Abstract: Particular embodiments described herein provide for an electronic device that can be configured to intercept a process, store execution profiling for the process if the process involves a privileged resource or a privileged operation, and analyze the code involved in each stack frame to determine malicious activity. If the process does not involve a privileged resource or a privileged operation, then the process is not analyzed.

Abstract: Computing platform security methods and apparatus are disclosed. An example apparatus includes a security application to configure a security task, the security task to detect a malicious element on a computing platform, the computing platform including a central processing unit and a graphics processing unit; and an offloader to determine whether the central processing unit or the graphics processing unit is to execute the security task; and when the graphics processing unit is to execute the security task, offload the security task to the graphics processing unit for execution.

Abstract: A method for migrating logical devices from one Internet of Things (IoT) device to another includes: receiving, by a first IoT device having a first platform group key, a request to migrate a first logical device from the first IoT device to a second IoT device having a second platform group key; removing a first logical device platform group private key associated with the first logical device from a storage of the first IoT device; sending an encrypted state of the first logical device to the second IoT device; and binding the first logical device to the second IoT device by receiving a second logical device platform group private key for the first logical device from a zone controller; and storing the second logical device platform group private key in a storage of the second IoT device.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to receive data related to execution of a sandboxed process, determine if a high privileged process was created by the sandboxed process, and block the sandboxed process from executing if the high privileged process was created by the sandboxed process and the data indicates the sandboxed process is attempting a sandbox bypass attack. In an example, the high privileged process was created by the sandboxed process if a resource folder is associated with a sandbox folder. In another example, the high privileged process was created by the sandboxed process if a resource folder was created by a broker process in response to a request by the sandboxed process.

Abstract: A disclosed example separates a source data bit stream into at least a high bit stream and a low bit stream, the high bit stream and the low bit stream associated with an entropy band having an entropy designation indicating a level of entropy content, the entropy designation selected from an entropy designation range between a high entropy designation and a low entropy designation; entropy code the high bit stream and the low bit stream separately; create the at least two band entropy coded bit streams; generate a bit mask with a hash, the hash having inputs of at least a strong encryption key and selected data that is from the source data bit stream, the selected data not encrypted during any encryption process; merge the at least two band entropy coded bit streams into a resultant band entropy coded bit stream based on a sequence of at least one indexed value obtained from the bit mask; and at least one of store or share the resultant band entropy coded bit stream in a same file format as the source data b

Abstract: In an example, there is disclosed an electronic apparatus, comprising: a hardware-encoded internal private key; and one or more logic elements comprising a key generation engine to: receive an third-party key; and operate on the third-party key and the internal private key to generate a hardware-generated dynamic identifier (HGDI). There is also disclosed a method of providing an HGDI engine, and one or more computer-readable mediums having stored thereon executable instructions for providing an HGDI.

Abstract: There is disclosed in one example a computing apparatus, including: a processor; and logic encoded into one or more computer-readable mediums, the logic to instruct the processor to: capture first data from an intermediate data source across a first temporal interval; perform partial signal processing on the first data to classify the first temporal interval as either suspicious or not suspicious, wherein the first temporal interval is classified as suspicious if it is determined to potentially represent at least a portion of a cryptomining operation; classify second through N temporal intervals as either suspicious or not suspicious; based on the first through N temporal intervals, classify the apparatus as either operating a cryptomining function or not; and upon classifying the apparatus as operating a cryptomining function and determining that the cryptomining function is not authorized, take remedial action on the apparatus.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform; and a storage medium having stored thereon executable instructions to provide an inference engine configured to: receive a new suspicious fragment object from a protected device; add the new suspicious fragment object to a rolling map configured to provide a temporal snapshot of suspicious fragment objects over a time span; determine a connection between the new suspicious fragment object and an existing suspicious fragment object within the rolling map; apply the connection to a connection map; and operate a map classifier to determine that the connection map represents a probable computer security threat.

Abstract: A disclosed example to batch replace credentials for multiple websites includes accessing mappings between first encrypted credentials and corresponding ones of the websites; decrypting the first encrypted credentials using a master key to generate a plurality of first decrypted credentials; providing ones of the first decrypted credentials and corresponding ones of second decrypted credentials to corresponding ones of the websites to batch replace the first decrypted credentials with the corresponding ones of the second decrypted credentials at the corresponding ones of the websites; generating second encrypted credentials by encrypting the second decrypted credentials using the master key; and storing the second encrypted credentials in a database.

