A login agent interacts with a foundation model(s) until successful login to an application or an assessment of a failed login can be obtained. Initially, a web page corresponding to login for a web application will be indicated to the login agent. The login agent captures interactive elements of the web page. The login agent prompts a foundation model(s) to select which of the captured interactive elements to interact with and how to interact with the selected elements. The login agent determines commands based on the response(s) and, with the commands, uses a tool to automatically interact with the web page via a browser. The login agent captures a web page resulting from the user emulated interaction and prompts the foundation model(s) to determine whether log in was successful or failed. The response from the foundation model(s) guides the login agent to either retry login or report results.
With invocations of a software development pipeline, organization specific remediations/fixes for a software project can be learned from scanning results of code submissions (e.g., commits or merges) across an organization for a software project(s). Fixes of detected program code flaws can be detected and/or specified across scans and associated with flaw identifiers and used for training machine learning models to identify candidate fixes for detected flaws. This ongoing learning during development propagates fixes created or chosen by experts (e.g., software engineers working on the software project) relevant to the software project. The experts can choose from suggestions mined from the learned fixes of the organization and suggestions generated from a pipeline created with the trained machine learning models. The selections are then used for further training of the machine learning models that form the pipeline.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
The technical solutions can provide a timely and consistent monitoring of SD-WAN by combining network topology data acquired via API calls with SD-WAN performance data gathered from one or more network communication protocols. A solution can include a system, having one or more processors coupled with memory to receive, responsive to BFD monitoring, BFD session data in a first format. The BFD session data can correspond to a tunnel between devices of a SD-WAN. The one or more processors can receive, responsive to IPFIX monitoring, flow metrics in a second format, the flow metrics corresponding to one or more flows of a network traffic traversing the tunnel. The one or more processors can aggregate the BFD session data and the flow metrics into aggregated metrics according to a third format and determine an action to take based at least on the aggregated metrics in the third format.
H04L 41/0631 - Gestion des fautes, des événements, des alarmes ou des notifications en utilisant l’analyse des causes profondesGestion des fautes, des événements, des alarmes ou des notifications en utilisant l’analyse de la corrélation entre les notifications, les alarmes ou les événements en fonction de critères de décision, p. ex. la hiérarchie ou l’analyse temporelle ou arborescente
H04L 41/40 - Dispositions pour la maintenance, l’administration ou la gestion des réseaux de commutation de données, p. ex. des réseaux de commutation de paquets en utilisant la virtualisation des fonctions réseau ou ressources, p. ex. entités SDN ou NFV
H04L 43/0876 - Utilisation du réseau, p. ex. volume de charge ou niveau de congestion
H04L 43/10 - Surveillance active, p. ex. battement de cœur, utilitaire Ping ou trace-route
An embodiment of the present invention describes means by which a proxy can maintain visibility between a client and a server when the client initiates a Transport Layer Security connection with Encrypted Client Hello (ECH). The proxy uses intelligence data has the ability to identify connections between clients and servers that are utilizing the Encrypted Client Hello extension to Transport Layer Security (TLS) Protocol Version 1.3 and triggers the client to fallback to utilizing a new connection that does not utilize ECH. This preserves the proxy's ability to determine the true destination of the client and identify the risks and characteristics of the request and response and act based on the administrator's authored policy.
In an embodiment, a method for generating a graph database includes identifying at least one new package in at least one source database and generating a download request associated with the at least one new package. The method includes, based on the download request, downloading the at least one new package from the at least one source database associated with the at least one new package. The method includes preprocessing the at least one new package to define at least one text representation of the at least one new package. The method includes cataloging the at least one new package based on the at least one text representation and generating a graph database based on the cataloged at least one package.
A device to detect a first piece of equipment of a plurality of pieces of equipment, identify a first node of a plurality of nodes that represents the first piece of equipment of the plurality of pieces of equipment, receive an identification of the first piece of equipment of the plurality of pieces of equipment, update a record to include the identification of the first piece of equipment of the plurality of pieces of equipment and an indication that the first node of the plurality of nodes represents the first piece of equipment of the plurality of pieces of equipment, determine that a second piece of equipment of the plurality of pieces of equipment is absent from a first section of the plurality of sections, and query one or more devices of a plurality of devices to identify the second piece of equipment of the plurality of pieces of equipment.
H04L 41/12 - Découverte ou gestion des topologies de réseau
H04L 41/0604 - Gestion des fautes, des événements, des alarmes ou des notifications en utilisant du filtrage, p. ex. la réduction de l’information en utilisant la priorité, les types d’éléments, la position ou le temps
H04L 41/22 - Dispositions pour la maintenance, l’administration ou la gestion des réseaux de commutation de données, p. ex. des réseaux de commutation de paquets comprenant des interfaces utilisateur graphiques spécialement adaptées [GUI]
7.
AUTO-FIXING CODE VULNERABILITIES WITH ARTIFICIAL INTELLIGENCE
A generative artificial intelligence (AI) driven code fixing pipeline has been created that uses a large language model (LLM) to recommend fixes for vulnerabilities detected in program code. A scanner generates indications of flaws in program code and weakness types for those flaws. One or more example code pairs are retrieved based on weakness type and programming language, an example code pair including an example flaw and an example fix of that flaw. The LLM is then prompted with a code fragment corresponding to a detected vulnerability, context for the code fragment, and the one or more example code pairs to generate a modification of existing program code that fixes the vulnerability.
Novel systems and methods for canvas sanitization are provided. In various embodiments, a system and method include: receiving a request to open a web page from a client device; replacing, via an agent, a first function with a second function, the agent being loaded to a browser; loading the web page from a web server to the browser; in response to an attempt to perform the first function on the web page, performing, via the browser, the second function corresponding to the first function to generate a drawing for a predetermined period of time; converting, via the agent, the drawing to an image; and transmitting the image to the client device. Other aspects, embodiments, and features are also claimed and described.
The systems and methods described provide a seamless end-to-end email delivery between secure email clusters without reliance on prior sharing of encryption keys or protocol configurations. The solution can receive a request to transmit an email to a recipient identified by a domain of the recipient. The solution can transmit a first query to a domain name service (DNS) to fetch one or more records corresponding to the domain of the recipient. The one or more records can identify a key service. The solution can receive, from the key service responsive to a second query to the key service, a key for encrypting the email. The solution can encrypt at least a portion of the email based at least on the key and transmit the encrypted email to the recipient.
Operations of a security device are provided herein. The operations may include receiving, via a first network interface, a network packet, and evaluating attributes of the received network packet against a ruleset to identify a first rule match, wherein the attributes comprise an identifier of the first network interface, a source address, and a destination address. The operations may further include comparing the attributes of the received network packet against a table listing one or more network devices associated with the first network interface or a second network interface. The operations may further include switching the attributes of the received network packet by changing the identifier of the first network interface to an identifier of the second network interface and swapping the source address and the destination address, and evaluating the switched attributes of the received network packet against the ruleset to identify a second rule match. The switched attributes of the received network packet may be compared against the table, and one of the first rule match or the second rule match may be selected based on the comparisons of the network packet attributes and the switched network packet attributes against the table. The received network packet may be processed according to the selected one of the first rule match or the second rule match.
Novel solutions for monitoring and analyzing networks in terms of the volatility of various devices. Some solutions consider a weighted set of metrics in determining such volatility. Evaluation of devices against peers in view of these factors can produce insight about network conditions.
