Patents by Inventor Craig Schmugar

Craig Schmugar has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11580219
    Abstract: A technique for detecting malware involves loading known malware information, finding a string in the known malware information, saving the string in a first database, identifying a first contiguous string block from the known malware information, assigning a confidence indicator to the first contiguous string block, attempting to find the first contiguous string block in a second database containing one or more contiguous string blocks extracted from known malware, and responsive to a determination the first contiguous string block meets a predetermined threshold of similarity with a second contiguous string block contained in the second database, labelling the first contiguous string block.
    Type: Grant
    Filed: January 25, 2018
    Date of Patent: February 14, 2023
    Assignee: McAfee, LLC
    Inventors: Craig Schmugar, Zheng Zhang, John Teddy, Michael Hughes
  • Patent number: 11528291
    Abstract: Methods, apparatus, systems and articles of manufacture are disclosed for defending against exploitation of vulnerable software. An example apparatus comprises an inventory controller to identify a vulnerable application corresponding to one or more files including a security defect, an origination identifying generator to identify an origination source of incoming data, the origination source tagged as suspicious, a workload analyzing controller to query, in response to the suspicious origination source, an inventory datastore to determine if the incoming data is to be accessed by the vulnerable application, and a policy application executor to, in response to determining the incoming data is to be accessed by the vulnerable application, apply a policy action to the vulnerable application to protect the vulnerable application from exposing the security defect to malicious data in the incoming data.
    Type: Grant
    Filed: November 25, 2019
    Date of Patent: December 13, 2022
    Assignee: McAfee, LLC
    Inventors: Jyothi Mehandale, Craig Schmugar
  • Publication number: 20220318383
    Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed. An example apparatus includes at least one memory, instructions; and processor circuitry to execute the instructions to train a neural network with a plurality of raw byte data samples, perform feature extraction on ones of the plurality of raw byte data samples, determine whether ones of the plurality of raw byte data samples are clean or malicious using the extracted features, and determine a family of malware to which an identified malicious sample belongs.
    Type: Application
    Filed: April 5, 2022
    Publication date: October 6, 2022
    Inventors: Yonghong Huang, Steven Grobman, Jonathan King, Craig Schmugar, Abhishek Karnik, Celeste Fralick, Vitaly Zaytsev
  • Publication number: 20220131896
    Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a network interface; a userspace application store including a plurality of userspace applications, wherein at least some of the userspace applications are programmed to communicate via the network interface; and instructions encoded within the memory to: enumerate social connections of a user via the userspace applications; assign the social connections to virtual groups according, at least in part, to correlated connection services; assign data transfer policies to the virtual groups; detect an attempted data transfer to a social connection; and enforce the data transfer policy for a virtual group of the social connection of the attempted data transfer.
    Type: Application
    Filed: October 26, 2020
    Publication date: April 28, 2022
    Applicant: McAfee, LLC
    Inventors: Craig Schmugar, David Allen Marcus, Erwin R. Corpuz, Matthew J. Hodyno, Jonathan Lee Prather
  • Patent number: 11244047
    Abstract: There is disclosed in one example a computing apparatus, including: a processor and a memory; a network interface to communicatively couple to a backup client; a storage to receive backup data from the client, including a plurality of versions and an associated reputation for each version, the associated reputation to indicate a probability that the version is valid; and instructions encoded within the memory to instruct the processor to: receive from the backup client a request to store a new version of the backup data; determine that the client has exceeded a backup threshold; identify a backup version having a lowest reputation for validity; and expunge the backup version having the lowest reputation for validity.
    Type: Grant
    Filed: September 23, 2019
    Date of Patent: February 8, 2022
    Assignee: McAfee, LLC
    Inventors: Igor Muttik, Simon Hunt, Cedric Cochin, Craig Schmugar, Robert Leong, Christiaan Beek, Yury Bulygin
  • Patent number: 11232199
    Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed to defend against dynamic-link library (DLL) side-loading attacks. An example apparatus includes a fingerprint generator to determine a first DLL fingerprint of a first DLL stored at a first OS path referenced by an operating system (OS) event generated by a computing device, and, in response to determining that a second DLL having the same name as the first DLL is stored at a second OS path superseding the first OS path, determine a second DLL fingerprint of the second DLL, a fingerprint comparator to determine whether at least one of the first or the second DLL fingerprint satisfies a deviation threshold based on a comparison of the first and the second DLL fingerprint to a reference DLL fingerprint, and a security action enforcer to execute a security action to protect a computing device from an attack.
