Abstract: Methods, apparatus, systems and articles of manufacture to detect phishing websites are disclosed. An example apparatus includes a plurality of website analyzers to analyze a requested website for evidence of a phishing attack, the plurality of website analyzers including a first website analyzer and a second website analyzer. An analysis selector is to select the first website analyzer for execution, the analysis selector to, in response to determining that an additional analyzer is to be executed, select the second website analyzer to analyze the requested website. A website classifier is to, in response to a website analyzer indicating a classification that exceeds a confidence threshold, classify the requested website as a benign site or presenting a phishing attack.

Abstract: Pairing of an external device using a random user action is disclosed herein. An example method includes restricting the external device from accessing a resource. A user input receivable from the external device is identified based on a type of the external device, the user input not included in a list of previously generated user actions. In response to receipt of the user input from the external device within a threshold time period, the external device is authorized to access the resource.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor, a memory, and a network interface; and instructions encoded within the memory to instruct the processor to: receive an incoming packet via the network interface; extract from the incoming packet a source port and a source internet protocol (IP) address; correlate the source port and source IP to a device identifier (ID); receive a network policy for the device ID; and apply the network policy to the incoming packet.

Abstract: A technique for collecting and using signal reputation data, comprising obtaining a plurality of signal reputation data corresponding to a plurality of locations, categorizing the signal reputation data into groups, calculating signal circles for at least some of the groups based on a representative signal value for the corresponding group, calculating a signal reputation score for each signal circle, determining a best signal circle for a user mobile device within a predetermined distance of dead zones, and sending the best signal circle to the user mobile device based at least in part on the signal reputation score and a location of the user mobile device. In some embodiments, the technique may include some but not all of these actions and additional actions, such as suspending obtaining signal reputation data based on battery status.

Abstract: A technique allows a smart meter to receive a mask. The smart meter may receive the mask from a utility company or an escrow service. The smart meter may apply the mask to original metered data on a continuous schedule, on a periodic schedule, or on a determined schedule, or on a randomized schedule to conceal the original metered data. The smart meter may apply different masks at different times. The smart meter transmits the concealed metered data as augmented metered data remotely to an electric utility via a communication network.

Abstract: Methods, apparatus, systems and articles of manufacture to defend against adversarial machine learning are disclosed. An example apparatus includes memory; computer readable instructions; and processor circuitry to execute the computer readable instructions to: generate a first output indicating a feature that contributed to the generation of a classification by a machine learning model; compare the first output with a second output generated by a server that trained the machine learning model; and flag the machine learning model as corresponding to at least one of model drift or an adversarial attack when first output differs from the second output by more than a threshold.

Abstract: Methods, apparatus, systems and articles of manufacture for communicating encrypted data via a virtual private network are disclosed. An example computer system disclosed herein includes a memory including instructions that, when executed, cause one or more processors to establish a first tunnel and a second tunnel between a VPN client and a VPN server. The instructions further cause the one or more processors to access a request message to be sent via the VPN and determine, in response to a payload being formatted using a first protocol, whether a packet associated with the request message includes an encrypted server name indication (SNI). The instructions further cause the one or more processors to, in response to the packet including the encrypted SNI, encrypt the header of the request message to form an encrypted header, create an encrypted message including the encrypted header and the payload of the request message, and transmit the encrypted message through the first tunnel.

Abstract: Computing platform security methods and apparatus are disclosed. An example apparatus includes a graphics processor; and a graphics driver to facilitate access to the graphics processor, the graphics driver including: an authenticator to establish a trusted channel between the graphics driver and an application driver via mutual authentication of the graphics driver and the application driver; an offloader to offload a computing task to the graphics processor via the trusted channel, the computing task associated with the application driver; and a hypervisor to monitor memory associated with the offloaded computing task for an unauthorized access attempt.

Abstract: Methods, systems, and media for detecting malicious activity from user devices are provided. In some embodiments, a method for detecting malicious activity from user devices is provided, the method comprising: receiving information indicating a requested connection to a destination by a first user device; adding the received information to information received from a plurality of user devices to generate aggregated connection information; determining that the requested connection to the destination by the first user device is part of an attack, wherein determining that the requested connection to the destination by the first user device is part of the attack on the destination comprises determining that more than a predetermined percentage of user devices have requested connections to the destination; receiving information indicating a requested connection to the destination by a second user device; and causing the connection to the destination by the second user device to be blocked.

Abstract: Technologies for a distributed Internet of Things (IoT) system including a plurality of IoT devices are disclosed. An example first Internet of Things (IoT) device includes at least one processor to execute instructions to access a first message transmitted by a second IoT device, the first IoT device and second IoT device communicatively coupled via a direct communication, identify that the first message is indicative of an administrative event, the administrative event associated with a function of one or more of the first IoT device or the second IoT device, update a status of a system of IoT devices based on the administrative event, the system of IoT devices including the first IoT device and the second IoT device, and send a second message indicative of the administrative event to a universal bus.