H04L 43/0817 - Surveillance ou test en fonction de métriques spécifiques, p. ex. la qualité du service [QoS], la consommation d’énergie ou les paramètres environnementaux en vérifiant la disponibilité en vérifiant le fonctionnement
H04L 43/045 - Traitement des données de surveillance capturées, p. ex. pour la génération de fichiers journaux pour la visualisation graphique des données de surveillance
H04L 43/062 - Génération de rapports liés au trafic du réseau
A generative artificial intelligence (AI) driven code fixing pipeline has been created that uses a transformer-based large language model (LLM) to patch flawed program code. A pre-trained LLM is fine-tuned to generate a response that is a modified version of a code fragment in a prompt to the pre-trained model. After fine-tuning, the pre-trained LLM (hereinafter “code fix model”) is integrated into a pipeline that includes a program code cybersecurity scanner and a prompt generator. The scanner generates indications of flaws in program code and weakness types for those flaws. These indications flow into the prompt generator. The prompt generator retrieves reference code pairs based on weakness type and programming language to generate a batch of prompts to run inference on with the code fix model. The responses generated by the code fix model are presented as patching alternatives.
A generative AI based pipeline has been created that ranks generated responses that are candidate software patches. The ranking is based on predicted quality measures of code fragments within a corresponding prompt to a generated AI model. The predicted quality measures are generated by a machine learning model that has been trained based on features that are values/measures of similarity metrics between code fragments, between code fragment changes, between code structures, and/or between changes of code structures.
In some embodiments, a computing system includes a communication interface; and a processor that is coupled to the communication interface. In some embodiments, least one of the communication interface or the processor receives a network packet from the network via a network adapter port; encapsulates the received network packet with a tunnel header, wherein the tunnel header comprises network identifier information identifying the network adapter port; addresses, based on the network identifier information, an outer Internet protocol (IP) header of the encapsulated network packet with an outer IP address corresponding to a network function in a first computing device; and sends the encapsulated network packet toward the network function identified by the outer IP address.
H04L 61/251 - Traduction d'adresses de protocole Internet [IP] entre versions IP différentes
H04L 67/1001 - Protocoles dans lesquels une application est distribuée parmi les nœuds du réseau pour accéder à un serveur parmi une pluralité de serveurs répliqués
H04L 69/167 - Adaptation pour la transition entre deux versions IP, p. ex. entre IPv4 et IPv6
H04L 69/22 - Analyse syntaxique ou évaluation d’en-têtes
15.
LANGUAGE-INDEPENDENT APPLICATION MONITORING THROUGH ASPECT-ORIENTED PROGRAMMING
To support adding functionality to applications at a layer of abstraction above language-specific implementations of AOP, a language for implementing AOP facilitates runtime monitoring and analysis of an application independent of the language of the application. Aspects can be created for applications written in any supported language. Program code underlying implementations of aspects can be executed based on detecting triggering events during execution of the application. Routines written with the AOP language comprise event-based aspect code triggers that indicate an event which may occur during execution of the application and the associated aspect code to be executed. An agent deployed to a runtime engine to monitor the application detects events and evaluates contextual information about the detected events against the aspect triggers to determine if aspect code should be executed to perform further monitoring and analysis of the executing application.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
After a first pass of type inferencing for application program code, global variables that share a name but correspond to different types and thus also correspond to different memory locations are identified and renamed. A static analyzer evaluates identified variables and their inferred types from the first pass of type inferencing and, if two global variables having a same name but different types are identified based on multiple disparate types being inferred for one global variable, the global variables are distinguished via renaming of at least one of the global variables before a second pass of type inferencing and data flow analysis are performed for the program code having the renaming incorporated. Renaming a global variable(s) in the case of same-named but differently typed global variables distinguishes the instances of the global variable to provide for correct propagation of type information and values without ambiguity for improved data flow analysis.
Type definitions of user-defined types in application program code for which definitions are absent (“unknown types”) are inferred. A static analyzer implements two passes of a fixed-point type inference algorithm. Each pass encompasses a plurality of traversals of the application's control flow to build inferred definitions of unknown types until the inferred definitions are maximally built. To build an inferred definition, based on inferring a variable is an unknown type, the static analyzer infers member variables/functions of the unknown type based on contextual information associated with the variable. Type information of unknown types is propagated along control flow paths. After the first pass terminates, unknown types can be assigned known types based on matching of inferred definitions. Inferred definitions of remaining unknown types are incorporated into the application program code. A second pass of type inferencing and data flow analysis are then performed with the inferred definitions incorporated therein.
To facilitate runtime monitoring and analysis of an application without modifying the actual application code, an agent monitors and analyzes an application through detection and evaluation of invocations of an API of a runtime engine provided for execution of the application. The agent registers to receive events which are generated upon invocation of target functions of the runtime engine API based on its load. Once loaded, the agent initially determines the language and language version number of the runtime engine. The agent determines associations of events for which to monitor and corresponding analysis code to execute upon detection of the invocations based on the language and version number information. When the agent detects an event during execution of the application based on invocations of the runtime engine API, the agent can monitor and analyze execution of the application based on execution of analysis code corresponding to the detected event.
G06F 11/3604 - Analyse de logiciel pour vérifier les propriétés des programmes
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
19.
AUTOMATED TRIAGE OF CODE FLAWS WITH MACHINE LEARNING
Flaws in a codebase for an organization are triaged with a naïve Bayes classifier that determines likelihoods of triage decisions corresponding to actions (e.g., remediating via code change, deferring to due network mitigation, labeling as false positive) given the context of the flaw, application, and organization. The naïve Bayes classifier is trained on the triage outcomes of previously detected flaw instances in the codebase and provides interpretable results including feature-level likelihood scores of each triage approach. In addition to recommending the highest likelihood triage outcome provided by the naïve Bayes model, a flaw similarity model identifies previously triaged flaw instances from the organization to recommend more granular triage instructions that have been documented alongside the previous flaw instances.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
20.
Systems of and methods for managing tenant and user identity information in a multi-tenant environment
A system and method for managing user identity information in a multi-tenant environment can perform operations including assigning a first address from an address pool for a first user session, storing first information for the first user session in the memory linked to the first address, and assigning a second address from the address pool for a second user session. The operations can also include storing second information for the second user session in the memory linked to the second address from the address pool for the second user session if the second address does not match a third address from the address pool for a third session in the memory, and forwarding communication data for the second user session after the second information has been stored.
Identifying a second party reusable software component involves analyzing source code of applications to identify an external dependency that does not refer to third party software components and occurs in multiple applications. After identifying second party software components, the occurrence of the external dependencies corresponding to second party software components can be reported and can facilitate triage of flaws found for the second party software components, as well as other component management actions (e.g., increasing collaboration and communication among teams using and creating reusable software components, version awareness, flaw surface awareness, etc.).
Network rules established on a device can establish communication protocol between applications running on the device and interfaces connected to the device. For example, a network rule can establish which application(s) can access which interface(s), and when an application is not assigned to an interface, the application is not granted network access to the interface(s). In some instances, interfaces can be aggregated together to create an aggregation (e.g., link aggregation or a bridge aggregation), thus allowing the network rule to use the aggregation for multiple applications. An aggregation, such as a link aggregation, can be established as a shared rule that allows access to the interface by multiple applications. Alternatively, an aggregation, such as a bridge aggregation, can be established as a reserve rule that permits only a particular application, and no other application(s), access to the interface.
Aspects of the disclosure include replacing, by a DNS proxy in DNS responses, a cryptographic key associated with a client-facing server for an origin content server with another cryptographic key received from a TLS proxy. A device may encrypt an extension of a ClientHello message with the other cryptographic key, such that the encrypted ClientHello (ECH) extension can be decrypted by the TLS proxy. The TLS proxy can then allow or deny the connection using a TLS intercept policy and decrypted information in the ClientHello message, and if the TLS connection is allowed, re-encrypt the ECH with the cryptographic key in the DNS response for the client-facing server to decrypt for establishment of the TLS connection with the origin content server. To preserve selective intercept while using ECH, a TLS Intercept Policy may be used to decide whether the TLS proxy feeds an Application Layer Proxy.
