Abstract: Introduced here are techniques for modeling networks in a discrete manner. More specifically, various embodiments concern a virtual machine that collects data regarding a network and applies algorithms to the data to discover network elements, which can be used to discover the topology of the network and model the network. The algorithms applied by the virtual machine may also recognize patterns within the data corresponding to naming schemes, subnet structures, application logic, etc. In some embodiments, the algorithms employ artificial intelligence techniques in order to more promptly respond to changes in the data. The virtual machine may only have read-only access to certain objects residing within the network. For example, the virtual machine may be able to examine information hosted by a directory server, but the virtual machine may not be able to effect any changes to the information.

Abstract: Techniques are disclosed for providing a device-based PIN authentication process used to protect encrypted data stored on a computing system, such as a tablet or mobile device. A client component and a server component each store distinct cryptographic keys needed to access encrypted data on the client. The mobile device stores a vault encryption key used to decrypt encrypted sensitive data stored on the mobile device. The vault key is encrypted using a first encryption key and stored on the mobile device. The first encryption key is itself encrypted using a second encryption key. The second encryption key is derived from the PIN value.

Abstract: The disclosed computer-implemented method for generating memory images of computing devices may include (1) monitoring a computing device to detect changes made to data stored within the computing device, (2) maintaining a log that describes the data changes made by recording, in response to detecting a change made to a portion of data, both a state of the portion of data after the data change occurred and a time at which the data change occurred, (3) detecting an event that triggers generation of an image of the computing device that represents a state of the computing device at a particular point in time, and (4) in response to detecting the event, generating the image of the computing device by incorporating at least a portion of the log of data changes into the image of the computing device. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for securely sharing cloud-service credentials within a network of computing devices may include (i) identifying, by a central computing device, a set of networked devices, (ii) encrypting, by the central computing device, at least one user credential for a cloud service, (iii) dividing, by the central computing device, a decryption key for decrypting the user credential into a set of fragments such that a minimum number of fragments, as defined by a security policy, is required to decrypt the user credential, and (iv) securing the user credential by distributing the set of fragments of the decryption key from the central computing device to the set of networked devices in compliance with the security policy. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A method of categorizing a recent transaction as anomalous includes a) receiving information about a recent transaction and b) accessing information about one or more historical transactions. The one or more historical transactions have at least one party in common with the recent transaction. The method also includes c) determining a similarity value between the recent transaction and a transaction i of the one or more historical transactions and d) determining if the similarity value is greater than or equal to a predetermined threshold value. The method further includes e) if the similarity is greater than or equal to the predetermined threshold value, categorizing the recent transaction as not anomalous or f) if the similarity is less than the predetermined threshold value, determining if there are additional transactions. If there are additional transactions, incrementing counter i and repeating steps c) through f).

Abstract: The disclosed computer-implemented method for enforcing access-control policies in an arbitrary physical space may include (i) identifying a collection of devices that are located within a predetermined physical space, (ii) determining the physical location of each device in the collection of devices, (iii) establishing, based on the collection of devices, (a) a list of controlled devices that are subject to an access-control policy and (b) a list of monitoring devices that are capable of monitoring user activity within a physical proximity, (iv) matching each controlled device with at least one monitoring device that is capable of monitoring user activity within physical proximity to the controlled device, and (v) monitoring, for each controlled device and by each monitoring device matched to the controlled device, user activity within proximity to the controlled device. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for reporting the attempted transmission of sensitive information may include (1) identifying an attempt by at least one software program running on a computing device to transmit data to one or more intended recipients, (2) determining that the data of the attempted transmission includes sensitive information, (3) identifying an intended recipient of the attempted transmission, and (4) notifying a user of the computing device both that the attempted transmission includes sensitive information and of the intended recipient of the attempted transmission. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for managing wireless-network deauthentication attacks may include (1) detecting, at the wireless access point, a deauthentication signal, transmitted over a wireless network that is managed at least in part by the wireless access point, that prompts a target computing device to disconnect from the wireless network, (2) determining both that the deauthentication signal is directed to the target computing device and that the deauthentication signal was not initiated by the wireless access point, (3) determining, based at least in part on the determination that the deauthentication signal was not initiated by the wireless access point, that the deauthentication signal represents an illegitimate deauthentication signal, and (4) performing, in response to determining that the deauthentication signal represents an illegitimate deauthentication signal, a security action to mitigate effects of the illegitimate deauthentication signal on the target computing device.

