Abstract: The disclosed computer-implemented method for preventing sensitive information exposure based on a surrounding audience may include (1) detecting, from one or more communication devices, surrounding audience data associated with an audience presentation on a presentation device, the audience presentation including sensitive information and non-sensitive information, (2) determining an audience profile based on the surrounding audience data, the audience profile identifying one or more unintended audience members in the surrounding audience, (3) assigning an information exposure policy to the audience presentation based on the audience profile, and (4) performing a security action to enforce the information exposure policy on the presentation device such that the sensitive information is prevented from being exposed to the surrounding audience during the audience presentation. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for controlling access may include (i) installing on a personal mobile device a mobile device application that enforces an authorization security policy for protected premises, (ii) checking, by the mobile device application and in response to installing the mobile device application, whether the personal mobile device satisfies a condition of the authorization security policy, (iii) granting authorization for the personal mobile device to function as an access card based on a result of checking whether the personal mobile device satisfies the condition of the authorization security policy, and (iv) enforcing an additional access security policy on the personal mobile device after granting authorization for the personal mobile device to function as the access card. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A method for detecting and preventing phishing phone calls through verified attribute analysis is described. The method may comprise receiving, by a receiving device, a phone call from a sending device and receiving identification data in parallel with the phone call, the identification data describing context of the phone call. The method may then identify an attribute assertion from the identification data. The attribute assertion may comprise a signed attribute of the phone call and may be signed by a trusted authority. The method may comprise determining content of the phone call, analyzing the content of the phone call against the signed attribute, and performing a defined operation based on a result of the analysis of the content against the signed attribute.

Abstract: The disclosed computer-implemented method for identifying unsolicited communications on a computing device may include a computing device receiving a communication from an unrecognized phone number; obtaining the unrecognized phone number from the communication; obtaining classification data associated with the unrecognized phone number based on categories of other computing devices contacted by the unrecognized phone number; obtaining a category associated with a phone number of the computing device; determining that the communication is an unsolicited communication based on the classification data and the category associated with the phone number of the computing device; and in response to determining that the communication is unsolicited, performing a security action to manage interactions with the communication from the unrecognized phone number. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for detecting unauthorized data shares may include (1) providing a user of an anonymized inbox with an email alias to use for a particular online entity, (2) identifying one or more emails sent to the email alias from one or more different entities that are different from the particular online entity, (3) determining, based on the one or more emails having been sent by the different entities, that the particular online entity has shared the user's email alias with other entities, and (4) creating a privacy score for the particular online entity based at least in part on the determination that the particular online entity has shared the user's email alias with other entities. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for authenticating a multimedia stream may include generating a metadata transcript based on at least a portion of a multimedia stream and digitally signing the metadata transcript. The method may also include transmitting both the digitally signed metadata transcript and the multimedia stream to a recipient device to enable the recipient device to authenticate the multimedia stream. The recipient device may authenticate the multimedia stream based on a comparison of the digitally signed metadata transcript with an observed metadata transcript. The observed metadata transcript may be locally generated by the recipient device based on the multimedia stream. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Thwarting an impersonation attack using online decoy text. In one embodiment, a method may include intercepting first actual text submitted online by a first user, generating decoy text to replace the first actual text, sending the decoy text for posting online, training a machine learning model using the decoy text to make the machine learning model capable of recognizing a decoy language pattern in the decoy text, intercepting second actual text submitted to a web server by a second user purporting to be the first user, determining, using the machine learning model, that a language pattern in the second actual text matches the decoy language pattern in the decoy text, and, in response, determining that the second user is impersonating the first user in an impersonation attack and thwarting the impersonation attack by performing a remedial action at the web server to protect the web server from the impersonation attack.

Abstract: The disclosed computer-implemented method for controlling an application launch based on a security policy may include (1) loading an application launcher into a sandbox, (2) monitoring one or more functions associated with launching an application from the application launcher, (3) determining that the functions associated with launching the application have been invoked by the application launcher, (4) querying a policy manager comprising a security policy to determine whether the application is potentially harmful, and (5) performing, based on the security policy, a security action preventing the application launcher from launching the application from the sandbox upon determining that the application is potentially harmful. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Utility driven graph summarization for use in detecting and preventing malicious computer application. In one embodiment, a method may include receiving a graph comprising a plurality of nodes and a plurality of edges, prioritizing each of the plurality of nodes by way of assigning a relative importance value to each node of the plurality of nodes, combining at least two nodes of the plurality of nodes into a supernode based at least on the relative importance value of each node, calculating a utility penalty value for creating a superedge between the supernode and a node neighboring the supernode, creating the superedge between the supernode and the node neighboring the supernode if the utility penalty value satisfies a pre-determined penalty threshold, calculating a utility level based at least in part on creating the supernode and the superedge, and repeating the method until the calculated utility level satisfies a pre-determined threshold.

