Techniques related to communication between independent containers are provided. In an embodiment, a first programmatic container includes one or more first namespaces in which an application program is executing. A second programmatic container includes one or more second namespaces in which a monitoring agent is executing. The one or more first namespaces are independent of the one or more second namespaces. A monitoring agent process hosts the monitoring agent. The monitoring agent is programmed to receive an identifier of the application program. The monitoring agent is further programmed to switch the monitoring agent process from the one or more second namespaces to the one or more first namespaces. After the switch, the monitoring agent process continues to execute in the second programmatic container, but communication is enabled between the application program and the monitoring agent via the monitoring agent process.

An anomaly detection and recovery system (ADRS) for an open platform communications united architecture (OPC UA)-based industrial automation network that includes OPC UA devices includes an anomaly detector is configured to monitor an OPC UA traffic stream comprising OPC UA messages of the OPC UA devices and analyze the OPC UA traffic stream using OPC UA semantics of the industrial automation network for anomaly detection.

In accordance with some embodiments, a method and system for establishing the trustworthiness of software and running systems by analyzing software and its provenance using automated means. In some embodiments, a risk score is produced. In some embodiments, software is analyzed for insecure behavior or structure. In some embodiments, parts of the software are hardened by producing possibly multiple different versions of the software with different hardening techniques applied, and a choice can be made based on user or environmental needs. In some embodiments, the software is verified and constraints are enforced on the endpoint using techniques such as verification injection and secure enclaves. In some embodiments, endpoint injection is managed through container orchestration.

A method for user-defined validation of content stored in a storage system, the method may include receiving a request to execute a user-defined validation process (UDVP) on the content that is stored in the storage system; wherein the request is associated with means for executing the UDVP, and a content identifier; scheduling, by the storage system, at least one execution of the UDVP; executing the UDVP according to the scheduling to provide one or more validation results; and finding that the one or more validation results are indicative of potential security issues and performing one or more validation-triggered security measures.

Graph computing over micro and macro views includes expanding, with a processor at run-time, a set of nodes to include a node generated in response to received data corresponding to an event query. A first inference of an inference ensemble is determined by traversing a base graph whose nodes are associated with a discriminant power that exceeds a predetermined entity threshold. A second inference of the inference ensemble is determined by traversing a micro-view graph whose nodes are selected based on a number of references that exceeds a predetermined reference threshold. A third inference of the inference ensemble is determined by traversing a macro-view graph having one or more committee nodes and computing for each committee node a macro-node vote and generating a response to the event query based on the inference ensemble.

An electronic device is provided. The electronic device includes a communication circuit, a display, a memory including a first display driver, a processor functionally connected with the communication circuit, the display, and the memory, and a secure module which is physically separated from the processor, and includes a secure processor and a second display driver, and the secure processor is configured to: when secure data is received from an external server through the communication circuit, disable the first display driver and enable the second display driver, and output a user interface including a first object corresponding to the secure data to the display by using the enabled second display driver.

A computer implemented method of identifying anomalous behavior of a computer system in a set of intercommunicating computer systems, each computer system in the set being uniquely identifiable, the method including monitoring communication between computer systems in the set for a predetermined baseline time period to generate a baseline vector representation of each of the systems; monitoring communication between computer systems in the set for a subsequent predetermined time period to generate a subsequent vector representation of each of the systems; comparing baseline and subsequent vector representations corresponding to a target computer system using a vector similarity function to identify anomalous behavior of the target system in the subsequent time period compared to the baseline time period, wherein a vector representation of the target system for a time period is generated based on a deterministic walk of a graph representation of communications between the computer systems in which nodes of the graph correspond to computer systems in the set and weighted directed edges between nodes of the graph correspond to a characteristic of communication between pairs of computer systems in the set.

Techniques are described that enable an IT and security operations application to prioritize the processing of selected events for a defined period of time. Data is obtained reflecting activity within an IT environment, wherein the data includes a plurality of events each representing an occurrence of activity within the IT environment. A severity level is assigned to each event of the plurality of events, where the events are processed by the IT and security operations application in an order that is based at least in part on the severity level assigned to each event. Input is received identifying at least one event of the plurality of events for expedited processing to obtain a set of expedited events, and the identified events are processed by the IT and security operations application before processing events that are not in the set of expedited events.

Systems and methods for detecting and/or identifying an attack on a battery management system (BMS) or a battery system. The voltage and/or state of charge (SOC) of the BMS or battery system can be monitored, and one or more datasets can be obtained. A principal component analysis (PCA) based unsupervised k-means approach can be applied on the one or more datasets to monitor for irregularities that indicate an attack.

Generally discussed herein are devices, systems, and methods for improving phishing webpage content detection. A method can include identifying first webpage content comprises phishing content, determining, using a reinforcement learning (RL) agent, at least one action, generating, based on the determined at least one action and the identified first webpage content, altered first webpage content, identifying that the altered first webpage content is benign, generating, based on the determined at least one action and second webpage content, altered second webpage content, and training, based on the altered second webpage content and a corresponding label of phishing, a phishing detector.