Virus Detection Patents (Class 726/24)
  • Patent number: 11210464
    Abstract: Methods and systems are presented for automatically detecting positions of various webpage elements within a webpage when the webpage is rendered, based on analyzing the programming code of the webpage. A position detection system obtains and parses the programming code of the webpage to identify webpage elements within the webpage. A group of related webpage elements is identified based on a shared programming structure. The position detection system generates a DOM tree based on the programming code, and determines relative positions of the webpage elements within the group by traversing the DOM tree using a breadth-first search algorithm.
    Type: Grant
    Filed: September 3, 2019
    Date of Patent: December 28, 2021
    Assignee: PayPal, Inc.
    Inventors: Olga Sharshevsky, Yarden Raiskin, Ran Yuchtman
  • Patent number: 11210411
    Abstract: Examples of a data transmission method and apparatus in TEE systems are described. One example of the method includes: obtaining first data; obtaining a write offset address by reading a first address; obtaining a read offset address by reading a second address; determining whether the number of bytes in the first data is less than or equal to the number of writable bytes, where the number of writable bytes is determined based on the write offset address and the read offset address, and each address corresponds to one byte; when the number of bytes in the first data is less than or equal to the number of writable bytes, writing the first data into third addresses starting from the write offset address; and updating the write offset address in the first address.
    Type: Grant
    Filed: May 10, 2021
    Date of Patent: December 28, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventors: Qi Liu, Boran Zhao, Ying Yan, Changzheng Wei
  • Patent number: 11204745
    Abstract: Examples herein describe techniques for generating dataflow graphs using source code for defining kernels and communication links between those kernels. In one embodiment, the graph is formed using nodes (e.g., kernels) which are communicatively coupled by edges (e.g., the communication links between the kernels). A compiler converts the source code into a bit stream and/or binary code which configure a heterogeneous processing system of a SoC to execute the graph. The compiler uses the graph expressed in source code to determine where to assign the kernels in the heterogeneous processing system. Further, the compiler can select the specific communication techniques to establish the communication links between the kernels and whether synchronization should be used in a communication link. Thus, the programmer can express the dataflow graph at a high-level (using source code) without understanding about how the operator graph is implemented using the heterogeneous hardware in the SoC.
    Type: Grant
    Filed: May 23, 2019
    Date of Patent: December 21, 2021
    Assignee: XILINX, INC.
    Inventors: Shail Aditya Gupta, Samuel R. Bayliss, Vinod K. Kathail, Ralph D. Wittig, Philip B. James-Roxby, Akella Sastry
  • Patent number: 11204999
    Abstract: Disclosed are an apparatus and method of verifying an application installation procedure. One example method of operation may include receiving an application at a computer device and initiating the installation of the application on the computer device. The method may also provide executing the application during the installation procedure and creating a hash value corresponding to the executed application data. The method may further provide storing the hash value in memory and comparing the hash value to a pre-stored hash value to determine whether to continue the installation of the application.
    Type: Grant
    Filed: April 28, 2020
    Date of Patent: December 21, 2021
    Assignee: OPEN INVENTION NETWORK LLC
    Inventor: William Charles Easttom
  • Patent number: 11205001
    Abstract: A method of cleaning up a virus program, in an electronic terminal including at least one processor, is provided. An operable interface is displayed on a terminal locked page in response to a first operation instruction on the terminal locked page, the terminal locked page being a page of the virus program and displayed on a screen of the electronic terminal. A second operation instruction on the operable interface is obtained, and identifier information of the virus program is obtained in response to the second operation instruction. The virus program is controlled to run by displaying an auxiliary page on the screen of the electronic terminal in a bring-to-front manner. The virus program is cleaned up based on the identifier information.
    Type: Grant
    Filed: July 22, 2019
    Date of Patent: December 21, 2021
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LTD
    Inventor: Chen Geng
  • Patent number: 11202187
    Abstract: A system, method and storage medium for operating a stealth mode of an emergency vehicle includes receiving input data including at least one of an input from an operator or one or more program input parameters; determining a data operation mode based on the received input data, wherein the data operation mode is one of a normal mode and one or more stealth modes; and generating a control signal based on the determined operation mode. When the data operation mode is one of the one or more stealth modes, the control signal is adapted to control a first device to suspend a transmission of at least one data group among candidate suspended data to at least one second device in communication with the first device.
    Type: Grant
    Filed: December 20, 2019
    Date of Patent: December 14, 2021
    Assignee: WHELEN ENGINEERING COMPANY, INC.
