The present disclosure provides techniques for computing an efficacy of a cyberthreat detection technique using proximity of detections. A processing device generates an incident report comprising a plurality of events detected at an endpoint. The processing device performs a scoring process on the plurality of events based on a first cyberthreat detection technique. Responsive to determining, during the scoring process, that a summed score corresponding to at least one event in the plurality of events exceeds a threshold score, the processing device computes a difference between a first timestamp at which the summed score exceeded the threshold score and a second timestamp at which a second cyberthreat detection technique detected a cyberthreat with respect to the endpoint. The processing device outputs an indication of the difference.
An endpoint cybersecurity reinforcement learning agent uses reinforcement learning to implement cybersecurity actions. The endpoint cybersecurity RL agent interfaces with a host operating system as an antimalware driver. The endpoint cybersecurity RL agent receives an event notification generated by the OS and determines a responsive cybersecurity action using the reinforcement learning. The endpoint cybersecurity RL agent implements the cybersecurity action via the OS. The endpoint cybersecurity RL agent thus greatly improves computer functioning by quickly learning to identify new/novel suspicious events and operations.
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure, by executing in a restricted environment, e.g. sandbox or secure virtual machine
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
A cybersecurity model assessment service assesses machine learning and/or artificial intelligence models for cybersecurity threats. The cybersecurity model assessment service may particularly assess a pickle file associated with an AI/ML model. A dynamic emulation reveals whether the pickle file represents normal or abnormal computer behavior. The dynamic emulation of the pickle file may thus reveal whether the AI/ML model is safe or unsafe to use.
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
The present disclosure provides techniques for adaptive and context-aware scanning. A processing device obtains a set of metrics associated with at least one of: a target device in a network or the network. The processing device determines, based on the set of metrics, a time instance at which to perform a scan of the target device. The processing device performs the scan of the target device at the time instance.
A security agent executing on a computing system may determine when an encryption process, configured to generate an encrypted archive file containing one or more files, is initiated on the computing system. The security agent may identify files accessed by the encryption process during generation of the encrypted archive file, and may generate corresponding archive content data indicating content of the files accessed by the encryption process and that are likely included within the encrypted archive file. The security agent may apply policies to operations associated with the encrypted archive file by using the archive content data to determine contents of the encrypted archive file, without decrypting the encrypted archive file.
The present disclosure provides techniques for executable parsing and feature extraction. A processing device identifies an operating system (OS) associated with an executable file and a version of a programming language associated with the executable file based on contents of the executable file. The processing device parses the executable file based on the OS associated with the executable file and the version of the programming language. The processing device extracts a set of features based on the parsed executable file. The processing device provides, as an input to an artificial intelligence (AI) model, the set of features, where the AI model is trained to classify executable files. The processing device obtains, as an output of the AI model, a classification of the executable file based on the input and learned parameters of the AI model.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
The present disclosure provides an approach of collecting contextual execution data of a service executing in a runtime environment. The contextual execution data indicates a communication between the service and a runtime entity within the runtime environment. The approach determines a cybersecurity risk score of the service based on the contextual execution data and prioritizes the service based on the cybersecurity risk score. In turn, the approach performs a remediation of a cybersecurity threat to the service based on the prioritizing.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
A method for managing reliability of a cloud application includes deploying one or more detection engines into a customer environment. The method also includes monitoring data related to the reliability of the cloud application from within the customer environment. The method further includes detecting, by the one or more detection engines, a parameter affecting the reliability based on a set of rules. In addition, the method includes generating a response to interrogate the customer environment based on the parameter.
The present disclosure provides techniques for sensor event based activity hour modelling. A processing device obtains, via a sensor application installed on a user device, a plurality of events occurring on the user device, where each event in the plurality of events includes a respective day and a respective time. The processing device aggregates, based on the respective day and the respective time, the plurality of events to generate time series data. The processing device performs a smoothing operation on the time series data to generate a curve. The processing device classifies an event on the user device as usual or unusual based on a baseline level of activity on the user device and the curve.
G06F 30/27 - Design optimisation, verification or simulation using machine learning, e.g. artificial intelligence, neural networks, support vector machines [SVM] or training a model
G06F 17/17 - Function evaluation by approximation methods, e.g. interpolation or extrapolation, smoothing or least squares method
G06F 17/18 - Complex mathematical operations for evaluating statistical data
42 - Scientific, technological and industrial services, research and design
Products and services
Software as a service (SaaS) services featuring software for security information and event management (SIEM); software as a service (SaaS) services featuring software for data orchestration, namely, collecting, sorting, searching, processing, filtering, transforming, and routing computer and network data from multiple sources in structured and unstructured formats; software as a service (SaaS) services featuring software for monitoring and analyzing system performance, logs and telemetry data, namely, real-time observability, log management, and data analytics in the fields of computer and network security; software as a service (SaaS) services featuring software for detecting, blocking, and removing computer viruses and threats; application service provider (ASP) featuring non-downloadable computer software for use in managing data pipelines and optimizing data storage costs by routing and filtering security telemetry data generated by computer networks and security systems; computer security consultancy in the field of scanning and penetration testing of computers and networks; computer security consultancy, namely, developing plans for improving computer and network security and observability for businesses and governmental agencies; technological planning and consulting services in the field of selection and implementation of computer hardware and software systems for others; computer services, namely, online scanning, detecting, and eliminating malware and unauthorized data on computers and networks; cloud computing featuring software for use in computer and network security and large-scale data ingestion and analysis.
Prediction of CPEs using banners greatly improves computer functioning. Many web services have an unknown common platform enumeration (CPE). When the CPE is unknown, a computer system is unable to obtain cybersecurity flaws and software fixes for a software product or web service. A CPE, though, is predicted by banner-prompting a large language model using a web service banner. Once the CPE is predicted, vulnerabilities may be identified.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
A cybersecurity model assessment service assesses machine learning and/or artificial intelligence models for cybersecurity threats. When an endpoint client device encounters an ML/AI model, the client device may stop processing the ML/AI model and determine its provenance. The provenance identifies a base, foundational, or origin model from which the ML/AI model derives. The provenance, for example, determines whether the ML/AI model originates from, derives from, or is sufficiently similar to a known good/safe model or to a known bad/unsafe model. The cybersecurity model assessment service may then predict a computer behavior of the ML/AI model, based on the provenance. Similarity to a known good/safe model, for example, may be safe to run, while similarity to a known bad/unsafe model is unsafe to run.
G06F 21/52 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure
13.
DEFINING INDICATORS OF MALICIOUS ACTIVITY BY A MACHINE LEARNED MODEL
Techniques for determining vector representations of labeled data entities and using those vector representations to detect malicious activity are described herein. A system implementing the techniques receives a vocabulary comprised of data tokens and a set of labeled data entities. The vocabulary includes at least one data token determined based at least in part on user data associated with a user interface and at least one data token determined by a machine learned model. Based on the vocabulary, the system then determines, for at least one labeled data entity of the set of labeled data entities, a vector representation of the at least one labeled data entity. The vector representation indicates presence or counts of data tokens of the vocabulary within the at least one labeled data entity. The system then provides the vector representation for use in detecting malicious activity in data transactions.
