Abstract: A method for determining a likelihood of fraud associated with an input identity record is disclosed herein. The disclosed method contemplates determining characteristics of the input identity record by examining content of one or more fields of the input identity record. Historical identity records related to the input identity record may then be retrieved so as to define a set of linked identity records. The method further includes computing one or more network-based features of the set of linked identity records. A fraud score may then be generated based upon the characteristics of the input identity record and the one or more network-based features.

Abstract: A NAT system is identified as operating in conjunction with a specific IP address, in response to a threshold number of different authenticated computing devices making requests to the web service from the specific IP address during a given time period. The total number of computing devices operating from behind the identified NAT system is estimated, based on how many separate authenticated computing devices make requests to the web service from the IP address during the period of time. When a NAT system is identified, one or more additional action(s) are taken to manage the processing of traffic originating from the specific IP address, taking into account that multiple computing devices are operating behind the identified NAT system. An example action is rate limiting.

Abstract: Introduced here are techniques for modeling networks in a discrete manner. More specifically, various embodiments concern a virtual machine that collects data regarding a network and applies algorithms to the data to discover network elements, which can be used to discover the topology of the network and model the network. The algorithms applied by the virtual machine may also recognize patterns within the data corresponding to naming schemes, subnet structures, application logic, etc. In some embodiments, the algorithms employ artificial intelligence techniques in order to more promptly respond to changes in the data. The virtual machine may only have read-only access to certain objects residing within the network. For example, the virtual machine may be able to examine information hosted by a directory server, but the virtual machine may not be able to effect any changes to the information.

Abstract: A computer-implemented method for enforcing data loss prevention (DLP) policies during web conferences may include (i) detecting, by a computing device, an attempt by a presenter to initiate a web conference, (ii) determining that at least one item of content that a participant of the web conference attempts to share during the web conference contains sensitive data, (iii) identifying a DLP policy associated with the sensitive data, and (iv) securing the web conference against unauthorized dissemination of the sensitive data by enforcing the DLP policy on at least one participant machine participating in the web conference. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Systems and methods for dynamic guided obfuscation pattern generation for preventing smudge attacks on touch screen devices are provided. One method may include receiving a user access pattern associated with a matrix displayed on the user interface; wherein, the system generates an obfuscation pattern based upon the user access pattern. For example, the system may generate edges of the obfuscation pattern by determining potential lines that may be drawn from the first and last points of the user access pattern, which are non-repeating and non-overlapping with any edges of the user access pattern and any edges of the obfuscation pattern. The system may iteratively generate edges until a predetermined number of edges are generated or no more edges can be drawn meeting the requirement. Further, the system may display the obfuscation pattern in a point by point or edge by edge fashion on the user interface, enabling the user to draw the new pattern that disguises the user's original access pattern.

Abstract: A computer-implemented method for dynamically varying web application firewall security processes based on cache hit results may include (i) identifying, at a computing device, a request directed to a web application resource protected by the computing device, (ii) determining, in response to identifying the request, whether a response to the request will be served from a cache stored on the computing device, (iii) determining, based at least in part on whether the response to the request will be served from the cache, a level of security processing to apply to the request, and (iv) applying the determined level of security processing to the request. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The present disclosure relates to executing software within an execution safety container. An example method generally includes detecting that a memory address referenced by a stack pointer has changed from a first memory address to a second memory address. An execution safety container compares the referenced memory address to a memory address range associated with an application, and upon determining that the referenced memory address is not within the memory address range associated with the application, takes one or more actions to avoid occurrences of unhandled exceptions caused by the referenced memory address being outside of a memory address range associated with an application.

Abstract: Mitigating malicious actions associated with graphical user interface elements may be performed by a computing device. A user interface element is monitored in a graphical user interface environment executing on the computing device. An association between the user interface element and a malicious action is determined. Access to the user interface element is blocked to prevent the malicious action.

Abstract: The disclosed computer-implemented method for classifying files as specific types of malware may include (i) identifying an unknown file on a computing device, (ii) performing an analysis of the unknown file by applying, to the unknown file, a machine-learning heuristic that employs at least one decision tree, (iii) classifying the unknown file as malicious based on the analysis, and (iv) after classifying the unknown file as malicious, using the same decision tree employed by the machine-learning heuristic to sub-classify the unknown file by (a) identifying at least one leaf node of the decision tree arrived at by the analysis performed by the machine-learning heuristic on the unknown file, (b) determining that the leaf node of the decision tree is associated with a particular type of malicious file, and (c) sub-classifying the unknown file as the particular type of malicious file. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Techniques for data loss prevention in an image-specific domain using image data identifiers and validators are described. According to some embodiments, a method may include defining an image data identifier and a data identifier validator, the image data identifier specifying one or more prohibited object types, and the data identifier validator specifying one or more prohibited object sub-types. The method may include receiving an image, identifying one or more objects in the image based on attributes of the one or more objects, determining an object type of a first object of the one or more objects, and determining whether the object type of the first object matches at least one of the one or more prohibited object types.