    Inventor: George W. Whelen
  • Patent number: 11194909
    Abstract: A computerized method for logical identification of malicious threats across a plurality of end-point devices (EPD) communicatively connected by a network, comprising collecting over the network an identifier associated with each file of a plurality of files, wherein each file of the plurality of files is installed on at least one of the plurality of EPDs and wherein the identifier is the same for each like file of the plurality of files. Information associated with an identified subset of files is collected, wherein the information indicates at least a time at which the at least one file was installed on one or more of the plurality of EPDs and the way the at least one file spread within the network. The collected information is analyzed according to a set of predetermined computerized investigation rules. The analysis is used to determine whether at least a file of the identified subset files is a suspicious file.
    Type: Grant
    Filed: June 21, 2018
    Date of Patent: December 7, 2021
    Assignee: Palo Alto Networks, Inc.
    Inventor: Gil Barak
  • Patent number: 11196754
    Abstract: The disclosed computer-implemented method for protecting against malicious content may include intercepting, by a security application installed on the computing device, an original message intended for a target application installed on the same computing device. The original message may include potentially malicious content. The security application may forward the original message to a security service. The computing device may receive a clean message from the security service, wherein the clean message includes a safe representation of the potentially malicious content. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: June 25, 2019
    Date of Patent: December 7, 2021
    Assignee: CA, INC.
    Inventors: Everett Lai, Tamas Rudnai
  • Patent number: 11196765
    Abstract: Simulating user interactions during dynamic analysis of a sample is disclosed. A sample is received for analysis. Prior to execution of the sample, a baseline screenshot of a desktop is generated by accessing frame buffer data stored on a graphics card. The sample is caused to execute, at least in part using one or more hypervisor instructions to move a pointing device to an icon associated with the sample. A current screenshot of the desktop is generated by accessing current frame buffer data stored on the graphics card.
    Type: Grant
    Filed: September 13, 2019
    Date of Patent: December 7, 2021
    Assignee: Palo Alto Networks, Inc.
    Inventors: Brandon R. Young, Daniel Raygoza, Sebas Sujeen Reymond Johnson, Abhiroop Dabral
  • Patent number: 11190540
    Abstract: The technology disclosed relates to detecting a data attack on a local file system. The detecting includes scanning a list to identify files of the local file system that have been updated within a timeframe, reading payloads of files identified by the scanning, calculating current content properties from the payload of the files, obtaining historical content properties of the files, determining that a malicious activity is in process by analyzing the current content properties and the historical content properties to identify a pattern of changes that exceeds a predetermined change velocity. Further, the detecting includes determining that the malicious activity is in process by analyzing the current content properties and known patterns of malicious metadata to identify a match between the current metadata and the known patterns of malicious metadata, determining a machine/user that initiated the malicious activity, and implementing a response mechanism that restricts file modifications by the machine/user.
    Type: Grant
    Filed: November 4, 2019
    Date of Patent: November 30, 2021
    Assignee: Netskope, Inc.
    Inventors: Sean Hittel, Krishna Narayanaswamy, Ravindra K. Balupari, Ravi Ithal
  • Patent number: 11188477
    Abstract: In an embodiment, a computer system comprises a page protection layer. The page protection layer may be the component in the system which manages the page tables for virtual to physical page mappings. Transactions to the page protection layer are used to create/manage mappings created in the page tables. The page protection layer may enforce dynamic security policies in the system (i.e. security policies that may not be enforced using only a static hardware configuration). In an embodiment, the page protection layer may ensure that it is the only component which is able to modify the page tables. The page protection layer may ensure that no component in the system is able to modify a page that is marked executable in any process' address space. The page protection may ensure that any page that is marked executable has code with a verified code signature, in an embodiment.
    Type: Grant
    Filed: September 9, 2019
    Date of Patent: November 30, 2021
    Assignee: Apple Inc.
    Inventors: Julien Oster, Thomas G. Holland, Bernard J. Semeria, Jason A. Harmening, Pierre-Olivier J. Martel, Gregory D. Hughes, P. Love Hornquist Astrand, Jacques Fortier, Ryan P. Nielson, Simon P. Cooper
  • Patent number: 11188644
    Abstract: There is provided a method for application behaviour control on a computer system. The method includes grouping applications into a set of clusters, wherein each application is grouped to a specific cluster on the basis of predefined event profiles for applications in the specific cluster; monitoring procedures that a specific cluster performs on one or more computer devices; and generating a list of expected events and prohibited events of the specific cluster based on monitoring for enabling the one or more client computer devices and/or an administrator of the one or more client computer devices to take further action related to the applications installed on the one or more client computer devices.
    Type: Grant
    Filed: March 18, 2019
    Date of Patent: November 30, 2021
    Assignee: F-Secure Corporation
    Inventors: Pavel Turbin, Dmitrii Tikhonov, Grigori Eskov, Janne Laaksonen
  • Patent number: 11188650
    Abstract: Data is analyzed using feature hashing to detect malware. A plurality of features in a feature set is hashed. The feature set is generated from a sample. The sample includes at least a portion of a file. Based on the hashing, one or more hashed features are indexed to generate an index vector. Each hashed feature corresponds to an index in the index vector. Using the index vector, a training dataset is generated. Using the training dataset, a machine learning model for identifying at least one file having a malicious code is trained.
