Patents Assigned to Symantec Corporation
  • Patent number: 10178223
    Abstract: Detecting a fraudulent subscriber identity module (SIM) swap may be performed by a mobile app executing on a mobile computing device. A network connectivity state is determined for the mobile computing device to a mobile telephony network provided by a mobile network operator. The mobile computing device is associated with a SIM which is associated with the mobile network operator. A signal strength is determined at the mobile computing device of the mobile telephony network provided by the mobile network operator. A likelihood is determined that a SIM swap has taken place involving the SIM based on the signal strength and the network connectivity state. In some embodiments, a probe request is transmitted to a remote server, requesting that the remote server programmatically call the telephone number associated with the SIM to confirm whether the SIM swap has taken place.
    Type: Grant
    Filed: April 30, 2017
    Date of Patent: January 8, 2019
    Assignee: Symantec Corporation
    Inventor: Venkadesan Marimuthu
  • Patent number: 10176325
    Abstract: A system and method for dynamic detection of Command and Control (C&C) malware is provided. The method may include hooking API within an application and analyzing the code of the hooked API using static analysis. The method may further include conducting dynamic analysis; wherein incoming network and file content is collected and data patterns relating to C&C are detected from this content. Using these data patterns, this system may identify C&C URLs and further filter these URLs using C&C behaviors found during the dynamic analysis. For example, the system may detect when the code attempts to communicate with C&C servers or attempts to write to local files, which set up new C&C servers. Filtering of the C&C URLs may include detecting when the C&C URL intercepts an incoming SMS message or transmits a SMS; executes an abortBroadcast; or initiates collection of data leaked through to the network or the SMS.
    Type: Grant
    Filed: June 21, 2016
    Date of Patent: January 8, 2019
    Assignee: SYMANTEC CORPORATION
    Inventors: Zhengqing Hou, Oksoon Jeong
  • Patent number: 10176329
    Abstract: The disclosed computer-implemented method for detecting unknown vulnerabilities in computing processes may include (1) monitoring a computing environment that facilitates execution of a computing process by logging telemetry data related to the computing process while the computing process is running within the computing environment, (2) determining that the computing process crashed while running within the computing environment, (3) searching the telemetry data for evidence of any vulnerabilities that potentially led the computing process to crash while running within the computing environment, (4) identifying, while searching the telemetry data, evidence of at least one vulnerability of the computing process that is not yet known to exist within the computing process and then in response to identifying the evidence of the computing process's vulnerability, (5) performing at least one security action to hinder any potentially malicious exploitation of the computing process's vulnerability.
    Type: Grant
    Filed: August 11, 2015
    Date of Patent: January 8, 2019
    Assignee: Symantec Corporation
    Inventors: Joseph Chen, Rei Kristian Resurreccion
  • Patent number: 10171483
    Abstract: An intrusion device identifies network data to be sent to a destination endpoint and determines a sensitivity level of the destination endpoint based on asset valuation. The intrusion device identifies a subset of signatures that corresponds to the sensitivity level of the destination endpoint and determines whether the network data includes an intrusion based on the subset of signatures.
    Type: Grant
    Filed: August 23, 2013
    Date of Patent: January 1, 2019
    Assignee: Symantec Corporation
    Inventor: Deb Banerjee
  • Patent number: 10169577
    Abstract: The disclosed computer-implemented method for detecting modification attacks on shared physical memory may include (i) identifying a page frame of physical memory that is shared by a plurality of virtual machines, (ii) calculating a first checksum for the page frame, (iii) calculating, while the page frame is shared by the plurality of virtual machines and before any of the plurality of virtual machines writes to a page of virtual memory that is mapped to the page frame, a second checksum for the page frame, (iv) detecting a modification attack (such as a rowhammer attack) on the page frame by one of the plurality of virtual machines by detecting that the first checksum does not equal the second checksum, and (v) performing a security action in response to detecting the modification attack. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 28, 2017
    Date of Patent: January 1, 2019
    Assignee: Symantec Corporation
    Inventors: William E. Sobel, Bruce McCorkendale
  • Patent number: 10169584
    Abstract: The disclosed computer-implemented method for identifying non-malicious files on computing devices within organizations may include (1) identifying a file on at least one computing device within multiple computing devices managed by an organization, (2) identifying a source of the file based on examining a relationship between the file and the organization, (3) determining that the source of the file is trusted within the organization, and then (4) concluding, based on the source of the file being trusted within the organization, that the file is not malicious. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: June 25, 2015
    Date of Patent: January 1, 2019
    Assignee: Symantec Corporation
    Inventors: Kevin Roundy, Sandeep Bhatkar, Aleatha Parker-Wood, Yin Liu, Anand Kashyap, Leylya Yumer, Christopher Gates
  • Patent number: 10169575
