Patents Assigned to Symantec Corporation
  • Patent number: 10277629
    Abstract: A computer-implemented method for creating a deception computing system may include (i) identifying, by a computing device, a dataset of security alert signatures from a set of client devices, (ii) determining, by the computing device, a set of software vulnerabilities based on the dataset of security alert signatures, (iii) clustering, by the computing device, the set of software vulnerabilities to increase a length of at least one potential attack path within a predetermined number of honeypot machines, and (iv) distributing, by the computing device and based on clusters of software vulnerabilities, a set of vulnerable software among a set of honeypot machines within a honeynet. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: December 20, 2016
    Date of Patent: April 30, 2019
    Assignee: Symantec Corporation
    Inventor: Ravindra Guntur
  • Patent number: 10275738
    Abstract: Techniques for handling device inventories are disclosed. In one embodiment, the techniques may be realized as a system for handling device inventories comprising one or more processors. The one or more processors may be configured to send an inventory request of a device. The inventory request may comprise identification information of the device. The one or more processors may further be configured to receive, in response to the inventory request, inventory information associated with the device. The one or more processors may further be configured to compare the received inventory information and current inventory information of the device. The one or more processors may further be configured to send differences between the received inventory information and the current inventory information.
    Type: Grant
    Filed: December 15, 2015
    Date of Patent: April 30, 2019
    Assignee: SYMANTEC CORPORATION
    Inventors: Konstantin Manuilov, Andres Puulinn, Andrew Parshin
  • Patent number: 10277625
    Abstract: The disclosed computer-implemented method for securing computing systems on private networks may include (i) identifying a set of computing systems that are connected via a private network, (ii) calculating, for each computing system in the set, a malware-vulnerability rating that reflects a probability of the computing system being compromised by a malware attack, a malware-exposure rating that is based on a relationship between the computing system and one or more other computing systems within the set, and a conditional infection probability that is based on the malware-vulnerability and malware-exposure ratings and that indicates a probability of the computing system becoming infected if one or more of the other computing systems are infected, and (iii) performing, based on the conditional infection probabilities of the computing systems in the set, a security action within the private network. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 28, 2016
    Date of Patent: April 30, 2019
    Assignee: Symantec Corporation
    Inventors: Petros Efstathopoulos, Daniel Kats
  • Patent number: 10264020
    Abstract: A computer-implemented method for scalable network monitoring in virtual data centers may include (1) identifying a plurality of network monitoring agents executing on a plurality of virtual machine host systems within a virtual data center, (2) intercepting, at a receiving virtual machine host system, a traffic flow within a virtual network within the virtual data center, (3) determining a processor load on each of the plurality of virtual machine host systems, (4) selecting, based on the processor load on the receiving virtual machine host system exceeding an established threshold, an alternate virtual machine host system that executes a second network monitoring agent for inspecting the traffic flow, and (5) limiting the processor load on the receiving virtual machine host system by designating the second network monitoring agent executing on the alternate virtual machine host system to inspect the traffic flow. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: February 5, 2015
    Date of Patent: April 16, 2019
    Assignee: Symantec Corporation
    Inventors: Susanta K. Nanda, Yuqiong Sun
  • Patent number: 10262353
    Abstract: A method for estimating mobile device performance is provided. The method includes accessing device information, application information and usage information from a plurality of mobile devices and receiving a user selection that indicates a type of mobile device and one or more applications. The method includes determining an impact the one or more applications cause to the selected type of mobile device, in terms of resources of the selected type of mobile device, based on the user selection and based on the device information, application information and usage information from the plurality of mobile devices. The method includes communicating information about the impact, in terms of the resources of the selected type of mobile device. A computer readable media and a system are also provided.