    Type: Grant
    Filed: February 24, 2020
    Date of Patent: November 30, 2021
    Assignee: Cylance Inc.
    Inventor: Andrew Davis
  • Patent number: 11182182
    Abstract: A method of probing a computer system includes steps of compiling a script that includes a call to a first function with first parameters, to generate executable code that includes a call to a second function with second parameters, wherein the second function and the second parameters are specified as values of the first parameters of the first function in the call to the first function, injecting the executable code into an executing module of the computer system, and as the executing module is running, executing the executable code to call the second function.
    Type: Grant
    Filed: July 24, 2019
    Date of Patent: November 23, 2021
    Assignee: VMware, Inc.
    Inventors: Julien Freche, Ashish Kaila, Lorenzo David, Abhishek Srivastava, Nahim El Atmani
  • Patent number: 11184379
    Abstract: Disclosed herein are embodiments of systems, methods, and products comprising an analytic server, which automatically detects malicious electronic files. The analytic server receives electronic files, runs a file extraction module to recursively scan the electronic files, and extracts all of the embedded and linked electronic files. The analytic server runs an exploit scanner against the extracted electronic files, and extracts code included in the electronic files. The analytic server deobfuscates the extracted code and examines the deobfuscated code by applying a set of malicious behavior rules against the deobfuscated rules. The analytic server identifies potentially malicious electronic files based on the examination. The analytic server applies a set of whitelist rules on the potentially malicious electronic files to eliminate false alarms. The analytic server transmits alert notifications to an analyst regarding the malicious electronic files and updates the whitelist rules based on analyst's feedback.
    Type: Grant
    Filed: March 15, 2019
    Date of Patent: November 23, 2021
    Assignee: United Services Automobile Association (USAA)
    Inventor: Joseph Andrew Kjar
  • Patent number: 11182481
    Abstract: A system for evaluating files for cyber threats includes a machine learning model and a locality sensitive hash (LSH) repository. When the machine learning model classifies a target file as normal, the system searches the LSH repository for a malicious locality sensitive hash that is similar to a target locality sensitive hash of the target file. When the machine learning model classifies the target file as malicious, the system checks if response actions are enabled for the target file. The system reevaluates files that have been declared as normal, and updates the LSH repository in the event of false negatives. The system disables response actions for files that have been reported as false positives.
    Type: Grant
    Filed: July 31, 2019
    Date of Patent: November 23, 2021
    Assignee: Trend Micro Incorporated
    Inventors: Jonathan James Oliver, Chia-Yen Chang, Wen-Kwang Tsao, Li-Hsin Hsu
  • Patent number: 11184380
    Abstract: Website data security is provided by conditionally accessing, assessing, and processing website content file attribute data and website content files used to host websites with a first set of servers configured with website content security breach analysis, detection, and repair functionality. The website content files are conditionally accessed based on a file modification date without heavily loading the servers hosting the website. The website content is analyzed by decoding PHP code and executing code in a hardened execution environment. Repair is accomplished through removing or replacing breached content.
    Type: Grant
    Filed: December 10, 2019
    Date of Patent: November 23, 2021
    Assignee: SiteLock, LLC
    Inventors: Tomas Gorny, Tracy Conrad, Scott Lovell, Neill E. Feather
  • Patent number: 11177933
    Abstract: A method for side-channel attack mitigation in streaming encryption includes reading into a decryption process executing in memory of a computer, an input stream and extracting from the input stream both an encryption envelope and cipher text and extracting from the encryption envelope, a wrapped key. Then, decryption may be performed in constant time of the cipher text using one of two different keys, a first for authenticated decryption comprising the wrapped key, and a second for unauthenticated encryption comprising a dummy key, with no difference in timing of execution regardless of which of the two different keys are utilized during decryption of the cipher text.
    Type: Grant
    Filed: March 24, 2019
    Date of Patent: November 16, 2021
    Assignee: Google LLC
    Inventor: Adam Markowitz
  • Patent number: 11178172
    Abstract: The technology disclosed relates to detecting a data attack on a file system stored on an independent data store. The detecting includes scanning a list to identify files of the independent data store that have been updated within a timeframe, assembling current metadata for files identified by the scanning, obtaining historical metadata of the files, determining that a malicious activity is in process by analyzing the current metadata of the files and the historical metadata to identify a pattern of changes that exceeds a predetermined change velocity. Further, the detecting includes determining that the malicious activity is in process by analyzing the current metadata of the files and known patterns of malicious metadata to identify a match between the current metadata and the known patterns of malicious metadata, determining a machine/user that initiated the malicious activity, and implementing a response mechanism that restricts file modifications by the determined machine/user.
