Abstract: A computing apparatus includes a hardware platform having a processor and a memory; an operating system (OS) having a GUI with a user-initiatable share function, and an interface to register a share target for the share function; and instructions encoded within the memory to provide a security agent, the instructions to instruct the processor to: receive from the OS a notification that an object has been shared to the security agent via the share function; responsive to the notification, initiate a security scan or reputation action for the shared object; receive a security or reputation response from the security scan or reputation action; and based at least in part on the security scan or reputation response, display a security or reputation notification via the GUI.

Abstract: Methods, apparatus, systems, and articles of manufacture for detecting anomalous activity of an IoT device are disclosed. An example apparatus includes a communications aggregator to aggregate communications from a device communicating via a communications interface, a statistical property extractor to extract statistical properties of the aggregated communications, an image generator to generate an image based on the extracted statistical properties, a persona identifier to identify a persona associated with the device, and a machine learning model trainer to train a machine learning model using the generated image and the persona.

Abstract: A method including receiving a feature vector of an unknown sample, computing a MinHash of the unknown sample based on Jaccard-compatible features, querying a Locality Sensitive Hashing forest of known samples with the MinHash of the unknown sample to identify a first subset of known samples that are similar to the unknown sample, receiving for each individual known sample in the first subset, a feature vector including non-Jaccard distance-compatible features, computing a first sub-distance and a second sub-distance between the unknown sample and the known samples in the first subset, calculating a total distance for each known sample in the first subset by combining the first and the second sub-distances, identifying, based on the calculated total distances, a second subset of known samples that are most similar to the unknown sample, and classifying the unknown sample based on the second subset.

Abstract: A method for increasing scalability of asynchronous data processing includes interpreting a computer program for reading data from an input data stream, wherein the input data stream is defined in the program as an object having a function for obtaining more data from the input data stream; determining that additional data from the input data stream is required to continue execution of the function in a thread of the interpreted computer program; suspending execution of the thread responsive to a determination that the additional data is unavailable; saving a state information for the suspended thread, wherein the saved state information includes information to allow resumption of the suspended thread; generating an event indication upon availability of at least some of the additional data; and resuming execution of the suspended thread of execution and providing the additional data as a result of the function.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a transceiver; a local user display; and instructions encoded within the memory to instruct the processor to: locate via the transceiver at least one nearby device; receive observational profile information for the nearby device; and display on the local user display information about the nearby device's observation abilities.

Abstract: An apparatus, related devices and methods, having a memory element operable to store instructions; and a processor operable to execute the instructions, such that the apparatus is configured to identify sensitive user data stored in the memory by a first application, determine a risk exposure score for the sensitive user data, apply, based on a determination that the risk exposure score is above a threshold, a security policy to restrict access to the sensitive user data, receive a request from a second application to access the sensitive user data, determine whether the first application and the second application are similar applications, and allow access based on a determination that the first application and the second application are similar applications.

Abstract: An apparatus, related devices and methods, having a memory element operable to store instructions; and a processor operable to execute the instructions, such that the apparatus is configured to determine, based on operating system workload demands, whether a high-demand application is running and, based on a determination that a high-demand application is running, apply an optimization policy that modifies a security application, wherein the optimization policy modification includes reducing a protection applied by the security application.

Abstract: An apparatus, related devices and methods, having memory to store instructions; and a processor to execute the instructions, and the apparatus is configured to receive, by a remote browser isolation (RBI) proxy from a client device, a transfer request to send data to a destination application, wherein the client device is running an RBI agent and includes a Data Loss Prevention endpoint (DLPe) module, and wherein communications between the client device and the destination application are routed through the RBI proxy; receive a plurality of inputs to the client device associated with the transfer request; create a submission request that includes the plurality of inputs and metadata; send the submission request to the DLPe module; receive a response from the DLPe module, wherein the response includes an instruction to allow, to disallow, or to amend and allow the submission request; and process the submission request according to the instruction.

Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed that improve detection of malware based on ecosystem specific data. An example apparatus includes a feedback weight controller to apply, with a machine learning model, a weight to feedback associated with a sample, the feedback obtained from at least a customer ecosystem and including endpoint feedback, human feedback, infrastructure feedback, and global feedback; and a sample conviction controller to, in response to a score based on the weighted feedback satisfying a threshold for a classification, indicate to a user, with the machine learning model, that the classification for the sample is malicious.

