Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to improve anti-malware scan responsiveness, in response to a performance issue on a user computing device, determine a symptom associated with the performance issue based on a user input from the user computing device, the user input corresponding to highlighting an area of a display associated with the performance issue, a window having been rendered on the display by an operating system of the user computing device, identify a scan parameter for a targeted anti-malware scan based on positive results of malware scans from other user computing devices that experienced the symptom, and transmit the scan parameter to the user computing device to facilitate a targeted anti-malware scan of the user computing device based on the scan parameter.

Abstract: There is disclosed a method and system therefor, the method for validating a machine learning (ML) model, wherein the ML model is a binary classifier, the method including training the ML model on a training set comprising labeled objects from a first class and a second class; and validating the ML model on a training set, wherein the training set comprises at least some unlabeled objects, and for unlabeled objects, using an estimated classification as a proxy for a known label, wherein the estimated classification is based on computing a smallest distance to respective known feature vector clusters for the first and second classes.

Abstract: There is disclosed in one example a mobile telephone, including: a hardware platform including a processor and a memory; a telecommunication transceiver; and instructions encoded within the memory to instruct the processor to: identify a call made via the telecommunication transceiver; analyze the call and assign the call a predicted local reputation according to the analysis, including a legitimacy confidence score; if the legitimacy confidence score is less than a first threshold, terminate the call; if the legitimacy confidence score is greater than a second threshold, cease analysis of the call; and if the legitimacy confidence score is between the first and second thresholds, continue analysis of the call.

Abstract: There is disclosed in one example an enrollment over secure transport (EST)-capable gateway device, including: a hardware platform including a processor and a memory; a first network interface to communicatively couple to an external network, including an external DNS server; a second network interface to communicatively couple to a home network; a caching DNS server including a local DNS cache, and logic to provide DNS services to the home network; and an EST proxy to authenticate to a local endpoint on the home network, provision a DNS server certificate on the local endpoint, provision an authentication domain name (ADN) on the local endpoint, and provide encrypted domain name system (DNS) services to the local endpoint.

Abstract: An attempted transaction is identified involving a customer device and the first customer device is redirected to a security broker. A security report for the first customer device is received from the security broker. The security report is based on security data transmitted from the customer device to the security broker. An action can be performed in association with the attempted transaction based at least in part on the received security report. In some aspects, the security broker receives security data describing security conditions on the customer device in connection with the transaction between the customer device and a transaction partner. A risk tolerance policy is identified that corresponds to the transaction partner, such as an ecommerce provider. A security report is generated based on a comparison of the risk tolerance policy and the security data and the security report.

Abstract: The present disclosure relates to a system and method for performing anti-malware scanning of data files that is data-centric rather than device-centric. In the example, a plurality of computing devices are connected via a network. An originating device creates or first receives data, and scans the data for malware. After scanning the data, the originating device creates and attaches to the data a metadata record including the results of the malware scan. The originating device may also scan the data for malware contextually-relevant to a second device.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; and an anomaly detection engine including instructions encoded within the memory to instruct the processor to: periodically collect telemetry for a performance parameter; compute and maintain a local trend line for the performance parameter; receive from a cloud service a global trend line for the performance parameter for a class of devices including the computing apparatus; and perform anomaly detection including analyzing the local trend line and the global trend line to detect an anomaly.

Abstract: There is disclosed in an example a gateway device, including a hardware computing platform, and a secure domain name system (DNS) engine having circuitry and stored instructions to-program the circuitry, the secure DNS engine to communicatively couple to an endpoint via a local network, begin a secure DNS transaction with the endpoint, determine whether the endpoint supports delegated credentials, and after determining that the endpoint supports delegated credentials, establish a secure DNS session with the endpoint using a delegated credential.

Abstract: Methods, apparatus, systems and articles of manufacture to implement a virtual private network with probe for network connectivity are disclosed. An example non-transitory computer readable storage medium is disclosed comprising instructions which, when executed, cause a machine to at least, in response to a first instruction from an operating system to establish a network tunnel, transmit a probe request to a server; and in response to not receiving, from the server, a probe response to the probe request, report that the network tunnel has been established to prevent the operating system from transmitting subsequent instructions to establish the network connection until a response to a probe request is received.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to identify a process running on the electronic device, assign a reputation to the process if the process has a known reputation, determine if the process includes executable code, determine a reputation for the executable code, and combine the reputation for the executable code with the reputation assigned to the process to create a new reputation for the process.

Abstract: Methods, apparatus, systems and articles of manufacture to generate regex and detect data similarity are disclosed. An example apparatus includes a token graph generator to generate a token graph including nodes based on a cluster of strings corresponding to a group of messages that are known to be spam; a pivot engine to identify pivot nodes in the cluster of strings; a pivot applicator to tag corresponding ones of the nodes of the token graph as the pivot nodes; and a regex converter to generate the anti-spam signature based on: (a) the tagged nodes and (b) at least one of the node of the token graph that is not tagged as a pivot node.

