The technical solutions can provide a timely and consistent monitoring of SD-WAN by combining network topology data acquired via API calls with SD-WAN performance data gathered from one or more network communication protocols. A solution can include a system, having one or more processors coupled with memory to receive, responsive to BFD monitoring, BFD session data in a first format. The BFD session data can correspond to a tunnel between devices of a SD-WAN. The one or more processors can receive, responsive to IPFIX monitoring, flow metrics in a second format, the flow metrics corresponding to one or more flows of a network traffic traversing the tunnel. The one or more processors can aggregate the BFD session data and the flow metrics into aggregated metrics according to a third format and determine an action to take based at least on the aggregated metrics in the third format.
H04L 41/0631 - Gestion des fautes, des événements, des alarmes ou des notifications en utilisant l’analyse des causes profondesGestion des fautes, des événements, des alarmes ou des notifications en utilisant l’analyse de la corrélation entre les notifications, les alarmes ou les événements en fonction de critères de décision, p. ex. la hiérarchie ou l’analyse temporelle ou arborescente
H04L 41/40 - Dispositions pour la maintenance, l’administration ou la gestion des réseaux de commutation de données, p. ex. des réseaux de commutation de paquets en utilisant la virtualisation des fonctions réseau ou ressources, p. ex. entités SDN ou NFV
H04L 43/0876 - Utilisation du réseau, p. ex. volume de charge ou niveau de congestion
H04L 43/10 - Surveillance active, p. ex. battement de cœur, utilitaire Ping ou trace-route
An embodiment of the present invention describes means by which a proxy can maintain visibility between a client and a server when the client initiates a Transport Layer Security connection with Encrypted Client Hello (ECH). The proxy uses intelligence data has the ability to identify connections between clients and servers that are utilizing the Encrypted Client Hello extension to Transport Layer Security (TLS) Protocol Version 1.3 and triggers the client to fallback to utilizing a new connection that does not utilize ECH. This preserves the proxy's ability to determine the true destination of the client and identify the risks and characteristics of the request and response and act based on the administrator's authored policy.
A device to detect a first piece of equipment of a plurality of pieces of equipment, identify a first node of a plurality of nodes that represents the first piece of equipment of the plurality of pieces of equipment, receive an identification of the first piece of equipment of the plurality of pieces of equipment, update a record to include the identification of the first piece of equipment of the plurality of pieces of equipment and an indication that the first node of the plurality of nodes represents the first piece of equipment of the plurality of pieces of equipment, determine that a second piece of equipment of the plurality of pieces of equipment is absent from a first section of the plurality of sections, and query one or more devices of a plurality of devices to identify the second piece of equipment of the plurality of pieces of equipment.
H04L 41/12 - Découverte ou gestion des topologies de réseau
H04L 41/0604 - Gestion des fautes, des événements, des alarmes ou des notifications en utilisant du filtrage, p. ex. la réduction de l’information en utilisant la priorité, les types d’éléments, la position ou le temps
H04L 41/22 - Dispositions pour la maintenance, l’administration ou la gestion des réseaux de commutation de données, p. ex. des réseaux de commutation de paquets comprenant des interfaces utilisateur graphiques spécialement adaptées [GUI]
Novel systems and methods for canvas sanitization are provided. In various embodiments, a system and method include: receiving a request to open a web page from a client device; replacing, via an agent, a first function with a second function, the agent being loaded to a browser; loading the web page from a web server to the browser; in response to an attempt to perform the first function on the web page, performing, via the browser, the second function corresponding to the first function to generate a drawing for a predetermined period of time; converting, via the agent, the drawing to an image; and transmitting the image to the client device. Other aspects, embodiments, and features are also claimed and described.
The systems and methods described provide a seamless end-to-end email delivery between secure email clusters without reliance on prior sharing of encryption keys or protocol configurations. The solution can receive a request to transmit an email to a recipient identified by a domain of the recipient. The solution can transmit a first query to a domain name service (DNS) to fetch one or more records corresponding to the domain of the recipient. The one or more records can identify a key service. The solution can receive, from the key service responsive to a second query to the key service, a key for encrypting the email. The solution can encrypt at least a portion of the email based at least on the key and transmit the encrypted email to the recipient.
Operations of a security device are provided herein. The operations may include receiving, via a first network interface, a network packet, and evaluating attributes of the received network packet against a ruleset to identify a first rule match, wherein the attributes comprise an identifier of the first network interface, a source address, and a destination address. The operations may further include comparing the attributes of the received network packet against a table listing one or more network devices associated with the first network interface or a second network interface. The operations may further include switching the attributes of the received network packet by changing the identifier of the first network interface to an identifier of the second network interface and swapping the source address and the destination address, and evaluating the switched attributes of the received network packet against the ruleset to identify a second rule match. The switched attributes of the received network packet may be compared against the table, and one of the first rule match or the second rule match may be selected based on the comparisons of the network packet attributes and the switched network packet attributes against the table. The received network packet may be processed according to the selected one of the first rule match or the second rule match.
Novel solutions for monitoring and analyzing networks in terms of the volatility of various devices. Some solutions consider a weighted set of metrics in determining such volatility. Evaluation of devices against peers in view of these factors can produce insight about network conditions.
H04L 43/0817 - Surveillance ou test en fonction de métriques spécifiques, p. ex. la qualité du service [QoS], la consommation d’énergie ou les paramètres environnementaux en vérifiant la disponibilité en vérifiant le fonctionnement
H04L 43/045 - Traitement des données de surveillance capturées, p. ex. pour la génération de fichiers journaux pour la visualisation graphique des données de surveillance
H04L 43/062 - Génération de rapports liés au trafic du réseau
8.
SYSTEMS AND METHODS FOR PRESERVING SYSTEM CONTEXTUAL INFORMATION IN AN ENCAPSULATED PACKET
In some embodiments, a computing system includes a communication interface; and a processor that is coupled to the communication interface. In some embodiments, least one of the communication interface or the processor receives a network packet from the network via a network adapter port; encapsulates the received network packet with a tunnel header, wherein the tunnel header comprises network identifier information identifying the network adapter port; addresses, based on the network identifier information, an outer Internet protocol (IP) header of the encapsulated network packet with an outer IP address corresponding to a network function in a first computing device; and sends the encapsulated network packet toward the network function identified by the outer IP address.
H04L 61/251 - Traduction d'adresses de protocole Internet [IP] entre versions IP différentes
H04L 67/1001 - Protocoles dans lesquels une application est distribuée parmi les nœuds du réseau pour accéder à un serveur parmi une pluralité de serveurs répliqués
H04L 69/167 - Adaptation pour la transition entre deux versions IP, p. ex. entre IPv4 et IPv6
H04L 69/22 - Analyse syntaxique ou évaluation d’en-têtes
9.
SYSTEMS OF AND METHODS FOR MANAGING TENANT AND USER IDENTITY INFORMATION IN A MULTI-TENANT ENVIRONMENT
A system and method for managing user identity information in a multi-tenant environment can perform operations including assigning a first address from an address pool for a first user session, storing first information for the first user session in the memory linked to the first address, and assigning a second address from the address pool for a second user session. The operations can also include storing second information for the second user session in the memory linked to the second address from the address pool for the second user session if the second address does not match a third address from the address pool for a third session in the memory, and forwarding communication data for the second user session after the second information has been stored.
Network rules established on a device can establish communication protocol between applications running on the device and interfaces connected to the device. For example, a network rule can establish which application(s) can access which interface(s), and when an application is not assigned to an interface, the application is not granted network access to the interface(s). In some instances, interfaces can be aggregated together to create an aggregation (e.g., link aggregation or a bridge aggregation), thus allowing the network rule to use the aggregation for multiple applications. An aggregation, such as a link aggregation, can be established as a shared rule that allows access to the interface by multiple applications. Alternatively, an aggregation, such as a bridge aggregation, can be established as a reserve rule that permits only a particular application, and no other application(s), access to the interface.
