Abstract: Methods, apparatus, systems and articles of manufacture to improve deepfake detection with explainability are disclosed. An example apparatus includes a deepfake classification model trainer to train a classification model based on a first portion of a dataset of media with known classification information, the classification model to output a classification for input media from a second portion of the dataset of media with known classification information; an explainability map generator to generate an explainability map based on the output of the classification model; a classification analyzer to compare the classification of the input media from the classification model with a known classification of the input media to determine if a misclassification occurred; and a model modifier to, when the misclassification occurred, modify the classification model based on the explainability map.

Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed that determine a dynamic password update notification interval based on a breach risk classification and an automatic password update mechanism of an online service with which a user has an account. The disclosed methods, apparatus, systems, and articles of manufacture generate a password update suggestion and/or an automatic password update for the user at the dynamic password update notification interval determined by the processor circuitry.

Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed to improve detection of malware in executable code. Examples disclosed herein include an apparatus comprising: a log file filtration controller to exclude at least one known clean function from a log file to generate a filtered log file; a log file normalization controller to normalize mnemonics of functions in the filtered log file to generate normalized functions; a feature vector generation controller to populate a feature vector with n-gram groupings of the normalized functions; and a machine learning engine to train a machine learning model with the feature vector, the machine learning model to be deployed to an end-user device to detect malware in executable code.

Abstract: Methods and apparatus for hardware based file/document expiry timer enforcement is disclosed. An example method includes instructing, by executing an instruction with a processor, a trusted execution environment to generate an encryption key and a certificate for a document, the certificate including expiry information for the document, the certificate associated with identification information of the document, and the expiry information indicative of a time period for which the encryption key is valid to decrypt the document; encrypting, by executing an instruction with the processor, the document using the encryption key; transmitting the certificate to a first remote network storage device; and transmitting the document to a second remote network storage device.

Abstract: Systems and methods for detection of domain generated algorithms (DGA) and their command and control (C&C) servers are disclosed. In one embodiment, such an approach includes examining DNS queries for DNS resolution failures, and monitoring certain set of parameters such as number of levels, length of domain name, lexical complexity, and the like for each failed domain. These parameters may then be compared against certain thresholds to determine if the domain name is likely to be part of a DGA malware. Domain names identified as being part of a DGA malware may then be grouped together. Once a DGA domain name has been identified, activity from that domain name can be monitored to detect successful resolutions from the same source to see if any of the successful domain resolutions match these parameters. If they match specific thresholds, then the domain is determined to be a C&C server of the DGA malware and may be identified as such.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to analyze telemetry data of a network device for malicious activity. An example apparatus includes an interface to obtain first telemetry data, a rules generator to, using the first telemetry data, generate a global block list using a machine learning model, the machine learning model generated based on a device specific block list and a device specific allow list, and a model manager to transmit the global block list to a gateway, the gateway to facilitate on-path classification of second telemetry data.

Abstract: A computing apparatus, including: a hardware platform including a processor circuit and a memory; and instructions encoded within the memory to instruct the processor circuit to: extract human readable text from a plurality of known websites, the known websites having known classifiers; apply a MinHash algorithm to respective human readable text of the known websites; generate a plurality of different locality sensitive hashing (LSH) indexes for the respective websites; extract human readable text from a test website; apply the MinHash algorithm to the human readable text of the test website to provide a MinHash of the test website; query the plurality of different LSH indexes with the MinHash of the test website; and according to a result of the query, assign a category the test website, wherein the category matches a known category of at least one of the plurality of known website found to have a containment with the test website above a threshold.

Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed to determine mutex entropy for malware classification. An example apparatus includes interface circuitry to access a mutex associated with a software application, the mutex to include a mutex identifier string, normalizer circuitry to normalize the mutex identifier string, character probability circuitry to determine character probabilities of characters within the normalized mutex identifier string, the character probabilities based on a historical mutex character distribution, entropy calculator circuitry to calculate an entropy value for the mutex based on the character probabilities, classifier circuitry to classify the mutex as clean or malicious based on the entropy value, and protector circuitry to mitigate malicious attacks based on the classification.

Abstract: There is disclosed in one example a computing apparatus, including: a processor and a memory; a network interface; and instructions encoded within the memory to instruct the processor to: receive a uniform resource locator (URL) for analysis, the URL to access a web page via a remote server; via the network interface, retrieve from the remote server a copy of the web page; render the web page in a headless browser to provide a computer-accessible visual output; perform visual analysis of the visual output via a digital eye; compare the visual analysis to a plurality of known phishing target websites; and if the comparison identifies the web page as visually similar to a known phishing target website, detect the web page as a phishing web page.

