Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to detect deepfake content. An example apparatus to determine whether input media is authentic includes a classifier to generate a first probability based on a first output of a local binary model manager, a second probability based on a second output of a filter model manager, and a third probability based on a third output of an image quality assessor, a score analyzer to obtain the first, second, and third probabilities from the classifier, and in response to obtaining a first result and a second result, generate a score indicative of whether the input media is authentic based on the first result, the second result, the first probability, the second probability, and the third probability.

Abstract: Methods, systems, and media for dynamically separating Internet of Things (IoT) devices in a network are provided. In accordance with some embodiments of the disclosed subject matter, a method for dynamically separating IoT devices in a network is provided, the method comprising: detecting a first IoT device in the network; monitoring network communication of the first IoT device; determining device information of the first IoT device based on the monitored network communication; and causing the first IoT device to communicate on a first subnet of a plurality of subnets in the network based on the device information.

Abstract: There is disclosed in one example a method of detecting computer malware, including: receiving a binary object for analysis; allocating the binary object to a sandbox; within the sandbox, loading the binary object into an executable memory region; performing a memory dump of the executable memory region; and analyzing the memory dump for malware characteristics.

Abstract: Methods, apparatus, systems and articles of manufacture to create malware detection rules are disclosed. An example apparatus includes a rule generator to generate an augmented rule set based on a first training data set. A matrix generator is to create a matrix using the augmented rule set and a second training data set. A rule regulator to apply regularization to the augmented rule set based on the matrix to remove any number of rules from the augmented rule set, the rule regulator to create a reduced rule set. A reduced rule set checker to validate the reduced rule set.

Abstract: A non-transitory computer readable medium includes computer executable instructions that, when executed, cause at least one processor to train a model to perform at least one of a prediction operation, a diagnostic operation, or a classification operation based on a training dataset, deploy the model in a production computer system to perform the at least one operation on field data, monitor signal data associated with the model, the signal data including specific or derived signal data representing characteristics of an ecosystem in which the model is deployed and new observations in incoming field data, monitor accuracy of the model by applying a statistical tool to a plurality of data points of the signal data, apply a secondary machine learning predictive engine to the plurality of data points of the signal data to predict future data points of the signal data, determine whether the signal data represents an unstable process by identifying future outlier data points from among the plurality of future data

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a network interface; an operating system including a native internet protocol (IP) stack; and a security agent, including instructions encoded within the memory to instruct the processor to: establish a split virtual private network (VPN) tunnel with a remote VPN service; receive outgoing network traffic; direct a first portion of the outgoing traffic to the VPN tunnel, including determining that the first portion includes an outgoing domain name service (DNS) request; and direct a second portion of the outgoing traffic to the native IP stack.

Abstract: There is disclosed in one example a gateway apparatus, including: a hardware platform including a processor and a memory; and instructions stored within the memory to instruct the processor to: provide a domain name system (DNS) server, the DNS server to provide an encrypted DNS service, and to cache resolved domain names; receive an outgoing network packet; determine a destination address of the outgoing network packet; and upon determining that the destination address was not cached, apply a security policy.

Abstract: Methods, systems, and media for protected near-field communications are provided. In some embodiments, the method comprises: receiving, from an NFC tag device, a request for an NFC reader device identifier (ID); transmitting the NFC reader device ID to the NFC tag device; receiving an NFC tag device ID; determining whether the NFC tag device ID matches an NFC tag device ID stored in memory of the NFC reader device; in response to determining that the NFC tag device ID matches the NFC tag device ID, transmitting a password to the NFC tag device; receiving, from the NFC tag device, a shared secret; determining whether the received shared secret matches a shared secret stored in the memory of the NFC reader device; and in response to determining that the received shared secret matches the shared secret, causing an action to be performed by a device associated with the NFC reader device.

Abstract: Example apparatus to process an electronic communication includes a trusted communication identifier including a contact identifier to compare sender information from the electronic communication to contact information from a contact datastore, determine that a communication has not previously been sent from a recipient of the electronic communication to the sender of the electronic communication when the sender information from the electronic communication is not found in the contact datastore, and in response to determining that the communication has not been previously sent, provide an alert message that the sender information from the electronic communication is unknown. The trusted communication identifier further including a user action determiner to store the sender information from the electronic communication in the contact datastore when a response to the electronic communication has been sent.

Abstract: An apparatus, including systems and methods, for classifying, mapping, and predicting cybercriminal activity is disclosed herein. For example, in some embodiments, an apparatus is configured to: receive cybercriminal communication (CCC) data of postings from a source forum; identify, classify, and rank a threat topic for each posting; identify a first subset of postings that includes postings assigned the threat topic classification with the greatest threat topic rank; for each posting of the first subset of postings: identify and rank the threat actor; identify a second subset of postings that includes postings associated with the threat actor assigned the greatest threat actor rank; and send, to a cybersecurity data exchange module, the CCC data of the second subset of postings and associated enriched data including the source forum, the threat topic classifications, the threat actor, the threat actor rank, or the other threat actors that mentioned the threat actor.

