Abstract: There is disclosed in an example a computing apparatus, including: a process deprivilging engine operable for: recognizing that a process has an undetermined reputation; intercepting a first access request directed to a first resource; determining that the first resource is not owned by the process; and at least partially blocking access to the first resource. There is further disclosed a method of providing the process deprivileging engine, and one or more computer-readable mediums having stored thereon executable instructions for providing the process deprivileging engine.

Abstract: A method, system, and computer program product for protecting a computer system provides bootstrap operating system detection and recovery and provides the capability to detect malware, such as rootkits, before the operating system has been loaded and provides the capability to patch malfunctions that block the ability of the computer system to access the Internet. A method for protecting a computer system includes reading stored status information indicating whether network connectivity was available the last time an operating system of the computer system was operational, when the stored status information indicates that network connectivity was not available, obtaining a software patch, and executing and applying the software patch.

Abstract: Systems and methods for real-time user verification in online education are disclosed. In certain example embodiments, user identifying information associated with a user and a request to access online education content may be received from a user device. A face template including historical facial image data for the user can be identified. Current facial image data can be compared to the face template to determine if a match exists. Biometric sensor data, such as heart rate data, may also be received for the user. The biometric sensor data may be evaluated to determine if the user is currently located at the user device. If the user is currently located at the user device and the current facial image data matches the face template, access to the online education content may be provided to the user at the user device.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to receive untrusted input data at an enclave in an electronic device, isolate the untrusted input data from at least a portion of the enclave, communicate at least a portion of the untrusted data to an integrity verification module using an attestation channel, and receive data integrity verification of the untrusted input data from the integrity verification module. The integrity verification module can perform data integrity attestation functions to verify the untrusted data and the data integrity attestation functions include a data attestation policy and a whitelist.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to determine when a peripheral is connected to the electronic device, determine a peripheral identification for the peripheral, and monitor the data going to and from the peripheral. Based on the monitored data, a type for the peripheral can be determine. The peripheral identification can be compared with the determined type for the peripheral and if they do not match, then communication to and from the peripheral can be blocked.

Abstract: A file stored in a first portion of a computer memory of a computer is determined to be a malicious file. A duplicate of the file is stored in a quarantine area in the computer memory, the quarantine area being in a second portion of the computer memory that is different from the first portion of the computer memory. One or more protection processes are performed on the file. The determination that the file is a malicious file is determined to be a false positive and the file is restored, during a boot sequence, to a state prior to the one or more protection processes being performed on the file.

Abstract: A method for detecting memory modifications includes allocating a contiguous block of a memory of an electronic device, and loading instructions for detecting memory modifications into the contiguous block of memory. The electronic device includes a plurality of processing entities. The method also includes disabling all but one of a plurality of processing entities of the electronic device, scanning the memory of the electronic device for modifications performed by malware, and, if a memory modification is detected, repairing the memory modification. The method also includes enabling the processing entities that were disabled. The remaining processing entity executes the instructions for detecting memory modifications.

Abstract: A first user computing device is identified as being collocated with a second user computing device and an invitation is sent over a wireless communication channel for delivery to the first user computing device. The invitation invites the first user computing device to join a collaborative search session with the second user computing device. A first one of a plurality of search contexts is selected for use by the second user computing device within the collaborative search session. The first user computing device uses a second, different one of the plurality of search contexts during the collaborative search session, and presentations of search results within the collaborative search session are organized according to the first search context on the second user computing device and organized according to the second search context on the first user computing device.

Abstract: A method for applying policies to an email message includes receiving, by an inbound policy module in a protected network, message metadata of an email message. The method also includes determining, based on the message metadata, whether receiving the email message in the protected network is prohibited by at least one metadata policy. The method further includes blocking the email message from being forwarded to the protected network if receiving the email message in the protected network is prohibited by the metadata policy. In specific embodiments, the method includes requesting scan results data for the email message if receiving the email message in the protected network is not prohibited by one or more metadata policies. In further embodiments, the method includes receiving the scan results data and requesting the email message if receiving the email message in the protected network is not prohibited by one or more scan policies.

