A computer device and method are provided for detecting anomalies in a monitored computer system by classifying detected events using a machine learning model trained based on an activity log of events detected during an initial activity period. The machine learning model embeds logged events by generating a vector based on a tokenization of the logged event and a categorization of the logged event by a large language model. Events detected during the initial activity period are used to generate a profile of the monitored computer system. Events detected after the initial activity period are compared to the generated profile by a classifier of the machine learning model to classify each detected event as anomalous or normal.
A device and method are provided for protecting against malware attacks affecting a computer system. To do so, system operations are detected and categorized as benign, suspicious, or malicious. Suspicious actions are delayed and placed in a queue instead of being immediately executed. The process initiating the suspicious action is determined and the suspicious action is categorized as benign or malicious based on the initiating process. When the suspicious action is categorized as a benign action, the suspicious action is performed. Conversely, when the suspicious action is categorized as a malicious action, the suspicious process is terminated, and the malicious action is removed from the unperformed actions queue without performing the malicious action.
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
A device, method, and system are provided for improving user interactions with large language models (LLMs) by enhancing user queries. User queries are enhanced by retrieving if/then pairs from a database that are related to the user query. The query is matched to related if statements stored in the database and the then statements of the matched if statements are included with the query to generate improved answers from the LLM.
A computer system and method are provided for generating a brand registry and classifying content as real or fake based on the brand registry. The brand registry is formed by generating a representation of brand content by encoding indicators found in brand content as a vector, identifying clusters in the encoded brand content as separate brands, and determining brand indicators for each brand. Unknown content is classified as real or fake brand content by encoding the unknown content, finding as the most similar brand the brand in the brand registry having a cluster centroid closest to the encoded unknown content, and comparing representative indicators for the unknown content to brand indicators for the most similar brand.
A device, system, and method are provided for generating a network security policy automatically based on network traffic. The network security policy is generated by building a directional graph from the network traffic, with the nodes of the graph representing network end points, and the edges representing communication between two nodes on a communication channel. A feature vector is generated for each of the nodes and a graph neural network is applied to the feature vectors to generate output vectors. The output vectors are clustered using a cost function based on a weighted combination of a distance-based cost function and a network functionality cost function. The clusters generated from the output vectors are used to assign network security rules to each of the clusters.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
A system and method are provided for utilizing a service's Application Programming Interface (API) documentation, generating an OpenAPI specification for the API, enriching the OpenAPI specification with artificial intelligence (AI) generated explanatory notes, and integrating the enriched OpenAPI specification with an AI engine (e.g., a natural language model, large language model, etc.). This process may permit users to interact with the service through natural language.
A computer device (referred to as a processing engine), system, and method are provided for refactoring an original security policy using an artificial intelligence (AI) engine including a large language model (LLM). The processing engine parses policy data, converts the original security policy into a code representation, and sends the converted code representation to the AI engine. The AI engine analyzes the original security policy by applying the LLM to the code representation and identifies policy insights that are sent to the processing engine.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
A device and method for employing a machine learning model using processor circuitry to intelligently predict user permissions within a network environment and output a restriction recommendation for modifying user permissions.
A device and method for classifying network devices based on their manufacturer (also referred to as vendor or brand) and function (e.g., printer, car, thermostat, etc.). This classification process utilizes a trained model that leverages parameters associated with the device's network activity as input.
Methods and devices are provided for differentiating between benign DNS data and malicious DNS data included in DNS traffic using an autoencoder. The autoencoder receives input DNS data and is trained to successfully encode the input DNS data when the input DNS data is benign DNS data and to fail to encode the input DNS data when the input DNS data is malicious DNS data. The autoencoder is trained using a modified loss function having a large weight when successfully encoding malicious DNS data.
A method and system are provided for detecting malicious code using graph neural networks. A call graph is created from the computer code by identifying functions in the computer code and vectorizing the identified functions using a stream of application programming interfaces (APIs) called by the functions and using tokens generated for the functions using a byte pair tokenizer. A trained graph neural network (GNN) and a trained attention neural network are applied to the call graph to generate an output graph with each node representing a function and each node assigned weights based on a probability distribution of the maliciousness of the corresponding function. A graph embedding is generated by calculating a weighted sum of the assigned weights and a trained deep neural network is applied to the graph embedding to generate a malicious score for the computer code identifying the computer code as malicious or benign.
A device, system, and method are provided for detecting an email phishing attack by training a graph neural network to detect phishing emails based on hypertext markup language (HTML) tags and cascading style sheets (CSS) included in an email. Noise is added during the training of the graph neural network to make the trained graph neural network more robust against small changes in the training data.
H04L 29/06 - Communication control; Communication processing characterised by a protocol
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
13.
Techniques for securing services using inter-service visibility
A system and method for securing software as a service (SaaS) platforms by providing inter-service visibility. A method includes identifying, based on log data of a first service, a second service connected to the first service, wherein each of the first service and the second service is a set of functions for performing a respective task, wherein the second service is called by the first service; identifying a plurality of patterns in communications between the first service and the second service in the log data of the first service; creating, based on the identified plurality of patterns, a baseline for communications between the first service and the second service; detecting an anomalous communication between the first service and the second service, wherein the anomalous communication deviates from the baseline; and performing a mitigation action with respect to the detected anomalous communication.
A method and network gateway are provided for routing network traffic between internet service providers (ISPs) based on the dynamic communication quality of the ISPs. The dynamic communication quality of the ISPs is monitored and compared by processor circuitry of the network gateway. When a session-based connection is being transmitted on an ISP whose dynamic communication quality does not meet the required communication quality of the connection, the processor circuitry transitions the session-based connection to an ISP meeting the required communication quality of the connection.
G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
H04L 45/00 - Routing or path finding of packets in data switching networks
A method and device are presented for decreasing processing cycles spent forwarding packets of a communication from receive queues to at least one transmit queue of a network interface controller. When received, packets are placed into a receive queue based on property(ies) of a leading packet. Buffer metadata including transmit information is associated with each communication. Processor circuitry transfers the packets from each of the receive queues to a transmit queue and the buffer metadata is used to determine how to transmit the packet and how to process the packet before transmission.