Abstract: Particular embodiments described herein provide for modular device assemblies and methods for enabling maintenance and servicing, particularly by an unmanned aerial vehicle. A device assembly comprises a plurality of modules, each module having control circuitry, a communications port and contact points to couple the modules. When the modules are coupled, the communications ports are connected to create a bus for communications between the modules. The modular device structure where modules are removable and replaceable allows for an unmanned aerial vehicle to perform maintenance on the device.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a network interface to communicatively couple to a network; and a network gateway engine to identify devices on the network, the network gateway engine including instructions encoded within the memory to instruct the processor to provide two-phase identification for a device newly-identified on the network, including: a static identification phase including applying discovery probes to the newly-identified device; and a dynamic identification phase including collecting network telemetry for the newly-identified device over time and analyzing the collected network telemetry to determine if the network telemetry is consistent with expected network usage for the newly-discovered device.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; and instructions encoded within the memory to instruct the processor to: trace, for a plurality of actions having different direct parent actors, a common responsible parent actor, wherein the instructions determine that the common responsible parent actor caused or directed the plurality of actions; compile a report of the plurality of actions, wherein the actions are grouped by the common responsible parent actor; send the report to a machine or human analysis agent; responsive to the report, receive from the analysis agent a remedial action; and execute the remedial action.

Abstract: An example apparatus includes: memory; instructions in the apparatus; and at least one processor to execute the instructions to: check for proof of trust information in one or more pre-determined positions in a trusted digital image, the proof of trust information including a secure output marker, the secure output marker indicative of information corresponding to a trusted output area of the trusted digital image; decrypt the secure output marker using one or more security keys from a trusted execution environment (TEE), the TEE isolated from a computing application; and enable activation of a trusted output indicator in response to a match between first data corresponding to the secure output marker and second data corresponding to the trusted output area of the trusted digital image.

Abstract: Systems and methods for real-time user verification in online education are disclosed. In certain example embodiments, user identifying information associated with a user and a request to access online education content may be received from a user device. A face template including historical facial image data for the user can be identified. Current facial image data can be compared to the face template to determine if a match exists. Biometric sensor data, such as heart rate data, may also be received for the user. The biometric sensor data may be evaluated to determine if the user is currently located at the user device. If the user is currently located at the user device and the current facial image data matches the face template, access to the online education content may be provided to the user at the user device.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform, including a processor, a memory, and a network interface; a bucketized reputation modifier table; and instructions encoded within the memory to instruct the processor to: perform a feature-based malware analysis of an object; assign the object a malware reputation according to the feature-based malware analysis; query and receive via the network interface a complementary score for a complementary property of the object; query the bucketized reputation modifier table according to the complementary score to receive a reputation modifier for the object; adjust the object's reputation according to the reputation modifier; and take a security action according to the adjusted reputation.

Abstract: There is disclosed in one example a mobile computing apparatus, including: a hardware platform including a processor and a memory; a user display; a global positioning system (GPS) driver; a network interface; and instructions encoded within the memory to instruct the processor to: receive a device location from the GPS driver; via the network interface, query a cloud-based wireless access point (WAP) reputation service for WAP reputation data of nearby WAPs; and drive to the user display an image of nearby WAPs having overlaid thereon WAP reputation data for the nearby WAPs.

Abstract: There is disclosed in one example a remediation server including: a hardware platform, including a processor, a memory, and a network interface; and instructions encoded within the memory to instruct the processor to: receive an application binary; create an application logic model of the application binary; and create personalization rules for the application binary based on the application logic model.

Abstract: Automatic detection of software that performs unauthorized privilege escalation is disclosed. Examples disclosed herein include detecting, in an event log, a first event associated with a start of execution of a process, the first event to identify a first privilege level associated with the process, and storing the first privilege level in a data structure associated with the process. Disclosed examples also include detecting, in the event log by executing an instruction with the at least one processor, a subsequent second event associated with the execution of the process, the second event to identify a second privilege level associated with the process. Disclosed examples further include at least one of terminating, pausing or suspending the process in response to the second privilege level being higher than the first privilege level.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to build privacy preserving models. An example apparatus disclosed herein includes a training manager to generate a first modeling plan for client-side resources, and transmit the first modeling plan to the client-side resources. The example apparatus also includes a data aggregator to search for a primary validation flag in response to retrieving client-side model parameters, and an accuracy calculator to, in response to detecting the primary validation flag, perform a secondary validation corresponding to the client-side model parameters using a server-side ground truth data set, and determine whether to update the global model with the client-side model parameters based on a comparison of results of the secondary validation and a validation threshold.

Abstract: There is disclosed in one example a mobile telephone, including: a hardware platform including a processor and a memory; a telecommunication transceiver; and instructions encoded within the memory to instruct the processor to: identify a call made via the telecommunication transceiver; analyze the call and assign the call a predicted local reputation according to the analysis, including a legitimacy confidence score; if the legitimacy confidence score is less than a first threshold, terminate the call; if the legitimacy confidence score is greater than a second threshold, cease analysis of the call; and if the legitimacy confidence score is between the first and second thresholds, continue analysis of the call.