The disclosed computer-implemented method for preparing a secure search index for securely detecting personally identifiable information may include (i) receiving, at a computing device, a dataset including a record, where the record has a field including a value describing personally identifiable information and (ii) performing, at the computing device, a security action. The security action may include (i) generating, using a perfect hash function, a respective hashed key from the value and (ii) adding, to the secure search index (a) the respective hashed key or (b) a subsequent hashed key created from the respective hashed key. Various other methods, systems, and computer-readable media are also disclosed.
G06F 21/62 - Protection de l’accès à des données via une plate-forme, p. ex. par clés ou règles de contrôle de l’accès
H04L 9/32 - Dispositions pour les communications secrètes ou protégéesProtocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
H04L 9/06 - Dispositions pour les communications secrètes ou protégéesProtocoles réseaux de sécurité l'appareil de chiffrement utilisant des registres à décalage ou des mémoires pour le codage par blocs, p. ex. système DES
With invocations of a software development pipeline, organization specific remediations/fixes for a software project can be learned from scanning results of code submissions (e.g., commits or merges) across an organization for a software project(s). Fixes of detected program code flaws can be detected and/or specified across scans and associated with flaw identifiers and used for training machine learning models to identify candidate fixes for detected flaws. This ongoing learning during development propagates fixes created or chosen by experts (e.g., software engineers working on the software project) relevant to the software project. The experts can choose from suggestions mined from the learned fixes of the organization and suggestions generated from a pipeline created with the trained machine learning models. The selections are then used for further training of the machine learning models that form the pipeline.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
Computer software risk assessment services; computer
security services in the nature of network security
assessments; providing temporary use of non-downloadable
cloud-based software for detecting and identifying access to
computer networks and resources, performing vulnerability
scans, and/or penetration testing; computer software
consultation, namely, providing an online, automated,
on-demand service for identifying exploitable
vulnerabilities in software.
09 - Appareils et instruments scientifiques et électriques
Produits et services
Computer software, namely, downloadable computer utility program for analyzing function and performance of other computer programs; server software, namely, downloadable computer utility program for analyzing function and performance of other computer programs
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
(1) Computer software risk assessment services; computer security services in the nature of network security assessments; providing temporary use of non-downloadable cloud-based security software for detecting and identifying access to computer networks and resources, performing vulnerability scans, and/or penetration testing; computer software consultation, namely, providing an online, automated, on-demand service for identifying exploitable vulnerabilities in software.
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
Computer software risk assessment services; Computer
security services in the nature of network security
assessments; providing temporary use of non-downloadable
cloud-based software for detecting and identifying access to
computer networks and resources, performing vulnerability
scans, and penetration testing; Computer software
consultation, namely, providing an online, automated,
on-demand service for identifying exploitable
vulnerabilities in software.
31.
DEIDENTIFYING CODE FOR CROSS-ORGANIZATION REMEDIATION KNOWLEDGE
To preserve privacy when leveraging organization-specific remediation knowledge for flaw remediation across organizations, program code is deidentified to remove code which potentially identifies its source/origin. Deidentification operates based on structure of flaws and fixes at the level of source code constructs based on an abstract syntax tree (AST) or other structural context representation of a fix and corresponding flaw. Potentially identifying portions of a fix indicated in its AST are determined and modified (e.g., removed or obfuscated) without impacting AST structure. Deidentified remediation knowledge originating from different organizations is used to train a fix suggestion model(s) which learns structural context of fixes and corresponding flaws and, once trained, generates predictions indicating suggested fixes to flaws based on structural contexts of the flaws. Deidentification can occur before training of the fix suggestion model(s) or during prediction so potentially identifying program code is removed before suggested fixes are consumed by different organizations.
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
(1) Computer software risk assessment services; Computer security services in the nature of network security assessments; providing temporary use of non-downloadable cloud-based security software for detecting and identifying access to computer networks and resources, performing vulnerability scans, and penetration testing; Computer software consultation, namely, providing an online, automated, on-demand service for identifying exploitable vulnerabilities in software.
A method for securing cloud applications is described. The method may include establishing a connection between a cloud application isolation portal, a cloud access security broker, and a cloud application based on an indication of the cloud application and a set of credentials associated with an end user of the cloud application, and managing, via the cloud application isolation portal and the cloud access security broker, a session between the cloud application and a computing device associated with the end user based on the connection between the cloud application isolation portal with the cloud access security broker and the cloud application.
H04L 67/60 - Ordonnancement ou organisation du service des demandes d'application, p. ex. demandes de transmission de données d'application en utilisant l'analyse et l'optimisation des ressources réseau requises
H04L 67/10 - Protocoles dans lesquels une application est distribuée parmi les nœuds du réseau
Machine learning adversarial campaign mitigation on a computing device. The method may include deploying an original machine learning model in a model environment associated with a client device; deploying a classification monitor in the model environment to monitor classification decision outputs in the machine learning model; detecting, by the classification monitor, a campaign of adversarial classification decision outputs in the machine learning model; applying a transformation function to the machine learning model in the model environment to transform the adversarial classification decision outputs to thwart the campaign of adversarial classification decision outputs; determining a malicious attack on the client device based in part on detecting the campaign of adversarial classification decision outputs; and implementing a security action to protect the computing device against the malicious attack.
G06F 21/00 - Dispositions de sécurité pour protéger les calculateurs, leurs composants, les programmes ou les données contre une activité non autorisée
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
Computer software cybersecurity vulnerabilities risk assessment services; Computer security services in the nature of network security assessments; providing temporary use of non-downloadable cloud-based software for detecting and identifying access to computer networks and resources, performing vulnerability scans, and application security penetration testing; Computer software consultation, namely, providing an online, automated, on-demand service for identifying exploitable vulnerabilities in software
36.
Knowledge-aware detection of attacks on a client device conducted with dual-use tools
Knowledge-aware detection of attacks on a client device conducted with dual-use tools. A method may include obtaining dual-use tool data related to a plurality of dual-use tools; collecting from a client device, by the computing device, user input related to the use of a dual-use tool of the plurality of dual-use tools; determining that the user input contains a feature of the dual-use tool data; creating a behavioral index of the user input, the behavioral index stored on the client device; detecting new input on the client device; determining a similarity level between the user input and the new input; flagging a malicious attack on the client device based on determining that the similarity level does not satisfy a pre-determined threshold; and implementing a security action on the client device based on flagging the malicious attack.
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
Computer software cybersecurity vulnerabilities risk assessment services; Computer security services in the nature of network security assessments; providing temporary use of non-downloadable cloud-based software for detecting and identifying access to computer networks and resources, performing vulnerability scans, and application security penetration testing; Computer software consultation, namely, providing an online, automated, on-demand service for identifying exploitable vulnerabilities in software
38.
Secure access to a corporate web application with translation between an internal address and an external address
Secure access to a corporate application with translation between an internal address and an external address. In some embodiments, a method may include receiving, at a secure access cloud point of delivery (PoD), from a client application on a client device, a request to access a corporate web application that is deployed in a corporate datacenter. The method may also include forwarding, from the secure access cloud PoD, to a connector that is also deployed in the corporate datacenter, the request to access the corporate web application. The method may further include brokering, by the connector and the secure access cloud PoD, authentication of a user, authorization of access by the user, and a secure communication session between the client application and the corporate web application by translating between an internal address of the corporate web application and an external address of the corporate web application.