A cybersecurity service assesses, scores, and/or prioritizes activities associated with a directory service. When the directory service is requested to change a directory service assignment, the directory service may first request a verdict from the cybersecurity service. The cybersecurity service may use profiling and/or machine learning to predict directory service assignments. The cybersecurity service may then score and prioritize requests to change/update directory service assignments. Small deviations from predicted directory service assignments, for example, may indicate harmless/normal directory service activity. Larger deviations, though, may indicate abnormal directory service activity. Larger deviations may even indicate malicious directory service activity, such as permission escalation and cyberbreaches. Scoring and prioritization allows for resource allocation and timely mitigations by human experts.
A cybersecurity service assesses cybersecurity detections reported by endpoint client devices. The cybersecurity detections are compared to different groupings of historical cybersecurity detections. Each grouping of the historical cybersecurity detections shares common traits, features, and other characteristics. As each new cybersecurity detection is received, the cybersecurity service determines the best match between the new cybersecurity detection and the different groupings of the historical cybersecurity detections, based on similar traits, features, and other characteristics. The cybersecurity service may thus commonly assess the new cybersecurity detection based on the best match.
The present disclosure provides techniques for machine speed attack defense. A processing device detects evidence of a potential in-progress cybersecurity attack with respect to an endpoint. The processing device generates a data structure based on the detected evidence. The processing device performs a fuzzy comparison based on the data structure and at least one data structure associated with a known cybersecurity attack. The processing device implements, based on the fuzzy comparison, a reversible response to the potential in-progress cybersecurity attack.
The present disclosure provides an approach of obtaining information associated with a software program. The present disclosure produces, by a processing device, a classification using an AI model that identifies, in the information, a provision indicating that the software program will perform an intrusive action. In turn, the present disclosure provides the classification to a destination device that indicates the information comprises the provision.
G06F 21/51 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or reliability of the source
Multi-modal query processing greatly improves computer functioning. A single cybersecurity sensory nodal server concurrently processes standing queries, agent point queries, and agent fleet queries. The single cybersecurity sensory nodal server is dedicated to locally storing electronic data associated with a cybersecurity sensory agent installed at a client device. Because the single cybersecurity sensory nodal server locally stores the single source of the electronic data, the single cybersecurity sensory nodal server answers the standing queries, agent point queries, and agent fleet queries using fewer hardware resources, fewer network resources, less electrical energy, and less time.
A system and method for application discovery in a computing environment utilize static analysis. The method includes receiving data of an application, the application deployed on a workload in a first computing environment; detecting a plurality of anchor points in the data; and generating an application graph, including a plurality of first nodes, based on the plurality of anchor points, wherein each anchor point corresponds to a first node, and wherein at least a first node of the plurality of nodes is connected to at least another node of the plurality of nodes.
42 - Scientific, technological and industrial services, research and design
45 - Legal services; security services; personal services for individuals
Products and services
Computer security consulting; consulting in the field of information technology; computer security and network security consulting, namely, consultation in the fields of protecting data and information from unauthorized access, identifying malware on computer systems, identifying the source and genealogy of malware, and identifying the objectives of computer system attackers; computer security consultancy in the field of scanning and penetration testing of computers and networks to assess information security vulnerability; maintenance and updating of computer software relating to computer and network security and prevention of computer risks; computer security consultancy for protecting data and information from unauthorized access, namely, developing plans for improving computer and network security and preventing criminal activity; cloud computing featuring software for detecting breaches for use in computer and network security; cloud computing services featuring software for authorizing access to databases in the field of computer and network security; computer services, namely, online scanning, detecting, quarantining, and eliminating viruses, worms, trojans, spyware, adware, malware and unauthorized data and programs on computers, networks, and electronic devices; computer systems analysis; monitoring of computer systems for protecting data and information from unauthorized access; computer security consultancy for protecting data and information from unauthorized access; computer technology consulting in the field of systems for the surveillance and monitoring of vulnerability and security problems in computer hardware, networks, and software; computer security consultancy for protecting data and information from unauthorized access in the field of endpoint protection software or curated cyberthreat data for computer security assurance and identification of malicious intrusions into computers, computer networks or computer endpoints; software as a service (SAAS) services featuring software for ensuring the security of computers and computer networks; software as a service (SAAS) services, namely, hosting software for use by others for detecting, blocking, and removing computer viruses and threats; application service provider (ASP) featuring non-downloadable computer software for ensuring the security of computers and computer networks; computer services, namely, acting as an application service provider in the field of knowledge management to host computer application software for creating databases of information and data related to malware and computer and network security; computer security consultancy in the field of administration of digital keys and digital certificates. Licensing of software, namely, computer and network security software.
21.
AUTO-CUSTOMIZING CONFIGURATION ASSESSMENT RULE VALUES FROM CAPTURED STATE OF A TEMPLATE MACHINE
The present disclosure provides an approach that obtains, from a template machine executing on a computing environment, a template machine configuration setting comprising a security rule with a template machine rule value. The present disclosure customizes, by a processing device, a benchmark security configuration based on the template machine rule value to produce a customized security configuration. The present disclosure then utilizes the customized security configuration to perform a configuration assessment of a computing machine executing in the computing environment to test a compliance of the computing machine.
Techniques are provided to detect irregular interactive command prompt activity. Interactive command prompt activity that is irregular for one user may be regular for another, and therefore the disclosed techniques determine whether interactive command prompt activity is irregular on a user-by-user basis. A sensor in a customer network can detect interactive command prompt use and send event data to a cloud service configured to score the irregularity of the interactive command prompt use. The score can optionally be combined with other information to determine whether alerting the customer network of potentially malicious activity is warranted.
Prediction of cybersecurity breaches greatly improves computer functioning. When a client device reports a cybersecurity detection, the cybersecurity detection is compared to true positive cybersecurity detection characteristics. The true positive cybersecurity detection characteristics represent true positive cybersecurity detections that remain after applying a false positive pruning operation. If the cybersecurity detection conforms to the true positive cybersecurity detection characteristics, then the cybersecurity detection may be categorized as true positive and abnormal operation. The false positive pruning operation removes false positive influences to produce a more accurate detection of abnormal/suspicious/malicious computer usage/activity.
Prediction of false positive cybersecurity detections greatly improves computer functioning. When a client device reports a cybersecurity detection, the cybersecurity detection is compared to a false positive cybersecurity detection profile. The false positive cybersecurity detection profile represents false positive characteristics associated with false positive cybersecurity detections. If the cybersecurity detection conforms to the false positive cybersecurity detection profile, then the cybersecurity detection may be categorized as false positive and normal operation. If, however, the cybersecurity detection fails to conform to the false positive cybersecurity detection profile, then the cybersecurity detection may be categorized as true positive and abnormal operation. The identification of false positive cybersecurity detections produces a more accurate detection of legitimate computer usage/activity.
Prediction of matches between CPEs and banners greatly improves computer functioning. Many web services have an unknown common platform enumeration (CPE). When the CPE is unknown, a computer system is unable to obtain cybersecurity flaws and software fixes for a software product or web service. A similarity between the CPE and a service banner, though, accurately predicts a match between the CPE and the web service. CPEs, for example, may thus be identified for old, obsolete, and uncommon software products and services.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
26.
Estimating cost of query execution on a set of data accessible to a computing system
Estimating a cost of executing a query on a set of data involves executing logic to: estimate a size of each datum in the set of data; receive a query specifying a value for a first datum and a plurality of additional datum in the set of data associated with the first datum, and a maximum number of first datum to be retrieved from the set of data that have the specified value; estimate a cost of executing the query based on the maximum number of first datum to be retrieved from the set of data that have the specified value, the plurality of additional datum associated with the first datum, and the estimated size of the first datum and each of the additional datum associated with the first datum; and execute the query on the set of data responsive to the estimated cost.