Aspects of the disclosure include replacing, by a DNS proxy in DNS responses, a cryptographic key associated with a client-facing server for an origin content server with another cryptographic key received from a TLS proxy. A device may encrypt an extension of a ClientHello message with the other cryptographic key, such that the encrypted ClientHello (ECH) extension can be decrypted by the TLS proxy. The TLS proxy can then allow or deny the connection using a TLS intercept policy and decrypted information in the ClientHello message, and if the TLS connection is allowed, re-encrypt the ECH with the cryptographic key in the DNS response for the client-facing server to decrypt for establishment of the TLS connection with the origin content server. To preserve selective intercept while using ECH, a TLS Intercept Policy may be used to decide whether the TLS proxy feeds an Application Layer Proxy.
The disclosed computer-implemented method for preparing a secure search index for securely detecting personally identifiable information may include (i) receiving, at a computing device, a dataset including a record, where the record has a field including a value describing personally identifiable information and (ii) performing, at the computing device, a security action. The security action may include (i) generating, using a perfect hash function, a respective hashed key from the value and (ii) adding, to the secure search index (a) the respective hashed key or (b) a subsequent hashed key created from the respective hashed key. Various other methods, systems, and computer-readable media are also disclosed.
G06F 21/62 - Protection de l’accès à des données via une plate-forme, p. ex. par clés ou règles de contrôle de l’accès
H04L 9/32 - Dispositions pour les communications secrètes ou protégéesProtocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
H04L 9/06 - Dispositions pour les communications secrètes ou protégéesProtocoles réseaux de sécurité l'appareil de chiffrement utilisant des registres à décalage ou des mémoires pour le codage par blocs, p. ex. système DES
09 - Appareils et instruments scientifiques et électriques
Produits et services
Computer software, namely, downloadable computer utility program for analyzing function and performance of other computer programs; server software, namely, downloadable computer utility program for analyzing function and performance of other computer programs
A method for securing cloud applications is described. The method may include establishing a connection between a cloud application isolation portal, a cloud access security broker, and a cloud application based on an indication of the cloud application and a set of credentials associated with an end user of the cloud application, and managing, via the cloud application isolation portal and the cloud access security broker, a session between the cloud application and a computing device associated with the end user based on the connection between the cloud application isolation portal with the cloud access security broker and the cloud application.
H04L 67/60 - Ordonnancement ou organisation du service des demandes d'application, p. ex. demandes de transmission de données d'application en utilisant l'analyse et l'optimisation des ressources réseau requises
H04L 67/10 - Protocoles dans lesquels une application est distribuée parmi les nœuds du réseau
Machine learning adversarial campaign mitigation on a computing device. The method may include deploying an original machine learning model in a model environment associated with a client device; deploying a classification monitor in the model environment to monitor classification decision outputs in the machine learning model; detecting, by the classification monitor, a campaign of adversarial classification decision outputs in the machine learning model; applying a transformation function to the machine learning model in the model environment to transform the adversarial classification decision outputs to thwart the campaign of adversarial classification decision outputs; determining a malicious attack on the client device based in part on detecting the campaign of adversarial classification decision outputs; and implementing a security action to protect the computing device against the malicious attack.
G06F 21/00 - Dispositions de sécurité pour protéger les calculateurs, leurs composants, les programmes ou les données contre une activité non autorisée
Knowledge-aware detection of attacks on a client device conducted with dual-use tools. A method may include obtaining dual-use tool data related to a plurality of dual-use tools; collecting from a client device, by the computing device, user input related to the use of a dual-use tool of the plurality of dual-use tools; determining that the user input contains a feature of the dual-use tool data; creating a behavioral index of the user input, the behavioral index stored on the client device; detecting new input on the client device; determining a similarity level between the user input and the new input; flagging a malicious attack on the client device based on determining that the similarity level does not satisfy a pre-determined threshold; and implementing a security action on the client device based on flagging the malicious attack.
Secure access to a corporate application with translation between an internal address and an external address. In some embodiments, a method may include receiving, at a secure access cloud point of delivery (PoD), from a client application on a client device, a request to access a corporate web application that is deployed in a corporate datacenter. The method may also include forwarding, from the secure access cloud PoD, to a connector that is also deployed in the corporate datacenter, the request to access the corporate web application. The method may further include brokering, by the connector and the secure access cloud PoD, authentication of a user, authorization of access by the user, and a secure communication session between the client application and the corporate web application by translating between an internal address of the corporate web application and an external address of the corporate web application.
09 - Appareils et instruments scientifiques et électriques
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
(1) Downloadable computer programs for project management, digital product management, work collaboration, information technology portfolio management, and business process management (1) Software as a service (SaaS) services featuring non-downloadable, cloud-based computer programs for project management, digital product management, work collaboration, information technology portfolio management, and business process management
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
(1) Software as a service (SAAS) services featuring software for project management, digital product management, work collaboration, and computer software development and implementation
09 - Appareils et instruments scientifiques et électriques
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
Downloadable computer programs for project management, product management, work collaboration, information technology portfolio management, and business process management, all aforementioned goods only in the context of financial investment management software and not in the context of security, law-enforcement, defense and military software; none of the aforementioned goods in the context of energy production and distribution; none of the aforementioned goods in the context of chemistry for health sciences, biomedicine, biology, biotechnology, clinical biochemistry, pharmaceutical and pharmacology chemistry. Providing online, non-downloadable, cloud-based computer programs for project management, product management, work collaboration, information technology portfolio management, and business process management, all aforementioned services only in the context of financial investment management software and not in the context of security, law-enforcement, defense and military software; none of the aforementioned services in the context of energy production and distribution; none of the aforementioned services in the context of chemistry for health sciences, biomedicine, biology, biotechnology, clinical biochemistry, pharmaceutical and pharmacology chemistry.
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
Software as a service (SAAS) services featuring software for project management, product management, work collaboration, and software development and implementation.
09 - Appareils et instruments scientifiques et électriques
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
Downloadable computer programs for project management, product management, work collaboration, information technology portfolio management, and business process management; all aforementioned goods/services only in the context of financial investment management software and not in the context of security, law-enforcement, defense and military software Non-downloadable, cloud-based computer programs for project management, product management, work collaboration, information technology portfolio management, and business process management; all aforementioned goods/services only in the context of financial investment management software and not in the context of security, law-enforcement, defense and military software
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
Software as a service (SAAS) services featuring software for project management, product management, work collaboration, and software development and implementation
25.
Systems and methods for producing adjustments to malware-detecting services
The disclosed computer-implemented method for producing adjustments to malware-detecting services may include (1) receiving, from a plurality of malware-detecting services executing on a plurality of client computing devices, a respective plurality of probability scores with corresponding model identifiers for an analyzed file and a plurality of respective identifiers describing the malware-detecting services, (2) building a training dataset from at least a portion of the received plurality of probability scores with corresponding model identifiers, and (3) performing a security action including (A) training, with the training dataset, a malware-detecting linear regression ensemble machine learning model that is specific to an identifier in the plurality of identifiers and (B) sending the trained linear regression ensemble machine learning model to one of the plurality of malware-detecting services executing on one of the client computing devices. Various other methods, systems, and computer-readable media are also disclosed.
Techniques are disclosed relating to increasing the amount of training data available to machine learning algorithms. A computer system may access an initial set of training data that specifies a plurality of sequences, each of which may define a set of data values. The computer system may amplify the initial set of training data to create a revised set of training data. The amplifying may include identifying sub-sequences of data values in ones of the plurality of sequences in the initial set of training data and using an inheritance algorithm to create a set of additional sequences of data values, where each one of the set of additional sequences may include sub-sequences of data values from at least two different sequences in the initial set of training data. The computer system may process the set of additional sequences using the machine learning algorithm to train a machine learning model.
G06F 18/214 - Génération de motifs d'entraînementProcédés de Bootstrapping, p. ex. ”bagging” ou ”boosting”
G06V 10/82 - Dispositions pour la reconnaissance ou la compréhension d’images ou de vidéos utilisant la reconnaissance de formes ou l’apprentissage automatique utilisant les réseaux neuronaux
27.
