Monitoring Or Scanning Of Software Or Data Including Attack Prevention Patents (Class 726/22)
  • Patent number: 11997138
    Abstract: Detection of phishing messages in network communications is performed by receiving a transmitted message and detecting characteristics of the message. A determination is made if the message matches a pattern of a phishing message in a database, and classifies the message as a phishing or spam message accordingly. If the message does not match a known phishing message pattern, the message is checked for common signs of phishing or spam by determining the severity of a threat embodied by the message, and the message is categorized as having phishing characteristics and according to the severity of threat. In response to the user responses to determinations of threats, criteria for detection of phishing characteristics are adjusted, thereby automatically revising criteria for future decisions as to whether the message represents suspected phishing.
    Type: Grant
    Filed: February 5, 2024
    Date of Patent: May 28, 2024
    Assignee: KING FAISAL UNIVERSITY
    Inventors: Ahmed Alyahya, Mohammed Alzahrani
  • Patent number: 11997068
    Abstract: A method and apparatus for providing IP address filtering. The method identifies one or more suspicious Uniform Resource Locators (URLs) and resolves the one or more suspicious URLs to one or more suspicious IP addresses. A suspicious IP address list is created containing the one or more suspicious IP addresses. The suspicious IP address list may be used to facilitate a security response to filter one or more of the IP addresses in the suspicious IP address list.
    Type: Grant
    Filed: January 6, 2023
    Date of Patent: May 28, 2024
    Assignee: UAB 360 IT
    Inventors: Vykintas Maknickas, Mohamed Adly Amer Elgaafary, Aleksandr Ševčenko
  • Patent number: 11997133
    Abstract: A method for detecting patterns using statistical analysis is provided. The method includes receiving a subset of structured data having a plurality of fields. A plurality of value combinations is generated for the plurality of fields using a statistical combination function. Each combination of the generated plurality of value combinations is stored as a separate entry in a results table. The entry in the results table includes a counter associated with the stored combination. A value of the counter is incremented for every occurrence of the stored combination in the generated plurality of value combinations. The results table is sorted based on the counters' values and based on a number of fields in each combination. One or more entries having highest counter values are identified in the results table.
    Type: Grant
    Filed: November 22, 2021
    Date of Patent: May 28, 2024
    Assignee: ARBOR NETWORKS, INC.
    Inventors: Steinthor Bjarnason, Ellis Roland Dobbins
  • Patent number: 11995181
    Abstract: A vehicle surveillance device for an in-vehicle network system that includes one or more electronic control units includes: a frame transmitter and receiver that receives a frame flowing over the in-vehicle network system; and a score calculator that detects a suspicious behavior different from a normal driving behavior based on the frame received by the frame transmitter and receiver and vehicle data including information on one or more frames received by the frame transmitter and receiver prior to receiving the frame, and calculates, based on a detection result, a score indicating a likelihood that reverse engineering has been performed on a vehicle provided with the in-vehicle network system.
    Type: Grant
    Filed: July 20, 2021
    Date of Patent: May 28, 2024
    Assignee: PANASONIC INTELLECTUAL PROPERTY CORPORATION OF AMERICA
    Inventors: Takeshi Kishikawa, Ryo Hirano, Yoshihiro Ujiie, Tomoyuki Haga
  • Patent number: 11997130
    Abstract: An inline malicious traffic detector captures handshake messages in a session with a security protocol. The inline malicious traffic detector comprises a classifier that generates a verdict for the session indicating malicious or benign. The classifier is trained on labelled sessions using custom features generated from handshake messages. Based on determining that the session is malicious using features of the handshake messages, the inline malicious traffic detector blocks the session.
    Type: Grant
    Filed: September 7, 2021
    Date of Patent: May 28, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Lei Xu, Stefan Achleitner, Yu Fu, Shengming Xu
  • Patent number: 11991198
    Abstract: Detecting anomalous behavior of a device, including: generating, using information describing historical activity associated with a user device, a trained model for detecting normal activity for the user device; gathering information describing current activity associated with the user device; and determining, by using the information describing current activity associated with the user device as input to the trained model, whether the user device has deviated from normal activity.
    Type: Grant
    Filed: July 6, 2022
    Date of Patent: May 21, 2024
    Assignee: LACEWORK, INC.
    Inventors: Vikram Kapoor, Harish Kumar Bharat Singh, Weifei Zeng, Vimalkumar Jeyakumar, Theron Tock, Ying Xie, Yijou Chen
  • Patent number: 11989609
    Abstract: This disclosure relates to a method for securing the execution of a program by a processor, including a comparison instruction for comparing two data items, followed by a program operation which is selected as a function of a comparison result provided by the comparison instruction. The method may include, before the execution of the comparison instruction, calculating in various ways comparison data representative of the equality of the data to be compared, after the execution of the comparison instruction, verifying whether the comparison data calculated are consistent with the fact that the program operation is selected or not selected, and activating an error signal if the comparison data are mutually inconsistent or inconsistent with the result of the comparison.