09 - Appareils et instruments scientifiques et électriques
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
(1) Downloadable computer programs for project management, digital product management, work collaboration, information technology portfolio management, and business process management (1) Software as a service (SaaS) services featuring non-downloadable, cloud-based computer programs for project management, digital product management, work collaboration, information technology portfolio management, and business process management
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
(1) Software as a service (SAAS) services featuring software for project management, digital product management, work collaboration, and computer software development and implementation
09 - Appareils et instruments scientifiques et électriques
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
Downloadable computer programs for project management, product management, work collaboration, information technology portfolio management, and business process management, all aforementioned goods only in the context of financial investment management software and not in the context of security, law-enforcement, defense and military software; none of the aforementioned goods in the context of energy production and distribution; none of the aforementioned goods in the context of chemistry for health sciences, biomedicine, biology, biotechnology, clinical biochemistry, pharmaceutical and pharmacology chemistry. Providing online, non-downloadable, cloud-based computer programs for project management, product management, work collaboration, information technology portfolio management, and business process management, all aforementioned services only in the context of financial investment management software and not in the context of security, law-enforcement, defense and military software; none of the aforementioned services in the context of energy production and distribution; none of the aforementioned services in the context of chemistry for health sciences, biomedicine, biology, biotechnology, clinical biochemistry, pharmaceutical and pharmacology chemistry.
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
Software as a service (SAAS) services featuring software for project management, product management, work collaboration, and software development and implementation.
43.
Open source vulnerability prediction with machine learning ensemble
A system to create a stacked classifier model combination or classifier ensemble has been designed for identification of undisclosed flaws in software components on a large-scale. This classifier ensemble is capable of at least a 54.55% improvement in precision. The system uses a K-folding cross validation algorithm to partition a sample dataset and then train and test a set of N classifiers with the dataset folds. At each test iteration, trained models of the set of classifiers generate probabilities that a sample has a flaw, resulting in a set of N probabilities or predictions for each sample in the test data. With a sample size of S, the system passes the S sets of N predictions to a logistic regressor along with “ground truth” for the sample dataset to train a logistic regression model. The trained classifiers and the logistic regression model are stored as the classifier ensemble.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
09 - Appareils et instruments scientifiques et électriques
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
Downloadable computer programs for project management, product management, work collaboration, information technology portfolio management, and business process management; all aforementioned goods/services only in the context of financial investment management software and not in the context of security, law-enforcement, defense and military software Non-downloadable, cloud-based computer programs for project management, product management, work collaboration, information technology portfolio management, and business process management; all aforementioned goods/services only in the context of financial investment management software and not in the context of security, law-enforcement, defense and military software
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
Software as a service (SAAS) services featuring software for project management, product management, work collaboration, and software development and implementation
46.
Systems and methods for producing adjustments to malware-detecting services
The disclosed computer-implemented method for producing adjustments to malware-detecting services may include (1) receiving, from a plurality of malware-detecting services executing on a plurality of client computing devices, a respective plurality of probability scores with corresponding model identifiers for an analyzed file and a plurality of respective identifiers describing the malware-detecting services, (2) building a training dataset from at least a portion of the received plurality of probability scores with corresponding model identifiers, and (3) performing a security action including (A) training, with the training dataset, a malware-detecting linear regression ensemble machine learning model that is specific to an identifier in the plurality of identifiers and (B) sending the trained linear regression ensemble machine learning model to one of the plurality of malware-detecting services executing on one of the client computing devices. Various other methods, systems, and computer-readable media are also disclosed.
Techniques are disclosed relating to increasing the amount of training data available to machine learning algorithms. A computer system may access an initial set of training data that specifies a plurality of sequences, each of which may define a set of data values. The computer system may amplify the initial set of training data to create a revised set of training data. The amplifying may include identifying sub-sequences of data values in ones of the plurality of sequences in the initial set of training data and using an inheritance algorithm to create a set of additional sequences of data values, where each one of the set of additional sequences may include sub-sequences of data values from at least two different sequences in the initial set of training data. The computer system may process the set of additional sequences using the machine learning algorithm to train a machine learning model.
G06F 18/214 - Génération de motifs d'entraînementProcédés de Bootstrapping, p. ex. ”bagging” ou ”boosting”
G06V 10/82 - Dispositions pour la reconnaissance ou la compréhension d’images ou de vidéos utilisant la reconnaissance de formes ou l’apprentissage automatique utilisant les réseaux neuronaux
48.
Secure access to a corporate application in an SSH session using a transparent SSH proxy
Secure access to a corporate application in an SSH session using a transparent SSH proxy. In some embodiments, a method may include receiving, at a secure access cloud point of delivery (PoD), from a client application on a client device, a request to access a corporate application that is deployed in a corporate datacenter. The method may also include forwarding, from the secure access cloud PoD, to a connector that is also deployed in the corporate datacenter, the request. The method may further include brokering, by the connector and the secure access cloud PoD, authentication of a user, authorization of access by the user, and an SSH session between the client application and the corporate application using a transparent SSH proxy, with the client application being unaware that the SSH session is brokered by the connector and the secure access cloud PoD.
Secure access to a corporate application using a facade. In some embodiments, a method may include receiving, at a secure access cloud point of delivery (PoD), from a client application on a client device, a request to access a corporate application that is deployed in a corporate datacenter. The method may also include creating, at the secure access cloud PoD, a facade representing the corporate application. The method may further include forwarding, from the facade, to a connector that is also deployed in the corporate datacenter, the request. The method may also include brokering, by the connector and the facade, authentication of a user, authorization of access by the user, and a secure communication session between the client application and the corporate application via the facade, with the client application being unaware that the secure communication session is brokered by the connector and the facade.
The disclosed computer-implemented method for dynamically augmenting machine learning models based on contextual factors associated with execution environments may include (1) generating a base machine learning model and a supplemental set of machine learning models, (2) determining at least one contextual factor associated with an execution environment of a machine learning system that is configured to make predictions regarding a set of input data using at least the base machine learning model, (3) selecting, based on the contextual factor, a continuation set of machine learning models from the supplemental set of machine learning models, and (4) directing the machine learning system to utilize both the base machine learning model and the continuation set of machine learning models when making predictions regarding the set of input data. Various other methods, systems, and computer-readable media are also disclosed.
G06K 9/62 - Méthodes ou dispositions pour la reconnaissance utilisant des moyens électroniques
G06F 21/53 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p. ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par exécution dans un environnement restreint, p. ex. "boîte à sable" ou machine virtuelle sécurisée
G06F 21/56 - Détection ou gestion de programmes malveillants, p. ex. dispositions anti-virus
Secure access to a corporate application with translation between an internal address and an external address. In some embodiments, a method may include receiving, at a secure access cloud point of delivery (PoD), from a client application on a client device, a request to access a corporate web application that is deployed in a corporate datacenter. The method may also include forwarding, from the secure access cloud PoD, to a connector that is also deployed in the corporate datacenter, the request to access the corporate web application. The method may further include brokering, by the connector and the secure access cloud PoD, authentication of a user, authorization of access by the user, and a secure communication session between the client application and the corporate web application by translating between an internal address of the corporate web application and an external address of the corporate web application.
G06F 15/16 - Associations de plusieurs calculateurs numériques comportant chacun au moins une unité arithmétique, une unité programme et un registre, p. ex. pour le traitement simultané de plusieurs programmes
The disclosed computer-implemented method for protecting a cloud computing device from malware may include (i) intercepting, at a computing device, a malicious attempt by the malware to (A) access sensitive information in an encrypted file stored on the computing device and (B) send the sensitive information to the cloud computing device and (ii) performing, responsive to the attempt to access the encrypted file, a security action. Various other methods, systems, and computer-readable media are also disclosed.