    Type: Grant
    Filed: November 8, 2019
    Date of Patent: November 16, 2021
    Assignee: NETSKOPE, INC.
    Inventors: Sean Hittel, Krishna Narayanaswamy, Ravindra K. Balupari, Ravi Ithal
  • Patent number: 11176263
    Abstract: Disclosed herein are systems and methods for detecting unauthorized alteration with regard to a certificate store. In one aspect, an exemplary method comprises tracking changes in a file system or a system registry of an operating system of a device with regard to the certificate store, detecting an alteration or an attempted alteration with regard to the certificate and sending information about the alteration or the attempted alteration to an analysis module, obtaining information about at least one certificate with which a change in the file system or the system registry with regard to the certificate store is connected, and determining a class of the change, where the class of the change is determined from a portion of the respective system registry or the file system in which the change occurred and from an action associated with the change, and comparing the obtained information to similar information on known certificates.
    Type: Grant
    Filed: March 20, 2019
    Date of Patent: November 16, 2021
    Assignee: AO Kaspersky Lab
    Inventors: Vladislav I. Ovcharik, Oleg G. Bykov, Natalya S. Sidorova
  • Patent number: 11178106
    Abstract: A first security policy associated with a first tenant in a multi-tenant hosting data processing environment is created. A first virtual machine is caused to execute on a first host, the first virtual machine associated with a first group defined by the first security policy. A controller is caused to send, from the controller to an agent executing on the first host, authorized communication information, the authorized communication information specifying a set of virtual machines associated with the first group. The agent is caused to configure a second routing entry in the first host, the second routing entry derived from the authorized communication information, the second routing entry causing the first virtual machine to reject outgoing network traffic intended for a second IP address, the second IP address associated with a third virtual machine outside the first group.
    Type: Grant
    Filed: February 11, 2019
    Date of Patent: November 16, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Yi Yang, Timothy J. Kuik, Flavio Fernandes, Kyle Andrew Donald Mestery
  • Patent number: 11178181
    Abstract: System and method for managing security-relevant information in a computer network uses a security information plane (SIP) manager to which different types of security-relevant data are uploaded from components in the computer network and from which networkwide aggregated security information produced from the security-relevant data is downloaded to a global security controller. The downloaded networkwide aggregated security information is used by the global security controller to control security applications running in the computer network.
    Type: Grant
    Filed: December 20, 2018
    Date of Patent: November 16, 2021
    Assignee: VMWARE, INC.
    Inventors: David Ott, Lei Xu, Dennis R. Moreau
  • Patent number: 11171973
    Abstract: A threat protection system provides for detecting links in a document and analyzing whether one of the detected links is a malicious link that may direct a user of the document to a malicious universal resource locator (URL). In one implementation of the described technology, when a user selects a link in a document, a link activation module calls a threat protection client module that performs a reputation check for the link. If the selected link is malicious, the threat protection client module sends a URL of a warning page to the link activation module.
    Type: Grant
    Filed: October 21, 2019
    Date of Patent: November 9, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Varagur Karthikeyan Sriram Iyer, Willson Kulandai Raj David, Vinayak Goyal, Matthew Bryan Jeffries
  • Patent number: 11165811
    Abstract: Computer security vulnerability assessment is performed with product binary data and product vulnerability data that correspond with product identification data. A correspondence between the product binary data and the product vulnerability data is determined, and a binaries-to-vulnerabilities database is generated. The binaries-to-vulnerabilities database is used to scan binary data from a target device to find matches with the product binary data. A known security vulnerability of the target device is determined based on the scanning and the correspondence between the product binary data and the vulnerability data. In some embodiments, the target device is powered off and used as an external storage device to receive the binary data therefrom.
    Type: Grant
    Filed: February 3, 2020
    Date of Patent: November 2, 2021
    Assignee: OPSWAT, Inc.
    Inventors: Benjamin Czarny, Jianpeng Mo, Ali Rezafard, David Matthew Patt
  • Patent number: 11159538
    Abstract: A malware profile is received. The malware profile comprises a set of one or more activities associated with executing a copy of a known malicious application that is associated with the malware profile. A set of one or more log entries is analyzed for a set of entries that matches the malware profile. Based at least in part on identifying the set of entries matching the malware profile, a determination is made that a host was compromised.
    Type: Grant
    Filed: January 31, 2018
    Date of Patent: October 26, 2021
    Assignee: Palo Alto Networks, Inc.