    Type: Grant
    Filed: November 9, 2017
    Date of Patent: May 21, 2024
    Assignee: Rambus Inc.
    Inventors: Vincent Dupaquis, Eric Le Cocquen
  • Patent number: 11991080
    Abstract: A method for packet filtering in a network switch includes: utilizing an access control list circuit to filter received packets, wherein the access control list circuit compares header information of the received packets with an access control list to filter the received packets, where the access control list has at least one entry, and rule information in the entry includes only a portion of an IP address; and utilizing a routing circuit to further filter packets that pass the access control list circuit, wherein the routing circuit compares header information of the packets that pass the access control list circuit with a routing table to filter the packets, wherein the routing table has at least one entry, and rule information in the entry includes an entire IP address.
    Type: Grant
    Filed: February 17, 2022
    Date of Patent: May 21, 2024
    Assignee: Realtek Semiconductor Corp.
    Inventors: Kai-Wen Cheng, Sz-Han Wang, Wen-Huang Yeh, Wei-Hong You
  • Patent number: 11989286
    Abstract: A method and system for mitigating against side channel attacks (SCA) that exploit speculative store-to-load forwarding is described. The method comprises conditioning store-to-load forwarding on the memory dependence predictor (MDP) being trained for that load instruction. Training involves identifying situations in which store-to-load forwarding could have been performed, but wasn't, and obversely, identifying situations in which store-to-load forwarding was performed but resulted in an error.
    Type: Grant
    Filed: January 13, 2022
    Date of Patent: May 21, 2024
    Assignee: Ventana Micro Systems Inc.
    Inventors: John G. Favor, Srivatsan Srinivasan
  • Patent number: 11983269
    Abstract: There is described a neural network system implemented by one or more computers for determining graph similarity. The neural network system comprises one or more neural networks configured to process an input graph to generate a node state representation vector for each node of the input graph and an edge representation vector for each edge of the input graph; and process the node state representation vectors and the edge representation vectors to generate a vector representation of the input graph. The neural network system further comprises one or more processors configured to: receive a first graph; receive a second graph; generate a vector representation of the first graph; generate a vector representation of the second graph; determine a similarity score for the first graph and the second graph based upon the vector representations of the first graph and the second graph.
    Type: Grant
    Filed: December 22, 2022
    Date of Patent: May 14, 2024
    Assignee: DeepMind Technologies Limited
    Inventors: Yujia Li, Chenjie Gu, Thomas Dullien, Oriol Vinyals, Pushmeet Kohli
  • Patent number: 11985109
    Abstract: The disclosed apparatus, systems and methods relate to methods, systems, and devices for the isolation of devices on a LAN network. Route poisoning, ARP poisoning, null routing, blackhole and/or firewall blocking are employed to prevent peer-to-peer network communications within the local area network.
    Type: Grant
    Filed: July 11, 2018
    Date of Patent: May 14, 2024
    Assignee: R&D Industries, Inc.
    Inventor: Donald Van Oort
  • Patent number: 11983223
    Abstract: Techniques are described herein that are capable of constructing a finite automaton using regular expression derivatives to simulate behavior of a backtracking engine. The behavior indicates an order in which paths in an input regular expression are to be evaluated by the backtracking engine. The finite automaton is constructed to include a graph that includes a root node that represents the input regular expression. Regular expressions are derived such that each derived regular expression is a regular expression derivative of the input regular expression or of another derived regular expression. Priorities are assigned to alternations in the derived regular expressions to correspond to priorities indicated by the behavior. Nodes that represent the respective derived regular expressions and transitions between respective pairs of nodes are caused to be included in the graph. Priorities, which correspond to the order, are assigned to respective branches of the graph.
    Type: Grant
    Filed: August 18, 2022
    Date of Patent: May 14, 2024
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Olli Ilari Saarikivi, Margus Veanes, Stephen Harris Toub, Daniel J. Moseley, Jose Rodrigo Perez Rodriguez
  • Patent number: 11985240
    Abstract: A computing system can have a data storage device connected to a host as part of a distributed computing system with an initial reputation score assigned to the data storage device with a decentralize module. The data storage device is positioned in a hierarchical device organization based on the reputation score with the hierarchical device organization maintained by the decentralize module. A decentralized secret sharing scheme generated by the decentralize module can authenticate the host with multiple different secrets sourced from different components logically positioned in different levels of the hierarchical device organization.
