G06F2221/2119

System, method and computer readable medium for determining an event generator type
11582139 · 2023-02-14

Human interaction with a webpage may be determined by processing an event stream generated by the client device during the webpage interaction. A classification server receives the event stream and compares components of the event stream, including components of an event header message, with prerecorded datasets. The datasets include prerecorded event streams having a known interaction type. Training clients may be provided for generating the prerecorded datasets.

SECURITY STATUS BASED ON HIDDEN INFORMATION
20230041534 · 2023-02-09

Techniques for determining and presenting security status are described herein. The disclosed techniques include collecting information associated with an item; determining a security status associated with the item by classifying the item into one of a plurality of classifications based on the information associated with the item; presenting on a first interface information indicative of the security status, wherein the first interface further comprises at least one selectable interface element in relation to the information indicative of the security status; and performing an operation related to the item in response to receiving input indicative of a selection by a user of the at least one selectable interface element.

Systems and methods for protecting against misleading clicks on websites
11595420 · 2023-02-28

The disclosed computer-implemented method for protecting against misleading clicks on websites may include (i) detecting a user click event on a uniform resource locator (URL) for navigating to a website during a web browsing session, (ii) analyzing the user click event to identify expected domain behavior associated with navigating to the website based on the URL, (iii) determining, based on the analysis, that the user click event deviates from the expected domain behavior associated with navigating to the website based on the URL, and (iv) performing a security action that protects against potentially malicious activity caused by the user click event deviating from the expected domain behavior associated with navigating to the website based on the URL. Various other methods, systems, and computer-readable media are also disclosed.

Webpage phishing detection using deep reinforcement learning

Generally discussed herein are devices, systems, and methods for improving phishing webpage content detection. A method can include identifying that first webpage content comprises phishing content, determining, using a reinforcement learning (RL) agent, at least one action, generating, based on the determined at least one action and the identified first webpage content, altered first webpage content, identifying that the altered first webpage content is benign, generating, based on the determined at least one action and second webpage content, altered second webpage content, and training, based on the altered second webpage content and a corresponding label of phishing, a phishing detector.

Methods and systems for managing website access through machine learning

A method may include obtaining a request to unblock a predetermined website in a network and that is associated with a predetermined list. The predetermined list may be used to determine whether a respective user device among various user devices can access one or more websites. The method may further include determining an impact level of the predetermined website for an organization using a machine-learning algorithm and website gateway data. The method may further include determining a probability of a security breach using the machine-learning algorithm and threat data. The method may further include determining whether to unblock the predetermined website based on the impact level and the probability of a security breach. The method may further include transmitting, in response to determining that the predetermined website should be unblocked, a command that modifies the predetermined list to enable the respective user device to access the predetermined website.

INCREMENTAL AND SPECULATIVE ANALYSIS OF JAVASCRIPTS BASED ON A MULTI-INSTANCE MODEL FOR WEB SECURITY

Web security methods and apparatus are disclosed herein. A method includes receiving a detection model for detecting malicious webpages via a transceiver of the computing device, and storing the detection model in a non-volatile memory of the computing device. One or more JavaScripts are detected in the webpage, wherein each of the JavaScripts can be separately executed. A feature vector for each of the JavaScripts may be generated, either incrementally as the webpage is being loaded or by prefetching the JavaScript for the webpage, to produce one or more feature vectors for the webpage, wherein a particular feature vector includes values for different features of a JavaScript. Each of the feature vectors is analyzed with the multi-instance learning based detection model to determine whether the webpage from which the JavaScripts originate is malicious or benign.

NON-INTRUSIVE TECHNIQUES FOR DISCOVERING AND USING ORGANIZATIONAL RELATIONSHIPS
20230004892 · 2023-01-05

The present disclosure provides techniques for calculating an entity's cybersecurity risk based on identified relationships between the entity and one or more vendors. Customer/vendor relationships may impact the cybersecurity risk for each of the parties involved because a security compromise of a downstream or upstream provider can lead to a compromise of multiple other companies. For example, if organization A uses B (e.g., a cloud service provider) to store files, and B is compromised, this may lead to organization A being compromised (e.g., the files organization A stored using B may have been compromised by the breach of B's cybersecurity). Embodiments of the present disclosure further provide a technique for calculating a cybersecurity risk score for an organization based on identified customer/vendor relationships.

Dynamically Controlling Access to Linked Content in Electronic Communications

Aspects of the disclosure relate to dynamically controlling access to linked content in electronic communications. A computing platform may receive, from a user computing device, a request for a uniform resource locator associated with an email message and may evaluate the request using one or more isolation criteria. Based on evaluating the request, the computing platform may identify that the request meets at least one isolation condition associated with the one or more isolation criteria. In response to identifying that the request meets the at least one isolation condition associated with the one or more isolation criteria, the computing platform may initiate a browser mirroring session with the user computing device to provide the user computing device with limited access to a resource corresponding to the uniform resource locator associated with the email message.

SYSTEMS AND METHODS FOR AUTOMATICALLY BLOCKING THE USE OF TRACKING TOOLS

Embodiments of the present invention provide methods, apparatus, systems, computing devices, computing entities, and/or the like for permitting or blocking tracking tools used through webpages. In particular embodiments, the method involves: scanning a webpage to identify a tracking tool configured for processing personal data; determining a data destination location that is associated with the tracking tool; and generating program code configured to: determine a location associated with a user who is associated with a rendering of the webpage; determine a prohibited data destination location based on the location associated with the user; determine that the data destination location associated with the tracking tool is not the prohibited data destination location; and responsive to the data destination location associated with the tracking tool not being the prohibited data destination location, permit the tracking tool to execute.

System and method for performing remote security assessment of firewalled computer

Methods and systems for scanning an endpoint terminal across an open computer network are disclosed. An exemplary method includes providing a scanner engine in a computer server in communication with an open computer network, and establishing a secure connection across the open computer network between the scanner engine and a scanner agent installed on the endpoint terminal in communication with the open computer network. Commands for collecting data regarding the endpoint terminal are sent from the scanner engine across the secure connection to the scanner agent. The scanner engine then receives the collected data from the scanner agent across the secure connection, analyzes the data to assess a current posture of the endpoint terminal, and determines any updates for the endpoint terminal from the analysis. Updates are sent across the secure connection to the scanner agent for installation on the endpoint terminal, and the secure connection may then be terminated.