Maarten Van Horenbeeck

A method and apparatus for risk scoring in a graph are disclosed. In the method and apparatus, a graph includes a first node that is connected with a node of a plurality of nodes using a communication link of a plurality of communication links. A plurality of link risk measures are then determined, whereby a link risk measure of the plurality of link risk measures pertains to the communication link of the plurality of communication links. Furthermore, a risk measure associated with the first… Show more

A method and apparatus for risk scoring in a graph are disclosed. In the method and apparatus, a graph includes a first node that is connected with a node of a plurality of nodes using a communication link of a plurality of communication links. A plurality of link risk measures are then determined, whereby a link risk measure of the plurality of link risk measures pertains to the communication link of the plurality of communication links. Furthermore, a risk measure associated with the first node is determined based at least in part on the plurality of link risk measures. The risk measure is monitored to determine if one or more conditions placed on the risk measure are met and one or more actions are taken as a result of the one or more conditions being met. Show less

A method and apparatus for path detection are disclosed. In the method and apparatus, a data path may link two path-end nodes in a network. Event data for the network may be received and may be used to determine, for each node resident on the path, proximity measures to each path-end node. The proximity measure of network nodes may be evaluated to determine whether a path exists between the two path-end nodes.

Techniques described and suggested herein include various systems and methods for determining risk levels associated with transiting data, and routing portions of the data in accordance with the determined risk levels. For example, a risk analyzer may apply risk classifiers to transiting data to determine overall risk levels of some or all of the transiting data. A traffic router may route transiting data according to determined risk profiles for the data. A sandbox may be implemented to… Show more

Techniques described and suggested herein include various systems and methods for determining risk levels associated with transiting data, and routing portions of the data in accordance with the determined risk levels. For example, a risk analyzer may apply risk classifiers to transiting data to determine overall risk levels of some or all of the transiting data. A traffic router may route transiting data according to determined risk profiles for the data. A sandbox may be implemented to compare, for a given input, expected and observed outputs for a subset of transiting data, so as to determine risk profiles associated with at least the subset. Show less

Method and apparatus for identifying a flow of data from a first data store to a second data store are disclosed. In the method and apparatus, a service may send the data from the first data store to the second data store, whereby the service may be associated with an access control policy that specifies whether the service is permitted to send or receive the data. The access control policy may be used as a basis for the evaluation of executable instructions of the service, and evaluation of… Show more

Method and apparatus for identifying a flow of data from a first data store to a second data store are disclosed. In the method and apparatus, a service may send the data from the first data store to the second data store, whereby the service may be associated with an access control policy that specifies whether the service is permitted to send or receive the data. The access control policy may be used as a basis for the evaluation of executable instructions of the service, and evaluation of the executable instructions may be used to identify the first data store or the second data store. Show less

A method and system are provided that create a limited use secure environment (LSE) image such as a limited use operating system installation that can be booted from a removable medium (e.g. CD or flash drive). The limited use secure environment is a limited purpose OS, web browser, etc. that prevents undesired activities. When the limited use secure environment boots, it initiates a pairing operation in which a pairing code and user credentials are conveyed to an authorization server. Once the… Show more

A method and system are provided that create a limited use secure environment (LSE) image such as a limited use operating system installation that can be booted from a removable medium (e.g. CD or flash drive). The limited use secure environment is a limited purpose OS, web browser, etc. that prevents undesired activities. When the limited use secure environment boots, it initiates a pairing operation in which a pairing code and user credentials are conveyed to an authorization server. Once the pairing code and credentials are confirmed, a provisioning service provides configuration credentials to the limited use secure environment to enable the limited use secure environment to establish a secure connection through a gateway to resources of interest. Show less

Techniques for detecting access to computer system data by applications running on a computer system are described herein. Data access event log entries are recorded, the log entries including one or more metadata items associated with how the computer system application accessed the computer system data. The log entries are analyzed using correlations with other computer system events and, if improper access is detected, one or more operations relating to the type of data accessed and the type… Show more

Techniques for detecting access to computer system data by applications running on a computer system are described herein. Data access event log entries are recorded, the log entries including one or more metadata items associated with how the computer system application accessed the computer system data. The log entries are analyzed using correlations with other computer system events and, if improper access is detected, one or more operations relating to the type of data accessed and the type of violation are performed to mitigate the improper data access. Show less

