Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a network interface; an operating system including a native internet protocol (IP) stack; and a security agent, including instructions encoded within the memory to instruct the processor to: establish a split virtual private network (VPN) tunnel with a remote VPN service; receive outgoing network traffic; direct a first portion of the outgoing traffic to the VPN tunnel, including determining that the first portion includes an outgoing domain name service (DNS) request; and direct a second portion of the outgoing traffic to the native IP stack.

Abstract: A method including receiving a feature vector of an unknown sample, computing a MinHash of the unknown sample based on Jaccard-compatible features, querying a Locality Sensitive Hashing forest of known samples with the MinHash of the unknown sample to identify a first subset of known samples that are similar to the unknown sample, receiving for each individual known sample in the first subset, a feature vector including non-Jaccard distance-compatible features, computing a first sub-distance and a second sub-distance between the unknown sample and the known samples in the first subset, calculating a total distance for each known sample in the first subset by combining the first and the second sub-distances, identifying, based on the calculated total distances, a second subset of known samples that are most similar to the unknown sample, and classifying the unknown sample based on the second subset.

Abstract: A technique for collecting and using signal reputation data, comprising obtaining a plurality of signal reputation data corresponding to a plurality of locations, categorizing the signal reputation data into groups, calculating signal circles for at least some of the groups based on a representative signal value for the corresponding group, calculating a signal reputation score for each signal circle, determining a best signal circle for a user mobile device within a predetermined distance of dead zones, and sending the best signal circle to the user mobile device based at least in part on the signal reputation score and a location of the user mobile device. In some embodiments, the technique may include some but not all of these actions and additional actions, such as suspending obtaining signal reputation data based on battery status.

Abstract: Methods, systems, articles of manufacture and apparatus to identify an application (app) are disclosed. An example apparatus includes a data labeler to associate first router data with application identification data, a metrics manager to generate metric values associated with a segment of the first router data and generate histograms of the metric values, a classification engine to generate a signature model based on the histograms, and an application identifier to identify the application based on second router data by applying the second router data to the signature model.

Abstract: Technologies for a distributed Internet of Things (IoT) system including a plurality of IoT devices are disclosed. An example IoT device includes an input device to receive an input from a user and a processor to determine if a pattern is recognized in the input. The example IoT device also includes a communication circuit to: in response to a determination that a pattern is not recognized in the input, communicate a first message indicative of the input over a universal bus; and in response to a determination that a pattern is recognized in the input, communicate a second message indicative of the input directly to another IoT device without using the universal bus.

Abstract: A query is received from a particular endpoint device identifying a particular wireless access point encountered by the particular endpoint device. Pre-existing risk assessment data is identified for the identified particular wireless access point and query result data is sent to the particular endpoint device characterizing pre-assessed risk associated with the particular wireless access point. In some instances, the query result data is generated based on the pre-existing risk assessment data. In some instances, pre-existing risk assessment data can be the result of an earlier risk assessment carried-out at least in part by an endpoint device interfacing with and testing the particular wireless access point.

Abstract: In accordance with one embodiment of the present disclosure, a method for determining the similarity between a first data set and a second data set is provided. The method includes performing an entropy analysis on the first and second data sets to produce a first entropy result, wherein the first data set comprises data representative of a first one or more computer files of known content and the second data set comprises data representative of a one or more computer files of unknown content; analyzing the first entropy result; and if the first entropy result is within a predetermined threshold, identifying the second data set as substantially related to the first data set.

Abstract: Code of a particular application is analyzed against a semantic model of a software development kit of a particular platform. The semantic model associates a plurality of application behaviors with respective application programming interface (API) calls of the particular platform. A set of behaviors of the particular application is identified based on the analysis of the code and a particular one of the set of behaviors is identified as an undesired behavior. The particular application can be automatically modified to remediate the undesired behavior. The particular application can be assigned to one of a plurality of device modes, and access to the particular application on a user device can be based on which of the plurality of device modes is active on the user device.

Abstract: Dynamically identifying and utilizing an opportunistic device by performing at least the following within a discovery offloading module: receive an offloading alert message from a service device, wherein the offloading alert message indicates the service device is unable to provide one or more services to the client device, receive a discovery message from a candidate device, wherein the discovery message indicates the candidate device is capable of performing the services provided to the client device, select, using the dedicated execution environment, an opportunistic service device based on the discovery message from the candidate device; and trigger the restart of host execution instruction within the client device by obtaining the one or more services from the opportunistic service device, wherein the discovery offloading module operates independently from the host execution instructions within the client device.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed. An example apparatus includes a detector to detect a user-initiated switch between a closed operating system type and an open operating system type; an adapter to, in response to a notification, from the detector, of the switch, transition activation from a first interface to a second interface; and a scanner including a first scanning engine to operate via the first interface when the detector detects that the operating system is in the closed operating system type and the second interface when the detector detects that the operating system is in the open operating system type.