    Abstract: A computer-implemented method for preventing internal network attacks may include 1) identifying a host system that is within a subnet of a network, 2) detecting an intrusion on the host system, the intrusion on the host system being capable of facilitating an attack via the host system on at least one additional system of the network, 3) identifying at least one additional host system within the subnet of the network, and 4) implementing a security measure on the additional host system to prevent the attack based at least in part on detecting the intrusion and at least in part on the host system and additional host system being within the subnet. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 14, 2012
    Date of Patent: January 1, 2019
    Assignee: Symantec Corporation
    Inventor: Alexander Lototskiy
  • Patent number: 10162962
    Abstract: The disclosed computer-implemented method for detecting credential theft may include (i) monitoring a secured computing system's credential store that may include at least one sensitive credential that may be used to facilitate authentication of a user that is attempting to access the secured computing system, (ii) gathering, while monitoring the credential store, primary evidence of an attempted theft of the sensitive credential from the credential store, (iii) gathering corroborating evidence of the attempted theft of the sensitive credential, and (iv) performing a security action in response to gathering the primary evidence and the corroborating evidence of the attempted theft. The primary evidence of the attempted theft of the sensitive credential may include evidence of any suspicious access of the sensitive credential from the credential store that occurs outside of a procedure of authenticating the user. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 14, 2016
    Date of Patent: December 25, 2018
    Assignee: Symantec Corporation
    Inventors: Adam Glick, Brian Schlatter, Feng Li, Akshata Krishnamoorthy Rao
  • Patent number: 10157290
    Abstract: The disclosed computer-implemented method for encrypting files may include (i) detecting an event within a network that triggers an encryption of a file on the network, (ii) performing, in response to detecting the event, both encrypting the file to a file encryption key and encrypting the file encryption key to a public key of a source of the file, (iii) receiving, from a client, a file access request that includes the encrypted file encryption key, and (iv) transmitting, in response to determining that the client is authorized to access the file, a re-encrypted file encryption key to the client to enable the client to access the file. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: October 11, 2017
    Date of Patent: December 18, 2018
    Assignee: Symantec Corporation
    Inventors: Nikhil Sinha, Earle Lowe, Sumit Sarin, Sumesh Jaiswal
  • Patent number: 10158662
    Abstract: The present disclosure relates to scanning for security threats on a lightweight computing device. An example method generally includes receiving, from a mobile device, a software package including a lightweight computing device security application. A lightweight device transmits, to the mobile device, information identifying at least a first application installed on the lightweight computing device. In response, the lightweight device receives, from the mobile device, information identifying the first application as being a known security threat and remediates a security threat posed by the identified application.
    Type: Grant
    Filed: August 19, 2016
    Date of Patent: December 18, 2018
    Assignee: Symantec Corporation
    Inventors: Jonathon Salehpour, Somard Kruayatidee
  • Patent number: 10154136
    Abstract: Systems, apparatuses, methods, and computer readable mediums for implementing a flexible call blocking scheme using validated identities and selected attribute sharing. A user may undergo an identity verification process to generate one or more signed attributes associated with the user. When the user initiates a phone call, the user may select which attributes to expose to the callee. In one embodiment, the user's device may prevent the user's phone number from being exposed to the callee. The selected attributes may be sent to the callee, and then the device of the callee may compare the selected attributes to preconfigured rules. If the preconfigured rules indicate the selected attributes of the caller meet one or more criteria, then the call may be allowed to ring the device of the callee. Otherwise, the call may be blocked.
    Type: Grant
    Filed: March 22, 2016
    Date of Patent: December 11, 2018
    Assignee: Symantec Corporation
    Inventors: Keith Newstadt, Ilya Sokolov
  • Patent number: 10152530
    Abstract: A control point module may receive information associated with a plurality of users accessing a plurality of files. Each of the files may be stored in a folder of the plurality of folders. Users who have accessed one or more files stored in a folder may be assigned to each corresponding folder. Users who have been assigned to each folder of a plurality of pairs of the folders may be compared to identify one or more differences of assigned users between each folder of each pair of the folders. Furthermore, a recommended control point may be determined based on the identified one or more differences of the assigned users.
    Type: Grant
    Filed: July 23, 2014
    Date of Patent: December 11, 2018
    Assignee: Symantec Corporation
    Inventors: Michael Andrew Hart, Anantharaman Ganesh
  • Patent number: 10152197
    Abstract: The systems and methods described herein relate to mobile devices. More specifically, the systems and methods described herein relate to dynamically altering a status of an application on a mobile device. Mobile devices may have several applications installed thereon. In some instances, the applications may not be available. The application icon may be dynamically altered to indicate a status of the application.
