Abstract: The disclosed computer-implemented method for trichotomous malware classification may include (1) identifying a sample potentially representing malware, (2) selecting a machine learning model trained on a set of samples to distinguish between malware samples and benign samples, (3) analyzing the sample using a plurality of stochastically altered versions of the machine learning model to produce a plurality of classification results, (4) calculating a variance of the plurality of classification results, and (5) classifying the sample based at least in part on the variance of the plurality of classification results. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for protecting automated execution environments against enumeration attacks may include (1) monitoring a file that is undergoing a malware analysis in an automated execution environment, (2) while monitoring the file, detecting one or more behaviors exhibited by the file during the malware analysis in the automated execution environment, (3) determining, based at least in part on the behaviors exhibited by the file, that the file is attempting to discover one or more resources used in connection with the malware analysis, and then in response to determining that the file is attempting to discover the resources used in connection with the malware analysis, (4) terminating the malware analysis in an effort to undermine the file's attempt to discover the resources used in connection with the malware analysis. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for providing two-factor authentication with an enterprise gateway when an authentication server is unavailable may include (1) receiving, at a computing device, an authentication request from a client device; (2) determining the authentication server is unavailable; (3) sending, to the client device and in response to determining the authentication server is unavailable, a backup credential stored on the enterprise gateway; (4) receiving, from the client device, a security code generated by the backup credential; (5) authenticating the security code; (6) sending, in response to determining the security code is authentic, access approval to the client device. The provided methods may provide authentication, by an enterprise gateway, of one or more factors in a multi-factor authentication system when an authentication server is unavailable. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for providing interfaces for visualizing threats within networked control systems may include (i) receiving a request to provide a graphical interface to visualize a networked control system with multiple components, (ii) identifying within the networked control system a potential security threat involving a potentially compromised component of the networked control system, and (iii) providing the graphical interface by (a) ordering the components according to a control hierarchy, (b) portraying each component within a circular area by arranging the components according to the control hierarchy and according to domains within the networked control system such that each component falling within a given domain is placed within a corresponding arc of the circular area, and (c) highlighting, within the graphical interface, an area within an arc of the circular area containing the potentially compromised component.

Abstract: The disclosed computer-implemented method for detecting network security deficiencies on endpoint devices may include (i) detecting, at a network device, a request from an endpoint device to automatically connect to a wireless network, (ii) establishing, via the network device, a network connection between the endpoint device and a wireless network that appears to be the wireless network requested by the endpoint device but is not actually the requested wireless network, (iii) determining, based on establishing the network connection between the endpoint device and the wireless network that appears to be the requested wireless network, that the endpoint device is vulnerable to network attacks, and then (iv) facilitating, via the network connection, a security action on the endpoint device to protect the endpoint device against the network attacks. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A method for detecting malicious software is described. In one embodiment, the method includes identifying an unknown application on mobile device, identifying a package name of the unknown application, analyzing the package name of the unknown application in relation to package names of one or more categorized applications, and determining a likelihood the unknown application includes malware based at least in part on analyzing the package name of the unknown application.

Abstract: The disclosed computer-implemented method for obscuring user location may include (i) detecting a motion of a user mobile device through a motion sensor of the user mobile device, (ii) checking whether the motion of the user mobile device satisfies a specified threshold that defines a threshold level of motion, (iii) determining that the motion of the user mobile device satisfies the specified threshold that defines the threshold level of motion, and (iv) protecting a user of the user mobile device by obscuring, in response to determining that the motion of the user mobile device satisfies the specified threshold, an actual location of the user mobile device by outputting information indicating a decoy location of the user mobile device that deviates from the actual location of the user mobile device. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for enabling safe memory de-duplication in shared-computing environments may include (i) identifying a first virtual machine and a second virtual machine, (ii) calculating a trustworthiness score for the first virtual machine based on a trustworthiness score of each binary of the first virtual machine, (iii) calculating a trustworthiness score for the second virtual machine based on a trustworthiness score of each binary of the second virtual machine, and (iv) enabling the first virtual machine and the second virtual machine to share a page frame of physical memory by assigning, based on the trustworthiness scores of the first virtual machine and the second virtual machine being above a predetermined threshold, the first virtual machine and the second virtual machine to a trusted group of virtual machines that can share physical memory. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A method for determining malicious attachments on messages is described. A computing device may receive an electronic message, including one or more unopened attachments, and identify one or more characteristic values of the message header, message body, or attachments of the message. The computing device may analyze the identified characteristics and in some instances compare at least a portion of the characteristics, individually or in combination, with one or more configured thresholds of the computing device. The computing device may determine an attachment is embedded with a macro. The macro may be associated with a visual basic application (VBA) and contain malicious code. Based on the determination, the computing device may initiate a security protocol, including notification via a user interface of the device.

Abstract: A method for anonymous reputation requests is described. In one embodiment, the method includes calculating a full thumbprint of an object on a client machine, trimming one or more bits from the full thumbprint to generate a trimmed thumbprint, sending the trimmed thumbprint to a reputation server, and receiving a result from the reputation server regarding the trimmed thumbprint.