Abstract: Disclosed examples include during basic discovery, provide information from a local device to a first remote trusted device, the information to indicate the local device supports trusted discovery and to establish the local device as a second remote trusted device; during the trusted discovery, access, by the local device, a trusted discovery message received from the first remote trusted device; in response to verifying security credentials identified in the trusted discovery message for the first remote trusted device: add the first remote trusted device to a trusted network including the local device; and index, by the local device, a first service hosted by the first remote trusted device in a registry, the registry to identify second services available to the local device and corresponding locations of the second services.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to detect an attack in an input file. An example apparatus includes a detection controller to identify a section of a number of bytes of data in a buffer including a first or second byte of data indicative of a value within a preconfigured range, the preconfigured range corresponding to a range of values indicative of memory addresses, update a merged list with a chunk of data that includes the section having the first or second byte of data indicative of the value within the preconfigured range, and a reoccurrence detector to concatenate the chunk of data in the merged list into a string to identify a number of occurrences the string matches remaining data in the buffer, and in response to a detection of the number of occurrences exceeding an occurrence threshold, determine that the data includes a malicious data stream.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed for classification of unknown samples using agglomerative clustering.

Abstract: A technique for detecting malware involves loading known malware information, finding a string in the known malware information, saving the string in a first database, identifying a first contiguous string block from the known malware information, assigning a confidence indicator to the first contiguous string block, attempting to find the first contiguous string block in a second database containing one or more contiguous string blocks extracted from known malware, and responsive to a determination the first contiguous string block meets a predetermined threshold of similarity with a second contiguous string block contained in the second database, labelling the first contiguous string block.

Abstract: An apparatus, related devices and methods, having a memory element operable to store instructions; and a processor operable to execute the instructions, such that the apparatus is configured to identify, on an electronic device, a phone number of an incoming caller device; request, via an out-of-band control channel, a digital certificate for the phone number from the incoming caller device; receive, via the out-of-band control channel, the digital certificate for the phone number from the incoming caller device; determine whether the digital certificate for the phone number is authentic; and indicate, on the electronic device, based on a determination that the digital certificate for the phone number is authentic or not authentic, whether the phone number is authentic or not authentic.

Abstract: An apparatus for detecting a phishing website based on website icons is disclosed. A disclosed example apparatus includes a parser to locate a first website icon corresponding to a first website, an icon hasher to generate a first hash of the first website icon, and a hash checker to determine whether the first hash matches a second hash of a second website icon corresponding to a second website in an icon hash database, the hash checker to, in response to the first hash matching the second hash, determine whether a first portion of a first Uniform Resource Locator (URL) corresponding to the first website matches a second portion of a second URL corresponding to the second website, the hash checker to, in response to the first portion not matching the second portion, identify the first website as a phishing website.

Abstract: A system, method, and computer program product are provided for dynamically configuring a virtual environment for identifying unwanted data. In use, a virtual environment located on a first device is dynamically configured based on at least one property of a second device. Further, unwanted data is identified, utilizing the virtual environment.

Abstract: Methods, apparatus, systems and articles of manufacture to defend against adversarial machine learning are disclosed. An example apparatus includes a model trainer to train a classification model based on files with expected classifications; and a model modifier to select a convolution layer of the trained classification model based on an analysis of the convolution layers of the trained classification model; and replace the convolution layer with a tree-based structure to generate a modified classification model.

Abstract: There is disclosed a method of providing passive phishing remediation for an enterprise, including: displaying, to a user of a mobile device, an email; receiving from the user a one-click request to perform additional analysis of the email; providing the email to a phishing mitigation service; assigning the email a reputation score, generating a human-readable reputation display for the email, wherein the human-readable reputation display includes at least three grades comprising safe, unknown or unreliable, and unsafe or malicious; and providing the human-readable reputation display as a push notification to the mobile device.

Abstract: Example apparatus disclosed herein generate blocks of a blockchain, the blockchain to store a neural network that has input nodes, hidden nodes and output nodes, with respective ones of the blocks of the blockchain including respective code and respective data to represent corresponding ones of the output nodes of the neural network, a first one of the blocks including first code and first data to implement operations to be performed by a first one of the output nodes, the hidden nodes and the input nodes on input data applied to the neural network to determine an output of the first one of the output nodes. Disclosed example apparatus also train the neural network to determine at least portions of the respective data to include in the respective ones of the blocks of the blockchain, and forward the blockchain to a server that is to distribute the neural network to client(s).

Abstract: A computing includes a hardware platform having a processor and a memory; and instructions encoded within the memory to instruct the processor to: on behalf of a human user, scan a social media platform for which the user has an account, and compute a proactive privacy risk score, wherein the proactive privacy risk score is a quantitative value based at least in part on an inherent risk of the social media platform according to data types that may be collected and exposed by the social media platform, and at least in part on privacy settings for the social media platform in relation to the data types; and recommend or initiate an action to improve the proactive privacy risk score.