Abstract: Telemetry data from client file reputation queries is collected over time. Directories/sub-directories under which files of queries are located are identified. The files including the reputations for the files under a given directory/sub-directory are identified and used to calculate the reputation score for the directory/sub-directory. The directory/sub-directory is then classified based on the calculated score for the directory/sub-directory. After the classification of directories/sub-directories, reputation for a file with unknown reputation is then determined based on the classification of the directory/sub-directory under which the file is located.

Abstract: Pre-filtering detection of an injected script on a webpage accessed by a computing device. The method may include receiving an indication of access to the webpage at a web browser of the computing device; identifying a web form associated with the webpage; determining that the webpage has been previously visited by the computing device; recording at least one current domain associated with at least one current object request made by the web form; determining a difference of a count of the at least one current domain associated with the at least one current object request and a count of at least one historical domain associated with at least one historical object request previously made by the webpage; identifying the webpage as suspicious based on determining that the difference is greater than zero and less than a domain threshold; and initiating a security action on the webpage based on the identifying.

Abstract: Identifying and protecting against an attack against an anomaly detector machine learning classifier (ADMLC). In some embodiments, a method may include identifying training data points in a manifold space for an ADMLC, dividing the manifold space into multiple subspaces, merging each of the training data points into one of the multiple subspaces, training a subclassifier for each of the multiple subspaces to determine a decision boundary for each of the multiple subspaces between normal training data points and anomalous training data points, receiving an input data point into the ADMLC, determining whether the input data point is an attack on the ADMLC due to a threshold number of the subclassifiers classifying the input data point as an anomalous input data point, and, in response to identifying the attack against the ADMLC, protecting against the attack.

Abstract: A computer-implemented method for detecting and protecting against malicious use of legitimate computing-system tools may include (i) identifying a computing-system tool that can perform benign actions and malicious actions on a computing system, (ii) creating a set of recorded actions by recording actions performed by the computing-system tool on the computing system over a predetermined period of time, (iii) analyzing the set of recorded actions via a machine learning method that, for each action in the set of recorded actions, determines whether the action is anomalous compared to other actions in the set, (iv) classifying an action in the set of recorded actions as malicious based at least in part on determining that the action is anomalous, and (v) initiating, in response to classifying the action as malicious, a security action related to the action. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Identifying and mitigating harm from malicious network connections by a container. In some embodiments, a method may include receiving, from a shim, notifications of all network connections that a container has sought to establish through the shim. The method may also include monitoring all actual network connections established by the container. The method may further include comparing the notifications to the actual network connections to determine whether any actual network connection established by the container bypassed the shim. The method may also include, in response to determining that any actual network connection established by the container bypassed the shim, identifying the network connection established by the container that bypassed the shim as a malicious network connection, and performing a security action to mitigate harm from the malicious network connection.

Abstract: The disclosed computer-implemented method for utilizing metadata for protecting against the sharing of images in a computing network may include (i) identifying an image file stored in a public folder on a computing device, (ii) storing a copy of the image file within a secure data storage application, (iii) encoding metadata for revealing an image in the image file, (iv) performing a security action that protects against sharing the image file from the public folder by masking the image in the image file with the encoded metadata, and (v) rendering the image in the image file as an unmasked version of the image from the image file or the copy of the image file in the secure data storage application by decoding the metadata utilized to mask the image. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Methods, systems, and devices for protecting against abnormal computer behavior are described. The method may include monitoring a computer process related to an application running on a computing device of one or more computing devices, analyzing a database including a set of digital fingerprints, where a digital fingerprint of the set of digital fingerprints relates to the application, the digital fingerprint including an indication of a set of computer processes related to the application that are classified as normal computer processes for the application, determining that the computer process related to the application is an abnormal computer process based on analyzing, and performing a security action on the computing device to protect the computing device against the abnormal computer process based on the determining.

Abstract: Methods and systems are provided for automatically generating malware definitions and using generated malware definitions. One example method generally includes receiving information associated with a malicious application and extracting malware strings from the malicious application. The method further includes filtering the malware strings using a set of safe strings to produce filtered strings and scoring the filtered strings to produce string scores by evaluating words of the filtered strings based on word statistics of a set of known malicious words. The method further includes selecting a set of candidate strings from the filtered strings based on the string scores and generating a malware definition for the malicious application based on the set of candidate strings. The method also includes performing one or more security actions to protect against the malicious application, using the malware definition.

Abstract: A client can be authenticated with an identity provider. The identity provider can generate an identity provider token after successful authentication. Prior to issuing a request to a service provider, the client can request a temporary (one time use) token from the identity provider. The request may include a client token to verify the client's identity. The identity provider can validate the client token using details saved in the identity provider token and issue the temporary token to the client. The client can provide the temporary token to a service provider in a request for service. The service provider can validate the temporary token with the identity provider. If the temporary token is valid (i.e., has not already been used), the service provider can respond to the request. The use of a temporary token and not sharing the identity provider token with the client can prevent security breaches.