    Inventors: Jun Wang, Wei Xu
  • Patent number: 11157628
    Abstract: An information handling system may include a processor, a memory coupled to the processor, a storage resource, and a basic input/output system (BIOS). The BIOS may be configured to, while the information handling system is in a pre-boot environment and prior to initialization of an operating system of the information handling system: detect a security vulnerability of the information handling system; and store data regarding the security vulnerability in a portion of the storage resource that is accessible to both the BIOS and the operating system. The information handling system may be further configured to, after the initialization of the operating system, execute a security management service to access, from within the operating system, the data regarding the security vulnerability.
    Type: Grant
    Filed: July 25, 2019
    Date of Patent: October 26, 2021
    Assignee: Dell Products L.P.
    Inventors: Shekar Babu Suryanarayana, Balasingh Ponraj Samuel
  • Patent number: 11157620
    Abstract: A cybersecurity server receives an executable file to be classified. A call graph of the executable file is generated. Functions of the executable file are represented as vertices in the call graph, and a vertex value is generated for each vertex. The vertex values are arranged in traversal order of the call graph to generate a call graph pattern. A digest of the call graph pattern is calculated and compared to one or more malicious digests.
    Type: Grant
    Filed: January 21, 2020
    Date of Patent: October 26, 2021
    Assignee: Trend Micro Incorporated
    Inventors: Chia-Ching Fang, Shih-Hao Weng
  • Patent number: 11151248
    Abstract: There is provided a method which forwards an anomaly to cloud based malware analysis and detection system in order to analyze files having this anomaly and increase zero-day malware detection throughput for files attached to emails. The method takes data from a binary file for calculating the true file type and the file extension, then applies a contradiction check to control whether the file extension seen in a file name is consistent with the file type. The file of the attachment is forwarded to a zero-day malware analysis queue, implementing zero-day malware classification, if the file extension is not reflecting the true file type. If the file extension and the true file type are consistent, the method forwards the file of the attachment to a malware analysis and detection queue, implementing traditional unknown file classification.
    Type: Grant
    Filed: September 10, 2019
    Date of Patent: October 19, 2021
    Inventor: Berker Batur
  • Patent number: 11144642
    Abstract: A computer-implemented method, a computer program product, and a computer system. The computer system installs and configures a virtual imitating resource in the computer system, wherein the virtual imitating resource imitates a set of resources in the computer system. Installing and configuring the virtual imitating resource includes modifying respective values of an installed version of the virtual imitating resource for an environment of the computer system, determining whether the virtual imitating resource is a static imitating resource or a dynamic imitating resource, and comparing a call graph of the evasive malware with patterns of dynamic imitating resources on a database. The computer system returns a response from an appropriate element of the virtual imitating resource, in response to a call from the evasive malware to a real computing resource, return, by the computer system.
    Type: Grant
    Filed: November 25, 2019
    Date of Patent: October 12, 2021
    Assignee: International Business Machines Corporation
    Inventors: Zhongshu Gu, Heqing Huang, Jiyong Jang, Dhilung Hang Kirat, Xiaokui Shu, Marc P. Stoecklin, Jialong Zhang
  • Patent number: 11146532
    Abstract: Blockchain technology is used to provide security of electronic systems. The disclosed technology allows for a dynamic bond of trust to be applied to the field of information security without the need for a single point of trust to first be established. The lines of trust between electronic systems or devices is established by distributing information among the systems or devices. This allows for easy identification of commonalities and/or decision making whereby policy(s)/action(s)/monitoring/etc. can be enforced when those commonalities align. Simultaneously, deviations from those commonalities can be identified and policy(s)/action(s)/monitoring/etc. may also be invoked.
    Type: Grant
    Filed: November 26, 2018
    Date of Patent: October 12, 2021
    Inventor: Kevin Tobin
  • Patent number: 11144640
    Abstract: According to one embodiment of the present invention, a system provides security for a device and includes at least one processor. The system monitors a plurality of networked devices for a security risk. Each networked device is associated with a corresponding security risk tolerance. In response to a monitored security risk for one or more of the plurality of networked devices exceeding the corresponding risk tolerance, a network service is initiated to perform one or more actions on each of the one or more networked devices to alleviate the associated security risk. Embodiments of the present invention further include a method and computer program product for providing security to a device in substantially the same manner described above.
    Type: Grant
    Filed: August 9, 2019
    Date of Patent: October 12, 2021
    Assignee: International Business Machines Corporation
    Inventors: Michael Bender, Rhonda L. Childress, Marc A. Dickenson, Thomas J. Fleischman, Timothy J. Hahn
  • Patent number: 11138154
    Abstract: A method, computer program product, and computing system for performing an entropy analysis on each of a plurality of candidate data chunks associated with a potential candidate to generate a plurality of candidate data chunk entropies; performing an entropy analysis on each of a plurality of target data chunks associated with a potential target to generate a plurality of target data chunk entropies; identifying a candidate data chunk entropy limit, chosen from the plurality of candidate data chunk entropies, and a target data chunk entropy limit, chosen from the plurality of candidate data chunk entropies; and comparing a specific candidate data chunk associated with the candidate data chunk entropy limit to a specific target data chunk associated with the target data chunk entropy limit to determine if the specific candidate data chunk and the specific target data chunk are identical.
