The technology disclosed relates to systems and methods for analyzing data posture in a computing environment. In one example, a computer-implemented method includes identifying one or more computing services in a target computing environment to scan for data posture analysis, obtaining an access permission corresponding to the one or more computing services in the target computing environment, and deploying, to a scanner cloud environment that is distinct from the target computing environment, a scanner in accordance with a scanner definition and based on the access permission corresponding to the one or more computing services. The method includes obtaining a scanner result from the scanner deployed to the scanner cloud environment. The scanner result represents a scan of storage resources in the one or more computing services in the target computing environment using the access permission. The method further includes generating a data posture analysis result based on the scanner result.
Aspects of the disclosure relate to generating threat intelligence information. A computing platform may receive forensics information corresponding to message attachments. For each message attachment, the computing platform may generate a feature representation. The computing platform may input the feature representations into a neural network, which may result in a numeric representation for each message attachments. The computing platform may apply a clustering algorithm to cluster each message attachments based on the numeric representations, which may result in clustering information. The computing platform may extract, from the clustering information, one or more indicators of compromise indicating that one or more attachments corresponds to a threat campaign. The computing platform may send, to an enterprise user device, user interface information comprising the one or more indicators of compromise, which may cause the enterprise user device to display a user interface identifying the one or more indicators of compromise.
Aspects of the disclosure relate to anomaly detection in cybersecurity training modules. A computing platform may receive information defining a training module. The computing platform may capture a plurality of screenshots corresponding to different permutations of the training module. The computing platform may input, into an auto-encoder, the plurality of screenshots corresponding to the different permutations of the training module, wherein inputting the plurality of screenshots corresponding to the different permutations of the training module causes the auto-encoder to output a reconstruction error value. The computing platform may execute an outlier detection algorithm on the reconstruction error value, which may cause the computing platform to identify an outlier permutation of the training module. The computing platform may generate a user interface comprising information identifying the outlier permutation of the training module. The computing platform may send the user interface to at least one user device.
G06V 10/778 - Apprentissage de profils actif, p. ex. apprentissage en ligne des caractéristiques d’images ou de vidéos
G06F 18/21 - Conception ou mise en place de systèmes ou de techniquesExtraction de caractéristiques dans l'espace des caractéristiquesSéparation aveugle de sources
G06F 18/214 - Génération de motifs d'entraînementProcédés de Bootstrapping, p. ex. ”bagging” ou ”boosting”
G06F 18/2433 - Perspective d'une seule classe, p. ex. une classification "une contre toutes"Détection de nouveautéDétection de valeurs aberrantes
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
Providing on-line non-downloadable software for for cybersecurity education and employee training; Providing a website featuring non-downloadable software for for cybersecurity education and employee training
5.
COMPUTING SYSTEM DATA POSTURE ANALYSIS USING SIGNATURE ENCODERS WITH SIMILARITY QUERIES
The technology disclosed relates to a computer-implemented method for detecting data posture of a computing environment. The method includes performing a scan of one or more data structures, detecting a plurality of classified data substructures based on the scan of the one or more data structures and, for each respective data substructure, transforming a plurality of data items from the respective data substructure into a respective data substructure signature using a signature encoder. The method includes applying a similarity query to identify a set of data substructures, from the plurality of classified data substructures, having a threshold level of similarity based on data substructure signatures associated with the set of data substructures.
H04L 9/32 - Dispositions pour les communications secrètes ou protégéesProtocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
G06F 16/25 - Systèmes d’intégration ou d’interfaçage impliquant les systèmes de gestion de bases de données
6.
Distributed Attribute Based Access Control as means of Data Protection and Collaboration in Sensitive (Personal) Digital Record and Activity Trail Investigations
A distributed system provides access by a principal to a resource associated with sensitive data. Micro-services in communication with an authorization engine each include a resource provider that receives a resource action request from the principal to access the resource, determines a context for the request, and transmits the context to the authorization engine in an authorization request. The authorization engine receives the authorization request, resolves the authorization request context against a plurality of pre-defined resource conditions, and responds to the resource provider with an authorization response of allow, deny, or allow-with-conditions. The context for the request includes metadata regarding attributes of the principal, and each of the resource conditions includes a logical expression operating upon the attributes.
09 - Appareils et instruments scientifiques et électriques
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
Downloadable and recorded computer application software for desktop computers, handheld computers, smart phones, embedded computer systems, namely, software for fraud activity detection in the fields of computer security, computer networks security, banking, and online advertising and commerce; downloadable and recorded computer software and hardware for fraud activity detection in the fields of computer security, computer networks security, banking, and online advertising and commerce; Downloadable cloud computer software for fraud activity detection in the fields of computer security, computer networks security, banking, and online advertising and commerce; Downloadable computer software for fraud activity detection in the fields of computer security, computer networks security, banking, and online advertising and commerce Fraud detection services via a global computer network, namely, Electronic monitoring of credit card activity to detect fraud via the internet in the field of computer security, computer networks security, banking, and online advertising and commerce; Providing fraud detection services in the nature of computer security threat analysis for protecting data for electronic funds transfer, credit and debit card and electronic check transactions via a global computer network
8.
Uniform Resource Locator Classifier and Visual Comparison Platform for Malicious Site Detection
Aspects of the disclosure relate to detecting and identifying malicious sites using machine learning. A computing platform may receive a uniform resource locator (URL). The computing platform may parse and/or tokenize the URL to reduce the URL into a plurality of components. The computing platform may identify human-engineered features of the URL. The computing platform may compute a vector representation of the URL to identify deep learned features of the URL. The computing platform may concatenate the human-engineered features of the URL to the deep learned features of the URL, resulting in a concatenated vector representation. By inputting the concatenated vector representation of the URL to a URL classifier, the computing platform may compute a phish classification score. In response to determining that the phish classification score exceeds a first phish classification threshold, the computing platform may cause a cybersecurity server to perform a first action.
G06F 16/51 - IndexationStructures de données à cet effetStructures de stockage
G06F 16/955 - Recherche dans le Web utilisant des identifiants d’information, p. ex. des localisateurs uniformisés de ressources [uniform resource locators - URL]
G06F 18/21 - Conception ou mise en place de systèmes ou de techniquesExtraction de caractéristiques dans l'espace des caractéristiquesSéparation aveugle de sources
G06F 21/56 - Détection ou gestion de programmes malveillants, p. ex. dispositions anti-virus
The technology disclosed relates to a system and method for detecting risk events in a cloud environment that obtains a set of risk signature definitions and deploys an event log scanner to the cloud environment. The event log scanner is configured to detect instances of candidate risk events in accordance with the set of risk signature definitions based on a scan of an event log and to label each detected instance with a signature identifier. Result metadata is received indicative of the detected instances. A cloud infrastructure graph is accessed that defines nodes that represent resources in the cloud environment and edges, between the nodes, that represent relationships between the resources. Context information is derived from the cloud infrastructure graph based on the result metadata. An output is generated representing a classification of one or more of the detected instances of candidate risk events as a risk event based on the context information relative to the set of risk signature definitions.
Aspects of the disclosure relate to processing external messages using a secure email relay. A computing platform may receive, from a message source server associated with a first domain, a first email message and a first set of authentication credentials. Based on validating the first set of authentication credentials, the computing platform may inject, into the first email message, a DomainKeys Identified Mail (DKIM) signature of a second domain different from the first domain, which may produce a signed message that identifies itself as originating from the second domain. Based on scanning and validating content of the signed message, the computing platform may send the signed message to a message recipient server, which may cause the message recipient server to validate the DKIM signature of the signed message and determine that the signed message passes Domain-based Message Authentication, Reporting and Conformance (DMARC) with respect to the second domain.
The technology disclosed herein relates to streamlined analysis of security posture of a cloud environment. In particular, the technology relates to computer-implemented method of content scanning that includes obtaining access to a cloud environment account for content scanning of storage resources, queuing objects in the cloud environment account, partitioning the objects into a number of object chunks, and initializing a number of serverless, containerized scanners based on the number of object chunks. Each serverless, containerized scanner, of the number of serverless, containerized scanners, is deployed locally on the cloud environment account and scans a corresponding object chunk to detect a plurality of different data patterns. The number of object chunks is at least one hundred times the number of serverless, containerized scanners.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
G06F 21/62 - Protection de l’accès à des données via une plate-forme, p. ex. par clés ou règles de contrôle de l’accès
12.
Computing System Access Path Detection And Governance For Data Security Posture Management
A system for detection and organization of access paths in a computing environment includes a processor and memory accessible by the processor. The memory includes instructions executable to access permissions data and access control data for one or more computing resources in the computing environment, assemble a set of access paths to the one or more computing resources based on the permissions data and the access control data, trace the set of access paths to enumerate constituent elements along the access paths to the one or more computing resources, and automatically construct a unified access path graph representing the set of access paths. The unified access path graph includes node display elements connected by edge display elements to represent interdependencies between the constituent elements at one or more levels of granularity along the access paths to the one or more computing resources.
H04L 41/22 - Dispositions pour la maintenance, l’administration ou la gestion des réseaux de commutation de données, p. ex. des réseaux de commutation de paquets comprenant des interfaces utilisateur graphiques spécialement adaptées [GUI]
A query term analytics system receives a search query from a user device. The system has an engine enhanced with the ability to track query terms using in-memory counters and leveraging an inverted index of content stored in a content repository. The search query is run on the content and, contemporaneously the engine performs a query term analysis on the query terms to produce query term analytics. The query term analysis includes an impact analysis that determines an impact of removing a keyword or keyword criteria from the search query. A compressed bitset can be used to indicate whether a keyword is in the content. The engine can accumulate statistics using the in-memory counters while the search query is being processed. Using the statistics thus accumulated, a query term analytics report is generated and provided to the user device for presentation on the user device.