G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
A cloud-based service assesses sequences of bits/bytes in natural language using a large byte model representing a large language model trained using a byte vocabulary expansion. The byte vocabulary expansion allows the large language model's textual vocabulary to also include byte-related information associated with different sequences of bits/bytes (e.g., 1's and 0's). The large byte model may thus be given a binary input, and optionally a textual instruction, and the large byte model generates simple natural language descriptions explaining/describing binary input.
A repository scanning coordinator is disclosed herein. The repository scanning coordinator manages parallel scanning of multiple source code repositories by multiple scanners, while also avoiding conflicts by preventing simultaneous scanning of any one single source code repository by more than one scanner at a time.
The present disclosure provides an approach of generating a request to obtain information corresponding to a data sample. The approach produces, by a processing device, sample metadata using an artificial intelligence (AI) model trained to analyze the data sample and generate the sample metadata. In turn, the approach enriches the data sample based on the sample metadata to produce an enriched data sample.
The present disclosure provides an approach of producing, by a first artificial intelligence (AI) model, decision values corresponding to data samples in a validation dataset. The processing device determines a decision value order of the data samples based on the decision values. In turn, the processing device trains a second AI model based on the decision value order and the data samples to generate an output from an input dataset.
42 - Scientific, technological and industrial services, research and design
45 - Legal services; security services; personal services for individuals
Products and services
(1) Computer security consulting; consulting in the field of information technology; computer security and network security consulting, namely, consultation in the fields of protecting data and information from unauthorized access, identifying malware on computer systems, identifying the source and genealogy of malware, and identifying the objectives of computer system attackers; computer security consultancy in the field of scanning and penetration testing of computers and networks to assess information security vulnerability; maintenance and updating of computer software relating to computer and network security and prevention of computer risks; computer security consultancy for protecting data and information from unauthorized access, namely, developing plans for improving computer and network security and preventing criminal activity; cloud computing featuring software for detecting breaches for use in computer and network security; cloud computing services featuring software for authorizing access to databases in the field of computer and network security; computer services, namely, online scanning, detecting, quarantining, and eliminating viruses, worms, trojans, spyware, adware, malware and unauthorized data and programs on computers, networks, and electronic devices; computer systems analysis; monitoring of computer systems for protecting data and information from unauthorized access; computer security consultancy for protecting data and information from unauthorized access; computer technology consulting in the field of systems for the surveillance and monitoring of vulnerability and security problems in computer hardware, networks, and software; computer security consultancy for protecting data and information from unauthorized access in the field of endpoint protection software or curated cyberthreat data for computer security assurance and identification of malicious intrusions into computers, computer networks or computer endpoints; software as a service (SAAS) services featuring software for ensuring the security of computers and computer networks; software as a service (SAAS) services, namely, hosting software for use by others for detecting, blocking, and removing computer viruses and threats; application service provider (ASP) featuring non-downloadable computer software for ensuring the security of computers and computer networks; computer services, namely, acting as an application service provider in the field of knowledge management to host computer application software for creating databases of information and data related to malware and computer and network security; computer security consultancy in the field of administration of digital keys and digital certificates.
(2) Licensing of software, namely, computer and network security software.
The present disclosure provides techniques for biometric and trusted ID verification. A method includes transmitting, by a first device during a communication session between the first device and a second device, a challenge to an identity of a user of the second device to at least one of a server or the second device. The method includes receiving, at the first device and based on the challenge during the communication session, a response from the server indicating a verification status of the identity of the user, where the response is based on associations of trusted IDs and biometric IDs maintained by the server, and where the response is further based on biometric data of the user. The method includes presenting, at the first device during the communication session, an indication of the response.
Prediction of CPEs using banners greatly improves computer functioning. Many web services have an unknown common platform enumeration (CPE). When the CPE is unknown, a computer system is unable to obtain cybersecurity flaws and software fixes for a software product or web service. A CPE, though, is predicted by banner-prompting an AI/ML model using a web service banner. Once the CPE is predicted, vulnerabilities may be identified.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
34.
SYSTEM AND METHOD FOR INTERPRETING SUPERCLASS BEHAVIOR IN DYNAMIC LANGUAGE COMPUTER CODE
A method of interpreting superclass behavior in dynamic language computer code includes generating a first code object including a first class of a plurality of classes defined by a common superclass in code of an application in a dynamic programming language, generating a second code object including a second class of the plurality of classes defined by the common superclass, and generating an analyzable dynamic language computer code including the first code object and the second code object. The method further includes resolving an attribute in the analyzable dynamic language computer code for each of the first code object and the second code object, performing a comparison of the attribute resolved for the first code object and the second code object, and identifying a deviation in behavior of the first class or the second class based on the comparison of the attribute resolved for the first code object and the second code object.
A method includes accessing code of an application written in a dynamic programming language, wherein the application includes a set of transition points, detecting values in the code of the application, wherein a first value of the values is associated with a first transition point of the set of transition points, and iteratively resolving the first transition point to the first value or to another transition point. The method further includes generating a value transition graph comprising a set of nodes and a set of edges connecting the set of nodes, wherein each node of the set of nodes represents a resolved transition point of the set of transition points, and generating a node in the value transition graph for the first transition point in response to resolving the first transition point to the first value.
The present disclosure provides techniques for selective removal of leaf nodes. A processing device tracks a count of leaf nodes associated with a parent node within a key space. The processing device identifies whether the count of the leaf nodes exceeds a threshold. The processing device removes the parent node within the key space in response to the count of leaf nodes exceeding the threshold. The processing device frees the resources utilized by the leaf node removed from the key space for use by other leaf nodes within the key space.
A computer-implemented method for a digital security system receives unlabeled event data associated with a computing environment, clusters via an unsupervised machine learning model the unlabeled event data into clusters of unlabeled event data where unlabeled event data in one cluster are more similar to each other than to unlabeled event data in other clusters, selects a respective subset of unlabeled event data for each cluster of unlabeled event data, translates via a large language model artificial neural network each unlabeled event datum in each respective subset of unlabeled event data into a description for the unlabeled event datum, and applies a label via a labeling algorithm to at least one unlabeled event datum in a respective cluster responsive to and representative of the respective description for the unlabeled event datum in the respective subset, thereby transforming the at least one unlabeled event datum to a labeled event datum.
Timestamped events involving entities occurring over a time period are maintained in a graph where each node represents a respective entity and edges connected to a node represent corresponding timestamped events involving the entity represented by the node. A respective array of values corresponding to the edges is created for each node. A number of embedding vectors is created for each node, each comprising numerical values corresponding to a portion of the respective array of values for the node for a portion of the time period of timestamped events involving the entity represented by the node. Similarity is measured in the numerical values of one of the embedding vectors relative to the numerical values of another one or more of the embedding vectors obtained for the node. An action is taken with regard to the entity represented by the node responsive to the measured similarity.
The present disclosure provides techniques for event detection. A processing device computes a first score corresponding to an event at a first host based on a first timestamp of the event, a second timestamp, and a base rate. The processing device computes, based on the first score exceeding a first threshold value, a second score based on: the first timestamp, a third timestamp corresponding to an occurrence of the event at a second host, and the base rate. The processing device outputs an indication of the event based on the first score and the second score.