Abstract: The disclosed computer-implemented method for chaining virtual private networks may include (i) establishing a virtual private network client that routes network traffic to a virtual private network, (ii) establishing an additional virtual private network client that routes the network traffic to an additional virtual private network, (iii) configuring the virtual private network client for split routing such that the virtual private network client routes different ranges of incoming network traffic to respective different network addresses, (iv) configuring the additional virtual private network client to route all incoming network traffic according to a default route, and (v) chaining the virtual private network client and the additional virtual private network client such that they process incoming network traffic in series. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for securing push authentications may include (i) receiving, by a security service and from a security service relying party, a push authentication for a user that the security service relying party encrypted using a public key assigned to a client device of the user, (ii) forwarding, by the security service, the push authentication to the client device of the user, (iii) receiving, by the security service, a response to the push authentication from the client device of the user, and (iv) forwarding, by the security service, the response to the push authentication from the client device of the user to the security service relying party. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for using electronic text information to automatically determine untrustworthy voice calls, at least a portion of the method being performed by a computing device comprising at least one processor, may include (1) during a voice call, receiving, by the computing device, text information representing contents of the voice call, (2) analyzing, by the computing device, the text information representing the contents of the voice call, (3) determining, by the computing device, that the voice call is untrustworthy based on the analysis of the text information, and (4) during the voice call, advising a recipient of the voice call of the determination that the voice call is untrustworthy. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A non-transitory computer readable storage medium, comprising executable instructions to collect network traffic data, produce a Fourier signature from the network traffic data, associate the Fourier signature with a known pattern, collect new network traffic data, produce a new Fourier signature from the new network traffic data, compare the new Fourier signature with the Fourier signature to selectively identify a match and associate the new network traffic data with the known pattern upon a match.

Abstract: Providing joint access to an isolated computer object by both an isolated computer application and a non-isolated computer application. In one embodiment, a method may include executing a first computer application as a virtualized first computer application in an isolation layer, executing a second computer application as an actual second computer application in an operating system outside the isolation layer, creating a virtualized second computer object in the isolation layer in a location accessible to the virtualized first computer application, creating a gateway third computer object associated with the virtualized second computer object, storing the gateway third computer object outside the isolation layer in a location accessible to the operating system, and enabling joint access to the gateway third computer object by both the virtualized first computer application and the actual second computer application.

Abstract: Systems, apparatuses, methods, and computer readable mediums for modeling malicious behavior that occurs in the absence of users. A system trains an anomaly detection model using attributes associated with a first plurality of events representing system activity on one or more clean machines when users are not present. Next, the system utilizes the trained anomaly detection model to remove benign events from a second plurality of events captured from infected machines when users are not present. Then, the system utilizes malicious events, from the second plurality of events, to train a classifier. Next, the classifier identifies a first set of attributes which are able to predict if an event is caused by malware with a predictive power greater than a threshold.

Abstract: A method for improving cascade classifier ordering is described. In one embodiment, the method may include determining an efficacy rating of a first current configuration, generating a decreasing sequence of values for a control parameter, and selecting a current value of the control parameter according to the decreasing sequence of values. In some cases, the method may include randomly selecting a first test configuration among the plurality of configurations based at least in part on the current value of the control parameter, analyzing the first test configuration in relation to the first current configuration, and implementing, based at least in part on the analyzing of the first test configuration, the first test configuration in a machine learning classification system of a computing device to improve a data classification accuracy of the computing device.

Abstract: A method for applying personalized machine learning models is provided. The method includes producing one or more feature vectors that represents features of one of a plurality of files of a file system and selecting, from a plurality of personalized machine learning models that model user accesses to the files of the file system a subset of the personalized machine learning models each of which has a plurality of non-zero weights corresponding to non-zero features of the one or more feature vectors. The method includes determining from the subset of personalized machine learning models which users of a plurality of users of the file system are likely to access the one of the plurality of files.

Abstract: The disclosed computer-implemented method for data visualization may include (i) identifying a data set that includes data entities and relationships between the data entities, (ii) dividing the data entities into groups, (iii) responding to a request to display the data set within a graphical user interface by portraying the data set as concentric rings, each given ring portraying a corresponding group and portraying data entities within the corresponding group as arcs of the given ring, (iv) receiving an input within the graphical user interface to select a data entity within a group by selecting an arc corresponding to the selected data entity of a ring corresponding to the group, and (v) determining that a subset of data entities within an additional group are related to the selected data entity and highlighting the subset of data entities within an additional ring. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A method for preventing suspicious activity on a computer network is described. In one embodiment, the method includes determining a first identifier of a first packet from a connection associated with network traffic, calculating a first value based at least in part on a portion of data included in the first packet, determining a second identifier of a second packet from the connection associated with the network traffic, the second identifier matching the first identifier, calculating a second value based at least in part on a portion of data included in the second packet, comparing the first value with a the second value, and determining that suspicious activity is occurring on the network based at least in part on the comparison between the first and second values. In some embodiments, the first identifier includes at least one of a sequence number and an acknowledgement number associated with the first packet.

Abstract: The disclosed computer-implemented method for recovering encrypted information may include (i) identifying an untrusted application that uses a known cryptographic function, (ii) hooking the known cryptographic function used by the untrusted application to execute decryption-facilitation code when the untrusted application attempts to encrypt data, where the decryption-facilitation code reduces the difficulty of later decrypting data encrypted by the untrusted application, (iii) detecting encrypted data produced by the untrusted application, and (iv) recovering unencrypted data from the encrypted data produced by the untrusted application using a decryption technique facilitated by having executed the decryption-facilitation code that reduced the difficulty of later decrypting the encrypted data encrypted by the untrusted application. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for providing security in smart buildings may include (1) detecting the presence of a user in a smart building, (2) determining that the user is unauthorized to access at least one resource in a smart building network within the smart building, (3) in response to determining that the user is unauthorized to access the resource in the smart building network, selecting an authentication policy that provides heightened security within the smart building network, and (4) increasing security within the smart building network to reflect the presence of the user by implementing the authentication policy within the smart building network. Various other methods, systems, and computer-readable media are also disclosed.