Patents Assigned to Symantec
-
Patent number: 9805192
Abstract: A computer-implemented method for file classification may include (1) identifying, by a computer security system, a cluster of files that co-occur with each other according to a statistical analysis, (2) identifying ground truth files to which the computer security system has previously assigned a security score, (3) determining that a file in the cluster of files shares an item of file metadata with another file in the ground truth files, (4) assigning a security score to the file in the cluster of files based on a security score of the other file in the ground truth files that shares the item of file metadata, and (5) assigning an overall security score to the entire cluster of files based on the security score assigned to the file in the cluster. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: June 26, 2015
Date of Patent: October 31, 2017
Assignee: Symantec Corporation
Inventors: Christopher Gates, Kevin Roundy
-
Patent number: 9805115
Abstract: A computer-implemented method for updating generic file-classification definitions may include (1) identifying at least one generic file-classification definition deployed in a software product installed on a client device, (2) classifying at least one data sample encountered by the client device based at least in part on the generic file-classification definition, (3) querying at least one verification server in an attempt to verify the correctness of the classification of the data sample, (4) determining that the classification of the data sample is incorrect based at least in part on the query, and then (5) modifying the generic file-classification definition deployed in the software product based at least in part on the data sample. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: March 13, 2014
Date of Patent: October 31, 2017
Assignee: Symantec Corporation
Inventor: Sourabh Satish
-
Patent number: 9807111
Abstract: The disclosed computer-implemented method for detecting advertisements displayed to users via user interfaces may include (1) monitoring, via an accessibility API provided by an operating system of the computing device, accessibility events that indicate state transitions in user interfaces of applications running on the computing device, (2) determining, based on an analysis of at least one accessibility event, that an advertisement is being displayed to a user within a user interface of an application running on the computing device, and (3) in response to determining that the advertisement is being displayed, performing at least one action to prevent the advertisement from interfering with interactions between the user and the application. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: July 29, 2015
Date of Patent: October 31, 2017
Assignee: Symantec Corporation
Inventor: Christopher Woodward
-
Patent number: 9807094
Abstract: The disclosed computer-implemented method for dynamic access control over shared resources may include (1) detecting an attempt by a user to access a resource via a computing environment, (2) identifying a risk level of the user attempting to access the resource, (3) identifying a sensitivity level of the resource, (4) identifying a risk level of the computing environment through which the user is attempting to access the resource, (5) determining an overall risk level for the attempt to access the resource based at least in part on (A) the risk level of the user, (B) the sensitivity level of the resource, and (C) the risk level of the computing environment, and then (6) determining, based at least in part on the overall risk level, whether to grant the user access to the resource via the computing environment. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: June 25, 2015
Date of Patent: October 31, 2017
Assignee: Symantec Corporation
Inventors: Yin Liu, Sandeep Bhatkar, Kevin Roundy, Leylya Yumer, Anand Kashyap, Aleatha Parker-Wood, Christopher Gates
-
Patent number: 9805204
Abstract: The disclosed computer-implemented method for determining that files found on client devices comprise sensitive information may include (1) maintaining, on a server, a set of representations of files that have been classified as sensitive according to a data loss prevention policy, (2) receiving, from a client device, a message that includes a representation of a file on the client device, (3) determining that the representation of the file on the client device matches the representation of a sensitive file from the set of representations of files, (4) concluding, based on the representation of the file on the client device matching the representation of the sensitive file, that the file on the client device includes sensitive information, and (5) performing a security action in response to concluding that the file on the client device includes the sensitive information. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: August 25, 2015
Date of Patent: October 31, 2017
Assignee: Symantec Corporation
Inventor: Carey S. Nachenberg
-
Patent number: 9805218
Abstract: Techniques describe preventing sensitive data from being misappropriated during a clipboard operation. A copy operation for data being copied to a clipboard is intercepted. Information describing a first application from which the data was copied is retrieved. The data and the information is stored into the clipboard. A paste operation is evaluated based on the data and the information is evaluated against a policy to determine whether the paste operation should be blocked.
Type: Grant
Filed: April 15, 2015
Date of Patent: October 31, 2017
Assignee: Symantec Corporation
Inventors: Sumit Manmohan Sarin, Sumant Modak, Amit Shinde, Bishnu Chaturvedi
-
Patent number: 9807121
Abstract: An apparatus includes a processor and a memory storing instructions executed by the processor to receive a first communication session using a first key, where the first communication session is between a client and a server. A second communication session is initiated using a second key, where the second communication session is between the apparatus and the server. An active communication session is negotiated between the client and the server using the first key and the second key. The active communication session is decrypted using the first key and the second key. The active communication session is re-encrypted using a third key to form re-encrypted data.
