Patents Assigned to Symantec
-
Patent number: 10178122
Abstract: The disclosed computer-implemented method for disseminating location-based reputations for link-layer wireless attacks may include (i) receiving, at a server from a first wireless client, a wireless-attack report for a location that includes (a) information that indicates that the first wireless client detected a link-layer wireless attack (e.g., a wireless-access-point spoofing attack or a deauthentication attack) at the location or (b) information that indicates that the first wireless client did not detect any link-layer wireless attacks at the location, (ii) using, at the server, the wireless-attack report to generate a reputation for link-layer wireless attacks for the location, (iii) receiving, at the server from a second wireless client, a request for the reputation of the location, and (iv) responding to the request with the reputation of the location. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: August 12, 2016
Date of Patent: January 8, 2019
Assignee: Symantec Corporation
Inventors: Michael Shavell, Kevin Jiang
-
Patent number: 10176329
Abstract: The disclosed computer-implemented method for detecting unknown vulnerabilities in computing processes may include (1) monitoring a computing environment that facilitates execution of a computing process by logging telemetry data related to the computing process while the computing process is running within the computing environment, (2) determining that the computing process crashed while running within the computing environment, (3) searching the telemetry data for evidence of any vulnerabilities that potentially led the computing process to crash while running within the computing environment, (4) identifying, while searching the telemetry data, evidence of at least one vulnerability of the computing process that is not yet known to exist within the computing process and then in response to identifying the evidence of the computing process's vulnerability, (5) performing at least one security action to hinder any potentially malicious exploitation of the computing process's vulnerability.
Type: Grant
Filed: August 11, 2015
Date of Patent: January 8, 2019
Assignee: Symantec Corporation
Inventors: Joseph Chen, Rei Kristian Resurreccion
-
Patent number: 10178109
Abstract: Alerts generated by triggering signatures on endpoints are identified in samples of security telemetry. The sources of alerts are filtered. Alert tuples identifying multipart attacks are discovered. An iterative multi-pass search of alert types generated by filtered sources can be conducted. During each pass, groups of successively larger numbers of alert types generated by common sources are identified. A list of alert types can be sorted according to the number of filtered sources that generated each alert type, from most to least. Pairs of alert types with multiple common sources can be identified by traversing the sorted list of alert types. The sorted list can be iteratively traversed, identifying successive additional alert types to add to previously identified groupings, which are used as seed groups for successive identifications. Only the portion of the sorted list appearing after the last added alert type need be examined for successive identifications.
Type: Grant
Filed: March 31, 2016
Date of Patent: January 8, 2019
Assignee: Symantec Corporation
Inventor: Stanislav Miskovic
-
Patent number: 10169577
Abstract: The disclosed computer-implemented method for detecting modification attacks on shared physical memory may include (i) identifying a page frame of physical memory that is shared by a plurality of virtual machines, (ii) calculating a first checksum for the page frame, (iii) calculating, while the page frame is shared by the plurality of virtual machines and before any of the plurality of virtual machines writes to a page of virtual memory that is mapped to the page frame, a second checksum for the page frame, (iv) detecting a modification attack (such as a rowhammer attack) on the page frame by one of the plurality of virtual machines by detecting that the first checksum does not equal the second checksum, and (v) performing a security action in response to detecting the modification attack. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: March 28, 2017
Date of Patent: January 1, 2019
Assignee: Symantec Corporation
Inventors: William E. Sobel, Bruce McCorkendale
-
Patent number: 10169575
Abstract: A computer-implemented method for preventing internal network attacks may include 1) identifying a host system that is within a subnet of a network, 2) detecting an intrusion on the host system, the intrusion on the host system being capable of facilitating an attack via the host system on at least one additional system of the network, 3) identifying at least one additional host system within the subnet of the network, and 4) implementing a security measure on the additional host system to prevent the attack based at least in part on detecting the intrusion and at least in part on the host system and additional host system being within the subnet. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: March 14, 2012
Date of Patent: January 1, 2019
Assignee: Symantec Corporation
Inventor: Alexander Lototskiy
-
Patent number: 10169584
Abstract: The disclosed computer-implemented method for identifying non-malicious files on computing devices within organizations may include (1) identifying a file on at least one computing device within multiple computing devices managed by an organization, (2) identifying a source of the file based on examining a relationship between the file and the organization, (3) determining that the source of the file is trusted within the organization, and then (4) concluding, based on the source of the file being trusted within the organization, that the file is not malicious. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: June 25, 2015
Date of Patent: January 1, 2019
Assignee: Symantec Corporation
Inventors: Kevin Roundy, Sandeep Bhatkar, Aleatha Parker-Wood, Yin Liu, Anand Kashyap, Leylya Yumer, Christopher Gates
-
Patent number: 10171483
Abstract: An intrusion device identifies network data to be sent to a destination endpoint and determines a sensitivity level of the destination endpoint based on asset valuation. The intrusion device identifies a subset of signatures that corresponds to the sensitivity level of the destination endpoint and determines whether the network data includes an intrusion based on the subset of signatures.