G06F 11/34 - Enregistrement ou évaluation statistique de l'activité du calculateur, p. ex. des interruptions ou des opérations d'entrée–sortie
G06F 16/31 - IndexationStructures de données à cet effetStructures de stockage
G06F 16/383 - Recherche caractérisée par l’utilisation de métadonnées, p. ex. de métadonnées ne provenant pas du contenu ou de métadonnées générées manuellement utilisant des métadonnées provenant automatiquement du contenu
14.
SYSTEMS AND METHODS FOR IN-PROCESS URL CONDEMNATION
A universal resource locator (URL) collider processes a click event referencing a URL and directs a browser to a page at the URL. While the page is being rendered by the browser with page data from a web server, the URL collider intercepts the page data including events associated with rendering the page, determines microfeatures of the page such as Document Object Model objects and any URLs referenced by the page, applies detection rules, tags as evidence any detected bad microfeature, bad URL, or suspicious sequence of events, and stores the evidence in an evidence database. Based on the evidence, a judge module dynamically determines whether to condemn the URL before or just in time as the page at the URL is fully rendered by the browser. If so, the browser is directed to a safe location or a notification page.
G06F 16/22 - IndexationStructures de données à cet effetStructures de stockage
G06F 16/955 - Recherche dans le Web utilisant des identifiants d’information, p. ex. des localisateurs uniformisés de ressources [uniform resource locators - URL]
G06F 16/958 - Organisation ou gestion de contenu de sites Web, p. ex. publication, conservation de pages ou liens automatiques
G06F 21/51 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade du chargement de l’application, p. ex. en acceptant, en rejetant, en démarrant ou en inhibant un logiciel exécutable en fonction de l’intégrité ou de la fiabilité de la source
G06F 21/56 - Détection ou gestion de programmes malveillants, p. ex. dispositions anti-virus
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
15.
Data discovery and classification using sampling-based scanning techniques
The technology disclosed herein relates to data discovery in computing environments, that provide access to data. In one example, a computer-implemented method includes identifying a first sampling criterion used for classification of a data store with respect to a target data type during a previous scan of the data store. The data store stores a set of data objects. The method includes selecting a second sampling criterion, from a plurality of sampling criteria, based on the first sampling criterion, and deploying one or more scanners configured to select a subset of data objects, from the set of data objects stored in the data store, based on the second sampling criterion. The subset comprises some, but not all, of the set of data objects. The method includes generating a classification result based on a number of instances of the target data type in the subset of data objects.
Systems, methods, and apparatuses directed to efficiently determining whether a device making a request to access an application or service is a managed device and using that information to set an appropriate security policy for the device or the request to access the application or service. In some embodiments, a service or server (referred to as a Managed Device Identification Service) is configured to request a client certificate from a device that is requesting access to a cloud-based application or service as part of a protocol handshake. If a certificate is received, it is compared to a stored certificate to determine if the device is a managed device and as a result, the appropriate security policy.
H04L 9/32 - Dispositions pour les communications secrètes ou protégéesProtocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
17.
Dynamic Message Analysis Platform for Enhanced Enterprise Security
Aspects of the disclosure relate to dynamic message analysis using machine learning. A computing platform may apply a security scoring process to an endpoint relationship to compute a weighted security score for the endpoint relationship. Subsequently, the computing platform may determine a weighted grade for the endpoint relationship based on the weighted security score for the endpoint relationship. Based on identifying that the weighted grade exceeds a predetermined threshold, the computing platform may tag the endpoint relationship as compromised. Subsequently, the computing platform may monitor an electronic messaging server to detect messages corresponding to the compromised endpoint relationship. Based on detecting that the electronic messaging server has received a first message, corresponding to an endpoint of the compromised endpoint relationship, the computing platform may rewrite a URL included in the first message to point to a security service that is configured to open the URL in an isolation environment.
G06F 21/53 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p. ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par exécution dans un environnement restreint, p. ex. "boîte à sable" ou machine virtuelle sécurisée
G06F 16/955 - Recherche dans le Web utilisant des identifiants d’information, p. ex. des localisateurs uniformisés de ressources [uniform resource locators - URL]
09 - Appareils et instruments scientifiques et électriques
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
downloadable software suite featuring cybersecurity software, e-mail threat protection and intelligence software, cyber threat detection, prevention, and response software, software for digital impersonation protection, and software for cybersecurity education and employee training. Non-downloadable software suite featuring software as a service (SaaS) software featuring cybersecurity software, e-mail threat protection and intelligence software, cyber threat detection, prevention, and response software, software for digital impersonation protection, and software for cybersecurity education and employee training; Non-downloadable software suite featuring platform as a service (PaaS) software featuring cybersecurity software, e-mail threat protection and intelligence software, cyber threat detection, prevention, and response software, software for digital impersonation protection, and software for cybersecurity education and employee training.
09 - Appareils et instruments scientifiques et électriques
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
downloadable software suite featuring cybersecurity software, e-mail threat protection and intelligence software, cyber threat detection, prevention, and response software, software for digital impersonation protection, and software for cybersecurity education and employee training. Non-downloadable software suite featuring software as a service (SaaS) software featuring cybersecurity software, e-mail threat protection and intelligence software, cyber threat detection, prevention, and response software, software for digital impersonation protection, and software for cybersecurity education and employee training; Non-downloadable software suite featuring platform as a service (PaaS) software featuring cybersecurity software, e-mail threat protection and intelligence software, cyber threat detection, prevention, and response software, software for digital impersonation protection, and software for cybersecurity education and employee training.
A method for determining risks associated with an identity in an organization network, including scanning an active directory for a network including a plurality of identities, to extract a plurality of attributes of the identities and their corresponding values. analyzing the extracted attribute values for an identity in the network to identify one or more risks associated with that identity, which an attacker can exploit, assigning a score to each risk identified by said analyzing, and further assigning a score to the identity based on the scores of the one or more risks associated with the identity.
A domain processing system receives or collects raw data containing sample domains each having a known class identity indicating whether a domain is conducting an email campaign. The domain processing system extracts features from each of the sample domains and selects features of interest from the features, including at least a feature particular to a seed domain and features particular to email activities over a time line that includes days before and after a domain creation date. The features of interest are used to create feature vectors which, in turn, are used to train a machine learning model, the training including optimizing a neural network structure iteratively until stopping criteria are satisfied. The trained model functions as an email campaign domain classifier operable to classify candidate domains with unknown class identities such that each of the candidate domain is classified as conducting or not conducting an email campaign.
Aspects of the disclosure relate to providing secure shortened URLs in character-limited messages. A computing platform may receive one or more character-limited messages sent to a user device. The computing platform may detect a URL within the one or more character-limited messages for replacement and generate a shortened URL corresponding to the detected URL, wherein a domain of the shortened URL is hosted by the message security system. The computing platform may then modify the one or more character-limited messages by replacing the URL with the shortened URL, and then cause transmission of the modified one or more character-limited messages to the user device. Next, the computing platform may receive, from the user device, a request to access the shortened URL, and redirect the user device to the detected URL corresponding to the shortened URL.
A system preventing upload of a source file to an upload destination includes a computer, a user application, and an agent application. The agent registers for a notification of a user interface action with the computer operating system (OS), and receives notice from the OS of the user interface action associated with the registering. The agent determines the user interface action is indicative of a data file upload operation of a source file to an upload destination. The agent compares a property of the source file and a property of the upload destination to a blocking criteria and prevents the user application from receiving the user interface action. The user interface action includes detection by the OS of a user interaction with a controller of a graphical user interface pointer and/or a pressing of one or more keys on a keyboard user interface.
A URL velocity monitor is integrated with a message-hold decision maker of an electronic mail processing system that processes electronic messages for a protected computer network. The URL velocity monitor receives or obtains a URL, decomposes the URL into URL features based on logical boundaries, and determines features of interest from the URL features for velocity tracking. Examples of URL features can include a randomized URL segment. The velocity of each feature of interest is tracked over a period of time using a counting algorithm that employs a slow counter or a fast counter. The two different counters track two types of velocities which represent different domain behaviors targeting the protected computer network. The URL velocity monitor determines whether the velocity of a feature of interest is accelerating within the time period. If so, the URL is placed in a queue or a sandbox.
Automatically triaging network events such as data loss prevention (DLP) incidents is disclosed. A system can automatically triage or classify an incident using a prediction model. The prediction model can determine the classification based on similar incidents that were previously classified. Similar incidents are those incidents having profiles that match a profile of the incident. The profile can include one or more attributes that are representative of an incident. The system can arrive at a specific classification for the incident based on a classification of the similar incidents if the similar incidents satisfy one or more conditions.
H04L 41/06 - Gestion des fautes, des événements, des alarmes ou des notifications
H04L 41/16 - Dispositions pour la maintenance, l’administration ou la gestion des réseaux de commutation de données, p. ex. des réseaux de commutation de paquets en utilisant l'apprentissage automatique ou l'intelligence artificielle
26.
