H04L63/1475

MOBILE NETWORK AUTHENTICATION USING A CONCEALED IDENTITY

Apparatuses, methods, and systems are disclosed for supporting authentication with a mobile core network using a concealed identity. One apparatus includes a processor that sends a first authentication message that includes a concealed identifier to a network function to authenticate with a mobile communication network via a non-3GPP access network. The processor receives a second authentication message from the network function in response to the first authentication message. The second authentication message comprises an authentication response based on the concealed identifier. The processor completes authentication with the mobile communication network in response to the authentication response comprising a challenge packet. The processor receives configuration information for accessing the mobile communication network in response to successful authentication with the mobile communication network.

Methods and architectures for secure ranging
11728972 · 2023-08-15

Embodiments described herein enable the generation of cryptographic material for ranging operations in a manner that reduces and obfuscates potential correlations between leaked and secret information. One embodiment provides for an apparatus including a ranging module having one or more ranging sensors. The ranging module is coupled to a secure processing system through a hardware interface to receive at least one encrypted ranging session key, the ranging module to decrypt the at least one encrypted ranging session key to generate a ranging session key, generate a sparse ranging input, derive a message session key based on the ranging session key, and derive a derived ranging key via a key derivation cascade applied to the message session key and the sparse ranging input, the derived ranging key to encrypt data transmitted during a ranging session.

DETECTING UNAUTHORIZED DEVICES
20220138755 · 2022-05-05

A payment reader and a POS terminal may communicate over a wireless connection. The methods and systems include monitoring one or more parameters corresponding to a payment reader and another device in proximity to the payment reader. The first device, through a set of customized instructions, determines whether behavior of the second device substantially corresponds to the first device, in order to detect suspected hardware or software intrusion associated with the secure first device. On successful detection of a suspected intrusion, the first device generates an alert for a user of the first device if illegal intrusion is suspected by the processor.

MECHANISMS TO REDUCE EXPOSURE OF SENSITIVE TELEMETRY DATA IN COMPUTING NETWORKS

One or more machine readable storage media, an apparatus, and a method. The apparatus provides a mechanism to implement a trusted telemetry governor (TTG) inside a trusted execution environment. The TTG is to determine a security policy to be applied to telemetry data corresponding to a component of a computing infrastructure, receive the telemetry data in encrypted format and, based on the security policy: process the telemetry data including at least one of generating transformed telemetry data or analyzing the telemetry data to generate a report therefrom, and generating telemetry information from the telemetry data. The telemetry information includes at least one of processed telemetry data, a report, or a recommendation based on an analysis of the telemetry data. The TTG is to send the telemetry information outside of the trusted execution environment to a consumer of the telemetry data.

System and method for detecting leakage of email addresses

A system for detecting leakage of email addresses generates an alias email address that will be used by a user to register with a web service. The alias email address is an alias for a primary email address of the user, and is paired with the web service. The web service is included in a whitelist upon confirmation from the web service that the alias email address has been registered with the web service. Emails that are addressed to the alias email address and from the web service are forwarded to the primary email address. Emails that are addressed to the alias email address but are not from the web service are detected to be suspicious.

System, Method, and Computer Program Product for User Network Activity Anomaly Detection
20230308464 · 2023-09-28

Disclosed are a system, method, and computer program product for user network activity anomaly detection. The method includes generating a multilayer graph from network resource data, and generating an adjacency matrix associated with each layer of the multilayer graph to produce a plurality of adjacency matrices. The method further includes assigning a weight to each adjacency matrix to produce a plurality of weights, and generating a merged single layer graph by merging the plurality of layers based on a weighted sum of the plurality of adjacency matrices using the plurality of weights. The method further includes generating a set of anomaly scores by generating, for each node in the merged single layer graph, an anomaly score. The method further includes determining a set of anomalous users based on the set of anomaly scores, detecting fraudulent network activity based on the set of anomalous users, and executing a fraud mitigation process.

Malicious port scan detection using source profiles

A method, including identifying, in network traffic during multiple periods, scans, each scan including an access of multiple ports on a given destination node by a given source node, and computing, for each given source in the scans, an average of destinations whose ports were accessed by the given source during any scan by the given source, and a fraction of periods when the given source accessed at least one of the destinations in at least one scan performed by the given source node. A whitelist is assembled of sources for which one or more of the following conditions applies: the average of destinations accessed in the scans was greater than a first threshold, and the fraction of periods during which at least one destination was accessed in at least one scan was greater than a second threshold. Upon detecting a scan by any non-whitelisted node, a preventive action is initiated.

THREAT DETECTION PLATFORMS FOR DETECTING, CHARACTERIZING, AND REMEDIATING EMAIL-BASED THREATS IN REAL TIME

Conventional email filtering services are not suitable for recognizing sophisticated malicious emails, and therefore may allow sophisticated malicious emails to reach inboxes by mistake. Introduced here are threat detection platforms designed to take an integrative approach to detecting security threats. For example, after receiving input indicative of an approval from an individual to access past email received by employees of an enterprise, a threat detection platform can download past emails to build a machine learning (ML) model that understands the norms of communication with internal contacts (e.g., other employees) and/or external contacts (e.g., vendors). By applying the ML model to incoming email, the threat detection platform can identify security threats in real time in a targeted manner.

Systems and methods for detecting phishing websites

Methods and systems are presented for detecting malicious webpages based on dynamically configuring a device to circumvent one or more evasion techniques implemented within the malicious webpages. When a known malicious webpage is obtained, programming code of the known malicious webpage is analyzed to determine one or more evasion techniques implemented within the known malicious webpage. The one or more evasion techniques may cause a webpage classification engine to falsely classify the known malicious webpage as a non-malicious webpage. A software update is generated based on one or more feature parameters extracted from the one or more evasion techniques. The software update is used to modify the webpage classification engine such that the webpage classification engine would correctly classify the known malicious webpage.

AGENT-BASED THROTTLING OF COMMAND EXECUTIONS
20210365283 · 2021-11-25

Disclosed herein are methods, systems, and processes to perform granular and selective agent-based throttling of command executions. A resource consumption threshold is allocated to an agent process that is configured to perform data collection tasks on a host computing device. A desired throttle is generated for the agent process based on the resource consumption threshold allocated to the agent process and execution of the agent process is controlled in polling intervals. For each polling interval, a current throttle level for the agent process is determined based on a run count and a skip count of the agent process, the agent process is suspended if the agent process is active and the current throttle is greater than the desired throttle level, and the agent process is resumed if the agent process is idle and the current throttle level is not greater than the desired throttle level.