Type: Grant
Filed: November 25, 2014
Date of Patent: October 31, 2017
Assignee: Symantec Corporation
Inventors: Joseph H. Levy, David Wells, Paul Kraus
-
Patent number: 9800610
Abstract: The disclosed computer-implemented method for defeating relay attacks may include (1) buffering, in a memory buffer, an encoded signal that has been sent to a remote device, (2) detecting, within a time interval of the encoded signal being sent, a second signal that corresponds to the encoded signal, (3) determining that a strength of the second signal is above a predetermined threshold, (4) determining, based on the strength of the second signal being above the predetermined threshold, that the second signal represents a relay attack, and (5) initiating a security action to defeat the relay attack. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: September 11, 2015
Date of Patent: October 24, 2017
Assignee: Symantec Corporation
Inventor: Jin Lu
-
Patent number: 9800588
Abstract: A current selection of previously identified malicious files is identified. The selection includes identified malicious files in multiple formats that are tested by a malware analysis environment. Each specific malicious file is opened multiple times, using multiple versions of one or more corresponding program(s). The behavior of each malicious file is analyzed as it is opened with each version of the corresponding program(s). Based on observed behavior of malicious files as they are opened, the exploitability of each version of each program is determined and ranked. The malware analysis environment uses a specific number of versions of each program to test submitted files for maliciousness, in order from more exploitable to less so, based on the ranking. The specific number of versions of a given program to use is generally less than the total available number of versions, thereby reducing the time and computing resources spent per file.
Type: Grant
Filed: December 16, 2015
Date of Patent: October 24, 2017
Assignee: Symantec Corporation
Inventors: Andrew Collingwood Watson, Abubakar A Wawda
-
Patent number: 9800560
Abstract: The disclosed computer-implemented method for monitoring encrypted data transmission may include (1) detecting a data transmission session between an application running on a first device and an application running on a second device, (2) identifying a shared library loaded by the application running on the first device to establish encryption for the data transmission session, (3) retrieving, from the shared library, a symmetric session key designated for the data transmission session, (4) intercepting data transmitted during the data transmission session, the data having been encrypted using the symmetric session key, and (5) decrypting the data utilizing the symmetric session key retrieved from the shared library. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: April 23, 2015
Date of Patent: October 24, 2017
Assignee: Symantec Corporation
Inventors: Fanglu Guo, Susanta K. Nanda
-
Patent number: 9798878
Abstract: The disclosed computer-implemented method for detecting text display manipulation attacks may include (1) extracting a file name from a file that is under evaluation for malicious content, (2) inspecting, by a software security system, the file name for at least one control character that manipulates how the file name is displayed, (3) determining, based on inspecting the file name, that the file name includes the control character that manipulates how the file name is displayed, and (4) performing, by the software security system, a security action based at least in part on the determination that the file name includes the control character. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: March 31, 2015
Date of Patent: October 24, 2017
Assignee: Symantec Corporation
Inventors: Sean M. Hittel, Torrey Umland
-
Patent number: 9800608
Abstract: An apparatus and method to distribute applications and services in and throughout a network and to secure the network includes the functionality of a switch with the ability to apply applications and services to received data according to respective subscriber profiles. Front-end processors, or Network Processor Modules (NPMs), receive and recognize data flows from subscribers, extract profile information for the respective subscribers, utilize flow scheduling techniques to forward the data to applications processors, or Flow Processor Modules (FPMs). The FPMs utilize resident applications to process data received from the NPMs. A Control Processor Module (CPM) facilitates applications processing and maintains connections to the NPMs, FPMs, local and remote storage devices, and a Management Server (MS) module that can monitor the health and maintenance of the various modules.