CLOUD INFRASTRUCTURE EXCESSIVE RESOURCE PERMISSION DETECTION BASED ON SEMANTIC GROUPING
A computer-implemented method includes parsing a collection of granular privileges to generate a plurality of privilege groups. Each respective privilege group, of the plurality of privilege groups, groups two or more granular privileges having a threshold similarity to a target action represented by the respective privilege group. The method includes identifying a set of privilege grant times each representing a time at which a corresponding granular privilege was granted to a subject identity. The method includes mapping the set of privilege grant times to the plurality of privilege groups, and generating an infrastructure graph based on the mapping. The infrastructure graph includes identity nodes that represent the subject identities, resource nodes that represent the subject resources, and edges that represent the set of privilege grant times mapped to the plurality of privilege groups.
Aspects of the disclosure relate to data loss prevention. A computing platform may detect input of a first target recipient domain into a first email message. The computing platform may identify, in real time and prior to sending the first email message, that the first target recipient domain is an unintended recipient domain instead of an intended recipient domain. The computing platform may identify, in real time and prior to sending the first email message, that the first email message violates one or more data loss prevention rules. Based on identifying the violation, the computing platform may send a notification that the first target recipient domain is flagged as an unintended recipient domain and one or more commands directing a user device of the message sender to display the notification.
A computer system detects whether a new document has been opened at a user computer on the computer system. The system includes a user computer, a user application accessible by a human user at the user computer, and an agent application hosted by the user computer. The agent is configured to register to receive notifications of user interface actions with an operating system (OS) of the user computer. The agent receives a notification from the OS of a user interface action, and determines whether a new document was opened at a display screen of the user computer by the user interface action.
The technology disclosed relates to detecting security posture of a cloud environment. In particular, the technology disclosed relates to detecting a triggering criterion. In response to detecting the triggering criterion, the technology disclosed automatically discovers a plurality of databases in the cloud environment. The technology disclosed then deploys a plurality of log analyzer microservices on the plurality of databases. Each log analyzer microservice, of the plurality of log analyzer microservices, is configured to scan a respective database log that represents database activities on a respective database of the plurality of databases. The technology disclosed then receives analysis results from the plurality of log analyzer microservices.
In a method for controlling access to customer data of a multi-tenant software as a service (SaaS) system, a SaaS agent at a user endpoint sends a request for storage credentials to a SaaS agent facing application interface (API) of a SaaS system cloud. The storage credentials provide access to a SaaS encrypted data store of the multi-tenant SaaS system. The SaaS agent receives the storage credentials from the SaaS agent facing API, and the SaaS agent uses the storage credentials to store customer data in the SaaS encrypted data store. A customer-controlled encryption key is maintained on a customer-controlled cloud hosting a key management system (KMS). The customer-controlled cloud is in communication with the SaaS agent facing API.
Aspects of the disclosure relate to identifying domain name lookalikes. A computing platform may generate a plurality of lookalike domain names for an input domain name. The computing platform may generate, by applying a hash algorithm to the plurality of lookalike domain names, a dictionary index. The computing platform may identify a first domain name. The computing platform may identify, by performing a lookup function in the dictionary index using the first domain name, that the first domain name is a lookalike domain name corresponding to the input domain name. The computing platform may send, to a user device, one or more commands directing the user device to display a user interface that includes the lookalike domain name, which may cause the user device to display the user interface.
Threat detection systems and methods in which feature syntax language (FSL) statements are used to define functions that generate features corresponding to detected text within textual non-attachment, non-URL input data. Generated features are aggregated in a core object, and classification rules are applied to the core object to determine a threat classification and theme associated with the input data. Using FSL statements and classification rules enable the system to rapidly generate thematic threat classifications identifying socially engineered attacks. A user interface enables users to rapidly update the FSL statements that define the functions used to generate the features, as well as the threat classification rules that are applied to the features in the core object to classify the input data. The modified statements and rules can be immediately used by the system.
09 - Appareils et instruments scientifiques et électriques
41 - Éducation, divertissements, activités sportives et culturelles
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
Downloadable and record computer software for searching, detecting, blocking, filtering, tagging, compiling, indexing, analyzing, and reporting on information over and in information networks, global information networks, individual workstations, personal computers, software, e-mail, and workgroup communications; Downloadable computer software for internet and network security, cyber threat detection and prevention, and secure and safe browsing Providing web-based, virtual, and in-person training courses in the fields of cybersecurity and IT Computer security service, namely, restricting access to and by computer networks to and of undesired web sites, media and individuals and facilities; Providing information in the field of cybersecurity via a website.; Application service provider featuring application programming interface (API) software; Non-downloadable software suite featuring platform as a service (PaaS) and software as a service (SaaS) software featuring cybersecurity software, e-mail threat protection and intelligence software, cyber threat detection, prevention, and response software, software for digital impersonation protection, system administration, monitoring, testing, analyzing, and reporting on internet traffic control and content control of the web sites of others, email filtering,and software for cybersecurity education and employee training; Platform as a service (PAAS) featuring, machine learning and artificial intelligence for real-time threat intelligence, risk analysis and identifying, preventing and mitigating risk to IT infrastructure, computer systems, email systems, and data systems from human and digital threats; Platform-as-a-Service (PaaS) and Software as a Service (SaaS) featuring computer software that aggregates and correlates threat data points across email, the cloud, mobile, local, and outside computer networks and uses a combination of advanced machine learning and artificial intelligence to detect and prevent cybersecurity attacks, software for comprehensive threat intelligence featuring artificial intelligence, software for detecting, analyzing, and monitoring cybersecurity threats, software for obtaining and navigating threat intelligence, running threat assessments on cloud storage, local networks, email, mobile, and social channels, and orchestrating response actions
Aspects of the disclosure relate to data loss prevention. A computing platform may detect input of a first target recipient domain into a first email message. The computing platform may identify, in real time and prior to sending the first email message, that the first target recipient domain comprises an unintended recipient domain instead of an intended recipient domain. The computing platform may send, based on the identification of the unintended recipient domain and to a user device, a notification that the first target recipient domain is flagged as an unintended recipient domain and one or more commands directing the user device to display the notification.
Aspects of the disclosure relate to message verification. A computing platform may generate a cryptographic key pair comprising a public key and a private key. The computing platform may publish, to a server, the public key. The computing platform may generate a short message service (SMS) message. The computing platform may sign, using the private key, the SMS message, which may include computing a cryptographic hash of the SMS message using the private key and embedding the cryptographic hash in an SMPP field of the SMS message. The computing platform may send, to a downstream computing system, the signed SMS message, where the downstream computing system may be configured to validate the signed SMS message using the cryptographic hash embedded in the SMPP field of the SMS message and by accessing the public key.
H04L 9/32 - Dispositions pour les communications secrètes ou protégéesProtocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
H04L 9/30 - Clé publique, c.-à-d. l'algorithme de chiffrement étant impossible à inverser par ordinateur et les clés de chiffrement des utilisateurs n'exigeant pas le secret
Aspects of the disclosure relate to URL classification. A computing platform may receive, from an enterprise user device, a request to evaluate a URL. The computing platform may execute one or more feature enrichment actions on the URL to identify one or more data points corresponding to the URL, which may include crawling the URL to extract metadata for the URL. The computing platform may input, into a URL classification model, the one or more data points corresponding to the URL, which may cause the URL classification model to output a maliciousness score indicative of a degree to which the URL is malicious. The computing platform may send, to the enterprise user device, a malicious score notification and one or more commands directing the enterprise user device to display the malicious score notification, which may cause the enterprise user device to display the malicious score notification.
G06F 16/951 - IndexationTechniques d’exploration du Web
G06F 16/955 - Recherche dans le Web utilisant des identifiants d’information, p. ex. des localisateurs uniformisés de ressources [uniform resource locators - URL]
Aspects of the disclosure relate to detecting and identifying malicious sites using machine learning. A computing platform may receive image data of a graphical rendering of a resource available at a uniform resource locator (URL). The computing platform may compute a computer vision vector representation of the image data. The computing platform may compare the computer vision vector representation of the image data to stored numeric vectors representing page elements, resulting in a feature indicating whether the computer vision vector representation of the image data is visually similar to a known page element, and may input the feature to a classifier. The computing platform may receive, from the classifier, a phish classification score indicating a likelihood that the URL is malicious. In response to determining that the phish classification score exceeds a first phish classification threshold, the computing platform may cause a cybersecurity server to perform a first action.
G06F 16/51 - IndexationStructures de données à cet effetStructures de stockage
G06F 16/955 - Recherche dans le Web utilisant des identifiants d’information, p. ex. des localisateurs uniformisés de ressources [uniform resource locators - URL]
G06F 18/21 - Conception ou mise en place de systèmes ou de techniquesExtraction de caractéristiques dans l'espace des caractéristiquesSéparation aveugle de sources
G06F 21/56 - Détection ou gestion de programmes malveillants, p. ex. dispositions anti-virus
Aspects of the disclosure relate to detecting and preventing transmission of spam messages using modified source numbers. A computing platform may detect that a first message, sent to a recipient device from a sender device, includes suspicious content. Subsequently, the computing platform may receive, from the recipient device, user interaction information indicating that a user of the recipient device has sent a reply message in response to the first message. Then, the computing platform may generate a modified message by modifying a first source number corresponding to the reply message. Next, the computing platform may cause transmission of the modified message with the modified first source number to the sender device. Thereafter, the computing platform may intercept one or more additional messages between the sender device and the modified first source number and redirect the one or more additional messages.