    Type: Grant
    Filed: May 3, 2019
    Date of Patent: October 5, 2021
    Assignee: EMC IP Holding Company, LLC
    Inventors: Sorin Faibish, Philip Shilane, Ivan Basov, Istvan Gonczi, Vamsi Vankamamidi
  • Patent number: 11140181
    Abstract: A web traffic logging system includes: a log setting unit which performs setting for collecting log from at least one of a web server and a web server operating system; a log gathering unit which creates log information including the log collected in accordance with the setting; and a log transmitting unit which transmits the log information to a cloud server.
    Type: Grant
    Filed: September 7, 2018
    Date of Patent: October 5, 2021
    Assignee: QUBIT SECURITY INC.
    Inventor: Seung Min Shin
  • Patent number: 11140553
    Abstract: Systems and methods for threat detection and mitigation for remote wireless communication network control systems. One example method includes receiving a threat detection message identifying a threat to at least one of a plurality of remote wireless network controllers, each associated with one of a plurality of wireless communication networks. The method includes determining a threat rating based on the threat detection message and determining, based on the rating, a threat mitigation action identifying at least a first remote wireless network controller of the plurality of remote wireless network controllers. The method includes executing the threat mitigation action by commanding a shift in an operational function of the first remote wireless network controller to a first on-premise wireless network controller associated with the same wireless communication network as the first remote wireless network controller.
    Type: Grant
    Filed: May 21, 2020
    Date of Patent: October 5, 2021
    Assignee: MOTOROLA SOLUTIONS, INC.
    Inventors: Sean M. Taylor, Edwin Alicea, Michael F. Korus
  • Patent number: 11134106
    Abstract: Mobile device security, device management, and policy enforcement are described in a cloud-based system where the “cloud” is used to pervasively enforce security and policy and perform device management regardless of device type, platform, location, etc. A cloud-based method includes monitoring traffic between a mobile device and a network in a cloud-based system that is implemented as an overlay network relative to the mobile device and the network; analyzing the traffic from the mobile device to the network, for enforcing policy thereon, wherein the policy includes a set of use guidelines associated with the user of the mobile device; and blocking or allowing the traffic from the mobile device to the network based on the analyzing.
    Type: Grant
    Filed: July 10, 2020
    Date of Patent: September 28, 2021
    Assignee: Zscaler, Inc.
    Inventors: Amit Sinha, Narinder Paul, Srikanth Devarajan
  • Patent number: 11126575
    Abstract: An interrupt recovery manager detects that a compute instance has exited a state in which interrupts from one or more interrupt sources were not processed at the compute instance. The recovery manager identifies a source from which interrupts may have been missed by the compute instance, and causes an indication of a potential missed interrupt from that source to be delivered to the compute instance.
    Type: Grant
    Filed: March 5, 2019
    Date of Patent: September 21, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Ioannis Aslanidis, Filippo Sironi, Karimallah Ahmed Mohammed Raslan, Jan Hendrik Schönherr
  • Patent number: 11126719
    Abstract: In one respect, there is provided a system for classifying malware. The system may include a data processor and a memory. The memory may include program code that provides operations when executed by the processor. The operations may include: providing, to a display, contextual information associated with a file to at least enable a classification of the file, when a malware classifier is unable to classify the file; receiving, in response to the providing of the contextual information, the classification of the file; and updating, based at least on the received classification of the file, the malware classifier to enable the malware classifier to classify the file. Methods and articles of manufacture, including computer program products, are also provided.
    Type: Grant
    Filed: May 31, 2019
    Date of Patent: September 21, 2021
    Assignee: Cylance Inc.
    Inventors: Matthew Maisel, Ryan Permeh, Matthew Wolff, Gabriel Acevedo, Andrew Davis, John Brock, Homer Valentine Strong, Michael Wojnowicz, Kevin Beets
  • Patent number: 11126507
    Abstract: A production host includes a persistent storage for storing backup policies and a production agent that obtains a backup generation request for a virtual machine of the virtual machines; in response to the backup generation request, performs a continuity chain verification of a continuity chain associated with the virtual machine to identify a continuity state of backups associated with the virtual machine; makes a first determination, based on the continuity state of the backups associated with the virtual machine, that the backups associated with the virtual machine are in a remediable state; and, in response to the first determination, performs a remediation of the continuity chain to change the backups associated with the virtual machine to be in a continuous state; and generates a backup of the virtual machine using the backup policies while the continuity state of the backups associated with the virtual machine is in the continuous state.
