Abstract: Methods, systems, and media for protecting against return-oriented programming malware are provided. In some embodiments, the method comprises: retrieving an executable module; identifying a basic block in the executable module located at a first memory location, wherein the basic block has one entry point and one exit point; moving a portion of the executable module that corresponds to the basic block to a random memory location from the first memory location; and replacing a destination of a function call to the basic block within the executable module with a representation of the random memory location.

Abstract: A system, method, and computer program product are provided for managing a connection between a device and a network. In use, a first device coupled between a second device and a network is identified. Further, the first device is controlled based on predefined criteria utilizing the second device, for managing a connection between the second device and the network.

Abstract: There is disclosed in one example an advertisement reputation server, including: a hardware platform including a processor and a memory; a network interface; and an advertisement reputation engine including instructions encoded in memory to instruct the processor to: receive via the network interface a plurality of advertisement instances displayed on client devices; extract from the advertisement instances an advertiser identifier; analyze one or more advertisements associated with the advertiser identifier to assign an advertiser reputation; and publish via the network interface advertisement reputation information derived from the reputation for the advertisement identifier.

Abstract: There is disclosed in one example a computing apparatus, including: a processor and a memory; a network interface; and a security agent including instructions encoded within the memory to instruct the processor to: identify an unknown software object; query, via the network interface, a global reputation store for a global reputation for the unknown software object; receive a response from the global reputation store and determine that the unknown software object does not have a reliable global reputation; compute a local reputation for the unknown software object; and share the local reputation for the unknown software object with the global security cache.

Abstract: A network security platform (NSP) device and interaction method are disclosed. The interaction method provides network packet analysis for secure transmission protocols using ephemeral keys or keys that are negotiated dynamically. The NSP may be part of an Intrusion Protection System, or firewall. The disclosed approach does not use man-in-the-middle proxy. Instead, it includes monitoring connections ends: client and/or server, to intercept the required data or negotiated (or changed) encryption keys. Decrypted data may be sent to an NSP sensor in a secure manner for analysis. Alternatively, intercepted keys used for the encrypt/decrypt operations may be sent to an NSP sensor in a secure manner every time they are changed. The NSP sensor may then use the obtained keys to decrypt traffic prior to providing it to the inspection engines. Embodiments focused on inbound traffic to a web server may coordinate between a web server and an NSP.

Abstract: In an example, there is disclosed a security management console, comprising: a hardware platform, comprising a processor, a memory, and a data exchange layer (DXL) interface, the DXL interface comprising a hardware network connection and a software layer, the software layer to provide a two-layer messaging bus, wherein a lower layer is an internet protocol (IP) network, and an upper layer is a publish-subscribe enterprise service bus (ESB); an interface to a reputation database, the reputation database including cached reputations for a plurality of network objects, the reputations representing the network objects' safety within an enterprise serviced by the DXL; and instructions encoded within the memory to instruct the processor to: provide a DXL security console graphical user interface (GUI), the GUI including instructions to provide a graphical representation of an object, including the object's default reputation retrieved from the reputation database; receive a user input to override the object's defau

Abstract: A system, method, and computer program product are provided for isolating a device associated with at least potential data leakage activity, based on user input. In operation, at least potential data leakage activity associated with a device is identified. Furthermore, at least one action is performed to isolate the device, based on user input received utilizing a user interface.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to manage digital assets owned by a user and hosted by a first online service provider and a second online service provider. Provided herein is a gateway system comprising: a trusted authentication interface; one or more processors; and memory including instructions that, when executed, cause the one or more processors to at least: authenticate the user with the first and second online service providers using the trusted authentication interface; and instruct, via the trusted authentication interface, the first and second online service provider to take an action with respect to one or more of the digital assets, the first and second online service providers to trust the instructions from the trusted authentication interface without further authenticating the user.

Abstract: A method for automated assessment of a model includes: training a model to perform a prediction, diagnostic, or classification operation based on a training dataset; deploying the model in production to perform the operation on field data; monitoring signal data associated with the model automatically, the signal data including specific or derived signal data representing characteristics of an ecosystem in which the model is deployed and new observations in incoming field data; monitoring accuracy of the model by applying a statistical tool to a plurality of data points of the signal data; determining whether the signal data represents an unstable process by identifying outlier data points from among the plurality of data points of the signal data; generating an indication that a corrective action should be taken on the model based on a result of the determination; and displaying the indication on a display.

