Abstract: Providing optical watermark signals for a visual authentication session by performing at least the following: receive, at an anti-spoof engine, an instruction to perform visual authentication operations for a visual authentication session, generate, with the anti-spoof engine, an optical watermark signal based on receiving the instruction, wherein the optical watermark signal includes at least one optical identifier to authenticate images captured during the visual authentication session, obtain, with the anti-spoof engine, an image source that includes captured images of the visual authentication session, determine, with the anti-spoof engine, whether the image source includes a reflected optical watermark signal, and compare, with the anti-spoof engine, whether the reflected optical watermark signal matches the generated optical watermark signal based on the determination that the image source includes the reflected optical watermark signal.

Abstract: Providing secure software defined storage includes identifying data directed to be stored in a software defined storage location, intercepting the data, performing a security operation on the intercepted data, and transmitting the data to the software defined storage.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a network interface to communicatively couple to an enterprise service bus (ESB); instructions encoded within the memory to provide a data exchange layer (DXL) application programming interface (API), the DXL API to provide communication with a plurality of other DXL endpoints via a DXL broker; and instructions encoded within the memory to provide an asset management engine to: subscribe to a DXL location services topic via the DXL broker; receive a DXL location services query from a DXL endpoint via the DXL broker; and publish network location data via the DXL broker.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; and instructions encoded within the memory to instruct the processor to: receive an unknown file object; select the unknown file object for visual analysis; compute first, second, and third property sets for the unknown object; and construct an n×m bitmap of pixels, including comparing the unknown file object to n×m known file objects, wherein the pixels include first, second, and third color channels, wherein the first, second, and third color channels represent similarity of the first, second, and third properties to corresponding first, second, and third properties of a known file object from among the n×m file objects.

Abstract: An appliance includes a processor, a medium, a registration application, and a monitoring application. The registration application includes instructions in the medium that, when read and executed by the processor, configure the registration application to write a transaction identifier to a start message, the transaction identifier identifying the appliance, write a dataset of interest identifier to the start message, and send the start message to a database. The dataset of interest identifies a group of appliances including the appliance. The monitoring application includes instructions in the medium that, when read and executed by the processor, configure the monitoring application to monitor operations executed on the appliance, write data resulting from the operations to a data message, and send the data message anonymously to the database. The data message is signed with a member key associated with the group of appliances.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to verify application permission safety.

Abstract: Particular embodiments described herein provide for system that can be configured to deliver a notification to a user based on the user's preference for each device that receives the notification. The user's preference is based on how the user interacted with similar notifications in the past and the system can change how it will deliver similar notifications to the user in the future based on how the user interacts with the notification.

Abstract: Example methods, apparatus, systems and articles of manufacture (e.g., physical storage media) to implement contextual key management for data encryption are disclosed. Example apparatus disclosed herein to perform contextual encryption key management, which are also referred to herein as contextual key managers, include an example context discoverer to discover context information associated with a request to access first encrypted data. Such disclosed example apparatus also include an example contextual key mapper to identify a combination of context rules associated with a key that is to provide access to the first encrypted data, validate the context information associated with the request based on the combination of context rules associated with the key to determine whether the request to access the first encrypted data is valid, and obtain the key from a key management service when the request to access the first encrypted data is valid.

Abstract: There is disclosed in one example a computing apparatus, including: a processor and a memory; a data store having stored thereon trained models MGLOBAL and MENT, wherein model MGLOBAL includes a clustering model of proximity and prevalence of a first body of computing objects, and MENT includes a clustering model of proximity and prevalence of a second body of computing object; and instructions encoded within the memory to instruct the processor to: receive an object under analysis; apply a machine learning model to compute a global variance score between the object under analysis and MGLOBAL; apply the machine learning model to compute an enterprise variance score between the object under analysis and MENT; compute from the global variance score and the enterprise variance score a cross-sectional variance score; and assign the object under analysis an analysis priority according to the cross-sectional variance score.

Abstract: A computing apparatus to provide endpoint detect and response (EDR) filtering to an enterprise, including: a processor and memory; a network interface; a network protocol to communicatively couple to a data source via the network interface; and instructions encoded within the memory to provide an EDR filtering pipeline to receive an unfiltered EDR stream via the network interface, extract an EDR record from the EDR stream, and apply a hash to the EDR record to determine that the EDR record is uncommon in context of the enterprise; and a decorator module to decorate the EDR record for in-depth analysis.