    Type: Grant
    Filed: January 10, 2020
    Date of Patent: September 21, 2021
    Assignee: EMC IP Holding Company LLC
    Inventors: Aaditya Rakesh Bansal, Sunil Yadav
  • Patent number: 11126717
    Abstract: A method and apparatus for identifying computer virus variants are disclosed to improve the accuracy of virus identification and removal, and may relate to the field of internet technology. The method includes running a virus sample to be tested and recording an API call sequence produced during running of the virus sample. The method further includes obtaining a characteristic API call sequence for each one of a plurality of virus families, matching the API call sequence produced during running of the virus sample to be tested with the characteristic API call sequences of the virus families, and obtaining a matching result. The method also includes determining the virus sample to be tested is a virus variant by extent of a match between the API call sequence produced by the virus sample and any characteristic API call sequence of any one of the virus families.
    Type: Grant
    Filed: September 30, 2019
    Date of Patent: September 21, 2021
    Assignee: BANMA ZHIXING NETWORK (HONG KONG) CO., LIMITED
    Inventors: Yuehua Guo, Honggang Tang
  • Patent number: 11122061
    Abstract: There is disclosed a method for determining malicious files in a network traffic, the method executable by a server. The method comprises: receiving the network traffic from a data communication network, retrieving a plurality of files from the network traffic, analyzing the plurality of files in order to detect at least one suspicious file, running the at least one suspicious file in at least one virtual machine, the at least one virtual machine associated with a set of the status parameters, determining changes in the set of the status parameters of the at least one virtual machine, analyzing the changes in the set of status parameters using a set of the analysis rules so as to classify the at least one suspicious file as a malicious file based on the changes in the set of status parameters being indicative of the at least one file being the malicious file.
    Type: Grant
    Filed: January 16, 2019
    Date of Patent: September 14, 2021
    Assignee: GROUP IB TDS, LTD
    Inventors: Nikita Igorevich Kislitsin, Nikolay Nikolaevich Andreev
  • Patent number: 11119806
    Abstract: Disclosed herein are systems and methods of selecting security virtual machines (SVMs) for a virtual machine (VM) in a virtual infrastructure. In one aspect, an exemplary method comprises, forming a list of SVMs, wherein SVM performs security tasks for the VM, and VM includes a security agent configured to interact with the SVM, determining restriction requirements of the security agent and removing from the list SVMs not conforming to restriction requirements on limits of interaction area of the security agent, polling SVMs remaining on the list to determine network accessibility of said SVMs and removing inaccessible SVMs, for each accessible SVM remaining on the list, determining whether a marker of the SVM matches that of the security agent of the VM and removing SVMs whose markers do not match the marker of the security agent, and providing the list of remaining SVMs to the security agent of the VM.
    Type: Grant
    Filed: July 16, 2019
    Date of Patent: September 14, 2021
    Assignee: AO Kaspersky Lab
    Inventors: Denis O. Vlaznev, Maxim E. Naumov, Maxim A. Vasilyev
  • Patent number: 11122065
    Abstract: Feature vectors are abstracted from data describing application processes. The feature vectors are grouped to define non-anomalous clusters of feature vectors corresponding to normal application behavior. Subsequent feature vectors are considered anomalous if they do not fall within one of the non-anomalous clusters; alerts are issued for anomalous feature vectors. In addition, the subsequent feature vectors may be used to regroup feature vectors to adapt to changes in what constitutes normal application behavior.
    Type: Grant
    Filed: August 14, 2018
    Date of Patent: September 14, 2021
    Assignee: VMware, Inc.
    Inventors: Bin Zan, Dexiang Wang, Zhen Mo, Vijay Ganti
  • Patent number: 11113416
    Abstract: An application privacy analysis system is described, where the system obtains an application and analyzes it for privacy related data use. The system may determine privacy related activities of the application from established sources of such data and/or may decompile the application and analyze the resulting code to determine the privacy related activities of the application. The system may execute the application and monitor the communications traffic exchanged by the application to determine privacy related activities of the application. The system may store the results of such analyses for future reference.
    Type: Grant
    Filed: February 1, 2021
    Date of Patent: September 7, 2021
    Assignee: OneTrust, LLC
    Inventors: Kevin Jones, William DeWeese, Justin Devenish, Saravanan Pitchaimani, Jonathan Blake Brannon
  • Patent number: 11113389
    Abstract: The disclosed computer-implemented method for providing persistent visual warnings for application launchers may include (i) loading an application launcher into a sandbox, (ii) monitoring one or more functions of an application from the application launcher, (iii) querying a malware detection manager using information obtained from monitoring the functions of the application to determine whether the application is potentially harmful, and (iv) modifying, based on determining that the application is potentially harmful, an icon for the application launched from the sandbox to notify a user that the application is potentially harmful. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: August 15, 2019
    Date of Patent: September 7, 2021
    Assignee: NortonLifeLock Inc.