Secure access to a corporate application in an SSH session using a transparent SSH proxy
Secure access to a corporate application in an SSH session using a transparent SSH proxy. In some embodiments, a method may include receiving, at a secure access cloud point of delivery (PoD), from a client application on a client device, a request to access a corporate application that is deployed in a corporate datacenter. The method may also include forwarding, from the secure access cloud PoD, to a connector that is also deployed in the corporate datacenter, the request. The method may further include brokering, by the connector and the secure access cloud PoD, authentication of a user, authorization of access by the user, and an SSH session between the client application and the corporate application using a transparent SSH proxy, with the client application being unaware that the SSH session is brokered by the connector and the secure access cloud PoD.
Secure access to a corporate application using a facade. In some embodiments, a method may include receiving, at a secure access cloud point of delivery (PoD), from a client application on a client device, a request to access a corporate application that is deployed in a corporate datacenter. The method may also include creating, at the secure access cloud PoD, a facade representing the corporate application. The method may further include forwarding, from the facade, to a connector that is also deployed in the corporate datacenter, the request. The method may also include brokering, by the connector and the facade, authentication of a user, authorization of access by the user, and a secure communication session between the client application and the corporate application via the facade, with the client application being unaware that the secure communication session is brokered by the connector and the facade.
The disclosed computer-implemented method for dynamically augmenting machine learning models based on contextual factors associated with execution environments may include (1) generating a base machine learning model and a supplemental set of machine learning models, (2) determining at least one contextual factor associated with an execution environment of a machine learning system that is configured to make predictions regarding a set of input data using at least the base machine learning model, (3) selecting, based on the contextual factor, a continuation set of machine learning models from the supplemental set of machine learning models, and (4) directing the machine learning system to utilize both the base machine learning model and the continuation set of machine learning models when making predictions regarding the set of input data. Various other methods, systems, and computer-readable media are also disclosed.
G06K 9/62 - Méthodes ou dispositions pour la reconnaissance utilisant des moyens électroniques
G06F 21/53 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p. ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par exécution dans un environnement restreint, p. ex. "boîte à sable" ou machine virtuelle sécurisée
G06F 21/56 - Détection ou gestion de programmes malveillants, p. ex. dispositions anti-virus
Secure access to a corporate application with translation between an internal address and an external address. In some embodiments, a method may include receiving, at a secure access cloud point of delivery (PoD), from a client application on a client device, a request to access a corporate web application that is deployed in a corporate datacenter. The method may also include forwarding, from the secure access cloud PoD, to a connector that is also deployed in the corporate datacenter, the request to access the corporate web application. The method may further include brokering, by the connector and the secure access cloud PoD, authentication of a user, authorization of access by the user, and a secure communication session between the client application and the corporate web application by translating between an internal address of the corporate web application and an external address of the corporate web application.
G06F 15/16 - Associations de plusieurs calculateurs numériques comportant chacun au moins une unité arithmétique, une unité programme et un registre, p. ex. pour le traitement simultané de plusieurs programmes
The disclosed computer-implemented method for protecting a cloud computing device from malware may include (i) intercepting, at a computing device, a malicious attempt by the malware to (A) access sensitive information in an encrypted file stored on the computing device and (B) send the sensitive information to the cloud computing device and (ii) performing, responsive to the attempt to access the encrypted file, a security action. Various other methods, systems, and computer-readable media are also disclosed.
A method for identifying suspicious activity on a monitored computing device is described. In one embodiment, the method may include monitoring a local procedure call interface of the monitored computing device, identifying, based at least in part on the monitoring, a remote procedure call (RPC) of a suspicious process, the RPC being transmitted over a local procedure call message of the local procedure call interface, analyzing the RPC of the suspicious process, and performing a security action based at least in part on the analyzing.
The disclosed computer-implemented method for detecting code implanted into a published application may include retrieving a published version of an application and a source version of the application, and determining, based on an analysis of the source version and the published version, a transformation process for transforming from the source version to the published version. The method may also include performing the transformation process on the source version to produce a build version, comparing the build version with the published version, and identifying, based on the comparison, implanted code in the published version. The method may further include performing, in response to identifying the implanted code, a security action. Various other methods, systems, and computer-readable media are also disclosed.
The disclosed computer-implemented method for malware detection using localized machine learning may include (i) generating a global score for a file using a global machine learning model, (ii) generating a localized score for the file using a localized machine learning model, (iii) determining that the file is malware using the global score, the localized score, and the local conviction threshold, and (iv) in response to determining that the file is malware, performing a security action to protect the computing device against malware. Various other methods, systems, and computer-readable media are also disclosed.
The disclosed computer-implemented method for managing a need-to-know domain name system may include (i) intercepting, by an agent of the computing device, network traffic received on the computing device, (ii) generating, by the agent, a one-time password based on a unique identifier of the agent of the computing device, (iii) wrapping, by the agent, the network traffic with the one-time password, and (iv) pushing, by the agent, the wrapped network traffic to a cloud server using a local domain name system (DNS) of the agent of the computing device, wherein the local DNS comprises a private domain name unpublished in a global DNS. Various other methods, systems, and computer-readable media are also disclosed.
G06F 13/00 - Interconnexion ou transfert d'information ou d'autres signaux entre mémoires, dispositifs d'entrée/sortie ou unités de traitement
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
H04L 67/10 - Protocoles dans lesquels une application est distribuée parmi les nœuds du réseau
H04L 61/4511 - Répertoires de réseauCorrespondance nom-adresse en utilisant des répertoires normalisésRépertoires de réseauCorrespondance nom-adresse en utilisant des protocoles normalisés d'accès aux répertoires en utilisant le système de noms de domaine [DNS]
Telemetry data from client file reputation queries is collected over time. Directories/sub-directories under which files of queries are located are identified. The files including the reputations for the files under a given directory/sub-directory are identified and used to calculate the reputation score for the directory/sub-directory. The directory/sub-directory is then classified based on the calculated score for the directory/sub-directory. After the classification of directories/sub-directories, reputation for a file with unknown reputation is then determined based on the classification of the directory/sub-directory under which the file is located.
G06F 21/00 - Dispositions de sécurité pour protéger les calculateurs, leurs composants, les programmes ou les données contre une activité non autorisée
G06F 21/56 - Détection ou gestion de programmes malveillants, p. ex. dispositions anti-virus
G06F 16/185 - Systèmes de gestion de stockage hiérarchisé, p. ex. migration de fichiers ou politiques de migration de fichiers
37.
Pre-filtering detection of an injected script on a webpage accessed by a computing device
Pre-filtering detection of an injected script on a webpage accessed by a computing device. The method may include receiving an indication of access to the webpage at a web browser of the computing device; identifying a web form associated with the webpage; determining that the webpage has been previously visited by the computing device; recording at least one current domain associated with at least one current object request made by the web form; determining a difference of a count of the at least one current domain associated with the at least one current object request and a count of at least one historical domain associated with at least one historical object request previously made by the webpage; identifying the webpage as suspicious based on determining that the difference is greater than zero and less than a domain threshold; and initiating a security action on the webpage based on the identifying.
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
H04L 67/56 - Approvisionnement des services mandataires
G06F 21/53 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p. ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par exécution dans un environnement restreint, p. ex. "boîte à sable" ou machine virtuelle sécurisée
Identifying and protecting against an attack against an anomaly detector machine learning classifier (ADMLC). In some embodiments, a method may include identifying training data points in a manifold space for an ADMLC, dividing the manifold space into multiple subspaces, merging each of the training data points into one of the multiple subspaces, training a subclassifier for each of the multiple subspaces to determine a decision boundary for each of the multiple subspaces between normal training data points and anomalous training data points, receiving an input data point into the ADMLC, determining whether the input data point is an attack on the ADMLC due to a threshold number of the subclassifiers classifying the input data point as an anomalous input data point, and, in response to identifying the attack against the ADMLC, protecting against the attack.