A method for identifying suspicious activity on a monitored computing device is described. In one embodiment, the method may include monitoring a local procedure call interface of the monitored computing device, identifying, based at least in part on the monitoring, a remote procedure call (RPC) of a suspicious process, the RPC being transmitted over a local procedure call message of the local procedure call interface, analyzing the RPC of the suspicious process, and performing a security action based at least in part on the analyzing.
The disclosed computer-implemented method for detecting code implanted into a published application may include retrieving a published version of an application and a source version of the application, and determining, based on an analysis of the source version and the published version, a transformation process for transforming from the source version to the published version. The method may also include performing the transformation process on the source version to produce a build version, comparing the build version with the published version, and identifying, based on the comparison, implanted code in the published version. The method may further include performing, in response to identifying the implanted code, a security action. Various other methods, systems, and computer-readable media are also disclosed.
The disclosed computer-implemented method for malware detection using localized machine learning may include (i) generating a global score for a file using a global machine learning model, (ii) generating a localized score for the file using a localized machine learning model, (iii) determining that the file is malware using the global score, the localized score, and the local conviction threshold, and (iv) in response to determining that the file is malware, performing a security action to protect the computing device against malware. Various other methods, systems, and computer-readable media are also disclosed.
e.ge.g., removed or obfuscated) without impacting AST structure. Deidentified remediation knowledge originating from different organizations is used to train a fix suggestion model(s) which learns structural context of fixes and corresponding flaws and, once trained, generates predictions indicating suggested fixes to flaws based on structural contexts of the flaws. Deidentification can occur before training of the fix suggestion model(s) or during prediction so potentially identifying program code is removed before suggested fixes are consumed by different organizations.
The disclosed computer-implemented method for managing a need-to-know domain name system may include (i) intercepting, by an agent of the computing device, network traffic received on the computing device, (ii) generating, by the agent, a one-time password based on a unique identifier of the agent of the computing device, (iii) wrapping, by the agent, the network traffic with the one-time password, and (iv) pushing, by the agent, the wrapped network traffic to a cloud server using a local domain name system (DNS) of the agent of the computing device, wherein the local DNS comprises a private domain name unpublished in a global DNS. Various other methods, systems, and computer-readable media are also disclosed.
G06F 13/00 - Interconnexion ou transfert d'information ou d'autres signaux entre mémoires, dispositifs d'entrée/sortie ou unités de traitement
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
H04L 67/10 - Protocoles dans lesquels une application est distribuée parmi les nœuds du réseau
H04L 61/4511 - Répertoires de réseauCorrespondance nom-adresse en utilisant des répertoires normalisésRépertoires de réseauCorrespondance nom-adresse en utilisant des protocoles normalisés d'accès aux répertoires en utilisant le système de noms de domaine [DNS]
With invocations of a software development pipeline, organization specific remediations/fixes for a software project can be learned from scanning results of code submissions (e.g., commits or merges) across an organization for a software project(s). Fixes of detected program code flaws can be detected and/or specified across scans and associated with flaw identifiers and used for training machine learning models to identify candidate fixes for detected flaws. This ongoing learning during development propagates fixes created or chosen by experts (e.g., software engineers working on the software project) relevant to the software project. The experts can choose from suggestions mined from the learned fixes of the organization and suggestions generated from a pipeline created with the trained machine learning models. The selections are then used for further training of the machine learning models that form the pipeline.
Telemetry data from client file reputation queries is collected over time. Directories/sub-directories under which files of queries are located are identified. The files including the reputations for the files under a given directory/sub-directory are identified and used to calculate the reputation score for the directory/sub-directory. The directory/sub-directory is then classified based on the calculated score for the directory/sub-directory. After the classification of directories/sub-directories, reputation for a file with unknown reputation is then determined based on the classification of the directory/sub-directory under which the file is located.
G06F 21/00 - Dispositions de sécurité pour protéger les calculateurs, leurs composants, les programmes ou les données contre une activité non autorisée
G06F 21/56 - Détection ou gestion de programmes malveillants, p. ex. dispositions anti-virus
G06F 16/185 - Systèmes de gestion de stockage hiérarchisé, p. ex. migration de fichiers ou politiques de migration de fichiers
60.
Pre-filtering detection of an injected script on a webpage accessed by a computing device
Pre-filtering detection of an injected script on a webpage accessed by a computing device. The method may include receiving an indication of access to the webpage at a web browser of the computing device; identifying a web form associated with the webpage; determining that the webpage has been previously visited by the computing device; recording at least one current domain associated with at least one current object request made by the web form; determining a difference of a count of the at least one current domain associated with the at least one current object request and a count of at least one historical domain associated with at least one historical object request previously made by the webpage; identifying the webpage as suspicious based on determining that the difference is greater than zero and less than a domain threshold; and initiating a security action on the webpage based on the identifying.
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
H04L 67/56 - Approvisionnement des services mandataires
G06F 21/53 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p. ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par exécution dans un environnement restreint, p. ex. "boîte à sable" ou machine virtuelle sécurisée
Identifying and protecting against an attack against an anomaly detector machine learning classifier (ADMLC). In some embodiments, a method may include identifying training data points in a manifold space for an ADMLC, dividing the manifold space into multiple subspaces, merging each of the training data points into one of the multiple subspaces, training a subclassifier for each of the multiple subspaces to determine a decision boundary for each of the multiple subspaces between normal training data points and anomalous training data points, receiving an input data point into the ADMLC, determining whether the input data point is an attack on the ADMLC due to a threshold number of the subclassifiers classifying the input data point as an anomalous input data point, and, in response to identifying the attack against the ADMLC, protecting against the attack.
A computer-implemented method for detecting and protecting against malicious use of legitimate computing-system tools may include (i) identifying a computing-system tool that can perform benign actions and malicious actions on a computing system, (ii) creating a set of recorded actions by recording actions performed by the computing-system tool on the computing system over a predetermined period of time, (iii) analyzing the set of recorded actions via a machine learning method that, for each action in the set of recorded actions, determines whether the action is anomalous compared to other actions in the set, (iv) classifying an action in the set of recorded actions as malicious based at least in part on determining that the action is anomalous, and (v) initiating, in response to classifying the action as malicious, a security action related to the action. Various other methods, systems, and computer-readable media are also disclosed.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
63.
Identifying and mitigating harm from malicious network connections by a container
Identifying and mitigating harm from malicious network connections by a container. In some embodiments, a method may include receiving, from a shim, notifications of all network connections that a container has sought to establish through the shim. The method may also include monitoring all actual network connections established by the container. The method may further include comparing the notifications to the actual network connections to determine whether any actual network connection established by the container bypassed the shim. The method may also include, in response to determining that any actual network connection established by the container bypassed the shim, identifying the network connection established by the container that bypassed the shim as a malicious network connection, and performing a security action to mitigate harm from the malicious network connection.
To support adding functionality to applications at a layer of abstraction above language-specific implementations of AOP, a language for implementing AOP facilitates runtime monitoring and analysis of an application independent of the language of the application. Aspects can be created for applications written in any supported language. Program code underlying implementations of aspects can be executed based on detecting triggering events during execution of the application. Routines written with the AOP language comprise event-based aspect code triggers that indicate an event which may occur during execution of the application and the associated aspect code to be executed. An agent deployed to a runtime engine to monitor the application detects events and evaluates contextual information about the detected events against the aspect triggers to determine if aspect code should be executed to perform further monitoring and analysis of the executing application.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
To facilitate runtime monitoring and analysis of an application without modifying the actual application code, an agent monitors and analyzes an application through detection and evaluation of invocations of an API of a runtime engine provided for execution of the application. The agent registers to receive events which are generated upon invocation of target functions of the runtime engine API based on its load. Once loaded, the agent initially determines the language and language version number of the runtime engine. The agent determines associations of events for which to monitor and corresponding analysis code to execute upon detection of the invocations based on the language and version number information. When the agent detects an event during execution of the application based on invocations of the runtime engine API, the agent can monitor and analyze execution of the application based on execution of analysis code corresponding to the detected event.