Abstract: There is disclosed in one example a server apparatus, including: a hardware platform including a processor and a memory; a network interface; and a vulnerability assessment server engine including instructions encoded within the memory to instruct the processor to: receive via the network interface an endpoint payload including a platform identification string, including an identifier for an application and an identifier for an action to be taken by the application; query a vulnerability database and platform identification string database to procure an application-specific reputation for the action; and send via the network interface the application-specific reputation for the action.

Abstract: An opportunity for a computing device to participate in a secure session with a particular domain is identified. A secured microcontroller of the computing device is used to identify a secured, persistent seed corresponding to the particular domain and stored in secured memory of the computing device. A secure identifier is derived based on the seed and sent for use by the particular domain in authenticating the computing device to the particular domain for the secure session. The particular domain can further apply security policies to transactions involving the computing device and particular domain based at least in part on the secure identifier.

Abstract: In an example, a web gateway is described, including an authentication proxy engine (PAE). The PAE authenticates a user device via, for example, a username and password, biometric data, or two-factor authentication. The web gateway then provides seamless and transparent single sign-on (SSO) for one or more web services. When the user requests a web page from the web service, the PAE inserts custom code that detects a login action. When the user logs in, a one-time token may be provided to auto-fill the username and password field. When the user submits the form, the PAE provides the actual credentials to the web service. The PAE may also provide authentication via authentication headers.

Abstract: Particular embodiments described herein provide for a network element that can be configured to receive, from an electronic device, a request to access a network service. In response to the request, the network element can send data related to the network service to the electronic device and add a test link to the data related to the network service. The network element can also be configured to determine if the test link was successfully executed and classify the electronic device as untrusted if the test link was not successfully executed.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a performance monitoring unit (PMU); and one or more tangible, non-transitory computer-readable mediums having stored thereon executable instructions to provide a kernel space threat detection engine to: receive a PMU event; correlate the PMU event to a computer security threat including extracting artifacts from the PMU event, and correlating the artifacts to an artifact profile for a known attack; and identify a process associated with the PMU event as a potential attack.

Abstract: There is disclosed in one example a computing apparatus, including: a processor and a memory; a network interface to communicatively couple to a backup client; a storage to receive backup data from the client, including a plurality of versions and an associated reputation for each version, the associated reputation to indicate a probability that the version is valid; and instructions encoded within the memory to instruct the processor to: receive from the backup client a request to store a new version of the backup data; determine that the client has exceeded a backup threshold; identify a backup version having a lowest reputation for validity; and expunge the backup version having the lowest reputation for validity.

Abstract: A system for securing electronic devices includes a processor, a storage medium communicatively coupled to the processor, and a monitoring application comprising computer-executable instructions on the medium. The instructions are readable by the processor. The monitoring application is configured to receive an indication that a client has been affected by malware, cause the client to boot from a trusted operating system image, cause a launch of a secured security application on the client from a trusted application image, and analyze a malware status of the client through the secured security application.

Abstract: Technologies for detecting unauthorized memory accesses include a computing device with a processor having transactional memory support. The computing device executes a security assistance thread that starts a transaction using the transactional memory support. Within the transaction, the security assistance thread writes arbitrary data to one or more monitored memory locations. The security assistance thread waits without committing the transaction. The security assistance thread may loop endlessly. The transactional memory support of the computing device detects a transactional abort caused by an external read of the monitored memory location. The computing device analyzes the transactional abort and determines whether a security event has occurred. The computing device performs a security response if a security event has occurred.

Abstract: Systems, devices and methods are disclosed to assist in configuring devices and policies to protect a regional network (e.g., home network) and its users. Users on the network are monitored to determine appropriate configuration settings and preferences by utilizing a combination of internally configured information and externally gathered information for each user. For example, externally gathered information may include information obtained about a user from one or more social media Internet sites. Automatically obtained information may be used to provide or augment policy information such that a user's preference relative to internet content (e.g., content blocking software configuration) may be achieved without requiring an administrator to individually prepare each users security profile and configuration.

Abstract: A safety event is determined as affecting a user based at least in part context data collected at a user device associated with the user. In some aspects, context data is detected from sensors on the client device, the context data describing a present context of the user. A deviation of the present context from a historical context is determined to be beyond a threshold. Determining that the deviation is beyond the threshold can be determined to correspond to a safety event potentially jeopardizing safety of the user. In some aspects, an action can be launched in response to determining the safety event.

Abstract: The present disclosure relates to a system and method for performing anti-malware scanning of data files that is data-centric rather than device-centric. In the example, a plurality of computing devices are connected via a network. An originating device creates or first receives data, and scans the data for malware. After scanning the data, the originating device creates and attaches to the data a metadata record including the results of the malware scan. The originating device may also scan the data for malware contextually-relevant to a second device.