A computer-implemented method for detecting and protecting against malicious use of legitimate computing-system tools may include (i) identifying a computing-system tool that can perform benign actions and malicious actions on a computing system, (ii) creating a set of recorded actions by recording actions performed by the computing-system tool on the computing system over a predetermined period of time, (iii) analyzing the set of recorded actions via a machine learning method that, for each action in the set of recorded actions, determines whether the action is anomalous compared to other actions in the set, (iv) classifying an action in the set of recorded actions as malicious based at least in part on determining that the action is anomalous, and (v) initiating, in response to classifying the action as malicious, a security action related to the action. Various other methods, systems, and computer-readable media are also disclosed.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
40.
Identifying and mitigating harm from malicious network connections by a container
Identifying and mitigating harm from malicious network connections by a container. In some embodiments, a method may include receiving, from a shim, notifications of all network connections that a container has sought to establish through the shim. The method may also include monitoring all actual network connections established by the container. The method may further include comparing the notifications to the actual network connections to determine whether any actual network connection established by the container bypassed the shim. The method may also include, in response to determining that any actual network connection established by the container bypassed the shim, identifying the network connection established by the container that bypassed the shim as a malicious network connection, and performing a security action to mitigate harm from the malicious network connection.
The disclosed computer-implemented method for utilizing metadata for protecting against the sharing of images in a computing network may include (i) identifying an image file stored in a public folder on a computing device, (ii) storing a copy of the image file within a secure data storage application, (iii) encoding metadata for revealing an image in the image file, (iv) performing a security action that protects against sharing the image file from the public folder by masking the image in the image file with the encoded metadata, and (v) rendering the image in the image file as an unmasked version of the image from the image file or the copy of the image file in the secure data storage application by decoding the metadata utilized to mask the image. Various other methods, systems, and computer-readable media are also disclosed.
Methods, systems, and devices for protecting against abnormal computer behavior are described. The method may include monitoring a computer process related to an application running on a computing device of one or more computing devices, analyzing a database including a set of digital fingerprints, where a digital fingerprint of the set of digital fingerprints relates to the application, the digital fingerprint including an indication of a set of computer processes related to the application that are classified as normal computer processes for the application, determining that the computer process related to the application is an abnormal computer process based on analyzing, and performing a security action on the computing device to protect the computing device against the abnormal computer process based on the determining.
Methods and systems are provided for automatically generating malware definitions and using generated malware definitions. One example method generally includes receiving information associated with a malicious application and extracting malware strings from the malicious application. The method further includes filtering the malware strings using a set of safe strings to produce filtered strings and scoring the filtered strings to produce string scores by evaluating words of the filtered strings based on word statistics of a set of known malicious words. The method further includes selecting a set of candidate strings from the filtered strings based on the string scores and generating a malware definition for the malicious application based on the set of candidate strings. The method also includes performing one or more security actions to protect against the malicious application, using the malware definition.
The disclosed computer-implemented method for safely executing unreliable malware may include (i) intercepting a call to an application programming interface (API) in a computing operating system, the API being utilized by malware for disseminating malicious code, (ii) determining an incompatibility between the API call and the computing operating system that prevents successful execution of the API call, (iii) creating a proxy container for receiving the API call, (iv) modifying, utilizing the proxy container, the API call to be compatible with the computing operating system, (v) sending the modified API call from the proxy container to the computing operating system for retrieving the API utilized by the malware, and (vi) performing a security action during a threat analysis of the malware by executing the API to disseminate the malicious code in a sandboxed environment. Various other methods, systems, and computer-readable media are also disclosed.
G06F 21/53 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p. ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par exécution dans un environnement restreint, p. ex. "boîte à sable" ou machine virtuelle sécurisée
G06F 21/54 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p. ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par ajout de routines ou d’objets de sécurité aux programmes
G06F 21/56 - Détection ou gestion de programmes malveillants, p. ex. dispositions anti-virus
45.
Systems and methods for protecting against malicious content
The disclosed computer-implemented method for protecting against malicious content may include intercepting, by a security application installed on the computing device, an original message intended for a target application installed on the same computing device. The original message may include potentially malicious content. The security application may forward the original message to a security service. The computing device may receive a clean message from the security service, wherein the clean message includes a safe representation of the potentially malicious content. Various other methods, systems, and computer-readable media are also disclosed.
The disclosed computer-implemented method for managing endpoint security states using passive data integrity attestations may include (i) receiving passively collected network data from an endpoint device of a computing environment, (ii) determining a security state of the endpoint device using the passively collected network data from the endpoint device, (iii) determining that the security state of the endpoint device is below a threshold, and (iv) in response to determining that the security state of the endpoint device is below a threshold, performing a security action to protect the computing environment against malicious actions. Various other methods, systems, and computer-readable media are also disclosed.
The present disclosure relates to using correlations between support interaction data and telemetry data to discover emerging incidents for remediation. One example method generally includes receiving a corpus of support interaction data and a corpus of telemetry data. Topics indicative of underlying problems experienced by users of an application are extracted from the corpus of support interaction data. A topic having a rate of appearance in the support interaction data above a threshold value is identified. A set of telemetry data relevant to the topic is extracted from the corpus of telemetry data, and a subset of the relevant set of telemetry data having a frequency in the relevant set of telemetry data above a second threshold value is identified. The topic and the subset of telemetry data are correlated to an incident to be remediated, and one or more actions are taken to remedy the incident.
The disclosed computer-implemented method for executing decision trees may include (i) executing a security classification decision tree that classifies an input data item, (ii) gathering, simultaneously using a gather instruction, values for both a current threshold at a parent node of the security classification decision tree and a subsequent threshold at a child node of the parent node, (iii) gathering, simultaneously using the gather instruction, values for both a current measurement at the parent node and a subsequent measurement at the child node, (iv) comparing, simultaneously using a comparison instruction, the current threshold at the parent node with the current measurement at the parent node and the subsequent threshold at the child node with the subsequent measurement at the child node, and (v) performing a security action to protect the computing device. Various other methods, systems, and computer-readable media are also disclosed.
The disclosed computer-implemented method for protection of storage systems using decoy data may include identifying an original file comprising sensitive content to be protected against malicious access and protecting the sensitive content. Protecting the sensitive content may include (i) processing the original file to identify a structure of the original file and the sensitive content of the original file, (ii) generating a decoy file using the structure of the original file and using substitute content in a location corresponding to the sensitive content of the original file, and (iii) storing the decoy file with the original file. Various other methods, systems, and computer-readable media are also disclosed.
In some embodiments, a computing system includes a communication interface; and a processor that is coupled to the communication interface. In some embodiments, least one of the communication interface or the processor receives a network packet from the network via a network adapter port; encapsulates the received network packet with a tunnel header, wherein the tunnel header comprises network identifier information identifying the network adapter port; addresses, based on the network identifier information, an outer Internet protocol (IP) header of the encapsulated network packet with an outer IP address corresponding to a network function in a first computing device; and sends the encapsulated network packet toward the network function identified by the outer IP address.
H04L 61/251 - Traduction d'adresses de protocole Internet [IP] entre versions IP différentes
H04L 67/1001 - Protocoles dans lesquels une application est distribuée parmi les nœuds du réseau pour accéder à un serveur parmi une pluralité de serveurs répliqués
H04L 69/167 - Adaptation pour la transition entre deux versions IP, p. ex. entre IPv4 et IPv6
H04L 69/22 - Analyse syntaxique ou évaluation d’en-têtes
51.
Systems and methods for detecting covert channels structured in internet protocol transactions
The disclosed computer-implemented method for detecting covert channels structured in Internet Protocol (IP) transactions may include (1) intercepting an IP transaction including textual data and a corresponding address, (2) evaluating the textual data against a model to determine a difference score, (3) determining that the textual data is suspicious when the difference score exceeds a threshold value associated with the model, (4) examining, upon determining that the textual data is suspicious, the address in the transaction to determine whether the address is invalid, (5) analyzing the transaction to determine a frequency of address requests that have been initiated from a source address over a predetermined period, and (6) identifying the transaction as a covert data channel for initiating a malware attack when the address is determined to be invalid and the frequency of the address requests exceeds a threshold value. Various other methods, systems, and computer-readable media are also disclosed.