Type: Grant
Filed: August 23, 2013
Date of Patent: January 1, 2019
Assignee: Symantec Corporation
Inventor: Deb Banerjee
-
Patent number: 10162962
Abstract: The disclosed computer-implemented method for detecting credential theft may include (i) monitoring a secured computing system's credential store that may include at least one sensitive credential that may be used to facilitate authentication of a user that is attempting to access the secured computing system, (ii) gathering, while monitoring the credential store, primary evidence of an attempted theft of the sensitive credential from the credential store, (iii) gathering corroborating evidence of the attempted theft of the sensitive credential, and (iv) performing a security action in response to gathering the primary evidence and the corroborating evidence of the attempted theft. The primary evidence of the attempted theft of the sensitive credential may include evidence of any suspicious access of the sensitive credential from the credential store that occurs outside of a procedure of authenticating the user. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: September 14, 2016
Date of Patent: December 25, 2018
Assignee: Symantec Corporation
Inventors: Adam Glick, Brian Schlatter, Feng Li, Akshata Krishnamoorthy Rao
-
Patent number: 10158662
Abstract: The present disclosure relates to scanning for security threats on a lightweight computing device. An example method generally includes receiving, from a mobile device, a software package including a lightweight computing device security application. A lightweight device transmits, to the mobile device, information identifying at least a first application installed on the lightweight computing device. In response, the lightweight device receives, from the mobile device, information identifying the first application as being a known security threat and remediates a security threat posed by the identified application.
Type: Grant
Filed: August 19, 2016
Date of Patent: December 18, 2018
Assignee: Symantec Corporation
Inventors: Jonathon Salehpour, Somard Kruayatidee
-
Patent number: 10157290
Abstract: The disclosed computer-implemented method for encrypting files may include (i) detecting an event within a network that triggers an encryption of a file on the network, (ii) performing, in response to detecting the event, both encrypting the file to a file encryption key and encrypting the file encryption key to a public key of a source of the file, (iii) receiving, from a client, a file access request that includes the encrypted file encryption key, and (iv) transmitting, in response to determining that the client is authorized to access the file, a re-encrypted file encryption key to the client to enable the client to access the file. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: October 11, 2017
Date of Patent: December 18, 2018
Assignee: Symantec Corporation
Inventors: Nikhil Sinha, Earle Lowe, Sumit Sarin, Sumesh Jaiswal
-
Patent number: 10152197
Abstract: The systems and methods described herein relate to mobile devices. More specifically, the systems and methods described herein relate to dynamically altering a stating of an application on a mobile device. Mobile devices may have several applications installed thereon. In some instances, the applications may not be available. The application icon may be dynamically altered to indicate a status of the application.
Type: Grant
Filed: February 2, 2015
Date of Patent: December 11, 2018
Assignee: Symantec Corporation
Inventor: Yong Ling Xue
-
Patent number: 10154136
Abstract: Systems, apparatuses, methods, and computer readable mediums for implementing a flexible call blocking scheme using validated identities and selected attribute sharing. A user may undergo an identity verification process to generate one or more signed attributes associated with the user. When the user initiates a phone call, the user may select which attributes to expose to the callee. In one embodiment, the user's device may prevent the user's phone number from being exposed to the callee. The selected attributes may be sent to the callee, and then the device of the callee may compare the selected attributes to preconfigured rules. If the preconfigured rules indicate the selected attributes of the caller meet one or more criteria, then the call may be allowed to ring the device of the callee. Otherwise, the call may be blocked.
Type: Grant
Filed: March 22, 2016
Date of Patent: December 11, 2018
Assignee: Symantec Corporation
Inventors: Keith Newstadt, Ilya Sokolov
-
Patent number: 10152530
Abstract: A control point module may receive information associated with a plurality of users accessing a plurality of files. Each of the files may be stored in a folder of the plurality of folders. Users who have accessed one or more files stored in a folder may be assigned to each corresponding folder. Users who have been assigned to each folder of a plurality of pairs of the folders may be compared to identify one or more differences of assigned users between each folder of each pair of the folders. Furthermore, a recommended control point may be determined based on the identified one or more differences of the assigned users.