    Type: Grant
    Filed: February 13, 2015
    Date of Patent: April 16, 2019
    Assignee: SYMANTEC CORPORATION
    Inventor: Praveen Joginapally
  • Patent number: 10262131
    Abstract: The disclosed computer-implemented method for obtaining information about security threats on endpoint devices may include (1) detecting, by a security program on a computing device, an attempt to access at least one suspicious file, (2) before permitting the computing device to access the suspicious file, identifying, by the security program, at least one third-party resource not associated with the security program that contains information potentially indicative of the trustworthiness of the suspicious file, (3) obtaining, by the security program from the third-party resource, the information potentially indicative of the trustworthiness of the suspicious file, and then (4) determining, by the security program based at least in part on the information potentially indicative of the trustworthiness of the suspicious file, whether the suspicious file represents a security threat to the computing device. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: May 6, 2016
    Date of Patent: April 16, 2019
    Assignee: Symantec Corporation
    Inventors: Priti More, Kovid Agarwal, Sujit Magar
  • Patent number: 10262135
    Abstract: The disclosed computer-implemented method for detecting and addressing suspicious file restore activities may include (i) detecting a restore activity during which files are restored to a client device from a previously stored backup of the files, (ii) determining that a total number of the files restored during the restore activity exceeds a threshold number, and (iii) performing, based on the total number of the files exceeding the threshold number, a security action to protect the client device from a malicious threat associated with the restore activity. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: December 13, 2016
    Date of Patent: April 16, 2019
    Assignee: Symantec Corporation
    Inventors: Lei Gu, Ilya Sokolov, Haik Mesropian
  • Patent number: 10262137
    Abstract: A method for providing security recommendations is described. In one embodiment, the method may include identifying a set of monitored customers. In some cases, each monitored customer may include one or more computing devices. The method may include identifying a first computing device of a monitored customer for evaluation, selecting a potential security product to install on the first computing device, and quantifying the ability of the monitored customer to detect or prevent malware incidents based at least in part on the selected potential security product.
    Type: Grant
    Filed: June 30, 2016
    Date of Patent: April 16, 2019
    Assignee: Symantec Corporation
    Inventors: Michael Hart, Kevin Alejandro Roundy, Shang-Tse Chen, Christopher Gates
  • Patent number: 10255435
    Abstract: The disclosed computer-implemented method for establishing a reputation for related program files may include (1) identifying a set of related program files, where each program file includes one or more common metadata field values and the values of the metadata fields are set by a program development tool, (2) identifying one or more of the set of related program files as malicious, (3) determining that a proportion of malicious files in the set of related program files is above a threshold, and (4) in response to determining that the proportion of malicious files is above the threshold, associating a negative reputation with the metadata field values. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: February 18, 2016
    Date of Patent: April 9, 2019
    Assignee: Symantec Corporation
    Inventors: Vishal Kamble, Himanshu Dubey, Tausif Kazi
  • Patent number: 10257202
    Abstract: The disclosed computer-implemented method for logging users out of online accounts may include (i) receiving, from a first computing device of a user, a request from the user to log into an online account hosted by an online platform, (ii) establishing, between the online platform and a second computing device of the user, a network session that both (a) verifies the identity of the user to the online platform and (b) at least partially disrupts the functionality of the second computing device, (iii) logging the user into the online account via the first computing device, (iv) detecting a request from the user to log out of the online account, and then (v) in response to the request to log out of the online account, (a) restoring full functionality of the second computing device by terminating the network session and (b) logging the user out of the online account.