Abstract: An apparatus, including systems and methods, for detecting ransomware is disclosed herein. For example, in some embodiments, an apparatus includes a memory element operable to store instructions; and a processor operable to execute the instructions, such that the apparatus is configured to receive data identifying a process and a plurality of files accessed by the process; identify an access indicator associated with each of the plurality of files accessed by the process, wherein the access indicator includes file type; determine whether the access indicator exceeds a threshold; interrupt, based on a determination that the access indicator exceeds a threshold, the process; and prompt a user to allow or disallow the process to proceed.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to analyze network traffic for malicious activity. An example apparatus includes a graph generator to, in response to obtaining one or more internet protocol addresses included within input data, generate a graph data structure based on one or more features of the one or more internet protocol addresses in the input data, a file generator to generate a first matrix using the graph data structure, the first matrix to represent nodes in the graph data structure and generate a second matrix using the graph data structure, the second matrix to represent edges in the graph data structure, and a classifier to, using the first matrix and the second matrix, classify at least one of the one or more internet protocol addresses to identify a reputation of the at least one of the one or more internet protocol addresses.

Abstract: A computing apparatus, including: a hardware platform including a processor circuit and a memory; and instructions encoded within the memory to instruct the processor circuit to: extract human readable text from a plurality of known websites, the known websites having known classifiers; apply a MinHash algorithm to respective human readable text of the known websites; generate a plurality of different locality sensitive hashing (LSH) indexes for the respective websites; extract human readable text from a test website; apply the MinHash algorithm to the human readable text of the test website to provide a MinHash of the test website; query the plurality of different LSH indexes with the MinHash of the test website; and according to a result of the query, assign a category the test website, wherein the category matches a known category of at least one of the plurality of known website found to have a containment with the test website above a threshold.

Abstract: There is disclosed herein a computing apparatus having a hardware platform, including a processor circuit and a memory; a web-enabled application; and stored instructions within the memory to instruct the processor circuit to: determine that an input field of the web-enabled application has requested a password or personal data from a user; receive an input value; apply a deterministic function to the input value to create an obfuscated value; and provide the obfuscated value as an input to the input field.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; and instructions encoded within the memory to instruct the processor to: receive a client event report, the client event report including an operating system event trace for an attempt to exploit a patched vulnerability, and first feature data for a malware object that made the attempt; receive second feature data for an unknown object; compare the first feature data to the second feature data; and if the second feature data match the first feature data above a threshold, convict the unknown object as malware.

Abstract: There is disclosed in one example a computer-implemented method of detecting a statistically-significant security event and automating a response thereto, including: querying, or causing to be queried, a security intelligence database for sector-wise historical norms for an indicator of compromise (IoC); obtaining sector-wise expected prevalence data for the IoC; receiving observed sector-wise prevalence data for the IoC; computing a first test statistic from a goodness-of-fit test between the observed and expected prevalences; from the observed sector-wise prevalence data, computing a second test statistic from a difference between a highest prevalence and a next-highest prevalence; computing a third test statistic from a difference between the observed prevalence of a highest prevalence sector and the expected prevalence for the highest prevalence sector; selecting a least significant statistic from among the first, second, and third test statistics; and determining from the least significant statistic whet

Abstract: A computing apparatus includes a hardware platform having a processor circuit and a memory; a network interface; and instructions encoded within the memory to instruct the processor circuit to: extract data from an object under analysis; compute a partial match value according to a partial match algorithm of the extracted data; send the partial match value to a remote service via the network interface; receive from the remote service, via the network interface, a list of candidate signatures that correspond to the partial match value, wherein the candidate signatures are a superset of true matches to the object under analysis; compare the object under analysis to the candidate signatures; and if the compare identifies one or more matching signature, classify the object under analysis as belonging to a same class as at least one second object that is a source of a matching signature.

Abstract: Mechanisms (which can include systems, methods, and media) for securing connections to IoT devices are provided. In some embodiments, systems for securing connections to Internet of Things (IoT) devices are provided, the systems comprising: a memory; and a hardware processor coupled to the memory and configured to: receive first inbound traffic at a router from a wide area network (WAN), wherein the first inbound traffic is destined for a first IoT device; block the first inbound traffic at the router; notify a server on the WAN that the first inbound traffic has been blocked; receive instructions from the server indicating to unblock the first inbound traffic; and unblock the first inbound traffic.

Abstract: Methods, apparatus, systems and articles of manufacture to classify a first file are disclosed herein. Example apparatus include a feature hash generator to generate respective sets of one or more feature hashes for respective features of the first file. The number of the one or more feature hashes to be generated is based on an ability of the feature to distinguish the first file from a second file. The apparatus also includes a bit setter to set respective bits of a first fuzzy hash value based on respective ones of the one or more feature hashes, a classifier to assign the first file to a class associated with a second file based on a similarity between the first fuzzy hash value and a second fuzzy hash value for a second file.

Abstract: Mechanisms, which can include systems, method, and media, for protecting network devices from malicious rich text format (RTF) files are provided, the mechanisms comprising: intercepting an RTF file destined for a network device; parsing the RTF file to identify a plurality of objects in the RTF file; checking a first object of the plurality of objects for a first heuristic; based upon an outcome of the checking of the first object for the first heuristic, increasing a cumulative weight by a first weight value; comparing the cumulative weight against at least one threshold to classify the RTF file; and based on the classification of the RTF file, taking a protective action on the RTF file.