    Type: Grant
    Filed: February 2, 2015
    Date of Patent: December 11, 2018
    Assignee: Symantec Corporation
    Inventor: Yong Ling Xue
  • Patent number: 10148688
    Abstract: The disclosed computer-implemented method for detecting illegitimate devices on wireless networks may include (1) identifying an initial set of hops that represent devices on a wireless network that relay network traffic between the computing device and a destination, (2) identifying, after identifying the initial set of hops, a new set of hops that relay the network traffic between the computing device and the destination, (3) comparing the initial set of hops to the new set of hops, and (4) determining, based on the comparison, that the new set of hops comprises an abnormality that indicates an illegitimate device is intercepting the network traffic on the wireless network between the computing device and the destination. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: February 9, 2015
    Date of Patent: December 4, 2018
    Assignee: Symantec Corporation
    Inventors: Michael Shavell, Matt Boucher, Christopher Robichaud
  • Patent number: 10148631
    Abstract: The disclosed computer-implemented method for preventing session hijacking may include (1) determining that a user is attempting to complete at least a portion of an authentication session on a first computing system, (2) using input from one or more input devices of the first computing system to obtain environmental context associated with the user's attempt to complete the authentication session, (3) preventing the authentication session from authenticating the user while using the environmental context to determine whether the authentication session is valid, where using the environmental context to determine whether the authentication session is valid includes (a) transmitting the environmental context to a second computing system and (b) requesting an indication of whether, based on an evaluation of the environmental context at the second computing system, the authentication session is valid. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 29, 2015
    Date of Patent: December 4, 2018
    Assignee: Symantec Corporation
    Inventors: Ilya Sokolov, Kevin Jiang
  • Patent number: 10148694
    Abstract: Techniques are disclosed for performing data loss prevention (DLP) by monitoring file system activity of an application having a network connection. A DLP agent tracks file system activity (e.g., file open and read operations) being initiated by the application. The DLP agent intercepts the file system activity and evaluates a file specified by the file system operation to determine whether the file includes sensitive data. If so determined, the DLP agent prevents the sensitive data from being transmitted (e.g., by blocking the file system activity, redacting the sensitive data from the file, etc.).
    Type: Grant
    Filed: October 1, 2015
    Date of Patent: December 4, 2018
    Assignee: SYMANTEC CORPORATION
    Inventors: Sumit Manmohan Sarin, Sumesh Jaiswal, Bishnu Chaturvedi, Arnaud Scomparin
  • Patent number: 10148690
    Abstract: A system and method for detecting malicious hijack events in real-time is provided. The method may include receiving routing data associated with a Border Gateway Protocol (BGP) event from at least one BGP router. The method may further include generating a hijack detection model using a machine learning technique, such as Positive Unlabeled learning. The machine learning technique may include at least one data input and a probability output; wherein, the data input couples to receive a set of historically confirmed BGP hijacking data and the routing data, while the probability output transmits a probability value for the malicious event which may be calculated based upon the data input. Finally, the method may include classifying the BGP event as a malicious event or a benign event using the BGP hijack model and correcting routing tables that have been corrupted by a malicious event.
    Type: Grant
    Filed: December 21, 2015
    Date of Patent: December 4, 2018
    Assignee: SYMANTEC CORPORATION
    Inventors: Yun Shen, Yufei Han, Pierre-Antoine Vervier
  • Patent number: 10146740
    Abstract: A computer implemented method is provided for processing sparse data. A sparse data set is received. A modified sparse data set is calculated by replacing all nonzero values in the sparse data set with a common positive integer. The modified sparse data set is transposed to create a transposed data set. A covariance matrix is calculated by multiplying the transposed data set by the modified sparse data set. A tree of a predefined depth is generated by assigning columns of the sparse data set to right and left nodes based on co-occurrence with a first anchor column and a second anchor column. The first anchor column and the second anchor column are determined based on the covariance matrix.
    Type: Grant
    Filed: March 8, 2017
    Date of Patent: December 4, 2018
    Assignee: Symantec Corporation
    Inventors: Nikolaos Vasiloglou, Andrew B. Gardner
  • Patent number: 10146893
    Abstract: A computer-implemented method for evaluating electronic control units within vehicle emulations may include (1) connecting an actual electronic control unit for a vehicle to a vehicle bus that emulates network traffic rather than actual network traffic generated by operation of the vehicle, (2) manipulating input to the actual electronic control unit to test how safely the actual electronic control unit and the emulated electronic control unit respond to the manipulated input, (3) detecting an output from the actual electronic control unit that indicates a response, from the actual electronic control unit, to manipulating the input, and (4) evaluating a safety level of at least one of the actual electronic control unit and the emulated electronic control unit based on detecting the output from the actual electronic control unit. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 27, 2015
    Date of Patent: December 4, 2018
    Assignee: Symantec Corporation
    Inventors: Nathan Evans, Azzedine Benameur, Yun Shen
  • Patent number: 10140187
    Abstract: Techniques for system backup are disclosed. In one embodiment, the techniques may be realized as a method including identifying a particular characteristic of a particular modification of a default automated procedure for selecting files to include in an off-site backup, wherein the identifying is based at least in part on an aggregation of data from many client devices as to how each of many users deviated from the default automated selection procedure; receiving a first system profile for a first client device; identifying the particular characteristic in the first system profile; and based on identifying the particular characteristic in the first system profile, applying a modified default automated selection procedure to the first client device, the modified default automated selection procedure including the particular modification identified with the particular characteristic.
    Type: Grant
    Filed: June 30, 2015
    Date of Patent: November 27, 2018
    Assignee: SYMANTEC CORPORATION
    Inventors: Leo Chan, Ilya Sokolov