H04L63/1416

System, method, and computer program product for user network activity anomaly detection

Described are a system, method, and computer program product for user network activity anomaly detection. The method includes receiving network resource data associated with network resource activity of a plurality of users and generating a plurality of layers of a multilayer graph from the network resource data. Each layer of the plurality of layers may include a plurality of nodes, which are associated with users, connected by a plurality of edges, which are representative of node interdependency. The method also includes generating a plurality of adjacency matrices from the plurality of layers and generating a merged single layer graph based on a weighted sum of the plurality of adjacency matrices. The method further includes generating anomaly scores for each node in the merged single layer graph and determining a set of anomalous users based on the anomaly scores.

METHOD AND SYSTEM FOR CORRELATION AND MANAGEMENT OF DISTRIBUTED AND HETEROGENEOUS EVENTS
20180013773 · 2018-01-11

Event processing is a vital aspect of modern information systems, but is poorly supported and homogeneous in nature. The present disclosure recognizes that any detector speaks a language of events. This language of events can be translated into a “Universal Language” such that events from multiple arbitrary detectors may be compared together. The present disclosure uses regular expressions to explore possible relations and patterns across events and across time. The present disclosure further describes a hierarchical architecture such that the events from peer detectors are aggregated and collated and only conglomerate events, those events matching inter- or intra-detector behaviors, are propagated upstream in the hierarchy. Ultimately, this architecture offers a means to merge the event data from an arbitrary number of heterogeneous detectors into a meaningful stream of events that reflects a wider breadth of knowledge, improves scalability, and provides a wider context for the expression of patterns through the use of regular expressions.

ADVANCED CYBERSECURITY THREAT MITIGATION FOR INTER-BANK FINANCIAL TRANSACTIONS
20180013771 · 2018-01-11

A system for mitigation of cyberattacks employing an advanced cyber decision platform comprising a time series data store, a directed computational graph module, an action outcome simulation module, and an observation and state estimation module, wherein the state of a network is monitored and used to produce a cyber-physical graph representing network resources, simulated network events are produced and monitored, and the network events and their effects are analyzed to produce security recommendations.

APPARATUS AND METHOD FOR DETECTING ABNORMAL BEHAVIOR
20180013778 · 2018-01-11

Disclosed herein are an apparatus and method for detecting abnormal behavior in a main device and a terminal device, included in a control network, using a whitelist. The apparatus for detecting abnormal behavior includes an information collection unit for collecting system information about the main device and system information about the terminal device and a detection unit for detecting abnormal behavior in the main device and the terminal device by comparing a whitelist with system information that includes the system information about the main device and the system information about the terminal device, wherein the whitelist includes a process whitelist, a file whitelist, and a network whitelist.

DETECTING MAN-IN-THE-MIDDLE ATTACKS

MITM attacks are detected by intercepting network configuration traffic (name resolution, DHCP, ARP, ICMP, etc.) in order to obtain a description of network components. A computer system generates artificial requests for network configuration information and monitors responses. Multiple responses indicate a MITM attack. Responses that are different from previously-recorded responses also indicate a MITM attack. MITM attacks may be confirmed by transmitting fake credentials to a source of a response to a request for network configuration information. If the fake credentials are accepted or are subsequently used in an access attempt, then a MITM attack may be confirmed.

Automated detection of malware using trained neural network-based file classifiers and machine learning
11711388 · 2023-07-25

Automated malware detection for application file packages using machine learning (e.g., trained neural network-based classifiers) is described. A particular method includes generating, at a first device, a first feature vector based on occurrences of character n-grams corresponding to a first subset of files of multiple files of an application file package. The method includes generating, at the first device, a second feature vector based on occurrences of attributes in a second subset of files of the multiple files. The method includes sending the first feature vector and the second feature vector from the first device to a second device as inputs to a file classifier. The method includes receiving, at the first device from the second device, classification data associated with the application file package based on the first feature vector and the second feature vector. The classification data indicates whether the application file package includes malware.

INCREMENTAL AND SPECULATIVE ANALYSIS OF JAVASCRIPTS BASED ON A MULTI-INSTANCE MODEL FOR WEB SECURITY

Web security methods and apparatus are disclosed herein. A method includes receiving a detection model for detecting malicious webpages via a transceiver of the computing device, and storing the detection model in a non-volatile memory of the computing device. One or more JavaScripts are detected in the webpage, wherein each of the JavaScripts can be separately executed. A feature vector for each of the JavaScripts may be generated, either incrementally as the web page is being loaded or by prefetching the JavaScript for the web page, to produce one or more feature vectors for the webpage, wherein a particular feature vector includes values for different features of a JavaScript. Each of the feature vectors is analyzed with the multi-instance learning based detection model to determine whether the webpage from which the JavaScripts originate is malicious or benign.

System for managing IoT devices
11711394 · 2023-07-25

Briefly, systems and methods for managing Internet of Things (IoT) devices provide platforms featuring an architecture for user and device authentication as well as IoT system self-healing.

Systems and methods for controlling data exposure using artificial-intelligence-based periodic modeling

Systems and methods for periodically modifying data privacy elements are provided. The systems and methods may identify a set of data privacy elements. A data privacy element can characterize a feature of a computing device and can be detectable by a network host. A first artificial profile can be generated by modifying a first data privacy element based on an artificial profile model that defines a relationship associated with one or more constraints between the set of data privacy elements. Subsequent to generating the first artificial profile, a second artificial profile can be generated by periodically modifying a second data privacy element in accordance with the relationship defined by the artificial profile model. The computing device can be masked from being identified by the network host by sending the second artificial profile, including the second data privacy element, to a requested network location.

Data integrity

Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, that protect analytics for resources of a publisher from traffic directed to such resources by malicious entities. An analytics server receives a first message that includes an encrypted token and analytics data for a publisher-provided resource. The token includes a portion of the analytics data and a trust score indicating a likelihood that activity on the resource is attributed to a human (rather than an automated process). The analytics server decrypts the token. The analytics server determines a trustworthiness measure for the analytics data included in the first message based on the trust score (in the decrypted token) and a comparison of the analytics data in the first message and the portion of the analytics data (in the decrypted token). Based on the measure of trustworthiness, the analytics server performs analytics operations using the analytics data.