Abstract: The disclosed computer-implemented method for detecting covert channels structured in Internet Protocol (IP) transactions may include (1) intercepting an IP transaction including textual data and a corresponding address, (2) evaluating the textual data against a model to determine a difference score, (3) determining that the textual data is suspicious when the difference score exceeds a threshold value associated with the model, (4) examining, upon determining that the textual data is suspicious, the address in the transaction to determine whether the address is invalid, (5) analyzing the transaction to determine a frequency of address requests that have been initiated from a source address over a predetermined period, and (6) identifying the transaction as a covert data channel for initiating a malware attack when the address is determined to be invalid and the frequency of the address requests exceeds a threshold value. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Isolating an iframe of a webpage. In one embodiment, a method may include targeting an iframe in a webpage for isolation, executing, in a server browser, iframe code, sending, from the remote isolation server to the local client, the webpage with the iframe code of the iframe replaced with isolation code, executing, in a client browser, webpage code and the isolation code, intercepting, in the client browser, webpage messages sent from the webpage code and intended to be delivered to the iframe, sending, to the remote isolation server, the intercepted webpage messages to be injected into the iframe code executing at the server browser, intercepting, at the server browser, iframe messages sent from the iframe code and intended to be delivered to the webpage, and sending, to the local client, the intercepted iframe messages to be injected into the webpage code executing at the client browser.

Abstract: A cloud device is configured in an email transmission pathway. The cloud device receives an email attachment whose maliciousness status is determined to be unknown. The cloud device encrypts the email attachment and delivers the encrypted attachment to the recipient. When the recipient attempts to access the encrypted attachment, the cloud device re-determines the maliciousness status of the attachment. If the re-determined maliciousness status is benign, the cloud device allows the encrypted attachment to be decrypted and opened locally on the recipient's device. If the re-determined maliciousness status is still unknown, the cloud device provides a cloud-based viewing solution to the recipient using an isolation service.

Abstract: A method for detecting and protecting against abnormal user behavior is described. The method may include generating a tensor model based on a set of user information within a temporal period. The tensor model may include a behavioral profile associated with a user of a set of users. In some examples, the method may include determining that a behavior associated with the user of the set of users is abnormal based on the tensor model, adapting the tensor model based on feedback from an additional user of a set of additional users different from the set of users, and performing a security action on at least one computing device to protect against the abnormal user behavior based on the adapting.

Abstract: Methods of managing an information technology (IT) infrastructure include detecting by a configuration management system an unauthorized change to one of a plurality of network elements, determining by the configuration management system that the unauthorized change to the one of the plurality of network elements creates a risk condition to an operation of one of the services provided by the IT infrastructure, and initiating an action to remedy the unauthorized change in response to determining that the unauthorized change to the one of the plurality of network elements creates the risk condition to the operation of one of the services provided by the IT infrastructure. Related systems and computer program products are disclosed.

Abstract: A computer-implemented method of generating a security policy for a microsegmented computing system is provided. The method includes generating a port service map that indicates inbound packet activity by port for a plurality of network addresses within the microsegmented computing system and a port distribution map that indicates inbound packet activity by port for a plurality of network addresses within the microsegmented computing system, and generating a list of security policy recommendations based on the port service map and/or the port distribution map.

Abstract: A topology-based transversal analysis service has been created that correlates topologies of different domains of a distributed application and creates cross-domain “stories” for the different types of transactions provided by the distributed application. A “story” for a transaction type associates an event(s) with a node in an execution path of the transaction type. This provides context to the event(s) with respect to the transaction type (“transaction contextualization”) and their potential business impact. The story is a journal of previously detected events and/or information based on previously detected events. The events have been detected over multiple instances of a transaction type and the journal is contextualized within an aggregate of execution paths of the multiple instances of the transaction type. The story can be considered a computed, ongoing narrative around application and infrastructure performance events, and the narrative grows as more performance-related events are detected.

Abstract: The disclosed computer-implemented method for preventing data loss from data containers may include (1) identifying, at a computing device, a process running in a data container on the computing device, (2) intercepting an attempt by the process to exfiltrate information from the computing device via at least one of a file system operation or a network operation, and (3) performing a security action to prevent the intercepted attempt. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Provided is a process of determining a future battery level of one or more battery-powered computing devices, the process including: accessing an event record in memory describing a scheduled event in which a user of a plurality of computing devices is scheduled to participate, inferring a subset of the plurality of computing devices to be used in that time period, determining present battery levels of the computing devices, the levels being values indicative of an amount of energy stored by batteries, determining present usage rates of battery energy, inferring battery outlooks corresponding to the scheduled event, a battery outlook being an estimated amount of energy consumption attributable to the scheduled event, and predicting future battery levels of computing devices based on at least a present battery level, a present usage rate, and a battery outlook corresponding to the scheduled event.

Abstract: A method of dynamic adaptive authentication includes receiving a request from a user to access a resource of a network and determining whether the resource is protected. In response to determining that the resource is protected, a dynamic authentication chain is generated. The dynamic authentication chain includes a plurality of authentication schemes that are arranged in a particular order. The method also includes challenging the user with the dynamic authentication chain and receiving a set of credentials from the user based at least in part on the particular order of the dynamic authentication chain. The method includes determining whether the set of credentials satisfies the dynamic authentication chain. In response to determining that the set of credentials satisfies the dynamic authentication chain, the user is authenticated.