Abstract: A computer-implemented method for modifying file backups in response to detecting potential ransomware may include (1) detecting, during a file backup process, an anomaly that is potentially indicative of ransomware on a computing device, (2) in response to detecting the anomaly that is potentially indicative of ransomware, storing a backup copy in a separate location from other backup copies, (3) confirming that the anomaly is indicative of ransomware on the computing device, (4) adjusting a backup policy in response to confirming that the anomaly is indicative of ransomware on the computing device, and (5) managing the backup copy based on the adjusted backup policy. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The content of each specific image file on an endpoint is analyzed. Each analyzed image file is categorized based on the results of analyzing its content. The analysis can be in the form identifying one or more objects graphically represented in given image files, and the categorization of image files can be based on these identified graphically represented object(s). A backup policy is configured to automatically backup specific image files on the endpoint, based on their content as per the categorization. Information concerning the content-based categorization of the image files on the endpoint can be output to a user. In response, directives for backing-up image files according to their content-based categorization can be received from the user. Specific images files are backed-up automatically, regardless of their location on the endpoint, according to the configured backup policy.

Abstract: The disclosed computer-implemented method for categorizing security incidents may include (i) generating, within a training dataset, a feature vector for each of a group of security incidents, the feature vector including features that describe the security incidents and the features including categories that were previously assigned to the security incidents as labels to describe the security incidents, (ii) training a supervised machine learning function on the training dataset such that the supervised machine learning function learns how to predict an assignment of future categories to future security incidents, (iii) assigning a category to a new security incident by applying the supervised machine learning function to a new feature vector that describes the new security incident, and (iv) notifying a client of the new security incident and the category assigned to the new security incident. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for detecting system attacks may include (1) receiving, from a detecting system capable of detecting attacks, information that identifies an attack that originated from a compromised client system that is remote from the detecting system, (2) determining that the attack originated from the compromised client system, (3) determining that the compromised client system includes an anti-malware agent, and (4) notifying the anti-malware agent on the compromised client system that the compromised client system performed the attack. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for enforcing privacy in cloud security may include (i) identifying, by a computing device, a set of files in a backup process for a cloud service, (ii) determining, by the computing device, that at least one file in the set of files is a private file, (iii) modifying, by the computing device encrypting the private file, the set of files in the backup process, (iv) completing the backup process for the cloud service with the modified set of files, and (v) enforcing a security policy of the cloud service based on a scan of file hashes. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for protecting users may include (i) displaying, through a graphical user interface for a third-party security application executing within an operating system environment, a button for a user to select, (ii) displaying, through the graphical user interface, a prompt that prompts the user to select the button in order to receive a reward, (iii) configuring the graphical user interface such that selecting the button triggers both a conspicuous response that provides access to the reward and a more hidden response that initiates application of a security service to protect the user, and (iv) performing, based on receiving a selection of the button, both the conspicuous response and the more hidden response. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Methods and systems for generating limited-use credit card numbers at a consumer device and verifying said numbers for completing transactions are provided. One example method generally includes determining a current time; generating a first series of digits based on the current time and an account credential associated with an account number; combining, by the consumer device, the first series of digits with the account number to form a first card number; and making the first card number available for use.

Abstract: The disclosed computer-implemented method for creating application ratings may include (i) determining that a user device has downloaded an application, (ii) monitoring the usage of the application on the user device, (iii) deducing a value of the application based at least in part on the monitored usage, and (iv) creating a rating for the application that indicates the deduced value of the application. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A method for insider threat detection under user-resource bi-partite graphs is described. A computing device evaluates a bi-partite mapping of a set of users and a set of files, and performs a random-walk procedure initiating from a selected user of the set of users. The computing device computes a probability distribution associated with the access frequency of each alternate user and file of the random-walk procedure, and compares the probability distribution to one or more distributions associated with temporal periods prior to the initiated procedure. Based on the comparison, the computing device identifies points of maximum variance of the distribution. The computing device identifies the files of the set of files and users of the set of users associated with the points of maximum variance and access raw data to identify activity associated with the selected user and the identified resources.

Abstract: The disclosed computer-implemented method for evaluating unfamiliar executables may include (i) identifying, on the computing device, (a) a code object that is generated from source code written in a programming language, that is specified in an intermediate language different from the programming language, and that can be compiled into an executable file by a just-in-time compiler on the computing device and (b) an executable file that lacks an assigned reputation in a reputation system that distinguishes benign and malicious files, (ii) determining that the executable file was produced by the just-in-time compiler compiling the code object on the computing device, (iii) retrieving, from the reputation system, a reputation for the code object, and (iv) performing a security action on the executable file that is based on the reputation of the code object. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Securing a network device from a malicious embedded script hosted on a third-party domain. In one embodiment, a method may include detecting an attempt by a browser executing on a network device to load a webpage that embeds a reference to a script hosted on a third-party domain, compiling a list of domains that host webpages that embed references to the script hosted on the third-party domain, identifying reputation scores for the domains in the list of domains, generating a risk score for the script based on the identified reputation scores, determining that the script is malicious based on the generated risk score being above a threshold risk score, and, in response to determining that the script is malicious, performing a security action on the network device that secures the network device from the malicious script.