H04L 9/32 - Arrangements for secret or secure communications; network security protocols; including means for verifying the identity or authority of a user of the system
G06K 7/14 - Methods or arrangements for sensing record carriers by electromagnetic radiation, e.g. optical sensing; methods or arrangements for sensing record carriers by corpuscular radiation; using light without selection of wavelength, e.g. sensing reflected white light
G06K 19/06 - Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code
2. SYSTEM AND METHODS FOR DETECTING ALTERED DOCUMENTS
Many documents, whether hardcopy or softcopy, require authentication for a particular use. Documents are often copied but knowing whether the contents of a document, even a copy of the document, have been altered can still be critical to the particular use. In one embodiment, a document's content is encoded with a symbolic representation, such as one or more Quick Response (QR) codes, derived from the document's content. Subsequent scanning of the document retrieves the document's content and the symbolic representation. The retrieved document's contents are then used to generate a symbolic representation of the content and compared to the content encoded in the symbolic representation. If the two match, the document has not been altered.
G06F 21/30 - Authentication, i.e. establishing the identity or authorisation of security principals
G06K 19/06 - Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code
Systems and methods are provided to validate an image. The image is segmented into a plurality of blocks and scrambled. A hash of the original image and scrambled image is then provided with a hash of the algorithms used (e.g., the segmenting algorithm, the scrambling algorithm, and/or the hashing algorithm). The foregoing hashes may be provided as a single, merged hash, and optionally as a quick response (QR) code. A recipient may then validate the image with a provided hash, which may comprise a merged hash that is separated into its constituent hashes. If the hashes match, the image is determined to be unaltered.
H04L 9/32 - Arrangements for secret or secure communications; network security protocols; including means for verifying the identity or authority of a user of the system
Examples of the present disclosure describe systems and methods for identifying anomalous network behavior. In aspects, a network event may be observed by network sensors. One or more characteristics may be extracted from the network event and used to construct an evidence vector. The evidence vector may be compared to a mapping of previously-identified events and/or event characteristics. The mapping may be represented as one or more clusters of expected behaviors and anomalous behaviors. The mapping may be modeled using analytic models for direction detection and magnitude detection. One or more centroids may be identified for each of the clusters. A “best fit” may be determined and scored for each of the analytic models. The scores may be fused into a single binocular score and used to determine whether the evidence vector is likely to represent an anomaly.
Embodiments of systems and methods for DNS leak prevention and protection are disclosed herein. In particular, certain embodiments include a local DNS protection agent installed on a system and an associated trusted external DNS protection server. The DNS protection agent prevents DNS leaks from applications on the system such that all DNS requests from the system are confined to requests from the DNS protection agent to the associated DNS protection server. As the DNS leak prevention provided by the DNS protection agent stops applications on the system from circumventing the DNS protection server, all DNS requests originating from the system remain under the control of the DNS protection server and thus desired DNS protection (e.g., as implemented on the DNS protection server) may be maintained. Certain embodiments prevent applications from using certain DNS security protocols, such as DoH and DoT, without going through the DNS protection agent.
H04L 61/4511 - Network directories; name-to-address mapping; using standardised directories or standardised directory access protocols; using domain name system [DNS]
H04L 67/60 - Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
7. METHODS AND SYSTEMS OF CONTENT INTEGRATION FOR GENERATIVE ARTIFICIAL INTELLIGENCE
Systems and methods are provided for a device to obtain a query, such as from a user. The query is vectorized to obtain a numerical representation of the query and provided to a vector database to find the nearest vectors corresponding to most relevant context, such as for a particular domain or subject matter. The query, query vector, and context vectors, and optionally past query history and past query responses, are provided to an artificial intelligence, such as a large language model (LLM), to receive a response to the query without providing the context to the LLM.
A firewall monitors network activity and stores information about that network activity in a network activity log. The network activity is analyzed to identify a potential threat. The potential threat is further analyzed to identify other potential threats that are related to the potential threat, and are likely to pose a future risk to a protected network. A block list is updated to include the potential threat and the other potential threats to protect the protected network from the potential threat and the other potential threats.
Methods, devices and computer program products facilitate the storage, access and management of log files that are associated with particular client devices. The log files provide a record of user or client device activities that are periodically sent to a data backup center. A dedicated log file server facilitates the processing and storage of an increasingly large number of log files that are generated by new and existing client devices. A storage server pre-processes the received log files to facilitate the processing and storage of the log files by the log file server. This Abstract is provided for the sole purpose of complying with the Abstract requirement rules. This Abstract is submitted with the explicit understanding that it will not be used to interpret or to limit the scope or the meaning of the claims.
G06F 3/06 - Digital input from, or digital output to, record carriers
G06F 11/14 - Error detection or correction of the data by redundancy in operation, e.g. by using different operation sequences leading to the same result
G06F 11/34 - Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation
G06F 16/17 - Details of further file system functions
G06F 16/174 - Redundancy elimination performed by the file system
A computer system comprising a processor and a memory storing instructions that, when executed by the processor, cause the computer system to perform a set of operations. The set of operations comprises collecting domain attribute data comprising one or more domain attribute features for a domain, collecting sampled domain profile data comprising one or more domain profile features for the domain and generating, using the domain attribute data and the sampled domain profile data, a domain reputation assignment utilizing a neural network.
Embodiments disclosed herein relate to systems and methods for providing a smart cache. In embodiments, a variable time to live (TTL) may be calculated and associated with data as it is stored in a cache. The variable TTL may be calculated based upon reputation and/or category information related to the source of the data. The reputation and/or category information may include TTL modifiers for adjusting the TTL for data from a particular data source that is stored in the cache. In further embodiments, a feedback method may be employed to update reputation and/or category information for a particular data source.
H04L 67/5682 - Policies or rules for updating, deleting or replacing the stored data
G06F 12/0802 - Addressing of a memory level in which the access to the desired data or data block requires associative addressing means, e.g. caches
G06F 12/0864 - Addressing of a memory level in which the access to the desired data or data block requires associative addressing means, e.g. caches using pseudo-associative means, e.g. set-associative or hashing
G06F 12/0875 - Addressing of a memory level in which the access to the desired data or data block requires associative addressing means, e.g. caches with dedicated cache, e.g. instruction or stack
G06F 12/128 - Replacement control using replacement algorithms adapted to multidimensional cache systems, e.g. set-associative, multicache, multiset or multilevel
G06F 16/957 - Browsing optimisation, e.g. caching or content distillation
Methods and systems for determining, presenting and analyzing API usage of an application are disclosed herein. Embodiments of an API monitor as presented herein may serve to provide tightly coupled insight into API usage by an application to ascertain and provide knowledge and visibility into API usage by an application associated with the API monitor, including API calls made by both a frontend and a backend of an application.
A protection module operates to analyze threats, at the protocol level (e.g., at the HTML level), by intercepting all requests that a browser engine resident in a computing device sends and receives, and the protection agent completes the requests without the help of the browser engine. The protection module then analyzes and/or modifies the completed data before the browser engine has access to it, to, for example, display it. After performing all of its processing, removing, and/or adding any code as needed, the protection module provides the HTML content to the browser engine, and the browser engine receives responses from the protection agent as if it were speaking to an actual web server, when in fact the browser engine is speaking to an analysis engine of the protection module.
Systems, methods and products for enabling parallelized verification of a forensic copy generated using a non-parallelizable hashing algorithm. Disclosed embodiments generate the forensic copy of a data source using a non-parallelizable algorithm. In addition to generating a hash of the source data, intermediate hash states are stored for successive blocks of data from the data source. During verification of the forensic copy, the intermediate hash states and identifiers of the data blocks are retrieved from a data structure that is saved with the forensic copy. The non-parallelizable algorithm is used to hash each data block using the intermediate hash state preceding the data block as a starting hash state, then the hash of the data block is compared to the intermediate hash state following the data block to verify the data block. If all data blocks are successfully verified, the forensic copy is verified, otherwise verification fails.
H04L 9/06 - Arrangements for secret or secure communications; network security protocols; the encryption apparatus using shift registers or memories for blockwise coding, e.g. D.E.S. systems
H04L 9/00 - Arrangements for secret or secure communications; network security protocols
16. DEFINITION AND EXTENSION OF STORIES OF CORE ENTITIES AND CALCULATION OF RISK SCORES THEREOF
Core entities are each defined as a subset of base entities that satisfy one or more core entity connection relationships. Base stories are each defined as a subset of core entities that satisfy one or more story connection relationships. A risk score of each core entity is calculated based on previously calculated risk scores of the base entities. A risk score of each base story is calculated based on the calculated risk score of each core entity of the base story. Selected base stories are extended with external content to generate corresponding extended stories.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
Examples of the present disclosure describe systems and methods for discrete processor feature behavior collection and analysis. In aspects, a monitoring utility may initialize a set of debugging and/or performance monitoring feature sets for a microprocessor. When the microprocessor receives from software content a set of instructions that involves the loading of a set of modules or code segments, the set of modules or code segments may be evaluated by the monitoring utility. The monitoring utility may generate a process trace of the loaded set of modules or code segments. Based on the process trace output, various execution paths may be reconstructed in real-time. The system and/or API calls made by the microprocessor may then be compared to the process trace output to quickly observe the interaction between the software content and the operating system of the microprocessor.
Domain-specific images used for training an optical character recognition (OCR) machine learning model are generated as follows. Uniform resource locator (URL) addresses of web pages associated with a particular domain are retrieved. Words in the web pages associated with the particular domain are determined. Domain-relevant n-grams of the words are identified for the particular domain. Corresponding domain-specific images of each domain-relevant n-gram for the particular domain are generated.
G06V 10/764 - Arrangements for image or video recognition or understanding using pattern recognition or machine learning using classification, e.g. of video objects
Examples of the present disclosure describe systems and methods for providing advanced file modification heuristics. In aspects, software content is selected for monitoring. The monitoring comprises determining when the software content performs file accesses that are followed by read and/or write operations. The read/write operations are analyzed in real-time to determine whether the software content is modifying file content. If the monitoring indicates the software content is modifying accessed files, mathematical calculations are applied to the read-write operations to determine the nature of the modifications. Based on the determined nature of the file modifications, the actions of the software content may be categorized and halted prior to completion; thereby, mitigating malicious cyberattacks and/or unauthorized accesses.
Examples of the present disclosure describe systems and methods of providing real-time scanning of IP addresses. In aspects, input may be received by a real-time IP scanning system. The system may generate one or more work orders based on the input. A scanner associated with the system may access a work order and attempt to communicate with one or more devices identified by the work order. If the attempted communication with a device is successful, a protocol analyzer may be used to provide a predefined payload to the device. If the response from the device matches an expected string, the device may be determined to be a safe and/or legitimate device. If the response from the device does not match an expected string, the device may be determined to be a malicious device.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
Examples of the present disclosure describe systems and methods for monitoring the security privileges of a process. In aspects, when a process is created, the corresponding process security token and privilege information is detected and recorded. At subsequent “checkpoints,” the security token is evaluated to determine whether the security token has been replaced, or whether new or unexpected privileges have been granted to the created process. When a modification to the security token is determined, a warning or indication of the modification is generated and the process may be terminated to prevent the use of the modified security token.
H04L 9/32 - Arrangements for secret or secure communications; network security protocols; including means for verifying the identity or authority of a user of the system
Examples of the present disclosure describe systems and methods for behavioral threat detection definition compilation. In an example, one or more sets of rule instructions may be packaged for distribution and/or use by a behavioral threat detection engine. As an example, a set of rule instructions is compiled into an intermediate language and assembled into a compiled behavior rule binary. Event linking is performed, wherein other rules launched by the rule and/or events that launch the rule or are processed by the rule are identified, and such information may be stored accordingly. The behavior rule binary may be packaged with other rules associated with identifying a specific behavior. The packaged behavior rule is distributed to one or more computing devices for use with a behavioral threat detection engine. For example, the threat detection engine may execute the behavior rule using a rule virtual machine.
Peer device protection enables a first device comprising a digital security agent to remedy security issues on (or associated with) a set of devices visible to the first device. In aspects, a first device comprising a digital security agent may identify a set of devices visible to the first device. The first device may monitor the set of devices to collect data, such as types of communications and data points of interest. The digital security agent may apply threat detection to the collected data to identify anomalous network behavior. When anomalous network behavior is detected, the first device may cause an indicator of compromise (IOC) to be generated. Based on the IOC, the first device may facilitate remediation of the anomalous network behavior and/or apply security to one or more devices in the set of devices.
Examples of the present disclosure describe systems and methods for behavioral threat detection definition. In an example, a behavior rule comprising a set of rule instructions is used to define one or more events indicative of a behavior. For example, a set of events from which one event must be matched may be defined or a set of events from which all events must be matched may be defined. In some examples, events are matched based on an event name or type, or may be matched based on one or more parameters. Exact and/or inexact matching may be used. The set of rule instructions ultimately specifies one or more halt instructions, thereby indicating that a determination as to the presence of the behavior has been made. Example determinations include, but are not limited to, a match determination, a non-match determination, or an indication that additional monitoring should be performed.
Examples of the present disclosure describe systems and methods for detecting and mitigating stack pivoting exploits. In aspects, various “checkpoints” may be identified in software code. At each checkpoint, the current stack pointer, stack base, and stack limit for each mode of execution may be obtained. The current stack pointer for each mode of execution may be evaluated to determine whether the stack pointer falls within a stack range between the stack base and the stack limit of the respective mode of execution. When the stack pointer is determined to be outside of the expected stack range, a stack pivot exploit is detected and one or more remedial actions may be automatically performed.
G06F 21/52 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure
B01D 15/18 - Selective adsorption, e.g. chromatography characterised by constructional or operational features relating to flow patterns
The present disclosure describes systems and methods for remote management of appliances. The appliance may be configured to periodically check in a predetermined online location for the presence of a trigger file identifying one or more appliances directed to contact a management server for maintenance. If the file is present at the predetermined location and the file includes the identifier of the appliance, the appliance may initiate a connection to the management server. If the file is not found, then the appliance may reset a call timer and attempt to retrieve the file at a later time. To avoid having to configure addresses on the appliance, link local IPv6 addresses may be configured for use over a virtual private network, allowing administration, regardless of the network configuration or local IP address of the appliance.
H04L 67/125 - Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks involving control of end-device applications over a network
Systems and methods of tracking chain of custody of relevant electronic documents are provided. An example method begins with receiving an electronic document collection request. In response, a set of relevant electronic documents is retrieved, a tracking unit is generated, and the tracking unit is assigned to the set of relevant electronic documents. The tracking unit includes: a state machine having at least two stages including a specification stage for specifying the electronic document collection request and a review stage for displaying the relevant electronic documents, a plurality of Chain-Of-Custody (COC) statuses, and a plurality of number of relevant document values. The chain of custody of the set of relevant electronic documents is tracked. The set of relevant electronic documents generated by the electronic document collection request is displayed by a graphical user interface.
Examples of the present disclosure describe systems and methods of automatic inline detection based on static data. In aspects, a file being received by a recipient device may be analyzed using an inline parser. The inline parser may identify sections of the file and feature vectors may be created for the identified sections. The feature vectors may be used to calculate a score corresponding to the malicious status of the file as the information is being analyzed. If a score is determined to exceed a predetermined threshold, the file download process may be terminated. In aspects, the received files, file fragments, feature vectors and/or additional data may be collected and analyzed to build a probabilistic model used to identify potentially malicious files.
Examples of the present disclosure describe systems and methods for sharing memory using a multi-ring shared, traversable and dynamic database. In aspects, the database may be synchronized and shared between multiple processes and/or operation mode protection rings of a system. The database may also be persisted to enable the management of information between hardware reboots and application sessions. The information stored in the database may be view independent, traversable, and resizable from various component views of the database. In some aspects, an event processor is additionally described. The event processor may use the database to allocate memory chunks of a shared heap to components/processes in one or more protection modes of the operating system.
Examples of the present disclosure describe systems and methods for detecting and mitigating stack pivoting using stack artifact verification. In aspects, function hooks may be added to one or more functions. When a hooked function executes, artifacts relating to the hooked function may be left on the stack memory (“stack”). The location of the artifacts on the stack may be stored in a local storage area. Each time a hook in a hooked function is subsequently executed, protection may be executed to determine whether an artifact remains in the location stored in the local storage area. If the artifact is no longer in the same location, a stack pivot may be detected and one or more remedial actions may be automatically performed.
G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
The present disclosure relates to systems and methods for identifying highly sensitive modules and taking a remediation or preventative action if such modules are accessed by malicious software. For example, the likelihood that a module is used for an exploit, and is thus sensitive, is categorized as high, medium, or low. The likelihood that a module can be used for an exploit can dictate whether, and to what degree, an application accessing the module is “suspicious.” However, in some instances, a sensitive module may have legitimate reasons to load when used in certain non-malicious ways. The system may also consider a trust level when determining what actions to take, such that an application and/or user having a higher trust level may be less suspicious when accessing a sensitive module as compared to an application or user having a lower trust level.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
G06F 21/51 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
G06F 21/55 - Detecting local intrusion or implementing counter-measures
Examples of the present disclosure describe systems and methods for malicious software detection based on API trust. In an example, a set of software instructions executed by a computing device may call an API. A hook may be generated on the API, such that a threat processor may receive an indication when the API is called. Accordingly, the threat processor may generate a trust metric based on the execution of the set of software instructions, which may be used to determine whether the set of software instructions poses a potential threat. For example, one or more call stack frames may be evaluated to determine whether a return address is preceded by a call instruction, whether the return address is associated with a set of software instructions or memory associated with a set of software instructions, and/or whether the set of software instructions satisfies a variety of security criteria.
Embodiments provide systems and methods for logging events. A computer-implemented method, for example, includes a syslog connector providing a subscription to a cloud source that collects events from a plurality of data sources, the subscription comprising an event selection criterion, receiving event records from the cloud source according to the subscription, the received event records formatted according to a first format, transforming the event records received from the cloud source from the first format to syslog messages and storing, by the syslog connector, the syslog messages to a syslog data sink.
The present disclosure describes systems and methods for aggregation and management of cloud storage among a plurality of providers via file fragmenting to provide increased reliability and security. In one implementation, fragments or blocks may be distributed among a plurality of cloud storage providers, such that no provider retains a complete copy of a file. Accordingly, even if an individual service is compromised, a malicious actor cannot access the data. In another implementation, fragments may be duplicated and distributed to multiple providers, such that loss of communications to any one provider does not result in inability to access the data. This implementation may be combined with error correction techniques to allow recovery, even with loss of multiple providers. File synchronization may also be faster in these implementations by dividing reading and writing operations among multiple providers.
G06F 11/14 - Error detection or correction of the data by redundancy in operation, e.g. by using different operation sequences leading to the same result
G06F 16/178 - Techniques for file synchronisation in file systems
G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
H04L 67/1095 - Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
36. Systems and methods for detection and mitigation of malicious encryption
The present disclosure describes systems and methods for detection and mitigation of malicious encryption. A security agent on an infected computing device may monitor data writes to disk, memory, or network transmission buffers for strings that may represent encryption keys or moduli. The security agent may apply one or more techniques to decode and parse the string to either identify or extract the keys, or rule out the string as containing an encryption key or modulus. If a key is identified, or its presence cannot be excluded, then the security agent may generate an alert and take mitigation actions.
Examples of the present disclosure describe systems and methods for selective export address table filtering. In aspects, the relative virtual address (RVA) of exported function names may be modified to point to a protected memory location. An exception handler may be registered to process exceptions relating to access violations of the protected memory location. If an exception is detected that indicates an attempt to access the protected memory location, the instruction pointer of the exception may be compared to an allowed range of memory addresses. If the instruction pointer address is outside the boundaries, remedial action may occur.
G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
G06F 21/55 - Detecting local intrusion or implementing counter-measures
38.
Security event transformation and logging systems and methods
Embodiments provide systems and methods for logging events. A computer-implemented method comprises receiving input for selecting one or more event types to receive from an event collector; receiving, based on the one or more event types, a plurality of security events from the event collector; transforming each of the plurality of security events to a standard format to generate a plurality of formatted security events; and transmitting the plurality of formatted security events to a security information and event management (SIEM) server.
Examples of the present disclosure describe systems and methods for restricting access to application programming interfaces (APIs). For example, when a process calls an API, the API call may be intercepted by a security system for evaluation of its trustworthiness before the API is allowed to run. Upon intercepting an API call, the process calling the API may be evaluated to determine if the process is known to the security system, such that known processes that are untrusted may be blocked from calling the API. Further, when the security system cannot identify the process calling the API, the security service may evaluate a call stack associated with the call operation to determine if attributes of the call operation are known to the security system. If the call operation is known to the security system as untrusted, the call operation may be blocked from calling the API.
G06F 21/51 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
G06F 21/52 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure
G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
Examples of the present disclosure describe systems and methods of issuing certificates. One embodiment includes a non-transitory, computer-readable medium comprising computer executable instructions stored thereon, the computer executable instructions executable for receiving a certificate request from an online identity, wherein the certificate request validates a reputation of the online identity, analyzing the certificate request, based on the analysis, determining to issue a certificate, and issuing the certificate to the online identity.
Examples of the present disclosure describe systems and methods for discrete processor feature behavior collection and analysis. In aspects, a monitoring utility may initialize a set of debugging and/or performance monitoring feature sets for a microprocessor. When the microprocessor receives from software content a set of instructions that involves the loading of a set of modules or code segments, the set of modules or code segments may be evaluated by the monitoring utility. The monitoring utility may generate a process trace of the loaded set of modules or code segments. Based on the process trace output, various execution paths may be reconstructed in real-time. The system and/or API calls made by the microprocessor may then be compared to the process trace output to quickly observe the interaction between the software content and the operating system of the microprocessor.
Embodiments disclosed herein relate to systems and methods for providing a smart cache. In embodiments, a variable time to live (TTL) may be calculated and associated with data as it is stored in a cache. The variable TTL may be calculated based upon reputation and/or category information related to the source of the data. The reputation and/or category information may include TTL modifiers for adjusting the TTL for data from a particular data source that is stored in the cache. In further embodiments, a feedback method may be employed to update reputation and/or category information for a particular data source.
G06F 12/0802 - Addressing of a memory level in which the access to the desired data or data block requires associative addressing means, e.g. caches
G06F 12/0864 - Addressing of a memory level in which the access to the desired data or data block requires associative addressing means, e.g. caches using pseudo-associative means, e.g. set-associative or hashing
G06F 12/0875 - Addressing of a memory level in which the access to the desired data or data block requires associative addressing means, e.g. caches with dedicated cache, e.g. instruction or stack
G06F 12/128 - Replacement control using replacement algorithms adapted to multidimensional cache systems, e.g. set-associative, multicache, multiset or multilevel
G06F 16/957 - Browsing optimisation, e.g. caching or content distillation
Aspects of the present disclosure are operable to protect against malicious objects, such as JavaScript code, which may be encountered, downloaded, or otherwise accessed from a content source by a computing system. In an example, antivirus software implementing aspects disclosed herein may be capable of detecting malicious objects in real-time. Aspects of the present disclosure aim to reduce the amount of time used to detect malicious code while maintaining detection accuracy, as detection delays and/or a high false positive rate may result in a negative user experience. Among other benefits, the systems and methods disclosed herein are operable to identify malicious objects encountered by a computing system while maintaining a high detection rate, a low false positive rate, and a high scanning speed.
Examples of the present disclosure describe systems and methods of providing real-time scanning of IP addresses. In aspects, input may be received by a real-time IP scanning system. The system may generate one or more work orders based on the input. A scanner associated with the system may access a work order and attempt to communicate with one or more devices identified by the work order. If the attempted communication with a device is successful, a protocol analyzer may be used to provide a predefined payload to the device. If the response from the device matches an expected string, the device may be determined to be a safe and/or legitimate device. If the response from the device does not match an expected string, the device may be determined to be a malicious device.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
Examples of the present disclosure describe systems and methods for exploit detection via induced exceptions. One embodiment of a method can include generating an inspection point, the inspection point causing an exception when a set of software instructions encounters the inspection point during an execution of the set of software instructions by a processor; registering an exception handler to handle the exception associated with the inspection point; receiving, in response to the set of software instructions encountering the inspection point, an indication of an exception; accessing a context record associated with the execution of the set of software instructions; evaluating the context record to determine if an exploit is present using the first reputation information; and, based on a determination that an exploit is present, performing a corrective action for the exploit.
G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
46.
Aggregation and management among a plurality of storage providers
The present disclosure describes systems and methods for aggregation and management of cloud storage among a plurality of providers via file fragmenting to provide increased reliability and security. In one implementation, fragments or blocks may be distributed among a plurality of cloud storage providers, such that no provider retains a complete copy of a file. Accordingly, even if an individual service is compromised, a malicious actor cannot access the data. In another implementation, file fragmenting may be performed in a non-standard manner such that file headers and metadata are divided across separate fragments, obfuscating the original file metadata.
H04L 67/1097 - Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
G06F 16/14 - Details of searching files based on file metadata
G06F 16/17 - Details of further file system functions
G06F 16/27 - Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
Examples of the present disclosure describe systems and methods for state-based entity behavior analysis. In an example, entities of a computing environment may be represented using a hierarchical entity web. In some examples, an entity may have a state associated with it, which may be modeled using a place/transition (PT) network. Events within the computing environment may be evaluated by transitions of a PT network to determine whether an entity should change state. If an entity transitions from one state to another, one or more actions may be performed, including, but not limited to, taking a remedial action, generating a recommendation, and updating the state of one or more associated entities. Thus, aspects disclosed herein may provide a high-level overview of the state of entities of a computing environment, but may also be used to view in-depth information of entities at lower levels of the hierarchical entity web.
H04L 41/0853 - Retrieval of network configuration; Tracking network configuration history by actively collecting configuration information or by backing up configuration information
H04L 41/0893 - Assignment of logical groups to network elements
H04L 41/0816 - Configuration setting characterised by the conditions triggering a change of settings the condition being an adaptation, e.g. in response to network events
Embodiments of systems and methods for DNS smart access are disclosed herein. In particular, certain embodiments include a local cache of trusted addresses resolved by a trusted DNS resolver. A DNS smart access agent monitors outbound communications from applications or processes on a client device. The DNS smart access agent blocks access to addresses that were not resolved through the trusted DNS resolver.
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directories, using standardised directory access protocols using domain name system [DNS]
Examples of the present disclosure describe systems and methods for a behavioral threat detection engine. In examples, the behavioral threat detection engine manages execution of one or more virtual machines, wherein each virtual machine processes a rule in relation to a context. The behavioral threat detection engine uses any of a variety of techniques to identify when events occur. Accordingly, the behavioral threat detection engine provides event indications, in the form of event packets, to one or more virtual machines, such that corresponding rules are able to process the events accordingly. Eventually, a rule may make a determination as to the presence or absence of a behavior. As a result, execution of the associated virtual machine may be halted, thereby indicating to the behavioral threat detection engine that a determination has been made. Thus, the behavioral threat detection engine employs a behavior-based approach to detecting malicious or potentially malicious behaviors.
09 - Scientific and electric apparatus and instruments
35 - Advertising and business services
38 - Telecommunications services
42 - Scientific, technological and industrial services, research and design
Goods & Services
Downloadable computer software using artificial intelligence for managing content, customer user experience, business networks, IT operations, software developer operations, and cybersecurity; Downloadable computer software using artificial intelligence including machine learning, predictive analytics, and generative artificial intelligence for use in cybersecurity, electronic discovery, customer communications management, customer service management, functional testing, software development, enterprise content management, business process management, and forensics. Business consulting services for businesses and institutions relating to artificial intelligence, big data, cognitive computing and data-driven analytics. Advisory and consultancy services relating to artificial intelligence as it applies to communications between computers over telecommunications networks. Software as a service (SAAS) services featuring software for managing content, customer user experience, business networks, IT operations, software developer operations, and cybersecurity; SaaS services featuring artificial intelligence including machine learning, predictive analytics, and generative artificial intelligence for use in cybersecurity, electronic discovery, customer communications management, customer service management, functional testing, software development, enterprise content management, business process management, and forensics.
09 - Scientific and electric apparatus and instruments
35 - Advertising and business services
38 - Telecommunications services
42 - Scientific, technological and industrial services, research and design
Goods & Services
Downloadable computer software using artificial intelligence for managing content, customer user experience, business networks, IT operations, software developer operations, and cybersecurity; Downloadable computer software using artificial intelligence including machine learning, predictive analytics, and generative artificial intelligence for use in cybersecurity, electronic discovery, customer communications management, customer service management, functional testing, software development, enterprise content management, business process management, and forensics; none of the aforesaid goods being in relation to gaming, gambling or casinos. Business consulting services for businesses and institutions relating to artificial intelligence, big data, cognitive computing and data-driven analytics; none of the aforesaid services being in relation to gaming, gambling or casinos. Advisory and consultancy services relating to artificial intelligence as it applies to communications between computers over telecommunications networks; none of the aforesaid services being in relation to gaming, gambling or casinos. Software as a service (SAAS) services featuring software for managing content, customer user experience, business networks, IT operations, software developer operations, and cybersecurity; SaaS services featuring artificial intelligence including machine learning, predictive analytics, and generative artificial intelligence for use in cybersecurity, electronic discovery, customer communications management, customer service management, functional testing, software development, enterprise content management, business process management, and forensics; none of the aforesaid services being in relation to gaming, gambling or casinos.
09 - Scientific and electric apparatus and instruments
35 - Advertising and business services
38 - Telecommunications services
42 - Scientific, technological and industrial services, research and design
Goods & Services
(1) Downloadable computer software using artificial intelligence for managing content, customer user experience, business networks, IT operations, software developer operations, and cybersecurity; downloadable computer software using artificial intelligence including machine learning, predictive analytics, and generative artificial intelligence for use in cybersecurity, electronic discovery, customer communications management, customer service management, functional testing, software development, enterprise content management, business process management, and forensics (1) Business consulting services for businesses and institutions relating to artificial intelligence, big data, cognitive computing and data-driven analytics
(2) Advisory and consultancy services relating to artificial intelligence as it applies to communications between computers over telecommunications networks
(3) Software as a service (SAAS) services featuring software for managing content, customer user experience, business networks, IT operations, software developer operations, and cybersecurity; SaaS services featuring artificial intelligence including machine learning, predictive analytics, and generative artificial intelligence for use in cybersecurity, electronic discovery, customer communications management, customer service management, functional testing, software development, enterprise content management, business process management, and forensics
09 - Scientific and electric apparatus and instruments
35 - Advertising and business services
38 - Telecommunications services
42 - Scientific, technological and industrial services, research and design
Goods & Services
(1) Downloadable computer software using artificial intelligence for managing content, customer user experience, business networks, IT operations, software developer operations, and cybersecurity; downloadable computer software using artificial intelligence including machine learning, predictive analytics, and generative artificial intelligence for use in cybersecurity, electronic discovery, customer communications management, customer service management, functional testing, software development, enterprise content management, business process management, and forensics (1) Business consulting services for businesses and institutions relating to artificial intelligence, big data, cognitive computing and data-driven analytics
(2) Advisory and consultancy services relating to artificial intelligence as it applies to communications between computers over telecommunications networks
(3) Software as a service (SAAS) services featuring software for managing content, customer user experience, business networks, IT operations, software developer operations, and cybersecurity; SaaS services featuring artificial intelligence including machine learning, predictive analytics, and generative artificial intelligence for use in cybersecurity, electronic discovery, customer communications management, customer service management, functional testing, software development, enterprise content management, business process management, and forensics
09 - Scientific and electric apparatus and instruments
35 - Advertising and business services
42 - Scientific, technological and industrial services, research and design
Goods & Services
Telecommunication advisory and consultancy services relating to artificial intelligence as it applies to communications between computers over telecommunications networks
Downloadable computer software using artificial intelligence for managing content, customer user experience, business networks, IT operations, software developer operations, and cybersecurity; Downloadable computer software using artificial intelligence including machine learning, predictive analytics, and generative artificial intelligence for use in cybersecurity, electronic discovery, customer communications management, customer service management, functional testing, software development, enterprise content management, business process management, and forensics in the nature of data analysis
Business consulting services for businesses and institutions relating to artificial intelligence, big data, cognitive computing and data-driven analytics
Software as a service (SAAS) services featuring software for managing content, customer user experience, business networks, IT operations, software developer operations, and cybersecurity; SaaS services featuring artificial intelligence software for machine learning, predictive analytics, and generative artificial intelligence for use in cybersecurity, electronic discovery, customer communications management, customer service management, functional testing, software development, enterprise content management, business process management, and forensics in the nature of data analysis
55.
Systems and methods for secure file management via an aggregation of cloud storage services
The present disclosure describes systems and methods for aggregation and management of cloud storage among a plurality of providers via file fragmenting to provide increased reliability and security. In one implementation, fragments or blocks may be distributed among a plurality of cloud storage providers, such that no provider retains a complete copy of a file. Accordingly, even if an individual service is compromised, a malicious actor cannot access the data. In another implementation, fragments may be duplicated and distributed to multiple providers, such that loss of communications to any one provider does not result in inability to access the data. This implementation may be combined with error correction techniques to allow recovery, even with loss of multiple providers. File synchronization may also be faster in these implementations by dividing reading and writing operations among multiple providers.
G06F 11/14 - Error detection or correction of the data by redundancy in operation, e.g. by using different operation sequences leading to the same result
G06F 16/178 - Techniques for file synchronisation in file systems
G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
H04L 67/1095 - Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
09 - Scientific and electric apparatus and instruments
35 - Advertising and business services
42 - Scientific, technological and industrial services, research and design
Goods & Services
Telecommunication advisory and consultancy services relating to artificial intelligence as it applies to communications between computers over telecommunications networks
Downloadable computer software using artificial intelligence for managing content, customer user experience, business networks, IT operations, software developer operations, and cybersecurity; Downloadable computer software using artificial intelligence including machine learning, predictive analytics, and generative artificial intelligence for use in cybersecurity, electronic discovery, customer communications management, customer service management, functional testing, software development, enterprise content management, business process management, and forensics in the nature of data analysis
Business consulting services for businesses and institutions relating to artificial intelligence, big data, cognitive computing and data-driven analytics
Software as a service (SAAS) services featuring software for managing content, customer user experience, business networks, IT operations, software developer operations, and cybersecurity; SaaS services featuring artificial intelligence including machine learning, predictive analytics, and generative artificial intelligence for use in cybersecurity, electronic discovery, customer communications management, customer service management, functional testing, software development, enterprise content management, business process management, and forensics in the nature of data analysis
57.
Systems and methods for remote management of appliances
The present disclosure describes systems and methods for remote management of appliances. The appliance may be configured to periodically check a predetermined online location for the presence of a trigger file identifying one or more appliances directed to contact a management server for maintenance. If the file is present at the predetermined location and the file includes the identifier of the appliance, the appliance may initiate a connection to the management server. If the file is not found, then the appliance may reset a call timer and attempt to retrieve the file at a later time. To avoid having to configure addresses on the appliance, link-local IPv6 addresses may be configured for use over a virtual private network, allowing administration regardless of the network configuration or local IP address of the appliance.
H04L 67/125 - Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks involving control of end-device applications over a network
Embodiments of systems and methods for DNS leak prevention and protection are disclosed herein. In particular, certain embodiments include a local DNS protection agent installed on a system and an associated trusted external DNS protection server. The DNS protection agent prevents DNS leaks from applications on the system such that all DNS requests from the system are confined to requests from the DNS protection agent to the associated DNS protection server. As the DNS leak prevention provided by the DNS protection agent stops applications on the system from circumventing the DNS protection server, all DNS requests originating from the system remain under the control of the DNS protection server and thus desired DNS protection (e.g., as implemented on the DNS protection server) may be maintained. Certain embodiments prevent applications from using certain DNS security protocols, such as DoH and DoT, without going through the DNS protection agent.
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directories, using standardised directory access protocols using domain name system [DNS]
H04L 67/60 - Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
Examples of the present disclosure describe systems and methods for selective export address table filtering. In aspects, the relative virtual address (RVA) of exported function names may be modified to point to a protected memory location. An exception handler may be registered to process exceptions relating to access violations of the protected memory location. If an exception is detected that indicates an attempt to access the protected memory location, the instruction pointer of the exception may be compared to an allowed range of memory addresses. If the instruction pointer address is outside the boundaries, remedial action may occur.
G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
G06F 21/55 - Detecting local intrusion or implementing counter-measures
Examples of the present disclosure describe systems and methods for a behavioral threat detection virtual machine. In examples, the virtual machine executes a rule comprising rule instructions. A rule may comprise one or more wait rule instructions that cause the virtual machine to pause execution. As events are added to an event queue for the rule virtual machine, the behavioral threat detection virtual machine evaluates such events in order to identify a positive or, in some instances, a negative match. When a matching event is identified, rule execution resumes. Eventually, a determination is made as a result of processing events and wait packets, thereby indicating the presence or absence of a malicious or potentially malicious behavior, among other examples. Thus, among other things, the behavioral threat detection virtual machine maintains a state associated with rule execution and processes events to identify behaviors accordingly.
Examples of the present disclosure describe systems and methods for behavioral threat detection definition. In an example, a behavior rule comprising a set of rule instructions is used to define one or more events indicative of a behavior. For example, a set of events from which one event must be matched may be defined or a set of events from which all events must be matched may be defined. In some examples, events are matched based on an event name or type, or may be matched based on one or more parameters. Exact and/or inexact matching may be used. The set of rule instructions ultimately specifies one or more halt instructions, thereby indicating that a determination as to the presence of the behavior has been made. Example determinations include, but are not limited to, a match determination, a non-match determination, or an indication that additional monitoring should be performed.
Aspects of the present disclosure relate to systems and methods for partitioning an OS or hypervisor utilized on a computing device from the process of proxy control. For example, a proxy may be installed on a separation kernel or firmware on a computing device that routes all data traffic received via a network connection to a cloud which performs various services such as IP reputation management, URL reputation detection and validation, malicious file filtering through potential malware detection.
Examples of the present disclosure describe systems and methods for providing advanced file modification heuristics. In aspects, software content is selected for monitoring. The monitoring comprises determining when the software content performs file accesses that are followed by read and/or write operations. The read/write operations are analyzed in real-time to determine whether the software content is modifying file content. If the monitoring indicates the software content is modifying accessed files, mathematical calculations are applied to the read/write operations to determine the nature of the modifications. Based on the determined nature of the file modifications, the actions of the software content may be categorized and halted prior to completion, thereby mitigating malicious cyberattacks and/or unauthorized accesses.
Examples of the present disclosure describe systems and methods for detecting and mitigating stack pivoting exploits. In aspects, various “checkpoints” may be identified in software code. At each checkpoint, the current stack pointer, stack base, and stack limit for each mode of execution may be obtained. The current stack pointer for each mode of execution may be evaluated to determine whether the stack pointer falls within a stack range between the stack base and the stack limit of the respective mode of execution. When the stack pointer is determined to be outside of the expected stack range, a stack pivot exploit is detected and one or more remedial actions may be automatically performed.
G06F 21/52 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure
B01D 15/18 - Selective adsorption, e.g. chromatography characterised by constructional or operational features relating to flow patterns
A protection module operates to analyze threats at the protocol level (e.g., at the HTML level) by intercepting all requests that a browser engine resident in a computing device sends and receives, and the protection agent completes the requests without the help of the browser engine. The protection module then analyzes and/or modifies the completed data before the browser engine has access to it, for example to display it. After performing all of its processing, removing and/or adding any code as needed, the protection module provides the HTML content to the browser engine, and the browser engine receives responses from the protection agent as if it were speaking to an actual web server, when in fact the browser engine is speaking to an analysis engine of the protection module.
Examples of the present disclosure describe systems and methods for malicious software detection based on API trust. In an example, a set of software instructions executed by a computing device may call an API. A hook may be generated on the API, such that a threat processor may receive an indication when the API is called. Accordingly, the threat processor may generate a trust metric based on the execution of the set of software instructions, which may be used to determine whether the set of software instructions poses a potential threat. For example, one or more call stack frames may be evaluated to determine whether a return address is preceded by a call instruction, whether the return address is associated with a set of software instructions or memory associated with a set of software instructions, and/or whether the set of software instructions satisfies a variety of security criteria.
Examples of the present disclosure describe systems and methods for sharing memory using a multi-ring shared, traversable and dynamic database. In aspects, the database may be synchronized and shared between multiple processes and/or operation mode protection rings of a system. The database may also be persisted to enable the management of information between hardware reboots and application sessions. The information stored in the database may be view independent, traversable, and resizable from various component views of the database. In some aspects, an event processor is additionally described. The event processor may use the database to allocate memory chunks of a shared heap to components/processes in one or more protection modes of the operating system.
The present disclosure describes systems and methods for aggregation and management of cloud storage among a plurality of providers. According to one aspect, a computer-implemented method includes providing an aggregated folder at a client computer, the aggregated folder aggregating the contents of a plurality of folders, each of the plurality of folders used for synchronization with a respective one of a plurality of cloud storage providers; identifying a new file for synchronization; determining a first cloud storage provider from the plurality of cloud storage providers to which to store at least a portion of the new file; storing the at least a portion of the new file in a first folder from the plurality of folders, the first folder for synchronization with the first cloud storage provider from the plurality of cloud storage providers; and adding the new file to the aggregated folder.
H04L 67/06 - Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
H04L 67/1097 - Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
The present disclosure relates to systems and methods for identifying highly sensitive modules and taking a remediation or preventative action if such modules are accessed by malicious software. For example, the likelihood that a module is used for an exploit, and is thus sensitive, is categorized as high, medium, or low. The likelihood that a module can be used for an exploit can dictate whether, and to what degree, an application accessing the module is “suspicious.” However, in some instances, a sensitive module may have legitimate reasons to load when used in certain non-malicious ways. The system may also consider a trust level when determining what actions to take, such that an application and/or user having a higher trust level may be less suspicious when accessing a sensitive module as compared to an application or user having a lower trust level.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
G06F 21/51 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
G06F 21/55 - Detecting local intrusion or implementing counter-measures
The present disclosure describes systems and methods for detection and mitigation of malicious encryption. A security agent on an infected computing device may monitor data writes to disk, memory, or network transmission buffers for strings that may represent encryption keys or moduli. The security agent may apply one or more techniques to decode and parse the string to either identify or extract the keys, or rule out the string as containing an encryption key or modulus. If a key is identified, or its presence cannot be excluded, then the security agent may generate an alert and take mitigation actions.
A method and system for controlling access to an Internet resource is disclosed herein. When a request for an Internet resource, such as a Web site, is transmitted by an end-user of a LAN, a security appliance for the LAN analyzes a reputation index for the Internet resource before transmitting the request over the Internet. The reputation index is based on a plurality of factors for the Internet resource. A client application's access to the Internet resource can be allowed or denied based on the reputation index of the Internet resource.
Examples of the present disclosure describe systems and methods for a behavioral threat detection engine. In examples, the behavioral threat detection engine manages execution of one or more virtual machines, wherein each virtual machine processes a rule in relation to a context. The behavioral threat detection engine uses any of a variety of techniques to identify when events occur. Accordingly, the behavioral threat detection engine provides event indications, in the form of event packets, to one or more virtual machines, such that corresponding rules are able to process the events accordingly. Eventually, a rule may make a determination as to the presence or absence of a behavior. As a result, execution of the associated virtual machine may be halted, thereby indicating to the behavioral threat detection engine that a determination has been made. Thus, a behavioral threat detection engine employs a behavior-based approach to detecting malicious or potentially malicious behaviors.
Examples of the present disclosure describe systems and methods for monitoring the security privileges of a process. In aspects, when a process is created, the corresponding process security token and privilege information is detected and recorded. At subsequent “checkpoints,” the security token is evaluated to determine whether the security token has been replaced, or whether new or unexpected privileges have been granted to the created process. When a modification to the security token is determined, a warning or indication of the modification is generated and the process may be terminated to prevent the use of the modified security token.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
Methods and systems are provided for detecting a change in web content of a web page. In particular, executable instructions may be inserted into a web page such that a first fingerprint of the web page is created when viewed on a client device. The first fingerprint may then be compared to a previously created fingerprint to determine if the web page has been modified. The fingerprints may be based on one or more elements of the web page.
Aspects of the present disclosure relate to threat detection of executable files. A plurality of static data points may be extracted from an executable file without decrypting or unpacking the executable file. The executable file may then be analyzed without decrypting or unpacking the executable file. Analysis of the executable file may comprise applying a classifier to the plurality of extracted static data points. The classifier may be trained from data comprising known malicious executable files, known benign executable files and known unwanted executable files. Based upon analysis of the executable file, a determination can be made as to whether the executable file is harmful.
Examples of the present disclosure describe systems and methods for detecting and mitigating stack pivoting using stack artifact verification. In aspects, function hooks may be added to one or more functions. When a hooked function executes, artifacts relating to the hooked function may be left on the stack memory (“stack”). The location of the artifacts on the stack may be stored in a local storage area. Each time a hook in a hooked function is subsequently executed, protection may be executed to determine whether an artifact remains in the location stored in the local storage area. If the artifact is no longer in the same location, a stack pivot may be detected and one or more remedial actions may be automatically performed.
G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
Examples of the present disclosure describe systems and methods for evaluating malicious web content for associated threats using specialized web crawling techniques. A seed resource identifier is evaluated to determine a second resource identifier associated with the seed resource identifier. A resource corresponding to the second resource identifier is scanned to identify a third resource identifier. The third resource identifier is processed with a machine learning model to classify the third resource identifier according to a classification representing a predicted level of threat. The machine learning model is trained to classify resource identifiers into a plurality of classifications. A corrective action can be executed based on the classification of the third resource identifier.
Examples of the present disclosure describe systems and methods for behavioral threat detection definition compilation. In an example, one or more sets of rule instructions may be packaged for distribution and/or use by a behavioral threat detection engine. As an example, a set of rule instructions is compiled into an intermediate language and assembled into a compiled behavior rule binary. Event linking is performed, wherein other rules launched by the rule and/or events that launch the rule or are processed by the rule are identified, and such information may be stored accordingly. The behavior rule binary may be packaged with other rules associated with identifying a specific behavior. The packaged behavior rule is distributed to one or more computing devices for use with a behavioral threat detection engine. For example, the threat detection engine may execute the behavior rule using a rule virtual machine.
A firewall monitors network activity and stores information about that network activity in a network activity log. The network activity is analyzed to identify a potential threat. The potential threat is further analyzed to identify other potential threats that are related to the potential threat, and are likely to pose a future risk to a protected network. A block list is updated to include the potential threat and the other potential threats to protect the protected network from the potential threat and the other potential threats.
Examples of the present disclosure describe systems and methods for exploit detection via induced exceptions. One embodiment of a method can include generating an inspection point, the inspection point causing an exception when a set of software instructions encounters the inspection point during an execution of the set of software instructions by a processor; registering an exception handler to handle the exception associated with the inspection point; receiving, in response to the set of software instructions encountering the inspection point, an indication of an exception; accessing a context record associated with the execution of the set of software instructions; evaluating the context record to determine if an exploit is present using the first reputation information; and, based on a determination that an exploit is present, performing a corrective action for the exploit.
H04L 29/06 - Communication control; Communication processing characterised by a protocol
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
G06F 21/55 - Detecting local intrusion or implementing counter-measures
83.
Systems and methods for remote management of appliances
The present disclosure describes systems and methods for remote management of appliances. The appliance may be configured to periodically check in a predetermined online location for the presence of a trigger file identifying one or more appliances directed to contact a management server for maintenance. If the file is present at the predetermined location and the file includes the identifier of the appliance, the appliance may initiate a connection to the management server. If the file is not found, then the appliance may reset a call timer and attempt to retrieve the file at a later time. To avoid having to configure addresses on the appliance, link local IPv6 addresses may be configured for use over a virtual private network, allowing administration, regardless of the network configuration or local IP address of the appliance.
H04L 67/125 - Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks involving control of end-device applications over a network
Examples of the present disclosure describe systems and methods of providing real-time scanning of IP addresses. In aspects, input may be received by a real-time IP scanning system. The system may generate one or more work orders based on the input. A scanner associated with the system may access a work order and attempt to communicate with one or more devices identified by the work order. If the attempted communication with a device is successful, a protocol analyzer may be used to provide a predefined payload to the device. If the response from the device matches an expected string, the device may be determined to be a safe and/or legitimate device. If the response from the device does not match an expected string, the device may be determined to be a malicious device.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
Examples of the present disclosure describe systems and methods for determining exploit prevention software settings using machine learning. In aspects, exploit prevention software may be used to identify processes executing on a computing device. Metadata for the identified processes may be determined and transmitted to a machine learning system. The machine learning system may use an exploit prevention model to determine exploit prevention configuration settings for each of the processes, and may transmit the configuration setting to the computing device. The computing device may implement the configuration settings to protect the processes and monitor the stability of the protected processes as they execute. The computing device may transmit the stability data to the machine-learning system. The machine-learning system may then modify the exploit prevention model based on the stability data.
Methods, devices and computer program products facilitate the storage, access and management of log files that are associated with particular client devices. The log files provide a record of user or client device activities that are periodically sent to a data backup center. A dedicated log file server facilitates the processing and storage of an increasingly large number of log files that are generated by new and existing client devices. A storage server pre-processes the received log files to facilitate the processing and storage of the log files by the log file server. This Abstract is provided for the sole purpose of complying with the Abstract requirement rules. This Abstract is submitted with the explicit understanding that it will not be used to interpret or to limit the scope or the meaning of the claims.
G06F 16/00 - Information retrieval; Database structures therefor; File system structures therefor
G06F 3/06 - Digital input from, or digital output to, record carriers
G06F 11/14 - Error detection or correction of the data by redundancy in operation, e.g. by using different operation sequences leading to the same result
G06F 11/34 - Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation
Embodiments of systems and methods for DNS leak prevention and protection are disclosed herein. In particular, certain embodiments include a local DNS protection agent installed on a system and an associated trusted external DNS protection server. The DNS protection agent prevents DNS leaks from applications on the system such that all DNS requests from the system are confined to requests from the DNS protection agent to the associated DNS protection server. As the DNS leak prevention provided by the DNS protection agent stops applications on the system from circumventing the DNS protection server, all DNS requests originating from the system remain under the control of the DNS protection server and thus desired DNS protection (e.g., as implemented on the DNS protection server) may be maintained. Certain embodiments prevent applications from using certain DNS security protocols, such as DoH and DoT, without going through the DNS protection agent.
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directories; Network directories; Name-to-address mapping using standardised directory access protocols using domain name system [DNS]
H04L 67/60 - Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
88.
Systems and methods for secure file management via an aggregation of cloud storage services
The present disclosure describes systems and methods for aggregation and management of cloud storage among a plurality of providers via file fragmenting to provide increased reliability and security. In one implementation, fragments or blocks may be distributed among a plurality of cloud storage providers, such that no provider retains a complete copy of a file. Accordingly, even if an individual service is compromised, a malicious actor cannot access the data. In another implementation, fragments may be duplicated and distributed to multiple providers, such that loss of communications to any one provider does not result in inability to access the data. This implementation may be combined with error correction techniques to allow recovery, even with loss of multiple providers. File synchronization may also be faster in these implementations by dividing reading and writing operations among multiple providers.
G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
H04L 67/1095 - Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
G06F 16/178 - Techniques for file synchronisation in file systems
G06F 11/14 - Error detection or correction of the data by redundancy in operation, e.g. by using different operation sequences leading to the same result
89.
Behavioral threat detection definition and compilation
Examples of the present disclosure describe systems and methods for behavioral threat detection definition. In an example, a behavior rule comprising a set of rule instructions is used to define one or more events indicative of a behavior. For example, a set of events from which one event must be matched may be defined or a set of events from which all events must be matched may be defined. In some examples, events are matched based on an event name or type, or may be matched based on one or more parameters. Exact and/or inexact matching may be used. The set of rule instructions ultimately specifies one or more halt instructions, thereby indicating that a determination as to the presence of the behavior has been made. Example determinations include, but are not limited to, a match determination, a non-match determination, or an indication that additional monitoring should be performed.
Examples of the present disclosure describe systems and methods for a behavioral threat detection virtual machine. In examples, the virtual machine executes a rule comprising rule instructions. A rule may comprise one or more wait rule instructions that cause the virtual machine to pause execution. As events are added to an event queue for the rule virtual machine, the behavioral threat detection virtual machine evaluates such events in order to identify a positive or, in some instances, a negative match. When a matching event is identified, rule execution resumes. Eventually, a determination is made as a result of processing events and wait packets, thereby indicating the presence or absence of a malicious or potentially malicious behavior, among other examples. Thus, among other things, the behavioral threat detection virtual machine maintains a state associated with rule execution and processes events to identify behaviors accordingly.
Peer device protection enables a first device comprising a digital security agent to remedy security issues on (or associated with) a set of devices visible to the first device. In aspects, a first device comprising a digital security agent may identify a set of devices visible to the first device. The first device may monitor the set of devices to collect data, such as types of communications and data points of interest. The digital security agent may apply threat detection to the collected data to identify anomalous network behavior. When anomalous network behavior is detected, the first device may cause an indicator of compromise (IOC) to be generated. Based on the IOC, the first device may facilitate remediation of the anomalous network behavior and/or apply security to one or more devices in the set of devices.
Examples of the present disclosure describe systems and methods for state-based entity behavior analysis. In an example, entities of a computing environment may be represented using a hierarchical entity web. In some examples, an entity may have a state associated with it, which may be modeled using a place/transition (PT) network. Events within the computing environment may be evaluated by transitions of a PT network to determine whether an entity should change state. If an entity transitions from one state to another, one or more actions may be performed, including, but not limited to, taking a remedial action, generating a recommendation, and updating the state of one or more associated entities. Thus, aspects disclosed herein may provide a high-level overview of the state of entities of a computing environment, but may also be used to view in-depth information of entities at lower levels of the hierarchical entity web.
H04L 41/0853 - Retrieval of network configuration; Tracking network configuration history by actively collecting configuration information or by backing up configuration information
H04L 41/0893 - Assignment of logical groups to network elements
H04L 41/0816 - Configuration setting characterised by the conditions triggering a change of settings the condition being an adaptation, e.g. in response to network events
Examples of the present disclosure describe systems and methods for restricting access to application programming interfaces (APIs). For example, when a process calls an API, the API call may be intercepted by a security system for evaluation of its trustworthiness before the API is allowed to run. Upon intercepting an API call, the process calling the API may be evaluated to determine if the process is known to the security system, such that known processes that are untrusted may be blocked from calling the API. Further, when the security system cannot identify the process calling the API, the security service may evaluate a call stack associated with the call operation to determine if attributes of the call operation are known to the security system. If the call operation is known to the security system as untrusted, the call operation may be blocked from calling the API.
G06F 21/51 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
G06F 21/52 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure
G06F 11/36 - Prevention of errors by analysis, debugging or testing of software
97.
Statistical analysis of network behavior using event vectors to identify behavioral anomalies using a composite score
Examples of the present disclosure describe systems and methods for identifying anomalous network behavior. In aspects, a network event may be observed by network sensors. One or more characteristics may be extracted from the network event and used to construct an evidence vector. The evidence vector may be compared to a mapping of previously identified events and/or event characteristics. The mapping may be represented as one or more clusters of expected behaviors and anomalous behaviors. The mapping may be modeled using analytic models for direction detection and magnitude detection. One or more centroids may be identified for each of the clusters. A “best fit” may be determined and scored for each of the analytic models. The scores may be fused into a single binocular score and used to determine whether the evidence vector is likely to represent an anomaly.
The present disclosure relates to systems and methods for identifying highly sensitive modules and taking a remediation or preventative action if such modules are accessed by malicious software. For example, the likelihood that a module is used for an exploit, and is thus sensitive, is categorized as high, medium, or low. The likelihood that a module can be used for an exploit can dictate whether, and to what degree, an application accessing the module is “suspicious.” However, in some instances, a sensitive module may have legitimate reasons to load when used in certain non-malicious ways. The system may also consider a trust level when determining what actions to take, such that an application and/or user having a higher trust level may be less suspicious when accessing a sensitive module as compared to an application or user having a lower trust level.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 21/51 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
A protection module operates to analyze threats at the protocol level (e.g., at the HTML level) by intercepting all requests that a browser engine resident in a computing device sends and receives; the protection agent completes the requests without the help of the browser engine. The protection module then analyzes and/or modifies the completed data before the browser engine has access to it, for example to display it. After performing all of its processing, removing and/or adding code as needed, the protection module provides the HTML content to the browser engine. The browser engine receives responses from the protection agent as if it were speaking to an actual web server, when in fact the browser engine is speaking to an analysis engine of the protection module.
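The analyze-and-modify step described above, as an added example that is not the patent's code: the agent fetches the page on the browser's behalf (a constructed in-memory response stands in for the web server), rewrites the completed HTML to drop script-bearing elements, inline event handlers and javascript: URLs, and hands the result to the browser engine together with an audit trail of what was removed. The blocklists, the sample page and the function names are the example's own.

```python
"""Protocol-level (HTML) filtering of a completed response before the browser
engine sees it. Sample page and blocklists are constructed for the example."""
from html import escape
from html.parser import HTMLParser

BLOCKED_TAGS = {"script", "iframe", "object", "embed"}


class HtmlProtectionFilter(HTMLParser):
    """Re-serialises an HTML document while dropping active content.
    `out` collects the rewritten fragments, `removed` what was stripped."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.removed = []
        self._skip_depth = 0   # > 0 while inside a blocked element

    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if name.lower().startswith("on"):              # inline event handler
                self.removed.append(f"{tag}@{name}")
            elif value is not None and value.strip().lower().startswith("javascript:"):
                self.removed.append(f"{tag}@{name}")       # javascript: URL
            else:
                kept.append((name, value))
        # attribute values arrive unescaped from the parser; re-escape on output
        return "".join(f" {n}" if v is None else f' {n}="{escape(v, quote=True)}"'
                       for n, v in kept)

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_TAGS:
            self.removed.append(f"<{tag}>")
            self._skip_depth += 1
        elif self._skip_depth == 0:
            self.out.append(f"<{tag}{self._clean_attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        if tag in BLOCKED_TAGS:
            self.removed.append(f"<{tag}/>")   # self-closing: no content to skip
        elif self._skip_depth == 0:
            self.out.append(f"<{tag}{self._clean_attrs(tag, attrs)}/>")

    def handle_endtag(self, tag):
        if tag in BLOCKED_TAGS:
            if self._skip_depth:
                self._skip_depth -= 1
        elif self._skip_depth == 0:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip_depth == 0:
            self.out.append(data)

    def handle_entityref(self, name):
        if self._skip_depth == 0:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if self._skip_depth == 0:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.removed.append("<!--comment-->")  # comments are dropped, not forwarded

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


# Constructed upstream response standing in for the real web server.
UPSTREAM = {
    "http://example.test/": (
        '<!DOCTYPE html><html><head><title>Welcome</title>\n'
        '<script src="//evil.test/drop.js"></script></head>\n'
        '<body onload="beacon()"><p>Hello &amp; welcome</p>\n'
        '<a href="javascript:alert(1)">click</a><a href="/next?a=1&amp;b=2">next</a>\n'
        '<img src="logo.png"/><iframe src="//ads.test"></iframe></body></html>'
    )
}


def complete_request(url):
    """The agent completes the request itself (constructed data here; a real
    agent would perform the HTTP exchange without the browser engine)."""
    return UPSTREAM[url]


def protect_response(html_text):
    """Analyse and modify a completed response. Returns (clean_html, removed)."""
    f = HtmlProtectionFilter()
    f.feed(html_text)
    f.close()
    return "".join(f.out), f.removed


def serve_to_browser(url):
    """What the browser engine receives for `url`: already-filtered HTML."""
    return protect_response(complete_request(url))


if __name__ == "__main__":
    clean, removed = serve_to_browser("http://example.test/")
    print(clean)
    print("removed:", removed)
```

A blocklist of this kind is only a demonstration of where the rewrite sits in the pipeline; the point of the design is that the engine sees nothing until the analysis has finished, so whatever policy the analysis engine applies is enforced before rendering rather than raced against it.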
The present disclosure describes systems and methods for remote management of appliances. The appliance may be configured to periodically check a predetermined online location for the presence of a trigger file identifying one or more appliances directed to contact a management server for maintenance. If the file is present at the predetermined location and includes the identifier of the appliance, the appliance may initiate a connection to the management server. If the file is not found, the appliance may reset a call timer and attempt to retrieve the file at a later time. To avoid having to configure addresses on the appliance, link-local IPv6 addresses may be configured for use over a virtual private network, allowing administration regardless of the network configuration or local IP address of the appliance.
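The check-in loop and the addressing scheme above, as an added example that is not the patent's code: a timer-driven step that fetches the trigger file, resets the call timer, and connects only when the appliance's own identifier is listed, plus the derivation of a link-local IPv6 address from the appliance's MAC address (modified EUI-64, the form link-local addresses normally take). The trigger-file format (one identifier per line, # comments), the identifiers and the interval are assumptions of the example.

```python
"""Appliance check-in against a trigger file, and link-local IPv6 addressing.
File format, identifiers and timings are constructed for the example."""
import ipaddress


def parse_trigger_file(text):
    """Assumed format: one appliance identifier per line; blank lines and
    '#' comments are ignored. Returns the set of listed identifiers."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line)
    return ids


class CheckInTimer:
    """Periodic check of the predetermined location. `now` is in seconds."""

    def __init__(self, appliance_id, interval_s=300):
        self.appliance_id = appliance_id
        self.interval_s = interval_s
        self.next_call_at = 0

    def step(self, now, trigger_text):
        """One tick. `trigger_text` is the fetched file, or None when no file
        was present at the location. Returns the action the appliance takes."""
        if now < self.next_call_at:
            return "idle"
        # the call timer is reset whether or not the file was found
        self.next_call_at = now + self.interval_s
        if trigger_text is None:
            return "retry-later"
        if self.appliance_id in parse_trigger_file(trigger_text):
            return "connect"          # dial the management server
        return "not-targeted"


def link_local_from_mac(mac):
    """Modified EUI-64 link-local address for a MAC ('aa:bb:cc:dd:ee:ff' or
    with '-' separators): flip the U/L bit, insert ff:fe, prefix fe80::/64."""
    octets = bytearray(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    octets[0] ^= 0x02
    eui64 = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + eui64)


if __name__ == "__main__":
    timer = CheckInTimer("appl-00a1b2")          # constructed identifier
    print(timer.step(0, None))                    # file absent: retry later
    print(timer.step(300, "appl-ffffff\nappl-00a1b2  # patch window\n"))
    # Reachable over the VPN link as fe80::...%<tunnel interface>, whatever
    # address the appliance has on its local network.
    print(link_local_from_mac("00:11:22:33:44:55"))
```

Link-local addresses are valid only on the link they are used on, so on the tunnel interface the server addresses the appliance as fe80::…%tunN and never needs to know, or reconfigure, the appliance's site address. The abstract does not say how the trigger file is protected; in practice whoever can write to that predetermined location can decide when every appliance dials in, so the fetch should be authenticated and the file's contents verified before acting on them.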