Abstract: A system and method for detecting potential system vulnerabilities to malicious attacks. A list of routes between computing devices and associated threat levels is maintained as network events occur between computing devices. The routes include bad hygiene endpoints, high value targets which are a variety of server types controlling access to sensitive data, and network connections. A list of routes connecting high value targets and bad hygiene endpoints are sorted by a priority level and used to identify potential routes. When a network event corresponding to a given route is detected, the list is searched to identify potential routes. Potential routes are monitored routes with no network events detected yet between the source and destination.

Abstract: The disclosed computer-implemented method for guiding users to network-enabled devices may include (i) monitoring network communications within a wireless network, (ii) determining, based on monitoring network communications transmitted over the wireless network that involve a network-enabled device connected to the wireless network, that an end user requires guidance to a physical location of the network-enabled device, (iii) deriving the physical location of the network-enabled device in three-dimensional space, and (iv) guiding, by a user interface, the end user to the physical location of the network-enabled device in three-dimensional space. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for preventing unauthorized access to computing devices implementing computer accessibility services may include (i) detecting, at a client computing device, an instruction to perform a user interface action utilizing a computer accessibility service, (ii) determining, at the client computing device, whether the instruction was triggered based on a touch event initiated by a user of the client computing device, and (iii) performing, at the client computing device, a security action in response to determining that the instruction was not triggered based on a touch event initiated by the user. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The present disclosure relates to managing a rate of generating data requests to be processed at a service provider. An example method generally includes detecting an instance of a push notification event directed to a group of endpoint systems. The push notification event generally indicates that push notifications are to be transmitted to the group of endpoint systems to generate the data requests. A computing system determines a resource utilization associated with at least one of the data requests generated based on the push notification event and determines a push notification transmission rate based on the determined resource utilization and computing resources available at the service provider. The rate generally indicates a number of push notifications to generate and transmit over a period of time. The computing system transmits the push notifications to the group of endpoint systems based on the calculated push notification transmission rate.

Abstract: The disclosed computer-implemented method for warning users about untrustworthy application payment pages may include (1) detecting, within an Internet browser, a payment page to purchase an application, (2) determining a source of origin of the payment page, (3) querying a reputation database to determine a reputation of the source of origin of the payment page, (4) receiving a response from the reputation database indicating that the source of origin of the payment page is untrustworthy, and (5) in response to receiving the response that indicates that the source of origin of the payment page is untrustworthy, warning a user of the Internet browser that the source of origin of the payment page is untrustworthy. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: According to one embodiment, a method comprises presenting a graphical user interface that includes a plurality of user selectable buttons, each button corresponding to a customizable variable of a step in a sequence, and receiving, based on user input, a selection of one of the plurality of user selectable buttons. The method further comprises providing, based on the selection, a plurality of options for the variable corresponding to the selected button, determining a designation of at least one option for one or more variables in a first step and a designation of at least one option for one or more variables in a second step, and generating, based on the determined designations, a custom sequence detector comprising at least the first step and the second step.

Abstract: Techniques are disclosed for constructing network whitelists in server endpoints using host-based security controls. Once constructed, the network whitelists are used to detect unauthorized communications at the server endpoints. In one embodiment, a method is disclosed for constructing a network whitelist. The method includes identifying at least a first application hosted on a computing system. The method also includes inspecting one or more configuration files associated with the first application to identify one or more configuration settings that specify how the first application communicates with one or more second applications. The method further includes generating a whitelist that specifies expected network communications activity for the first application, based on the configuration settings.

Abstract: The disclosed computer-implemented method for responding to electronic security incidents may include (i) identifying a plurality of security incidents that each occurred within a computing environment and call for a security response, (ii) establishing relationships among the plurality of security incidents by, for each security incident, (a) calculating a feature vector indicating at least one feature of the security incident, (b) using the feature vector to calculate a degree of similarity between the security incident and an additional security and (c) creating an association between the security incident and the additional security incident that reflects the degree of similarity between the security incident and the additional security incident, and (iii) triggering, based on the relationships among the plurality of security incidents, a security action that responds to at least the security incident and the additional security incident.

Abstract: A method for improving security of peripheral devices is described. In one embodiment, the method includes sending, by a processor of a peripheral device, at least one packet of data to an operating system of a computing device, identifying, by the processor, execution of a software application on the computing device, performing, by the processor, a handshake protocol between the secure input device and the software application based at least in part on the execution of the software application, and establishing, by the processor, a secure session over a secure channel between the secure input device and the software application based at least in part on the handshake protocol. In some cases, the at least one packet of data identifies the peripheral device to the operating system as two or more peripheral devices such as a default input device and a secure input device.

Abstract: Techniques presented herein describe data loss prevention (DLP) methods for saving a file to a destination over a network via an application, such as a productivity application having such features. A DLP agent injects components to the productivity application intercept save operations initiated by a user. When the user initiates a save operation for a file, the components suspend the operation and store a current version of the file (including unsaved file data) in a temporary location accessible to the DLP agent on disk. The DLP agent evaluates the current version of the file and file destination based on network and security policies to determine whether to allow or block the save operation.