Isolating an iframe of a webpage. In one embodiment, a method may include targeting an iframe in a webpage for isolation, executing, in a server browser, iframe code, sending, from the remote isolation server to the local client, the webpage with the iframe code of the iframe replaced with isolation code, executing, in a client browser, webpage code and the isolation code, intercepting, in the client browser, webpage messages sent from the webpage code and intended to be delivered to the iframe, sending, to the remote isolation server, the intercepted webpage messages to be injected into the iframe code executing at the server browser, intercepting, at the server browser, iframe messages sent from the iframe code and intended to be delivered to the webpage, and sending, to the local client, the intercepted iframe messages to be injected into the webpage code executing at the client browser.
A cloud device is configured in an email transmission pathway. The cloud device receives an email attachment whose maliciousness status is determined to be unknown. The cloud device encrypts the email attachment and delivers the encrypted attachment to the recipient. When the recipient attempts to access the encrypted attachment, the cloud device re-determines the maliciousness status of the attachment. If the re-determined maliciousness status is benign, the cloud device allows the encrypted attachment to be decrypted and opened locally on the recipient's device. If the re-determined maliciousness status is still unknown, the cloud device provides a cloud-based viewing solution to the recipient using an isolation service.
A method for detecting and protecting against abnormal user behavior is described. The method may include generating a tensor model based on a set of user information within a temporal period. The tensor model may include a behavioral profile associated with a user of a set of users. In some examples, the method may include determining that a behavior associated with the user of the set of users is abnormal based on the tensor model, adapting the tensor model based on feedback from an additional user of a set of additional users different from the set of users, and performing a security action on at least one computing device to protect against the abnormal user behavior based on the adapting.
The disclosed computer-implemented method for preventing data loss from data containers may include (1) identifying, at a computing device, a process running in a data container on the computing device, (2) intercepting an attempt by the process to exfiltrate information from the computing device via at least one of a file system operation or a network operation, and (3) performing a security action to prevent the intercepted attempt. Various other methods, systems, and computer-readable media are also disclosed.
Detecting and protecting against computing breaches based on lateral movement of a computer file within an enterprise. A method may include obtaining data associated with an existence a computer file in a first computing device and a second computing device of an enterprise, detecting a pattern of lateral movement of the computer from the first computing device to the second computing device over a predetermined period of time, based on the data, calculating a likelihood score that the computer file is malicious based on the detected pattern, determining that the likelihood score satisfies a predetermined breach threshold, and in response to determining that the likelihood score satisfies the predetermined breach threshold, initiating remedial action on the computer file to protect the enterprise against the computer file.
G06F 21/00 - Dispositions de sécurité pour protéger les calculateurs, leurs composants, les programmes ou les données contre une activité non autorisée
G06F 21/56 - Détection ou gestion de programmes malveillants, p. ex. dispositions anti-virus
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06K 9/62 - Méthodes ou dispositions pour la reconnaissance utilisant des moyens électroniques
G06F 11/34 - Enregistrement ou évaluation statistique de l'activité du calculateur, p. ex. des interruptions ou des opérations d'entrée–sortie
The disclosed computer-implemented method for preserving system contextual information in an encapsulated packet may include (1) receiving, at a computing device, a network packet from the network via a network adapter port, (2) encapsulating the received network packet with a tunnel header, where a network identifier field in the tunnel header comprises information identifying the network adapter port, (3) determine an outer Internet protocol (IP) address for the encapsulated network packet, where the destination IP address corresponds to a destination on the network, (4) addressing an outer header of the encapsulated network packet with the IP address, and (5) sending the encapsulated network packet toward the destination identified by the destination IP address. Various other methods, systems, and computer-readable media are also disclosed.
The disclosed computer-implemented method for tuning application network behavior may include identifying an application for a closed operating system. The closed operating system may prevent applications from implementing machine-level traffic control for network traffic. The method may include determining an expected network behavior of the application, intercepting network traffic of the application on the closed operating system, determining whether the intercepted network traffic conforms to the expected network behavior, and modifying, based on the determining whether the intercepted network traffic conforms to the expected network behavior, the network traffic. Various other methods, systems, and computer-readable media are also disclosed.
A computer-implemented method for preventing electronic form data from being electronically transmitted to untrusted domains may include (i) identifying a web page that includes an electronic form with field for data entry, (ii) detecting that the web page is electronically sending first and second messages that each include data from the field of the electronic form and that are directed to first and second destinations, respectively, (iii) determining that the first destination includes an untrusted destination, and (iv) blocking the web page from electronically sending the data from the field of the electronic form to the untrusted destination by blocking the first message from being electronically sent. Various other methods, systems, and computer-readable media are also disclosed.
G06F 21/51 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade du chargement de l’application, p. ex. en acceptant, en rejetant, en démarrant ou en inhibant un logiciel exécutable en fonction de l’intégrité ou de la fiabilité de la source
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
H04W 12/106 - Intégrité des paquets ou des messages
60.
Systems and methods for providing an integrated cyber threat defense exchange platform
The disclosed computer-implemented method for providing an integrated cyber threat defense exchange platform may include (i) receiving unnormalized security data from a plurality of disparate security data sources that generate security data in differing formats, (ii) normalizing, using a security data schema, the unnormalized security data into normalized security data, (iii) identifying a security action that is responsive to at least one security event identified within the normalized security data, and (iv) coordinating performance of the security action within a plurality of networked computing devices. Various other methods, systems, and computer-readable media are also disclosed.
The disclosed computer-implemented method for protecting website visitors may include (i) retrieving an instance of a website that was dynamically generated by aggregating multiple website subcomponents, (ii) decomposing the instance of the website into the multiple website subcomponents, (iii) checking whether a website subcomponent has been previously scanned by a security scanner, (iv) accelerating a review of the instance of the website by reusing results of a previous scan of the website subcomponent that was performed in response to retrieving a different instance of the website subcomponent rather than performing an original scan of the website subcomponent, and (v) protecting a visitor of the website by modifying a display of the instance of the website based on the accelerated review of the instance of the website that reused results of the previous scan of the website subcomponent. Various other methods, systems, and computer-readable media are also disclosed.
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
H04L 29/08 - Procédure de commande de la transmission, p.ex. procédure de commande du niveau de la liaison
G06F 16/955 - Recherche dans le Web utilisant des identifiants d’information, p. ex. des localisateurs uniformisés de ressources [uniform resource locators - URL]
G06F 16/957 - Optimisation de la navigation, p. ex. mise en cache ou distillation de contenus
62.
Method to assess internal security posture of a computing system using external variables
Methods and systems are provided for generating a security profile for a new computing system. One example method generally includes obtaining, over a network, information associated with a plurality of existing computing systems and generating, by a clustering algorithm, a set of clusters based on the information associated with the plurality of existing computing systems. The method further includes obtaining external data associated with the computing system and classifying the computing system into a cluster in the set of clusters based on the external data associated with the computing system. The method further includes determining the security profile based on statistics associated with the cluster and transmitting, over the network, an indication of the security profile.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
63.
Systems and methods for preventing sharing of sensitive content in image data on a closed computing platform
The disclosed computer-implemented method for preventing sharing of sensitive content in image data on a closed computing platform may include (i) detecting initiation of a network connection for sending network traffic data to a data storage service on the closed computing platform, (ii) monitoring the sending of the network traffic data to identify a target traffic indicator associated with image data, (iii) interrupting the sending of the network traffic data upon identifying the target traffic indicator, (iv) analyzing the image data to identify sensitive content, and (v) performing a security action that protects against the sensitive content being shared to the data storage service on the closed computing platform. Various other methods, systems, and computer-readable media are also disclosed.
G06K 9/00 - Méthodes ou dispositions pour la lecture ou la reconnaissance de caractères imprimés ou écrits ou pour la reconnaissance de formes, p.ex. d'empreintes digitales
H04L 12/24 - Dispositions pour la maintenance ou la gestion
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
Image quality optimization during remote isolated sessions. In one embodiment, a method may include a remote isolation server receiving, at a remote isolation server, a request from a local browser on a local network device to obtain webpage data from a webserver, requesting, from the webserver, the webpage data, receiving, from the webserver, the requested webpage data, rendering a first image of the requested webpage data, storing a first copy of the first image of the requested webpage data in memory associated with the remote isolation server, compressing a first portion of the first image using a first compression method, sending, from the remote isolation server, the compressed first portion of the first image to the local browser, compressing a second portion of the first image using a second compression method, and sending the compressed second portion of the first image to the local browser.