Techniques for enriching events with entity state data to provide distributed tracking of entity state data are provided. A cyber-security management (CSM) system may provide a set of configurations that each define entity identification information indicating when one or more entities are referenced by an event being processed. When an event that is part of a stream of events is received, the set of configurations may be used by the CSM to identify an entity referenced by the event. The event may be routed to each node of a set of nodes of the CSM that is associated with the identified entity, where each of the nodes associated with the identified entity may update state information of the identified entity maintained by the node. Each of the nodes associated with the identified entity may also enrich the event with the state information of the entity.
Deployments of microservices executing in a cloud are automatically managed. Some microservices are deployed on dedicated nodes, others in serverless configurations. Rates of invocation and runtime data of microservices are monitored. Responsive to the monitored rate of invocation of a microservice running serverless exceeding a given threshold, the microservice is automatically redeployed to a dedicated node. A microservice executing on a dedicated node may be redeployed serverless if the infrequency with which it is called is sufficient. Microservices can be automatically redeployed between different dedicated nodes with different capacities based on monitored usage. The underlying cloud service provider may be automatically monitored for changes in serverless support functionality. Responsive to these changes, the thresholds at which microservices are redeployed can be automatically adjusted. Microservices may also be redeployed, and thresholds adjusted, in response to serverless microservice failures resulting from insufficient support provided by the underlying cloud service provider.
Techniques for exchanging data between a host device and a computing device in a cloud computing environment using a protocol are discussed herein. The protocol can, for example, define a schema for identifying and/or tracking data packets associated with one or more events at the host device. The techniques can include assigning information to the data packets that enable recovery of a data packet and/or arranging the data packets regardless of whether data packets are received out of order. The protocol can improve reliability of data exchanges and perform synchronization in less time and using fewer computational resources (than not implementing the techniques).
Techniques for automatically determining semantic information for images associated with a data stream using a multimodal large language model (m-LLM) are discussed herein. For example, a system can implement the m-LLM to receive image data as input and output human-readable descriptions for portions of the image data. The techniques can include receiving input data from a variety of different data sources, and interpreting a meaning of the data regardless of an operating system, data format, or other data type associated with the input data.
G06V 30/262 - Post-processing techniques, e.g. correction of recognition results, using context analysis, e.g. lexical, syntactic or semantic context
G06F 40/40 - Processing or translation of natural language
G06V 30/42 - Document-oriented image-based pattern recognition based on the type of document
The present disclosure provides techniques for determining and mitigating AI model vulnerabilities. A processing device generates, via a first AI model, a plurality of prompt variations based on an indication of a vulnerability. The processing device determines that a second AI model is vulnerable to the vulnerability based on at least one prompt variation in the plurality of prompt variations. The processing device generates a plurality of filter variations based on a plurality of filters and the at least one prompt variation. The processing device tests the plurality of filter variations and the at least one prompt variation on the second AI model. The processing device generates, based on the testing, a report indicative of an effectiveness of the plurality of filter variations in mitigating the vulnerability with respect to the second AI model.
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
A preliminary tag search improves computer functioning by reducing cross-cluster searches. Today's cloud service providers maintain large, distributed datasets stored by multiple clusters having many nodes. Many cross-cluster searches generate no search results, but unsuccessful cross-cluster searches still consume significant hardware resources, network bandwidth, and electrical energy. The preliminary tag search eliminates unfruitful cross-cluster searches. The preliminary tag search may identify only the cross-cluster searches that will generate positive search results. The preliminary tag search may identify wasteful cross-cluster searches that would generate no search results. Prior to conducting cross-cluster searches, a distributed database service may first perform the preliminary tag search that identifies successful/unsuccessful cross-cluster searches. The distributed database service may then decline or skip unsuccessful cross-cluster searches.
The present disclosure provides an approach of collecting vulnerability data corresponding to a vulnerability of a target product. The approach provides the vulnerability data to an artificial intelligence model that is trained to determine a complexity indicator from the vulnerability data. The complexity indicator corresponds to applying a vulnerability patch to remediate the vulnerability. The approach determines a patch complexity classification by providing the complexity indicator to the artificial intelligence model and, in turn, provides the patch complexity classification to a target system corresponding to the target product.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
47.
PROTECTED TRAINING OF PRIVATE ADAPTER MODELS FOR A HOSTED FOUNDATION MODEL
Methods and systems are provided for training copies of a private adapter network at respective client computing devices; and aggregating of trained weight sets in a common parameter space as a weight set of a hosted foundation model at a cloud computing system. A private adapter model can be a subdivision of a hosted foundation model, segmented from some number of layers of a hosted foundation model or can be distinct from the hosted foundation model, given that the private adapter model configures a computing host to update a weight set in a common parameter space as a weight set of the hosted foundation model. By performing a protected update to a weight set, true values of the coefficients of the weight set derived from inputting features of a labeled dataset at a first layer of the private adapter model are obfuscated.
Estimated and actual processor runtimes improve computer functioning in fairly sharing computing resources. Today's computers and cloud-based services serve many users and many software applications sharing CPU resources. An operating system thus implements a scheduling policy that fairly allocates CPU time. A scheduler thread implements the scheduling policy based on estimated processor runtimes, and actual processor runtimes, associated with tasks. The operating system may maintain running tallies or totals for a user/group/organization based on credits (e.g., the estimated processor runtimes) and/or on penalties (e.g., the actual processor runtimes). The scheduler thread may select tasks for worker threads based on the credits and/or the penalties, thus ensuring that no user/group/organization unfairly consumes CPU time.
Methods and systems for implementing an enhanced data pruning strategy for malware detection models are described herein. According to an implementation, a computing device may distribute data associated with detected events into a plurality of storages. The computing device may sequentially perform one or more sampling operations to construct a dataset for malware detection model training. The computing device may first select a subset of the plurality of storages, each having a size equal to or less than a threshold, to be used for model training without pruning. The computing device may then select the top-n most recent samples and the top-n least confident samples from each of the remaining storages. Further, the computing device may perform Monte Carlo sampling enhanced with a power transformation on the remaining storages to generate additional samples. The computing device may then generate the training dataset for the malware detection model training based on the sequential sampling results.
The present disclosure provides techniques for red teaming with artificial intelligence (AI) models. A processing device generates, via a first AI model, an agent action space based on security data, where the agent action space is indicative of actions to perform to potentially compromise at least one of a computing system, a network, or an application. The processing device performs a reinforcement learning process with an agent based on the agent action space to obtain a log of the reinforcement learning process. The processing device generates, via a second AI model, a report based on the security data and at least a portion of the log, where the report is indicative of a security weakness of the at least one of the computing system, the network, or the application.
A method of monitoring an endpoint for malicious code includes deploying an artificial intelligence (AI) model to an endpoint protection system, the AI model trained on a plurality of executable code files in byte form, and monitoring a target system for execution of a target executable file. The method further includes analyzing, by the AI model, the target executable file in the byte form of the target executable file and determining, based on an output of the AI model, a decision variable for the target executable file.
A method of monitoring an endpoint for malicious code includes obtaining a corpus of files collected by an endpoint protection system, selecting a subset of the corpus of files comprising labeled files, wherein the subset of the corpus is representative of the corpus of files, and training a first artificial intelligence (AI) model, using the subset of the corpus of files in byte form, to infer labels for unlabeled data. The method further includes applying the first AI model to unlabeled files of the corpus of files in byte form to generate labels for the unlabeled files, performing supervised training of a second AI model using the corpus of files and the labels generated for the unlabeled data, and deploying the second AI model to the endpoint protection system.