Abstract: The present disclosure relates to a system and method for providing a service on a wearable device where the wearable device is limited in its functionality in some way when compared with a companion device. In particular, the disclosure describes use cases for configuring the wearable device, and use cases for configuring a wearable device and performing service application functions on the wearable device while leveraging a companion device.

Abstract: Examples for device-driven auto-recovery using multiple recovery sources are disclosed herein. At least one storage device or storage disk includes instructions that, when executed, cause at least one processor to at least detect a flaw in a first configuration of a program to be installed on a programmable device, the first configuration recorded on a first chain of a distributed ledger of a blockchain; correct the flaw in the first configuration to generate a corrected configuration; commit the corrected configuration to the distributed ledger, the corrected configuration to create a second chain of the distributed ledger; detect an update of the first configuration to a first updated configuration and an update to the corrected configuration to an updated corrected configuration; and prevent the first updated configuration from being installed on the programmable device by replacing the first updated configuration with the updated corrected configuration on the second chain.

Abstract: There is disclosed in one example a hardware computing platform, including: a processor; a memory; a network interface; and a security module, including instructions to cause the processor to: receive a request to download a file via the network interface; download a first portion of the file into a buffer of the memory; analyze the first portion for malware characteristics; assign a security classification to the file according to the analysis of the first portion; and act on the security classification.

Abstract: A method for halting malware includes: monitoring plural file system events with a system driver to detect an occurrence of a file system event having a predetermined file type and log event type; triggering a listening engine for file system event stream data of a file associated with the detection of the file system event, the file system event stream data indicating data manipulation associated with the file due to execution of a process; obtaining one or more feature values for each of plural different feature combinations of plural features of the file based on the file system event stream data; inputting one or more feature values into a data analytics model to predict a target label value based on the one or more feature values of the plural different feature combinations and agnostic to the process; and performing a predetermined operation based on the target label value.

Abstract: Methods and apparatus for secure software defined storage are disclosed. An example apparatus includes memory and a processor to access a read request for data written to a software defined storage location, obtain the requested data from the software defined storage location, perform a classification operation on the requested data to obtain classification data corresponding to the requested data, the classification data to represent whether the requested data includes personally identifiable information, in response to determining that the requested data includes personally identifiable information, apply data loss prevention to the requested data to create response data, determine whether a client requesting the data from the software defined storage location is authorized to access the requested data, and in response to determining that the client requesting data is authorized to access the requested data, transmit the response data to the client.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to detect malware based on network traffic analysis. An example apparatus includes a classification controller to: in response to a first classification score of a first network traffic sample satisfying a first threshold, determine whether a second classification score of a second network traffic sample satisfies a second threshold; and in response to the second classification score of the second network traffic sample satisfying the second threshold, classify network traffic associated with the first network traffic sample and the second network traffic sample as potentially malicious network traffic; and a remediation controller to, in response to the network traffic being classified as the potentially malicious network traffic, execute a remediation action to remediate malicious activity associated with the potentially malicious network traffic.

Abstract: Methods, apparatus, systems, and articles of manufacture to provide and monitor efficacy of artificial intelligence models are disclosed. An example apparatus includes a model trainer to train an artificial intelligence (AI) model to classify malware using first training data; an interface to deploy the AI model to a processing device; a model implementor to locally apply second training data to the AI model to generate output classifications, the second training data generated after generation of the first training data; and a report generator to generate a report including an efficacy of the AI model based on the output classifications.

Abstract: Providing optical watermark signals for a visual authentication session by performing at least the following: receive, at an anti-spoof engine, an instruction to perform visual authentication operations for a visual authentication session, generate, with the anti-spoof engine, an optical watermark signal based on receiving the instruction, wherein the optical watermark signal includes at least one optical identifier to authenticate images captured during the visual authentication session, obtain, with the anti-spoof engine, an image source that includes captured images of the visual authentication session, determine, with the anti-spoof engine, whether the image source includes a reflected optical watermark signal, and compare, with the anti-spoof engine, whether the reflected optical watermark signal matches the generated optical watermark signal based on the determination that the image source includes the reflected optical watermark signal.

Abstract: In an example, there is disclosed a computing apparatus having: a network interface to communicate with a second device; a contextual data interface to receive and store contextual data; and one or more logic elements comprising a contextual security agent, operable to: receive a contextual data packet via the network interface; compare the contextual data packet to stored contextual data; and act on the comparing. The contextual data packet may optionally be provided out of band, and may be used to authenticate a substantive data packet, such as a patch or update.