Abstract: The disclosed computer-implemented method for safely executing unreliable malware may include (i) intercepting a call to an application programming interface (API) in a computing operating system, the API being utilized by malware for disseminating malicious code, (ii) determining an incompatibility between the API call and the computing operating system that prevents successful execution of the API call, (iii) creating a proxy container for receiving the API call, (iv) modifying, utilizing the proxy container, the API call to be compatible with the computing operating system, (v) sending the modified API call from the proxy container to the computing operating system for retrieving the API utilized by the malware, and (vi) performing a security action during a threat analysis of the malware by executing the API to disseminate the malicious code in a sandboxed environment. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for protecting against malicious content may include intercepting, by a security application installed on the computing device, an original message intended for a target application installed on the same computing device. The original message may include potentially malicious content. The security application may forward the original message to a security service. The computing device may receive a clean message from the security service, wherein the clean message includes a safe representation of the potentially malicious content. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for detecting anomalous behavior within computing sessions may include (i) identifying, by the computing device, a set of execution events that correspond to a computing session, (ii) providing, by the computing device, the set of execution events as input to an autoencoder, (iii) receiving, by the computing device and from the autoencoder, a reconstruction error associated with autoencoding the set of execution events, (iv) detecting, by the computing device and based on the reconstruction error, an anomaly within the computing session, and (v) performing, by the computing device, a security action to address the anomaly within the computing session. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for managing endpoint security states using passive data integrity attestations may include (i) receiving passively collected network data from an endpoint device of a computing environment, (ii) determining a security state of the endpoint device using the passively collected network data from the endpoint device, (iii) determining that the security state of the endpoint device is below a threshold, and (iv) in response to determining that the security state of the endpoint device is below a threshold, performing a security action to protect the computing environment against malicious actions. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The present disclosure relates to using correlations between support interaction data and telemetry data to discover emerging incidents for remediation. One example method generally includes receiving a corpus of support interaction data and a corpus of telemetry data. Topics indicative of underlying problems experienced by users of an application are extracted from the corpus of support interaction data. A topic having a rate of appearance in the support interaction data above a threshold value is identified. A set of telemetry data relevant to the topic is extracted from the corpus of telemetry data, and a subset of the relevant set of telemetry data having a frequency in the relevant set of telemetry data above a second threshold value is identified. The topic and the subset of telemetry data are correlated to an incident to be remediated, and one or more actions are taken to remedy the incident.

Abstract: An autonomous controller for SDN, virtual, and/or physical networks can be used to optimize a network automatically and determine new optimizations as a network scales. The controller trains models that can determine in real-time the optimal path for the flow of data from node A to B in an arbitrary network. The controller processes a network topology to determine relative importance of nodes in the network. The controller reduces a search space for a machine learning model by selecting pivotal nodes based on the determined relative importance. When a demand to transfer traffic between two hosts is detected, the controller utilizes an AI model to determine one or more of the pivotal nodes to be used in routing the traffic between the two hosts. The controller determines a path between the two hosts which comprises the selected pivotal nodes and deploys a routing configuration for the path to the network.

Abstract: The disclosed computer-implemented method for protection of storage systems using decoy data may include identifying an original file comprising sensitive content to be protected against malicious access and protecting the sensitive content. Protecting the sensitive content may include (i) processing the original file to identify a structure of the original file and the sensitive content of the original file, (ii) generating a decoy file using the structure of the original file and using substitute content in a location corresponding to the sensitive content of the original file, and (iii) storing the decoy file with the original file. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for executing decision trees may include (i) executing a security classification decision tree that classifies an input data item, (ii) gathering, simultaneously using a gather instruction, values for both a current threshold at a parent node of the security classification decision tree and a subsequent threshold at a child node of the parent node, (iii) gathering, simultaneously using the gather instruction, values for both a current measurement at the parent node and a subsequent measurement at the child node, (iv) comparing, simultaneously using a comparison instruction, the current threshold at the parent node with the current measurement at the parent node and the subsequent threshold at the child node with the subsequent measurement at the child node, and (v) performing a security action to protect the computing device. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-executed process receives an object that characterizes a navigation capability of a website. The object includes a navigation parameter that specifies a navigation page of the web site, and a query parameter that specifies a subset of content of the navigation page. The process also executes a script to dynamically generate a navigation structure based upon the object data. The process detects selection of a navigation component of the navigation structure, and updates an address in a Uniform Resource Locator (URL) bar of the browser with a composite resource identifier to retrieve a requested subset of content of the selected navigation page. The composite resource identifier includes a subordinate resource identifier that identifies the navigation page, which is derived from the navigation parameter and at least one query derived from the query parameter, which specifies the requested subset of content of the navigation page.

Abstract: The disclosed computer-implemented method for detecting covert channels structured in Internet Protocol (IP) transactions may include (1) intercepting an IP transaction including textual data and a corresponding address, (2) evaluating the textual data against a model to determine a difference score, (3) determining that the textual data is suspicious when the difference score exceeds a threshold value associated with the model, (4) examining, upon determining that the textual data is suspicious, the address in the transaction to determine whether the address is invalid, (5) analyzing the transaction to determine a frequency of address requests that have been initiated from a source address over a predetermined period, and (6) identifying the transaction as a covert data channel for initiating a malware attack when the address is determined to be invalid and the frequency of the address requests exceeds a threshold value. Various other methods, systems, and computer-readable media are also disclosed.