Abstract: A method is described. The method includes streaming subject data from a subject repository. The method also includes storing a subject length of the subject data. The method further includes executing a hash function on the subject data to produce a subject hash value. The method additionally includes executing the hash function on content data from a content stream based on the subject length to produce a content hash value. The method also includes detecting whether the content data matches the subject data based on the subject hash value and the content hash value. The method further includes reporting a match detection in response to detecting that the content data matches the subject data.
Type: Grant
Filed: December 15, 2021
Date of Patent: December 31, 2024
Assignee: Stealthbits Technologies LLC
Inventors: Robert Edward Minichino, Michael James Longo, Michael McLean Rubacky
Abstract: A monitoring device is described. The monitoring device includes a processor. The monitoring device also includes memory in electronic communication with the processor. The monitoring device further includes instructions stored in the memory. The instructions are executable to intercept a lightweight directory access protocol (LDAP) search request sent to an LDAP search handler of a security subsystem from a calling device. The LDAP search request includes a query string containing data for a second protocol. The instructions are also executable to generate response data for the second protocol to substitute for a response by the LDAP search handler. The instructions are further executable to send an LDAP search result to the calling device, the LDAP search result comprising the response data for the second protocol.
Type: Grant
Filed: December 20, 2019
Date of Patent: April 19, 2022
Assignee: Stealthbits Technologies LLC
Inventors: Anthony Nicholas Sarra, Alexander Ivash, Alexei Belous, Pavel Shmakov
Abstract: A method is described. The method includes monitoring a request to access one or more files via a shadow copy on a computing device. The method also includes preventing unauthorized access to the shadow copy based on a shadow copy access policy. Monitoring the request to access a shadow copy may include using a filter driver to intercept a request for a previously created shadow copy or a request to create a shadow copy.
Type: Grant
Filed: February 10, 2020
Date of Patent: January 11, 2022
Assignee: Stealthbits Technologies LLC
Inventors: Steve Rellinger, Sean Bergman, Pavel Shmakov
Abstract: Examples of devices and methods for detecting malicious network activity are described. Fake user credentials are saved into memory of a monitored device. The fake user credentials may include a username and a password hash for a nonexistent account. Reconnaissance on the fake user credentials is monitored. A compromised account is detected based on the fake user credential reconnaissance monitoring.
Abstract: A method is described. The method includes generating an access model that simulates a transformation of existing new technology file system (NTFS) permissions for a plurality of shared folders. The method also includes creating permission groups for the plurality of shared folders based on the access model. The method further includes updating the NTFS permissions of the shared folders based on the access model and permission groups.
Type: Grant
Filed: October 18, 2017
Date of Patent: July 13, 2021
Assignee: Stealthbits Technologies LLC
Inventors: Sean Bergman, Kyle Michael Enman, Jeffrey Adam Warren
Abstract: A method is described. The method includes checking a raw event generated by a file system against a set of predicate conditions indicative of a high-level user operation. The method also includes filtering multiple raw events with a finite state machine (FSM) in response to determining that the raw event matches a predicate condition. The method further includes identifying a single high-level event for the high-level user operation based on the multiple raw events filtered by the FSM.