    Type: Grant
    Filed: July 20, 2020
    Date of Patent: May 14, 2024
    Assignee: Seagate Technology LLC
    Inventor: Vipin Singh Sehrawat
  • Patent number: 11985040
    Abstract: A method and system for detecting anomalous network activity in a cloud-based compute environment. The method comprises receiving configuration data and network activity observations for a set of virtual entities in the cloud-based compute environment; creating a profile for each virtual entity in the set of virtual entities, when the virtual entity does not already have an associated profile; dynamically updating the virtual entity of a profile with the respective network activity observations of the virtual entity; and determining whether anomalies have been detected.
    Type: Grant
    Filed: August 8, 2023
    Date of Patent: May 14, 2024
    Assignee: Rapid7 Israel Technologies Ltd.
    Inventors: Nitzan Niv, Gad Naor
  • Patent number: 11979416
    Abstract: Methods and systems for detecting threats using threat signatures loaded in a computing device.
    Type: Grant
    Filed: May 23, 2022
    Date of Patent: May 7, 2024
    Assignee: Sophos Limited
    Inventors: Santosh Subramanya, Shankar Jayaraman, Sajimon Kurien, Mukesh Kumar, Guruskanthan Viswanathan
  • Patent number: 11979370
    Abstract: Securing a mobile device against malware may include an analysis of events executing on the mobile device to detect and identify unexpected behaviors and events, and further determining whether these unexpected behaviors and events are authorized or unauthorized. Specific runtime events may be compared to patterns of expected user input/interaction on the mobile device, or generalized background behavior patterns occurring without user input/interaction, to determine whether events are expected or unexpected, and/or to determine whether events are authorized or potentially malicious. Examples of unexpected and potentially malicious events on mobile devices, particularly when they occur without specific user interaction, may include making phone calls, accessing or making changes to the contacts/phone book, accessing user habits such as browser settings/history and other communication logs, accessing files, accessing the camera and audio, and so forth.
    Type: Grant
    Filed: May 15, 2019
    Date of Patent: May 7, 2024
    Assignee: Sophos Limited
    Inventor: Sean Patrick McDonald
  • Patent number: 11977630
    Abstract: There is disclosed in one example a ransomware mitigation engine, including: a processor; a convolutional neural network configured to provide file type identification (FTI) services including: identifying an access operation of a file as a write to the file or newly creating the file; computing a byte correlation factor for the file; classifying the file as belonging to a file type; determining with a screening confidence that the file type is correct for the file; determining that the screening confidence is below a screening confidence threshold; and circuitry and logic to provide heuristic analysis including: receiving notification that the confidence is below the confidence threshold; performing a statistical analysis of the file to determine a difference between an expected value and a computed value; determining from the difference, with a detection confidence, that the file has been compromised; and identifying the file as having been compromised by a ransomware attack.
    Type: Grant
    Filed: July 18, 2022
    Date of Patent: May 7, 2024
    Assignee: McAfee, LLC
    Inventors: Kunal Mehta, Sherin Mary Mathews, Carl D. Woodward, Celeste R. Fralick, Jonathan B. King
  • Patent number: 11977631
    Abstract: A system includes a hypervisor, a memory, and boot firmware stored in the memory. The boot firmware is configured to execute on a processor to load a trusted code that includes a condition checker from the hypervisor, check a signature of the trusted code, and verify the signature is trusted by a guest. The boot firmware is also configured to load the trusted code into an encrypted memory at a known guest address. The hypervisor is configured to protect the known guest address. The trusted code includes a first instruction, one or more intermediate instructions, and a final instruction. The first instruction and the final instruction are exits to the hypervisor. The hypervisor is also configured to execute the condition checker and detect an inconsistency in guest memory.
    Type: Grant
    Filed: October 17, 2022
    Date of Patent: May 7, 2024
    Assignee: Red Hat, Inc.
    Inventor: Michael Tsirkin
  • Patent number: 11971989
    Abstract: A computer-implemented method can be used for restoring a computer system following an infection event. The computer system can have a plurality of machines, in which a plurality of back-up copies are associated with each one of the plurality of machines, and in which each of the plurality of back-up copies associated with a particular machine is a different version back-up. The method can include searching the plurality of back-up copies to identify one or more clean-back-up copies that do not comprise a signature of the infection event and restoring one or more of the plurality of machines using a respective clean-back-up copy.
    Type: Grant
    Filed: February 2, 2021
    Date of Patent: April 30, 2024
    Assignee: Predatar Ltd
    Inventors: Neil Warwick, Anton James, Steve Miller, Richard Norgate
  • Patent number: 11973773
    Abstract: Determining malicious activity in a monitored network using clustering algorithmic techniques in which a source of known malicious network entities and known legitimate network entities associated with network traffic flow are provided. A dataset is generated consisting of a plurality of known malicious network entities and a plurality of known legitimate network entities. Network related attributes are identified associated with each of the plurality of malicious network entities and the plurality of legitimate network entities contained in the generated dataset. A predetermined number (X) of clusters is generated based upon the plurality of malicious (bad) and legitimate (good) network entities. A generated cluster is tagged with a bad, good or an unknown tag. If a generated cluster is determined to be assigned a bad tag, it is then stored in a database and assigned a clusterID for future use in machine learning techniques for detecting network attacks upon the monitored network.
    Type: Grant
    Filed: July 13, 2020
    Date of Patent: April 30, 2024
    Assignee: ARBOR NETWORKS, INC.
    Inventors: Prateek R. Paranjpe, Amol B. Patil, Bhargav M. Pendse
  • Patent number: 11971908
    Abstract: A method and system for determining anomalies in call center communications. Data relating to communications is streamed and processed to obtain baseline probability distributions over various domains of communications. Streams related to subsequent calls are compared to the baselines to determine anomalies.
    Type: Grant
    Filed: June 17, 2022
    Date of Patent: April 30, 2024
    Assignee: Talkdesk, Inc.
    Inventors: Pedro Filipe Caldeira Neves, Nuno André de Matos Lopes Cardoso
  • Patent number: 11973678
    Abstract: Systems and methods may provide connectivity to client electronic devices in a wireless communication network aboard aircraft or in another environment. During initial client device association with the wireless network, captive browser use at the client device may be minimized by directing the device to a fully-capable browser. Upon association, subsequent captivity probes transmitted by the client device may be detected and handled so as to prevent undesired re-launching of the captive browser at the client device.
    Type: Grant
    Filed: October 18, 2019
    Date of Patent: April 30, 2024
    Assignee: GOGO BUSINESS AVIATION LLC
    Inventors: Bryan Adrian Lauer, Rukmani Loganathan
  • Patent number: 11966466
    Abstract: A protection system is provided for delivering runtime security to a task including a workload container. The protection system uses a sidecar to limit access of the workload container to a standard library of the operating system running the workload container by modifying the task so that the sidecar is executed before the workload container. The sidecar places a guard loader into a shared volume and binds the workload container, such that calls to the workload container are passed to an agent binary. The agent binary compares requested calls from the workload container to a policy to approve and/or deny the requested calls. If the requested call is approved, then the requested call is passed to the standard library.
    Type: Grant
    Filed: January 10, 2022
    Date of Patent: April 23, 2024
    Assignee: Check Point Serverless Security Ltd.
    Inventors: Ohad Tanami, Itay Harush, Piyush Anand Deshpande, Devdatta Krishna Deshpande
  • Patent number: 11968239
    Abstract: A system and method for the detection and mitigation of data source compromises in an adversarial information environment. The system and method feature the ability to scan for, ingest and process, and then use relational, wide column, and graph stores for capturing entity data, their relationships, and actions associated with them. Furthermore, meta-data is gathered and linked to the ingested data, which provides a broader contextual view of the environment leading up to and during an event of interest. Data quality analysis is conducted on the data as it is ingested in order to identify various data source metrics and determine if a data source may be compromised. The results of the data quality analysis, the identified metrics, the gathered data, and meta-data are used to manage the reputation of the contributing data sources. The system can make recommendations on data sources based on the data source reputation scoring.
    Type: Grant
    Filed: June 21, 2022
    Date of Patent: April 23, 2024
    Assignee: QOMPLX LLC
    Inventors: Jason Crabtree, Richard Kelley
  • Patent number: 11968222
    Abstract: Methods, storage systems and computer program products implement embodiments of the present invention that include identifying multiple host computers executing respective instances of a specific software application, each given instance on each given host computer including a set of program instructions loaded, by the host computer, from a respective storage device. Information on actions performed by the executing instances is collected from the host computers, and features are computed based on the information collected from the multiple host computers. The collected information for a given instance is compared to the features so as to classify the given instance as benign or suspicious, and an alert is generated for the given instance only upon classifying the given instance as suspicious.
    Type: Grant
    Filed: July 5, 2022
    Date of Patent: April 23, 2024
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Yuval Zan, Erez Levy, Dor Agron, Yarom Dadon, Chen Evgi
  • Patent number: 11968231
    Abstract: A processor may identify one or more predicted microservice chains for each of one or more user profiles. The one or more predicted microservice chains may be selected based on historical information. The one or more user profiles may each be associated with a respective user of a user device. The processor may analyze user specific information. The user specific information may be associated with the user device. The processor may determine, based on the user specific information, if the user device causes network intrusion. The processor may perform, based on the determination, an action for the user device.
    Type: Grant
    Filed: August 4, 2021
    Date of Patent: April 23, 2024
    Assignee: International Business Machines Corporation
    Inventors: Sudheesh S. Kairali, Sarbajit K. Rakshit
  • Patent number: 11966844
    Abstract: This application provides a method for training a neural network model and an apparatus. The method includes: obtaining annotation data that is of a service and that is generated by a terminal device in a specified period; training a second neural network model by using the annotation data that is of the service and that is generated in the specified period, to obtain a trained second neural network model; and updating a first neural network model based on the trained second neural network model. In the method, training is performed based on the annotation data generated by the terminal device, so that in an updated first neural network model compared with a universal model, an inference result has a higher confidence level, and a personalized requirement of a user can be better met.
    Type: Grant
    Filed: November 4, 2022
    Date of Patent: April 23, 2024
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Tao Ma, Qing Su, Ying Jin
  • Patent number: 11967214
    Abstract: A multimode system for receiving data in a retail environment includes: a secure input module for receiving high security input and low security input from a customer, the high security input to be communicated by the secure input module in cipher text, and the low security input to be communicated by the secure input module in plaintext. The multimode system is adapted to operate in a high security mode and a low security mode. The multimode system is adapted to enter the low security mode upon detection by the multimode system of a security breach condition. In the high security mode, the secure input module accepts low security input and high security input. In the low security mode, the secure input module accepts the low security input and does not accept the high security input.
    Type: Grant
    Filed: January 3, 2023
    Date of Patent: April 23, 2024
    Assignee: Wayne Fueling Systems LLC
    Inventors: Timothy M. Weston, Weiming Tang, David Spiller
  • Patent number: 11966382
    Abstract: Techniques facilitating hardware-based memory-error mitigation for heap-objects. In one example, a system can comprise a process that executes computer executable components stored in a non-transitory computer readable medium. The computer executable components comprise: an entry component; and a re-purpose component. The entry component can allocate an entry in a table to store bounds-information when an object is allocated in memory. The re-purpose component can re-purpose unused bits of an object address to store an index to the table entry.
    Type: Grant
    Filed: July 20, 2022
    Date of Patent: April 23, 2024
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Richard H. Boivie, Tong Chen, Alper Buyuktosunoglu, Gururaj Saileshwar
  • Patent number: 11962613
    Abstract: An internal network can include a plurality of linked internal nodes, each internal node being configured to communicate with other internal nodes or with one or more external servers over an external network. The internal network can analyze the configuration of the internal nodes and the network traffic between internal nodes of the internal network and external servers. Based on the analysis, a network vulnerability score measuring the vulnerability of the internal network to attack can be determined. If the vulnerability score is below a threshold, the internal network can be isolated from the external network, for example by preventing internal nodes from communicating with or over the external network.
    Type: Grant
    Filed: June 28, 2023
    Date of Patent: April 16, 2024
    Assignee: UPGUARD, INC.
    Inventors: Michael Franz Baukes, Alan James Sharp-Paul
  • Patent number: 11956260
    Abstract: Systems and methods are disclosed to implement a cyberattack detection system that monitors a computer network for lateral movement. In embodiments, the system uses network data from a computer network to build a baseline of connection behaviors for the network. Connection graphs are generated from new network data that indicate groups of nodes that made connections with one another during a last time interval. The graphs are analyzed for connection behavior anomalies and ranked to determine a subset of graphs with suspected lateral movement. Graphs with suspected lateral movement may be further analyzed to determine a set of possible attack paths in the lateral movements. The suspected attack paths are reported to network administrators via a notification interface. Advantageously, the disclosed system is able to detect potential lateral movements in localized portions of a network by monitoring for connection behavior anomalies in network data gathered from the network.
    Type: Grant
    Filed: May 8, 2023
    Date of Patent: April 9, 2024
    Assignee: Rapid7, Inc.
    Inventors: Vasudha Shivamoggi, Roy Donald Hodgman, Katherine Wilbur
  • Patent number: 11948379
    Abstract: A system including at least one processor; and at least one memory having stored thereon computer program code that, when executed by the at least one processor, controls the at least one processor to: receive an email addressed to a user; separate the email into a plurality of email components; analyze, using respective machine-learning techniques, each of the plurality of email components; feed the analysis of each of the plurality of email components into a stacked ensemble analyzer; and based on an output of the stacked ensemble analyzer, determine whether the email is malicious.
    Type: Grant
    Filed: October 12, 2020
    Date of Patent: April 2, 2024
    Assignee: CAPITAL ONE SERVICES, LLC
    Inventors: Christopher Bayan Bruss, Stephen Fletcher, Lei Yu, Jakob Kressel
  • Patent number: 11947669
    Abstract: One embodiment of the described invention is directed to a computerized method for improving detection of cybersecurity threats initiated by a script. Herein, the method is configured to analyze the script provided as part of a script object by at least (i) determining whether any functional code blocks forming the script include a critical code statement, (ii) determining whether any of the functional code blocks include an evasive code statement, (iii) modifying the script to control processing of a subset of the functional code blocks by avoiding an execution code path including the evasive code statement and processing functional code blocks forming a code path including the critical code statement, and (iv) executing the modified script and monitoring behaviors of a virtual environment. Thereafter, the method is configured to determine whether the script includes cybersecurity threats based on the monitored behaviors.
    Type: Grant
    Filed: September 4, 2022
    Date of Patent: April 2, 2024
    Assignee: Musarubra US LLC
    Inventors: Sai Vashisht, Sushant Paithane, Imtiyaz Yunus Pathan
  • Patent number: 11947465
    Abstract: Aspects of the invention include receiving, at an operating system executing on a processor, a write request from a program to write data to a memory. The write request includes a virtual memory address and the data. It is determined that the virtual memory address is not assigned to a physical memory address. Based on the determining, the unassigned virtual memory address is assigned to a physical memory address in an overflow memory. The data is written to the physical memory address in the overflow memory and an indication that the write data was successfully written is returned to the program. Future requests by the program to access the virtual memory address are directed to the physical memory address in the overflow memory.
    Type: Grant
    Filed: October 13, 2020
    Date of Patent: April 2, 2024
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Michael Peter Lyons, Andrew C. M. Hicks, Tynan J. Garrett, Miles C. Pedrone
  • Patent number: 11943239
    Abstract: Novel tools and techniques are provided for implementing fraud or distributed denial of service (“DDoS”) protection for session initiation protocol (“SIP”)-based communication. In various embodiments, a computing system may receive, from a first router, first SIP data indicating a request to initiate a SIP-based media communication session between a calling party at a source address and a called party at a destination address. The computing system may analyze the received first SIP data to determine whether the received first SIP data comprises any abnormalities indicative of potential fraudulent or malicious actions. If so, the computing system may reroute the first SIP data to a security deep packet inspection (“DPI”) engine, which may perform a deep scan of the received first SIP data to identify any known fraudulent or malicious attack vectors contained within the received first SIP data. If so, the security DPI engine may initiate mitigation actions.
    Type: Grant
    Filed: August 24, 2021
    Date of Patent: March 26, 2024
    Assignee: Level 3 Communications, LLC
    Inventors: Adam Uzelac, Ronnie Bailey, Craig Richter
  • Patent number: 11936622
    Abstract: A system and method for providing dynamic network traffic policies. The method includes: detecting a cybersecurity risk on a workload deployed in a cloud computing environment, the cloud computing environment having a firewall connected to an untrusted network; and configuring the firewall to filter network traffic to the workload based on the detected cybersecurity risk.
    Type: Grant
    Filed: September 18, 2023
    Date of Patent: March 19, 2024
    Assignee: WIZ, INC.
    Inventors: Lidor Gonshorowitz, Oron Noah, Ami Luttwak, Yinon Costica, Roy Reznik
  • Patent number: 11934521
    Abstract: A system and method for a threat monitoring device for determining, within an industrial control system over a data communication network, cross-correlated behaviors of an information technology domain, an operational technology domain, and a physical access domain and associated threats. The method includes receiving sensor data from the information technology domain, sensor data from the operational technology domain, and sensor data from the physical access domain, fusing the sensor data of each of the domains to obtain fused sensor data, determining feature sets from the fused sensor data using behavior profiles, constructing behaviors as sets of the features over time periods, classifying the behaviors to determine a degree of anomaly, classifying anomalous behaviors to determine a threat probability, generating an alert based on the degree of anomaly and the threat probability, displaying particular sensor data and particular time periods associated with the alert.
    Type: Grant
    Filed: April 21, 2021
    Date of Patent: March 19, 2024
    Assignee: SONALYSTS, INC.
    Inventors: Scott Brunza, Timothy Ouellette, William Russ, Stephen Dorton
  • Patent number: 11934519
    Abstract: A method and system for mitigating against side channel attacks (SCA) that exploit speculative store-to-load forwarding is described. The method comprises conditioning store-to-load forwarding on the memory dependence predictor (MDP) being trained for that load instruction. Training involves identifying situations in which store-to-load forwarding could have been performed, but wasn't, and obversely, identifying situations in which store-to-load forwarding was performed but resulted in an error.
    Type: Grant
    Filed: January 13, 2022
    Date of Patent: March 19, 2024
    Assignee: Ventana Micro Systems Inc.
    Inventors: John G. Favor, Srivatsan Srinivasan
  • Patent number: 11930018
    Abstract: According to some embodiments, a method performed by a classification scanner comprises receiving an electronic message and determining whether the electronic message includes an express indication from the user indicating that a classification applies to the electronic message. In response to determining that the electronic message does not include the express indication that the classification applies to the electronic message, the method further comprises sending the electronic message to a machine learning scanner. The machine learning scanner is adapted to use a machine learning policy to determine whether the classification applies to the electronic message.
    Type: Grant
    Filed: February 9, 2023
    Date of Patent: March 12, 2024
    Assignee: ZixCorp Systems, Inc.
    Inventors: Daniel Joseph Potkalesky, Mark Stephen DeMichele
  • Patent number: 11928906
    Abstract: A reader system for an access control system includes first and second antennas and first and second controllers. The first controller is configured to communicate with a credential device using a first communication protocol via the first antenna to exchange a credential with the credential device. The second controller is configured to communicate with the credential device using a second communication protocol via the second antenna to perform ranging for the credential device and is configured to communicate with the first controller via a communication link.
    Type: Grant
    Filed: March 24, 2020
    Date of Patent: March 12, 2024
    Assignee: ASSA ABLOY AB
    Inventors: Hans-Juergen Pirch, Fredrik Carl Stefan Einberg, Tomas Lars Jonsson, Sylvain Jacques Prevost, Jan Steffl, Hans Gunnar Frank
  • Patent number: 11929988
    Abstract: Systems and methods are provided for dynamic virtual private network concentrators (VPNC) gateway selection and on-demand VRF-ID configuration. A dynamic VPNC gateway selection component can dynamically route to a particular VPNC gateway based on multiple user-specific factors, including: a) behavior of users on the network; and b) performance of a destination service/device. A dynamic VPNC gateway selection component can rank a user based on one or more factors relating to the behavior of the user. Also, the dynamic VPNC gateway selection component can determine whether a VPNC gateway at a data center is healthy, and whether a destination service at the data center is healthy. The dynamic VPNC gateway selection component can dynamically select a VPNC gateway from a plurality of VPNC gateways at the data center for communicating forwarded traffic from the user based on the user's ranking if either the VPNC gateway or the service are unhealthy.
    Type: Grant
    Filed: February 9, 2021
    Date of Patent: March 12, 2024
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Gopal Gupta, Abhinesh Mishra, Isaac Theogaraj, Aseem Sethi
  • Patent number: 11928733
    Abstract: Embodiments of the present disclosure relate to a data analysis system that may automatically generate memory-efficient clustered data structures, automatically analyze those clustered data structures, automatically tag and group those clustered data structures, and provide results of the automated analysis and grouping in an optimized way to an analyst. The automated analysis of the clustered data structures (also referred to herein as data clusters) may include an automated application of various criteria, rules, indicators, or scenarios so as to generate scores, reports, alerts, or conclusions that the analyst may quickly and efficiently use to evaluate the groups of data clusters.
    Type: Grant
    Filed: October 3, 2022
    Date of Patent: March 12, 2024
    Assignee: Palantir Technologies Inc.
    Inventors: Sean Hunter, Aditya Kumar, Jacob Albertson
  • Patent number: 11921749
    Abstract: A synchronization adapter is coupled to the application that does not support synchronization and generates the necessary synchronization metadata for all data in the application that is to be synchronized. The synchronization adapter then combines the metadata to the actual data to be synchronized to form a synchronization feed. The synchronization feed is stored in an internal cache (or data store) which is internal to the application, or an external cache (or data store), which is external to the application, or it can be stored in both caches. The synchronization adapter also intermittently determines whether the application data has changed, thus warranting a change in its metadata, or whether a synchronization operation is warranted to synchronize the data with data in another application. In either case, the synchronization adapter makes the changes to the data, or performs a synchronization operation.
    Type: Grant
    Filed: August 5, 2019
    Date of Patent: March 5, 2024
    Assignee: Microsoft Technology Licensing
    Inventors: Paresh Suthar, Jack Ozzie, Steven Lees
  • Patent number: 11921846
    Abstract: Disclosed are systems and methods for improving interactions with and between computers in distributional similarity identification using randomized observations. In connection with an intrusion detection system monitoring a computing system, a pair of perturbed sample sets are generated using a pair of real sample sets (or real observations) and a pair of random sample sets (of randomly-selected observations), and a similarity measure representing a level of consistency in user behavior is determined. The systems improve the quality and accuracy of the similarity determination for use in intrusion detection.