Aspects of the disclosure relate to providing training and information based on simulated cybersecurity attack difficulty. A computing platform may retrieve data associated with a plurality of attack templates for simulating cybersecurity attacks. Subsequently, the computing platform may use one or more models to compute a predicted failure rate for each template of the plurality of attack templates in order to yield a plurality of predicted failure rates for an organization. Based on the plurality of predicted failure rates, the computing platform may use one or more of the plurality of attack templates to configure a simulated cybersecurity attack on the organization. Then, the computing platform may send, via the communication interface, to an administrator user device associated with the organization, information about the simulated cybersecurity attack and may execute the simulated cybersecurity attack.
The technology disclosed relates to analysis of security posture of a cloud environment. In particular, the disclosed technology relates to a system and method of risk event detection and remediation. An event is detected in a cloud environment and a pre-defined risk signature is obtained that identifies one or more entities in the cloud environment and represents an instance of a risk event relative to the one or more entities. The pre-defined risk signature includes a reference to a remediation workflow having one or more commands for one or more remediation actions in the cloud environment. Th pre-defined risk signature is determined to have a threshold match to the event and, based on the determination that the pre-defined risk signature has a threshold match to the event, the remediation workflow is obtained based on the reference. The one or more commands are executed in the cloud environment.
The technology disclosed relates to a system and method for detecting risk events in cloud environment that obtains set of risk signature definitions and deploys an event log scanner to the cloud environment. The event log scanner is configured to detect instances of candidate risk events in accordance with the set of risk signature definitions based on a scan of event log and to label each detected instance with a signature identifier that identifies one or more risk signatures that corresponds to the detected instance. Result metadata is received indicative of the detected instances, based on the result metadata, context information associated with the detected instances is obtained based on cloud infrastructure graph. An output is generated representing a classification of one or more of the detected instances of candidate risk events as a risk event based on the context information relative to the set of risk signature definitions.
The technology disclosed relates to analysis of security posture of a cloud environment that invokes an incremental change detector to perform an infrastructure scan of the cloud environment and return a scan result that identifies one or more changes to one or more infrastructure assets in the cloud environment. The scan result includes, for each particular change in the one or more changes, first information indicative of the particular change. A data scan is constrained to the one or more infrastructure assets having the one or more changes and second information associated with the one or more changes is obtained based on the data scan. A cloud infrastructure graph is updated based on one or more of the first information or the second information. The cloud infrastructure graph defines nodes that represent resources in the cloud environment and edges, between the nodes, that represent relationships between the resources.
The disclosed technology receives a control input identifying a sampling criterion for classifying a data store storing a set of data objects in a computing environment as corresponding to a target data type and deploys one or more scanners configured to select a representative subset of data objects, from the set of data objects, based on the sampling criterion. A scanner result generated by the one or more scanners is received that represents detected instances, in the representative subset of data objects, of one or more pre-defined data patterns of the target data type. A classification result is generated based on a comparison of the number of detected instances of the one or more pre-defined data patterns to a threshold. The classification result represents a classification of the data store as having correspondence to the target data type. A computing action is performed based on the classification result.
The technology disclosed relates to detection of data traffic in computing environments, such as cloud environments. Example systems and methods detect a plurality of workloads in a virtual network in a computing environment and deploy a plurality of probe agents to the plurality of workloads. Each respective probe agent detects network traffic on a respective workload of the plurality of workloads, scans a data packet that is at least one of sent or received by the respective workload, generates a data classification relative to the data packet, and generates a scan result that includes packet payload information and an indication of the data classification. The scan results are received from the plurality of probe agents and a computing action is performed based on scan results.
A computer-implemented method includes detecting occurrence of an event in a cloud environment, obtaining an indication of an identity associated with the event, obtaining an indication of a usage time stamp representing usage time of a privilege in association with the identity for the event, and classifying the privilege into a classification group selected from a plurality of predefined classification groups. Each respective classification group groups a respective set of privileges defined in the cloud environment. The method includes obtaining a grant time stamp representing a grant time of at least one privilege, in the respective set of privileges in the classification group, to the identity and, based on the usage time stamp and the grant time stamp, generating an excessive privilege determination that indicates the classification group includes at least one excessive privilege. The method includes performing a computing action based on the excessive privilege determination.
A method includes monitoring user activities at an endpoint device on a network, determining if a user activity at the endpoint device presents a potential threat to network security, creating an alert of the threat, and providing the alert with a redacted version of a screenshot from the endpoint device. One or more open windows are obscured or removed in the redacted version of the screenshot of the endpoint device. Providing the redacted includes receiving data describing physical characteristics of the open window(s) from an operating system, receiving a screenshot of the screen of the endpoint device, and obscuring the one or more open windows by creating one or more visual covers. Each visual cover matches a size and shape of one of the open windows based on the data that describes the physical characteristics of the open window(s). Each visual cover is placed over the corresponding open window.
Aspects of the disclosure relate to identifying legitimate websites and removing false positives from domain discovery analysis. Based on a list of known legitimate domains, a computing platform may generate a baseline dataset of feature vectors corresponding to the known legitimate domains. Subsequently, the computing platform may receive information identifying a first domain for analysis and may execute one or more machine learning algorithms to compare the first domain to the baseline dataset. Based on execution of the one or more machine learning algorithms, the computing platform may generate first domain classification information indicating that the first domain is a legitimate domain. In response to determining that the first domain is a legitimate domain, the computing platform may send one or more commands directing a domain identification system to remove the first domain from a list of indeterminate domains maintained by the domain identification system.
H04L 61/4511 - Répertoires de réseauCorrespondance nom-adresse en utilisant des répertoires normalisésRépertoires de réseauCorrespondance nom-adresse en utilisant des protocoles normalisés d'accès aux répertoires en utilisant le système de noms de domaine [DNS]
48.
DETECTING INSIDER USER BEHAVIOR THREATS BY COMPARING A USER’S BEHAVIOR TO THE USER’S PRIOR BEHAVIOR
A computer method includes recording user activity data at endpoints on a computer network, generating a sampled activity matrix representing occurrences of activity-sets performed by the user over multiple time windows, computing a user activity weight for each activity-set based on a variance over the time windows, computing a historical user activity score and a contextual user activity score, computing a user behavior vector and user behavior score, using the user behavior scores to detect a deviation beyond a threshold amount from a baseline behavior for the user; creating an internal user behavior threat notification in response to detecting a deviation beyond the threshold amount and, optionally, taking real world steps, as a human, to react to the threat notification.
The technology disclosed relates to analysis of data posture of a cloud environment. In particular, disclosed technology relates to a system and method for analyzing cloud assets, such as storage resources, compute resources, etc. to detect peak signals based on occurrences of sensitive data types or other data classifications in cloud assets. A computing system is configured to access data in plurality of cloud resources and, on a cloud resource-by-cloud resource basis, attribute a plurality of data sensitivity parameters to the data in a given cloud resource of the plurality of cloud resources, and generate a peak value indicating an appraisal of the data in given cloud resource based on the plurality of data sensitivity parameters attributed to the data. A graphical interface includes graphical objects configured to visually represent plurality of cloud resources, plurality of data sensitivity parameters, and the peak values generated for the plurality of cloud resources.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
50.
Dynamically Controlling Access to Linked Content in Electronic Communications
Aspects of the disclosure relate to dynamically controlling access to linked content in electronic communications. A computing platform may receive, from a user computing device, a request for a uniform resource locator associated with an email message and may evaluate the request using one or more isolation criteria. Based on evaluating the request, the computing platform may identify that the request meets at least one isolation condition associated with the one or more isolation criteria. In response to identifying that the request meets the at least one isolation condition associated with the one or more isolation criteria, the computing platform may initiate a browser mirroring session with the user computing device to provide the user computing device with limited access to a resource corresponding to the uniform resource locator associated with the email message.
G06F 21/62 - Protection de l’accès à des données via une plate-forme, p. ex. par clés ou règles de contrôle de l’accès
G06F 21/53 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p. ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par exécution dans un environnement restreint, p. ex. "boîte à sable" ou machine virtuelle sécurisée
G06F 21/56 - Détection ou gestion de programmes malveillants, p. ex. dispositions anti-virus
Aspects of the disclosure relate to detecting impersonation in email body content using machine learning. Based on email data received from user accounts, a computing platform may generate user identification models that are each specific to one of the user accounts. The computing platform may intercept a message from a first user account to a second user account and may apply a user identification model, specific to the first user account, to the message, so as to calculate feature vectors for the message. The computing platform then may apply impersonation algorithms to the feature vectors and may determine that the message is impersonated. Based on results of the impersonation algorithms, the computing platform may modify delivery of the message.
H04L 51/212 - Surveillance ou traitement des messages utilisant un filtrage ou un blocage sélectif
H04L 51/224 - Surveillance ou traitement des messages en fournissant une notification sur les messages entrants, p. ex. des poussées de notifications des messages reçus
52.
Dynamically Controlling Access to Linked Content in Electronic Communications
Aspects of the disclosure relate to dynamically controlling access to linked content in electronic communications. A computing platform may receive, from a user computing device, a request for a uniform resource locator associated with an email message. Subsequently, the computing platform may identify that the uniform resource locator associated with the email message corresponds to a potentially-malicious site. In response to identifying that the uniform resource locator associated with the email message corresponds to the potentially-malicious site, the computing platform may determine a risk profile associated with the request received from the user computing device. Based on the risk profile associated with the request, the computing platform may execute an isolation method to provide limited access to the uniform resource locator associated with the email message. In some instances, executing the isolation method may include initiating a browser mirroring session to provide the limited access to the potentially-malicious site.
