Abstract: In one approach, a method includes: receiving a login event input from a user, the login event input being associated with a session of the user logging into an account; accessing a machine learning model; and authenticating, with the machine learning model, the user for the account, based at least in part on the login event input. In examples, the login event input comprises one or more items of biometric data associated with the user, an item of the one or more items of biometric data associated being generated by interaction of the user with an input device for logging into the account, and the interaction communicating a login credential of the user. In examples, an item of the one or more items of biometric data associated with the user is keyboard event-related biometric data, or mouse event-related biometric data.

Abstract: Anti-impersonation techniques using device-context information and user behavior information from a session. The session can include a time period where a user of the client computer is performing an activity on the client computer (e.g., the session includes the user logging into an account online). The behavior information can include information on ways the user uses user input devices during the session. The device-context information can include HTTP session information. The techniques can include generating feature vector(s) for the received information, and comparing the feature vector(s) against model(s) of related historical information. The comparisons can provide level(s) of deviation of the feature vector(s) from the model(s). Also, the techniques can include determining whether the session is anomalous or normal according to the level(s) of deviation, and performing a security action in response to determining the session is anomalous.

Abstract: The disclosed techniques utilize round-trip times (RTTs) from back-and-forth communications with distant servers to detect impersonations in a computer network, such as impersonations using IP spoofing. Also, the techniques can use machine learning to enhance analysis in spoofing detection. The techniques can include sending a computer program to a client device. The client device can have an IP address, and the computer program can be executed by the client device after it is received by the client device. The computer program can measure RTTs for messages the computer program sends to multiple pre-selected location servers at different remote or distant locations and for corresponding reply messages that are returned to the computer program. The IP address of the client device and the measured RTTs can then be received and used to determine whether the measured RTTs are anomalous or not; and thus, determine a possible impersonator or a legitimate user.

Abstract: Techniques to remotely detect behavior associated with malware and identify compromised user-sessions, regardless of the malware variant or family, and independently of the page structure.

Abstract: The disclosed techniques include systems and methods for implementing liveliness detection in an authentication process using pupil or iris tracking. The disclosed techniques can utilize a combination of facial recognition and pupil or iris tracking for liveliness detection in an authentication process to provide an extra layer of security against impersonation attacks.

Abstract: Technologies for classification of web security certificates using artificial neural networks. Some of the example technologies disclosed herein are directed specifically at classification of TLS certificates using artificial neural networks. The technologies include methods for identifying malicious use and generation of web security certificates, by using deep neural networks. In one example embodiment, content of TLS certificates can be used as input for deep neural networks to successfully identify certificates of malicious actors as well as malicious patterns used by attackers.

Abstract: Phishing enhancement and phishing detection enhancement technologies. The technologies can include determinations of an effectiveness rate of one or more phishing threat actors. The technologies can also include selection of effective URLs from at least one effective phishing threat actor. The technologies can also include generation or adjustment of a phishing system using a machine learning process to identify patterns in the selected effective URLs that enable the selected effective URLs to avoid detection by the phishing detection system. The technologies can also include generation of synthetic phishing URLs using the phishing system and the identified patterns. The technologies can also include adjustments or training of the phishing system or the phishing detection system according to the synthetic phishing URLs to enhance the systems.

Abstract: Systems and methods to detect remote access malware activities, via: detecting, in a computing device, first input events in an operating system of the computing device; detecting, in the computing device, second input events received in an application running in the computing device; detecting, in the computing device, a mismatch between the first input events detected in the operating system and the second input events received in the application running in the computing device; and in response to the mismatch being detected, generating an alert indicating a threat of the application being attached by remote access malware.

Abstract: Systems and methods to detect the identities of victims of phishing activities, in which embedding, in an item, an element having a reference to a server, is embedded in an item (e.g., a webpage or a mobile application) that may be copied by attackers. When used on a user computer, the element generates a request to the server. Based on the request, the server identifies a user of the element embedded in the item or a copy of the item. Based on uses of the element, the server tracks a history of the user using the item or the copy of the item. In response to a determination that the element is currently being used by the user in the item and the history indicates that the user has used the copy of the item, the server identifies the user as a victim of the copy of the item.

Abstract: Systems and methods to detect remote access malware activities, via: detecting, in a computing device, first input events in an operating system of the computing device; detecting, in the computing device, second input events received in an application running in the computing device; detecting, in the computing device, a mismatch between the first input events detected in the operating system and the second input events received in the application running in the computing device; and in response to the mismatch being detected, generating an alert indicating a threat of the application being attached by remote access malware.

Abstract: Among other things, embodiments of the present disclosure help provide entities with the ability to remotely detect behavior associated with malware and identify compromised user-sessions, regardless of the malware variant or family, and independently of the page structure.

Abstract: Among other things, embodiments of the present disclosure help provide entities with the ability to remotely detect behavior associated with malware and identify compromised user-sessions, regardless of the malware variant or family, and independently of the page structure.