Techniques for analyzing a dataset may be provided. For example, a configuration file may be accessed. The dataset may be analyzed based on a condition identified in the configuration file. A report may be generated and transmitted based on the analysis. Another report generated based on an analysis of another dataset according to another configuration file may be accessed. The dataset may be further analyzed based on this report to determine if a reported observation may also be associated… Show more

Techniques for analyzing a dataset may be provided. For example, a configuration file may be accessed. The dataset may be analyzed based on a condition identified in the configuration file. A report may be generated and transmitted based on the analysis. Another report generated based on an analysis of another dataset according to another configuration file may be accessed. The dataset may be further analyzed based on this report to determine if a reported observation may also be associated with the dataset. If so, a confirmation may be generated and transmitted. Show less

A method and apparatus for path detection are disclosed. In the method and apparatus, a data path may link two path-end nodes in a network. Event data for the network may be received and may be used to determine, for each node resident on the path, proximity measures to each path-end node. The proximity measure of network nodes may be evaluated to determine whether a path exists between the two path-end nodes.

Based on an access of a client device to the network-based document, information associated with this access may be recorded. The information may be analyzed to determine whether a condition associated with the direct access may be violated. An issue may be detected with the client device access based on a determination that the condition may be violated.

Techniques described and suggested herein include various systems and methods for determining risk levels associated with transiting data, and routing portions of the data in accordance with the determined risk levels. For example, a risk analyzer may apply risk classifiers to transiting data to determine overall risk levels of some or all of the transiting data. A traffic router may route transiting data according to determined risk profiles for the data. A sandbox may be implemented to… Show more

Techniques described and suggested herein include various systems and methods for determining risk levels associated with transiting data, and routing portions of the data in accordance with the determined risk levels. For example, a risk analyzer may apply risk classifiers to transiting data to determine overall risk levels of some or all of the transiting data. A traffic router may route transiting data according to determined risk profiles for the data. A sandbox may be implemented to compare, for a given input, expected and observed outputs for a subset of the transiting data, so as to determine risk profiles associated with at least the subset. Show less

Techniques for analyzing access to a network-based document may be provided. For example, a portion of the network-based document for hashing may be identified. A client hash of the portion may be accessed. The client hash may be based on an access of a client to the network-based document over a network. A provider hash of the portion may be also accessed. The provider hash may be based on a trusted version of the portion. The client hash and the provider hash may be compared. Based on the… Show more

Techniques for analyzing access to a network-based document may be provided. For example, a portion of the network-based document for hashing may be identified. A client hash of the portion may be accessed. The client hash may be based on an access of a client to the network-based document over a network. A provider hash of the portion may be also accessed. The provider hash may be based on a trusted version of the portion. The client hash and the provider hash may be compared. Based on the comparison, an issue associated with the access to the network-based document over the network may be detected. Show less

Techniques for analyzing access to a network-based resource may be provided. For example, a client record associated with the access to the network-based resource over a network may be compared to a provider record. The client record may indicate an address of the network based resource and can be received from a computing resource. The provider record can also indicate the address and can be received from a trusted computing resource. Based on the comparison, an issue associated with the… Show more

Techniques for analyzing access to a network-based resource may be provided. For example, a client record associated with the access to the network-based resource over a network may be compared to a provider record. The client record may indicate an address of the network based resource and can be received from a computing resource. The provider record can also indicate the address and can be received from a trusted computing resource. Based on the comparison, an issue associated with the access to the network-based resource over the network may be detected. Show less

A computing device analyzes digital certificates received from various different sites (e.g., accessed via the Internet or other network) in order to automatically detect fraudulent digital certificates. The computing device maintains a record of the digital certificates it receives from these various different sites. A certificate screening service operating remotely from the computing device also accesses these various different sites and maintains a record of the digital certificates that… Show more

A computing device analyzes digital certificates received from various different sites (e.g., accessed via the Internet or other network) in order to automatically detect fraudulent digital certificates. The computing device maintains a record of the digital certificates it receives from these various different sites. A certificate screening service operating remotely from the computing device also accesses these various different sites and maintains a record of the digital certificates that the service receives from these sites. In response to a request to access a target site the computing device receives a current digital certificate from the target site. The computing device determines whether the current digital certificate is genuine or fraudulent based on one or more of previously received digital certificates for the target site, confirmation certificates received from the certificate screening service, and additional characteristics of the digital certificates and/or the target site. Show less