Methods and systems are provided for detecting malware. One example method generally includes receiving a reference dataset comprising an aggregation of probability distributions of a plurality of intra-file patterns for a plurality of files of at least a first class and applying a logical query to the reference dataset to generate a template distribution with probability distributions of the plurality of intra-file patterns calculated according to one or more logical operators in the logical query. The method further includes detecting a likely presence of malware in a computer file by indicating one or more areas in the computer file based on at least a portion of the calculated probability distributions of the plurality of intra-file patterns in the template distribution.
Secure Quarantine of Potentially Malicious Content. In one embodiment, a method for secure quarantine of potentially malicious content may include receiving a computer file from a third party, preventing the computer file from initially being accessed by a user associated with the computing device, collecting metadata from the computer file, encrypting the file and the collected metadata using a first encryption key, creating an encrypted computer file, encrypting the first encryption key using an asymmetric key, embedding the encrypted computer file into a new computer file, wherein at least one file object that is in the encrypted computer file is removed from the new computer file, enabling user access to the new computer file and the embedded encrypted computer file.
H04L 9/06 - Dispositions pour les communications secrètes ou protégéesProtocoles réseaux de sécurité l'appareil de chiffrement utilisant des registres à décalage ou des mémoires pour le codage par blocs, p. ex. système DES
In one embodiment, a method for electronic document sanitization may include receiving a first request from a client device to send a first electronic document, the first request including a requested usability level of the first electronic document, removing at least one document object from the first electronic document, the document object having potentially malicious content, the removing based at least in part on receiving the first request, and transmitting the first electronic document to the client device after removing the at least one document object therefrom.
G06F 12/14 - Protection contre l'utilisation non autorisée de mémoire
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
G06F 21/56 - Détection ou gestion de programmes malveillants, p. ex. dispositions anti-virus
G06F 3/0484 - Techniques d’interaction fondées sur les interfaces utilisateur graphiques [GUI] pour la commande de fonctions ou d’opérations spécifiques, p. ex. sélection ou transformation d’un objet, d’une image ou d’un élément de texte affiché, détermination d’une valeur de paramètre ou sélection d’une plage de valeurs
G06F 40/166 - Édition, p. ex. insertion ou suppression
68.
Systems and methods for improving performance of cascade classifiers for protecting against computer malware
The disclosed computer-implemented method for improving performance of cascade classifiers for protecting against computer malware may include receiving a training dataset usable to train a cascade classifier of a machine-learning classification system. A sample to add to the training dataset may be received. A weight for the sample may be calculated. The training dataset may be modified using the sample and the weight. A weighted training for the cascade classifier of the machine-learning classification system may be performed using the modified training dataset. Computer malware may be identified using the cascade classifier. In response to identifying the computer malware, a security action may be performed to protect the one or more computing devices from the computer malware. Various other methods, systems, and computer-readable media are also disclosed.
In one embodiment, a computer-implemented method for using customer context to detonate malware may be performed by one or more computing devices, each comprising one or more processors. The method may include receiving an artefact associated with a first device being targeted by malware, simulating in a controlled environment attributes of the first device based at least in part on the artefact, executing the malware in the controlled environment while the attributes of the first device are being simulated, and performing a security action with respect to the malware based at least in part on the execution of the malware in the controlled environment.
G06F 9/455 - ÉmulationInterprétationSimulation de logiciel, p. ex. virtualisation ou émulation des moteurs d’exécution d’applications ou de systèmes d’exploitation
G06F 21/56 - Détection ou gestion de programmes malveillants, p. ex. dispositions anti-virus
G06F 21/53 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p. ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par exécution dans un environnement restreint, p. ex. "boîte à sable" ou machine virtuelle sécurisée
The disclosed computer-implemented method for identifying users may include (i) detecting that a user at an endpoint computing device is connecting to an identity provider, (ii) detecting, after detecting that the user at the endpoint computing device is connecting to the identity provider, that a mobile device has received a second-factor authentication message, (iii) discovering, by a security service, that the user at the endpoint computing device matches a known user profile registered to the mobile device by correlating the user at the endpoint computing device connecting to the identity provider with the mobile device receiving the second-factor authentication message, and (iv) applying a security policy to the user at the endpoint computing device based on the known user profile matched to the user by the security service. Various other methods, systems, and computer-readable media are also disclosed.
Systems, apparatuses, methods, and computer readable mediums for implementing an email deception service. A system includes one or more processors coupled to one or more memories storing program instructions. The program instructions are executable by the processor(s) to scan live emails for suspicious emails. The suspicious emails are emails with phishing links, business compromise emails, emails with malware attachments, and so on. When a suspicious email is detected, the processor(s) execute the program instructions to interact with the suspicious email in a way that mimics an end-user. A set of decoy credentials are provided to an attacker during the interaction, and then a decoy account is monitored for accesses by the attacker using the decoy credentials. Accesses to the decoy account are monitored and recorded to obtain intelligence on the attacker.
A computer-implemented method for server load control may include: (a) receiving a request of a first type or a second type; (b) transmitting a response of a form that will not be processed by the second computer, thereby reducing the load on a third computer, when the request is of the first type, and that will be processed by the second computer when the request is of the second type; and (c) when the request is of the second type and the response is processed by the second computer, receiving a message from the second computer that results from the processed response and indicates that the request is not of the first type. Various other methods, systems, and computer-readable media are also disclosed.
Protecting a network device from malicious executable code embedded in a computer document. In one embodiment, a method may include detecting executable code embedded in a computer document stored on a network device. The method may also include detecting a potential hoax object in the computer document. The method may further include determining that the potential hoax object is a hoax object by determining that the potential hoax object includes a message enticing a user to enable execution of the executable code. The method may also include, in response to determining that the potential hoax object is a hoax object, concluding that the executable code is malicious and performing a security action on the network device that secures the network device from the malicious executable code.
G06F 21/56 - Détection ou gestion de programmes malveillants, p. ex. dispositions anti-virus
G06F 21/52 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p. ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
A set of DLP rules are enforced to prevent loss of biometric data on a computing device. Attempts to perform operations targeting biometric data are detected, and the specific biometric data being targeted is identified. It is determined whether given attempted operations targeting biometric data are permitted, according to the set of DLP rules. This can take the form of enforcing DLP rules governing attempted operations based on factors such as the type of biometric data, quantity of biometric data, quality of biometric data, target of an attempt to transmit biometric data, specific users and/or applications that initiated attempted operations, specific people represented by the biometric data, relationships between them, etc. In response to determining that a specific attempted operation targeting biometric data is not permitted according to the DLP rules, the operation is blocked. If the DLP rules do not prohibit the operation, its execution is permitted.
Disclosed are methods for tracking consumer transactions from a non-mainframe environment into a mainframe environment. The methods provide for carryover of consumer data from the non-mainframe environment into a mainframe environment.
A computer-implemented method for controlling access to credentials may include (i) maintaining, by a computing device, a set of applications for which attempting to access digital credentials comprises anomalous behavior, (ii) monitoring, by the computing device, each application within the set of applications for attempts to access digital credentials, (iii) automatically detecting, while monitoring for attempts to access digital credentials, an attempt of an application in the set of applications to access a digital credential, and (iv) performing, in response to detecting the attempt to access the digital credential, a security action to secure the digital credential. Various other methods, systems, and computer-readable media are also disclosed.
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
The disclosed computer-implemented method for detecting geolocation-aware malware may include (1) receiving, by a computing device, trajectory information for network traffic carrying geolocation-aware malware, (2) identifying, from the trajectory information, a target geolocation characteristic required to activate the geolocation-aware malware, (3) establishing, on an image of a user machine, an execution environment having the target geolocation characteristic, (4) running, on the image of the user machine, the geolocation-aware malware, and (5) analyzing functioning of the geolocation-aware malware to identify malicious activity by the geolocation-aware malware. Various other methods, systems, and computer-readable media are also disclosed.
