Abstract: Protecting against potentially harmful app (PHA) installation on a mobile device. In some embodiments, a method may include identifying apps already installed on multiple mobile devices, identifying PHAs in the apps already installed on the multiple mobile devices, training a machine learning classifier, based on the apps already installed on multiple mobile devices, to predict a likelihood that each of the PHAs will be installed on any mobile device, identifying one or more apps already installed on a particular mobile device, predicting, using the machine learning classifier, a likelihood that a target PHA of the PHAs will be installed on the particular mobile device based on the one or more apps already installed on the particular mobile device, and in response to the likelihood being higher than a threshold, performing a remedial action to protect the particular mobile device from the target PHA.

Abstract: The disclosed computer-implemented method for providing web tracking transparency to protect user data privacy may include (i) receiving a browser request for target websites during a browsing session, (ii) identifying a tracking type for website trackers utilized by the target websites, the tracking type including a direct tracking type or a tracking sharing type, (iii) extracting an information category for the target websites, (iv) detecting text patterns shared between the target websites in a common information category, (v) determining information collected about a user by the website trackers by combining the tracking type for the website trackers, the information category for the target websites, and the detected text patterns, and (v) performing a security action that protects against unsolicited website tracking in future browsing sessions by providing the information collected by the website trackers to the user. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for identifying software vulnerabilities in embedded device firmware may include (i) collecting a firmware image for an Internet-of-Things device, (ii) extracting library dependencies from the firmware image for the Internet-of-Things device, (iii) identifying a true version of a library specified in the firmware image by checking a ground truth database that records confirmed values for true versions for previously encountered libraries, and (iv) performing a security action to protect a user from a security risk based on identifying the true version of the library specified in the firmware image. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for fingerprinting devices may include (i) detecting that a new device has attempted to connect to a network gateway, (ii) attempting to fingerprint the new device as an instance of a known candidate device type by (a) transmitting to the new device, from a security application, a set of network messages that mimic network messages that a second application is configured to transmit to instances of the known candidate device type and (b) confirming, by the security application based on a response from the new device to the set of network messages, that the new device is the instance of the known candidate device type, and (iii) performing a security action to protect a network corresponding to the network gateway based on confirming that the new device is the instance of the known candidate device type. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Securing a network device by forecasting an attack event using a recurrent neural network. In one embodiment, a method may include collecting event sequences of events that occurred on multiple network devices, generating training sequences, validation sequences, and test sequences from the event sequences, training a recurrent neural network using the training sequences, the validation sequences, and the test sequences, collecting an event sequence of the most recent events that occurred on a target network device, forecasting, using the recurrent neural network and based on the event sequence of the most recent events that occurred on the target network device, the next event that will occur on the target network device, and in response to the forecasted next event being an attack event, performing a security action to prevent harm to the target network device from the attack event.

Abstract: Methods and systems are provided for generating a security profile for a new computing system. One example method generally includes obtaining, over a network, information associated with a plurality of existing computing systems and generating, by a clustering algorithm, a set of clusters based on the information associated with the plurality of existing computing systems. The method further includes obtaining external data associated with the computing system and classifying the computing system into a cluster in the set of clusters based on the external data associated with the computing system. The method further includes determining the security profile based on statistics associated with the cluster and transmitting, over the network, an indication of the security profile.

Abstract: Disclosed computer-implemented methods for identifying malicious domain names from a passive domain name system server log (DNS log) may include, in some examples, (1) creating a pool of domain names from the DNS log, (2) identifying respective features of each name in the pool, (3) preparing a list of known benign names and respective features of each known benign name, (4) preparing a list of known malicious names and features of each known malicious name, (5) computing a classification model based on (A) the features of each benign name on the list of benign names and (B) the features of each malicious name on the list of malicious names, (6) identifying respective features of an unclassified domain name, and (7) classifying, using the classification model, the unclassified domain name as malicious, based on the respective features of the unclassified domain name. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Securing network devices by forecasting future security incidents for a network based on past security incidents. In one embodiment, a method may include constructing past inside-in security features for a network, constructing past outside-in security features for the network, and employing dynamic time warping to generate a similarity score for each security feature pair in the past inside-in security features, in the past outside-in security features, and between the past inside-in security features and the past outside-in security features. The method may further include generating a Coupled Gaussian Latent Variable (CGLV) model based on the similarity scores, forecasting future inside-in security features for the network using the CGLV model, and performing a security action on one or more network devices of the network based on the forecasted future inside-in security features for the network.

Abstract: The disclosed computer-implemented method for mapping services utilized by network domains may include (i) receiving a request to perform a risk assessment on a domain, (ii) querying a database for records associated with the domain, where each record links to a network resource that enables functionality of the domain, (iii) generating a service map that matches each network resource to a corresponding service type and service provider, (v) performing the risk assessment of the domain, and (vi) facilitating a security measure for the domain based on a result of the risk assessment. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for assessing cyber risks using incident-origin information may include (1) receiving a request for a cyber-risk assessment of an entity of interest, (2) using an Internet-address data source that maps identifiers of entities to public Internet addresses of the entities to translate an identifier of the entity into a set of Internet addresses of the entity, (3) using an incident-origin data source that maps externally-detected security incidents to public Internet addresses from which the security incidents originated to translate the set of Internet addresses into a set of security incidents that originated from the entity, and (4) using the set of security incidents to generate the cyber-risk assessment of the entity. Various other methods, systems, and computer-readable media may have similar features.