    Type: Grant
    Filed: August 12, 2016
    Date of Patent: April 9, 2019
    Assignee: Symantec Corporation
    Inventors: Kevin Jiang, Ilya Sokolov, Rickey Ray
  • Patent number: 10257229
    Abstract: The disclosed computer-implemented method for verifying users based on user motion may include (1) instructing a user of a mobile device to physically move in a prescribed manner, (2) receiving information, collected by one or more sensors associated with the mobile device, describing physical movement performed by the user after the user receives the instruction, (3) determining, upon receiving the information, that the user's physical movement matches the prescribed movement, and (4) verifying the user in response to determining that the user's physical movement matches the prescribed movement. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: May 17, 2016
    Date of Patent: April 9, 2019
    Assignee: Symantec Corporation
    Inventors: Chengi Kuo, Petrus J. Viljoen
  • Patent number: 10248787
    Abstract: The disclosed computer-implemented method for determining reputations of files may include (i) identifying, on an endpoint device, a loadpoint data entry created by a file installed on the endpoint device that directs an operating system of the endpoint device to execute the file during boot up operations of the endpoint device, (ii) determining a reputation of the loadpoint data entry, (iii) detecting, on an additional endpoint device, an attempt to install a suspicious file with a loadpoint data entry at least partially similar to the loadpoint data entry of the file installed on the endpoint device, (iv) determining a reputation of the suspicious file based on the reputation of the loadpoint data entry of the file installed on the endpoint device, and (v) protecting the additional endpoint device from security threats by performing a security action on the suspicious file based on the reputation of the suspicious file.
    Type: Grant
    Filed: December 20, 2016
    Date of Patent: April 2, 2019
    Assignee: Symantec Corporation
    Inventor: Sujit Magar
  • Patent number: 10248797
    Abstract: Systems and methods for Zero-day Data Loss Protection (DLP) having enhanced file upload processing are provided. One method may include capturing and sending file upload context (e.g. folder name, metadata, an active URL, etc.) associated with the scheduled file or folder upload to a DLP filesystem driver. For example, the method may include detecting whether a single/multi-file upload, a folder upload, or a drag-and-drop operation exists, through interception of the shell dialog API, the browse folder API, or the drop process interface, respectively. Further, the method may include generating a file upload cache including the file upload context, prior classification entries, and a timestamp indicating when the scheduled file or folder upload was last modified; such that, the DLP filesystem driver may intercept and process the file open call based upon the file upload cache. Accordingly, the file may be processed in accordance with a prior file classification, file/domain filter, or DLP policy.
    Type: Grant
    Filed: June 30, 2016
    Date of Patent: April 2, 2019
    Assignee: SYMANTEC CORPORATION
    Inventors: Ameet Shinde, Eftiquar Shaikh, Rupesh Khetawat, Jogesh Sharma, Amit Dhotre
  • Patent number: 10250588
    Abstract: The disclosed computer-implemented method for determining reputations of digital certificate signers may include (i) identifying a group of endpoint devices that have accessed files to which a digital certificate signer has attached digital certificates that assert the files are legitimate, (ii) determining, for each endpoint device, whether a security state of the endpoint device is compromised or uncompromised based on a security analysis of computing events detected on the endpoint device, (iii) classifying the digital certificate signer as potentially malicious by determining that the files were accessed more frequently by endpoint devices with compromised security states than by endpoint devices with uncompromised security states, and (iv) protecting a security state of an additional endpoint device by preventing the additional endpoint device from accessing a file with a digital certificate signed by the digital certificate signer.