A system, method, and device are provided for detecting and mitigating a storage attack at the block level by generating canary blocks by marking blocks of data (referred to as memory blocks) such that other programs do not modify these canary blocks that are monitored to detect data storage attacks that attempt to modify the canary blocks and/or by monitoring statistical and behavioral features of activities over blocks, whether they can be modified by other programs or not. The system and method also backup the memory blocks by backing up memory blocks as they are modified. When a data storage attack is detected, the attack is stopped, and the files are remediated using the backup of the affected memory blocks.
Disclosed herein are systems and methods for automatically mitigating potential network services attacks based on service usage patterns learned using Machine Learning (ML) comprising, collecting operational data indicative of resource utilization of one or more network services serving a plurality of connections and of a plurality of operational factors of the plurality of connections, detecting degradation of the network service(s) based on analysis of the operational data, applying trained ML model(s) to the operational data in order to identify negative operational factor(s) of one or more suspected connections to the network service estimated to induce the degradation where the one or more ML model is trained to predict an impact pattern induced by each of a plurality of operational factors on the resource utilization of the one or more network services, and disconnecting, at least temporarily, the suspected connection(s) from the network service(s).
09 - Scientific and electric apparatus and instruments
42 - Scientific, technological and industrial services, research and design
Goods & Services
Computer hardware in the field of internet and network security; computer hardware with embedded recorded computer software for protecting and securing computer systems and networks; computer hardware for protecting and securing computer systems and networks; downloadable computer software for protecting and securing computer systems and networks; downloadable computer software for inspecting electronic files to detect and prevent computer security attacks, computer and email viruses, spam, spyware, adware and malware.
Software as a service (SAAS) services featuring software for protecting and securing computer systems and networks; providing online, non-downloadable software for protecting and securing computer systems and networks; computer security services, namely, providing computer and information technology security services through the cloud, for protecting data and information from unauthorized access and for detecting and preventing computer and email viruses, spam, spyware, adware and malware; providing online, non-downloadable software for inspecting electronic files to detect and prevent computer security attacks, computer and email viruses, spam, spyware, adware and malware.
19.
Automatically generating security rules for a networked environment based on anomaly detection
A computer implemented method of automatically generating security rules for a networked environment based on anomalies identified using Machine Learning (ML), comprising receiving one or more feature vectors each comprising a plurality of operational parameters of a plurality of objects of a networked environment, identifying one or more anomaly patterns in the networked environment by applying one or more trained ML models to the one or more feature vectors, the ML models being trained to identify patterns deviating from normal behavior of the plurality of objects, parsing each anomaly pattern into a set of behavioral rules by traversing the anomaly pattern through a tree-like decision model, and generating one or more security rules for the networked environment according to the set(s) of behavioral rules, wherein the one or more security rules are applied to increase security of the networked environment.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
20.
Method for generating, sharing and enforcing network profiles for IoT devices
A method and system are provided for setting network policies based on electronic devices connected to a network. The electronic devices present on the network are detected and their behavior is captured using profiles. These profiles are then used to generate network policies based on the electronic devices connected to the network. Instead of reacting to behavior of the electronic devices (e.g., anomaly detection to detect malware), the method and system set the network policies to prevent unauthorized communications (e.g., before malware is present in the system).
Provided herein are systems, devices and methods for opening a connection in a gateway of a cloud based network for a client device connected via two different network links to the gateway and to a Software Defined Perimeter (SDP) controller of a cloud based network. The SDP controller may receive a request from a client device to connect to a gateway of the cloud based network, generate a one-time SPA key for the client device (after authenticated), transmit the SPA key to the gateway, and transmit, via the first network link, the SPA key to the client device. The client device may transmit the SPA key to the gateway via the second network link and the gateway may be configured to open a connection for the client device via the second network link in case the SPA key is valid.
Provided herein are systems and methods for configuring a segmented cloud based network based on separate Internet Protocol (IP) segments, comprising receiving instructions to create one or more additional private virtual networks as respective additional segments in a multi-tenant multi-regional cloud based network segmented to a plurality of segments each mapped by a respective IP address range, calculating one or more non-conflicting new IP address range based on analysis of the IP address range of each of the segments, allocating a respective new IP address range to each additional segment, and deploying automatically one or more gateways. The gateways are configured to connect one or more client devices to the additional segment(s) by assigning each client device an IP address in the respective new IP address range and routing network packets between the client devices and the respective additional segment according to mapping of the respective new IP address range.
09 - Scientific and electric apparatus and instruments
16 - Paper, cardboard and goods made from these materials
42 - Scientific, technological and industrial services, research and design
Goods & Services
Software and/or applications incorporated into computers and/or network systems used in data networks to control network traffic flow, establish trusted links over the network and/or Internet, prevent network attacks (as opposed to physical attacks and/or theft) and to integrate various technologies into a uniform network security policy, sold primarily through value added resellers and system integrators, computer and network equipment providers, telecommunications and Internet service providers; excluding software and/or applications incorporated into machines and apparatus for use in currency exchange, cash dispensing and other financial transactions, automatic teller machines and parts and fittings therefor.
Printed matter in the form of catalogs, brochures, instructional and technical manuals concerning computer software intended to protect computer systems from unauthorized access via computer networks, but excluding credit cards, debit cards, charge cards, top-up cards and money transfer cards.
Design, implementation and maintenance of computer software for Internet service providers and telecommunications companies for managing network infrastructure, traffic management, IP management and for computer software to protect systems from unauthorized access.
Methods and systems are provided for protecting DNS traffic locally on an electronic device (e.g., a smart phone) by capturing DNS traffic from network traffic transmitted from the device and ensuring the DNS traffic is routed to a trusted DNS server via a prescribed transmission protocol.
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols; using domain name system [DNS]
25.
Systems and methods for the efficient detection of improperly redacted electronic documents
A method is provided for identifying improperly redacted information in documents. The documents are analyzed to detect redacted areas and text elements and to identify an intersection between a redacted area and a text element. When an area of the intersection is greater than an intersection threshold, the document is identified as containing improperly redacted information.
