initiate a RF exposure remedial action responsive to the cumulative RF exposure metric satisfying a defined rule. The user terminal may thereby operate to avoid unnecessary RF radiation exposure to a user when that exposure would reach an excessive level.
A method of monitoring tasks for reducing security risks in a computer system comprising a plurality of computers executing a plurality of applications is provided. The method based on a set of login information, displays a set of risks for a set of applications that execute on the plurality of computers and an identification of a person in a hierarchy supervised by the logged-in person assigned to mitigate each risk. The method also displays the current status of each assigned mitigation.
The disclosed computer-implemented method for terminating a computer process blocking user access to a computing device may include (1) receiving, at a user computing device, a communication indicating that a user is unable to access the user computing device, (2) identifying, by the user computing device, an active computer process running on the user computing device, and (3) executing a process termination application stored on the user computing device to terminate the active computer process and enable the user to access the user computing device. Various other methods, systems, and computer-readable media are also disclosed.
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 21/52 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities