Aspects of the disclosure relate to providing training and information based on simulated cybersecurity attack difficulty. A computing platform may retrieve data associated with a plurality of attack templates for simulating cybersecurity attacks. Subsequently, the computing platform may use one or more models to compute a predicted failure rate for each template of the plurality of attack templates in order to yield a plurality of predicted failure rates for an organization. Based on the plurality of predicted failure rates, the computing platform may use one or more of the plurality of attack templates to configure a simulated cybersecurity attack on the organization. Then, the computing platform may send, via the communication interface, to an administrator user device associated with the organization, information about the simulated cybersecurity attack and may execute the simulated cybersecurity attack.
A method includes monitoring user activities at an endpoint device on a network, determining if a user activity at the endpoint device presents a potential threat to network security, creating an alert of the threat, and providing the alert with a redacted version of a screenshot from the endpoint device. One or more open windows are obscured or removed in the redacted version of the screenshot of the endpoint device. Providing the redacted version includes receiving data describing physical characteristics of the open window(s) from an operating system, receiving a screenshot of the screen of the endpoint device, and obscuring the one or more open windows by creating one or more visual covers. Each visual cover matches a size and shape of one of the open windows based on the data that describes the physical characteristics of the open window(s). Each visual cover is placed over the corresponding open window.
Aspects of the disclosure relate to identifying legitimate websites and removing false positives from domain discovery analysis. Based on a list of known legitimate domains, a computing platform may generate a baseline dataset of feature vectors corresponding to the known legitimate domains. Subsequently, the computing platform may receive information identifying a first domain for analysis and may execute one or more machine learning algorithms to compare the first domain to the baseline dataset. Based on execution of the one or more machine learning algorithms, the computing platform may generate first domain classification information indicating that the first domain is a legitimate domain. In response to determining that the first domain is a legitimate domain, the computing platform may send one or more commands directing a domain identification system to remove the first domain from a list of indeterminate domains maintained by the domain identification system.
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directories or standardised directory access protocols, using domain name system [DNS]
4. Dynamically Controlling Access to Linked Content in Electronic Communications
Aspects of the disclosure relate to dynamically controlling access to linked content in electronic communications. A computing platform may receive, from a user computing device, a request for a uniform resource locator associated with an email message and may evaluate the request using one or more isolation criteria. Based on evaluating the request, the computing platform may identify that the request meets at least one isolation condition associated with the one or more isolation criteria. In response to identifying that the request meets the at least one isolation condition associated with the one or more isolation criteria, the computing platform may initiate a browser mirroring session with the user computing device to provide the user computing device with limited access to a resource corresponding to the uniform resource locator associated with the email message.
G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
Aspects of the disclosure relate to detecting impersonation in email body content using machine learning. Based on email data received from user accounts, a computing platform may generate user identification models that are each specific to one of the user accounts. The computing platform may intercept a message from a first user account to a second user account and may apply a user identification model, specific to the first user account, to the message, so as to calculate feature vectors for the message. The computing platform then may apply impersonation algorithms to the feature vectors and may determine that the message is impersonated. Based on results of the impersonation algorithms, the computing platform may modify delivery of the message.
Aspects of the disclosure relate to dynamically controlling access to linked content in electronic communications. A computing platform may receive, from a user computing device, a request for a uniform resource locator associated with an email message. Subsequently, the computing platform may identify that the uniform resource locator associated with the email message corresponds to a potentially-malicious site. In response to identifying that the uniform resource locator associated with the email message corresponds to the potentially-malicious site, the computing platform may determine a risk profile associated with the request received from the user computing device. Based on the risk profile associated with the request, the computing platform may execute an isolation method to provide limited access to the uniform resource locator associated with the email message. In some instances, executing the isolation method may include initiating a browser mirroring session to provide the limited access to the potentially-malicious site.
G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
A computer network includes user endpoint devices geographically distributed relative to one another such that at least one of the endpoint devices is subject to a different set of data protection or privacy restrictions than other endpoint devices and data processing facilities coupled to the user endpoint devices over a network. The data processing facilities are in different geographical regions or sovereignties. A computer-based endpoint agent is in each of the endpoint devices. Each endpoint agent is configured to collect telemetry data relating to user activity at its associated endpoint device and transmit the collected telemetry data to a selected one of the data processing facilities, according to an applicable realm definition, in compliance with the data protection or privacy restrictions that apply to the agent's endpoint device.
An electronic device will identify an electronic message received by a messaging client that is associated with a first recipient, and it will analyze the electronic message to determine whether the electronic message is a simulated malicious message. Upon determining that the electronic message is a simulated malicious message, the device will identify an actuatable element in the electronic message. The actuatable element will include a service address. The device will modify the electronic message by appending a user identifier of the first recipient to the service address of the actuatable element. Then, when the actuatable element is actuated, the system may determine whether the first recipient actuated the actuatable element or an alternate recipient did so based on whether the user identifier of the first recipient is still appended (or is the only user identifier appended) to the actuatable element.
42 - Scientific, technological and industrial services, research and design
Goods & Services
Computer services, namely, computer system administration for others; Cybersecurity services in the nature of restricting unauthorized access to computer systems; computer services, namely, IT security provided via a software platform; Computer services, namely, monitoring, testing, analyzing, and reporting on the Internet traffic control and content control of the web sites of others; Platform as a service (PAAS) featuring computer software platforms for the identification, detection, prevention, management, mitigation, and analysis of threats to IT infrastructure, computer systems, email systems, and data systems; Computer systems integration services; Computer services, namely, integration of computer software into multiple systems and networks; Platform-as-a-Service (PaaS) featuring computer software that aggregates and correlates threat data points across email, the cloud, mobile, local, and outside computer networks and uses a combination of advanced machine learning and artificial intelligence to detect and prevent cybersecurity attacks; Platform as a service (PAAS) featuring software for detecting, analyzing, and monitoring cybersecurity threats; Platform-as-a-service (PaaS) featuring computer software for obtaining and navigating threat intelligence, running threat assessments on cloud storage, local networks, email, mobile, and social channels, and orchestrating response actions; Computer security service, namely, restricting access to and by computer networks to and of undesired web sites, media and individuals and facilities; Platform as a service (PAAS) featuring computer software for risk analysis; Computer services, namely, filtering of unwanted e-mails; Platform as a service (PAAS) featuring computer software for comprehensive threat intelligence featuring artificial intelligence, machine learning and real-time threat intelligence; Platform as a service (PAAS) featuring computer software for conducting risk analysis and identifying, preventing and mitigating risk to computer systems from human and digital threats
42 - Scientific, technological and industrial services, research and design
Goods & Services
Software as a service (SAAS) services featuring software using artificial intelligence (AI) for identifying, analyzing, monitoring, and preventing threats to IT systems, email systems, and data systems; Providing on-line non-downloadable software for human risks analytics; Software as a service (SAAS) services featuring software for identifying, analyzing, monitoring, and preventing threats to IT systems, email systems, and data systems; Providing on-line non-downloadable software for identifying, analyzing, monitoring, and preventing threats to IT systems, email systems, and data systems; Providing on-line non-downloadable software for use in text and language analytics; Providing on-line non-downloadable software for email and email systems security
42 - Scientific, technological and industrial services, research and design
Goods & Services
Computer services, namely, computer system administration for others; Cybersecurity services in the nature of restricting unauthorized access to computer systems; computer services, namely, IT security provided via a software platform; Computer services, namely, monitoring, testing, analyzing, and reporting on the Internet traffic control and content control of the web sites of others; Platform as a service (PAAS) featuring computer software platforms for the identification, detection, prevention, management, mitigation, and analysis of threats to IT infrastructure, computer systems, email systems, and data systems; Computer systems integration services; Computer services, namely, integration of computer software into multiple systems and networks; Platform-as-a-Service (PaaS) featuring computer software that aggregates and correlates threat data points across email, the cloud, mobile, local, and outside computer networks and uses a combination of advanced machine learning and artificial intelligence to detect and prevent cybersecurity attacks; Platform as a service (PAAS) featuring software for detecting, analyzing, and monitoring cybersecurity threats; Platform-as-a-service (PaaS) featuring computer software for obtaining and navigating threat intelligence, running threat assessments on cloud storage, local networks, email, mobile, and social channels, and orchestrating response actions; Computer security service, namely, restricting access to and by computer networks to and of undesired web sites, media and individuals and facilities; Platform as a service (PAAS) featuring computer software for risk analysis; Computer services, namely, filtering of unwanted e-mails; Platform as a service (PAAS) featuring computer software for comprehensive threat intelligence featuring artificial intelligence, machine learning and real-time threat intelligence; Platform as a service (PAAS) featuring computer software for conducting risk analysis and identifying, preventing and mitigating risk to computer systems from human and digital threats
42 - Scientific, technological and industrial services, research and design
Goods & Services
Software as a service (SAAS) services featuring software using artificial intelligence (AI) for identifying, analyzing, monitoring, and preventing threats to IT systems, email systems, and data systems; Software as a service (SAAS) services featuring software for detecting and preventing vision-based cybersecurity threats; Providing on-line non-downloadable software for human risks analytics; Providing on-line non-downloadable software using artificial intelligence (AI) for email and email systems security; Providing on-line non-downloadable software using artificial intelligence (AI) for detecting and preventing cyber attacks; Software as a service (SAAS) services featuring software for identifying, analyzing, monitoring, and preventing threats to IT systems, email systems, and data systems; Providing on-line non-downloadable software for identifying, analyzing, monitoring, and preventing threats to IT systems, email systems, and data systems; Software as a service (SAAS) services featuring software for detecting and preventing cyber attacks; Providing on-line non-downloadable software for email and email systems security; Providing on-line non-downloadable software for use in detecting and preventing vision-based cybersecurity threats
42 - Scientific, technological and industrial services, research and design
Goods & Services
Providing on-line non-downloadable software for use in behavioral analytics; Software as a service (SAAS) services featuring software using artificial intelligence (AI) for identifying, analyzing, monitoring, and preventing threats to IT systems, email systems, and data systems; Providing on-line non-downloadable software for human risks analytics; Providing on-line non-downloadable software using artificial intelligence (AI) for email and email systems security; Providing on-line non-downloadable software using artificial intelligence (AI) for anomaly detection in digital environments; Software as a service (SAAS) services featuring software using artificial intelligence (AI) for identifying anomalous user behavior, IT infrastructure risks, and cybersecurity risks; Providing on-line non-downloadable software using artificial intelligence (AI) for detecting and preventing cyber attacks; Software as a service (SAAS) services featuring software for identifying, analyzing, monitoring, and preventing threats to IT systems, email systems, and data systems; Providing on-line non-downloadable software for identifying, analyzing, monitoring, and preventing threats to IT systems, email systems, and data systems; Software as a service (SAAS) services featuring software for detecting and preventing cyber attacks; Providing on-line non-downloadable software for email and email systems security; Software as a service (SAAS) services featuring software for behavioral analytics
42 - Scientific, technological and industrial services, research and design
Goods & Services
Software as a service (SAAS) services featuring software using artificial intelligence (AI) for identifying, analyzing, monitoring, and preventing threats to IT systems, email systems, and data systems; Providing on-line non-downloadable software for human risks analytics; Providing on-line non-downloadable software using artificial intelligence (AI) for email and email systems security; Providing on-line non-downloadable software using artificial intelligence (AI) for detecting and preventing cyber attacks; Software as a service (SAAS) services featuring software for identifying, analyzing, monitoring, and preventing threats to IT systems, email systems, and data systems; Providing on-line non-downloadable software for identifying, analyzing, monitoring, and preventing threats to IT systems, email systems, and data systems; Providing on-line non-downloadable software for use in text and language analytics; Software as a service (SAAS) services featuring software for detecting and preventing cyber attacks; Providing on-line non-downloadable software for email and email systems security; Software as a service (SAAS) services featuring software for providing real-time updates on emerging threats, attacker tactics and system vulnerabilities
Systems and methods for data discovery within documents in one or more data repositories in a computer network or cloud infrastructure for protection of sensitive data are provided. The method includes selecting a data discovery starting point within the documents in the one or more data repositories in the computer network or the cloud infrastructure and identifying a user associated with one or more documents at the data discovery starting point. The method further includes discovering data using activities and/or relationships of the user to discover subsequent documents to identify the sensitive data.
Systems and methods for privacy-preserving transformer model training are provided. The system includes one or more data repositories in a computer network or cloud infrastructure having data stored therein. The system anonymizes the data in the one or more documents, and trains a transformer model on the data outside of the network. The data includes sensitive information. Anonymizing the data includes extracting the data from the one or more documents and irreversibly transforming the data in the one or more documents into context-preserving tensors. Training the transformer model on the data comprises using the context-preserving tensors instead of the data to train the transformer model on the data.
Systems, methods and products for increasing efficiency of resource usage by determining the reliability of reporters of unwanted messages and prioritizing evaluation of messages based on the reliability scores. Reports of unwanted messages are evaluated to determine whether they are bad. If an unwanted message is bad, a score for the reporter is updated to reflect a positive credit. A set of safe rules are applied to the message to determine whether it is safe and if the message is determined to be safe, the reporter score corresponding to the reporter is updated to reflect a non-positive (zero or negative) credit. If the message is determined to be neither bad nor safe, the message is entered in a reevaluation queue and, after a waiting period, the message evaluation is repeated using updated threat information, and the reporter score is updated according to the reevaluation.
A system monitors access to a computer file via a dynamically changeable non-heterogeneous collection load balanced across two hash tables. The system monitors user activity on a target device to detect a user-entered pattern including a wildcard character, selects one of the two hash tables, and calculates an index for the selected hash table based on the user-entered pattern. The index is used to access the selected hash table to receive a stored pattern. The hash tables each have a plurality of entries, and each entry includes a list of one or more patterns that have the same hash index but different pattern values, sorted by length in characters from longest to shortest. The first hash table is a direct hash table, and the second hash table is a reverse hash table.
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
20. INTELLIGENT CLUSTERING SYSTEMS AND METHODS USEFUL FOR DOMAIN PROTECTION
An intelligent clustering system has a dual-mode clustering engine for mass-processing and stream-processing. A tree data model is utilized to describe heterogeneous data elements in an accurate and uniform way and to calculate a tree distance between each data element and a cluster representative. The clustering engine performs element clustering, through sequential or parallel stages, to cluster the data elements based at least in part on calculated tree distances and parameter values reflecting user-provided domain knowledge on a given objective. The initial clusters thus generated are fine-tuned by undergoing an iterative self-tuning process, which continues when new data is streamed from data source(s). The clustering engine incorporates stage-specific domain knowledge through stage-specific configurations. This hybrid approach combines strengths of user domain knowledge and machine learning power. Optimized clusters can be used by a prediction engine to increase prediction performance and/or by a network security specialist to identify hidden patterns.
USING A MACHINE LEARNING SYSTEM TO PROCESS A CORPUS OF DOCUMENTS ASSOCIATED WITH A USER TO DETERMINE A USER-SPECIFIC AND/OR PROCESS-SPECIFIC CONSEQUENCE INDEX
Aspects of the disclosure relate to using a machine learning system to process a corpus of documents associated with a user to determine a user-specific consequence index. A computing platform may load a corpus of documents associated with a user. Subsequently, the computing platform may create a first plurality of smart groups based on the corpus of documents, and then may generate a first user interface comprising a representation of the first plurality of smart groups. Next, the computing platform may receive user input applying one or more labels to a plurality of documents associated with at least one smart group. Subsequently, the computing platform may create a second plurality of smart groups based on the corpus of documents and the received user input. Then, the computing platform may generate a second user interface comprising a representation of the second plurality of smart groups.
Aspects of the disclosure relate to detecting random and/or algorithmically-generated character sequences in domain names. A computing platform may train a machine learning model based on a set of semantically-meaningful words. Subsequently, the computing platform may receive a seed string and a set of domains to be analyzed in connection with the seed string. Based on the machine learning model, the computing platform may apply a classification algorithm to the seed string and the set of domains, where applying the classification algorithm to the seed string and the set of domains produces a classification result. Thereafter, the computing platform may store the classification result.
Systems, methods and products for identifying “similar” threats by clustering the threats based on corresponding forensics. A corpus of forensic data for a plurality of threat URLs is obtained by a threat protection system, the data including forensic elements corresponding to each threat URL. For each pair of threat URLs, the corresponding forensic elements are examined to identify shared forensic elements. A similarity score is then generated for the pair of threat URLs based on the comparison of the corresponding forensic elements, including both malicious and non-malicious elements. Based on the similarity score generated for each pair of threat URLs, clusters of the threat URLs are identified, with each cluster including a subset of the plurality of threat URLs. Clusters of URLs similar to a selected URL may be identified by accessing the threat cluster information using a similar-threat search interface or through internal APIs of the threat protection system.
Aspects of the disclosure relate to data loss prevention. A computing platform may detect input of a first target recipient domain into a first email message. The computing platform may identify, in real time and prior to sending the first email message, that the first target recipient domain comprises an unintended recipient domain instead of an intended recipient domain. The computing platform may send, based on the identification of the unintended recipient domain and to a user device, a notification that the first target recipient domain is flagged as an unintended recipient domain and one or more commands directing the user device to display the notification.
Disclosed is a new location threat monitoring solution that leverages deep learning (DL) to process data from data sources on the Internet, including social media and the dark web. Data containing textual information relating to a brand is fed to a DL model having a DL neural network trained to recognize or infer whether a piece of natural language input data from a data source references an address or location of interest to the brand, regardless of whether the piece of natural language input data actually contains the address or location. A DL module can determine, based on an outcome from the neural network, whether the data is to be classified for potential location threats. If so, the data is provided to location threat classifiers for identifying a location threat with respect to the address or location referenced in the data from the data source.
A universal resource locator (URL) collider processes a click event referencing a URL and directs a browser to a page at the URL. While the page is being rendered by the browser with page data from a web server, the URL collider intercepts the page data including events associated with rendering the page, determines microfeatures of the page such as Document Object Model objects and any URLs referenced by the page, applies detection rules, tags as evidence any detected bad microfeature, bad URL, or suspicious sequence of events, and stores the evidence in an evidence database. Based on the evidence, a judge module dynamically determines whether to condemn the URL before or just in time as the page at the URL is fully rendered by the browser. If so, the browser is directed to a safe location or a notification page.
G06F 16/955 - Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
G06F 16/958 - Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking
G06F 21/51 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
A domain processing system is enhanced with a first-pass domain filter configured for loading character strings representing a pair of domains consisting of a seed domain and a candidate domain in a computer memory, computing a similarity score and a dynamic threshold for the pair of domains, determining whether the similarity score exceeds the dynamic threshold, and iterating the loading, the computing, and the determining for each of a plurality of candidate domains paired with the seed domain. A similarity score between the seed domain and the candidate domain and a corresponding dynamic threshold for the pair are computed. If the similarity score exceeds the corresponding dynamic threshold, the candidate domain is provided to a downstream computing facility. Otherwise, it is dropped. In this way, the first-pass domain filter can significantly reduce the number of domains that otherwise would need to be processed by the downstream computing facility.
H04L 61/30 - Managing network names, e.g. use of aliases or nicknames
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directories or standardised directory access protocols, using domain name system [DNS]
28. Systems and methods for promissory image classification
Systems, methods and products for classifying images according to a visual concept where, in one embodiment, a system includes an object detector and a visual concept classifier, the object detector being configured to detect objects depicted in an image and generate a corresponding object data set identifying the objects and containing information associated with each of the objects, the visual concept classifier being configured to examine the object data set generated by the object detector, detect combinations of the information in the object data set that are high-precision indicators of the designated visual concept being contained in the image, generate a classification for the object data set with respect to the designated visual concept, and associate the classification with the image, wherein the classification identifies the image as either containing the designated visual concept or not containing the designated visual concept.
G06F 18/2433 - Single-class perspective, e.g. one-against-all classification; Novelty detection; Outlier detection
G06F 18/214 - Generating training patterns; Bootstrap methods, e.g. bagging or boosting
G06F 18/2413 - Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on distances to training or reference patterns
Aspects of the disclosure relate to detecting and protecting against cybersecurity attacks using unprintable tracking characters. A computing platform may receive a character-limited message sent to a user device. Subsequently, the computing platform may detect that the character-limited message sent to the user device includes suspicious content. Then, the computing platform may generate a modified character-limited message by inserting one or more special characters into the character-limited message and cause transmission of the modified character-limited message to the user device. Next, the computing platform may receive, from the user device, a spam report that includes the modified character-limited message. Then, the computing platform may identify a presence of the one or more special characters included in the modified character-limited message and adjust one or more filters based on the identification.
Systems, methods and products for identifying “similar” threats by clustering the threats based on corresponding forensics. A corpus of forensic data for a plurality of threat URLs is obtained by a threat protection system, the data including forensic elements corresponding to each threat URL. For each pair of threat URLs, the corresponding forensic elements are examined to identify shared forensic elements. A similarity score is then generated for the pair of threat URLs based on the comparison of the corresponding forensic elements, including both malicious and non-malicious elements. Based on the similarity score generated for each pair of threat URLs, clusters of the threat URLs are identified, with each cluster including a subset of the plurality of threat URLs. Clusters of URLs similar to a selected URL may be identified by accessing the threat cluster information using a similar-threat search interface or through internal APIs of the threat protection system.
Aspects of the disclosure relate to providing commercial and/or spam messaging detection and enforcement. A computing platform may receive a plurality of text messages from a sender. It may then tokenize the plurality of text messages to yield a plurality of tokens. The computing platform may then match one or more tokens of the plurality of tokens in the plurality of text messages to one or more bulk string tokens. Next, it may detect one or more homoglyphs in the plurality of text messages, and then detect one or more URLs in the plurality of text messages. The computing platform may flag the sender based at least on the one or more matching tokens, the one or more detected homoglyphs, and the one or more detected URLs. Based on flagging the sender, the computing platform may block one or more messages from the sender.
Aspects of the disclosure relate to processing external messages using a secure email relay. A computing platform may receive, from a message source server associated with a first domain, a first email message and a first set of authentication credentials. Based on validating the first set of authentication credentials, the computing platform may inject, into the first email message, a DomainKeys Identified Mail (DKIM) signature of a second domain different from the first domain, which may produce a signed message that identifies itself as originating from the second domain. Based on scanning and validating content of the signed message, the computing platform may send the signed message to a message recipient server, which may cause the message recipient server to validate the DKIM signature of the signed message and determine that the signed message passes Domain-based Message Authentication, Reporting and Conformance (DMARC) with respect to the second domain.
A cyberthreat detection system queries a content database for unstructured content that contains a set of keywords, clusters the unstructured content into clusters based on topics, and determines a cybersecurity cluster utilizing a list of vetted cybersecurity phrases. The set of keywords represents a target of interest such as a newly discovered cyberthreat, an entity, a brand, or a combination thereof. The cybersecurity cluster thus determined is composed of unstructured content that has the set of keywords as well as some percentage of the vetted cybersecurity phrases. If the size of the cybersecurity cluster, as compared to the amount of unstructured content queried from the content database, meets or exceeds a predetermined threshold, the query is saved as a new classifier rule that can then be used by a cybersecurity classifier to automatically, dynamically and in a timely manner identify the target of interest in unclassified unstructured content.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
Aspects of the disclosure relate to spear phishing simulation using machine learning. A computing platform may send, to an enterprise user device, a spear phishing message. The computing platform may receive initial user interaction information indicating how a user of the enterprise user device interacted with the spear phishing message. Based on the initial user interaction information and using a series of branching message templates, the computing platform may generate additional spear phishing messages. The computing platform may receive additional user interaction information indicating how the user interacted with the additional spear phishing messages. Based on the initial user interaction information and the additional user interaction information, the computing platform may compute spear phishing scores. Based on a comparison of the spear phishing scores to spear phishing thresholds, the computing platform may generate training modules for the user, and may send the training modules to the enterprise user device.
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
Aspects of the disclosure relate to detecting and identifying malicious sites using machine learning. A computing platform may receive a uniform resource locator (URL). The computing platform may parse and/or tokenize the URL to reduce the URL into a plurality of components. The computing platform may identify human-engineered features of the URL. The computing platform may compute a vector representation of the URL to identify deep learned features of the URL. The computing platform may concatenate the human-engineered features of the URL to the deep learned features of the URL, resulting in a concatenated vector representation. By inputting the concatenated vector representation of the URL to a URL classifier, the computing platform may compute a phish classification score. In response to determining that the phish classification score exceeds a first phish classification threshold, the computing platform may cause a cybersecurity server to perform a first action.
A URL velocity monitor is integrated with a message-hold decision maker of an electronic mail processing system that processes electronic messages for a protected computer network. The URL velocity monitor receives or obtains a URL, decomposes the URL into URL features based on logical boundaries, and determines features of interest from the URL features for velocity tracking. Examples of URL features can include a randomized URL segment. The velocity of each feature of interest is tracked over a period of time using a counting algorithm that employs a slow counter or a fast counter. The two different counters track two types of velocities which represent different domain behaviors targeting the protected computer network. The URL velocity monitor determines whether the velocity of a feature of interest is accelerating within the time period. If so, the URL is placed in a queue or a sandbox.
Aspects of the disclosure relate to data loss prevention. A computing platform may detect input of a first target recipient domain into a first email message. The computing platform may identify, in real time and prior to sending the first email message, that the first target recipient domain is an unintended recipient domain instead of an intended recipient domain. The computing platform may identify, in real time and prior to sending the first email message, that the first email message violates one or more data loss prevention rules. Based on identifying the violation, the computing platform may send a notification that the first target recipient domain is flagged as an unintended recipient domain and one or more commands directing a user device of the message sender to display the notification.
A universal resource locator (URL) collider processes a click event referencing a URL and directs a browser to a page at the URL. While the page is being rendered by the browser with page data from a web server, the URL collider intercepts the page data including events associated with rendering the page, determines microfeatures of the page such as Document Object Model objects and any URLs referenced by the page, applies detection rules, tags as evidence any detected bad microfeature, bad URL, or suspicious sequence of events, and stores the evidence in an evidence database. Based on the evidence, a judge module dynamically determines whether to condemn the URL before or just in time as the page at the URL is fully rendered by the browser. If so, the browser is directed to a safe location or a notification page.
Aspects of the disclosure relate to generating threat intelligence information. A computing platform may receive forensics information corresponding to message attachments. For each message attachment, the computing platform may generate a feature representation. The computing platform may input the feature representations into a neural network, which may result in a numeric representation for each message attachment. The computing platform may apply a clustering algorithm to cluster the message attachments based on the numeric representations, which may result in clustering information. The computing platform may extract, from the clustering information, one or more indicators of compromise indicating that one or more attachments correspond to a threat campaign. The computing platform may send, to an enterprise user device, user interface information comprising the one or more indicators of compromise, which may cause the enterprise user device to display a user interface identifying the one or more indicators of compromise.
To find enriching contextual information for an abbreviated domain name, a data enrichment engine can comb through web content source code corresponding to the abbreviated domain name. From textual content in the web content source code, the data enrichment engine can identify words with initial characters that match characters of the abbreviated domain name, thereby establishing a relationship between them. This relationship can facilitate more accurate and efficient domain name classification. The data enrichment engine can query a WHOIS server to find out if candidate domains having initial characters that match the characters of the abbreviated domain name are registered to the same entity. If so, keywords can be extracted from the candidate domains and used to find more relevant domains for domain risk analysis and detection. Candidate domains determined by the data enrichment engine can be provided to a downstream computing facility such as a domain filter.
Aspects of the disclosure relate to providing secure shortened URLs in character-limited messages. A computing platform may receive one or more character-limited messages sent to a user device. The computing platform may detect a URL within the one or more character-limited messages for replacement and generate a shortened URL corresponding to the detected URL, wherein a domain of the shortened URL is hosted by the message security system. The computing platform may then modify the one or more character-limited messages by replacing the URL with the shortened URL, and then cause transmission of the modified one or more character-limited messages to the user device. Next, the computing platform may receive, from the user device, a request to access the shortened URL, and redirect the user device to the detected URL corresponding to the shortened URL.
Aspects of the disclosure relate to dynamically generating simulated attack messages configured for annotation by users as part of cybersecurity training. A computing platform may generate a simulated attack message including a plurality of elements and send the simulated attack message to an enterprise user device. Subsequently, the computing platform may receive, from the enterprise user device, user selections annotating selected elements of the plurality of elements of the simulated attack message. The computing platform may thereafter identify one or more training areas for the user based on the user selections received from the enterprise user device, generate a customized training module specific to the identified one or more training areas, and send the customized training module to the enterprise user device. Sending the customized training module to the enterprise user device may cause the enterprise user device to display the customized training module.
Aspects of the disclosure relate to dynamic message analysis using machine learning. A computing platform may monitor a messaging server associated with an enterprise organization. Based on monitoring the messaging server, the computing platform may identify bi-directional messaging traffic between enterprise domains associated with the enterprise organization and external domains not associated with the enterprise organization. Based on identifying the bi-directional messaging traffic, the computing platform may select external domains for a conversation detection process. The computing platform may compute an initial set of rank-ordered external domains by determining, based on a number of messages sent to and received from each enterprise domain/external domain pair, weighted difference values, and ranking the plurality of external domains selected for the conversation detection process based on the weighted difference values. The computing platform may remove, from the initial set of rank-ordered external domains, known outlier domains, and may execute enhanced protection actions.
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directories; Name-to-address mapping using standardised directory access protocols using domain name system [DNS]
Disclosed is a domain engineering analysis solution that determines relevance of a domain name to a brand name in which a domain name, brand name, and identification of a substring of the domain name may be provided to or obtained by a computer embodying a domain engineering analyzer. A list of features may be determined. The list of features may include a lexicon, or a set of key-value pairs that encode information about terms included as substrings in the domain name. Determining the features may include obtaining a language model for each term, analyzing a cluster of language models closest to the obtained language model, and determining and scoring a relevance of each term to the brand name. The determined relevance and score of each term may be provided to a client. This relevance analysis can be dynamically applied in an online process or proactively applied in an offline process.
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directories; Name-to-address mapping using standardised directory access protocols using domain name system [DNS]
45.
Using signed tokens to verify short message service (SMS) message bodies
Aspects of the disclosure relate to message verification. A computing platform may generate a cryptographic key pair comprising a public key and a private key. The computing platform may publish, to a server, the public key. The computing platform may generate a short message service (SMS) message. The computing platform may sign, using the private key, the SMS message, which may include computing a cryptographic hash of the SMS message using the private key and embedding the cryptographic hash in an SMPP field of the SMS message. The computing platform may send, to a downstream computing system, the signed SMS message, where the downstream computing system may be configured to validate the signed SMS message using the cryptographic hash embedded in the SMPP field of the SMS message and by accessing the public key.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols; including means for verifying the identity or authority of a user of the system
H04L 9/30 - Public key, i.e. encryption algorithm being computationally infeasible to invert and users' encryption keys not requiring secrecy
A URL velocity monitor is integrated with a message-hold decision maker of an electronic mail processing system that processes electronic messages for a protected computer network. The URL velocity monitor receives or obtains a URL, decomposes the URL into URL features based on logical boundaries, and determines features of interest from the URL features for velocity tracking. Examples of URL features can include a randomized URL segment. The velocity of each feature of interest is tracked over a period of time using a counting algorithm that employs a slow counter or a fast counter. The two different counters track two types of velocities which represent different domain behaviors targeting the protected computer network. The URL velocity monitor determines whether the velocity of a feature of interest is accelerating within the time period. If so, the URL is placed in a queue or a sandbox.