A method and system are provided for setting network policies based on electronic devices connected to a network. The electronic devices present on the network are detected and their behavior is captured using profiles. These profiles are then used to generate network policies based on the electronic devices connected to the network. Instead of reacting to behavior of the electronic devices (e.g., anomaly detection to detect malware), the method and system set the network policies to prevent unauthorized communications (e.g., before malware is present in the system).
09 - Scientific and electric apparatus and instruments
16 - Paper, cardboard and goods made from these materials
41 - Education, entertainment, sporting and cultural services
42 - Scientific, technological and industrial services, research and design
Goods & Services
Computer hardware and computer software in the field of internet and network security; computer software and hardware with embedded technology designed to protect and secure computer systems and networks; computer software for protecting and securing computer systems and networks; computer software for inspecting electronic files to detect and prevent computer security attacks, phishing, computer and email viruses, spam, spyware, adware and malware.
Printed matter; instructional and technical manuals; datasheets; product documentation; training materials; catalogues; brochures.
Provision of training; provision of training courses; provision of training programs in the field of cyber security; educational services; arranging of educational conferences; conducting of educational seminars; teaching; arranging and conducting of workshops, tutorials, seminars and conferences; arranging professional workshop and training courses; consultancy relating to arranging and conducting of training workshops; arranging and conducting of workshops and seminars in the field of internet and network security; providing of training and further training; personal development training; vocational training; providing of training and education; providing online training; providing online training seminars; providing online information in the field of training.
Software as a service (SAAS) services featuring software for protecting and securing computer systems and networks; providing online, non-downloadable software for protecting and securing computer systems and networks; providing computer and information technology security services through the cloud; providing online, non-downloadable software for inspecting electronic files to detect and prevent computer security attacks, phishing, computer and email viruses, spam, spyware, adware and malware.
28.
Methods and system for packet control and inspection in containers and meshed environments
An instantiated application includes both a runtime instantiation of an application image and an administrative service operable to install in the instantiated application at least one security module during runtime of the instantiated application in a container. Prior to runtime, a design time agent can access the application image in a repository, examine the application image, and, based on the examination, add at least one security module to the application image prior to instantiation. During runtime, a runtime agent can query parameters of the container, such as static and dynamic variables available on the machine on which the container is running. The runtime agent processes these parameters in conjunction with predefined rules to determine an action such as starting, stopping, adding, and/or changing the security module, such as the method of packet inspection.
An automated method executed by circuitry is provided for monitoring a software platform including multiple pods that manage, deploy, and execute microservices. The method uses monitoring pods at locations of interest in the software platform to label transactions that pass through the monitoring pods. The labels applied to the transactions are sent to a security program for review.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
G06F 21/55 - Detecting local intrusion or implementing counter-measures
09 - Scientific and electric apparatus and instruments
16 - Paper, cardboard and goods made from these materials
41 - Education, entertainment, sporting and cultural services
42 - Scientific, technological and industrial services, research and design
Goods & Services
(1) Computer hardware and computer software in the field of internet and network security; computer software and hardware with embedded technology designed to protect and secure computer systems and networks; computer software for protecting and securing computer systems and networks; computer software for inspecting electronic files to detect and prevent computer security attacks, phishing, computer and email viruses, spam, spyware, adware and malware.
(2) Printed publications, namely course materials, manuals, precedents and case digests, books, newsletters, brochures, reference guides in the field of cybersecurity; instruction materials in the field of cybersecurity; datasheets; product documentation in the field of cybersecurity; training materials in the field of cybersecurity; catalogues; brochures
(1) Educational services, namely, development and provision of educational courses in the field of cybersecurity; provision of training programs in the field of cyber security; educational services in the form of seminars, webinars, conferences, and workshops in the field of cybersecurity; teaching programs in the field of cybersecurity; arranging and conducting of workshops, tutorials, seminars and conferences in the field of cybersecurity; arranging professional workshop and training courses in the field of cybersecurity; consultancy relating to arranging and conducting of training workshops in the field of cybersecurity; arranging and conducting of workshops and seminars in the field of internet and network security; arranging of training in the field of cybersecurity; providing of training in the fields of personal development and professional development; providing online training in the field of cybersecurity; providing online training seminars in the field of cybersecurity; providing online information in the field of cybersecurity training
(2) Software as a service (SAAS) services featuring software for protecting and securing computer systems and networks; providing online, non-downloadable software for protecting and securing computer systems and networks; cloud services in the nature of monitoring of the condition and status of computer systems for security purposes; cloud services in the nature of monitoring of computer systems for detecting unauthorized access or data breach; cloud-based data protection services; cloud-based computer security services for the prevention and resolution of email and web-based cyberattacks; providing online, non-downloadable software for inspecting electronic files to detect and prevent computer security attacks, phishing, computer and email viruses, spam, spyware, adware and malware
31.
Implementing a multi-regional cloud based network using network address translation
Provided herein are systems, devices and methods for applying address translation to network traffic originating from client devices having dynamic Internet Protocol (IP) addresses to support IP based security measures using a gateway configured to connect a plurality of client devices used by a plurality of users to a plurality of cloud based networks. The gateway may receive, from a client device assigned a dynamic IP address, credentials of a user using the respective client device, access a translation record mapping the user, identified by his credentials, to a respective unique static IP address, adjust a source address of each packet received from the client device to include the static IP address, and forward each adjusted packet to a security engine configured to apply security policy(s) to each adjusted packet before transmitting it to the cloud based network(s). The security policy(s) is applied according to the static IP address.
G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
H04L 61/2503 - Translation of Internet protocol [IP] addresses
H04L 29/06 - Communication control; Communication processing characterised by a protocol
H04L 12/66 - Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
32.
Unification of data flows over network links with different internet protocol (IP) addresses
Provided herein are systems, devices and methods for opening a connection in a gateway of a cloud based network for a client device connected via two different network links to the gateway and to a Software Defined Perimeter (SDP) controller of a cloud based network. The SDP controller may receive a request from a client device to connect to a gateway of the cloud based network, generate a one-time SPA key for the client device (after authenticated), transmit the SPA key to the gateway, and transmit, via the first network link, the SPA key to the client device. The client device may transmit the SPA key to the gateway via the second network link and the gateway may be configured to open a connection for the client device via the second network link in case the SPA key is valid.