    Type: Grant
    Filed: March 7, 2017
    Date of Patent: April 2, 2019
    Assignee: Symantec Corporation
    Inventors: Shayak Tarafdar, Sunil Kumar, Pratik Vagyani
  • Patent number: 10248769
    Abstract: The disclosed computer-implemented method for authenticating users on touchscreen devices may include (i) detecting that the computing device is at an authentication step that requires valid authentication input from a user in order to authenticate the user to a service on the computing device, (ii) detecting that the computing device is physically oriented such that a touchscreen of the computing device is facing away from the user of the computing device, (iii) receiving input from the user via the touchscreen, (iv) determining that the input from the user comprises a mirrored version of the valid authentication input that is flipped along a vertical axis relative to the touchscreen, and (v) authenticating the user to the service in response to determining that the input comprises the mirrored version of the valid authentication input. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: August 10, 2016
    Date of Patent: April 2, 2019
    Assignee: Symantec Corporation
    Inventors: Kevin Jiang, Ilya Sokolov
  • Patent number: 10250617
    Abstract: A computer-implemented method for detecting malware using machine learning may include (1) identifying data to be analyzed for malware, (2) classifying, using a classifier created by a combination of at least one deep learning neural network and at least one supervised data mining method, the data to be analyzed for malware, (3) determining, based on a predefined threshold, that the classification of the data indicates potential malware on the computing device, and (4) performing a security action based on the determination of potential malware on the computing device. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: November 22, 2015
    Date of Patent: April 2, 2019
    Assignee: Symantec Corporation
    Inventors: Andrew Gardner, Walter Bogorad, Jun Mao
  • Patent number: 10242187
    Abstract: The disclosed computer-implemented method for providing integrated security management may include (1) identifying a computing environment protected by security systems and monitored by a security management system that receives event signatures from the security systems, where a first security system uses a first event signature naming scheme that differs from a second event signature naming scheme used by a second security system, (2) observing a first event signature that originates from the first security system and uses the first event signature naming scheme, (3) determining that the first event signature is equivalent to a second event signature that uses the second event signature naming scheme, and (4) performing, in connection with observing the first event signature, a security action associated with the second event signature and directed to the computing environment. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 14, 2016
    Date of Patent: March 26, 2019
    Assignee: Symantec Corporation
    Inventors: Kevin Roundy, Matteo Dell'Amico, Chris Gates, Michael Hart, Stanislav Miskovic
  • Patent number: 10243977
    Abstract: Automatically detecting a malicious file using name mangling strings. In one embodiment, a method may include (a) identifying a file, (b) identifying name mangling strings in the file, (c) concatenating the name mangling strings together, (d) hashing the concatenated name mangling strings to generate a signature for the file, (e) clustering the file with other files with matching signatures into a cluster, (f) determining that any of the files in the cluster is malicious, (g) adding the signature to a list of signatures of files known to be malicious, (f) identifying a network device file stored on a network device, (g) repeating (b)-(d) on the network device file, (h) determining that the signature for the network device file matches any signature in the list of signatures of files known to be malicious, and (i) performing a security action on the malicious file on the network device.
    Type: Grant
    Filed: June 21, 2017
    Date of Patent: March 26, 2019
    Assignee: SYMANTEC CORPORATION
    Inventors: Srinivasan Govindarajan, Yuvaraj M, Swapan Kumar Ghosh
  • Patent number: 10242201
    Abstract: A computer-implemented method for predicting security incidents triggered by security software may include (i) collecting, by a computing device, telemetry data from a set of security products deployed by a set of client machines, (ii) identifying, by the computing device, a selected security product within the set of security products that is missing telemetry data for a target client machine, (iii) building a classifier, by the computing device using the telemetry data, that predicts information about security incidents triggered by the selected security product, (iv) determining, by the computing device and based on the classifier, that the selected security product triggers a new security incident on the target client machine, and (v) performing a security action, by the computing device, to secure the target client machine against the new security incident. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: October 13, 2016
    Date of Patent: March 26, 2019
    Assignee: Symantec Corporation
    Inventors: Shang-Tse Chen, Chris Gates, Yufei Han, Michael Hart, Kevin Roundy
  • Patent number: 10242318
    Abstract: According to one embodiment, a method for predicting the trustworthiness of a particular website comprising receiving information about a plurality of websites and constructing a hierarchy of groups from the received information, the hierarchy of groups comprising one or more tiers and each tier comprising one or more groups. The method further comprising receiving information about a particular website and predicting the trustworthiness of the particular website based on the hierarchy.
    Type: Grant
    Filed: September 1, 2016
    Date of Patent: March 26, 2019
    Assignee: SYMANTEC CORPORATION
    Inventors: Jonathan J. Dinerstein, Daniel Hardman, Christian E. Larsen