The present disclosure provides techniques for context-sensitive token-bucket rate limiting. A processing device obtains, in a kernel space of an operating system (OS), a message comprising a unique process identifier (UPID) and a message type. The processing device determines whether to send the message from the kernel space to a user space of the OS based on at least one of: the UPID, the message type, or a token count and a discrete time unit in an entry in a data structure in the kernel space. The processing device processes the message based on the determination of whether to send the message from the kernel space to the user space.
G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure, by adding security routines or objects to programs
G06F 21/55 - Detecting local intrusion or implementing counter-measures
A cloud-based, machine-learned cybersecurity command line interpretation service simplifies complex command lines using plain language. Command lines are input to the cybersecurity command line interpretation service for interpretation by a machine learning model. If, however, a command line is known and has been previously interpreted, then the cybersecurity command line interpretation service may conserve hardware and software resources by retrieving a historical command line interpretation. If the command line is unknown or not historically logged, then the cybersecurity command line interpretation service may generate a current command line interpretation using the machine learning model. The cybersecurity command line interpretation service may then generate a cybersecurity prediction associated with the command line based on the historical or current command line interpretation. The cybersecurity command line interpretation service thus provides a much faster interpretation and cybersecurity prediction for assessing command lines as malicious or benign.
A cloud-based file integrity monitoring service identifies content changes to a computer file. An endpoint cybersecurity agent monitors its host client device for read/write and other operating system events associated with the computer file. When the endpoint cybersecurity agent detects each operating system event, the endpoint cybersecurity agent captures and reports, in real time or near real time, a snapshot of the file content representing the computer file. So, as the host client device changes the computer file with each operating system event, the endpoint cybersecurity agent uploads timestamped snapshots of the file content to a cloud-based file integrity monitoring service. The cloud-based file integrity monitoring service stores each snapshot of the file content, thus logging a change history for the computer file. The cloud-based file integrity monitoring service may thus retrieve and analyze different snapshots at different points in time, thus quickly identifying the content changes to the computer file.
The present disclosure provides techniques for AI model-based detection explainability. A processing device obtains computer-readable text and an indication of a false positive detection of malicious behavior with respect to the computer-readable text by a cybersecurity system. The processing device obtains, via an artificial intelligence (AI) model trained to generate language, a reason for the false positive detection of the malicious behavior. The processing device provides an indication of the reason for the false positive detection to a destination device.
Systems and methods for smart generation of content for a deceptive honeynet environment. The systems and methods generate a first prompt to an artificial intelligence (AI) model to generate a first output based on an initial input, receive the first output from the AI model, the first output comprising a first set of content, generate a second prompt to the AI model to generate a second output comprising a network configuration based on the first set of content and the initial input, receive the second output from the AI model, the second output comprising the network configuration, wherein the network configuration is consistent with the first set of content and the initial input, and store the first set of content and the network configuration.
A system and method of securing a Function as a Service (FaaS) cloud computing system without using access rights to operating system (OS) kernels of the cloud service system. The method includes receiving a request to invoke a user-function associated with a computing language. The method includes executing the user-function within an operating system that executes on a processing device of the cloud service system. The method includes monitoring, by the processing device, a real-time behavior of the user-function using a security sensor that executes within the operating system, wherein the security sensor is without access rights to a kernel of the operating system. The method includes acquiring behavioral data indicative of the real-time behavior of the user-function.
The present disclosure provides techniques for fine-grained access to system commands run via an installed agent application. A processing device receives, from an agent application, a user identifier and an indication of an agent application command with respect to a target endpoint, wherein the agent application command is included in a plurality of agent application commands assigned to a first user type that is different from a second user type corresponding to the user identifier. The processing device maps the agent application command to a permission level assigned to the agent application command. The processing device determines, based on the mapping, that the permission level is assigned to the user identifier. The processing device enables, based on the determination, the agent application to execute the agent application command with respect to the target endpoint.
Malicious indicator rule generation using historical data is provided. A method includes receiving, from threat detection engines of a plurality of vendor systems, a plurality of threat detection indications for a dataset. Each threat detection indication of the plurality of threat detection indications receives a vendor-specific tokenization based on historical data associated with the plurality of vendor systems. The method further includes identifying, from the plurality of threat detection indications, a lead detection from a first vendor system of the plurality of vendor systems and an accuracy detection from at least one second vendor system of the plurality of vendor systems. The lead detection and the accuracy detection have overlapping data from the dataset. The method further includes generating, by a processing device, a malicious behavior detection procedure based on the lead detection, the accuracy detection, and the vendor-specific tokenization, the procedure being used to detect a malicious behavior in the dataset.
42 - Scientific, technological and industrial services, research and design
Goods and services
Computer security consulting; consulting in the field of information technology; Computer security and network security consulting, namely, consultation in the fields of protecting data and information from unauthorized access, identifying malware on computer systems, identifying the source and genealogy of malware, and identifying the objectives of computer system attackers; computer security consultancy in the field of scanning and penetration testing of computers and networks to assess information security vulnerability; maintenance and updating of computer software relating to computer and network security and prevention of computer risks; computer security consultancy for protecting data and information from unauthorized access, namely, developing plans for improving computer and network security and preventing criminal activity; cloud computing featuring software for detecting breaches for use in computer and network security; cloud computing services featuring software for authorizing access to databases in the field of computer and network security; computer services, namely, online scanning, detecting, quarantining, and eliminating viruses, worms, trojans, spyware, adware, malware and unauthorized data and programs on computers, networks, and electronic devices; computer systems analysis; monitoring of computer systems for protecting data and information from unauthorized access; computer security consultancy for protecting data and information from unauthorized access; computer technology consulting in the field of systems for the surveillance and monitoring of vulnerability and security problems in computer hardware, networks, and software; computer security consultancy for protecting data and information from unauthorized access in the field of endpoint protection software or curated cyberthreat data for computer security assurance and identification of malicious intrusions into computers, computer networks or computer endpoints; software as a service 
(SAAS) services featuring software for ensuring the security of computers and computer networks; software as a service (SAAS) services, namely, hosting software for use by others for detecting, blocking, and removing computer viruses and threats; application service provider (ASP) featuring non-downloadable computer software for ensuring the security of computers and computer networks; computer services, namely, acting as an application service provider in the field of knowledge management to host computer application software for creating databases of information and data related to malware and computer and network security; computer security consultancy in the field of administration of digital keys and digital certificates
A cloud-based cybersecurity detection prioritization service prioritizes cybersecurity detections reported by endpoint client devices. The endpoint client devices report the cybersecurity detections to a cloud computing environment providing the cloud-based cybersecurity detection prioritization service. The endpoint client devices also report client machine contexts sampled from the endpoint client devices. The client machine contexts are compared to a cybersecurity machine contextual profile generated by a machine learning model trained using the client machine contexts sampled from the endpoint client devices. The cybersecurity detection prioritization service prioritizes the cybersecurity detections based on the cybersecurity machine contextual profile. The cloud-based cybersecurity detection prioritization service thus provides a quick ranking or categorization for queuing thousands of daily reports of viruses, hacks, and other cybersecurity detections. Prioritization allows for timely mitigations by humans of these alerts that minimize breaches.
A cloud-based, external attack surface management (or EASM) service identifies computers, servers, smartphones, and other devices that are exposed to the public Internet. Any device that can connect to the public Internet may be vulnerable to cybersecurity attacks. The EASM service identifies a device exposed to the public Internet by comparing connection notifications to an address scan of the entire Internet. The connection notifications are sent by cybersecurity sensory agents installed at client devices. When a connection notification and the address scan of the entire Internet reference a matching IP address and/or a matching port within a timeframe, the corresponding device is identified as being exposed to the public Internet.