Provided herein are systems and methods for configuring a segmented cloud based network based on separate Internet Protocol (IP) segments, comprising receiving instructions to create one or more additional private virtual networks as respective additional segments in a multi-tenant multi-regional cloud based network segmented to a plurality of segments each mapped by a respective IP address range, calculating one or more non-conflicting new IP address ranges based on analysis of the IP address range of each of the segments, allocating a respective new IP address range to each additional segment, and deploying automatically one or more gateways. The gateways are configured to connect one or more client devices to the additional segment(s) by assigning each client device an IP address in the respective new IP address range and routing network packets between the client devices and the respective additional segment according to the mapping of the respective new IP address range.
09 - Scientific and electric apparatus and instruments
16 - Paper, cardboard and goods made from these materials
41 - Education, entertainment, sporting and cultural services
42 - Scientific, technological and industrial services, research and design
Goods & Services
Computer hardware for use in the field of internet and network security; Downloadable or recorded computer software for protection, detection, and prevention of threats in the field of Internet and network security; Downloadable or recorded computer software for protecting and securing computer systems and networks; Downloadable or recorded computer software for protecting and securing computer systems and networks; Computer hardware with embedded technology designed to protect and secure computer systems and networks; Downloadable or recorded computer software for inspecting electronic files to detect and prevent computer security attacks, phishing, computer and email viruses, spam, spyware, adware and malware.
Printed matter, namely, paper signs and manuals in the field of cyber security; Printed matter, namely, instructional and technical manuals in the field of cyber security; Printed matter, namely, datasheets in the field of cyber security; Printed matter, namely, product documentation in the nature of informational product flyers in the field of cyber security; Printed training materials in the field of cyber security; Printed catalogues in the field of cyber security; Printed brochures about cyber security.
Training services, namely, provision of training in the field of cyber security; Provision of training courses, namely, arranging and conducting of training courses in the field of cyber security; Provision of training programs, namely, arranging and conducting of training programs in the field of cyber security; Educational services, namely, providing classes, seminars, non-downloadable webinars and workshops in the field of cyber security; Arranging of educational conferences in the field of cyber security; Conducting of educational seminars in the field of cyber security; Teaching in the field of cyber security; Arranging and conducting of workshops, tutorials, seminars and conferences in the field of cyber security; Arranging professional workshop and training courses in the field of cyber security; Providing of training and further training in the field of cyber security; Training services in the field of personal development; Vocational training, namely, vocational education in the field of cyber security; Educational services, namely, providing of training and education classes in the field of cyber security; Providing online training courses, workshops in the field of cyber security; Providing online training seminars in the field of cyber security; Providing online information in the field of cyber security training.
Software as a service (SAAS) services featuring software for protecting and securing computer systems and networks; providing online, non-downloadable software for protecting and securing computer systems and networks; Computer security services, namely, providing computer and information technology security services through the cloud in the nature of access control, policy management, threat detection, threat prevention, security forensics, machine learning visualization, misconfiguration detection, and enforcement of security best practices and compliance frameworks; providing online, non-downloadable software for inspecting electronic files to detect and prevent computer security attacks, phishing, computer and email viruses, spam, spyware, adware and malware.
35.
System and method to detect and prevent Phishing attacks
Detecting and preventing phishing attacks in real time protects users from feeding sensitive data to phishing sites, educates users about credential theft, and protects enterprise credentials. A requested document traversing a gateway is embedded with a detection module. When a user accesses the document, the embedded detection module is executed in the context of the document, checks whether the document is prompting the user for sensitive information, determines whether the document is part of a phishing attack, and initiates mitigation, warning, and/or education techniques.
An instantiated application includes both a runtime instantiation of an application image and an administrative service operable to install at least one security module in the instantiated application during its runtime in a container. Prior to runtime, a design time agent can access the application image in a repository, examine the application image, and, based on that examination, add at least one security module to the application image prior to instantiation. During runtime, a runtime agent can query parameters of the container, such as static and dynamic variables available on the machine on which the container is running. The runtime agent processes these parameters in conjunction with predefined rules to determine an action such as starting, stopping, adding, and/or changing the security module, such as the method of packet inspection.
Methods and systems utilizing sandbox outputs for files, such as dynamic file analysis (DFA) reports, regardless of size, to automatically create rules. From these rules, the maliciousness of the file is determined, and if the file is malicious, i.e., malware, the malware is classified into malware families.
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
G06N 7/02 - Computing arrangements based on specific mathematical models using fuzzy logic
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
38.
Methods and systems for identifying malware enabled by automatically generated domain names
Computerized methods and systems identify malware enabled by automatically generated domain names. An agent executes a malware, in a controlled environment, at a first temporal input value and a second temporal input value. A first set of domain names is generated in response to the execution at the first temporal input value. A second set of domain names is generated in response to the execution at the second temporal input value. The agent compares the first set of domain names with the second set of domain names to produce a comparison output metric.
H04L 61/3015 - Name registration, generation or assignment
H04L 61/4511 - Network directories; Name-to-address mapping; using standardised directory access protocols; using domain name system [DNS]
39.
Method and system for reducing false positives in web application firewalls
Computerized methods and systems reduce the false positive rate of Web Application Firewalls (WAFs), by operating automatically and utilizing system defined “trusted sources”.
Methods and systems process cryptographically secured connections by a gateway between a client and a server. Upon receiving TCP and TLS/SSL handshakes associated with a client side connection, from a client (client computer) to the gateway, a probing connection is established. The probing connection completes the handshakes, and based on the completion of the handshakes, the gateway renders a decision to bypass, block or inspect the connections between the client and the server, allowing or not allowing data to pass through the connections between the client and the server.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols; including means for verifying the identity or authority of a user of the system
41.
