Patents Assigned to Symantec Corporation
  • Patent number: 9654504
    Abstract: A computer system monitors a set of inactive addresses. The computer system identifies a suspicious activity associated with at least one inactive address of the set of inactive addresses. The computer system determines a suspicion score for the at least one inactive address based on the suspicious activity associated with the at least one inactive address. The computer system categorizes the at least one inactive address as a potentially hijacked address if the suspicion score exceeds a threshold.
    Type: Grant
    Filed: December 10, 2013
    Date of Patent: May 16, 2017
    Assignee: Symantec Corporation
    Inventors: Pierre-Antoine Vervier, Marc Dacier, Olivier Thonnard
  • Patent number: 9652616
    Abstract: Techniques for classifying non-process threats are disclosed. In one particular exemplary embodiment, the techniques may be realized as a method for classifying non-process threats comprising generating trace data of at least one observable event associated with execution of a process, representing a first feature of the at least one observable event of the trace data, calculating, using a computer processor, a similarity between the first feature and at least one sample feature, and classifying the process based on the similarity.
    Type: Grant
    Filed: March 14, 2011
    Date of Patent: May 16, 2017
    Assignee: Symantec Corporation
    Inventors: Sandeep B. Bhatkar, Kent E. Griffin, Pratyusa Manadhata
  • Patent number: 9654503
    Abstract: A computer-implemented method for evaluating networks may include (1) identifying an initial set of recorded packet performance data that describes an instance of an attempt to establish a network connection path between an original node and a subsequent node in a network, (2) detecting, by a software security system, a network anomaly based on comparison data resulting from a comparison between the initial set of recorded packet performance data and an additional set of recorded packet performance data that describes another instance of an attempt to establish a network connection path between the original node and the subsequent node, and (3) performing, by the software security system, and in response to detecting the network anomaly based on the comparison between the sets of packet performance data, a security action to protect the computing device. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 11, 2015
    Date of Patent: May 16, 2017
    Assignee: Symantec Corporation
    Inventor: Daniel Kowalyshyn
  • Patent number: 9652615
    Abstract: The disclosed computer-implemented method for analyzing suspected malware may include (1) identifying a file suspected of including malware, (2) performing a static analysis of the file to identify at least one indication of an attack vector that the file uses to attack computing systems, (3) obtaining, from at least one computing system, telemetry data that identifies at least one indication of an attack vector that the file uses to attack computing systems, (4) constructing, using the indications obtained from the static analysis and the telemetry data, an execution profile that describes an execution environment that provides the attack vectors indicated by the static analysis and the telemetry data, and (5) configuring the execution environment described in the execution profile to test the file for maliciousness. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: June 25, 2014
    Date of Patent: May 16, 2017
    Assignee: Symantec Corporation
    Inventors: Andrew Collingwood Watson, Abubakar A. Wawda
  • Patent number: 9652597
    Abstract: A computer-implemented method for detecting information leakage by an organizational insider may include (1) identifying a set of organizational insiders of an organization, (2) identifying a set of public forums used by one or more organizational insiders, (3) identifying a set of messages posted to one or more public forums, (4) creating a message record corresponding to each message, with the record including a message summary, and a set of message metadata fields, (5) consolidating message records with common metadata fields into a message summary record, and (6) identifying, based on the message summary record, an information leakage threat. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: April 25, 2014
    Date of Patent: May 16, 2017
    Assignee: Symantec Corporation
    Inventors: Kevin Alejandro Roundy, Anand Kashyap
  • Patent number: 9647846
    Abstract: The disclosed computer-implemented method for verifying the authenticity of graphical images may include (1) identifying a graphical image intended for presentation by a display and then, prior to facilitating presentation of the graphical image by the display, (2) identifying an original unique identifier of at least a portion of the graphical image encoded into the graphical image, (3) computing a subsequent unique identifier of the portion of the graphical image, and (4) determining, by comparing the subsequent unique identifier to the original unique identifier, whether the graphical image is authentic. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: June 30, 2015
    Date of Patent: May 9, 2017
    Assignee: Symantec Corporation
    Inventor: Martin Schulman
  • Patent number: 9646157
    Abstract: A computer-implemented method for identifying repackaged files may include (1) identifying an application package that packages files for a mobile device application that is to be executed through a mobile device operating system, (2) identifying, within the application package, a resource file that identifies resources for the application package defined in a programming language for the mobile device operating system, (3) parsing the resource file to identify a flag for a resource that specifies whether the resource is public, (4) determining that the flag for the resource has been set as public, and (5) classifying the application package as repackaged based at least in part on the determination that the flag for the resource has been set as public. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 11, 2015
    Date of Patent: May 9, 2017
    Assignee: Symantec Corporation
    Inventors: Zhengqing Hou, Jiang Dong
  • Patent number: 9646158
    Abstract: A computer-implemented method for detecting malicious files may include (1) identifying a length of at least one line within a textual file, (2) assessing, based at least in part on the length of the line within the textual file, a likelihood that at least a portion of the textual file has been encrypted, (3) determining, based on the likelihood that at least a portion of the textual file has been encrypted, a likelihood that the textual file is malicious, and (4) performing a remediation action based at least in part on determining the likelihood that the textual file is malicious. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: June 22, 2015
    Date of Patent: May 9, 2017
    Assignee: Symantec Corporation
    Inventors: Nitin Shekokar, Xue Feng Tian
  • Patent number: 9647989
    Abstract: An intercepting proxy server processes traffic between an enterprise user and a cloud application which provides Software as a Service (SaaS). The intercepting proxy server provides interception of real data elements in communications from the enterprise to the cloud and replacing them with obfuscating information by encrypting individual real data elements without disturbing the validity of the application protocol. To the processing cloud application, real data are only visible as encrypted tokens. Tokens included in results returned from the cloud are intercepted by the intercepting proxy server and replaced with the corresponding sensitive real data. In this way, the enterprise is able to enjoy the benefits of the cloud application, while protecting the privacy of real data.