Hosts of a digital security system receive event data sent by sensors on endpoints that correspond with the hosts. The hosts locally maintain enrichment caches of information regarding the endpoints, and may update the enrichment caches based on information indicated by received event data. The hosts may also generate enriched event data, corresponding to received event data, by adding enrichment data indicated in the enrichment caches that was omitted from the event data sent by sensors.
G06F 11/14 - Error detection or correction of the data by redundancy in operation, e.g. by using different operation sequences leading to the same result
65.
Scalable key value storage in a distributed storage system
Techniques for implementing a scalable key value storage in a distributed storage separate the storage of the collection of data objects from the storage of the index corresponding to the collection. According to an implementation, a database service may receive a request to create a collection of data objects in an object storage. A schema may be specified for the collection. The database service may generate a unique identifier (ID) corresponding to the collection and create the collection in the object storage. The objects in the collection and the associated schema may be further written to an object table and a schema table, respectively. The database service may further validate the schema and extract one or more indexable fields from the schema. The database service may send a request to a database search service to create an index for the collection in an index storage.
An event detection service detects hardware and software events at endpoint devices. The event detection service deploys templates to agents in the field. Each template is created in the cloud to describe kernel-mode and user-mode events of interest. Each agent installs the templates without rebooting. Each agent monitors its host's event behaviors according to the templates. If the host's event behaviors satisfy the template, then the agent has a Multi-Instance Generic Operation pipeline that determines a template disposition specified by the template. The agent may thus dynamically detect event behaviors for a purpose, as specified by the template.
A cybersecurity detection prediction service pre-screens database queries reported by endpoint client devices. The endpoint client devices may report the database queries to a cloud computing environment providing the cybersecurity detection prediction service. The endpoint client devices, however, may locally assess the database queries. The database queries are compared to a cybersecurity assessment profile generated by a machine learning model trained using endpoint cybersecurity detections. The cybersecurity detection prediction service thus provides a much faster cybersecurity prediction.
Systems and methods for an eBPF general allocator for an eBPF program are provided. The method includes receiving, by a first eBPF program, a first entry based on an atomic operation. The first entry is from a number of entries in a free list that indicates available space in a buffer. The available space is indexed by the number of entries in the free list. The method further includes identifying, based on the first entry, a pointer to the buffer. The pointer is associated with an allocation of the available space in the buffer based on the first entry. The allocation of the available space is to the first eBPF program. The method further includes executing, by a processing device, the first eBPF program with exclusive access to the allocation of the available space in the buffer during an execution instance of the first eBPF program.
Methods and systems for injected byte buffer data classification are disclosed. According to an implementation, a security agent can detect process injection events, gather byte buffer data associated with the process injection events, and send the byte buffer data to a security service comprising a byte buffer classification function. The byte buffer classification function can be implemented as a trained transformer type neural network machine learning model, which can analyze the byte buffer data and generate a classification output comprising a probability that the byte buffer data is associated with a malicious process injection.
G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure, by adding security routines or objects to programs
G06F 21/56 - Detection or handling of malicious programs, e.g. anti-virus arrangements
42 - Scientific, technological and industrial services, research and design
45 - Legal services; security services; personal services for individuals
Goods and services
Computer security consulting; consulting in the field of information technology; Computer security and network security consulting, namely, consultation in the fields of protecting data and information from unauthorized access, identifying malware on computer systems, identifying the source and genealogy of malware, and identifying the objectives of computer system attackers; computer security consultancy in the field of scanning and penetration testing of computers and networks to assess information security vulnerability; maintenance and updating of computer software relating to computer and network security and prevention of computer risks; computer security consultancy for protecting data and information from unauthorized access, namely, developing plans for improving computer and network security and preventing criminal activity; cloud computing featuring software for detecting breaches for use in computer and network security; cloud computing services featuring software for authorizing access to databases in the field of computer and network security; computer services, namely, online scanning, detecting, quarantining, and eliminating viruses, worms, trojans, spyware, adware, malware and unauthorized data and programs on computers, networks, and electronic devices; computer systems analysis; monitoring of computer systems for protecting data and information from unauthorized access; computer security consultancy for protecting data and information from unauthorized access; computer technology consulting in the field of systems for the surveillance and monitoring of vulnerability and security problems in computer hardware, networks, and software; computer security consultancy for protecting data and information from unauthorized access in the field of endpoint protection software or curated cyberthreat data for computer security assurance and identification of malicious intrusions into computers, computer networks or computer endpoints; software as a service (SAAS) services featuring software for ensuring the security of computers and computer networks; software as a service (SAAS) services, namely, hosting software for use by others for detecting, blocking, and removing computer viruses and threats; application service provider (ASP) featuring non-downloadable computer software for ensuring the security of computers and computer networks; computer services, namely, acting as an application service provider in the field of knowledge management to host computer application software for creating databases of information and data related to malware and computer and network security; computer security consultancy in the field of administration of digital keys and digital certificates; licensing of software, namely, computer and network security software
36 - Financial services, insurance and real estate affairs
Products and services
Financial services, namely, providing financing for purchasing cybersecurity software and services; financial services, namely, providing loans, lines of credit, and lease-purchase financing for cybersecurity technologies; financial management and consulting services related to budgeting, payment planning, and cash flow optimization for the acquisition of cybersecurity software and services; providing information and advisory services in the field of financing cybersecurity purchasing; financial transaction services, namely, providing secure commercial transactions and payment options for cybersecurity products and services
72.
System and method for timing-based network entity resolution
A first request message is received from a first device that specifies a destination network address and identifier for a second device, and a first timestamp. A first acceptance message is received from the second device that specifies a destination network address and identifier for the first device, and a second timestamp. A second request message is received from the first device that specifies the destination network address and identifier for the second device, and a third timestamp. A second acceptance message is received from the second device that specifies the destination network address and identifier for the first device, and a fourth timestamp. The first device is determined to be communicating with the second device when the first and second timestamps indicate that the first request and acceptance messages occurred at substantially the same time, and when the third and fourth timestamps indicate that the second request and acceptance messages occurred at substantially the same time.
The present disclosure provides an approach of receiving a hash corresponding to a sample file, and providing the hash to an artificial intelligence (AI) model. The AI model is trained to utilize prevalence data corresponding to the hash to predict whether the corresponding sample file includes malware. The approach produces, by a processing device using the AI model, a confidence level based on the hash. In turn, the approach associates a label to the sample file based on the confidence level to produce a labeled sample file.