Online assets continuous monitoring and protection
The present invention relates to a method and system for monitoring webpages for detecting malicious contents. According to a preferred embodiment the method comprises A) providing a plurality of URLs provided by a subscriber, employing a crawler to visit a URL webpage of said plurality of URLs; B) retrieving an object from said URL webpage by said crawler; C) analyzing said object retrieved by said crawler from said URL webpage, and determining whether said object retrieved is malicious or not; and D) alerting the subscriber, when said retrieved object is deemed malicious. According to one embodiment, the method further comprises E) employing a crawler to visit a URL webpage of a following URL of the plurality of URLs, when the determination of step C) is deemed not malicious; and F) returning to step B).
Computerized methods and systems determine an entry point or source of an attack on an endpoint, such as a machine, e.g., a computer, node of a network, system or the like. These computerized methods and systems utilize an attack execution/attack or start root, to build an attack tree, which shows the attack on the end point and the damage caused by the attack, as it propagates through the machine, network, system, or the like.
Methods and systems provide for detecting exploitation of kernel vulnerabilities which typically corrupt memory. The methods and systems are implemented, for example, via a host, which includes a hypervisor, which controls the operating system (OS) user space and the OS kernel space.
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
G06F 9/48 - Program initiating; Program switching, e.g. by interrupt
G06F 21/52 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure
44.
Digital MDR (managed detection and response) analysis
A method for detecting an occurrence of an online event including retrieving a data item from online sources; forming a list by tagging words and/or strings within the data item according to predefined attributes such that the list includes the words and/or strings with their corresponding attributes; forming sequence items relating to the list according to a predefined criterion such that each sequence item includes at least the list and optionally additional preformed lists that have been formed in the same manner as the list and that have a shared concept with the list according to the predefined criterion; running each of the sequence items in a preformed machine learning classifying model that outputs a determination if there is an occurrence of the online event or not. The present invention further relates to generating the machine learning classifying model. The present invention also relates to a corresponding system.
Methods performed by a system on a computer device, such as a smart phone, i.e., locally, for protecting against network-based attacks. These methods inspect all traffic to every application and web browser on the device.
09 - Scientific and electric apparatus and instruments
42 - Scientific, technological and industrial services, research and design
Goods & Services
(1) Computer hardware and computer software in the field of internet and network security; computer software and technology embedded in hardware designed to protect and secure computer systems and networks; computer software for protecting and securing computer systems and networks; computer software for inspecting electronic files to detect and prevent computer security attacks, computer and email viruses, spam, spyware, adware and malware
(1) Software as a service (SAAS) services featuring software for protecting and securing computer systems and networks; providing online, non-downloadable software for protecting and securing computer systems and networks; cloud-based computer security services for the prevention and resolution of email and web-based cyberattacks; providing online, non-downloadable software for inspecting electronic files to detect and prevent computer security attacks, computer and email viruses, spam, spyware, adware and malware
47.
Anti-malware detection and removal systems and methods
An anti-malware system including at least one database, remote from a plurality of computers to be protected, which stores identification of computer applications resident on the computers to be protected and an application-specific communications footprint for the computer applications, and at least one server, remote from the plurality of computers to be protected, and being operative to calculate a reference computer-specific communications composite pattern based on multiple application-specific communications footprints for applications installed on the computers to be protected, calculate a current computer-specific communications composite pattern based on actual communications of at least one of the plurality of computers to be protected, and provide an alert when the current computer-specific communications composite pattern of the at least one of the plurality of computers to be protected differs from the reference computer-specific communications composite pattern of the at least one of the plurality of computers to be protected.
A cloud security assessment (CSA) system configured to identify and remedy a workflow executing in a cloud web service environment is provided. The CSA system includes a network interface configured to connect the CSA system to the cloud web service environment, wherein the cloud web service environment is defined by a cloud account; and a processor in operative communication with the cloud web service environment configured to receive a cloud account compliance rule for the cloud account in a structured near natural language, the compliance rule being applied by the CSA system on at least an instance of the cloud web service environment, wherein the processor is further configured to perform a remediation action based on a policy of the cloud account upon determination of a violation of the compliance rule.
Transparently identifying users using a shared VPN tunnel uses an innovative method to detect a user of a shared VPN tunnel, after authenticating the user, using an assigned userid (that may be a virtual IP). The virtual IP is used as a cookie in each request made by the user. This cookie is an authentication token used by the gateway to detect the user behind a specific request for an Internet resource (such as an http/s request). The cookie is stripped by the gateway so the cookie is not sent to the resource.
Disclosed are methods and systems for detecting malware and potential malware based on using generalized attack trees (generalized attack tree graphs). The generalized attack trees are based on attack trees (attack tree graphs), whose objects, such as links and vertices, have been analyzed, and some of these objects have been generalized, resulting in the generalized attack tree of the invention.
A method for monitoring access of users to Internet SaaS applications includes the CISO (company Internet security office) in the configuration and operation of the method, instead of relying only on whatever security the SaaS application implements. Certificates, not accessible to users, are pushed to a user's client. When an access request is received from a client by an application, a gateway requests from the client the certificate. After a notification and approval process with the user, a received certificate is verified, user access to the application is allowed or denied, and the CISO notified of the attempted access.
H04L 29/00 - Arrangements, apparatus, circuits or systems, not covered by a single one of groups
H04L 29/06 - Communication control; Communication processing characterised by a protocol
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols; including means for verifying the identity or authority of a user of the system
53.
Key exchange and mutual authentication in low performance devices
Securely exchanging keys to establish secure connections to low powered connected devices (LPCDs), such as smart devices and IoT (Internet of Things) devices, and mutual authentication between these devices and third party (3P) controllers, is accomplished via a higher performance machine configured with a dedicated remote service (DRS). A known symmetric pre-shared key (PSK) is used to establish a secure first connection between the LPCD and the DRS using another symmetric key. The DRS can then use asymmetric key exchange to securely send a new symmetric key to the 3P, and send the same new symmetric key to the LPCD using the secure first connection. This enables LPCDs to securely establish secure communications with other devices, in particular for control by 3P devices. This also allows authentication of the LPCD with cloud services, and enables a DRS to vouch for associated devices to other DRSs.
H04L 29/06 - Communication control; Communication processing characterised by a protocol
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols; including means for verifying the identity or authority of a user of the system
55.