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
Software as a Service (SAAS) services featuring cloud software security services, namely, monitoring of cloud services usage, controlling per-user access, governance and auditing of cloud services, data security, information protection, data loss prevention, management of security policies, security analytics and forensic analysis
79.
Securely sharing a transport layer security session with one or more trusted devices
Securely sharing a Transport Layer Security (TLS) session with one or more trusted devices. In one embodiment, a method may include establishing a TLS session between a client device and a server device, communicating encrypted messages that are encrypted using encryption keys between the client device and the server device, and intercepting and decrypting one or more of the encrypted messages at a trusted device using the encryption keys. In this embodiment, the establishing of the TLS session may include negotiating a master secret, establishing a secure channel between the trusted device and the client device or the server device, sending, from the client device or the server device, the master secret to the trusted device over the secure channel, and employing the master secret at the client device, at the server device, and at the trusted device to generate, for the TLS session, the encryption keys.
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
H04L 9/32 - Dispositions pour les communications secrètes ou protégéesProtocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
An autonomous controller for SDN, virtual, and/or physical networks can be used to optimize a network automatically and determine new optimizations as a network scales. The controller trains models that can determine in real-time the optimal path for the flow of data from node A to B in an arbitrary network. The controller processes a network topology to determine relative importance of nodes in the network. The controller reduces a search space for a machine learning model by selecting pivotal nodes based on the determined relative importance. When a demand to transfer traffic between two hosts is detected, the controller utilizes an AI model to determine one or more of the pivotal nodes to be used in routing the traffic between the two hosts. The controller determines a path between the two hosts which comprises the selected pivotal nodes and deploys a routing configuration for the path to the network.
H04L 12/751 - Mise à jour ou découverte de la topologie
H04L 12/755 - Cohérence de la mise à jour de la topologie, p.ex. avis d’état de liaison [LSA], horodatage ou numéros de séquence dans les mises à jour
H04L 12/721 - Procédures de routage, p.ex. routage par le chemin le plus court, routage par la source, routage à état de lien ou routage par vecteur de distance
H04L 12/24 - Dispositions pour la maintenance ou la gestion
H04L 12/707 - Prévention ou récupération du défaut de routage, p.ex. reroutage, redondance de route "virtual router redundancy protocol" [VRRP] ou "hot standby router protocol" [HSRP] par redondance des chemins d’accès
H04L 12/715 - Routage hiérarchique, p.ex. réseaux en grappe ou routage inter-domaine
81.
Systems and methods for evaluating security services
The disclosed computer-implemented method for evaluating security services may include (i) receiving, at a backend security server from an enterprise, multiple suspicious computing events detected within the enterprise, (ii) recording, within the backend security server, historical security information for each computing event that includes (a) a classification of the computing event as malicious or non-malicious based on a security analysis performed by the backend security server and (b) a point in time at which the classification was determined, (iii) evaluating an ability of the backend security server to detect security threats by (a) detecting an additional computing event within the enterprise and (b) determining, based on the historical security information, a point in time at which the backend security server became capable of classifying the additional computing event, and (iv) adjusting a security policy within the enterprise based on the evaluated ability of the backend security server.
A method of identifying security risks in a computer system that includes several computers executing different applications is provided. The method receives event data about threat events associated with a set of applications executing on a set of computers in the computer system. The method, for each event, compares a set of parameters associated with the event with a set of historical parameters maintained for a similar event. The method, based on the comparisons, defines a normality characterization for each event to express a probability of an exploit of the application associated with the event. The method, based on the normality characterization, defines a prioritized display of security risks due to the threat events associated with the set of application.
The disclosed computer-implemented method for detecting anomalous behavior within computing sessions may include (i) identifying, by the computing device, a set of execution events that correspond to a computing session, (ii) providing, by the computing device, the set of execution events as input to an autoencoder, (iii) receiving, by the computing device and from the autoencoder, a reconstruction error associated with autoencoding the set of execution events, (iv) detecting, by the computing device and based on the reconstruction error, an anomaly within the computing session, and (v) performing, by the computing device, a security action to address the anomaly within the computing session. Various other methods, systems, and computer-readable media are also disclosed.
The disclosed computer-implemented method for managing illegitimate authentication attempts may include (i) detecting an authentication attempt performed by a user to gain access to a protected computing environment, (ii) determining that the authentication attempt to access the protected computing environment is illegitimate, and (iii) simulating, in response to the determination, a successful attempt to authenticate to the protected computing environment by presenting the user with access to a catch-all environment that poses as the protected computing environment and that isolates the protected computing environment from the user. Various other methods, systems, and computer-readable media are also disclosed.
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
G06K 9/00 - Méthodes ou dispositions pour la lecture ou la reconnaissance de caractères imprimés ou écrits ou pour la reconnaissance de formes, p.ex. d'empreintes digitales
85.
Systems and methods for creating automatic computer-generated classifications
The disclosed computer-implemented method for creating automatic computer-generated classifications may include (i) mining webpages of entities with a known classification, (ii) using information mined from the webpages to create a classification structure that assigns class labels to entities based on entity webpage content, (iii) applying, to the classification structure, one or more webpages of a new entity with an unknown classification, (iv) receiving, from the classification structure, a class label for the new entity, and (v) performing a security action based on the new entity's class label. Various other methods, systems, and computer-readable media are also disclosed.
A method to block overlay phishing attempt is described. In one embodiment, the method includes detecting a first application displaying a page of the first application on a display of a computing device, detecting a second application displaying a page of the second application on the display of the computing device, upon detecting the second application displaying the page of the second application, comparing a schematic representation of the page of the first application to a schematic representation of the page of the second application, and determining whether an overlay phishing attempt occurs based at least in part on the comparing.
A computer-implemented method for detecting potentially malicious hardware-related anomalies may include (1) profiling a computing environment of at least one hardware component on a computing device, (2) detecting, by comparing the hardware component's profile with an expected profile for the hardware component, at least one anomaly in the hardware component's computing environment, (3) identifying additional suspicious activity on the computing device, and (4) determining, by correlating the additional suspicious activity on the computing device with the anomaly in the hardware component's computing environment, that the anomaly in the hardware component's computing environment is potentially malicious. Various other methods, systems, and computer-readable media are also disclosed.
In a method for generating narrative interface descriptions, a file including a machine-readable description of a computing interface is parsed to identify an element therein based on a property thereof. Cross-reference data including human-readable narrative information corresponding to the element is retrieved from a data source, and an embellished file is generated in which the element is modified to include the cross-reference data. Related methods, systems, and computer program products are also discussed.
API calls made by a code sample executing in an emulator are analyzed. Specific ones of the analyzed API calls are classified as meeting a threshold level of suspicion of being made by malware. In response to a specific API call being classified as meeting the threshold, a range of memory before and after the return address of the classified API call is copied to a buffer that is not accessible to the code sample. The copied range of memory in the buffer that is not accessible to the code sample is scanned, and a signature corresponding to the code sample is generated. The generated signature can be used for signature based malware detection, in order to detect one or more instances of malware. In response to detecting malware, one or more security actions can be performed.
The disclosed computer-implemented method for authenticating applications installed on computing devices may include (i) requesting to download, onto an endpoint device, an application from a host server, (ii) receiving the application from the host server after the host server has (a) generated an authentication token to be used to authenticate the application on the endpoint device and (b) embedded the authentication token within a filename of the application, (iii) installing the application onto the endpoint device, (iv) identifying the authentication token within the filename of the application, and (v) using the authentication token to authenticate the endpoint device to the application such that a user of the endpoint device is provided access to the application. Various other methods, systems, and computer-readable media are also disclosed.