Abstract: Embodiments of the present disclosure are directed to a self-check application to determine whether an indirect branch execution is permissible for an executable application. The self-check application uses one or more parameters received from an execution profiling module to determine whether the indirect branch execution is permitted by one or more self-check policies.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to analyze data using an ensemble and assign a classification to the data based, at least in part, on the results of the analyses using the ensemble. The ensemble can include one or more multinomial classifiers and each multinomial classifier can assign two or more classifications to the data.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to receive a message, determine that at least a portion of the message includes sensitive data, obfuscate the portion of the message that includes sensitive data, and communicate the message to an electronic device, where the obfuscated portion of the message can be recognized and understood by a recipient associated with the electronic device. In an example, the obfuscated portion of the message can be recognized and understood by a user without the need of special software or hardware but cannot be readily analyzed by a text parsing bot. In some instances, the obfuscation is a human intelligence task element.

Abstract: In an example, there is disclosed an electronic apparatus, comprising: a hardware-encoded internal private key; and one or more logic elements comprising a key generation engine to: receive an third-party key; and operate on the third-party key and the internal private key to generate a hardware-generated dynamic identifier (HGDI). There is also disclosed a method of providing an HGDI engine, and one or more computer-readable mediums having stored thereon executable instructions for providing an HGDI.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to receive a broadcast query from a network element, receive information from a plurality of devices, process the information, and generate an integrated group response, wherein the integrated group response summarizes the information about the plurality of devices and removes identification information that could allow data to be linked to a specific device from the plurality of devices. The integrated group response can be communicated back to the network element in response to the query.

Abstract: Embodiments include identifying, at a logical path node, a first logical path and a second logical path; executing, by a processor implemented at least partially in hardware, a first set of instructions to follow the first logical path; storing, in a memory, a first set of information obtained from following the first logical path; evaluating, by a malware handler module implemented at least partially in hardware, the first set of information for malware; restoring, from the memory, environmental data for the first logical path node; executing, by the processor, a second set of instructions to follow the second logical path; storing, in a memory, a second set of information obtained from following the second logical path; and evaluating, by the malware handler module, the second set of information for malware.

Abstract: Embodiments of this disclosure are directed to an execution profiling handler configured for intercepting an invocation of memory allocation library and observing memory allocation for an executable application process. The observed memory allocation can be used to update memory allocation meta-data for tracking purposes. The execution profiling handler can also intercept indirect branch calls to prevent heap allocation from converting to execution and intercept exploitation of heap memory to block execution.

Abstract: Systems and methods for real-time emergency vehicle authentication at traffic signal and tollgates are disclosed. In certain example embodiments, a dispatch server can provide identifying credentials and time-bounded intersection tickets (TBIT) to traffic signals and tollgates for conducting authentication of emergency vehicles. The emergency vehicles can transmit a traffic light control message requesting expedited access through a traffic signal or tollgate. The traffic signal or tollgate can decrypt the message using the TBIT. It can further determine if the identifying credential received from the emergency vehicle is authorized for expedited access and if the message was received within a required time period. In response, the traffic signal or tollgate can determine its current signal or gate position and determine if a change needs to be made to provide expedited access to the emergency vehicle.

Abstract: Computing platform security methods and apparatus are disclosed. An example apparatus includes a security application to configure a security task, the security task to detect a malicious element on a computing platform, the computing platform including a central processing unit and a graphics processing unit; and an offloader to determine whether the central processing unit or the graphics processing unit is to execute the security task; and when the graphics processing unit is to execute the security task, offload the security task to the graphics processing unit for execution.

Abstract: In an example, there is disclosed a computing apparatus having: a network interface to communicate with a second device; a contextual data interface to receive and store contextual data; and one or more logic elements comprising a contextual security agent, operable to: receive a contextual data packet via the network interface; compare the contextual data packet to stored contextual data; and act on the comparing. The contextual data packet may optionally be provided out of band, and may be used to authenticate a substantive data packet, such as a patch or update.

Abstract: In an example, there is disclosed a computing apparatus, having: a network interface to communicatively couple to a software-defined network (SDN); first one or more logic elements providing an SDN controller engine to provide a control function for the SDN; and second one or more logic elements providing a route tracing engine to: receive a tunneling notification from a network device agent, the tunneling notification associated with a network flow; and perform a backtracking traceroute operation to deterministically identify a source device for the flow. There is also disclosed a method of providing the foregoing, and one or more tangible, non-transitory computer-readable storage mediums for providing the foregoing.