09 - Scientific and electrical apparatus and instruments
42 - Scientific, technological and industrial services, research and design
45 - Legal services; security services; personal services for individuals
Products and services
Downloadable computer software for computer and network security. Computer consultation; consulting in the field of information technology; computer consultation in the field of computer and network security; computer security consultancy in the field of scanning and penetration testing of computers and networks to assess information security vulnerability; software as a service (SAAS) services featuring software in the field of computer and network security; software as a service (SAAS) services, namely, hosting software for use by others for detecting, blocking, and removing computer viruses and threats; application service provider (ASP) featuring non-downloadable computer software for use in computer and network security; maintenance and updating of computer software relating to computer and network security and prevention of computer risks; computer security consultancy, namely, developing plans for improving computer and network security for businesses and governmental agencies; cloud computing featuring software for use in computer and network security; cloud computing services in the field of computer and network security; application service provider [ASP], namely, hosting computer software applications of others in the field of knowledge management for creating searchable databases of information and data related to malware and computer and network security; computer services, namely, online scanning, detecting, quarantining, and eliminating viruses, worms, Trojans, spyware, adware, malware and unauthorized data and programs on computers, networks, and electronic devices; computer systems analysis; implementing plans for improving computer and network security and preventing criminal activity for businesses and governmental agencies, namely, identifying malware on computer systems, identifying the source and genealogy of malware, and identifying the objectives of computer system attackers; provision of systems for the management of computer and network threats, namely, surveillance and monitoring of vulnerability and security problems in computer hardware, networks, and software; implementing plans for improving computer and network security for businesses and governmental agencies, namely, computer security assurance and administration of digital keys and digital certificates via a global computer network. Monitoring of computer systems for security purposes.
75.
Double Subscription Service & Reactive Event Notification Loop
A hierarchical subscription-publication service distributes an event notification. The event notification is associated with a database. The event notification is also associated to a graph having nodes and to a subgroup of the nodes. A first subscription service publishes the event notification to all subscribers associated with the database. A second or intermediary subscription service hierarchically nests within the outer subscription service and publishes the event notification to a subscriber subgroup of the subscribers associated with the subgroup of the nodes.
A method for detecting a private set intersection includes receiving, at a third computing device, a first plurality of transformed data elements from a first computing device; receiving, at the third computing device, a second plurality of transformed data elements from a second computing device, wherein an identity of the first computing device is unknown to the second computing device and an identity of the second computing device is unknown to the first computing device; and transmitting, by a processing device executing on the third computing device to the first computing device and the second computing device, an indication of a subset of transformed data elements that are present in both the first plurality of transformed data elements and the second plurality of transformed data elements.
Embodiments disclosed herein provide a computer-implemented method including the following operations: executing a first query against a nodal graph, resulting in retrieval of a state node that includes state information in the nodal graph, wherein the first query is comprised of a first trigger that represents a predetermined condition; determining whether the first trigger forms a portion of a first rule stored in the nodal graph, wherein the first rule is comprised of the first trigger and a list of one or more actions to be taken when the predetermined condition of the first trigger appears in the nodal graph; responsive to determining that the first trigger forms the portion of the first rule, executing a second query against the nodal graph, resulting in retrieval of the first rule; and executing the first rule based on context extracted from the state node.
A system and method of a localization middleware. The method includes receiving a request for a particular dataset that is stored in a data store. The particular dataset includes a plurality of textual strings in a first format. The method includes selecting a first configuration file indicating that a first textual string of the plurality of textual strings should be localized and a second textual string of the plurality of textual strings should not be localized. The method includes generating, based on the first configuration file and a string replacement procedure, a localized dataset in a second format by replacing the first textual string of the plurality of textual strings with a previously translated string stored in a library of previously translated strings and abstaining from replacing the second textual string of the plurality of textual strings with another translated string.
Computer nodes associated with a cluster store a distributed database. As the cluster provides a distributed database service, some or all of the nodes may interface with one or more external services. The external services may be specified by a service agreement, or the external services may be dynamically specified by a user/customer of the distributed database service. The external services may be available to any node of the cluster, or the external services may only be accessible to particular nodes and/or to particular cluster/service roles. In a mapreduce database framework, for example, the external services may be restricted to reducer/coordinator nodes. Whichever nodes are permitted, the nodes may use remote procedure calls to access external services.
G06F 16/25 - Integrating or interfacing systems involving database management systems
G06F 16/27 - Replication, distribution or synchronisation of data between databases or within a distributed database system; distributed database system architectures therefor
80.
AUTOMATED VULNERABILITY REMEDIATION GUIDANCE BASED ON DETECTION LOGIC ELEMENTS
The present disclosure provides an approach of receiving a detection element that includes a vulnerability identifier and a version identifier. The vulnerability identifier corresponds to a vulnerability of an application and the version identifier corresponds to a version of the application affected by the vulnerability. The approach determines a remediation version identifier based on the vulnerability identifier and the version identifier. The remediation version identifier corresponds to a remediation version of the application that remediates the vulnerability. The approach then initiates an update at a client system based on the vulnerability identifier and the remediation version identifier.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
81.
AI model based cybersecurity detection prioritization for cybersecurity management systems
The present disclosure provides an approach of collecting historical cybersecurity detection data comprising a plurality of cybersecurity detections and a plurality of detection times. The approach transforms the historical cybersecurity detection data into a plurality of rank ordered detection datasets that rank order each one of the plurality of cybersecurity detections based on the plurality of detection times. In turn, the approach trains an artificial intelligence (AI) model using the plurality of rank ordered detection datasets to generate a prioritized output dataset from an input dataset.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
82.
Blocking of exfiltration events via browser extensions
A cybersecurity data loss prevention service stops users from stealing, or exfiltrating, sensitive data. An endpoint cybersecurity agent coordinates the installation of a browser extension. The browser extension adds content scripts to a web browser that monitor for exfiltration events. The exfiltration events represent a user's browser inputs (such as cut-n-paste or drag-n-drop) that can be used to exfiltrate usernames, passwords, credit card numbers, company secrets, and any other sensitive data. When the browser extension detects any exfiltration event, the browser extension intercepts and synchronously blocks the exfiltration event from the web browser. Moreover, the browser extension sends a duplicate copy of the exfiltration event to the cybersecurity agent for evaluation. If the cybersecurity agent determines that the user's browser inputs should have been allowed, then the browser extension is instructed to trigger the duplicate copy. The web browser thus asynchronously processes the user's browser inputs, albeit slightly delayed.
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure, by adding security routines or objects to programs
The present disclosure provides an approach of computing a plurality of feature attribution vectors from a plurality of samples. The approach determines a plurality of low entropy distribution samples from the plurality of samples based on the plurality of feature attribution vectors, and determines a feature value distribution corresponding to the plurality of low entropy distribution samples. Then, the approach identifies a false positive candidate sample based on the feature value distribution and, in turn, constructs a mitigation rule, based on the false positive candidate sample, to mitigate a future false positive sample.
G06F 21/56 - Detection or handling of malicious programs, e.g. anti-virus arrangements
G06F 18/21 - Design or setup of systems or techniques; extraction of features in feature space; blind source separation
The present disclosure describes an approach that schedules a collector application, comprising executable code, to collect data from a workload. The approach executes the executable code to perform an operation to collect data from the workload. In turn, the approach removes the collector application from the workload in response to completion of the operation by the collector application.
The present disclosure provides an approach of analyzing multiple modalities of a file to produce multiple analysis tokens. Each one of the analysis tokens corresponds to a respective modality of the file. The approach provides the multiple analysis tokens to an artificial intelligence model, which is trained to produce an intermediate representation vector based on the plurality of analysis tokens. In turn the approach uses the artificial intelligence model to produce, based on the intermediate representation vector, a classification that indicates whether the file corresponds to a cybersecurity threat.
Data prefiltering techniques for large scale data classification are disclosed herein. According to an implementation, a machine learning (ML) model can be trained to classify data elements. The ML model can be applied to a first data volume, resulting in determinations of data elements that belong in a relevant classification. The determined data elements can then be used to configure a prefilter. The prefilter can be applied to a second data volume to identify filtered data elements of types that are similar to the determined data elements. The filtered data elements can be provided to the ML model for classification.