Aspects of the disclosure relate to anomaly detection in cybersecurity training modules. A computing platform may receive information defining a training module. The computing platform may capture a plurality of screenshots corresponding to different permutations of the training module. The computing platform may input, into an auto-encoder, the plurality of screenshots corresponding to the different permutations of the training module, wherein inputting the plurality of screenshots corresponding to the different permutations of the training module causes the auto-encoder to output a reconstruction error value. The computing platform may execute an outlier detection algorithm on the reconstruction error value, which may cause the computing platform to identify an outlier permutation of the training module. The computing platform may generate a user interface comprising information identifying the outlier permutation of the training module. The computing platform may send the user interface to at least one user device.
To find enriching contextual information for an abbreviated domain name, a data enrichment engine can comb through web content source code corresponding to the abbreviated domain name. From textual content in the web content source code, the data enrichment engine can identify words with initial characters that match characters of the abbreviated domain name, thereby establishing a relationship between them. This relationship can facilitate more accurate and efficient domain name classification. The data enrichment engine can query a WHOIS server to find out if candidate domains having initial characters that match the characters of the abbreviated domain name are registered to the same entity. If so, keywords can be extracted from the candidate domains and used to find more relevant domains for domain risk analysis and detection. Candidate domains determined by the data enrichment engine can be provided to a downstream computing facility such as a domain filter.
Aspects of the disclosure relate to detecting and identifying malicious sites using machine learning. A computing platform may receive image data of a graphical rendering of a resource available at a uniform resource locator (URL). The computing platform may compute a computer vision vector representation of the image data. The computing platform may compare the computer vision vector representation of the image data to stored numeric vectors representing page elements, resulting in a feature indicating whether the computer vision vector representation of the image data is visually similar to a known page element, and may input the feature to a classifier. The computing platform may receive, from the classifier, a phish classification score indicating a likelihood that the URL is malicious. In response to determining that the phish classification score exceeds a first phish classification threshold, the computing platform may cause a cybersecurity server to perform a first action.
Aspects of the disclosure relate to dynamic message analysis using machine learning. Using one or more automated methods, a computing platform may identify relationships between message sender domains and message recipient domains. After identifying the relationships, the computing platform may apply a security scoring process to a message sender domain to compute a weighted security score for the message sender domain. The computing platform may determine a weighted grade for the message sender domain based on the weighted security score for the message sender domain. Based on the weighted grade for the message sender domain, the computing platform may execute one or more enhanced protection actions associated with the message sender domain.
Aspects of the disclosure relate to automated simulated phishing lure generation for cybersecurity training. The computing platform may receive personalization data. The computing platform may generate, using a phishing lure generation model, one or more simulated synthetic phishing lures based on the personalization data. The computing platform may send the one or more simulated synthetic phishing lures to one or more user devices and one or more commands directing the one or more user devices to display the one or more simulated synthetic phishing lures, which may cause the one or more user devices to display the one or more simulated synthetic phishing lures. The computing platform may receive, from the one or more user devices, feedback data corresponding to user interactions with the one or more simulated synthetic phishing lures. The computing platform may update, using the feedback data, the phishing lure generation model.
Technology is disclosed for detecting imposters of a brand account. The technology can store a brand profile of the brand account, detect that a message has been publicly communicated to the brand account from a social media account, monitor messages sent publicly to the social media account from other social media accounts by repeatedly comparing the brand profile to metadata of each of the monitored messages, and identify at least one of the other social media accounts as an imposter account based on the comparing. The technology can cease the comparing at a predetermined expiration time occurring after the detection of the message that was sent publicly to the brand account.
G06Q 50/00 - Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
Aspects of the disclosure relate to URL classification. A computing platform may receive, from an enterprise user device, a request to evaluate a URL. The computing platform may execute one or more feature enrichment actions on the URL to identify one or more data points corresponding to the URL, which may include crawling the URL to extract metadata for the URL. The computing platform may input, into a URL classification model, the one or more data points corresponding to the URL, which may cause the URL classification model to output a maliciousness score indicative of a degree to which the URL is malicious. The computing platform may send, to the enterprise user device, a malicious score notification and one or more commands directing the enterprise user device to display the malicious score notification, which may cause the enterprise user device to display the malicious score notification.
Threat detection systems and methods in which feature syntax language (FSL) statements are used to define functions that generate features corresponding to detected text within textual non-attachment, non-URL input data. Generated features are aggregated in a core object, and classification rules are applied to the core object to determine a threat classification and theme associated with the input data. Using FSL statements and classification rules enables the system to rapidly generate thematic threat classifications identifying socially engineered attacks. A user interface enables users to rapidly update the FSL statements that define the functions used to generate the features, as well as the threat classification rules that are applied to the features in the core object to classify the input data. The modified statements and rules can be immediately used by the system.
Systems, methods, and products for identifying IP mass hosts and determining whether they are good or bad. One embodiment is a method including selecting a first candidate IP address, identifying a set of domains hosted at the IP address, and identifying registrants of the domains. A number of unique ones of the registrants is determined and if the number of unique registrants exceeds a threshold number, the candidate IP address is deemed an IP mass host. Otherwise, the candidate IP address is deemed not to be an IP mass host. For an IP mass host, domains that have bad reputations are identified, and it is determined whether the bad domains comprise at least a threshold percentage of the total hosted domains. If the IP mass host has at least the threshold percentage of bad domains, the IP mass host is deemed a bad mass host.
H04L 61/5046 - Resolving address allocation conflicts; Testing of addresses
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directories; Name-to-address mapping using standardised directory access protocols using domain name system [DNS]
H04L 61/4552 - Lookup mechanisms between a plurality of directories; Synchronisation of directories, e.g. metadirectories
Threat detection systems and methods in which feature syntax language (FSL) statements are used to define functions that generate features corresponding to detected text within textual non-attachment, non-URL input data. Generated features are aggregated in a core object, and classification rules are applied to the core object to determine a threat classification and theme associated with the input data. Using FSL statements and classification rules enables the system to rapidly generate thematic threat classifications identifying socially engineered attacks. A user interface enables users to rapidly update the FSL statements that define the functions used to generate the features, as well as the threat classification rules that are applied to the features in the core object to classify the input data. The modified statements and rules can be immediately used by the system.
A system preventing upload of a source file to an upload destination includes a computer, a user application, and an agent application. The agent registers for a notification of a user interface action with the computer operating system (OS), and receives notice from the OS of the user interface action associated with the registering. The agent determines the user interface action is indicative of a data file upload operation of a source file to an upload destination. The agent compares a property of the source file and a property of the upload destination to a blocking criterion and prevents the user application from receiving the user interface action. The user interface action includes detection by the OS of a user interaction with a controller of a graphical user interface pointer and/or a pressing of one or more keys on a keyboard user interface.
A computer system detects whether a new document has been opened at a user computer on the computer system. The system includes a user computer, a user application accessible by a human user at the user computer, and an agent application hosted by the user computer. The agent is configured to register to receive notifications of user interface actions with an operating system (OS) of the user computer. The agent receives a notification from the OS of a user interface action, and determines whether a new document was opened at a display screen of the user computer by the user interface action.
Aspects of the disclosure relate to identifying potentially malicious messages and generating instream alerts based on real-time message monitoring. A computing platform may monitor a plurality of messages received by a messaging server associated with an operator. Subsequently, the computing platform may detect that a message of the plurality of messages is potentially malicious. In response to detecting that the message of the plurality of messages is potentially malicious, the computing platform may execute one or more protection actions. In executing the one or more protection actions, the computing platform may generate an alert message comprising information indicating that the message of the plurality of messages is potentially malicious. Then, the computing platform may send the alert message to the messaging server, which may cause the messaging server to deliver the alert message to a computing device associated with an intended recipient of the message.
Aspects of the disclosure relate to providing commercial and/or spam messaging detection and enforcement. A computing platform may receive a plurality of text messages from a sender. It may then tokenize the plurality of text messages to yield a plurality of tokens. The computing platform may then match one or more tokens of the plurality of tokens in the plurality of text messages to one or more bulk string tokens. Next, it may detect one or more homoglyphs in the plurality of text messages, and then detect one or more URLs in the plurality of text messages. The computing platform may flag the sender based at least on the one or more matching tokens, the one or more detected homoglyphs, and the one or more detected URLs. Based on flagging the sender, the computing platform may block one or more messages from the sender.