    Type: Grant
    Filed: April 19, 2012
    Date of Patent: May 9, 2017
    Assignee: Symantec Corporation
    Inventor: Terrence Peter Woloszyn
  • Patent number: 9639692
    Abstract: Dynamic on-device passcode to lock lost device is described. In one method, a security agent executing on a processor of a user device periodically generates a dynamic passcode using a cryptographic function and a cryptographic seed according to a predefined time interval. While the user device is in a first state, the security agent sends the cryptographic seed to an authentication service. The method receives an acknowledgement of receipt of the cryptographic seed from the authentication service and detects that the user device is in a potentially lost or stolen state based on a defined condition of the user device. In response to the detecting that the user device is in the potentially lost or stolen state, the method locks the user device and may unlock the user device when a current instance of the dynamic passcode is correctly entered on the user device.
    Type: Grant
    Filed: August 28, 2014
    Date of Patent: May 2, 2017
    Assignee: Symantec Corporation
    Inventor: Yong Ling Xue
  • Patent number: 9639577
    Abstract: A computer-implemented method for scanning a file is described. A Golomb-Compressed Sequence (GCS) index may be queried to determine whether GCS data is associated with the scanned data. The GCS index may be stored in a first storage medium and the GCS data may be stored in a second storage medium. The second storage medium may be different from the first storage medium. Upon determining the GCS data is associated with the scanned data, the location of the GCS data associated with the scanned data may be identified. The GCS data may be retrieved from the identified location. At least a portion of the retrieved GCS data may be analyzed. Based on the analysis of the retrieved GCS data, it may be determined whether to perform additional data querying.
    Type: Grant
    Filed: March 27, 2013
    Date of Patent: May 2, 2017
    Assignee: Symantec Corporation
    Inventors: Everett Lai, Kenneth Coleman, Qun Li, Yuval Tarsi
  • Patent number: 9639693
    Abstract: Techniques for detecting security vulnerabilities are disclosed. In one particular embodiment, the techniques may be realized as a method for detecting security vulnerabilities including assigning a reputation to an application, distributing the reputation to a client, receiving monitored system behavior from the client related to the client executing the application, determining whether to change the reputation of the application based on the monitored system behavior, distributing the changed reputation to the client, receiving further monitored system behavior from the client, and determining whether to generate a rule for the application based on the monitored system behavior received from the client.
    Type: Grant
    Filed: June 28, 2013
    Date of Patent: May 2, 2017
    Assignee: Symantec Corporation
    Inventors: Shireen Rivera, Peter Ashley
  • Patent number: 9639710
    Abstract: Techniques are disclosed for providing a device-based PIN authentication process used to protect encrypted data stored on a computing system, such as a tablet or mobile device. A client component and a server component each store distinct cryptographic keys needed to access encrypted data on the client. The mobile device stores a vault encryption key used to decrypt encrypted sensitive data stored on the mobile device. The vault key is encrypted using a first encryption key and stored on the mobile device. The first encryption key is itself encrypted using a second encryption key. The second encryption key is derived from the PIN value.
    Type: Grant
    Filed: December 23, 2013
    Date of Patent: May 2, 2017
    Assignee: Symantec Corporation
    Inventors: Shaun Cooley, Brian Powell, Srinivas Chillappa, Michael W. Lo, Mahesh Kamsala
  • Patent number: 9639702
    Abstract: A method for calculating a partial risk score for a data object may include identifying a request to calculate a partial risk score for a data object, the request including a partial risk score filter, and the data object being associated with one or more policies. The method may further include for each policy associated with the data object, determining whether characteristics associated with the policy match a parameter in the partial risk score filter, and when the characteristics associated with the policy match information in the partial risk score filter, including a data object risk score associated with the policy in the partial risk score for the data object.