Abstract: Particular embodiments described herein provide for a system that can be configured to receive a notification that a client device is requesting, to modify original data associated with an online application, wherein the original data is stored in encrypted format in a cloud; decrypt the original data using a first client encryption key; store the decrypted data in a location accessible by the online application; enable editing capability of the decrypted data; receive a notification that the client device is finished modifying the data in decrypted format; determine whether the original data in decrypted format was modified; encrypt, based on a determination that the original data was modified, the modified data using a second client encryption key; and upload the modified data in encrypted format to the cloud.

Abstract: An apparatus, related devices and methods, having a memory element operable to store instructions; and a processor operable to execute the instructions, such that the apparatus is configured to identify sensitive user data stored in the memory by a first application, determine a risk exposure score for the sensitive user data, apply, based on a determination that the risk exposure score is above a threshold, a security policy to restrict access to the sensitive user data, receive a request from a second application to access the sensitive user data, determine whether the first application and the second application are similar applications, and allow access based on a determination that the first application and the second application are similar applications.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed. An example partitioned computer database system includes a plurality of nodes, a data director to distribute a plurality of portions of database data across the plurality of nodes, queriers associated with respective ones of the plurality of nodes, the queriers to execute respective sub-queries of respective portions of the database data, and a coordinator to receive a request to query the database data, and merge results of the plurality of sub-queries to form a response to the request.

Abstract: Techniques allow identification of credential fields in a credential form on a web page that can be stored in a credential manager database to allow a credential manager application to fill the credential fields with saved credentials managed by the credential manager.

Abstract: There is disclosed in one example a mobile computing apparatus, including: a hardware platform including a processor and a memory; a user display; a global positioning system (GPS) driver; a network interface; and instructions encoded within the memory to instruct the processor to: receive a device location from the GPS driver; via the network interface, query a cloud-based wireless access point (WAP) reputation service for WAP reputation data of nearby WAPs; and drive to the user display an image of nearby WAPs having overlaid thereon WAP reputation data for the nearby WAPs.

Abstract: Methods and apparatus for hardware based file/document expiry timer enforcement is disclosed. An example method includes instructing, by executing an instruction with a processor, a trusted execution environment to generate an encryption key and a certificate for a document, the certificate including expiry information for the document, the certificate associated with identification information of the document, and the expiry information indicative of a time period for which the encryption key is valid to decrypt the document; encrypting, by executing an instruction with the processor, the document using the encryption key; transmitting the certificate to a first remote network storage device; and transmitting the document to a second remote network storage device.

Abstract: Disclosed examples decrypt a first block of sequential blocks using a first decryption key generated based on a first hash of a second decryption key and bit stream data, the first decryption key associated with the first block of the sequential blocks to generate a first segment of a band entropy coded bit stream; generate a third decryption key for a second block of the sequential blocks based on a second hash of the first decryption key and data of the first block of the sequential blocks; decrypt the second block of the sequential blocks using the third decryption key associated with the second block of the sequential blocks to generate a second segment of the band entropy coded bit stream; and merge the first and second segments of the band entropy coded bit stream to generate a source data bit stream using a bit mask for demultiplexing.

Abstract: There is disclosed in one example a malware analysis server, including: a hardware platform including a processor and a memory; a machine learning model; a store of known objects previously classified by the machine learning model; and instructions encoded within the memory to instruct the processor to: receive a test sample; apply the machine learning model to the test sample to provide the test sample with classified features; compute pairwise distances between the test sample and a set of known objects from the store of known objects; select a group of near neighbor samples from the set of known objects; select a group of far neighbor samples from the set of known objects; and generate an explanation for the test sample according to the near neighbor samples and far neighbor samples.

Abstract: Sharing IoT device (IoTd) profile data is provided, comprising: generating at least one access control rule to protect an IoTd; publishing first IoTd profile data in a first new block (FNB) of a blockchain of a blockchain network (BN), wherein the first IoTd profile data comprises the at least one access control rule; and committing the FNB to the blockchain based on a consensus algorithm by: a manufacturer of the IoTd committing the FNB to the blockchain; a security vendor (SV) participating in the BN committing the FNB to the blockchain when the SV is a sole SV participating in the BN; or the SV committing the FNB to the blockchain based on consensus among at least the SV and a plurality of security vendors when the SV and the plurality of security vendors are participating in the BN.

Abstract: Particular embodiments described herein provide for a network element that can be configured to receive, from an electronic device, a request to access a network service. In response to the request, the network element can send data related to the network service to the electronic device and add a test link to the data related to the network service. The network element can also be configured to determine if the test link was successfully executed and classify the electronic device as untrusted if the test link was not successfully executed.