Abstract: A multivariate clustering-based anomaly detector can generate an event for consumption by an APM manager that indicates detection of an anomaly based on multivariate clustering analysis after topology-based feature selection. The anomaly detector accumulates time-series data across a series of time instants to form a multivariate time-series data slice or multivariate data slice. The anomaly detector then performs multivariate clustering analysis with the multivariate data slice. The anomaly detector determines whether a multivariate data slice is within a cluster of multivariate data slices. If the multivariate data slice is within the cluster and the cluster is a known anomaly cluster, then the anomaly detector generates an anomaly detection event indicating detection of the known anomaly. The anomaly detector can also determine that a multivariate data slice is within an unknown cluster and generate an event indicating detection of an unknown anomaly.

Abstract: Detecting and protecting against computing breaches based on lateral movement of a computer file within an enterprise. A method may include obtaining data associated with an existence a computer file in a first computing device and a second computing device of an enterprise, detecting a pattern of lateral movement of the computer from the first computing device to the second computing device over a predetermined period of time, based on the data, calculating a likelihood score that the computer file is malicious based on the detected pattern, determining that the likelihood score satisfies a predetermined breach threshold, and in response to determining that the likelihood score satisfies the predetermined breach threshold, initiating remedial action on the computer file to protect the enterprise against the computer file.

Abstract: The disclosed computer-implemented method for preserving system contextual information in an encapsulated packet may include (1) receiving, at a computing device, a network packet from the network via a network adapter port, (2) encapsulating the received network packet with a tunnel header, where a network identifier field in the tunnel header comprises information identifying the network adapter port, (3) determine an outer Internet protocol (IP) address for the encapsulated network packet, where the destination IP address corresponds to a destination on the network, (4) addressing an outer header of the encapsulated network packet with the IP address, and (5) sending the encapsulated network packet toward the destination identified by the destination IP address. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for preventing electronic form data from being electronically transmitted to untrusted domains may include (i) identifying a web page that includes an electronic form with field for data entry, (ii) detecting that the web page is electronically sending first and second messages that each include data from the field of the electronic form and that are directed to first and second destinations, respectively, (iii) determining that the first destination includes an untrusted destination, and (iv) blocking the web page from electronically sending the data from the field of the electronic form to the untrusted destination by blocking the first message from being electronically sent. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for tuning application network behavior may include identifying an application for a closed operating system. The closed operating system may prevent applications from implementing machine-level traffic control for network traffic. The method may include determining an expected network behavior of the application, intercepting network traffic of the application on the closed operating system, determining whether the intercepted network traffic conforms to the expected network behavior, and modifying, based on the determining whether the intercepted network traffic conforms to the expected network behavior, the network traffic. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for providing an integrated cyber threat defense exchange platform may include (i) receiving unnormalized security data from a plurality of disparate security data sources that generate security data in differing formats, (ii) normalizing, using a security data schema, the unnormalized security data into normalized security data, (iii) identifying a security action that is responsive to at least one security event identified within the normalized security data, and (iv) coordinating performance of the security action within a plurality of networked computing devices. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for protecting website visitors may include (i) retrieving an instance of a website that was dynamically generated by aggregating multiple website subcomponents, (ii) decomposing the instance of the website into the multiple website subcomponents, (iii) checking whether a website subcomponent has been previously scanned by a security scanner, (iv) accelerating a review of the instance of the website by reusing results of a previous scan of the website subcomponent that was performed in response to retrieving a different instance of the website subcomponent rather than performing an original scan of the website subcomponent, and (v) protecting a visitor of the website by modifying a display of the instance of the website based on the accelerated review of the instance of the website that reused results of the previous scan of the website subcomponent. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A change management system generates change records corresponding to changes to tracked documents, and stores a master control file comprising metadata records that respectively correspond to the tracked documents and which comprise a tracked metadata field and a time field. Responsive to detecting that a change to a given document is of a predefined type, the tracked metadata field in the corresponding metadata record is modified, and the time field in that metadata record is updated accordingly. In response to a problem event, it is determined that the problem event relates to the given document, and, based on the time field, a subset of the change records is selected. Each change record in the subset corresponds to the given document. A problem change record is identified from the change records in the subset, and used to revert the given document to a state previous to the problem event.

Abstract: Methods and systems are provided for generating a security profile for a new computing system. One example method generally includes obtaining, over a network, information associated with a plurality of existing computing systems and generating, by a clustering algorithm, a set of clusters based on the information associated with the plurality of existing computing systems. The method further includes obtaining external data associated with the computing system and classifying the computing system into a cluster in the set of clusters based on the external data associated with the computing system. The method further includes determining the security profile based on statistics associated with the cluster and transmitting, over the network, an indication of the security profile.

Abstract: The disclosed computer-implemented method for preventing sharing of sensitive content in image data on a closed computing platform may include (i) detecting initiation of a network connection for sending network traffic data to a data storage service on the closed computing platform, (ii) monitoring the sending of the network traffic data to identify a target traffic indicator associated with image data, (iii) interrupting the sending of the network traffic data upon identifying the target traffic indicator, (iv) analyzing the image data to identify sensitive content, and (v) performing a security action that protects against the sensitive content being shared to the data storage service on the closed computing platform. Various other methods, systems, and computer-readable media are also disclosed.