Abstract: The disclosed computer-implemented method for mapping Internet Protocol addresses for an organization may include (1) receiving information for an organization from an organizational server, (2) extracting data from a plurality of server data sources associated with the information, (3) mapping the data from the plurality of sever data sources to the information, and (4) determining, based at least in part on the mapped data, a list of IP addresses identifying one or more relationships associated with the organization thereby facilitating performing a security posture analysis against a malicious attack. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for determining the reputations of unknown files may include (1) identifying a file that was downloaded by the computing device from an external file host, (2) creating a node that represents the file in a dynamic file relationship graph, (3) connecting the node in the dynamic file relationship graph with at least one other node that represents an attribute of the external file host, and (4) labeling the node with a reputation score calculated based at least in part on a reputation score of the at least one other node that represents the attribute of the external file host. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for evaluating infection risks based on profiled user behaviors may include (1) collecting user-behavior profiles that may include labeled profiles (e.g., infected profiles and/or clean profiles) and/or unlabeled profiles, (2) training a classification model to distinguish infected profiles from clean profiles using features and labels of the user-behavior profiles, and (3) using the classification model to predict (a) a likelihood that a computing system of a user will become infected based on a profile of user behaviors of the user and/or (b) a likelihood that a user behavior in the user-behavior profiles will result in a computing-system infection. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for detecting vulnerabilities on servers may include (i) sending requests to servers for information about services potentially executing on the servers, (ii) receiving, in response to requests, messages from the servers that comprise the information about the services, wherein the set of messages use different formats for transmitting the information, (iii) creating, by analyzing the set of the messages, at least one heuristic that is capable of automatically extracting, from a message, an identifier of a service that executes on a server that sent the message, (iv) extracting, from the message, via the heuristic, the identifier of the service executes on the server that sent the message, and (v) determining, based on the identifier of the service, that the service contributes to a vulnerability on the server that sent the message. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for detecting vulnerabilities on servers may include (i) sending requests to servers for information about services potentially executing on the servers, (ii) receiving, in response to requests, messages from the servers that comprise the information about the services, wherein the set of messages use different formats for transmitting the information, (iii) creating, by analyzing the set of the messages, at least one heuristic that is capable of automatically extracting, from a message, an identifier of a service that executes on a server that sent the message, (iv) extracting, from the message, via the heuristic, the identifier of the service executes on the server that sent the message, and (v) determining, based on the identifier of the service, that the service contributes to a vulnerability on the server that sent the message. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for mapping Internet Protocol addresses for an organization may include (1) receiving information for an organization from an organizational server, (2) extracting data from a plurality of server data sources associated with the information, (3) mapping the data from the plurality of sever data sources to the information, and (4) determining, based at least in part on the mapped data, a list of IP addresses identifying one or more relationships associated with the organization thereby facilitating performing a security posture analysis against a malicious attack. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A system and method for detecting malicious hijack events in real-time is provided. The method may include receiving routing data associated with a Border Gateway Protocol (BGP) event from at least one BGP router. The method may further include generating a hijack detection model using a machine learning technique, such as Positive Unlabeled learning. The machine learning technique may include at least one data input and a probability output; wherein, the data input couples to receive a set of historically confirmed BGP hijacking data and the routing data, while the probability output transmits a probability value for the malicious event which may be calculated based upon the data input. Finally, the method may include classifying the BGP event as a malicious event or a benign event using the BGP hijack model and correcting routing tables that have been corrupted by a malicious event.

Abstract: The disclosed computer-implemented method for evaluating infection risks based on profiled user behaviors may include (1) collecting user-behavior profiles that may include labeled profiles (e.g., infected profiles and/or clean profiles) and/or unlabeled profiles, (2) training a classification model to distinguish infected profiles from clean profiles using features and labels of the user-behavior profiles, and (3) using the classification model to predict (a) a likelihood that a computing system of a user will become infected based on a profile of user behaviors of the user and/or (b) a likelihood that a user behavior in the user-behavior profiles will result in a computing-system infection. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A system and method for detecting malicious hijack events in real-time is provided. The method may include receiving routing data associated with a Border Gateway Protocol (BGP) event from at least one BGP router. The method may further include processing the routing data to generate a list of features representing ownership and various other details relating to origin and upstream equipment. The method may further include generating a hijack detection model using the routing data and the list of features, where a machine learning technique, such as Positive Unlabeled learning technique is employed. The machine learning technique may include at least one data input and a probability output; wherein, the data input couples to receive a set of historically confirmed BGP hijacking data and the routing data, while the probability output transmits a probability value for the malicious event which may be calculated based upon the data input.