    Type: Grant
    Filed: March 31, 2020
    Date of Patent: March 5, 2024
    Assignee: YAHOO ASSETS LLC
    Inventors: Stav Yanovsky Daye, Ran Wolff
  • Patent number: 11924243
    Abstract: A search apparatus includes processing circuitry configured to extract fingerprints that are combinations of first communication data corresponding to requests and second communication data corresponding to responses to the requests, from communication data obtained by executing known malware, give degrees of priority corresponding to degrees of maliciousness of the malware, to the fingerprints, generate probes that are requests based on the first communication data included in the fingerprints and signatures based on the second communication data included in the fingerprints, decide, based on information about communication of sending-out destinations, search-target sending-out destinations from among the sending-out destinations, send out the probes generated to the search-target sending-out destinations decided in order according to the degrees of priority given, and determine whether the search-target sending-out destinations are malicious or not, based on whether responses to the probes sent out match th
    Type: Grant
    Filed: September 26, 2019
    Date of Patent: March 5, 2024
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Kazuma Shinomiya, Kazunori Kamiya
  • Patent number: 11924018
    Abstract: A system executes automatic attribute inference and includes: a processor; a memory coupled to the memory; a first engine that executes automatic attribute inference; an extraction engine in communication with a managed infrastructure and the first engine, the extraction engine configured to receive managed infrastructure data; and a signaliser engine that includes one or more of an NMF engine, a k-means clustering engine and a topology proximity engine, the signaliser engine inputting a list of devices and a list of connections between components or nodes in the managed infrastructure, the signaliser engine determining one or more common characteristics and produces one or more clusters of events.
    Type: Grant
    Filed: September 24, 2021
    Date of Patent: March 5, 2024
    Assignee: Dell Products L.P.
    Inventors: Philip Tee, Robert Duncan Harper
  • Patent number: 11917707
    Abstract: Embodiments described herein relate to methods and apparatuses for performing a re-establishment procedure. A method in a user equipment comprises: receiving a re-establishment message; upon reception of the re-establishment message, monitoring for an indication of an integrity check failure received from lower layers, wherein the indication relates to a first message or a second message received by the UE after transmitting a re-establishment request; responsive to the indication of the integrity check failure, performing actions upon going into an RRC_IDLE mode of operation; indicating a connection failure to upper layers; and based on the indication, upper layers triggering a recovery procedure.
    Type: Grant
    Filed: August 29, 2019
    Date of Patent: February 27, 2024
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Icaro Leonardo J. Da Silva, Magnus Stattin
  • Patent number: 11916944
    Abstract: A security system detects and attributes anomalous activity in a network. The system logs user network activity, which can include ports used, IP addresses, commands typed, etc., and may detect anomalous activity by comparing users to find similar users, sorting similar users into cohorts, and comparing new user activity to logged behavior of the cohort. The comparison can include a divergence calculation. Origins of user activity can also be used to determine anomalous network activity. The hostname, username, IP address, and timestamp can be used to calculate aggregate scores and convoluted scores. The system extracts features from the logged anomalous network activity, and determines whether the activity is attributable to an actor profile by comparing the extracted features and attributes associated with the actor profile based upon previous activity attributed to the actor.
    Type: Grant
    Filed: November 22, 2021
    Date of Patent: February 27, 2024
    Assignee: Palantir Technologies Inc.
    Inventor: Daniel Bardenstein
  • Patent number: 11916950
    Abstract: The disclosure provides an approach for coordinating a distributed vulnerability network scan. Embodiments include sending, by a computing node, a check-in message to a scanning coordinator, the check-in message indicating attributes of the computing node. Embodiments include receiving, by the computing node, a scan configuration message from the scanning coordinator, the scan configuration message comprising: scan timing information for the computing node; and a list of scanning targets for the computing node. Embodiments include determining, by the computing node, a scanning time window based on the scan timing information for the computing node. Embodiments include scanning, by the computing node, one or more scanning targets in the list of scanning targets for the computing node during the scanning time window.
    Type: Grant
    Filed: April 12, 2021
    Date of Patent: February 27, 2024
    Assignee: VMware, Inc.
    Inventors: Sean Huntley, Akeem Jenkins, Marc Wayne Brotherson
  • Patent number: 11917711
    Abstract: Disclosed are a Radio Resource Control (RRC) state transition method, a terminal, a Centralized Unit (CU), a Distributed Unit (DU) and a computer-readable storage medium. The RRC state transition method includes: when a terminal changes from a current state to an RRC connected state, the terminal requests to resume an RRC connection by using an existing Signaling Radio Bearer (SRB) configuration; when the terminal receives a response from a Distributed Unit (DU) for request of resuming the RRC connection, if the response comprises a newly allocated SRB configuration, the terminal replaces the existing SRB configuration with the newly allocated SRB configuration to resume the RRC connection.
    Type: Grant
    Filed: October 24, 2022
    Date of Patent: February 27, 2024
    Assignee: ZTE Corporation
    Inventor: Na Liu