Type: Grant
Filed: December 31, 2010
Date of Patent: October 24, 2017
Assignee: Symantec Corporation
Inventors: Yevgeny Korsunsky, Moisey Akerman
-
Patent number: 9800606
Abstract: A computer-implemented method for evaluating network security may include (1) receiving, by a security server, a request to report a network risk score for an organization based on telemetry data describing file downloads at computers managed by the organization over a specified period of time, (2) identifying the telemetry data describing file downloads at the computers managed by the organization over the specified period of time, (3) searching the telemetry data to match file downloads over the specified period of time to at least one file that was previously categorized, prior to the request, as a hacking tool, (4) calculating the network risk score based on the telemetry data, and (5) reporting, automatically by the security server in response to the request, the calculated network risk score. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: November 25, 2015
Date of Patent: October 24, 2017
Assignee: Symantec Corporation
Inventor: Leylya Yumer
-
Patent number: 9800590
Abstract: The disclosed computer-implemented method for threat detection using a software program update profile may include (1) building an update behavioral model that identifies legitimate update behavior for a software application by (a) monitoring client devices for update events associated with the software application and (b) analyzing the update events to identify the legitimate update behavior of the software application, (2) using the update behavioral model to identify suspicious behavior on a computing system by (a) detecting an update instance on the computing system, (b) comparing the update instance with the legitimate update behavior identified in the update behavioral model, and (c) determining, based on the comparison of the update instance with the legitimate update behavior, that the update instance is suspicious, and (3) in response to determining that the update instance is suspicious, performing a security action. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: June 25, 2015
Date of Patent: October 24, 2017
Assignee: Symantec Corporation
Inventors: Christopher Gates, Kevin Roundy, Sandeep Bhatkar, Anand Kashyap, Yin Liu, Aleatha Parker-Wood, Leylya Yumer
-
Patent number: 9798876
Abstract: A computer-implemented method for creating security profiles may include (1) identifying, within a computing environment, a new actor as a target for creating a new security behavior profile that defines expected behavior for the new actor, (2) identifying a weighted graph that connects the new actor as a node to other actors, (3) creating, by analyzing the weighted graph, the new security behavior profile based on the new actor's specific position within the weighted graph, (4) detecting a security anomaly by comparing actual behavior of the new actor within the computing environment with the new security behavior profile that defines expected behavior for the new actor, and (5) performing, by a computer security system, a remedial action in response to detecting the security anomaly. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: August 19, 2015
Date of Patent: October 24, 2017
Assignee: Symantec Corporation
Inventors: Aleatha Parker-Wood, Anand Kashyap, Christopher Gates, Kevin Roundy, Leylya Yumer, Sandeep Bhatkar, Yin Liu
-
Patent number: 9794290
Abstract: The efficacy of security products and practices is quantified, based on monitored activities and conditions on multiple computers over time. A set of metrics is defined, specifying what criteria concerning computer security systems are to be quantified. Telemetry data concerning the defined metrics are collected from multiple computers, such as the customer base of a security product vendor. Security configuration information such as the deployments and settings of security systems on computing devices is monitored. This monitored information tracks what security products are deployed on which machines, and how these products are configured and used. Collected telemetry is correlated with monitored configuration information, enabling determination of what security product deployments and settings are in place when specific security incidents, operations and other types of actions occur.
Type: Grant
Filed: April 17, 2015
Date of Patent: October 17, 2017
Assignee: Symantec Corporation
Inventors: Amit Mital, Carey S Nachenberg, Petros Efstathopoulos
-
Patent number: 9794248
Abstract: A method for managing payment of digital certificates includes receiving a request to issue a digital certificate to a subscriber, capturing and saving payment information of the subscriber, performing a first authentication and verification of the subscriber at a first time, and performing at least one additional authentication and verification of the subscriber at least once every authentication period. A long-lived certificate is issued to the subscriber provided the subscriber is authenticated and verified. The long-lived certificate is valid for an expiration period. However, the long-lived certificate is revoked if (1) the additional authentications and verification produce invalid results, or (2) if payment is not received during a payment period. The authentication period is shorter than the expiration period and there are at least a first and a second authentication period within the expiration period. The expiration period is longer than the authentication period.
Type: Grant
Filed: December 23, 2009
Date of Patent: October 17, 2017
Assignee: Symantec Corporation
Inventors: Quentin Liu, Kathleen Elizabeth Barnes, Richard F. Andrews
-
Patent number: 9794744
Abstract: A system and method for efficiently establishing secure mobile device communication for location-aware applications. A beacon device broadcasts encrypted packets. Each of the packets includes an indication of a respective time of broadcast. A mobile computing device, such as a smartphone, receives a packet that is broadcast from the beacon device. The mobile computing device determines the packet corresponds to a particular location-aware application and sends the packet to a server. The server determines an expected latency for the received packet based at least in part on crowdsourcing, which includes latencies of other packets sent from the same location. If the server determines the latency of the received packet is not within an expected range, the server considers the packet to be invalid.
Type: Grant
Filed: December 17, 2015
Date of Patent: October 17, 2017
Assignee: Symantec Corporation
Inventors: Lei Gu, Ilya Sokolov
-
Patent number: 9792440
Abstract: A method for a secure boot of a vehicular system is provided. The method includes performing a security self-verification on a first electronic control unit (ECU) of a vehicular system and sending a security challenge to a second electronic control unit of the vehicular system. The method includes verifying a security response from the second electronic control unit, the security response relating to the security challenge and indicating an aspect of contents of memory of the second electronic control unit. The performing the security self-verification and verifying the security response establishes a chain of trust that includes the first electronic control unit and the second electronic control unit.
Type: Grant
Filed: September 2, 2014
Date of Patent: October 17, 2017
Assignee: Symantec Corporation
Inventor: Qiyan Wang
-
Patent number: 9794127
Abstract: Control and management of bandwidth at networks remote from the physical bandwidth management infrastructure. Particular implementations allow network equipment at a plurality of data centers, for example, to manage network traffic at remote branch office networks without deployment of network devices at the remote branch office networks.
Type: Grant
Filed: June 10, 2016
Date of Patent: October 17, 2017
Assignee: Symantec Corporation
Inventor: Guy Riddle