Patent classifications
H04L63/14
IoT security service
The disclosed technology is generally directed to device security in an IoT environment. For example, such technology is usable in IoT security. In one example of the technology, a set of security rules that is associated with an expected condition of at least one IoT device is stored. IoT data associated with the at least one IoT device is received. The IoT data may be aggregated data that includes at least two different types of data. A determination is made, based on the IoT data, as to whether the set of security rules has been violated. An alert is selectively sent based on the determination.
System and method for determining a coefficient of harmfulness of a file using a trained learning model
Disclosed herein are systems and methods for determining a coefficient of harmfulness of a file using a trained learning model. In one aspect, an exemplary method includes forming a first vector containing a plurality of attributes of a known malicious file. A learning model is trained using the first vector to identify a plurality of significant attributes that influence identification of the malicious file. A second vector is formed containing a plurality of attributes of known safe files. The learning model is trained using the second vector to identify attributes insignificant to the identification of the malicious file. An unknown file is analyzed by the learning model. The learning model outputs a numerical value identifying a coefficient of harmfulness relating to a probability that the unknown file will prove to be harmful.
FILE SYSTEM PROTECTION APPARATUS AND METHOD IN AUXILIARY STORAGE DEVICE
The present invention relates to a file system protection technology applied to an auxiliary storage device (20), and to an apparatus and method for protecting a file system by blocking, or warning about in advance, access to the file system or changes to it, and by verifying the user's permission as necessary. A control device (60) is connected to a host interface (30), a data storage device (40), and a user input device (50) to control the operation mode of the auxiliary storage device, or to manage and protect file system objects to be protected, according to user commands. When the auxiliary storage device is in management mode, the user can designate the file system objects to be protected and set a protection type; the information set by the user is stored in a protected-object DB (70). In normal mode, when an access by the host computer targets a file system object listed in the protected-object DB, a protection operation is performed by referring to the protection type recorded for that object. In normal mode the host computer cannot access the protected-object DB (70) that the user configured in setting mode, so the protected-object DB (70) cannot be changed or damaged by malicious code.
COOPERATIVE EARLY THREAT DETECTION USING SENSOR SHARING
Method and apparatus for cooperative early threat detection. In some aspects, the apparatus detects one or more object data signals having data that interferes with wireless resources utilized in automated driving decisions. The apparatus transmits, to at least a second wireless device, a message indicating the one or more object data signals having the data that interferes with wireless resources utilized in automated driving decisions. The one or more object data signals may correspond to a misbehaving wireless device. The data of the misbehaving wireless device may comprise implausible data related to at least one characteristic of the misbehaving wireless device.
Creation and optimization of security applications for cyber threats detection, investigation and mitigation
A system and method for optimizing a defense model using available security capabilities are provided. The method includes obtaining a defense model and an optimal security application implementation associated with the defense model; evaluating available security capabilities deployed in an enterprise environment to determine a plurality of variant security applications implementing the defense model; determining a quality score for each of the plurality of the variant security applications; selecting, from the plurality of variant security applications, a variant security application having a highest quality score; and executing the selected variant security application.
Adaptive scanning
Adaptive scanning is described. The adaptive scanning may include performing a passive scan of communications associated with a device, where the passive scan comprises observing one or more communications of the device over a network. One or more attributes associated with the device are determined from the passive scan, and an active scan of the device is then performed based on those attributes. The active scan is customized for the device using the attributes determined from the passive scan, and it comprises sending one or more requests to the device. One or more further attributes associated with the device may be determined from the active scan. The attributes obtained from the passive scan and the results obtained from the active scan are stored for the device.
Device and method for verifying a component of a storage device
A storage device configured for hardware verification is disclosed. The storage device comprises a first hardware component comprising a connector and a first validation logic. The first validation logic is configured to detect a criterion and generate a first signal via the connector in response to detecting the criterion. The storage device also comprises a second hardware component coupled to the first hardware component via the connector. The second hardware component comprises a second validation logic, where the second validation logic is configured to monitor and receive the first signal via the connector. In response to receiving the first signal, the second validation logic is configured to compare the received first signal to an expected signal and generate a result. The storage device is configured to take an action in response to the result.
Gene expression programming
Gene expression programming-based behavior monitoring is disclosed. A machine receives, as input, a plurality of data examples. A method can include receiving data indicating behaviors of the device, determining, using a gene expression programming (GEP) method, a data model that explains the data, and comparing further data indicating further behavior of the device to the data model to determine whether the further behavior is explained by the data model.
Predictive internet resource reputation assessment
IPRID reputation assessment enhances cybersecurity. IPRIDs include IP addresses, domain names, and other network resource identities. A convolutional neural network or other machine learning model is trained with data including aggregate features or rollup features or both. Aggregate features may include aggregated submission counts, classification counts, HTTP code counts, detonation statistics, and redirect counts, for instance. Rollup features reflect hierarchical rollups of data using <unknown> value placeholders specified in IPRID templates. The trained model can predictively infer a label, or produce a rapid lookup table of IPRIDs and maliciousness probabilities. Training data may be organized in grids with rows, columns, planes, branches, and slots. Training data may include whois data, geolocation data, and tenant data. Training data tuple sets may be expanded by date or by original IPRID. Trained models can predict domain labels accurately at scale, even when most of the domains encountered have never been classified before.