Abstract: The disclosed computer-implemented method for evaluating wireless network connection security may include (i) detecting a wireless network connection from an Internet-of-Things device through sniffing, (ii) automatically selecting the wireless network connection as the wireless network connection to be evaluated in an analysis of network connection security, (iii) performing, in response to the automatic selecting of the wireless network connection as the wireless network connection to be evaluated, the analysis of network connection security to determine whether the wireless network connection is secure, and (iv) automatically reporting, through a physical output of the computing device and in response to performing the analysis of network connection security, a result of the analysis of network connection security to inform a user about the safety of the Internet-of-Things device. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Latency of DLP policy application during file transfer operations is decreased, by front loading the extraction of file content. The potential extraction latencies of files are quantified based on attributes such as size and/or type. Files with potential extraction latencies that meet a given threshold are identified for pre-transfer content extraction, and their content is extracted and stored. An index of the stored extracted content is maintained, tracking all files from which content has been extracted, according to factors such as size and checksum. When a specific file in the filesystem is transferred, it is determined whether its content has already been extracted, for example by matching the file size and checksum against those for which extracted content has been stored. Responsive to determining that content of the specific file has already been extracted and stored, the stored content is utilized when applying DLP, thereby greatly increasing performance.

Abstract: The present disclosure provides methods for an endpoint ranking system that can take endpoint importance, symptom importance, and symptom timing into account when determining endpoint hygiene scores for endpoints in a network. A list of endpoints that is ranked or sorted according to hygiene score can by dynamically generated and can change over time due to the manner in which symptom timing is taken into account. The list can also evolve as parameters for endpoint importance and system importance are modified. An endpoint-importance weight can be assigned to each endpoint to bias hygiene scores according to endpoint importance. Symptom-importance weights and decay rates can also be assigned to symptom types to further bias hygiene scores.

Abstract: The disclosed computer-implemented method for selecting questions for knowledge-based authentication based on social entropy may include (1) identifying a potential question to ask a user of a computing system during a KBA process in an attempt to verify the user's identity, (2) determining whether any information suggestive of a correct answer to the potential question is available to anyone other than the user of the computing system, (3) calculating a social entropy of the potential question based at least in part on the determination of whether any information suggestive of the correct answer is available to anyone other than the user, and then (4) selecting the potential question to be asked to the user during the KBA process based at least in part on the social entropy of the potential question. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Sensitive information displayed on a screen is protected against leakage and loss. A section of a bitmap containing sensitive information is defined as a protection region. A protection marker identifying the protection region is embedded into the bitmap. The defined protection region is divided into multiple sub-regions, and a separate sub-region protection marker is embedded in each sub-region of the original protection region. The defining, embedding and dividing are performed before the bitmap is copied to the screen buffer. When content that was displayed on the screen has been captured, for example by screen capturing software, the captured content is parsed. All sub-region protection markers embedded in the captured content are detected, and a real protection region in the captured content is calculated, based on information in the detected sub-region protection markers. The sensitive information in the captured content is erased.

Abstract: A method for preventing malware is described. The method may include identifying a malicious application running on a first computing device, determining that the malicious application is installed on a second computing device based on the identifying, and performing a single operation including uninstalling the malicious application from the first computing device and the second computing device.

Abstract: The disclosed computer-implemented method for efficiently matching files may include (i) analyzing a file to identify a set of functions within the file and relationships between functions within the set of functions, (ii) creating a set of representations for the set of functions by, for each function, combining a representation of a size of the function with a representation of a size of each function identified, when analyzing the file, as having a relationship to the function, (iii) comparing the set of representations of the set of functions with a set of representations of an additional set of functions identified within an additional file, and (iv) determining, based on comparing the sets of representations, that the file matches the additional file. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Techniques for in-line filtering of insecure or unwanted mobile components or communications (e.g., insecure or unwanted behaviors associated with applications for mobile devices (“apps”), updates for apps, communications to/from apps, operating system components/updates for mobile devices, etc.) for mobile devices are disclosed. In some embodiments, in-line filtering of apps for mobile devices includes intercepting a request for downloading an application to a mobile device; and modifying a response to the request for downloading the application to the mobile device. In some embodiments, the response includes a notification that the application cannot be downloaded due to an application risk policy violation.

Abstract: The disclosed computer-implemented method for detecting low-density training regions of machine-learning classification systems may include (i) receiving a training dataset that is used to train a classifier of a machine-learning classification system, (ii) calculating a density estimate of a distribution of the training dataset, (iii) receiving a sample that is to be classified by the classifier, (iv) using the density estimate to determine that the sample falls within a low-density region of the distribution of the training dataset, and (v) performing a security action in response to determining that the sample falls within the low-density region. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Structured text and pattern matching may be performed for data loss prevention in object-specific image domain. According to some embodiments, a method may include receiving an image, identifying one or more objects in the image based on attributes of the one or more objects, and determining an object type of a first object of the one or more objects by a computing device. The method may include identifying, by the computing device, one or more specific regions of the first object for recognition based on the object type of the first object and recognizing text in the one or more specific regions of the first object. In some embodiments, the method may then include providing, by the computing device, the text recognized in the one or more specific regions of the first object to a security engine, wherein the security engine may be configured to evaluate whether the text comprises sensitive information.