G06F 11/36 - Prévention d'erreurs par analyse, par débogage ou par test de logiciel
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
66.
Systems and methods for utilizing metadata for protecting against the sharing of images in a computing network
The disclosed computer-implemented method for utilizing metadata for protecting against the sharing of images in a computing network may include (i) identifying an image file stored in a public folder on a computing device, (ii) storing a copy of the image file within a secure data storage application, (iii) encoding metadata for revealing an image in the image file, (iv) performing a security action that protects against sharing the image file from the public folder by masking the image in the image file with the encoded metadata, and (v) rendering the image in the image file as an unmasked version of the image from the image file or the copy of the image file in the secure data storage application by decoding the metadata utilized to mask the image. Various other methods, systems, and computer-readable media are also disclosed.
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
Software as a service (SAAS) services, namely, hosting software for use by others for security data analysis; Computer security consultancy in the field of cyber security
Methods, systems, and devices for protecting against abnormal computer behavior are described. The method may include monitoring a computer process related to an application running on a computing device of one or more computing devices, analyzing a database including a set of digital fingerprints, where a digital fingerprint of the set of digital fingerprints relates to the application, the digital fingerprint including an indication of a set of computer processes related to the application that are classified as normal computer processes for the application, determining that the computer process related to the application is an abnormal computer process based on analyzing, and performing a security action on the computing device to protect the computing device against the abnormal computer process based on the determining.
Methods and systems are provided for automatically generating malware definitions and using generated malware definitions. One example method generally includes receiving information associated with a malicious application and extracting malware strings from the malicious application. The method further includes filtering the malware strings using a set of safe strings to produce filtered strings and scoring the filtered strings to produce string scores by evaluating words of the filtered strings based on word statistics of a set of known malicious words. The method further includes selecting a set of candidate strings from the filtered strings based on the string scores and generating a malware definition for the malicious application based on the set of candidate strings. The method also includes performing one or more security actions to protect against the malicious application, using the malware definition.
The disclosed computer-implemented method for safely executing unreliable malware may include (i) intercepting a call to an application programming interface (API) in a computing operating system, the API being utilized by malware for disseminating malicious code, (ii) determining an incompatibility between the API call and the computing operating system that prevents successful execution of the API call, (iii) creating a proxy container for receiving the API call, (iv) modifying, utilizing the proxy container, the API call to be compatible with the computing operating system, (v) sending the modified API call from the proxy container to the computing operating system for retrieving the API utilized by the malware, and (vi) performing a security action during a threat analysis of the malware by executing the API to disseminate the malicious code in a sandboxed environment. Various other methods, systems, and computer-readable media are also disclosed.
G06F 21/53 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p. ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par exécution dans un environnement restreint, p. ex. "boîte à sable" ou machine virtuelle sécurisée
G06F 21/54 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p. ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par ajout de routines ou d’objets de sécurité aux programmes
G06F 21/56 - Détection ou gestion de programmes malveillants, p. ex. dispositions anti-virus
71.
Systems and methods for protecting against malicious content
The disclosed computer-implemented method for protecting against malicious content may include intercepting, by a security application installed on the computing device, an original message intended for a target application installed on the same computing device. The original message may include potentially malicious content. The security application may forward the original message to a security service. The computing device may receive a clean message from the security service, wherein the clean message includes a safe representation of the potentially malicious content. Various other methods, systems, and computer-readable media are also disclosed.
The disclosed computer-implemented method for managing endpoint security states using passive data integrity attestations may include (i) receiving passively collected network data from an endpoint device of a computing environment, (ii) determining a security state of the endpoint device using the passively collected network data from the endpoint device, (iii) determining that the security state of the endpoint device is below a threshold, and (iv) in response to determining that the security state of the endpoint device is below a threshold, performing a security action to protect the computing environment against malicious actions. Various other methods, systems, and computer-readable media are also disclosed.
The present disclosure relates to using correlations between support interaction data and telemetry data to discover emerging incidents for remediation. One example method generally includes receiving a corpus of support interaction data and a corpus of telemetry data. Topics indicative of underlying problems experienced by users of an application are extracted from the corpus of support interaction data. A topic having a rate of appearance in the support interaction data above a threshold value is identified. A set of telemetry data relevant to the topic is extracted from the corpus of telemetry data, and a subset of the relevant set of telemetry data having a frequency in the relevant set of telemetry data above a second threshold value is identified. The topic and the subset of telemetry data are correlated to an incident to be remediated, and one or more actions are taken to remedy the incident.
To facilitate runtime monitoring and analysis of an application without modifying the actual application code, an agent monitors and analyzes an application through detection and evaluation of invocations of an API of a runtime engine provided for execution of the application. The agent registers to receive events which are generated upon invocation of target functions of the runtime engine API based on its load. Once loaded, the agent initially determines the language and language version number of the runtime engine. The agent determines associations of events for which to monitor and corresponding analysis code to execute upon detection of the invocations based on the language and version number information. When the agent detects an event during execution of the application based on invocations of the runtime engine API, the agent can monitor and analyze execution of the application based on execution of analysis code corresponding to the detected event.
To support adding functionality to applications at a layer of abstraction above language-specific implementations of AOP, a language for implementing AOP facilitates runtime monitoring and analysis of an application independent of the language of the application. Aspects can be created for applications written in any supported language. Program code underlying implementations of aspects can be executed based on detecting triggering events during execution of the application. Routines written with the AOP language comprise event-based aspect code triggers that indicate an event which may occur during execution of the application and the associated aspect code to be executed. An agent deployed to a runtime engine to monitor the application detects events and evaluates contextual information about the detected events against the aspect triggers to determine if aspect code should be executed to perform further monitoring and analysis of the executing application.
G06F 9/44 - Dispositions pour exécuter des programmes spécifiques
G06F 11/36 - Prévention d'erreurs par analyse, par débogage ou par test de logiciel
G06Q 10/06 - Ressources, gestion de tâches, des ressources humaines ou de projetsPlanification d’entreprise ou d’organisationModélisation d’entreprise ou d’organisation
The disclosed computer-implemented method for executing decision trees may include (i) executing a security classification decision tree that classifies an input data item, (ii) gathering, simultaneously using a gather instruction, values for both a current threshold at a parent node of the security classification decision tree and a subsequent threshold at a child node of the parent node, (iii) gathering, simultaneously using the gather instruction, values for both a current measurement at the parent node and a subsequent measurement at the child node, (iv) comparing, simultaneously using a comparison instruction, the current threshold at the parent node with the current measurement at the parent node and the subsequent threshold at the child node with the subsequent measurement at the child node, and (v) performing a security action to protect the computing device. Various other methods, systems, and computer-readable media are also disclosed.
The disclosed computer-implemented method for protection of storage systems using decoy data may include identifying an original file comprising sensitive content to be protected against malicious access and protecting the sensitive content. Protecting the sensitive content may include (i) processing the original file to identify a structure of the original file and the sensitive content of the original file, (ii) generating a decoy file using the structure of the original file and using substitute content in a location corresponding to the sensitive content of the original file, and (iii) storing the decoy file with the original file. Various other methods, systems, and computer-readable media are also disclosed.
In some embodiments, a computing system includes a communication interface; and a processor that is coupled to the communication interface. In some embodiments, least one of the communication interface or the processor receives a network packet from the network via a network adapter port; encapsulates the received network packet with a tunnel header, wherein the tunnel header comprises network identifier information identifying the network adapter port; addresses, based on the network identifier information, an outer Internet protocol (IP) header of the encapsulated network packet with an outer IP address corresponding to a network function in a first computing device; and sends the encapsulated network packet toward the network function identified by the outer IP address.
