Patent classifications
H04L63/14
METHODS AND APPARATUS FOR USING MACHINE LEARNING TO CLASSIFY MALICIOUS INFRASTRUCTURE
Embodiments disclosed include methods and apparatus for determining the reputation of infrastructure associated with potentially malicious content. In some embodiments, an apparatus includes a memory and a processor. The processor is configured to identify an Internet Protocol (IP) address associated with potentially malicious content and to build a matrix in which each row is defined by applying a different subnet mask, from a plurality of subnet masks, to a binary representation of the IP address. The processor is further configured to provide the matrix as an input to a machine learning model and to receive, from the machine learning model, a score associated with the maliciousness of the IP address.
SYSTEM AND METHOD FOR SECURITY MANAGEMENT OF APPLICATION INFORMATION
An apparatus for security management of application information comprises a processor operable to receive the application information associated with a first entity and to receive entity device information for a first entity device associated with the first entity. The processor is operable to determine that a portion of data fields of the application information associated with the first entity corresponds to a portion of data fields of entity account data associated with a second entity and to determine that a portion of the entity device information associated with the first entity device corresponds to a portion of the entity device information associated with a second entity device that is associated with the second entity. The processor is further operable to determine that the first entity is associated with suspicious indicators, wherein suspicious indicators signal that there is suspicious activity associated with the first entity.
Provisioning a service using file distribution technology
According to certain embodiments, a provisioning manager comprises an interface and processing circuitry. The interface is configured to obtain provisioning data from a provisioning database. The processing circuitry is configured to prepare one or more configuration files based on the provisioning data and provide the one or more configuration files to the one or more service instances using file distribution technology. The one or more configuration files indicate how to provision one or more service instances used in sending or receiving electronic messages.
Computer system security scan and response
A testing computer system communicates with a client computer system coupled to one or more target computer systems. The testing computer system sends test payloads to the client computer system, which forwards them to the target computer systems. Based on the test results generated by the target computer systems, the testing computer system generates a runtime payload that is executable to perform a response to a security breach identified using the test results, and sends the runtime payload to the client computer system for execution. The testing computer system then receives from the client computer system an indication of the execution of the runtime payload.
MALICIOUS HOMOGLYPHIC DOMAIN NAME DETECTION AND ASSOCIATED CYBER SECURITY APPLICATIONS
Malicious homoglyphic domain name (MHDN) detection and associated cyber security applications are described. A domain name may be received that may be a potential MHDN. Homoglyphic domain name detection may be performed by, for example, generating a normalized character string corresponding to the input domain name by applying one or more normalization operations to the input domain name, wherein the one or more normalization operations may be configured to reduce homoglyphic characteristics in the input domain name; and generating a plurality of segmentations of the normalized character string, wherein generating each segmentation may comprise segmenting the normalized character string into a respective plurality of segments, and wherein each segmentation may comprise a different plurality of segments. A segmentation may be selected based on cost values, determined using a cost function, corresponding to each respective segmentation. The received domain name may be determined to be a homoglyphic domain name based on a determination that one or more segments of the selected segmentation match the base of a known domain name in at least one list of known domain names.
Recommending network NANO-segmentation for micro-services using flow analysis
The present disclosure provides an approach for generating one or more firewall rules to regulate communication between containerized services running within containers. The approach includes determining which services communicate with each other, regardless of which containers the services execute in. The determining occurs over a period of time. If two services communicated with each other during the period of time, then the firewall allows the services to continue communicating, but only over the same ports used during the period of time. If two services did not communicate during the period of time, then the firewall does not allow the services to communicate after the period of time expires. In some embodiments, the communication flow may be redetermined over a new period of time after the initial period so as to refresh the firewall rules.
OPTIMIZING NETWORK MICROSEGMENTATION POLICY FOR CYBER RESILIENCE
Described herein is a system and method for improving cyber resilience by determining an optimal security policy for a network. The system uses an objective function to balance cyberattack risks, accessibility to network resources, resource limitations, minimum mission availability requirements within a network environment, or a combination thereof. The objective function comprises objectives (one or more variables that enhance accessibility to network resources and reduce cyberattack risks) and constraints (one or more variables that characterize resource limitations or minimum mission availability requirements within a network environment). The optimal security policy is selected by solving one or more optimization problems. An optimization problem may be solved by determining candidate security policies that meet the constraints and selecting, among the candidate security policies, the one with the highest score for a given objective function.
Cyber threat defense system protecting email networks with machine learning models
A cyber defense system uses models that are trained on the normal behavior of email activity and user activity associated with an email system. A cyber-threat module may reference the models that are trained on the normal behavior of email activity and user activity. A threat risk parameter is determined that factors in the likelihood that a chain of one or more unusual behaviors of the email activity and user activity under analysis falls outside of a derived normal benign behavior. An autonomous response module can be used, rather than a human taking an action, to cause one or more autonomous rapid actions to be taken to contain the cyber-threat when the threat risk parameter from the cyber-threat module is equal to or above an actionable threshold.
Systems and methods of detecting and mitigating malicious network activity
Disclosed herein are systems and methods executing a security server that performs various processes using alert elements containing data fields indicating threats of fraud or attempts to penetrate an enterprise network. Using the alert elements, the security server generates integrated alerts that are associated with customers of the system and assigns a risk score to each integrated alert, which the security server uses to store and sort the integrated alerts according to a priority based on the relative risk scores. Analyst computers may query and fetch integrated alerts from an integrated alert database, and then present the integrated alerts to be addressed by an analyst according to the priority level of the respective integrated alerts. This helps ensure that the right customer is worked by the right analyst, at the right time, to maximize fraud prevention and minimize customer impact.
Protecting Networks from Cyber Attacks and Overloading
Packets may be received by a packet security gateway. Responsive to a determination that an overload condition has occurred in one or more networks associated with the packet security gateway, a first group of packet filtering rules may be applied to at least some of the packets. Applying the first group of packet filtering rules may include allowing at least a first portion of the packets to continue toward their respective destinations. Responsive to a determination that the overload condition has been mitigated, a second group of packet filtering rules may be applied to at least some of the packets. Applying the second group of packet filtering rules may include allowing at least a second portion of the packets to continue toward their respective destinations.