Automatic establishment of a VPN connection over unsecure wireless connection
System and method for automatically establishing a Virtual Private Network (VPN) link between a mobile device and a VPN server over an unsecure wireless network, comprising, at the mobile device, detecting an attempt to establish a wireless connection to the internet via an unsecure wireless network, probing the unsecure wireless network to determine accessibility over the unsecure wireless network to a VPN server, automatically initializing, based on the determination, a VPN client, the VPN client being executed to establish a VPN link between the mobile device and the VPN server over the unsecure wireless network, directing network traffic of the mobile device through the VPN link, and automatically terminating the VPN client when the mobile device disconnects from the unsecure wireless network.
Computerized methods and systems inspect data packets received from a web server for the presence of a value from a list of prohibited values. If a prohibited value is absent, a gateway injects at least one JavaScript code segment for execution by a web browser. The at least one JavaScript code segment includes a plurality of JavaScript functions which include at least one security analysis JavaScript function and a plurality of modified JavaScript functions. Each of the modified JavaScript functions is created from a respective native JavaScript function to include at least one code segment that when executed inspects for at least one of: a dynamic modification of at least one JavaScript function from a prohibited list of JavaScript functions, a dynamic creation of at least one JavaScript function from the prohibited list of JavaScript functions, or a dynamic reference to a value from the list of prohibited values.
A method for introducing a replacement code segment over-the-air through a wireless mobile communication network to an existing code resident on a mobile terminal: identifying the mobile terminal from among terminals served through the wireless mobile communication network; sending a push notification through the network to the mobile terminal, the push notification indicative of the replacement code segment ready for downloading; activating a dynamic update module resident in the mobile terminal, in response to the push notification; sending a request for the replacement code segment; downloading the replacement code segment to the mobile terminal; and transferring the downloaded replacement code segment to the dynamic update module for dynamic replacement of a corresponding old code segment within the mobile terminal with the replacement code segment, obviating a need to recompile the existing code.
H04L 29/06 - Communication control; Communication processing characterised by a protocol
H04L 29/08 - Transmission control procedure, e.g. data link level control procedure
H04L 9/16 - Arrangements for secret or secure communications; Network security protocols; using a plurality of keys or algorithms; the keys or algorithms being changed during operation
H04W 12/02 - Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
58.
Method and system for creating and receiving neutralized data items
Computerized methods and systems receive neutralized data items on a first entity from a second entity over a network by receiving a first data item from the second entity. A security protocol that applies rules and policies is applied to the first data item to create a second data item that is a neutralized version of the first data item. The first data item and the second data item are converted into comparable forms. The second data item is analyzed against the first data item by comparing the comparable forms to form at least one comparison measure. The second data item is received on the endpoint if the at least one comparison measure satisfies a threshold criterion. The security protocol is modified to adjust the applied rules and policies if the at least one comparison measure does not satisfy the threshold criterion.
Computerized methods and systems mitigate the effect of a ransomware attack on an endpoint by detecting access events associated with requests by processes, including ransomware processes, to access data items on the endpoint. The data items are hidden from the operating system processes executed on the endpoint. In response to detecting an access event, an action is taken against the process associated with the access event.
Client-less methods and systems destroy/break the predictive layout of, for example, a client computer memory. The methods and systems operate by injecting a library that manipulates the client computer memory during exploitation attempts.
Methods and systems provide mechanisms for inspection devices, such as firewalls and servers and computers associated therewith, to selectively manipulate files, for which a download has been requested. The manipulation is performed in a manner which is transparent to the requesting user.
Computerized methods and systems determine summary events from an attack on an endpoint. The detection and determination of these summary events is performed by a machine, e.g., a computer, node of a network, system or the like.
Computerized methods and systems identify events associated with an attack initiated on an endpoint client. A listing of processes executed or created on the endpoint during the attack is obtained. The listing of processes includes a first process and at least one subsequent process executed or created by the first process. The computerized methods and systems analyze for the occurrence of at least one event during a time interval associated with the attack. The computerized methods and systems determine whether the listing of processes includes a process that, when executed, caused the occurrence of the at least one event. If the listing of processes excludes a process that, when executed, caused the occurrence of the at least one event, the at least one event and the causing process are stored, for example, in a database or memory.
Computerized methods and systems determine an initial execution of an attack on an endpoint. An indicator of the attack is obtained by analysis of a first process on the endpoint. A sequence of processes that includes the first process associates the initial execution of the attack with the first process. Each respective process in the sequence of processes is created or executed by at least one of the initial execution or a process in the sequence of processes. The initial execution is identified based on linking from the first process to the initial execution through a combination of executions and creations of the processes in the sequence of processes.
A method and system for on-demand authorization of access to protected resources are presented. The method comprises associating a primary user device with at least one secondary user device, the primary device having access privileges at a first degree of privilege; changing any access privileges assigned to the primary user device for accessing protected resources to a lesser degree of privilege; and reinstating the access privileges of the primary user device to the first degree of privilege, upon receiving a verification message from the at least one secondary user device.
Computerized methods and systems detect unauthorized and potentially malicious, as well as malicious, records, typically in the form of electronic forms, such as those where users input information (into input blocks or fields), such as bank and financial institution electronic forms and the like. Should such an unauthorized form be detected, the detection causes protective action to be taken by the computer on whose browser the unauthorized form has been rendered.
Methods and systems for protecting components of a linked vehicle from cyber-attack are disclosed. These methods and systems comprise elements of hardware and software for receiving a packet; tunneling the packet to a terrestrial-based security service, analyzing whether the packet is harmful to a component in the vehicle, and at least one action to protect at least one component.
Methods and systems for the detection of receipt of potentially malicious web content by a web client are disclosed. These methods and systems comprise elements of hardware and software for obtaining a sandbox environment on a server, wherein the sandbox is configured according to the system characteristics of the client device, emulating web requests and responses of the web client in the sandbox, and analyzing the behavior of components in the sandbox during processing of received web content.
Methods and systems for mitigating cyber attacks on components of an automotive communication system are disclosed. These methods and systems comprise elements of hardware and software for receiving a frame; determining whether the frame potentially affects correct operation of an automotive component; and, taking protective action.