    Inventors: Jonathon Salehpour, Somard Kruayatidee, Radoslav Stanev
  • Patent number: 11106831
    Abstract: Implementations of the present disclosure relate to a method and device for managing a storage system. The method comprises, in response to receiving a write request at a storage system, determining whether storage units allocated to a logic storage unit of the storage system are sufficient for data associated with the write request. The method also comprises, in response to determining that the allocated storage units are insufficient, allocating a new storage unit to the logic storage unit. The method further comprises updating metadata associated with allocation of the storage units of the storage system, the metadata indicating a mapping between the logic storage unit and the storage units. The method also comprises encrypting the updated metadata. Other implementations of the present disclosure also involve corresponding method, device and computer-readable medium for decrypting metadata and recovering the logic storage unit using the decrypted metadata.
    Type: Grant
    Filed: April 17, 2018
    Date of Patent: August 31, 2021
    Assignee: EMC IP Holding Company LLC
    Inventors: Lester Zhang, Chen Gong, Leon Zhang, Geng Han
  • Patent number: 11106379
    Abstract: A method, apparatus, and system for storing data at a multi cloud-based storage system is disclosed. The operations comprise: receiving a data block at a first cloud of a multi cloud-based storage system for storage, the multi cloud-based storage system comprising a first number (n) of clouds; generating the first number (n) of coded blocks at the first cloud based on the data block, wherein the data block is recoverable from any second number (k) out of the first number (n) of coded blocks, and wherein the second number (k) is greater than 1 and less than the first number (n); and distributing, by the first cloud, the first number (n) of coded blocks to the first number (n) of clouds of the multi cloud-based storage system, each of the clouds including the first cloud receiving a respective one of the first number (n) of coded blocks for storage.
    Type: Grant
    Filed: January 15, 2019
    Date of Patent: August 31, 2021
    Assignee: EMC IP HOLDING COMPANY LLC
    Inventors: Yossef Saad, Assaf Natanzon
  • Patent number: 11100225
    Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; and one or more mediums including instructions to instruct the processor to provide a security scanner to: determine that an object to be inspected is an archive including a plurality of bundled files; determine that the archive is encrypted; identify unencrypted data within the encrypted archive that can be made visible to an end user after a failed decryption operation; scan the unencrypted data for a pattern that matches password data; and attempt to decrypt the archive according to the password data.
    Type: Grant
    Filed: December 28, 2018
    Date of Patent: August 24, 2021
    Assignee: McAfee, LLC
    Inventor: Oliver G. Devane
  • Patent number: 11093612
    Abstract: Maintaining system security by receiving metadata associated with at least a part of one data file from a metadata storage unit, generating a priority for the at least a part of one data file according to the metadata, and conducting a scan of the part of the data file. The metadata includes one or more virus indicators.
    Type: Grant
    Filed: October 17, 2019
    Date of Patent: August 17, 2021
    Assignee: International Business Machines Corporation
    Inventors: Paul R. Bastide, Rohit Ranchal, Shakil Manzoor Khan, Senthil Bakthavachalam
  • Patent number: 11095692
    Abstract: The present invention relates to a method and an apparatus for transmitting content for a streaming service and can provide streaming content without delay even in a heterogeneous mobile network environment utilizing NAT technology, by transmitting and receiving a session key and UDP port information for transmitting the content using a UDP method through a TCP session, generating a UDP session between a terminal device and a content providing device, and providing the streaming content requested from the terminal device through the generated UDP session.
    Type: Grant
    Filed: July 5, 2019
    Date of Patent: August 17, 2021
    Assignee: SK TELECOM CO., LTD.
    Inventor: Jongmin Lee
  • Patent number: 11087026
    Abstract: Methods and systems of determining a data protection level of a dataset are described. In an example, a processor may encode a dataset and generate a network model of the encoded dataset. The processor may sort a set of edges of the network model based on a descending order of costs of the set of edges. The processor may determine a flow for a first edge among the sorted edges, the first edge may be an edge associated with the least cost. The processor may perform the determining of flows for the other edges in accordance with the descending order of the sorted edges. The processor may determine a metric based on the determined flows of the sorted edges and based on the costs of the sorted edges. The processor may compare the metric with a threshold to determine a level of data protection provided by the encoded dataset.
    Type: Grant
    Filed: February 19, 2019
    Date of Patent: August 10, 2021
    Assignee: International Business Machines Corporation
    Inventors: Supriyo Chakraborty, Mudhakar Srivatsa