Abstract: In one embodiment, a device in a network classifies Internet content data using one or more classifiers to identify a plurality of content classes for the content data. Each content class has a corresponding classification score based on the classification. The device determines whether any of the classification scores exceed a threshold level. The device identifies a set of content groups, where each of the plurality of content classes is associated with one of the content groups. The device associates the content data with a selected one of the content groups based on a determination that the classification scores for the plurality of content classes do not exceed the threshold level.

Abstract: Methods and apparatus for optimizing computer detection of malware using pattern recognition by refreshing random classification forests are described. In one embodiment, one or more selected trees of a random forest on a computing system may be replaced by one or more new trees. As new categorized data becomes available, one or more new trees may be generated using the new categorized data. Once the one or more new trees are available, the performance of the one or more new trees may be compared to the performance of the trees in the current random forest. Based on this comparison, one or more trees of the random forest may be selected to be replaced by one or more of the new trees.

Abstract: A computer-implemented method for verifying authentication requests using IP addresses may include (i) collecting, by a computing system, data on IP address changes from a set of endpoint devices, (ii) creating, by the computing system using the data on IP address changes, a virtual IP address distance map based on a likelihood of change from at least one origin IP address to at least one destination IP address, (iii) automatically detecting, by the computing system, a change in an IP address of a client device, (iv) determining, by the computing system and based on the virtual IP address distance map, that the change in the IP address of the client device indicates that an authentication request from the client device is suspicious, and (v) performing, by the computing system, a security action to secure the client device. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for dynamically validating remote requests within enterprise networks may include (1) receiving, on a target system within an enterprise network, a request to access a portion of the target system from a remote system within the enterprise network, (2) performing a validation operation to determine whether the remote system is trustworthy to access the portion of the target system by (A) querying an enterprise security system to authorize the request from the remote system and (B) receiving, from the enterprise security system in response to the query, a notification indicating whether the remote system is trustworthy to access the portion of the target system, and then (3) determining whether to grant the request based at least in part on the notification received from the enterprise security system as part of the validation operation. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for categorizing mobile devices as rooted may include (1) gathering a set of metadata describing a plurality of rooted mobile devices that have been modified to allow a user to alter protected systems and an additional set of metadata describing a plurality of unrooted mobile devices that have not been modified to allow the user to alter the protected systems, (2) comparing the set of metadata with the additional set of metadata to determine at least one feature that differentiates the rooted mobile devices from the unrooted mobile devices, (3) determining whether the feature is present in metadata that describes an uncategorized mobile device, and (4) categorizing the uncategorized mobile device as a rooted mobile device based on the presence of the feature in the metadata that describes the uncategorized mobile device. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Techniques for data classification may be realized as a method including: selecting from a group of files a sample set representing fewer than all of the files; classifying each file in the sample set, wherein classifying each file includes identifying whether each file represents sensitive information; and providing an estimate for the group of files based on the classification of each file in the sample set, including an estimate of sensitive information within the group of files.

Abstract: In one embodiment, a first device in a network receives intercepted traffic that has been encrypted. The first device decrypts the intercepted traffic and sends the decrypted traffic to one or more analysis devices in the network. The first device receives a message indicative of a result of analysis of the decrypted traffic by the one or more analysis devices.

Abstract: A method and system for activating malicious actions within electronic documents is described. In one embodiment, the method may include receiving, by a processor of a computing device, the electronic document; identifying, by the processor, an object embedded within the electronic document; identifying, by the processor, an action associated with execution of the object; executing, by the processor, the action within a context of rules associated with the object; identifying, by the processor, at least one behavior that results from execution of the action; and determining, by the processor, an existence of at least one malicious element from the identified behavior.

Abstract: The disclosed computer-implemented method for detecting vulnerabilities on servers may include (i) sending requests to servers for information about services potentially executing on the servers, (ii) receiving, in response to requests, messages from the servers that comprise the information about the services, wherein the set of messages use different formats for transmitting the information, (iii) creating, by analyzing the set of the messages, at least one heuristic that is capable of automatically extracting, from a message, an identifier of a service that executes on a server that sent the message, (iv) extracting, from the message, via the heuristic, the identifier of the service executes on the server that sent the message, and (v) determining, based on the identifier of the service, that the service contributes to a vulnerability on the server that sent the message. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for reducing infection risk of computing systems may include (i) determining a distance between a computing system that is connected to a local network and an additional computing system that is not connected to the local network but is connected to the computing system via a series of connected devices, (ii) detecting that the additional computing system is infected with malware, (iii) calculating an infection probability for the computing system that is based at least in part on the distance between the computing system and the additional computing system that is infected, and (iv) performing a security action on the computing system that reduces a risk of infection of the computing system in response to the infection probability for the computing system meeting a predetermined threshold for infection probability. Various other methods, systems, and computer-readable media are also disclosed.