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
G06F 21/30 - Authentification, c.-à-d. détermination de l’identité ou de l’habilitation des responsables de la sécurité
G06F 21/51 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade du chargement de l’application, p. ex. en acceptant, en rejetant, en démarrant ou en inhibant un logiciel exécutable en fonction de l’intégrité ou de la fiabilité de la source
G06F 21/62 - Protection de l’accès à des données via une plate-forme, p. ex. par clés ou règles de contrôle de l’accès
H04L 9/32 - Dispositions pour les communications secrètes ou protégéesProtocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
An autonomous controller for SDN, virtual, and/or physical networks can be used to optimize a network automatically and determine new optimizations as a network scales. The controller trains models that can determine in real-time the optimal path for the flow of data from node A to B in an arbitrary network. The controller processes a network topology to determine relative importance of nodes in the network. The controller reduces a search space for a machine learning model by selecting pivotal nodes based on the determined relative importance. When a demand to transfer traffic between two hosts is detected, the controller utilizes an AI model to determine one or more of the pivotal nodes to be used in routing the traffic between the two hosts. The controller determines a path between the two hosts which comprises the selected pivotal nodes and deploys a routing configuration for the path to the network.
H04L 12/751 - Mise à jour ou découverte de la topologie
H04L 12/755 - Cohérence de la mise à jour de la topologie, p.ex. avis d’état de liaison [LSA], horodatage ou numéros de séquence dans les mises à jour
H04L 12/721 - Procédures de routage, p.ex. routage par le chemin le plus court, routage par la source, routage à état de lien ou routage par vecteur de distance
H04L 12/24 - Dispositions pour la maintenance ou la gestion
H04L 12/707 - Prévention ou récupération du défaut de routage, p.ex. reroutage, redondance de route "virtual router redundancy protocol" [VRRP] ou "hot standby router protocol" [HSRP] par redondance des chemins d’accès
H04L 12/715 - Routage hiérarchique, p.ex. réseaux en grappe ou routage inter-domaine
92.
Machine learning model for identifying offensive, computer-generated natural-language text or speech
Provided is a process that includes: obtaining a training set of n-grams labeled as offensive; causing a machine learning model to be trained based on the training set of n-grams, wherein the machine learning model, when trained, is configured to classify natural language text as offensive or non-offensive; obtaining input natural language text expressing a computer-generated utterance; classifying after causing training, the computer-generated utterance as offensive or non-offensive using the machine learning model; and causing an output to be provided to a recipient, the output being based on whether the machine learning model classifies the computer-generated utterance as offensive or non-offensive.
G10L 15/06 - Création de gabarits de référenceEntraînement des systèmes de reconnaissance de la parole, p. ex. adaptation aux caractéristiques de la voix du locuteur
G10L 15/18 - Classement ou recherche de la parole utilisant une modélisation du langage naturel
93.
Systems and methods for updating locked states of computing systems
The disclosed computer-implemented method for updating locked states may include (i) identifying a computing system and a mobile device that are both operated by a user, (ii) using a signal strength between the computing system and the mobile device to calculate a physical distance between the mobile device and the computing system that correlates to a proximity of the user to the computing system, (iii) calibrating, based on input from a sensor that indicates an activity of the user, a parameter for calculating the physical distance, (iv) using the signal strength and the parameter to recalculate the physical distance, and (v) updating, based at least in part on the recalculated physical distance, a locked state of the computing system in response to a change in the proximity of the user to the computing system. Various other methods, systems, and computer-readable media are also disclosed.
A method performed by a server processing computer for a plurality of monitored servers is provided. The method includes receiving a server alarm of a first type in response to one of a first set of server metrics, each of which includes a measure of a first property for the monitored servers, exceeding a first threshold. The method also includes receiving a server alarm of a second type in response to one of a second set of server metrics, each of which includes a measure of a second property for the monitored servers, exceeding a second threshold. The method includes determining a server alarm correlation between the received server alarm of the first type and the received server alarm of the second type, and generating a new server alarm configuration for a server alarm of the first type and/or the second type based on the server alarm correlation.
G06F 15/16 - Associations de plusieurs calculateurs numériques comportant chacun au moins une unité arithmétique, une unité programme et un registre, p. ex. pour le traitement simultané de plusieurs programmes
H04L 12/24 - Dispositions pour la maintenance ou la gestion
H04L 12/26 - Dispositions de surveillance; Dispositions de test
95.
Tracking and securing electronic messages using an embedded identifier
An authentication server can receive an electronic message transmitted by a sender. The electronic message can have an intended recipient and can include message data. A sender identification (“ID”) is embedded in the message data. The authentication server can generate a first message ID based on the message data that includes the sender ID. The first message ID can be determined to match a second message ID that is stored in a database. The sender ID can be determined to be different from an originator ID that is associated with the second message ID in the database. The authentication server can determine whether an originator associated with the originator ID has authorized the sender to transmit the message data and can determine whether to transmit the electronic message to the intended recipient based on whether the originator has authorized the sender to transmit the data.
Detecting a malicious application executing in an emulator based on a check made by the malicious application after making an API call. In one embodiment, a method may include executing an application in an emulator that emulates a real-world computing environment. The method may also include detecting, in the application, an API call configured to accept a parameter and return a variable return value to a return address in the application. The method may further include detecting, at the return address, a check to be performed on the variable return value returned by the API call. The method may also include, in response to the detecting of the check, determining that the application is malicious. The method may further include performing a security action on the malicious application to prevent the malicious application from executing in the real-world computing environment.
G06F 21/56 - Détection ou gestion de programmes malveillants, p. ex. dispositions anti-virus
G06F 21/53 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p. ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par exécution dans un environnement restreint, p. ex. "boîte à sable" ou machine virtuelle sécurisée
Systems and methods are provided for sharing a device identifier between two applications installed on an unmanaged device. An enterprise application running on a device may execute client-side code received from an ID matching server to generate a target data set characterizing the device. The enterprise application may send the target data set to the ID matching server. The ID matching server may interact with a Mobile Threat Defense (MTD) server to determine a device ID that the MTD server may use to identify the device. The ID matching server may send the device identifier to an Identity Management (IdM) server. The IdM server may send an API request for security information about the target device to the MTD server, which may send the requested security information in response. The IdM server may determine an authorization level based on the security information.
G06F 21/53 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p. ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par exécution dans un environnement restreint, p. ex. "boîte à sable" ou machine virtuelle sécurisée
A client can be authenticated with an identity provider. The identity provider can generate an identity provider token after successful authentication. Prior to issuing a request to a service provider, the client can request a temporary (one time use) token from the identity provider. The request may include a client token to verify the client's identity. The identity provider can validate the client token using details saved in the identity provider token and issue the temporary token to the client. The client can provide the temporary token to a service provider in a request for service. The service provider can validate the temporary token with the identity provider. If the temporary token is valid (i.e., has not already been used), the service provider can respond to the request. The use of a temporary token and not sharing the identity provider token with the client can prevent security breaches.
H04L 9/32 - Dispositions pour les communications secrètes ou protégéesProtocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
H04L 9/30 - Clé publique, c.-à-d. l'algorithme de chiffrement étant impossible à inverser par ordinateur et les clés de chiffrement des utilisateurs n'exigeant pas le secret
99.
Systems and methods for creating program-specific execution environments
The disclosed computer-implemented method for creating program-specific execution environments may include (1) identifying a privileged software program to be executed on a client system in a program-specific execution environment, (2) establishing the program-specific execution environment by (a) determining that at least one process executing on the client system is not essential to operation of the privileged software program to be executed on the client system and (b) suspending execution of the non-essential process in response to identifying the non-essential process, and (3) initiating execution of the privileged software program in the program-specific execution environment. Various other methods, systems, and computer-readable media are also disclosed.
A system uses event correlation to identify components belonging to a same service or service domain. The system correlates events by generating covariance matrices or by performing sequence mining with temporal databases in order to discover event patterns that occur sequentially in a fixed time window. Components corresponding to the correlated events are identified as being part of a same service domain and can be indicated in a service domain data structure, such as a topology. The system utilizes the identified service domains during root cause analysis. The system can determine an anomalous event occurring a lowest layer component in a service domain as a root cause or can determine an anomalous event which occurs first in an identified event sequence of a service domain as a root cause. After identifying the root cause event, the system suppresses notifications of events occurring at other components in the service domain.