G06F 21/62 - Protection de l’accès à des données via une plate-forme, p. ex. par clés ou règles de contrôle de l’accès
G06F 21/53 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p. ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par exécution dans un environnement restreint, p. ex. "boîte à sable" ou machine virtuelle sécurisée
G06F 21/56 - Détection ou gestion de programmes malveillants, p. ex. dispositions anti-virus
A computer network includes user endpoint devices geographically distributed relative to one another such that at least one of the endpoint devices is subject to a different set of data protection or privacy restrictions than other endpoint devices and data processing facilities coupled to the user endpoint devices over a network. The data processing facilities are in different geographical regions or sovereignties. A computer-based endpoint agent is in each of the endpoint devices. Each endpoint agent is configured to collect telemetry data relating to user activity at its associated endpoint device and transmit the collected telemetry data to a selected one of the data processing facilities, according to an applicable realm definition, in compliance with the data protection or privacy restrictions that apply to the agent's endpoint device.
The technology disclosed relates to analysis of security posture of a cloud environment. A computing system is configured to automatically discover a plurality of databases in the cloud environment and configure an orchestration engine to deploy a plurality of log analyzer microservices on the plurality of databases. Each log analyzer microservice, of the plurality of log analyzer microservices, is configured to scan a respective database log that represents database activities on a respective database of the plurality of databases. Analysis results are received from the plurality of log analyzer microservices. The analysis results represent detection of at least one of a performance criterion or a security criterion in one or more databases of the plurality of databases. An action signal representing the analysis results is generated.
An electronic device will identify an electronic message received by a messaging client that is associated with a first recipient, and it will analyze the electronic message to determine whether the electronic message is a simulated malicious message. Upon determining that electronic message is a simulated malicious message, the device will identify an actuatable element in the electronic message. The actuatable element will include a service address. The device will modify the electronic message by appending a user identifier of the first recipient to the service address of the actuatable element. Then, when the actuatable element is actuated, the system may determine whether the first recipient actuated the actuatable element or an alternate recipient did so based on whether the user identifier of the first recipient is still appended (or is the only user identifier appended) to the actuatable element.
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
Computer services, namely, computer system administration for others; Cybersecurity services in the nature of restricting unauthorized access to computer systems; providing a platform as a service (PAAS) featuring computer software for information technology (IT) security; Computer services, namely, monitoring, testing, analyzing, and reporting on the Internet traffic control and content control of the web sites of others; Platform as a service (PAAS) featuring computer software platforms for the identification, detection, prevention, management, mitigation, and analysis of threats to IT infrastructure, computer systems, email systems, and data systems; Computer systems integration services; Computer services, namely, integration of computer software into multiple systems and networks; Platform-as-a-Service (PaaS) featuring computer software that aggregates and correlates threat data points across email, the cloud, mobile, local, and outside computer networks and uses a combination of advanced machine learning and artificial intelligence to detect and prevent cybersecurity attacks; Platform as a service (PAAS) featuring software for detecting, analyzing, and monitoring cybersecurity threats; Platform-as-a-service (PaaS) featuring computer software for obtaining and navigating threat intelligence, running threat assessments on cloud storage, local networks, email, mobile, and social channels, and orchestrating response actions; Computer security service, namely, restricting access to and by computer networks to and of undesired web sites, media and individuals and facilities; Platform as a service (PAAS) featuring computer software for risk analysis; Computer services, namely, filtering of unwanted e-mails; Platform as a service (PAAS) featuring computer software for comprehensive threat intelligence featuring artificial intelligence, ?machine learning and real-time threat intelligence; Platform as a service (PAAS) featuring computer software for conducting risk analysis and identifying, preventing and mitigating risk to computer systems from human and digital threats
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
Software as a service (SAAS) services featuring software using artificial intelligence (AI) for identifying, analyzing, monitoring, and preventing threats to IT systems, email systems, and data systems; Providing on-line non-downloadable software for human risks analytics; Software as a service (SAAS) services featuring software for identifying, analyzing, monitoring, and preventing threats to IT systems, email systems, and data systems.; Providing on-line non-downloadable software for identifying, analyzing, monitoring, and preventing threats to IT systems, email systems, and data systems.; Providing on-line non-downloadable software for use in text and language analytics; Providing on-line non-downloadable software for email and email systems security
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
Computer services, namely, computer system administration for others; Cybersecurity services in the nature of restricting unauthorized access to computer systems; computer services, namely, IT security provided via platform as a service featuring computer software platforms for cybersecurity; Computer services, namely, monitoring, testing, analyzing, and reporting on the Internet traffic control and content control of the web sites of others; Platform as a service (PAAS) featuring computer software platforms for the identification, detection, prevention, management, mitigation, and analysis of threats to IT infrastructure, computer systems, email systems, and data systems; Computer systems integration services; Computer services, namely, integration of computer software into multiple systems and networks; Platform-as-a-Service (PaaS) featuring computer software that aggregates and correlates threat data points across email, the cloud, mobile, local, and outside computer networks and uses a combination of advanced machine learning and artificial intelligence to detect and prevent cybersecurity attacks; Platform as a service (PAAS) featuring software for detecting, analyzing, and monitoring cybersecurity threats; Platform-as-a-service (PaaS) featuring computer software for obtaining and navigating threat intelligence, running threat assessments on cloud storage, local networks, email, mobile, and social channels, and orchestrating response actions; Computer security service, namely, restricting access to and by computer networks to and of undesired web sites, media and individuals and facilities; Platform as a service (PAAS) featuring computer software for risk analysis; Computer services, namely, filtering of unwanted e-mails; Platform as a service (PAAS) featuring computer software for comprehensive threat intelligence featuring artificial intelligence, ?machine learning and real-time threat intelligence; Platform as a service (PAAS) featuring computer software for conducting risk analysis and identifying, preventing and mitigating risk to computer systems from human and digital threats
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
Software as a service (SAAS) services featuring software using artificial intelligence (AI) for identifying, analyzing, monitoring, and preventing threats to IT systems, email systems, and data systems; Providing on-line non-downloadable software for human risks analytics; Providing on-line non-downloadable software using artificial intelligence (AI) for email and email systems security; Providing on-line non-downloadable software using artificial intelligence (AI) for detecting and preventing cyber attacks; Software as a service (SAAS) services featuring software for identifying, analyzing, monitoring, and preventing threats to IT systems, email systems, and data systems.; Providing on-line non-downloadable software for identifying, analyzing, monitoring, and preventing threats to IT systems, email systems, and data systems.; Providing on-line non-downloadable software for use in text and language analytics; Software as a service (SAAS) services featuring software for detecting and preventing cyber attacks; Providing on-line non-downloadable software for email and email systems security; Software as a service (SAAS) services featuring software for providing real-time updates on emerging threats, attacker tactics and system vulnerabilities
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
Providing on-line non-downloadable software for use in behavioral analytics; Software as a service (SAAS) services featuring software using artificial intelligence (AI) for identifying, analyzing, monitoring, and preventing threats to IT systems, email systems, and data systems; Providing on-line non-downloadable software for human risks analytics; Providing on-line non-downloadable software using artificial intelligence (AI) for email and email systems security; Providing on-line non-downloadable software using artificial intelligence (AI) for anomaly detection in digital environments; Software as a service (SAAS) services featuring software using artificial intelligence (AI) for identifying anomalous user behavior, IT infrastructure risks, and cybersecurity risks; Providing on-line non-downloadable software using artificial intelligence (AI) for detecting and preventing cyber attacks; Software as a service (SAAS) services featuring software for identifying, analyzing, monitoring, and preventing threats to IT systems, email systems, and data systems; Providing on-line non-downloadable software for identifying, analyzing, monitoring, and preventing threats to IT systems, email systems, and data systems; Software as a service (SAAS) services featuring software for detecting and preventing cyber attacks; Providing on-line non-downloadable software for email and email systems security; Software as a service (SAAS) services featuring software for behavioral analytics
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
Software as a service (SAAS) services featuring software using artificial intelligence (AI) for identifying, analyzing, monitoring, and preventing threats to IT systems, email systems, and data systems; Software as a service (SAAS) services featuring software for detecting and preventing vision-based cybersecurity threats; Providing on-line non-downloadable software for human risks analytics; Providing on-line non-downloadable software using artificial intelligence (AI) for email and email systems security; Providing on-line non-downloadable software using artificial intelligence (AI) for detecting and preventing cyber attacks; Software as a service (SAAS) services featuring software for identifying, analyzing, monitoring, and preventing threats to IT systems, email systems, and data systems; Providing on-line non-downloadable software for identifying, analyzing, monitoring, and preventing threats to IT systems, email systems, and data systems; Software as a service (SAAS) services featuring software for detecting and preventing cyber attacks; Providing on-line non-downloadable software for email and email systems security; Providing on-line non-downloadable software for use in detecting and preventing vision-based cybersecurity threats
63.
Incremental cloud infrastructure detection for data security posture management
The technology disclosed relates to analysis of security posture of a cloud environment. In particular, the disclosed technology relates to a system and method for analysis of infrastructure posture of a cloud environment, that include detecting a triggering criterion corresponding to initiation of an update scan of the infrastructure posture of the cloud environment, and invoking an incremental change detector based on the triggering criterion. The incremental change detector is configured to scan the cloud environment and return a scan result that identifies one or more changes to a set of infrastructure assets in the cloud environment within a selected time period. A cloud infrastructure graph is updated based on the one or more changes to the set of infrastructure assets, wherein the cloud infrastructure graph defines nodes that represent resources in the cloud environment and edges, between the nodes, that represent relationships between the resources.