H04L 61/251 - Traduction d'adresses de protocole Internet [IP] entre versions IP différentes
H04L 67/1001 - Protocoles dans lesquels une application est distribuée parmi les nœuds du réseau pour accéder à un serveur parmi une pluralité de serveurs répliqués
H04L 69/167 - Adaptation pour la transition entre deux versions IP, p. ex. entre IPv4 et IPv6
H04L 69/22 - Analyse syntaxique ou évaluation d’en-têtes
79.
Systems and methods for detecting covert channels structured in internet protocol transactions
The disclosed computer-implemented method for detecting covert channels structured in Internet Protocol (IP) transactions may include (1) intercepting an IP transaction including textual data and a corresponding address, (2) evaluating the textual data against a model to determine a difference score, (3) determining that the textual data is suspicious when the difference score exceeds a threshold value associated with the model, (4) examining, upon determining that the textual data is suspicious, the address in the transaction to determine whether the address is invalid, (5) analyzing the transaction to determine a frequency of address requests that have been initiated from a source address over a predetermined period, and (6) identifying the transaction as a covert data channel for initiating a malware attack when the address is determined to be invalid and the frequency of the address requests exceeds a threshold value. Various other methods, systems, and computer-readable media are also disclosed.
Isolating an iframe of a webpage. In one embodiment, a method may include targeting an iframe in a webpage for isolation, executing, in a server browser, iframe code, sending, from the remote isolation server to the local client, the webpage with the iframe code of the iframe replaced with isolation code, executing, in a client browser, webpage code and the isolation code, intercepting, in the client browser, webpage messages sent from the webpage code and intended to be delivered to the iframe, sending, to the remote isolation server, the intercepted webpage messages to be injected into the iframe code executing at the server browser, intercepting, at the server browser, iframe messages sent from the iframe code and intended to be delivered to the webpage, and sending, to the local client, the intercepted iframe messages to be injected into the webpage code executing at the client browser.
A cloud device is configured in an email transmission pathway. The cloud device receives an email attachment whose maliciousness status is determined to be unknown. The cloud device encrypts the email attachment and delivers the encrypted attachment to the recipient. When the recipient attempts to access the encrypted attachment, the cloud device re-determines the maliciousness status of the attachment. If the re-determined maliciousness status is benign, the cloud device allows the encrypted attachment to be decrypted and opened locally on the recipient's device. If the re-determined maliciousness status is still unknown, the cloud device provides a cloud-based viewing solution to the recipient using an isolation service.
A method for detecting and protecting against abnormal user behavior is described. The method may include generating a tensor model based on a set of user information within a temporal period. The tensor model may include a behavioral profile associated with a user of a set of users. In some examples, the method may include determining that a behavior associated with the user of the set of users is abnormal based on the tensor model, adapting the tensor model based on feedback from an additional user of a set of additional users different from the set of users, and performing a security action on at least one computing device to protect against the abnormal user behavior based on the adapting.
The disclosed computer-implemented method for preventing data loss from data containers may include (1) identifying, at a computing device, a process running in a data container on the computing device, (2) intercepting an attempt by the process to exfiltrate information from the computing device via at least one of a file system operation or a network operation, and (3) performing a security action to prevent the intercepted attempt. Various other methods, systems, and computer-readable media are also disclosed.
Detecting and protecting against computing breaches based on lateral movement of a computer file within an enterprise. A method may include obtaining data associated with an existence a computer file in a first computing device and a second computing device of an enterprise, detecting a pattern of lateral movement of the computer from the first computing device to the second computing device over a predetermined period of time, based on the data, calculating a likelihood score that the computer file is malicious based on the detected pattern, determining that the likelihood score satisfies a predetermined breach threshold, and in response to determining that the likelihood score satisfies the predetermined breach threshold, initiating remedial action on the computer file to protect the enterprise against the computer file.
G06F 21/00 - Dispositions de sécurité pour protéger les calculateurs, leurs composants, les programmes ou les données contre une activité non autorisée
G06F 21/56 - Détection ou gestion de programmes malveillants, p. ex. dispositions anti-virus
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06K 9/62 - Méthodes ou dispositions pour la reconnaissance utilisant des moyens électroniques
G06F 11/34 - Enregistrement ou évaluation statistique de l'activité du calculateur, p. ex. des interruptions ou des opérations d'entrée–sortie
The disclosed computer-implemented method for preserving system contextual information in an encapsulated packet may include (1) receiving, at a computing device, a network packet from the network via a network adapter port, (2) encapsulating the received network packet with a tunnel header, where a network identifier field in the tunnel header comprises information identifying the network adapter port, (3) determine an outer Internet protocol (IP) address for the encapsulated network packet, where the destination IP address corresponds to a destination on the network, (4) addressing an outer header of the encapsulated network packet with the IP address, and (5) sending the encapsulated network packet toward the destination identified by the destination IP address. Various other methods, systems, and computer-readable media are also disclosed.
The disclosed computer-implemented method for tuning application network behavior may include identifying an application for a closed operating system. The closed operating system may prevent applications from implementing machine-level traffic control for network traffic. The method may include determining an expected network behavior of the application, intercepting network traffic of the application on the closed operating system, determining whether the intercepted network traffic conforms to the expected network behavior, and modifying, based on the determining whether the intercepted network traffic conforms to the expected network behavior, the network traffic. Various other methods, systems, and computer-readable media are also disclosed.
A computer-implemented method for preventing electronic form data from being electronically transmitted to untrusted domains may include (i) identifying a web page that includes an electronic form with field for data entry, (ii) detecting that the web page is electronically sending first and second messages that each include data from the field of the electronic form and that are directed to first and second destinations, respectively, (iii) determining that the first destination includes an untrusted destination, and (iv) blocking the web page from electronically sending the data from the field of the electronic form to the untrusted destination by blocking the first message from being electronically sent. Various other methods, systems, and computer-readable media are also disclosed.
G06F 21/51 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade du chargement de l’application, p. ex. en acceptant, en rejetant, en démarrant ou en inhibant un logiciel exécutable en fonction de l’intégrité ou de la fiabilité de la source
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
H04W 12/106 - Intégrité des paquets ou des messages
88.
Systems and methods for providing an integrated cyber threat defense exchange platform
The disclosed computer-implemented method for providing an integrated cyber threat defense exchange platform may include (i) receiving unnormalized security data from a plurality of disparate security data sources that generate security data in differing formats, (ii) normalizing, using a security data schema, the unnormalized security data into normalized security data, (iii) identifying a security action that is responsive to at least one security event identified within the normalized security data, and (iv) coordinating performance of the security action within a plurality of networked computing devices. Various other methods, systems, and computer-readable media are also disclosed.
The disclosed computer-implemented method for protecting website visitors may include (i) retrieving an instance of a website that was dynamically generated by aggregating multiple website subcomponents, (ii) decomposing the instance of the website into the multiple website subcomponents, (iii) checking whether a website subcomponent has been previously scanned by a security scanner, (iv) accelerating a review of the instance of the website by reusing results of a previous scan of the website subcomponent that was performed in response to retrieving a different instance of the website subcomponent rather than performing an original scan of the website subcomponent, and (v) protecting a visitor of the website by modifying a display of the instance of the website based on the accelerated review of the instance of the website that reused results of the previous scan of the website subcomponent. Various other methods, systems, and computer-readable media are also disclosed.