    Type: Grant
    Filed: July 2, 2015
    Date of Patent: May 2, 2017
    Assignee: Symantec Corporation
    Inventors: Adam Jackson, Peter Lin, Jeremy Mailen
  • Patent number: 9629928
    Abstract: A mechanism for providing inventory information from distributed computing resources in an enterprise network in a manner that minimizes network traffic being sent from those computing resources to a centralized inventory server is provided. Bandwidth minimization is performed by generating a value corresponding to identifying information for each item inventoried on a computing resource and transmitting only those values to the inventory server. The generated value is shorter than a string containing the detailed information regarding the inventoried item, but is unique to that item. The inventory server then only requests more detailed information about an individual inventory item if a reported value has not previously been reported to the inventory server. In this manner, detailed information about a specific inventoried item is only transmitted through the network the first time that the item is inventoried and reported from any computer in the network.
    Type: Grant
    Filed: March 31, 2008
    Date of Patent: April 25, 2017
    Assignee: Symantec Corporation
    Inventor: Larry David Olsen
  • Patent number: 9626511
    Abstract: Application authorization management is provided without installation of an agent at an operating system level. A component runs outside of the operating system, in an AMT environment. AMT is utilized to examine the operating system for applications. Identified applications are checked against a whitelist or a blacklist. Responsive to determining that an identified application is not authorized, AMT is used to redirect input/output requests targeting the application to an alternative image, which can, for example, warn the user that the application is not authorized.
    Type: Grant
    Filed: August 26, 2008
    Date of Patent: April 18, 2017
    Assignee: Symantec Corporation
    Inventors: Bruce McCorkendale, Matthew Steele, William E. Sobel
  • Patent number: 9628506
    Abstract: A computer-implemented method for detecting security events may include (1) identifying facets of candidate security events detected by a network security system, (2) assigning each of the facets of the candidate security events to one of multiple groups of facets to create permutations of the facets, (3) comparing, for each group of facets, the candidate security events according to a similarity algorithm that indicates similarity between the candidate security events, (4) generating, for each group of facets, a weak classifier for detecting security events based on a nearest neighbor graph, and (5) performing, by the network security system, a remedial action in response to classifying a candidate security event as a security threat by applying a combination of the weak classifiers for the groups of facets to the candidate security event. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: June 26, 2015
    Date of Patent: April 18, 2017
    Assignee: Symantec Corporation
    Inventors: Yufei Han, Yun Shen
  • Patent number: 9628471
    Abstract: A computing system assigns an anonymous cloud account to a user in response to a determination that identity information of the user is validated for a request to access a cloud. The anonymous cloud account does not reveal an identity of the user to the cloud. The computing system creates mapping data that associates the user with the anonymous cloud account. The cloud does not have access to the mapping data. The computing system facilitates user access to the cloud based on the anonymous cloud account. The cloud generates cloud access pattern data for the anonymous cloud account without determining the identity of the user.
    Type: Grant
    Filed: June 1, 2015
    Date of Patent: April 18, 2017
    Assignee: Symantec Corporation
    Inventors: Sharada Sundaram, Robert Koeten
  • Patent number: 9622081
    Abstract: A computer-implemented method for evaluating reputations of wireless networks may include (1) identifying an endpoint computing system that is connected to a wireless network, (2) receiving, by a backend security server from the endpoint computing system, information that identifies the wireless network and that indicates in part a security state of the wireless network, (3) calculating, by the backend security server, a reputation of the wireless network based at least in part on the received information that identifies the wireless network and that indicates in part the security state of the wireless network, and (4) transmitting information about the calculated reputation of the wireless network to another endpoint computing system that is within range of the same wireless network. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 12, 2013
    Date of Patent: April 11, 2017
    Assignee: Symantec Corporation
    Inventor: Sourabh Satish
  • Patent number: 9619649
    Abstract: The disclosed computer-implemented method for detecting potentially malicious applications may include (1) detecting a request issued by an application running on a client device to download a file from a remote device, (2) determining that the request calls an application programming interface that enables the client device to download the file from the remote device, (3) determining that a parameter passed to the application programming interface in the request has been implicated in a previous attempt to download a known malicious file, and then in response to determining that the parameter has been implicated in a previous attempt to download a known malicious file, (4) classifying the application that issued the request as potentially malicious. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 13, 2015
    Date of Patent: April 11, 2017
    Assignee: Symantec Corporation
    Inventor: James Yun