Methods and systems provide mechanisms for inspection devices, such as firewalls and servers and computers associated therewith, to modify HTTP requests, without requiring the inspection device to terminate the connections at the TCP (Transport Control Protocol) level, as occurs with contemporary web proxies, e.g., web proxy servers—either explicit or implicit proxies.
An anti-malware system including at least one database, remote from a plurality of computers to be protected, which stores identification of computer applications resident on the computers to be protected and an application-specific communications footprint for the computer applications, and at least one server, remote from the plurality of computers to be protected, and being operative to calculate a reference computer-specific communications composite pattern based on multiple application-specific communications footprints for applications installed on the computers to be protected, calculate a current computer-specific communications composite pattern based on actual communications of at least one of the plurality of computers to be protected, and provide an alert when the current computer-specific communications composite pattern of the at least one of the plurality of computers to be protected differs from the reference computer-specific communications composite pattern of the at least one of the plurality of computers to be protected.
Data access optimization features the innovative use of a writer-present flag when acquiring read-locks and write-locks. Setting a writer-present flag indicates that a writer desires to modify a particular data item. This serves as an indicator to readers and writers waiting to acquire read-locks or write-locks not to acquire a lock, but rather to continue waiting (i.e., spinning) until the writer-present flag is cleared. As opposed to conventional techniques in which readers and writers are not locked out until the writer acquires the write-lock, the writer-present flag locks out other readers and writers once a writer begins waiting for a write-lock (that is, sets a writer-present flag). This feature allows a write-lock method to acquire a write-lock without having to contend with waiting readers and writers trying to obtain read-locks and write-locks, as happens with conventional spinlock implementations.
Processing client requests for duplicate-free server operations is particularly useful for creating and sending items using Microsoft Exchange Web Services (EWS). The system facilitates avoiding creation and sending of duplicate items. In contrast to conventional implementations that send a single command to create and then perform subsequent processing of an item, a feature of the present embodiment is using two commands: a first command to create the item, and a second command to subsequently process the item. In a specific implementation, an EWS item's provided ChangeKey property is used to keep track of the EWS's reply from the server to the client, thereby avoiding duplicate item creation.
A method of inspecting content intended for a workstation to detect content that performs malicious exploits, including receiving the content for inspection at an inspection server using a processor and memory, loading a virtual machine at the inspection server with an operating system and processes for activating the content, wherein the operating system and processes are similar to those executed at the intended workstation, activating the content in the virtual machine, tracing activity of the virtual machine to form trace data by using features of the processor, wherein upon occurrence of an exception control is transferred to an analyzer that analyzes the trace data based on a context of the exception; and a notification is provided if suspicious activity is detected.
An anti-malware system including at least one database, remote from a plurality of computers to be protected, which stores identification of computer applications resident on the computers to be protected and an application-specific communications footprint for the computer applications, and at least one server, remote from the plurality of computers to be protected, and being operative to calculate a reference computer-specific communications composite pattern based on multiple application-specific communications footprints for applications installed on the computers to be protected, calculate a current computer-specific communications composite pattern based on actual communications of at least one of the plurality of computers to be protected, and provide an alert when the current computer-specific communications composite pattern of the at least one of the plurality of computers to be protected differs from the reference computer-specific communications composite pattern of the at least one of the plurality of computers to be protected.
A mobile communicator network routing decision system communicating with each mobile communicator device of a plurality of mobile communicator devices, the plurality of mobile communicator devices communicating with a network via at least one computerized network gateway server, the system including security risk calculation functionality operable for calculating a calculated malware-associated risk associated with each mobile communicator device, and security risk responsive decision functionality, operating in response to the calculated malware-associated risk, for ascertaining whether to allow the communicating of each mobile communicator device with the network via the computerized network gateway server.
H04L 29/06 - Communication control; Communication processing characterised by a protocol
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
82. Method for synchronized BGP and VRRP failover of a network device in a network
A network device which communicates with peers using Border Gateway Protocol (BGP) advertises to one or more peers a first Multi-Exit Discriminator (MED) when all sessions are in ‘established’ state, and a second MED when one or more sessions are in a non-‘established’ state. The second MED is higher than the first MED and higher than the MED advertised by the backup network device, causing peers to prefer the backup device. If the device is also configured for Virtual Router Redundancy Protocol (VRRP), when the device advertises the first MED, virtual routers are transitioned to ‘master’ state, and when the device advertises the second MED, virtual routers are transitioned to ‘backup’ state.
To defend a computer against malware, first executable code, of the computer, that includes a signature that identifies an address, in the computer's memory, of a respective data structure that is potentially vulnerable to tampering, is identified. The first executable code is copied to provide second executable code that emulates the first executable code using its own respective data structure. The first executable code is modified to jump to the second executable code before accessing the data structure, and also so that the signature identifies the address of a guard page.
A network component has a set of one or more rules, each of which has a match component and an action component. If an incoming packet maps to the match component of a rule, then the packet is handled according to the rule's action component. If the rule also includes a limit component, then if the packet maps to the rule's match component, a family history of the rule is updated, and the packet is handled according to the rule's action component only if the rule's family history satisfies the rule's limit component.
A plurality of untrusted digital files are run simultaneously in fewer sandboxes than there are files, while monitoring for malicious activity. Preferably, only one sandbox is used. If the monitoring detects malicious activity, either the files are run again in individual sandboxes, or the files are divided among subsets whose files are run simultaneously in one or more sandboxes, while monitoring for malicious activity.
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
To administer computer network security, a computer system receives a bit string that encodes a natural-language request for adjusting a security policy of the network and parses the bit string to identify one or more objects and an action to be applied to the object(s). Preferably, the system displays a description of one of the objects and a menu of operations that are applicable to the object, receives a user selection of one of the options, and effects the selected operation. The scope of the invention also includes a non-transient computer-readable storage medium bearing code for implementing the method and a system for implementing the method.