Abstract: The disclosed computer-implemented method for remediating computer reliability issues may include (1) obtaining a computer-generated log line that potentially includes information pertaining to a cause of a reliability issue experienced by a device, (2) determining that a product-specific schema has not been created for a product that generated the computer-generated log line, (3) in response to determining that a product-specific schema has not been created for the product, matching values of the computer-generated log line to fields within one or more established schemas that are not specific to the product, (4) identifying an entry, within the one or more established schemas, that corresponds to the computer-generated log line, and (5) remediating the device based on information associated with the entry within the one or more established schemas. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Computer-implemented systems, methods, and media are provided for emulating microprocessor instructions. The computer-implemented systems, methods, and media may, for example, identify an instruction of a first software application using a second software application that emulates instructions of a type of microprocessor, add an additional bit to a length of an operation code of the instruction to create an extended operation code, wherein the extended operation code is represented in an operation code table of the second software application, and emulate execution of the instruction using the second software application and the extended operation code.

Abstract: The disclosed computer-implemented method for generating training documents used by classification algorithms may include (i) identifying a set of training documents used by a classification system to classify documents written in a first language, (ii) generating a list of tokens from within the training documents that indicate critical terms representative of classes defined by the classification system, (iii) translating the list of tokens from the first language to a second language, (iv) creating, based on the translated tokens, a set of simulated training documents that enables the classification system to classify documents written in the second language, and (v) classifying an additional document written in the second language based on the set of simulated training documents. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for generating tripwire files may include (1) generating an initial tripwire file according to an initial tripwire generation calculation, the initial tripwire file configured such that modification of the initial tripwire file triggers investigation of a security breach, (2) generating a subsequent tripwire file according to a subsequent tripwire generation calculation, the subsequent tripwire generation calculation differing from the initial tripwire generation calculation along at least one dimension, (3) receiving automated feedback that indicates whether at least one of the initial tripwire file and the subsequent tripwire file failed to enable detection of a security threat, and (4) adjusting automatic generation of a third tripwire file based on the automated feedback indicating whether at least one of the initial tripwire file and the subsequent tripwire file failed to detect the security threat.

Abstract: The disclosed computer-implemented method for categorizing security incidents may include (i) generating, within a training dataset, a feature vector for each of a group of security incidents, the feature vector including features that describe the security incidents and the features including categories that were previously assigned to the security incidents as labels to describe the security incidents, (ii) training a supervised machine learning function on the training dataset such that the supervised machine learning function learns how to predict an assignment of future categories to future security incidents, (iii) assigning a category to a new security incident by applying the supervised machine learning function to a new feature vector that describes the new security incident, and (iv) notifying a client of the new security incident and the category assigned to the new security incident. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Automatically detecting insider threats using user collaboration patterns. In one embodiment, a method may include identifying collaborative access of one or more network resources in a network between a target user using a target network device and other users using other network devices in the network during multiple prior time periods and during a current time period, generating prior collaboration graphs for the prior time periods, generating an average collaboration graph by combining the prior collaboration graphs, generating a current collaboration graph for the current time period, generating an anomaly score by comparing the current collaboration graph to the average collaboration graph, determining that the collaborative access of the one or more network resources during the current time period is anomalous by determining that the anomaly score exceeds a threshold, and, in response to the anomaly score exceeding the threshold, performing a security action on the target network device.

Abstract: A predetermined event occurring on a client device is detected. The predetermined event can be in the form of a user-initiated action, an audio command, geolocation information, a breaking of a wireless connection, or exceeding a relative distance. The detection of the predetermined event triggers a switch of the current access mode of the client device to a more secure access mode. Access mode switches on other client devices may also be triggered. Additional actions may be executed on the client device and the other associated client devices to further secure these devices.

Abstract: A computer-implemented method for automatically generating passwords that comply with password restrictions may include (1) maintaining a database that stores password criteria for a plurality of websites, (2) determining that a user is accessing a website that requests creation of a password, (3) determining a set of password complexity rules for the website by querying the database that stores the password criteria, (4) using the set of password complexity rules to automatically generate the password for the website such that the password complies with the password criteria for the website, and (5) providing the password for use in the website that requested creation of the password. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The present disclosure relates to systems and methods for blocking an infection vector. In some embodiments, a method may include detecting, at a first device, a synchronization event with a second device, the first device and the second device operating with a proprietary mobile operating system. In some examples, the method may include recognizing, by the first device, that the first device is attempting to send a data package to the second device, and identifying the data package as malware. The method may further include blocking the data package from being received at the second device based at least in part on the identifying.

Abstract: In certain embodiments, a method comprises forming a cluster of peered network devices comprising a plurality of three or more peered network devices and a plurality of control information connections between pairs of the peered network devices. The method further comprises classifying a connection by associating the connection with an application, wherein a first peered network device associated with the cluster classifies the connection based at least in part on sequential payload packets associated with the connection, at least some of which the first device receives from other peered network devices associated with the cluster. The method also comprises sending control information over one of the control information connections between the first peered network device and a second peered network device associated with the cluster, wherein the control information comprises information regarding the classification of the connection.