Type: Grant
Filed: July 23, 2014
Date of Patent: December 11, 2018
Assignee: Symantec Corporation
Inventors: Michael Andrew Hart, Anantharaman Ganesh
-
Patent number: 10148688
Abstract: The disclosed computer-implemented method for detecting illegitimate devices on wireless networks may include (1) identifying an initial set of hops that represent devices on a wireless network that relay network traffic between the computing device and a destination, (2) identifying, after identifying the initial set of hops, a new set of hops that relay the network traffic between the computing device and the destination, (3) comparing the initial set of hops to the new set of hops, and (4) determining, based on the comparison, that the new set of hops comprises an abnormality that indicates an illegitimate device is intercepting the network traffic on the wireless network between the computing device and the destination. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: February 9, 2015
Date of Patent: December 4, 2018
Assignee: Symantec Corporation
Inventors: Michael Shavell, Matt Boucher, Christopher Robichaud
-
Patent number: 10148631
Abstract: The disclosed computer-implemented method for preventing session hijacking may include (1) determining that a user is attempting to complete at least a portion of an authentication session on a first computing system, (2) using input from one or more input devices of the first computing system to obtain environmental context associated with the user's attempt to complete the authentication session, (3) preventing the authentication session from authenticating the user while using the environmental context to determine whether the authentication session is valid, where using the environmental context to determine whether the authentication session is valid includes (a) transmitting the environmental context to a second computing system and (b) requesting an indication of whether, based on an evaluation of the environmental context at the second computing system, the authentication session is valid. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: September 29, 2015
Date of Patent: December 4, 2018
Assignee: Symantec Corporation
Inventors: Ilya Sokolov, Kevin Jiang
-
Patent number: 10148694
Abstract: Techniques are disclosed for performing data loss prevention (DLP) by monitoring file system activity of an application having a network connection. A DLP agent tracks file system activity (e.g., file open and read operations) being initiated by the application. The DLP agent intercepts the file system activity and evaluates a file specified by the file system operation to determine whether the file includes sensitive data. If so determined, the DLP agent prevents the sensitive data from being transmitted (e.g., by blocking the file system activity, redacting the sensitive data from the file, etc.).
Type: Grant
Filed: October 1, 2015
Date of Patent: December 4, 2018
Assignee: SYMANTEC CORPORATION
Inventors: Sumit Manmohan Sarin, Sumesh Jaiswal, Bishnu Chaturvedi, Arnaud Scomparin
-
Patent number: 10148690
Abstract: A system and method for detecting malicious hijack events in real-time is provided. The method may include receiving routing data associated with a Border Gateway Protocol (BGP) event from at least one BGP router. The method may further include generating a hijack detection model using a machine learning technique, such as Positive Unlabeled learning. The machine learning technique may include at least one data input and a probability output; wherein, the data input couples to receive a set of historically confirmed BGP hijacking data and the routing data, while the probability output transmits a probability value for the malicious event which may be calculated based upon the data input. Finally, the method may include classifying the BGP event as a malicious event or a benign event using the BGP hijack model and correcting routing tables that have been corrupted by a malicious event.
Type: Grant
Filed: December 21, 2015
Date of Patent: December 4, 2018
Assignee: SYMANTEC CORPORATION
Inventors: Yun Shen, Yufei Han, Pierre-Antoine Vervier
-
Patent number: 10146740
Abstract: A computer implemented method is provided for processing sparse data. A sparse data set is received. A modified sparse data set is calculated by replacing all nonzero values in the sparse data set with a common positive integer. The modified sparse data set is transposed to create a transposed data set. A covariance matrix is calculated by multiplying the transposed data set by the modified sparse data set. A tree of a predefined depth is generated by assigning columns of the sparse data set to right and left nodes based on co-occurrence with a first anchor column and a second anchor column. The first anchor column and the second anchor column are determined based on the covariance matrix.
Type: Grant
Filed: March 8, 2017
Date of Patent: December 4, 2018
Assignee: Symantec Corporation
Inventors: Nikolaos Vasiloglou, Andrew B. Gardner
-
Patent number: 10146893
Abstract: A computer-implemented method for evaluating electronic control units within vehicle emulations may include (1) connecting an actual electronic control unit for a vehicle to a vehicle bus that emulates network traffic rather than actual network traffic generated by operation of the vehicle, (2) manipulating input to the actual electronic control unit to test how safely the actual electronic control unit and the emulated electronic control unit respond to the manipulated input, (3) detecting an output from the actual electronic control unit that indicates a response, from the actual electronic control unit, to manipulating the input, and (4) evaluating a safety level of at least one of the actual electronic control unit and the emulated electronic control unit based on detecting the output from the actual electronic control unit. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: March 27, 2015
Date of Patent: December 4, 2018
Assignee: Symantec Corporation
Inventors: Nathan Evans, Azzedine Benameur, Yun Shen
-
Systems and methods for restarting computing devices into security-application-configured safe modes
Patent number: 10140454
Abstract: The disclosed computer-implemented method for restarting computing devices into security-application-configured safe modes may include (1) configuring a security application to recognize a predetermined signal received via a predetermined hardware device that indicates that a user wants to restart the computing device into a security-application-configured safe mode that prevents suspicious applications from loading, (2) detecting the predetermined signal via an instance of the predetermined hardware device that is connected to the computing device, (3) setting, in response to detecting the predetermined signal, a registry key on the computing device that will instruct the computing device to boot into the security-application-configured safe mode during a restart sequence, and (4) restarting the computing device in the security-application-configured safe mode in response to detecting the registry key during the restart sequence. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: September 29, 2015
Date of Patent: November 27, 2018
Assignee: Symantec Corporation
Inventors: Robert Spath, David Kane, Wilson Meng, Sonia Subramanian