Systems and methods for data discovery within documents in one or more data repositories in a computer network or cloud infrastructure for protection of sensitive data are provided. The method includes selecting a data discovery starting point within the documents in the one or more data repositories in the computer network or the cloud infrastructure and identifying a user associated with one or more documents at the data discovery starting point. The method further includes discovering data using activities and/or relationships of the user to discover subsequent documents to identify the sensitive data.
Systems and methods for privacy-preserving transformer model training are provided. The system includes one or more data repositories in a computer network or cloud infrastructure having data stored therein. The system anonymizes the data in the one or more documents, and trains a transformer model on the data outside of the network. The data includes sensitive information. Anonymizing the data includes extracting the data from the one or more documents and irreversibly transforming the data in the one or more documents into context-preserving tensors. Training the transformer model on the data comprises using the context-preserving tensors instead of the data to train the transformer model on the data.
Systems, methods and products for increasing efficiency of resource usage by determining the reliability of reporters of unwanted messages and prioritizing evaluation of messages based on the reliability scores. Reports of unwanted messages are evaluated to determine whether they are bad. If an unwanted message is bad, a score for the reporter is updated to reflect a positive credit. A set of safe rules are applied to the message to determine whether it is safe and if the message is determined to be safe, the reporter score corresponding to the reporter is updated to reflect a non-positive (zero or negative) credit. If the message is determined to be neither bad nor safe, the message is entered in a reevaluation queue and, after a waiting period, the message evaluation is repeated using updated threat information, and the reporter score is updated according to the reevaluation.
A system monitors access to a computer file via a dynamically changeable non-heterogeneous collection load balanced across two hash tables. User activity is monitored on a target device to detect a user entered pattern including a wildcard character, selects one of the two hash tables, and calculates an index for the selected hash table based on the user entered pattern. The index is used to access the selected hash table to receive a stored pattern. The hash tables each have a plurality of entries, and each entry includes a list of one or more patterns that have the same hash index but different pattern values sorted by length in characters from longest to shortest. The first hash table is a direct hash table, and the second hash table is a reverse hash table.
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06F 21/54 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p. ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par ajout de routines ou d’objets de sécurité aux programmes
68.
INTELLIGENT CLUSTERING SYSTEMS AND METHODS USEFUL FOR DOMAIN PROTECTION
An intelligent clustering system has a dual-mode clustering engine for mass-processing and stream-processing. A tree data model is utilized to describe heterogenous data elements in an accurate and uniform way and to calculate a tree distance between each data element and a cluster representative. The clustering engine performs element clustering, through sequential or parallel stages, to cluster the data elements based at least in part on calculated tree distances and parameter values reflecting user-provided domain knowledge on a given objective. The initial clusters thus generated are fine-tuned by undergoing an iterative self-tuning process, which continues when new data is streamed from data source(s). The clustering engine incorporates stage-specific domain knowledge through stage-specific configurations. This hybrid approach combines strengths of user domain knowledge and machine learning power. Optimized clusters can be used by a prediction engine to increase prediction performance and/or by a network security specialist to identify hidden patterns.
G06F 16/901 - IndexationStructures de données à cet effetStructures de stockage
69.
USING A MACHINE LEARNING SYSTEM TO PROCESS A CORPUS OF DOCUMENTS ASSOCIATED WITH A USER TO DETERMINE A USER-SPECIFIC AND/OR PROCESS-SPECIFIC CONSEQUENCE INDEX
Aspects of the disclosure relate to using a machine learning system to process a corpus of documents associated with a user to determine a user-specific consequence index. A computing platform may load a corpus of documents associated with a user. Subsequently, the computing platform may create a first plurality of smart groups based on the corpus of documents, and then may generate a first user interface comprising a representation of the first plurality of smart groups. Next, the computing platform may receive user input applying one or more labels to a plurality of documents associated with at least one smart group. Subsequently, the computing platform may create a second plurality of smart groups based on the corpus of documents and the received user input. Then, the computing platform may generate a second user interface comprising a representation of the second plurality of smart groups.
Aspects of the disclosure relate to detecting random and/or algorithmically-generated character sequences in domain names. A computing platform may train a machine learning model based on a set of semantically-meaningful words. Subsequently, the computing platform may receive a seed string and a set of domains to be analyzed in connection with the seed string. Based on the machine learning model, the computing platform may apply a classification algorithm to the seed string and the set of domains, where applying the classification algorithm to the seed string and the set of domains produces a classification result. Thereafter, the computing platform may store the classification result.
Systems, methods and products for identifying “similar” threats by clustering the threats based on corresponding forensics. A corpus of forensic data for a plurality of threat URLs is obtained by a threat protection system, the data including forensic elements corresponding to each threat URLs. For each pair of threat URLs, the corresponding forensic elements are examined to identify shared forensic elements. A similarity score is then generated for the pair of threat URLs based on the comparison of the corresponding forensic elements, including both malicious and non-malicious elements. Based on the similarity score generated for each pair of threat URLs, clusters of the threat URLs are identified, with each cluster including a subset of the plurality of threat URLs. Clusters of URLs similar to a selected URL may be identified by accessing the threat cluster information using a similar-threat search interface or through internal APIs of the threat protection system.
The technology disclosed relates to resource activity management in a cloud environment. A computer-implemented method includes detecting a plurality of virtual networks in the cloud environment and deploying a plurality of sensors in the plurality of virtual networks using an orchestration engine of the cloud environment. Each sensor, of the plurality of sensors, includes an executable package configured to execute in a respective virtual network, of the plurality of virtual networks, independent of other sensors, of the plurality of sensors, to manage activities in the respective virtual network. The method includes identifying an activity management task to be performed in a particular virtual network of the plurality of virtual networks, sending a task command representing the activity management task to the sensor deployed in the particular virtual network, and receiving an execution result representing execution of the activity management task by the sensor deployed in the particular virtual network.
G06F 9/455 - ÉmulationInterprétationSimulation de logiciel, p. ex. virtualisation ou émulation des moteurs d’exécution d’applications ou de systèmes d’exploitation
Aspects of the disclosure relate to data loss prevention. A computing platform may detect input of a first target recipient domain into a first email message. The computing platform may identify, in real time and prior to sending the first email message, that the first target recipient domain comprises an unintended recipient domain instead of an intended recipient domain. The computing platform may send, based on the identification of the unintended recipient domain and to a user device, a notification that the first target recipient domain is flagged as an unintended recipient domain and one or more commands directing the user device to display the notification.
Disclosed is a new location threat monitoring solution that leverages deep learning (DL) to process data from data sources on the Internet, including social media and the dark web. Data containing textual information relating to a brand is fed to a DL model having a DL neural network trained to recognize or infer whether a piece of natural language input data from a data source references an address or location of interest to the brand, regardless of whether the piece of natural language input data actually contains the address or location. A DL module can determine, based on an outcome from the neural network, whether the data is to be classified for potential location threats. If so, the data is provided to location threat classifiers for identifying a location threat with respect to the address or location referenced in the data from the data source.
A universal resource locator (URL) collider processes a click event referencing a URL and directs a browser to a page at the URL. While the page is being rendered by the browser with page data from a web server, the URL collider intercepts the page data including events associated with rendering the page, determines microfeatures of the page such as Document Object Model objects and any URLs referenced by the page, applies detection rules, tags as evidence any detected bad microfeature, bad URL, or suspicious sequence of events, and stores the evidence in an evidence database. Based on the evidence, a judge module dynamically determines whether to condemn the URL before or just in time as the page at the URL is fully rendered by the browser. If so, the browser is directed to a safe location or a notification page.
G06F 16/22 - IndexationStructures de données à cet effetStructures de stockage
G06F 16/955 - Recherche dans le Web utilisant des identifiants d’information, p. ex. des localisateurs uniformisés de ressources [uniform resource locators - URL]
G06F 16/958 - Organisation ou gestion de contenu de sites Web, p. ex. publication, conservation de pages ou liens automatiques
G06F 21/51 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade du chargement de l’application, p. ex. en acceptant, en rejetant, en démarrant ou en inhibant un logiciel exécutable en fonction de l’intégrité ou de la fiabilité de la source
G06F 21/56 - Détection ou gestion de programmes malveillants, p. ex. dispositions anti-virus
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
A domain processing system is enhanced with a first-pass domain filter configured for loading character strings representing a pair of domains consisting of a seed domain and a candidate domain in a computer memory, computing a similarity score and a dynamic threshold for the pair of domains, determining whether the similarity score exceeds the dynamic threshold, and iterating the loading, the computing, and the determining for each of a plurality of candidate domains paired with the seed domain. A similarity score between the seed domain and the candidate domain and a corresponding dynamic threshold for the pair are computed. If the similarity score exceeds the corresponding dynamic threshold, the candidate domain is provided to a downstream computing facility. Otherwise, it is dropped. In this way, the first-pass domain filter can significantly reduce the number of domains that otherwise would need to be processed by the downstream computing facility.
H04L 61/30 - Gestion des noms de réseau, p. ex. utilisation d'alias ou de surnoms
H04L 61/4511 - Répertoires de réseauCorrespondance nom-adresse en utilisant des répertoires normalisésRépertoires de réseauCorrespondance nom-adresse en utilisant des protocoles normalisés d'accès aux répertoires en utilisant le système de noms de domaine [DNS]
77.
Systems and methods for promissory image classification
Systems, methods and products for classifying images according to a visual concept where, in one embodiment, a system includes an object detector and a visual concept classifier, the object detector being configured to detect objects depicted in an image and generate a corresponding object data set identifying the objects and containing information associated with each of the objects, the visual concept classifier being configured to examine the object data set generated by the object detector, detect combinations of the information in the object data set that are high-precision indicators of the designated visual concept being contained in the image, generate a classification for the object data set with respect to the designated visual concept, and associate the classification with the image, wherein the classification identifies the image as either containing the designated visual concept or not containing the designated visual concept.