Aspects of the disclosure relate to message compliance analysis. A computing platform may access historical messages. The computing platform may pre-process the historical messages to configure the historical messages for use in training a disclaimer model to identify whether or not input messages include a disclaimer. The computing platform may train, using the pre-processed historical messages, the disclaimer model. The computing platform may receive a new message. The computing platform may input, into the disclaimer model, the new message, which may produce a disclaimer score indicating a likelihood that the new message includes a disclaimer. The computing platform may compare the disclaimer score to a disclaimer threshold. Based on identifying that the disclaimer score meets or exceeds the disclaimer threshold, the computing platform may remove, from a set of messages scheduled for compliance review, the new message, and send, to an intended recipient of the new message, the new message.
Methods and systems allow organizations to discover accounts, subscriptions, properties, sites and other online portals within each distinct social network platform and across disparate social network platforms, publishing platforms and networks that represent, claim to represent or are relevant to their organization and/or brands based on search terms and facilitate the statistical reporting and analysis of activities on the discovered properties.
An intelligent clustering system has a dual-mode clustering engine for mass-processing and stream-processing. A tree data model is utilized to describe heterogeneous data elements in an accurate and uniform way and to calculate a tree distance between each data element and a cluster representative. The clustering engine performs element clustering, through sequential or parallel stages, to cluster the data elements based at least in part on calculated tree distances and parameter values reflecting user-provided domain knowledge on a given objective. The initial clusters thus generated are fine-tuned by undergoing an iterative self-tuning process, which continues when new data is streamed from data source(s). The clustering engine incorporates stage-specific domain knowledge through stage-specific configurations. This hybrid approach combines strengths of user domain knowledge and machine learning power. Optimized clusters can be used by a prediction engine to increase prediction performance and/or by a network security specialist to identify hidden patterns.
A cyberthreat detection system queries a content database for unstructured content that contains a set of keywords, clusters the unstructured content into clusters based on topics, and determines a cybersecurity cluster utilizing a list of vetted cybersecurity phrases. The set of keywords represents a target of interest such as a newly discovered cyberthreat, an entity, a brand, or a combination thereof. The cybersecurity cluster thus determined is composed of unstructured content that has the set of keywords as well as some percentage of the vetted cybersecurity phrases. If the size of the cybersecurity cluster, as compared to the amount of unstructured content queried from the content database, meets or exceeds a predetermined threshold, the query is saved as a new classifier rule that can then be used by a cybersecurity classifier to automatically, dynamically and in a timely manner identify the target of interest in unclassified unstructured content.
G06F 16/36 - Creation of semantic tools, e.g. ontology or thesauri
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
A spammy app detection system may search a database for any new social media application discovered during a recent time period. A spammy app detection algorithm can be executed on the spammy app detection system on an hourly basis to determine whether any of such applications is spammy (i.e., posting to a social media page anomalously). The spammy app detection algorithm has a plurality of stages. When a new social media application fails any of the stages, it is identified as a spammy app. The spammy app detection system can update the database accordingly, ban the spammy application from further posting to a social media page monitored by the spammy app detection system, notify an entity associated with the social media page, further process the spammy application, and so on. In this way, the spammy app detection system can reduce digital risk and spam attacks.
G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06Q 50/00 - Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
67.
Uniform resource locator classifier and visual comparison platform for malicious site detection preliminary
Aspects of the disclosure relate to detecting and identifying malicious sites using machine learning. A computing platform may receive a uniform resource locator (URL). The computing platform may parse and/or tokenize the URL to reduce the URL into a plurality of components. The computing platform may identify human-engineered features of the URL. The computing platform may compute a vector representation of the URL to identify deep learned features of the URL. The computing platform may concatenate the human-engineered features of the URL to the deep learned features of the URL, resulting in a concatenated vector representation. By inputting the concatenated vector representation of the URL to a URL classifier, the computing platform may compute a phish classification score. In response to determining that the phish classification score exceeds a first phish classification threshold, the computing platform may cause a cybersecurity server to perform a first action.
A message-hold decision maker system used with an electronic mail processing system that processes electronic messages for a protected computer network improves the electronic mail processing system's performance by increasing the throughput performance of the system. The improvements are achieved by providing an electronic mail processing gateway with additional logic that makes fast and intelligent decisions on whether to hold, block, allow, or sandbox electronic messages in view of potential threats such as viruses or URL-based threats. A message hold decision maker uses current and stored information from a plurality of specialized classification engines to quickly make the decisions. In some examples, the message hold decision maker will instruct an email gateway to hold an electronic mail message while the classification engines perform further analysis.
Disclosed is an effective domain name defense solution in which a domain name string may be provided to or obtained by a computer embodying a visual domain analyzer. The domain name string may be rendered or otherwise converted to an image. An optical character recognition function may be applied to the image to read out a text string which can then be compared with a protected domain name to determine whether the text string generated by the optical character recognition function from the image converted from the domain name string is similar to or matches the protected domain name. This visual domain analysis can be dynamically applied in an online process or proactively applied in an offline process to hundreds of millions of domain names.
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directories; Network directories; Name-to-address mapping using standardised directory access protocols using domain name system [DNS]
G06F 18/22 - Matching criteria, e.g. proximity measures
G06V 10/75 - Organisation of the matching processes, e.g. simultaneous or sequential comparisons of image or video features; Coarse-fine approaches, e.g. multi-scale approaches; Image or video pattern matching; Proximity measures in feature spaces using context analysis; Selection of dictionaries
70.
IP address and routing schemes for overlay network
A communication system includes multiple Point-of-Presence (POP) interfaces distributed in a Wide-Area Network (WAN), and one or more processors coupled to the POP interfaces. The processors are configured to assign to an initiator in the communication system a client Internet Protocol (IP) address, including embedding in the client IP address an affiliation of the initiator with a group of initiators, to assign to a responder in the communication system a service IP address, including embedding in the service IP address an affiliation of the service with a group of responders, and to route traffic between the initiator and the responder, over the WAN via one or more of the POP interfaces, in a stateless manner, based on the affiliation of the initiator and the affiliation of the service, as embedded in the client and service IP addresses.
H04L 69/325 - Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the network layer [OSI layer 3], e.g. X.25
71.
DETECTING INSIDER USER BEHAVIOR THREATS BY COMPARING A CURRENT (LATEST) USER ACTIVITY TO USER ACTIVITIES OF OTHERS
A computer method detects internal user behavior threats by recording user activity data at endpoints on a computer network associated with a tenant, generating a sampled activity matrix for each user, grouping users from the tenant into clusters based on similarity, assigning a user activity weight to each activity-set, creating a ranked list of the user activity-sets for all users within the tenant, computing a user behavior vector for each respective one of the users in the tenant, and comparing the user behavior vector for a particular one of the users in the tenant to other users in the tenant to determine whether the user behavior vector indicates that the user behavior deviates beyond a threshold amount from the other users in the tenant, and, if so, creating an internal user behavior threat notification that may, for example, prompt a real world response.
G06F 11/34 - Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
72.
DETECTING INSIDER USER BEHAVIOR THREATS BY COMPARING A USER'S BEHAVIOR TO THE USER'S PRIOR BEHAVIOR
A computer method includes recording user activity data at endpoints on a computer network, generating a sampled activity matrix representing occurrences of activity-sets performed by the user over multiple time windows, computing a user activity weight for each activity-set based on a variance over the time windows, computing a historical user activity score and a contextual user activity score, computing a user behavior vector and user behavior score, using the user behavior scores to detect a deviation beyond a threshold amount from a baseline behavior for the user, creating an internal user behavior threat notification in response to detecting a deviation beyond the threshold amount and, optionally, taking real world steps, as a human, to react to the threat notification.
Systems, methods, and apparatuses directed to efficiently determining whether a device making a request to access an application or service is a managed device and using that information to set an appropriate security policy for the device or the request to access the application or service. In some embodiments, a service or server (referred to as a Managed Device Identification Service) is configured to request a client certificate from a device that is requesting access to a cloud-based application or service as part of a protocol handshake. If a certificate is received, it is compared to a stored certificate to determine if the device is a managed device and as a result, the appropriate security policy.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
74.
