Patent classifications
H04W12/67
Method and apparatus for providing an adaptable security level in an electronic communication
A method of communicating in a secure communication system comprises the steps of assembling a message at a sender, then determining a security level, and including an indication of the security level in a header of the message. The message is then sent to a recipient.
MULTI-PERSPECTIVE SECURITY CONTEXT PER ACTOR
A flexible security system has been created that allows for fluid security operations that adapt to the dynamic nature of user behavior while also allowing the security related operations themselves to be dynamic. This flexible system includes ongoing collection and/or updating of multi-perspective “security contexts” per actor and facilitating consumption of these multi-perspective security contexts for security related operations on the users. These security related operations can include policy-based security enforcement and inspection. A security platform component or security entity uses a multi-perspective security context for a user or actor. Aggregating and maintaining behavioral information into a data structure for an actor over time from different sources allows a security platform component or entity to have historical context for an actor from one or more security perspectives. Descriptors that form a security context can originate from various sources having visibility of user behavior and/or user attributes.
Systems and methods for facilitating network voice authentication
Systems and methods are provided for facilitating voice authentication of a user in connection with a network transaction. One exemplary method includes receiving an authentication request for a transaction, initiated at a voice interactive device, from a merchant plug-in (MPI) associated with a merchant involved in the transaction, where the authentication request includes a pre-authentication indicator based on voice authentication of a user by the voice interactive device or by a voice authentication service. The method also includes generating a risk score for the transaction based at least in part on the pre-authentication indicator, transmitting the risk score with the authentication request for the transaction to an access controller server (ACS) associated with an issuer of an account to which the transaction is directed, and returning a result response to the MPI where the result response indicates permission to proceed in the transaction based on authentication of the user.
IOT device risk assessment and scoring
Techniques for establishing a risk score for Internet of Things (IoT) device parameters and acting in response thereto are disclosed. One or more data packets transmitted to or from an Internet of Things (IoT) device are analyzed to obtain event parameters. The event parameters are analyzed to determine a context of the IoT device. A behavior of the IoT device is determined based at least in part on the event parameters and the context. A progressive risk score is obtained for the IoT device. Subsequent to obtaining the progressive risk assessment score, the progressive risk assessment score is updated based at least in part on an analysis of one or more additional data packets.
Subscriber identification module (SIM) authentication protections
A method of computer authentication of a user request for a Subscriber Identity Module (SIM) card transfer by a biometric signature from a user equipment (UE) comprising assigning a risk score, by a mobile service provider, to a user account based on user activity in the user account, wherein the user activity includes a SIM card transfer authorization. The mobile service provider then sends a message requesting a biometric signature from an authentication application executing in memory on the UE. The authentication application on the UE then proceeds by capturing a biometric signature, encrypting the biometric signature, and sending an encrypted biometric signature to the mobile service provider using a wireless communication protocol. The mobile service provider then compares the biometric signature to an authorized signature and modifies the risk score based on the comparison.
AUTONOMOUS VEHICLE SECURITY MEASURES IN RESPONSE TO AN ATTACK ON AN IN-VEHICLE COMMUNICATION NETWORK
An illicit signal is detected on an in-vehicle communication network of an autonomous vehicle. A severity level corresponding to the illicit signal is identified, among multiple severity levels, based on one or more characteristics associated with the illicit signal. The severity level is indicative of a level of adverse impact on safety related to an autonomous vehicle environment. The adverse impact is to be caused by the autonomous vehicle when the autonomous vehicle is compromised by the illicit signal. A security operation is selected from multiple security operations based on the identified severity level. The security operation is performed to mitigate the adverse impact on safety related to the autonomous vehicle environment.
USER BEHAVIOR ANALYTICS FOR INSIDER THREAT DETECTION
Disclosed in some examples are systems, methods, and machine-readable mediums for identifying insider threats by determining file system element activity models that correlate to undesirable behavior and then utilizing the determined model to detect insider threats. Events involving file system elements of a client computing device (e.g., a network endpoint) may be monitored by a file system element monitoring application on the client computing device. The values of these signals are aggregated across all events of the same type that have occurred within a predetermined time window (e.g., an hour) for a particular client computing device. Each time an aggregated signal has a value over the threshold, an anomaly is recorded. Anomaly counts for each signal are then calculated as the aggregate number of anomalies for a particular signal over a second time period, the span of which is determined by the generation of the first anomaly to the close of an alert by the network monitor. The anomaly counts for the signals are then weighted and summed to produce a risk score.