    Type: Grant
    Filed: December 27, 2019
    Date of Patent: January 25, 2022
    Assignee: MCAFEE, LLC
    Inventors: Craig Schmugar, Jyothi Mehandale
  • Patent number: 11176249
    Abstract: There is disclosed in one example a computing apparatus, including: a network interface; a hardware platform, including at least a processor and a memory; and instructions encoded in the memory to instruct the processor to: identify an executable object to be run on the apparatus, the executable object to provision a plurality of local files or objects with unknown local reputations; query via the network interface a remote service with an identification of the executable object; responsive to the query, receive from the remote service a reputation batch for the local files or object; and selectively permit installation of the executable object and/or the plurality of local files or objects based at least in part on individual reputations within the reputation batch.
    Type: Grant
    Filed: March 28, 2019
    Date of Patent: November 16, 2021
    Assignee: McAfee, LLC
    Inventors: Craig Schmugar, Jyothi Mehandale
  • Publication number: 20210200867
    Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed to defend against dynamic-link library (DLL) side-loading attacks. An example apparatus includes a fingerprint generator to determine a first DLL fingerprint of a first DLL stored at a first OS path referenced by an operating system (OS) event generated by a computing device, and, in response to determining that a second DLL having the same name as the first DLL is stored at a second OS path superseding the first OS path, determine a second DLL fingerprint of the second DLL, a fingerprint comparator to determine whether at least one of the first or the second DLL fingerprint satisfies a deviation threshold based on a comparison of the first and the second DLL fingerprint to a reference DLL fingerprint, and a security action enforcer to execute a security action to protect a computing device from an attack.
    Type: Application
    Filed: December 27, 2019
    Publication date: July 1, 2021
    Inventors: Craig Schmugar, Jyothi Mehandale
  • Publication number: 20210160272
    Abstract: Methods, apparatus, systems and articles of manufacture are disclosed for defending against exploitation of vulnerable software. An example apparatus comprises an inventory controller to identify a vulnerable application corresponding to one or more files including a security defect, an origination identifying generator to identify an origination source of incoming data, the origination source tagged as suspicious, a workload analyzing controller to query, in response to the suspicious origination source, an inventory datastore to determine if the incoming data is to be accessed by the vulnerable application, and a policy application executor to, in response to determining the incoming data is to be accessed by the vulnerable application, apply a policy action to the vulnerable application to protect the vulnerable application from exposing the security defect to malicious data in the incoming data.
    Type: Application
    Filed: November 25, 2019
    Publication date: May 27, 2021
    Inventors: Jyothi Mehandale, Craig Schmugar
  • Publication number: 20200311259
    Abstract: There is disclosed in one example a computing apparatus, including: a network interface; a hardware platform, including at least a processor and a memory; and instructions encoded in the memory to instruct the processor to: identify an executable object to be run on the apparatus, the executable object to provision a plurality of local files or objects with unknown local reputations; query via the network interface a remote service with an identification of the executable object; responsive to the query, receive from the remote service a reputation batch for the local files or object; and selectively permit installation of the executable object and/or the plurality of local files or objects based at least in part on individual reputations within the reputation batch.
    Type: Application
    Filed: March 28, 2019
    Publication date: October 1, 2020
    Applicant: McAfee, LLC
    Inventors: Craig Schmugar, Jyothi Mehandale
  • Publication number: 20200314126
    Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a contextual reputation store; and instructions encoded within the memory to provision a security agent configured to: create a user persona in the contextual reputation store based at least in part on the user's interaction with the computing apparatus; compute a persona-weighted reputation for an action and store the persona-weighted reputation action to the contextual reputation store; intercept a user action on the computing apparatus; determine a current user persona; determine from the contextual reputation store a persona-weighted reputation for the user action; and take a security action based at least in part on the persona-weighted reputation for the user action.
    Type: Application
    Filed: March 27, 2019
    Publication date: October 1, 2020
    Applicant: McAfee, LLC
    Inventors: Craig Schmugar, Robert Leong
  • Patent number: 10726129
    Abstract: A technique for detecting malware looks at startup hooks that may be created by malware to assist in ensuring that the malware is started upon a reboot of a programmable device. After enumerating startup hooks in the system, startup hooks associated with untrusted executables are deleted. If the startup hook is restored, that is an indication that the untrusted executable may be malware. An indication may then be passed to an anti-malware software to analyze the executable further.
    Type: Grant
    Filed: April 18, 2019
    Date of Patent: July 28, 2020
    Assignee: McAfee, LLC
    Inventors: Craig Schmugar, John Teddy, Cedric Cochin
  • Publication number: 20200034532
    Abstract: There is disclosed in one example a computing apparatus, including: a processor and a memory; a network interface to communicatively couple to a backup client; a storage to receive backup data from the client, including a plurality of versions and an associated reputation for each version, the associated reputation to indicate a probability that the version is valid; and instructions encoded within the memory to instruct the processor to: receive from the backup client a request to store a new version of the backup data; determine that the client has exceeded a backup threshold; identify a backup version having a lowest reputation for validity; and expunge the backup version having the lowest reputation for validity.