Contextual session-based operational prediction greatly improves computer functioning. As a cloud service is provided, a current contextual session is generated using multiple events provided by the cloud service. The current contextual session is compared to a contextual session profile. The contextual session profile represents historical contextual sessions that have been logged in association with the cloud service. If the current contextual session conforms to the contextual session profile, then the cloud service is operating as historically observed and may be predicted as normal operation. If, however, the current contextual session fails to conform to the contextual session profile, then the cloud service is not operating as historically observed and may be predicted as abnormal operation. Alerts and warnings may be generated to notify of abnormal cloud service operation. The contextual session-based operational prediction produces a faster and more accurate detection of the abnormal operation.
Techniques for automatically determining metadata for fields of a data string, byte slice, or byte array using a semantic data model framework (SDMF) and a large language model (LLM) are discussed herein. The LLM can provide field descriptions to the SDMF which outputs additional or finer field descriptions. The techniques can include determining descriptions for fields of a non-standardized data string from a third-party or other entity thereby enabling analysis of third-party data strings for a potential security threat. The techniques can reduce an amount of time to identify missing metadata caused by lack of standardization of field names and evolving data feeds (e.g., third-parties).
Computer nodes associated with a cluster store a distributed database. The computer nodes are polled to retrieve their individual nodal query states. A coordinator node then merges the individual nodal query states to determine an overall query state associated with the distributed database. The coordinator node, though, has a memory capacity that can be overcome by some nodal query states. The coordinator node thus imposes a data size limit on the nodal query states to prevent memory failures. The coordinator node specifies the data size limit during any polling cycle, and the coordinator node receives compliant nodal query states that satisfy the data size limit. The coordinator node may adjust or revise the data size limit for subsequent polling cycles, based on a count of the nodal query states yet to be retrieved. The data size limit thus ensures that the memory capacity is not overcome during any polling cycle.
A system and method of using generative AI to generate natural language descriptions of code for enhanced threat analysis and malware detection. The method includes determining that a file comprises source code for causing malicious activity. The method includes generating, by a processing device and using one or more large language models (LLMs), natural language (NL) descriptions of the source code responsive to determining whether the file comprises the source code to cause the malicious activity. The method includes providing the NL descriptions of the source code to a classification model trained to generate a first set of maliciousness scores each indicating whether source codes are associated with one or more types of malicious activity. The method includes generating, using the classification model, a maliciousness score for the source code indicating that the source code is associated with the one or more types of malicious activity.
G06F 21/51 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on the integrity or reliability of the source
91.
Large language model-based software reverse engineering assistant
Systems and methods of utilizing a large language model (LLM) to reverse engineer software are provided. The method includes obtaining sample assembly language from coded information or data. The sample assembly language is input to a machine learning (ML) model trained to recognize when the sample assembly language includes malicious code. The method further includes identifying, from the sample assembly language, a functionality implemented by the sample assembly language, where the functionality is indicative of whether the sample assembly language includes the malicious code. The method further includes generating, by a processing device, a natural language indication of the functionality implemented by the sample assembly language. The natural language indication is an output of the ML model.
Techniques, systems, and computer-readable media for dynamic behavior-based asset classification are described herein. An asset classification system can detect and receive data associated with a host computer, determine, based on the data, a behavior associated with the host computer, assign the host computer a server classification based on the determination that the behavior represents a behavior of focus, and record the assigned server classification associated with the host computer. In various examples, the asset classification system can determine the behavior is a behavior of focus based on one or more of: a number of connections to other computers associated with a shared customer identifier, a number of unique other host computers connecting to the host computer, and/or a number of unique non-local accounts that have logged in to the host computer, and that the host computer has had an inbound connection on a common port.
The present disclosure provides an approach of generating a target feature vector based on information corresponding to a target entity. The target entity utilizes a target system that includes a target asset. The approach matches the target feature vector to a compatible entity cluster from a plurality of entity clusters. The compatible entity cluster corresponds to a current entity system. The approach generates a target asset prioritization rule based on prioritization information of the current entity system. In turn, the approach prompts the target system to assign a prioritization label to the target asset based on the target asset prioritization rule.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
A method of monitoring a network for linked events includes receiving an indication of an occurrence of a first event in a computing environment, calculating a first estimated rate of occurrence of the first event based on a first cache associated with the first event, and identifying an occurrence of a second event within a threshold amount of time prior to the occurrence of the first event. The method further includes calculating a second estimated rate of occurrence of the second event based on a second cache associated with the second event and determining, based on the first estimated rate of occurrence of the first event and the second estimated rate of occurrence of the second event, whether the occurrence of the first event and the occurrence of the second event have a common cause.
Techniques for calculating risk scores of entity assignments are discussed herein. The system generates a probability matrix using a collaborative filtering technique such as singular value decomposition. The probability matrix is populated with probability values for each entity representing a probability that, based on the various relationships or associations of that entity with other entities, the entity has been granted an assignment. Risk values are used to provide a weighting value to assignments, separating relatively higher risk assignments from relatively lower risk assignments. The system thereafter calculates a risk score for one or more of the entities using the information in the assignment matrix, the probability matrix, and the risk values. The system can flag or identify one or more entities whose risk scores do not meet various criteria.
Techniques for using supervised machine learning to train risk models used to analyze group data for security risks are discussed herein. A system can receive a user input identifying risk values associated with categories or attributes of a group having access to computing resources. The system can use the risk model to generate a risk score for the group. The risk score can be used to further analyze aspects of the group or provide recommendations to reduce or eliminate security risks.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
98.
Conditional bloom filters representing field aliasing
Conditional Bloom filters improve computer functioning when membership testing different data sets. Today's cloud service providers maintain large, distributed datasets often incorporating or absorbing data having different labels and schemes. Nearly all cloud service providers, for example, utilize one or more different log vendors/providers that use different data conventions. The conditional Bloom filters resolve these vendor differences using field aliasing that relates vendor-specific field names to their corresponding common or alias field names. Each vendor's unique dataset may be mapped or normalized to a common scheme, thus ensuring that membership testing using the conditional Bloom filters retains precision and improves computer functioning in the presence of aliases.
Methods and systems for designing a default-deny network egress control architecture in a virtual private cloud (VPC) environment are described herein. According to an implementation, the system may create a first subnet in a private computer network to perform egress control. The system implements a private network address translation (NAT) gateway, a network access control list (NACL), and a private elastic network interface (ENI) in the first subnet. The first subnet may be referred to as a “blackhole subnet” or a “terminating subnet.” Upon receiving traffic destined for a public computer network, e.g., the Internet, the private NAT gateway may determine whether the traffic is authorized to egress based on the NACL. If the traffic is not authorized to egress, the private NAT gateway forwards the traffic to the private ENI to discard it and logs the information associated with the traffic.
A cybersecurity service assesses, scores, and/or prioritizes activities associated with a directory service. When the directory service is requested to change a directory service assignment, the directory service may first request a verdict from the cybersecurity service. The cybersecurity service may use profiling and/or machine learning to predict directory service assignments. The cybersecurity service may then score and prioritize requests to change/update directory service assignments. Small deviations from predicted directory service assignments, for example, may indicate harmless/normal directory service activity. Larger deviations, though, may indicate abnormal directory service activity. Larger deviations may even indicate malicious directory service activity, such as permission escalation and cyberbreaches. Scoring and prioritization allows for resource allocation and timely mitigations by human experts.