Abstract: There is disclosed in one example a gateway apparatus, including: a hardware platform including a processor and a memory; and instructions stored within the memory to instruct the processor to: provide a domain name system (DNS) server, the DNS server to provide an encrypted DNS service, and to cache resolved domain names; receive an outgoing network packet; determine a destination address of the outgoing network packet; and upon determining that the destination address was not cached, apply a security policy.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a network interface; an operating system including a native internet protocol (IP) stack; and a security agent, including instructions encoded within the memory to instruct the processor to: establish a split virtual private network (VPN) tunnel with a remote VPN service; receive outgoing network traffic; direct a first portion of the outgoing traffic to the VPN tunnel, including determining that the first portion includes an outgoing domain name service (DNS) request; and direct a second portion of the outgoing traffic to the native IP stack.

Abstract: Methods, systems, and media for protected near-field communications are provided. In some embodiments, the method comprises: receiving, from an NFC tag device, a request for an NFC reader device identifier (ID); transmitting the NFC reader device ID to the NFC tag device; receiving an NFC tag device ID; determining whether the NFC tag device ID matches an NFC tag device ID stored in memory of the NFC reader device; in response to determining that the NFC tag device ID matches the NFC tag device ID, transmitting a password to the NFC tag device; receiving, from the NFC tag device, a shared secret; determining whether the received shared secret matches a shared secret stored in the memory of the NFC reader device; and in response to determining that the received shared secret matches the shared secret, causing an action to be performed by a device associated with the NFC reader device.

Abstract: Example apparatus to process an electronic communication includes a trusted communication identifier including a contact identifier to compare sender information from the electronic communication to contact information from a contact datastore, determine that a communication has not previously been sent from a recipient of the electronic communication to the sender of the electronic communication when the sender information from the electronic communication is not found in the contact datastore, and in response to determining that the communication has not been previously sent, provide an alert message that the sender information from the electronic communication is unknown. The trusted communication identifier further including a user action determiner to store the sender information from the electronic communication in the contact datastore when a response to the electronic communication has been sent.

Abstract: An apparatus, including systems and methods, for classifying, mapping, and predicting cybercriminal activity is disclosed herein. For example, in some embodiments, an apparatus is configured to: receive cybercriminal communication (CCC) data of postings from a source forum; identify, classify, and rank a threat topic for each posting; identify a first subset of postings that includes postings assigned the threat topic classification with the greatest threat topic rank; for each posting of the first subset of postings: identify and rank the threat actor; identify a second subset of postings that includes postings associated with the threat actor assigned the greatest threat actor rank; and send, to a cybersecurity data exchange module, the CCC data of the second subset of postings and associated enriched data including the source forum, the threat topic classifications, the threat actor, the threat actor rank, or the other threat actors that mentioned the threat actor.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to analyze network traffic for malicious activity. An example apparatus includes a graph generator to, in response to obtaining one or more internet protocol addresses included within input data, generate a graph data structure based on one or more features of the one or more internet protocol addresses in the input data, a file generator to generate a first matrix using the graph data structure, the first matrix to represent nodes in the graph data structure and generate a second matrix using the graph data structure, the second matrix to represent edges in the graph data structure, and a classifier to, using the first matrix and the second matrix, classify at least one of the one or more internet protocol addresses to identify a reputation of the at least one of the one or more internet protocol addresses.

Abstract: An apparatus, including systems and methods, for detecting ransomware is disclosed herein. For example, in some embodiments, an apparatus includes a memory element operable to store instructions; and a processor operable to execute the instructions, such that the apparatus is configured to receive data identifying a process and a plurality of files accessed by the process; identify an access indicator associated with each of the plurality of files accessed by the process, wherein the access indicator includes file type; determine whether the access indicator exceeds a threshold; interrupt, based on a determination that the access indicator exceeds a threshold, the process; and prompt a user to allow or disallow the process to proceed.

Abstract: A computing apparatus, including: a hardware platform including a processor circuit and a memory; and instructions encoded within the memory to instruct the processor circuit to: extract human readable text from a plurality of known websites, the known websites having known classifiers; apply a MinHash algorithm to respective human readable text of the known websites; generate a plurality of different locality sensitive hashing (LSH) indexes for the respective websites; extract human readable text from a test website; apply the MinHash algorithm to the human readable text of the test website to provide a MinHash of the test website; query the plurality of different LSH indexes with the MinHash of the test website; and according to a result of the query, assign a category the test website, wherein the category matches a known category of at least one of the plurality of known website found to have a containment with the test website above a threshold.

Abstract: There is disclosed herein a computing apparatus having a hardware platform, including a processor circuit and a memory; a web-enabled application; and stored instructions within the memory to instruct the processor circuit to: determine that an input field of the web-enabled application has requested a password or personal data from a user; receive an input value; apply a deterministic function to the input value to create an obfuscated value; and provide the obfuscated value as an input to the input field.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; and instructions encoded within the memory to instruct the processor to: receive a client event report, the client event report including an operating system event trace for an attempt to exploit a patched vulnerability, and first feature data for a malware object that made the attempt; receive second feature data for an unknown object; compare the first feature data to the second feature data; and if the second feature data match the first feature data above a threshold, convict the unknown object as malware.