System and methods for reducing an organization's cybersecurity risk by determining the function and seniority of employees
Systems, methods, and apparatuses directed to implementations of an approach and techniques for more effectively preparing for, detecting, and responding to cybersecurity threats directed at people or at groups of people. Embodiments are directed to classifying or segmenting employees by “predicting” what are believed to be two attributes of an employee that contribute to making them at a higher risk of being a target of a cybersecurity attack. These attributes are the employee's seniority level (e.g., employee, contractor, manager, executive, board member) and the employee's primary function or role in an organization (e.g., HR, Legal, Operations, Finance, Marketing, Sales, R&D, etc.).
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
G06Q 10/0637 - Strategic management or analysis, e.g. setting a goal or target of an organisation; Planning actions based on goals; Analysis or evaluation of effectiveness of goals
G06Q 10/0635 - Risk analysis of enterprise or organisation activities
An intelligent clustering system has a dual-mode clustering engine for mass-processing and stream-processing. A tree data model is utilized to describe heterogenous data elements in an accurate and uniform way and to calculate a tree distance between each data element and a cluster representative. The clustering engine performs element clustering, through sequential or parallel stages, to cluster the data elements based at least in part on calculated tree distances and parameter values reflecting user-provided domain knowledge on a given objective. The initial clusters thus generated are fine-tuned by undergoing an iterative self-tuning process, which continues when new data is streamed from data source(s). The clustering engine incorporates stage-specific domain knowledge through stage-specific configurations. This hybrid approach combines strengths of user domain knowledge and machine learning power. Optimized clusters can be used by a prediction engine to increase prediction performance and/or by a network security specialist to identify hidden patterns.
Systems, apparatuses, and methods for more effectively preparing for and responding to cybersecurity threats directed at people or at groups of people. A segmentation process is described that evaluates multiple characteristics of a person that may make them a potential target or that may make a cybersecurity attack on that person more likely to be successful. Based on the segmentation, a security analyst can apply an appropriate risk reduction or security protocol to each person or group of similarly situated people to reduce the likelihood of an attack and/or the likelihood of a successful attack.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
Aspects of the disclosure relate to detecting impersonation in email body content using machine learning. Based on email data received from user accounts, a computing platform may generate user identification models that are each specific to one of the user accounts. The computing platform may intercept a message from a first user account to a second user account and may apply a user identification model, specific to the first user account, to the message, so as to calculate feature vectors for the message. The computing platform then may apply impersonation algorithms to the feature vectors and may determine that the message is impersonated. Based on results of the impersonation algorithms, the computing platform may modify delivery of the message.
H04L 51/212 - Monitoring or handling of messages using filtering or selective blocking
H04L 51/224 - Monitoring or handling of messages providing notification on incoming messages, e.g. pushed notifications of received messages
78.
Using a machine learning system to process a corpus of documents associated with a user to determine a user-specific and/or process-specific consequence index
Aspects of the disclosure relate to using a machine learning system to process a corpus of documents associated with a user to determine a user-specific consequence index. A computing platform may load a corpus of documents associated with a user. Subsequently, the computing platform may create a first plurality of smart groups based on the corpus of documents, and then may generate a first user interface comprising a representation of the first plurality of smart groups. Next, the computing platform may receive user input applying one or more labels to a plurality of documents associated with at least one smart group. Subsequently, the computing platform may create a second plurality of smart groups based on the corpus of documents and the received user input. Then, the computing platform may generate a second user interface comprising a representation of the second plurality of smart groups.
Aspects of the disclosure relate to providing a flexible and automated system for automatically detecting when emails include harmful content, flagging the emails, providing interactive reporting functionality, and providing follow-up enforcement actions to protect users. A computing platform may intercept an email in transit to an email server. Subsequently, the computing platform may analyze the email and generate at least one unique link for reporting suspicious content associated with the email. Next, the computing platform may generate an email warning tag comprising text information and the at least one unique link for reporting the suspicious content associated with the email. Then, the computing platform may inject the email warning tag into the email to produce a modified email comprising content from the email and the email warning tag, and may send the modified email to the email server.
A system and methods for determining the degree to which a vendor, supplier, or company's compliance or lack of compliance with a specific regulation or requirement contributes to, or could contribute to, the cybersecurity risk of an organization whose employees use that company's products or services. This source of risk may be evaluated for a plurality or set of vendors to determine an estimated total risk arising from this source or set of sources. In response to evaluating the degree or level of this source of risk, the system and methods can be used to determine or select the appropriate security process or protocol that should be applied to employees, devices, systems, and networks to limit the risk to the organization.
G06Q 10/0637 - Strategic management or analysis, e.g. setting a goal or target of an organisation; Planning actions based on goals; Analysis or evaluation of effectiveness of goals
Aspects of the disclosure relate to identifying legitimate websites and removing false positives from domain discovery analysis. Based on a list of known legitimate domains, a computing platform may generate a baseline dataset of feature vectors corresponding to the known legitimate domains. Subsequently, the computing platform may receive information identifying a first domain for analysis and may execute one or more machine learning algorithms to compare the first domain to the baseline dataset. Based on execution of the one or more machine learning algorithms, the computing platform may generate first domain classification information indicating that the first domain is a legitimate domain. In response to determining that the first domain is a legitimate domain, the computing platform may send one or more commands directing a domain identification system to remove the first domain from a list of indeterminate domains maintained by the domain identification system.
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directories; Network directories; Name-to-address mapping using standardised directory access protocols using domain name system [DNS]
82.
Dynamically initiating and managing automated spear phishing in enterprise computing environments
Aspects of the disclosure relate to dynamic and automated spear phishing management. A computing platform may identify users to receive a simulated spear phishing message. In some instances, the computing platform may receive a very attacked persons (VAP) list and may identify the users to receive the simulated spear phishing message based on the VAP list. Based on historical message data associated with a first user, the computing platform may identify message features associated with the first user. Using a predetermined template and for a first user account linked to the first user, the computing platform may generate a first spear phishing message based on the message features. The computing platform may then send, to the first user account, the first spear phishing message.
Aspects of the disclosure relate to dynamically controlling access to linked content in electronic communications. A computing platform may receive, from a user computing device, a request for a uniform resource locator associated with an email message and may evaluate the request using one or more isolation criteria. Based on evaluating the request, the computing platform may identify that the request meets at least one isolation condition associated with the one or more isolation criteria. In response to identifying that the request meets the at least one isolation condition associated with the one or more isolation criteria, the computing platform may initiate a browser mirroring session with the user computing device to provide the user computing device with limited access to a resource corresponding to the uniform resource locator associated with the email message.
H04L 29/06 - Communication control; Communication processing characterised by a protocol
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
A threat response platform to act as a bridge between non-inline security programs and inline security programs. The threat response platform receives event reports, relating to client devices, from the non-inline security programs and creates incident reports for a user. The incident reports describe the event report and also additional data gathered by an active correlation system of the threat response platform. The active correlation system automatically gathers various types of data that are potentially useful to a user in determining whether the reported event is an incidence of malware operating on the client device or a false positive. The active correlation system places a temporary agent on the client device to identify indications of compromise.
Systems, methods and products for classifying images according to a visual concept where, in one embodiment, a system includes an object detector and a visual concept classifier, the object detector being configured to detect objects depicted in an image and generate a corresponding object data set identifying the objects and containing information associated with each of the objects, the visual concept classifier being configured to examine the object data set generated by the object detector, detect combinations of the information in the object data set that are high-precision indicators of the designated visual concept being contained in the image, generate a classification for the object data set with respect to the designated visual concept, and associate the classification with the image, wherein the classification identifies the image as either containing the designated visual concept or not containing the designated visual concept.
Aspects of the disclosure relate to data loss prevention. A computing platform may detect input of a first target recipient domain into a first email message. The computing platform may identify, in real time and prior to sending the first email message, that the first target recipient domain is an unintended recipient domain instead of an intended recipient domain. The computing platform may identify, in real time and prior to sending the first email message, that the first email message violates one or more data loss prevention rules. Based on identifying the violation, the computing platform may send a notification that the first target recipient domain is flagged as an unintended recipient domain and one or more commands directing a user device of the message sender to display the notification.