G06F 18/2433 - Perspective d'une seule classe, p. ex. une classification "une contre toutes"Détection de nouveautéDétection de valeurs aberrantes
G06F 18/214 - Génération de motifs d'entraînementProcédés de Bootstrapping, p. ex. ”bagging” ou ”boosting”
G06F 18/2413 - Techniques de classification relatives au modèle de classification, p. ex. approches paramétriques ou non paramétriques basées sur les distances des motifs d'entraînement ou de référence
G06V 30/40 - Reconnaissance des formes à partir d’images axée sur les documents
78.
Cloud data peak signal detection and prioritization for data security posture management
The technology disclosed relates to analysis of data posture of a cloud environment. In particular, the disclosed technology relates to a system and method for analyzing cloud assets, such as storage resources, compute resources, etc. to detect peak signals based on occurrences of sensitive data types or other data classifications in the cloud assets. A system for prioritized presentation of high-value cloud resources susceptible to cloud security risks includes a processor, a display, and memory accessible by the processor and executable to, on a cloud resource-by-cloud resource basis, analyze data in a given cloud resource, and attribute a plurality of data sensitivity parameters to the data in the given cloud resource, and a peak value indicating an appraisal of the data in the given cloud resource. A graphical interface includes graphical objects configured to display the given cloud resource, the plurality of data sensitivity parameters, and the peak value.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
79.
Detecting and Protecting Against Cybersecurity Attacks Using Unprintable Tracking Characters
Aspects of the disclosure relate to detecting and protecting against cybersecurity attacks using unprintable tracking characters. A computing platform may receive a character-limited message sent to a user device. Subsequently, the computing platform may detect that the character-limited message sent to the user device includes suspicious content. Then, the computing platform may generate a modified character-limited message by inserting one or more special characters into the character-limited message and cause transmission of the modified character-limited message to the user device. Next, the computing platform may receive, from the user device, a spam report that includes the modified character-limited message. Then, the computing platform may identify a presence of the one or more special characters included in the modified character-limited message and adjust one or more filters based on the identification.
Systems, methods and products for identifying “similar” threats by clustering the threats based on corresponding forensics. A corpus of forensic data for a plurality of threat URLs is obtained by a threat protection system, the data including forensic elements corresponding to each threat URLs. For each pair of threat URLs, the corresponding forensic elements are examined to identify shared forensic elements. A similarity score is then generated for the pair of threat URLs based on the comparison of the corresponding forensic elements, including both malicious and non-malicious elements. Based on the similarity score generated for each pair of threat URLs, clusters of the threat URLs are identified, with each cluster including a subset of the plurality of threat URLs. Clusters of URLs similar to a selected URL may be identified by accessing the threat cluster information using a similar-threat search interface or through internal APIs of the threat protection system.
Aspects of the disclosure relate to providing commercial and/or spam messaging detection and enforcement. A computing platform may receive a plurality of text messages from a sender. It may then tokenize the plurality of text messages to yield a plurality of tokens. The computing platform may then match one or more tokens of the plurality of tokens in the plurality of text messages to one or more bulk string tokens. Next, it may detect one or more homoglyphs in the plurality of text messages, and then detect one or more URLs in the plurality of text messages. The computing platform may flag the sender based at least on the one or more matching tokens, the one or more detected homoglyphs, and the one or more detected URLs. Based on flagging the sender, the computing platform may block one or more messages from the sender.
H04L 51/212 - Surveillance ou traitement des messages utilisant un filtrage ou un blocage sélectif
G06F 16/955 - Recherche dans le Web utilisant des identifiants d’information, p. ex. des localisateurs uniformisés de ressources [uniform resource locators - URL]
The technology disclosed relates to streamlined analysis of security posture of a cloud environment. In particular, the disclosed technology relates to accessing permissions data and access control data for pairs of compute resources and storage resources, tracing network communication paths between the pairs of the compute resources and the storage resources based on the permissions data and the access control data, accessing sensitivity classification data for objects in the storage resources, and qualifying a subset of the pairs of the compute resources and the storage resources as vulnerable to breach attack based on an evaluation of the permissions data, the access control data, and the sensitivity classification data against at least one risk criterion. A representation of propagation of the breach attack along the network communication paths is generated, the representation identifying relationships between the subset of the pairs of the compute resources and the storage resources.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
G06F 21/62 - Protection de l’accès à des données via une plate-forme, p. ex. par clés ou règles de contrôle de l’accès
83.
Processing external messages using a secure email relay
Aspects of the disclosure relate to processing external messages using a secure email relay. A computing platform may receive, from a message source server associated with a first domain, a first email message and a first set of authentication credentials. Based on validating the first set of authentication credentials, the computing platform may inject, into the first email message, a DomainKeys Identified Mail (DKIM) signature of a second domain different from the first domain, which may produce a signed message that identifies itself as originating from the second domain. Based on scanning and validating content of the signed message, the computing platform may send the signed message to a message recipient server, which may cause the message recipient server to validate the DKIM signature of the signed message and determine that the signed message passes Domain-based Message Authentication, Reporting and Conformance (DMARC) with respect to the second domain.
A cyberthreat detection system queries a content database for unstructured content that contains a set of keywords, clusters the unstructured content into clusters based on topics, and determines a cybersecurity cluster utilizing a list of vetted cybersecurity phrases. The set of keywords represents a target of interest such as a newly discovered cyberthreat, an entity, a brand, or a combination thereof. The cybersecurity cluster thus determined is composed of unstructured content that has the set of keywords as well as some percentage of the vetted cybersecurity phrases. If the size of the cybersecurity cluster, as compared to the amount of unstructured content queried from the content database, meets or exceeds a predetermined threshold, the query is saved as a new classifier rule that can then be used by a cybersecurity classifier to automatically, dynamically and timely identify the target of interest in unclassified unstructured content.
G06F 16/00 - Recherche d’informationsStructures de bases de données à cet effetStructures de systèmes de fichiers à cet effet
G06F 16/338 - Présentation des résultats des requêtes
G06F 16/355 - Création ou modification de classes ou de grappes
G06F 16/36 - Création d’outils sémantiques, p. ex. ontologie ou thésaurus
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
85.
Generating simulated spear phishing messages and customized cybersecurity training modules using machine learning
Aspects of the disclosure relate to spear phishing simulation using machine learning. A computing platform may send, to an enterprise user device, a spear phishing message. The computing platform may receive initial user interaction information indicating how a user of the enterprise user device interacted with the spear phishing message. Based on the initial user interaction information and using a series of branching message templates, the computing platform may generate additional spear phishing messages. The computing platform may receive additional user interaction information indicating how the user interacted with the additional spear phishing messages. Based on the initial user interaction information and the additional user interaction information, the computing platform may compute spear phishing scores. Based on a comparison of the spear phishing scores to spear phishing thresholds, the computing platform may generate training modules for the user, and may send the training modules to the enterprise user device.
G06F 21/56 - Détection ou gestion de programmes malveillants, p. ex. dispositions anti-virus
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
Aspects of the disclosure relate to detecting and identifying malicious sites using machine learning. A computing platform may receive a uniform resource locator (URL). The computing platform may parse and/or tokenize the URL to reduce the URL into a plurality of components. The computing platform may identify human-engineered features of the URL. The computing platform may compute a vector representation of the URL to identify deep learned features of the URL. The computing platform may concatenate the human-engineered features of the URL to the deep learned features of the URL, resulting in a concatenated vector representation. By inputting the concatenated vector representation of the URL to a URL classifier, the computing platform may compute a phish classification score. In response to determining that the phish classification score exceeds a first phish classification threshold, the computing platform may cause a cybersecurity server to perform a first action.
G06F 16/51 - IndexationStructures de données à cet effetStructures de stockage
G06F 16/955 - Recherche dans le Web utilisant des identifiants d’information, p. ex. des localisateurs uniformisés de ressources [uniform resource locators - URL]
G06F 18/21 - Conception ou mise en place de systèmes ou de techniquesExtraction de caractéristiques dans l'espace des caractéristiquesSéparation aveugle de sources
G06F 21/56 - Détection ou gestion de programmes malveillants, p. ex. dispositions anti-virus
A URL velocity monitor is integrated with a message-hold decision maker of an electronic mail processing system that processes electronic messages for a protected computer network. The URL velocity monitor receives or obtains a URL, decomposes the URL into URL features based on logical boundaries, and determines features of interest from the URL features for velocity tracking. Examples of URL features can include a randomized URL segment. The velocity of each feature of interest is tracked over a period of time using a counting algorithm that employs a slow counter or a fast counter. The two different counters track two types of velocities which represent different domain behaviors targeting the protected computer network. The URL velocity monitor determines whether the velocity of a feature of interest is accelerating within the time period. If so, the URL is placed in a queue or a sandbox.
Aspects of the disclosure relate to data loss prevention. A computing platform may detect input of a first target recipient domain into a first email message. The computing platform may identify, in real time and prior to sending the first email message, that the first target recipient domain is an unintended recipient domain instead of an intended recipient domain. The computing platform may identify, in real time and prior to sending the first email message, that the first email message violates one or more data loss prevention rules. Based on identifying the violation, the computing platform may send a notification that the first target recipient domain is flagged as an unintended recipient domain and one or more commands directing a user device of the message sender to display the notification.
