H04L63/1475

SECURING ENDPOINTS FOR VIRTUAL MEETINGS
20220239698 · 2022-07-28

Techniques are disclosed for establishing a level of security for a virtual meeting similar to the level of security associated with in-person meetings. A communication system may use an application programming interface (API) of an operating system to secure the device by terminating any applications or processes operating on the computing device that are not consistent with a security policy. The system may also use machine learning techniques to monitor audio and/or video streams for participant behaviors that are not consistent with a security policy.

THREAT CONTROL METHOD AND SYSTEM

A system and a method for distributing components of a threat detection model for a threat control network, the threat control network comprising interconnected network nodes. The threat control network comprises security agent modules which collect data related to the respective network node of the security agent module, share information based on the collected data in the established internal network, and use the collected data and the information received from the internal network for generating and adapting threat detection models related to the respective network node. At least part of the nodes comprise at least the following components of the threat detection model: a detection logic part comprising detection rules, a detection logic parameter part comprising parameter values, and a core data primitive part comprising a set of key primitives. The method comprises distributing each of the said components of a threat detection model to a node independently of the other said components of the same node.

SYSTEM AND METHOD FOR CYBERSECURITY ANALYSIS AND PROTECTION USING DISTRIBUTED SYSTEMS
20220232042 · 2022-07-21

A system and method for cybersecurity reconnaissance, analysis, and scoring that uses distributed, cloud-based computing services to provide sufficient scalability for analysis of enterprise IT networks using only publicly available characterizations. The system and method comprise an in-memory associative array which manages a queue of vulnerability search tasks through a public-facing proxy network. The public-facing proxy network has search nodes configurable to present the network to search tools in a desired manner to control certain aspects of the search to obtain the desired results. A distributed data processing engine and cloud-based storage are used to provide scalable computing power and storage. A data packet modifier is used to reveal the IP address of a threat actor behind a port scan and subsequently block the threat actor. Each of the cloud-based computing services is containerized and orchestrated for management and efficient scaling purposes.

Malicious port scan detection using source profiles
20210400073 · 2021-12-23

A method, including identifying, in network traffic during multiple periods, scans, each scan including an access of multiple ports on a given destination node by a given source node, and computing, for each given source in the scans, an average of destinations whose ports were accessed by the given source during any scan by the given source, and a fraction of periods when the given source accessed at least one of the destinations in at least one scan performed by the given source node. A whitelist is assembled of sources for which one or more of the following conditions applies: the average of destinations accessed in the scans was greater than a first threshold, and the fraction of periods during which at least one destination was accessed in at least one scan was greater than a second threshold. Upon detecting a scan by any non-whitelisted node, a preventive action is initiated.

SYSTEMS AND METHODS FOR WIRELESS CAMERA DETECTION
20210400460 · 2021-12-23

Systems and methods are provided for detecting the presence of a hidden camera on a network. When video is encoded and transmitted over a network, the data packets carrying the video tend to exhibit certain characteristics or features specific to video traffic from a hidden camera. A machine learning model for detecting the presence of a hidden camera can be trained based on these characteristics and features. Once trained, the machine learning model can be operationalized on an access point that can analyze real-time network traffic to determine whether one or more hidden cameras are operating on the network.

Selectively choosing between actual-attack and simulation/evaluation for validating a vulnerability of a network node during execution of a penetration testing campaign

Methods and systems for penetration testing of a networked system by a penetration testing system. In some embodiments, both active and passive validation methods are used during a single penetration testing campaign in a single networked system. In other embodiments, a first penetration testing campaign uses only active validation and a second penetration campaign uses only passive validation, where both campaigns are performed by a single penetration testing system in a single networked system. Node-by-node determination of whether to use active or passive validation can be based on expected extent and/or likelihood of damage from actually compromising a network node using active validation.

Methods, systems, and devices for simulating voice and data traffic in a mobile network

Aspects of the subject disclosure may include, for example, selecting a group of International Mobile Subscriber Identities (IMSIs), selecting a group of traffic simulator devices, and provisioning each of the group of IMSIs to each of the group of traffic simulator devices. Further embodiments can include providing first instructions to a first portion of the group of traffic simulator devices. The first instructions cause the first portion of the group of traffic simulator devices to generate simulated voice traffic over a first plurality of time periods. Additional embodiments can include providing second instructions to a second portion of the group of traffic simulator devices. The second instructions cause the second portion of the group of traffic simulator devices to generate simulated data traffic over a second plurality of time periods. Other embodiments are disclosed.

RANDOMNESS DETECTION IN NETWORK DATA
20210374272 · 2021-12-02

An example operation may include one or more of dividing a data file into a plurality of data chunks, generating a randomness value for each data chunk based on one or more predefined randomness tests, accumulating the generated randomness values of the plurality of data chunks to generate an accumulated randomness value, detecting whether the data file is encrypted, compressed, or both based on the accumulated randomness value and a predetermined threshold value, and storing information about the detection via a storage.

DETERMINE A TRUSTED DYNAMIC HOST CONFIGURATION PROTOCOL (DHCP) SERVER IN A DHCP SNOOPING ENVIRONMENT
20210377299 · 2021-12-02

Presented herein are systems and methods to determine whether a dynamic host configuration protocol (DHCP) server in a DHCP snooping environment is a trusted device without requiring trusted port configuration. In one or more embodiments, a DHCP snooping-enabled switch/router adds an indicator to a message intended for a DHCP server, thereby notifying the DHCP server that the DHCP switch/router is enabled for or capable of “detection of trusted DHCP server.” The DHCP server includes a unique trusted identifier in its reply, which the DHCP switch/router uses to verify whether the DHCP server can be considered a trusted device.

BATCH CLUSTERING OF ONLINE ATTACK NARRATIVES FOR BOTNET DETECTION
20220210184 · 2022-06-30

A method includes identifying, from online clustering data, an internet protocol (IP) pair. The method further includes determining, by a processing device during an offline process, that the IP pair is part of a botnet. The method further includes, in response to the determining, appending data associated with the botnet to the online clustering data.