Aspects of the disclosure relate to data loss prevention. A computing platform may detect input of a first target recipient domain into a first email message. The computing platform may identify, in real time and prior to sending the first email message, that the first target recipient domain comprises an unintended recipient domain instead of an intended recipient domain. The computing platform may send, based on the identification of the unintended recipient domain and to a user device, a notification that the first target recipient domain is flagged as an unintended recipient domain and one or more commands directing the user device to display the notification.
Aspects of the disclosure relate to identifying domain name lookalikes. A computing platform may generate a plurality of lookalike domain names for an input domain name. The computing platform may generate, by applying a hash algorithm to the plurality of lookalike domain names, a dictionary index. The computing platform may identify a first domain name. The computing platform may identify, by performing a lookup function in the dictionary index using the first domain name, that the first domain name is a lookalike domain name corresponding to the input domain name. The computing platform may send, to a user device, one or more commands directing the user device to display a user interface that includes the lookalike domain name, which may cause the user device to display the user interface.
Mobile device security techniques are described. For a specific computing device, for each of a plurality of distinct security categories, a risk score is determined. The determined risk scores are aggregated to obtain an overall risk score.
A computer network includes user endpoint devices geographically distributed relative to one another such that at least one of the endpoint devices is subject to a different set of data protection or privacy restrictions than other endpoint devices and data processing facilities coupled to the user endpoint devices over a network. The data processing facilities are in different geographical regions or sovereignties. A computer-based endpoint agent is in each of the endpoint devices. Each endpoint agent is configured to collect telemetry data relating to user activity at its associated endpoint device and transmit the collected telemetry data to a selected one of the data processing facilities, according to an applicable realm definition, in compliance with the data protection or privacy restrictions that apply to the agent's endpoint device.
A dynamic Domain-based Message Authentication, Reporting, and Conformance (DMARC) enforcement solution is disclosed. A mail transfer agent (MTA) receives an email and obtains an originating email domain from the email. The MTA queries a dynamic DMARC module (which can be implemented on a domain name system (DNS) infrastructure or the MTA) about any local policy override associated with the originating email domain. DMARC policy overrides can be published from a source system and stored locally to the dynamic DMARC module (e.g., on the DNS infrastructure or the MTA). The MTA receives a response which contains the local policy override published from the source system and dynamically overrides the fact that the email had failed DMARC. In this way, an email which failed DMARC can still be dynamically considered and delivered if a local policy override that is published from a source system indicates that it should be delivered.
A system controls access to data for a customer of a multi-tenant software as a service (SaaS) system. A multi-tenant SaaS system cloud includes a metadata store. A customer-controlled storage realm includes a customer-controlled key management system (KMS) and a data store for storing encrypted customer data objects. An agent at a user endpoint identifies customer data for storage in the customer data store, transmits metadata and telemetry information related to the customer data to a SaaS application interface (API), and provides a storage reference for a SaaS metadata store. The agent is pre-configured with credentials from the KMS for storing customer data objects in the data store. The customer-controlled storage realm is not in direct communication with the SaaS system cloud.
A computer-based method includes monitoring user activities at an endpoint device on a computer network, determining if one of the user activities at the endpoint device presents a potential threat to network security, creating an alert of the potential threat, and providing, with the alert, a redacted version of a screenshot from the endpoint device. One or more open windows that appeared on the screen of the endpoint device are obscured or removed in the redacted version of the screenshot of the endpoint device.
Systems, methods, and apparatuses directed to efficiently determining whether a device making a request to access an application or service is a managed device and using that information to set an appropriate security policy for the device or the request to access the application or service. In some embodiments, a service or server (referred to as a Managed Device Identification Service) is configured to request a client certificate from a device that is requesting access to a cloud-based application or service as part of a protocol handshake. If a certificate is received, it is compared to a stored certificate to determine if the device is a managed device and as a result, the appropriate security policy.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
95.
System and method for light data file duplication prevention
A system for preventing duplication of a computer source file to a destination file includes a user application accessed by a user of a computer. An agent application hosted by the computer registers for a notification of a user interface action with an operating system (OS) of the computer. The agent receives notice from the OS of the user interface action and determines if the user interface action is indicative of a data file duplication operation of a source file to a destination file location. The agent compares a property of the source file and a property of the destination file location to blocking criteria, and blocks the user interface action from reaching the application.
G06F 3/0481 - Interaction techniques based on graphical user interfaces [GUI] based on specific properties of the displayed interaction object or a metaphor-based environment, e.g. interaction with desktop elements like windows or icons, or assisted by a cursor's changing behaviour or appearance
G06F 16/17 - Details of further file system functions
G06F 16/16 - File or folder operations, e.g. details of user interfaces specifically adapted to file systems
96.
Distributed Attribute Based Access Control as means of Data Protection and Collaboration in Sensitive (Personal) Digital Record and Activity Trail Investigations
A distributed system provides access by a principal to a resource associated with sensitive data. Micro-services in communication with an authorization engine each include a resource provider that receives a resource action request from the principal to access the resource, determines a context for the request, and transmits the context to the authorization engine in an authorization request. The authorization engine receives the authorization request, resolves the authorization request context against a plurality of pre-defined resource conditions, and responds to the resource provider with an authorization response of allow, deny, or allow-with-conditions. The context for the request includes metadata regarding attributes of the principal, and each of the resource conditions includes a logical expression operating upon the attributes.
Aspects of the disclosure relate to providing commercial and/or spam messaging detection and enforcement. A computing platform may receive a plurality of text messages from a sender. It may then tokenize the plurality of text messages to yield a plurality of tokens. The computing platform may then match one or more tokens of the plurality of tokens in the plurality of text messages to one or more bulk string tokens. Next, it may detect one or more homoglyphs in the plurality of text messages, and then detect one or more URLs in the plurality of text messages. The computing platform may flag the sender based at least on the one or more matching tokens, the one or more detected homoglyphs, and the one or more detected URLs. Based on flagging the sender, the computing platform may block one or more messages from the sender.
A query term analytics system receives a search query from a user device. The system has an engine enhanced with the ability to track query terms using in-memory counters and leveraging an inverted index of content stored in a content repository. The search query is run on the content and, contemporaneously, the engine performs a query term analysis on the query terms to produce query term analytics. The query term analysis includes an impact analysis that determines an impact of removing a keyword or keyword criteria from the search query. A compressed bitset can be used to indicate whether a keyword is in the content. The engine can accumulate statistics using the in-memory counters while the search query is being processed. Using the statistics thus accumulated, a query term analytics report is generated and provided to the user device for presentation on the user device.
G06F 16/383 - Retrieval characterised by using metadata, e.g. metadata not derived from the content or metadata generated manually; using metadata automatically derived from the content
A computer-based method of reducing or limiting data transmissions from a computer to a remote network destination includes receiving an indication, at an agent on a computer, that a recent user activity has occurred at the computer. The indication typically includes data relevant to the user's context when the user activity occurred. The method further includes determining, with the agent, whether the data relevant to the user's context when the user activity occurred indicates a change in user context relative to a user activity at the computer immediately prior to the recent user activity, and conditioning a transmission of data relevant to the recent user activity from the computer to a remote network destination based on an outcome of the determination.
H04L 67/568 - Storing data temporarily at an intermediate stage, e.g. caching
H04L 9/06 - Arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for blockwise coding, e.g. D.E.S. systems
Systems, methods and products for increasing efficiency of resource usage by determining the reliability of reporters of unwanted messages and prioritizing evaluation of messages based on the reliability scores. Reports of unwanted messages are evaluated to determine whether they are bad. If an unwanted message is bad, a score for the reporter is updated to reflect a positive credit. A set of safe rules is applied to the message to determine whether it is safe and, if the message is determined to be safe, the reporter score corresponding to the reporter is updated to reflect a non-positive (zero or negative) credit. If the message is determined to be neither bad nor safe, the message is entered in a reevaluation queue and, after a waiting period, the message evaluation is repeated using updated threat information, and the reporter score is updated according to the reevaluation.