A universal resource locator (URL) collider processes a click event referencing a URL and directs a browser to a page at the URL. While the page is being rendered by the browser with page data from a web server, the URL collider intercepts the page data including events associated with rendering the page, determines microfeatures of the page such as Document Object Model objects and any URLs referenced by the page, applies detection rules, tags as evidence any detected bad microfeature, bad URL, or suspicious sequence of events, and stores the evidence in an evidence database. Based on the evidence, a judge module dynamically determines whether to condemn the URL before or just in time as the page at the URL is fully rendered by the browser. If so, the browser is directed to a safe location or a notification page.
G06F 16/955 - Recherche dans le Web utilisant des identifiants d’information, p. ex. des localisateurs uniformisés de ressources [uniform resource locators - URL]
G06F 16/958 - Organisation ou gestion de contenu de sites Web, p. ex. publication, conservation de pages ou liens automatiques
90.
Using neural networks to process forensics and generate threat intelligence information
Aspects of the disclosure relate to generating threat intelligence information. A computing platform may receive forensics information corresponding to message attachments. For each message attachment, the computing platform may generate a feature representation. The computing platform may input the feature representations into a neural network, which may result in a numeric representation for each message attachments. The computing platform may apply a clustering algorithm to cluster each message attachments based on the numeric representations, which may result in clustering information. The computing platform may extract, from the clustering information, one or more indicators of compromise indicating that one or more attachments corresponds to a threat campaign. The computing platform may send, to an enterprise user device, user interface information comprising the one or more indicators of compromise, which may cause the enterprise user device to display a user interface identifying the one or more indicators of compromise.
To find enriching contextual information for an abbreviated domain name, a data enrichment engine can comb through web content source code corresponding to the abbreviated domain name. From textual content in the web content source code, the data enrichment engine can identify words with initial characters that match characters of the abbreviated domain name to thereby establish a relationship there-between. This relationship can facilitate more accurate and efficient domain name classification. The data enrichment engine can query a WHOIS server to find out if candidate domains having initial characters that match the characters of the abbreviated domain name are registered to the same entity. If so, keywords can be extracted from the candidate domains and used to find more relevant domains for domain risk analysis and detection. Candidate domains determined by the data enrichment engine can be provided to a downstream computing facility such as a domain filter.
Aspects of the disclosure relate to providing secure shortened URLs in character-limited messages. A computing platform may receive one or more character-limited messages sent to a user device. The computing platform may detect a URL within the one or more character-limited messages for replacement and generate a shortened URL corresponding to the detected URL, wherein a domain of the shortened URL is hosted by the message security system. The computing platform may then modify the one or more character-limited messages by replacing the URL with the shortened URL, and then cause transmission of the modified one or more character-limited messages to the user device. Next, the computing platform may receive, from the user device, a request to access the shortened URL, and redirect the user device to the detected URL corresponding to the shortened URL.
The technology disclosed relates to a computing system configured to execute a cloud scanner in a cloud environment to discover one or more data stores in the cloud environment and return metadata representing a data schema of data objects in the one or more data stores, traverse the data objects in the one or more data stores based on the metadata to identify a plurality of data items, execute a content-based data classifier against the plurality of data items to identify a set of data items, in the plurality of data items, as conforming to one or more data profiles, and generate a graphical interface including one or more graphical objects configured to display a representation of the one or more data profiles, wherein the graphical interface is configured to filter the plurality of data items based on a selected data profile selected from the one or more data profiles.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
G06F 21/62 - Protection de l’accès à des données via une plate-forme, p. ex. par clés ou règles de contrôle de l’accès
94.
Prompting users to annotate simulated phishing emails in cybersecurity training
Aspects of the disclosure relate to dynamically generating simulated attack messages configured for annotation by users as part of cybersecurity training. A computing platform may generate a simulated attack message including a plurality of elements and send the simulated attack message to an enterprise user device. Subsequently, the computing platform may receive, from the enterprise user device, user selections annotating selected elements of the plurality of elements of the simulated attack message. The computing platform may thereafter identify one or more training areas for the user based on the user selections received from the enterprise user device, generate a customized training module specific to the identified one or more training areas, and send the customized training module to the enterprise user device. Sending the customized training module to the enterprise user device may cause the enterprise user device to display the customized training module.
Aspects of the disclosure relate to dynamic message analysis using machine learning. A computing platform may monitor a messaging server associated with an enterprise organization. Based on monitoring the messaging server, the computing platform may identify bi-directional messaging traffic between enterprise domains associated with the enterprise organization and external domains not associated with the enterprise organization. Based on identifying the bi-directional messaging traffic, the computing platform may select external domains for a conversation detection process. The computing platform may compute an initial set of rank-ordered external domains by: determining, based on a number of messages sent to and received from each enterprise domain/external domain pair, weighted difference values and ranking the plurality of external domains selected for the conversation detection process based the weighted difference values. The computing platform may remove, from the initial set of rank-ordered external domains, known outlier domains, and may execute enhanced protection actions.
H04L 61/4511 - Répertoires de réseauCorrespondance nom-adresse en utilisant des répertoires normalisésRépertoires de réseauCorrespondance nom-adresse en utilisant des protocoles normalisés d'accès aux répertoires en utilisant le système de noms de domaine [DNS]
Disclosed is a domain engineering analysis solution that determines relevance of a domain name to a brand name in which a domain name, brand name, and identification of a substring of the domain name may be provided to or obtained by a computer embodying a domain engineering analyzer. A list of features may be determined. The list of features may include a lexicon, or a set of key-value pairs that encode information about terms included as substrings in the domain name. Determining the features may include obtaining a language model for each term, analyzing a cluster of language models closest to the obtained language model, and determining and scoring a relevance of each term to the brand name. The determined relevance and score of each term may be provided to a client. This relevance analysis can be dynamically applied in an online process or proactively applied in an offline process.
H04L 61/4511 - Répertoires de réseauCorrespondance nom-adresse en utilisant des répertoires normalisésRépertoires de réseauCorrespondance nom-adresse en utilisant des protocoles normalisés d'accès aux répertoires en utilisant le système de noms de domaine [DNS]
97.
Cloud environment database log analyzer with risk signature detection
The technology disclosed relates to analysis of security posture of a cloud environment. In particular, the disclosed technology relates to a system and method that detects a triggering criterion and, in response to the triggering criterion, automatically discovers a plurality of databases in the cloud environment. An orchestration engine is configured to deploy a plurality of log analyzer microservices on the plurality of databases, each log analyzer microservice, of the plurality of log analyzer microservices, being configured to scan a respective database log that represents database activities on a respective database of the plurality of databases. Analysis results are received from the plurality of log analyzer microservices, the analysis results represent detection of at least one of a performance criterion or a security criterion in one or more databases of the plurality of databases. An action signal representing the analysis results is generated.
Aspects of the disclosure relate to message verification. A computing platform may generate a cryptographic key pair comprising a public key and a private key. The computing platform may publish, to a server, the public key. The computing platform may generate a short message service (SMS) message. The computing platform may sign, using the private key, the SMS message, which may include computing a cryptographic hash of the SMS message using the private key and embedding the cryptographic hash in an SMPP field of the SMS message. The computing platform may send, to a downstream computing system, the signed SMS message, where the downstream computing system may be configured to validate the signed SMS message using the cryptographic hash embedded in the SMPP field of the SMS message and by accessing the public key.
H04L 9/32 - Dispositions pour les communications secrètes ou protégéesProtocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
H04L 9/30 - Clé publique, c.-à-d. l'algorithme de chiffrement étant impossible à inverser par ordinateur et les clés de chiffrement des utilisateurs n'exigeant pas le secret
A URL velocity monitor is integrated with a message-hold decision maker of an electronic mail processing system that processes electronic messages for a protected computer network. The URL velocity monitor receives or obtains a URL, decomposes the URL into URL features based on logical boundaries, and determines features of interest from the URL features for velocity tracking. Examples of URL features can include a randomized URL segment. The velocity of each feature of interest is tracked over a period of time using a counting algorithm that employs a slow counter or a fast counter. The two different counters track two types of velocities which represent different domain behaviors targeting the protected computer network. The URL velocity monitor determines whether the velocity of a feature of interest is accelerating within the time period. If so, the URL is placed in a queue or a sandbox.
Aspects of the disclosure relate to anomaly detection in cybersecurity training modules. A computing platform may receive information defining a training module. The computing platform may capture a plurality of screenshots corresponding to different permutations of the training module. The computing platform may input, into an auto-encoder, the plurality of screenshots corresponding to the different permutations of the training module, wherein inputting the plurality of screenshots corresponding to the different permutations of the training module causes the auto-encoder to output a reconstruction error value. The computing platform may execute an outlier detection algorithm on the reconstruction error value, which may cause the computing platform to identify an outlier permutation of the training module. The computing platform may generate a user interface comprising information identifying the outlier permutation of the training module. The computing platform may send the user interface to at least one user device.
G06V 10/778 - Apprentissage de profils actif, p. ex. apprentissage en ligne des caractéristiques d’images ou de vidéos
G06F 18/21 - Conception ou mise en place de systèmes ou de techniquesExtraction de caractéristiques dans l'espace des caractéristiquesSéparation aveugle de sources
G06F 18/214 - Génération de motifs d'entraînementProcédés de Bootstrapping, p. ex. ”bagging” ou ”boosting”
G06F 18/2433 - Perspective d'une seule classe, p. ex. une classification "une contre toutes"Détection de nouveautéDétection de valeurs aberrantes