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
H04L 29/08 - Procédure de commande de la transmission, p.ex. procédure de commande du niveau de la liaison
G06F 16/955 - Recherche dans le Web utilisant des identifiants d’information, p. ex. des localisateurs uniformisés de ressources [uniform resource locators - URL]
G06F 16/957 - Optimisation de la navigation, p. ex. mise en cache ou distillation de contenus
90.
Method to assess internal security posture of a computing system using external variables
Methods and systems are provided for generating a security profile for a new computing system. One example method generally includes obtaining, over a network, information associated with a plurality of existing computing systems and generating, by a clustering algorithm, a set of clusters based on the information associated with the plurality of existing computing systems. The method further includes obtaining external data associated with the computing system and classifying the computing system into a cluster in the set of clusters based on the external data associated with the computing system. The method further includes determining the security profile based on statistics associated with the cluster and transmitting, over the network, an indication of the security profile.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
91.
Systems and methods for preventing sharing of sensitive content in image data on a closed computing platform
The disclosed computer-implemented method for preventing sharing of sensitive content in image data on a closed computing platform may include (i) detecting initiation of a network connection for sending network traffic data to a data storage service on the closed computing platform, (ii) monitoring the sending of the network traffic data to identify a target traffic indicator associated with image data, (iii) interrupting the sending of the network traffic data upon identifying the target traffic indicator, (iv) analyzing the image data to identify sensitive content, and (v) performing a security action that protects against the sensitive content being shared to the data storage service on the closed computing platform. Various other methods, systems, and computer-readable media are also disclosed.
G06K 9/00 - Méthodes ou dispositions pour la lecture ou la reconnaissance de caractères imprimés ou écrits ou pour la reconnaissance de formes, p.ex. d'empreintes digitales
H04L 12/24 - Dispositions pour la maintenance ou la gestion
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
Image quality optimization during remote isolated sessions. In one embodiment, a method may include a remote isolation server receiving, at a remote isolation server, a request from a local browser on a local network device to obtain webpage data from a webserver, requesting, from the webserver, the webpage data, receiving, from the webserver, the requested webpage data, rendering a first image of the requested webpage data, storing a first copy of the first image of the requested webpage data in memory associated with the remote isolation server, compressing a first portion of the first image using a first compression method, sending, from the remote isolation server, the compressed first portion of the first image to the local browser, compressing a second portion of the first image using a second compression method, and sending the compressed second portion of the first image to the local browser.
Methods and systems are provided for detecting malware. One example method generally includes receiving a reference dataset comprising an aggregation of probability distributions of a plurality of intra-file patterns for a plurality of files of at least a first class and applying a logical query to the reference dataset to generate a template distribution with probability distributions of the plurality of intra-file patterns calculated according to one or more logical operators in the logical query. The method further includes detecting a likely presence of malware in a computer file by indicating one or more areas in the computer file based on at least a portion of the calculated probability distributions of the plurality of intra-file patterns in the template distribution.
Secure Quarantine of Potentially Malicious Content. In one embodiment, a method for secure quarantine of potentially malicious content may include receiving a computer file from a third party, preventing the computer file from initially being accessed by a user associated with the computing device, collecting metadata from the computer file, encrypting the file and the collected metadata using a first encryption key, creating an encrypted computer file, encrypting the first encryption key using an asymmetric key, embedding the encrypted computer file into a new computer file, wherein at least one file object that is in the encrypted computer file is removed from the new computer file, enabling user access to the new computer file and the embedded encrypted computer file.
H04L 9/06 - Dispositions pour les communications secrètes ou protégéesProtocoles réseaux de sécurité l'appareil de chiffrement utilisant des registres à décalage ou des mémoires pour le codage par blocs, p. ex. système DES
In one embodiment, a method for electronic document sanitization may include receiving a first request from a client device to send a first electronic document, the first request including a requested usability level of the first electronic document, removing at least one document object from the first electronic document, the document object having potentially malicious content, the removing based at least in part on receiving the first request, and transmitting the first electronic document to the client device after removing the at least one document object therefrom.
G06F 12/14 - Protection contre l'utilisation non autorisée de mémoire
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
G06F 21/56 - Détection ou gestion de programmes malveillants, p. ex. dispositions anti-virus
G06F 3/0484 - Techniques d’interaction fondées sur les interfaces utilisateur graphiques [GUI] pour la commande de fonctions ou d’opérations spécifiques, p. ex. sélection ou transformation d’un objet, d’une image ou d’un élément de texte affiché, détermination d’une valeur de paramètre ou sélection d’une plage de valeurs
G06F 40/166 - Édition, p. ex. insertion ou suppression
96.
Systems and methods for improving performance of cascade classifiers for protecting against computer malware
The disclosed computer-implemented method for improving performance of cascade classifiers for protecting against computer malware may include receiving a training dataset usable to train a cascade classifier of a machine-learning classification system. A sample to add to the training dataset may be received. A weight for the sample may be calculated. The training dataset may be modified using the sample and the weight. A weighted training for the cascade classifier of the machine-learning classification system may be performed using the modified training dataset. Computer malware may be identified using the cascade classifier. In response to identifying the computer malware, a security action may be performed to protect the one or more computing devices from the computer malware. Various other methods, systems, and computer-readable media are also disclosed.
In one embodiment, a computer-implemented method for using customer context to detonate malware may be performed by one or more computing devices, each comprising one or more processors. The method may include receiving an artefact associated with a first device being targeted by malware, simulating in a controlled environment attributes of the first device based at least in part on the artefact, executing the malware in the controlled environment while the attributes of the first device are being simulated, and performing a security action with respect to the malware based at least in part on the execution of the malware in the controlled environment.
G06F 9/455 - ÉmulationInterprétationSimulation de logiciel, p. ex. virtualisation ou émulation des moteurs d’exécution d’applications ou de systèmes d’exploitation
G06F 21/56 - Détection ou gestion de programmes malveillants, p. ex. dispositions anti-virus
G06F 21/53 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p. ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par exécution dans un environnement restreint, p. ex. "boîte à sable" ou machine virtuelle sécurisée
The disclosed computer-implemented method for identifying users may include (i) detecting that a user at an endpoint computing device is connecting to an identity provider, (ii) detecting, after detecting that the user at the endpoint computing device is connecting to the identity provider, that a mobile device has received a second-factor authentication message, (iii) discovering, by a security service, that the user at the endpoint computing device matches a known user profile registered to the mobile device by correlating the user at the endpoint computing device connecting to the identity provider with the mobile device receiving the second-factor authentication message, and (iv) applying a security policy to the user at the endpoint computing device based on the known user profile matched to the user by the security service. Various other methods, systems, and computer-readable media are also disclosed.
Systems, apparatuses, methods, and computer readable mediums for implementing an email deception service. A system includes one or more processors coupled to one or more memories storing program instructions. The program instructions are executable by the processor(s) to scan live emails for suspicious emails. The suspicious emails are emails with phishing links, business compromise emails, emails with malware attachments, and so on. When a suspicious email is detected, the processor(s) execute the program instructions to interact with the suspicious email in a way that mimics an end-user. A set of decoy credentials are provided to an attacker during the interaction, and then a decoy account is monitored for accesses by the attacker using the decoy credentials. Accesses to the decoy account are monitored and recorded to obtain intelligence on the attacker.
A method and apparatus utilize a peer-to-peer network of security nodes collectively adhering to a protocol for inter-node communication. The system is comprised a plurality of first security nodes, at least one second security node, and at least one third security node. The plurality of first security nodes receive at least one of pre-trained detection models and rules, monitor at least one of a blockchain and connected devices for malicious behavior based on the received at least one of pre-trained detection models and rules, and report the malicious behavior. The at least one second security node creates and communicates the at least one of pre-trained detection models and rules to the plurality of first security nodes. The at least one third security node is informed by the at least one second security node of the reported malicious behavior.
