H04L63/1416

Cyber security protection system and related proactive suspicious domain alert system

A cyber security protection system includes a plurality of threat information updating devices and a proactive suspicious domain alert system, which includes a domain information monitoring device, a domain information storage device, and a security threat analysis device arranged to operably communicate data with the plurality of threat information updating devices through a network. If the domain information monitoring device detects that the domain mapping of a suspect domain has changed and the new domain mapping of the suspect domain points to a predetermined local address, the domain information monitoring device further monitors the domain mapping variation frequency of the suspect domain. If the domain mapping variation frequency of the suspect domain exceeds a predetermined value, the security threat analysis device adds the suspect domain to an alert list so that the plurality of threat information updating devices block their member devices from accessing the suspect domain.

Quantum computing machine learning for security threats

Embodiments are disclosed for a method for a security model. The method includes generating a Bloch sphere based on a security information and event management (SIEM) system of a security domain and a Structured Threat Information Expression (STIX) / Trusted Automated Exchange of Indicator Information (TAXII) exchange. The method also includes generating a quantum state probabilities matrix based on the Bloch sphere. Further, the method includes training a security threat model to perform security threat classifications based on the quantum state probabilities matrix. Additionally, the method includes performing a machine learning classification of the security domain based on the quantum state probabilities matrix.

Real-time prevention of malicious content via dynamic analysis

This disclosure relates to methods and apparatus for preventing malicious content from reaching a destination via a dynamic analysis engine that may operate in real time as packetized data is received. Data packets sent from a source computer may be received and forwarded to an analysis computer that monitors actions performed by executable program code included within the set of data packets when determining whether the data packet set should be classified as malware. In certain instances, all but the last data packet of the data packet set may also be sent to the destination computer while the analysis computer executes and monitors the program code included in the data packet set. When the analysis computer identifies that the data packet set does include malware, the malware may be blocked from reaching the destination computer by not sending the last data packet to the destination computer.

ESTIMATION APPARATUS, ESTIMATION METHOD AND PROGRAM
20230008765 · 2023-01-12

An estimation device includes: a collection section configured to collect related information when cyber threat intelligence of a maliciousness estimation target is input, the related information being related to the cyber threat intelligence and other cyber threat intelligence different from the cyber threat intelligence; a feature generation section configured to generate a feature based on the related information, the feature representing a feature of the cyber threat intelligence; a graph information generation section configured to generate graph information based on the related information and the other cyber threat intelligence, the graph information indicating a graph in which each of the cyber threat intelligence and the other cyber threat intelligence is a node and a relationship between the nodes is an edge; and an estimation section configured to estimate the maliciousness of the cyber threat intelligence by a graph convolutional neural network using the feature of the cyber threat intelligence when a graph indicated by the graph information has a graph structure between the cyber threat intelligence and the other cyber threat intelligence.

Playback of a stored networked remote collaboration session

Various implementations of the present application set forth a method comprising generating three-dimensional data and two-dimensional data representing a physical space that includes a real-world asset, generating an extended-reality (XR) stream representing a remote collaboration session between a host device and a set of remote devices, where the XR stream includes a combination of the three-dimensional data and the two-dimensional data, a set of augmented-reality (AR) elements associated with the real-world asset, and a set of performed actions associated with a portion of the digital representation or at least one AR element, serializing the XR stream into a set of serialized chunks, transmitting the serialized chunks to the remote devices, where the remote devices recreate the XR stream in a set of remote XR environments, and transmitting the serialized chunks to a remote storage device, where a device subsequently retrieves the serialized chunks to replay the remote collaboration session.

METHOD FOR DETERMINING LIKELY MALICIOUS BEHAVIOR BASED ON ABNORMAL BEHAVIOR PATTERN COMPARISON

A method for a cyber threat defense system is provided. The method comprises receiving a first abnormal behavior pattern, where the first abnormal behavior pattern represents behavior on a first network deviating from the normal benign behavior of that network; and receiving a second abnormal behavior pattern, where the second abnormal behavior pattern represents behavior on either the first network or a second network deviating from the normal benign behavior of that network. The method further comprises comparing the first and second abnormal behavior patterns to determine a similarity score between them and determining, based on the comparison, that the first abnormal behavior pattern likely corresponds to malicious behavior when the similarity score is above a threshold. A corresponding non-transitory computer readable medium is also provided.

DETECTION DEVICE, DETECTION METHOD, AND DETECTION PROGRAM

For each legitimate user, a detection device monitors communication events, including communication by humans, that occur when the legitimate user accesses sensitive data. The detection device builds a profile of the user indicating normal behavior when the user accesses the sensitive data by performing machine learning on the result of the monitoring. After that, the detection device acquires a communication event when a user to be authenticated accesses sensitive data. The detection device determines whether the behavior of the user to be authenticated indicated in the acquired communication event corresponds to the normal behavior when the user accesses the sensitive data indicated in the profile of the user, and outputs the result of the determination.

Techniques for generating signatures characterizing advanced application layer flood attack tools
11552989 · 2023-01-10

A method and system for characterizing application layer flood distributed denial-of-service (DDoS) attacks carried out by advanced application layer flood attack tools. The method comprises receiving an indication of an on-going DDoS attack directed toward a protected entity; analyzing requests received during the on-going DDoS attack to determine a plurality of different attributes of the received requests; generating a dynamic applicative multi-paraphrase signature by clustering at least one value of the plurality of different attributes, wherein the multi-paraphrase signature characterizes requests with different attributes as generated by an advanced application layer flood attack tool executing the on-going DDoS attack; and characterizing each incoming request based on the multi-paraphrase signature, wherein the characterization provides an indication for each incoming request of whether the request is generated by the attack tool.

IoT device identification with packet flow behavior machine learning model
11552975 · 2023-01-10

Identifying Internet of Things (IoT) devices with packet flow behavior including by using machine learning models is disclosed. Information associated with a network communication of an IoT device is received. A determination of whether the IoT device has previously been classified is made. In response to determining that the IoT device has not previously been classified, a determination is made that a probability match for the IoT device against a behavior signature exceeds a threshold. Based at least in part on the probability match, a classification of the IoT device is provided to a security appliance configured to apply a policy to the IoT device.

SINGLE METHOD FOR BLOCKING ACCESS THREATS USING VIRTUALIZATION TECHNOLOGY IN CLIENT-SERVER APPLICATIONS
20230038466 · 2023-02-09

A method for providing a software-based, secure, robust, flexible, usable, and auditable single method that can practically eliminate threats arising from phishing, man-in-the-middle theft, pharming/channel redirection, piggybacking of spyware, and application modification in client applications. These goals are achieved using dynamic virtualization technology. This virtualization technology protects applications from such threats by creating highly dynamic virtual images of real data that are private, relative, one-time use, and short-lived. These virtual images are made private and relative by creating a virtual device id of the client device, a virtual application signature of the client application, a virtual private network of the network, and a virtual certificate of the server.