Abstract: Example methods, apparatus, systems and articles of manufacture to implement cooperative mitigation of distributed denial of service attacks originating in local networks are disclosed. An example network element disclosed herein is to detect a first distributed denial of service attack associated with first network traffic received by an Internet service provider network, the first network traffic originating from a first device connected to a local network. The disclosed example network element is also to implement a threat signaling client to transmit first information describing the first distributed denial of service attack to a threat signaling server implemented by a local network router of the local network, and receive second information from the threat signaling server of the local network, the second information to provide a notification when the first network traffic associated with the first distributed denial of service attack has been mitigated.

Abstract: Mechanisms for analyzing a structured file for malicious content are provided, comprising: parsing the structured file into a plurality of portions; selecting a selected portion of the portions; checking the selected portion to determine if at least one pre-condition is met; and in response to determining that the at least one pre-condition is met: decoding the selected portion to form a decoded portion; and checking the decoded portion to determine if it is malicious. In some embodiments: the at least one pre-condition can be changed; the structured file is a MICROSOFT OFFICE XML file; the selected portion is a file; the at least one pre-condition checks at least one attribute of the selected portion; decoding the selected portion comprises decompressing the selected portion; and/or checking the decoded portion to determine if it is malicious comprises checking whether a previously decoded portion of the structure file meets at least one condition.

Abstract: There is disclosed in one example a computing apparatus, including: a processor and a memory; a data store having stored thereon trained models MGLOBAL and MENT, wherein model MGLOBAL includes a clustering model of proximity and prevalence of a first body of computing objects, and MENT includes a clustering model of proximity and prevalence of a second body of computing object; and instructions encoded within the memory to instruct the processor to: receive an object under analysis; apply a machine learning model to compute a global variance score between the object under analysis and MGLOBAL; apply the machine learning model to compute an enterprise variance score between the object under analysis and MENT; compute from the global variance score and the enterprise variance score a cross-sectional variance score; and assign the object under analysis an analysis priority according to the cross-sectional variance score.

Abstract: Methods, apparatus, systems and articles of manufacture for producing generic Internet Protocol (IP) reputation through cross-protocol analysis are disclosed. An example apparatus includes a data collector to gather a first data set representing IP telemetry data for a first protocol, the data collector to gather a second data set representing IP telemetry data for a second protocol different from the first protocol. A label generator is to generate a training data set based on records in the first data set and the second data set having matching IP addresses, the training data set to include combined label indicating whether each of the respective matching IP addresses is malicious. A model trainer is to train a machine learning model using the training data set. A model executor is to, responsive to a request from a client device, execute the machine learning model to determine whether a requested IP address is malicious.

Abstract: An apparatus, related devices and methods, having a memory element operable to store instructions; and a processor operable to execute the instructions, such that the apparatus is configured to identify, on an electronic device, a phone number of an incoming caller device; request, via an out-of-band control channel, a digital certificate for the phone number from the incoming caller device; receive, via the out-of-band control channel, the digital certificate for the phone number from the incoming caller device; determine whether the digital certificate for the phone number is authentic; and indicate, on the electronic device, based on a determination that the digital certificate for the phone number is authentic or not authentic, whether the phone number is authentic or not authentic.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to detect deepfake content. An example apparatus to determine whether input media is authentic includes a classifier to generate a first probability based on a first output of a local binary model manager, a second probability based on a second output of a filter model manager, and a third probability based on a third output of an image quality assessor, a score analyzer to obtain the first, second, and third probabilities from the classifier, and in response to obtaining a first result and a second result, generate a score indicative of whether the input media is authentic based on the first result, the second result, the first probability, the second probability, and the third probability.

Abstract: There is disclosed in one example a method of detecting computer malware, including: receiving a binary object for analysis; allocating the binary object to a sandbox; within the sandbox, loading the binary object into an executable memory region; performing a memory dump of the executable memory region; and analyzing the memory dump for malware characteristics.

Abstract: Methods, systems, and media for dynamically separating Internet of Things (IoT) devices in a network are provided. In accordance with some embodiments of the disclosed subject matter, a method for dynamically separating IoT devices in a network is provided, the method comprising: detecting a first IoT device in the network; monitoring network communication of the first IoT device; determining device information of the first IoT device based on the monitored network communication; and causing the first IoT device to communicate on a first subnet of a plurality of subnets in the network based on the device information.

Abstract: A non-transitory computer readable medium includes computer executable instructions that, when executed, cause at least one processor to train a model to perform at least one of a prediction operation, a diagnostic operation, or a classification operation based on a training dataset, deploy the model in a production computer system to perform the at least one operation on field data, monitor signal data associated with the model, the signal data including specific or derived signal data representing characteristics of an ecosystem in which the model is deployed and new observations in incoming field data, monitor accuracy of the model by applying a statistical tool to a plurality of data points of the signal data, apply a secondary machine learning predictive engine to the plurality of data points of the signal data to predict future data points of the signal data, determine whether the signal data represents an unstable process by identifying future outlier data points from among the plurality of future data

Abstract: Methods, apparatus, systems and articles of manufacture to create malware detection rules are disclosed. An example apparatus includes a rule generator to generate an augmented rule set based on a first training data set. A matrix generator is to create a matrix using the augmented rule set and a second training data set. A rule regulator to apply regularization to the augmented rule set based on the matrix to remove any number of rules from the augmented rule set, the rule regulator to create a reduced rule set. A reduced rule set checker to validate the reduced rule set.