A security gateway of a computer network receives incoming packets at one or more network interfaces. One or more security functions are applied to the packets. Reports of security function violations are recorded. The reports include the source addresses of the packets, the times that the packets were received, and descriptions of the violations. The descriptions include weights, and if the sum of the weights, for packets of a common source address that are received within a first time interval, exceeds a threshold, subsequent packets from that source address are dropped. Alternatively, in a “monitor only” mode, the common source address is logged but packets are not dropped. Optionally, encrypted packets and/or packets received at some network interfaces but not at other network interfaces are not dropped.
A computer-readable storage medium has embedded thereon non-transient computer-readable code for controlling access to a protected computer network, by intercepting packets that are being exchanged between a computer system and the protected network, and then, for each intercepted packet, identifying the associated application that is running on the computer system, determining whether the application is trusted, for example according to a white list or according to a black list, and disposing of the packet accordingly.
42 - Scientific, technological and industrial services, research and design
Goods & Services
providing information updates on security threats to computer networks; providing online, non-downloadable software for detecting computer security attacks, computer and email viruses, spam, spyware, adware and malware; providing online, non-downloadable software for protecting computer networks from computer security attacks, computer and email viruses, spam, spyware, adware and malware; providing computer and information technology security services, namely, developing, updating, maintaining and providing online databases of illegitimate sources of electronic communications and sources of computer and email viruses, spam, spyware, adware and malware; providing security threat management systems, namely, monitoring and tracking of security vulnerabilities and problems in computer software products, the Internet, and computer networks.
91. Reducing false positives in data validation using statistical heuristics
To validate data, a plurality of strings that match a predetermined regular expression is extracted from the data. A validated subset of the strings is identified. To determine whether the validated subset has been falsely validated, it is determined whether the validated subset satisfies each of one or more predetermined criteria relative to the plurality of strings. In one embodiment, the subset is determined to be falsely validated if at least one of the criteria is satisfied. In another embodiment, the subset is determined to be falsely validated if all of the criteria are satisfied. The data are released only if the subset is determined to be falsely validated.
A method and system are provided for a scalable clustered system. The method and system may handle asynchronous traffic as well as session backup. In the method and system, a home cluster member having ownership of a local session predicts designation of another cluster member to receive a packet associated with the local session and sends appropriate state information or a forwarding instruction to the other cluster member.
Three heuristic layers are used to determine whether suspicious code received at a port of a data processing device is malware. First, static analysis is applied to the suspicious code. If the suspicious code passes the static analysis, disassembling analysis is applied to the suspicious code. Preferably, if the suspicious code passes the disassembling analysis, dynamic analysis is applied to the suspicious code.
To protect a user of a social network, the user's activity is monitored during a baseline monitoring period to determine a baseline activity record. If subsequently monitored activity of the user deviates sufficiently from the baseline activity record to indicate abuse (hijacking) of the user's account, the abuse is mitigated, for example by notifying the user of the abuse. Monitored activity includes posting links, updating statuses, sending messages, and changing a profile. Monitoring also includes logging times of the user activity. Monitoring anomalous profile changes does not need a baseline.
A system and method for protecting data communications in a system including a load-balancer connected to a cluster of security network components, e.g., firewall nodes. The load-balancer transfers one or more of the data streams respectively to the security components. The security network components transmit control information to the load-balancer, and the control information includes an instruction regarding balancing load of the data streams between said components. The load-balancer balances load based on the control information. Preferably, network address translation (NAT) is performed by the load-balancer based on the control information, or NAT is performed by the security network component and the control information includes information regarding an expected connection based on NAT. Preferably, when the data communications include an encrypted session, an encrypted connection of the encrypted session is identified based on the control information and the balancing of the load maintains stickiness of said encrypted connection.
Disclosed are methods, circuits, apparatus, systems and associated software applications for providing security on one or more servers, including virtual servers. A server operating system may include or be otherwise functionally associated with a firewall application, which firewall application may regulate IP port access to resources on the server. A port-tending agent or application (PorTender) running on the server, or on a functionally associated computing platform, may monitor and regulate server port status (e.g. opened, closed, and conditionally opened). The PorTender may initiate and engage in communication sessions with a policy server, from which policy server the PorTender may receive port, user and security policies and/or settings.
Disclosed are methods and media for inspecting security certificates. Methods include the steps of: scanning, by a network security device, messages of a security protocol between a server and a client system; detecting the messages having a security certificate; detecting suspicious security certificates from the messages; and aborting particular sessions of the security protocol associated with the suspicious certificates. Preferably, the step of scanning is performed only on messages of server certificate records. Preferably, the method further includes the step of sending an invalid-certificate notice to the server and the client system. Preferably, the step of detecting the suspicious certificates includes detecting a use of an incorrectly-generated private key for the certificates. Preferably, the step of detecting the suspicious certificates includes detecting an unavailability of revocation information for the certificates. Preferably, the step of detecting the suspicious certificates includes detecting a use of an invalid cryptographic algorithm for the certificates.
H04L 29/06 - Communication control; Communication processing characterised by a protocol
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
A data leak prevention application that categorizes documents by data type is provided, a data type being a sensitivity classification of a document based on what data the document contains. A scripting language processing engine is embedded into the data leak prevention application, the scripting language forming part of the application as hard code. A user configures interaction of the scripting language processing engine with the application. The configuring may include modifying or adding code or setting criteria for when code portions of the scripting language processing engine activates. The scripting language processing engine is activated to enhance an accuracy of an existing data type or so as to detect a new data type. Upon enhancing the accuracy of the data type, documents may be re-categorized.
Methods, devices, and media for intelligent NIC bonding and load-balancing including the steps of: providing a packet at an incoming-packet port of a gateway; attaching an incoming-port identification, associated with the incoming-packet port, to the packet; routing the packet to a processing core; passing the packet through a gateway processing; sending the packet, by the core, to the operating system of a host system; and routing the packet to an outgoing-packet port of the gateway based on the incoming-port identification. Preferably, the gateway processing includes security processing of the packets. Preferably, the step of routing the packet to the outgoing-packet port is based solely on the incoming-port identification. Preferably, an outgoing-port identification, associated with the outgoing-packet port, has an identical bond-index to the incoming-port identification. Preferably, the gateway includes a plurality of incoming-packet ports, a plurality of respective incoming-port identifications, a plurality of processing cores, and a plurality of outgoing-packet ports.