Abstract: Techniques for protecting a computer system against fileless malware are described. One technique includes a virtual machine (VM) locker logic/module implemented by one or more processors receiving information about input/output (I/O) requests associated with injection of data into a process. The logic/module can generate or update an information log to reflect that the process includes data from an external source. The data from the external source can include fileless malware. The technique also includes the logic/module intercepting an execution request by a process (e.g., the process that includes data from an external source, another process, etc.), where an execute privilege located in an operating system mediated access control mechanism approves the request. Next, the logic/module determines that the process requesting execution is included in the log and removes an execute privilege located in a hypervisor mediated access control mechanism to deny the request.

Abstract: There is disclosed, in one example, a computing apparatus for providing a portable user interface agnostic to a native host implementation, including: a hardware platform including a processor and a memory; a first functional domain including logic to provide the user interface; a second functional domain including logic to provide native functionality; a function storage including logic to assign a unique identifier to a function of the second functional domain; and an application programming interface (API) interpreter to enable the first functional domain to access the function of the second functional domain via the unique identifier for the function.

Abstract: Enabling a distributed data processing system to process a data set from local storage devices by dynamically reallocating portions of the data set.

Abstract: Mechanisms for controlling traffic to an Internet of Things (IoT) device are provided, the mechanisms comprising: identifying a first IoT device having an Internet Protocol (IP) address and a Media Access Control (MAC) address; sending a first Address Resolution Protocol (ARP) broadcast on a local area network (LAN) indicating that the IP address of the first IoT device is to be associated with a MAC address of a router on the LAN; receiving first traffic on the LAN; extracting the IP Address of the first IoT device from the first traffic; determining that the first traffic is allowed; and forwarding the first traffic to the first IoT device by inserting the MAC address of the first IoT device in the first traffic and re-broadcasting the first traffic.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to allow for the mitigation of ransomware. For example, the system can determine that an application begins to execute, determine that the application attempts to modify a file, determine a file type for the file, and create a security event if the application is not authorized to modify the file type. In another example, the system determines an entropy value between the file and the attempted modification of the file, and create a security event if the entropy value satisfies a threshold or determine a system entropy value that includes a rate at which other files on the system are being modified by the application, and create a security event if the system entropy value satisfies a threshold.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to identify a process running on the electronic device, assign a reputation to the process if the process has a known reputation, determine if the process includes executable code, determine a reputation for the executable code, and combine the reputation for the executable code with the reputation assigned to the process to create a new reputation for the process.

Abstract: Particular embodiments described herein provide for a system that can be configured to communicate chat session data during a chat session to a first display of a first electronic device, communicate the chat session data during the chat session to a second display of a second electronic device, receive sensitive data during the chat session from the first electronic device, and protect the sensitive data from being displayed on the second display during the chat session without breaking continuity of the chat session.

Abstract: Methods, systems, and media for indicating a security status of an Internet of Things (IoT) device are provided. In some embodiments, a method for indicating a security status of an IoT device is provided, the method comprising: detecting a field of view comprising an IoT device; tracking a position of the IoT device relative to the field of view; interrogating the IoT device for a status thereof; determining a security status of the IoT device based on the interrogating; selecting a graphical representation of a plurality of graphical representations based on the determined security status of the IoT device; and causing an interface to be presented that displays the graphical representation associated with the position of the IoT device in the field of view.

Abstract: An opportunity to assist with remediation of a file at a remote particular host device is identified. One or more remediation techniques are identified that can be applied to assist with remediation of the file at the particular host device. In one aspect, one or more remediation scripts are identified from a plurality of remediation scripts for remediation of the file and provided to the particular host device for execution on the particular host device. In another aspect, a remediation tool is identified and launched on a computing device remote from the particular host device with operations of the remediation tool applied to resources of the particular host device. In another aspect, at least a portion of the remediation techniques are remotely initiated to be performed locally at the particular host device.

Abstract: Methods, systems, and media for detecting malicious activity from user devices are provided. In some embodiments, a method for detecting malicious activity from user devices is provided, the method comprising: receiving information indicating a requested connection to a destination by a first user device; adding the received information to information received from a plurality of user devices to generate aggregated connection information; determining that the requested connection to the destination by the first user device is part of an attack, wherein determining that the requested connection to the destination by the first user device is part of the attack on the destination comprises determining that more than a predetermined percentage of user devices have requested connections to the destination; receiving information indicating a requested connection to the destination by a second user device; and causing the connection to the destination by the second user device to be blocked.

Abstract: There is disclosed in one example a computing apparatus to broker purchase of an item or service between a consumer and seller, including: a hardware platform including a processor; and a memory, including executable instructions to instruct the hardware platform to: receive an encrypted payload including a request from a consumer to purchase the item or service, the encrypted payload including information about the consumer; without exposing the information about the consumer to the seller, determine, based on the seller's availability to sell the item or service and the seller's preferences for selling the item or service, that the request matches the seller's availability and preferences; and send a notification that the seller will sell the item or service.