    Type: Application
    Filed: September 23, 2019
    Publication date: January 30, 2020
    Applicant: McAfee, LLC
    Inventors: Igor Muttik, Simon Hunt, Cedric Cochin, Craig Schmugar, Robert Leong, Christiaan Beek, Yury Bulygin
  • Publication number: 20190243975
    Abstract: A technique for detecting malware looks at startup hooks that may be created by malware to assist in ensuring that the malware is started upon a reboot of a programmable device. After enumerating startup hooks in the system, startup hooks associated with untrusted executables are deleted. If the startup hook is restored, that is an indication that the untrusted executable may be malware. An indication may then be passed to an anti-malware software to analyze the executable further.
    Type: Application
    Filed: April 18, 2019
    Publication date: August 8, 2019
    Inventors: Craig Schmugar, John Teddy, Cedric Cochin
  • Publication number: 20190228151
    Abstract: A technique for detecting malware involves loading known malware information, finding a string in the known malware information, saving the string in a first database, identifying a first contiguous string block from the known malware information, assigning a confidence indicator to the first contiguous string block, attempting to find the first contiguous string block in a second database containing one or more contiguous string blocks extracted from known malware, and labelling the first contiguous string block, responsive to a determination the first contiguous string block meets a predetermined threshold of similarity with a second contiguous string block contained in the second database.
    Type: Application
    Filed: January 25, 2018
    Publication date: July 25, 2019
    Inventors: Craig Schmugar, Zheng Zhang, John Teddy, Michael Hughes
  • Patent number: 10303876
    Abstract: A technique for detecting malware looks at startup hooks that may be created by malware to assist in ensuring that the malware is started upon a reboot of a programmable device. After enumerating startup hooks in the system, startup hooks associated with untrusted executables are deleted. If the startup hook is restored, that is an indication that the untrusted executable may be malware. An indication may then be passed to an anti-malware software to analyze the executable further.
    Type: Grant
    Filed: December 27, 2016
    Date of Patent: May 28, 2019
    Assignee: McAfee, LLC
    Inventors: Craig Schmugar, John Teddy, Cedric Cochin
  • Publication number: 20180181753
    Abstract: A technique for detecting malware looks at startup hooks that may be created by malware to assist in ensuring that the malware is started upon a reboot of a programmable device. After enumerating startup hooks in the system, startup hooks associated with untrusted executables are deleted. If the startup hook is restored, that is an indication that the untrusted executable may be malware. An indication may then be passed to an anti-malware software to analyze the executable further.
    Type: Application
    Filed: December 27, 2016
    Publication date: June 28, 2018
    Inventors: Craig Schmugar, John Teddy, Cedric Cochin
  • Publication number: 20180181761
    Abstract: Assessing ransomware impact includes receiving an indication of a first plurality of files stored on a user device and a classification for each of the first plurality of files, determining a second plurality of files stored in a remote storage, wherein the second plurality of files corresponds to an indication of files stored on the user device at a first prior time, wherein each of the second plurality of files are associated with a second classification, determining a third plurality of files comprising files included in the first plurality of files and not included in the second plurality of files, and calculating a risk assessment based on classifications for each of the third plurality of files.
    Type: Application
    Filed: December 28, 2016
    Publication date: June 28, 2018
    Inventors: Bidan Sinha, Arun Chundiriyil Pullat, Arpit Pradhan, German Lancioni, Priyadarshini Rao Rajan, Cedric Cochin, Craig Schmugar
  • Patent number: 9565214
    Abstract: Technologies for securing an electronic device include trapping an attempt to access a secured system resource of the electronic device, determining a module associated with the attempt, determining a subsection of the module associated with the attempt, the subsection including a memory location associated with the attempt, accessing a security rule to determine whether to allow the attempted access based on the determination of the module and the determination of the subsection, and handling the attempt based on the security rule. The module includes a plurality of distinct subsections.
    Type: Grant
    Filed: February 29, 2016
    Date of Patent: February 7, 2017
    Assignee: McAfee, Inc.
    Inventors: Aditya Kapoor, Jonathan L. Edwards, Craig Schmugar, Vladimir Konobeev, Michael Hughes
  • Publication number: 20160182569
    Abstract: Technologies for securing an electronic device include trapping an attempt to access a secured system resource of the electronic device, determining a module associated with the attempt, determining a subsection of the module associated with the attempt, the subsection including a memory location associated with the attempt, accessing a security rule to determine whether to allow the attempted access based on the determination of the module and the determination of the subsection, and handling the attempt based on the security rule. The module includes a plurality of distinct subsections.
    Type: Application
    Filed: February 29, 2016
    Publication date: June 23, 2016
    Inventors: Aditya Kapoor, Jonathan L. Edwards, Craig Schmugar, Vladimir Konobeev, Michael Hughes