Abstract: There is disclosed in one example a computer-implemented method of detecting a statistically-significant security event and automating a response thereto, including: querying, or causing to be queried, a security intelligence database for sector-wise historical norms for an indicator of compromise (IoC); obtaining sector-wise expected prevalence data for the IoC; receiving observed sector-wise prevalence data for the IoC; computing a first test statistic from a goodness-of-fit test between the observed and expected prevalences; from the observed sector-wise prevalence data, computing a second test statistic from a difference between a highest prevalence and a next-highest prevalence; computing a third test statistic from a difference between the observed prevalence of a highest prevalence sector and the expected prevalence for the highest prevalence sector; selecting a least significant statistic from among the first, second, and third test statistics; and determining from the least significant statistic whet

Abstract: A computing apparatus includes a hardware platform having a processor circuit and a memory; a network interface; and instructions encoded within the memory to instruct the processor circuit to: extract data from an object under analysis; compute a partial match value according to a partial match algorithm of the extracted data; send the partial match value to a remote service via the network interface; receive from the remote service, via the network interface, a list of candidate signatures that correspond to the partial match value, wherein the candidate signatures are a superset of true matches to the object under analysis; compare the object under analysis to the candidate signatures; and if the compare identifies one or more matching signature, classify the object under analysis as belonging to a same class as at least one second object that is a source of a matching signature.

Abstract: Mechanisms (which can include systems, methods, and media) for securing connections to IoT devices are provided. In some embodiments, systems for securing connections to Internet of Things (IoT) devices are provided, the systems comprising: a memory; and a hardware processor coupled to the memory and configured to: receive first inbound traffic at a router from a wide area network (WAN), wherein the first inbound traffic is destined for a first IoT device; block the first inbound traffic at the router; notify a server on the WAN that the first inbound traffic has been blocked; receive instructions from the server indicating to unblock the first inbound traffic; and unblock the first inbound traffic.

Abstract: Methods, apparatus, systems and articles of manufacture to classify a first file are disclosed herein. Example apparatus include a feature hash generator to generate respective sets of one or more feature hashes for respective features of the first file. The number of the one or more feature hashes to be generated is based on an ability of the feature to distinguish the first file from a second file. The apparatus also includes a bit setter to set respective bits of a first fuzzy hash value based on respective ones of the one or more feature hashes, a classifier to assign the first file to a class associated with a second file based on a similarity between the first fuzzy hash value and a second fuzzy hash value for a second file.

Abstract: Mechanisms, which can include systems, method, and media, for protecting network devices from malicious rich text format (RTF) files are provided, the mechanisms comprising: intercepting an RTF file destined for a network device; parsing the RTF file to identify a plurality of objects in the RTF file; checking a first object of the plurality of objects for a first heuristic; based upon an outcome of the checking of the first object for the first heuristic, increasing a cumulative weight by a first weight value; comparing the cumulative weight against at least one threshold to classify the RTF file; and based on the classification of the RTF file, taking a protective action on the RTF file.

Abstract: A system, method, and computer program product are provided for preventing access to data associated with a data access attempt. In use, a data access attempt associated with a remote data sharing session is identified. Further, access to the data is prevented.

Abstract: There is disclosed in one example a computing apparatus, including: a processor and memory; and instructions encoded within the memory to instruct the processor to: identify a scripted process for security analysis; hook application programming interface (API) calls of the scripted process to determine a plurality of pre-execution parameters and runtime parameters; assign individual scores to the pre-execution parameters and runtime parameters; compute a sum of the individual scores; compare the sum to a threshold; and detect malicious or suspicious activity if the sum is above the threshold.

Abstract: There is disclosed in one example a home router, including: a hardware platform including a processor and a memory; a local area network (LAN) interface; a data store including rules for domain name-based services; and instructions encoded within the memory to instruct the processor to: provision a certificate and key pair to provide domain name system (DNS) over hypertext transfer protocol secure (DoH) or DNS over transport layer security (DoT) services; receive on the LAN interface an encrypted DNS request; decrypt the DNS request; query the data store according to the DNS request; receive a rule for the DNS request; and execute the rule.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to receive data in a data flow, extract a data visa from the data flow, wherein the data visa is related to the data, and determine a reputation of the data from the data visa. The data visa can include reputation determination information obtained by previous network elements in the data flow. In addition, the electronic device can update the data visa, and communicate the updated data visa and data to a next network element in the data flow.

Abstract: A computing apparatus includes a hardware platform comprising a processor and a memory; and instructions encoded within the memory to receive a user-generated comment related to a uniform resource locator (URL); analyze the comment with a trained machine learning (ML) model to determine a user sentiment for the comment; assign a predicted reputation to the URL according to the user sentiment; and use the predicted reputation as an input to an analysis of the URL.