Abstract: There is disclosed in one example a computing apparatus, including: a processor and memory; and instructions encoded within the memory to instruct the processor to: identify a scripted process for security analysis; hook application programming interface (API) calls of the scripted process to determine a plurality of pre-execution parameters and runtime parameters; assign individual scores to the pre-execution parameters and runtime parameters; compute a sum of the individual scores; compare the sum to a threshold; and detect malicious or suspicious activity if the sum is above the threshold.

Abstract: There is disclosed in one example a computing apparatus, including: a processor and a memory; instructions encoded within the memory to instruct the processor to: identify a downloaded file on a file system; inspect a metadata object attached to the downloaded file; parse the metadata object to extract an advertiser identification string from a GET code portion of a uniform resource locator (URL); query a reputation cache for a reputation for the advertiser identification string; receive a deceptive reputation for the advertiser identification string; and take a remedial action against the downloaded file.

Abstract: A computing apparatus, including: a processor and a memory; a web browser; and a web exploit mitigation engine, including instructions within the memory to instruct the processor to: insert a script into an incoming webpage, the script including instructions to hook application programming interface (API) function calls of a scripting language, the API function calls for a plurality of functions commonly used by browser exploits; observe information passed by a running script to the plurality of API functions; correlate the called API functions to a malware model; detect a web page making the API function calls as containing a browser exploit according to the correlating; and act on the detecting.

Abstract: A system, method, and computer program product are provided for managing a connection between a device and a network. In use, a first device coupled between a second device and a network is identified. Further, the first device is controlled based on predefined criteria utilizing the second device, for managing a connection between the second device and the network.

Abstract: Systems and methods for performing graph-based analysis of computing system threats and incidents, and determining response and/or mitigation actions for the threats and incidents, are described. In some embodiments, the systems and methods generate node graphs of computing system threat artifacts, and perform actions to identify recommended resolutions to the threats, based on information derived from the generated node graphs.

Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed for dynamic network classification using authenticated neighbor detection. An example includes a network comparator to determine whether a network to be connected by a computing device is a managed network based on network configuration information associated with the network, in response to determining the network is not a managed network, a neighbor comparator to determine a number of different computing devices on the network that are managed computing devices, and in response to determining that the number of the managed computing devices satisfies a threshold, a sensor controller to invoke a sensor of the computing device to obtain data from computing devices associated with the network, the computing devices including the managed computing devices.

Abstract: There is disclosed in one example a computing apparatus, including: a processor and a memory; an operating system; an application framework including instructions to search a target directory for one or more shared libraries and to attempt to load the one or more shared libraries if found; and an application including: a library file including a primary feature module to provide a primary feature of the application, the primary feature module structured to operate within the application framework, wherein the library file is not independently executable by the operating system; and an unmanaged executable binary to host the library file, wherein the unmanaged executable binary is not managed by the application framework, and includes hooks to intercept the application framework's attempt to load the one or more shared libraries, and to provide security services to the one or more shared libraries before permitting the application framework to attempt to load the one or more shared libraries.

Abstract: A method, a computer-readable medium, and a device for dynamically identifying criticality of services and data sources. Service-related metrics are received from all IoT network elements in a network. The service-related metrics are parsed to extrapolate a network topology. From the topology, a set of critical service delivery points are determined based on data extracted from the service-related metrics. The critical service delivery points may be monitored for service interruptions and alerts may be generated in response to interruptions. Additionally the extrapolated network topology may be compared to a previously recorded topology of the network, and based on the delta, alerts may be generated when the delta meets a threshold.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a closed operating system including instructions within the memory to sandbox userspace applications; and a sandboxed userspace application, including: instructions to provide a user interface and user application code; and an agentless security library within the sandboxed userspace application, the agentless security library including instructions to provide security or privacy services to the sandboxed userspace application with minimal direct interaction from the user interface and user application code.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a whitelist; an updater, the updater being an executable object authorized to modify files within the whitelist and to launch one or more child processes; and instructions encoded within the memory to provide a system management agent to: maintain a chain of trust between the one or more child processes and the updater, wherein the one or more child processes inherit whitelist permissions associated with the updater; and track the chain of trust across a system reboot, including granting a child process the chain of trust after a reboot only if the child process has associated with it a valid certificate.