Abstract: Techniques are presented for detecting malware in an executable. The method includes receiving an executable to evaluate for malware, emulating an execution of the executable up to a first count of instructions, determining a number of cache misses that occur while emulating the executable up to the first count of instructions, comparing the number of cache misses to a threshold, and upon determining the number of cache misses exceeds the threshold, identifying the executable as potentially containing malware.

Abstract: Method, apparatus, and computer readable medium for detecting malware on a target computer system is described. A threat profile is obtained at the target computer, the threat profile having manifestation information for known malware, the manifestation information including effects of the known malware on computer systems infected by the known malware. Using the threat profile, at least a portion of the manifestation information is detected on the target computer. A confidence level for detection of potential malware is determined based on the at least a portion of the manifestation information detected. The potential malware on the target computer is convicted as malware for remediation if the confidence level satisfies a threshold confidence level.

Abstract: A computer-implemented method for securing data and computer systems is described. In one embodiment, a request to connect to a server is received at an intermediary network device. It is detected, at the intermediary network device, that the server uses a one-time password (OTP) protocol. Based at least in part on the detecting that the server uses an OTP protocol, an action is performed by the intermediary network device. The action may include blocking, at the intermediary network device, a connection other than the connection to the server that uses the OTP protocol.

Abstract: A method and apparatus for interactive state restoring are described. A browser loads a web page using a uniform resource locator (URL). The web page includes interactive elements. The web page is in a default state when loaded by the browser in a first instance and is in an interactive state when any one of the interactive elements is changed. An interactive state restoring tool executing in connection with the browser monitors URLs being loaded by the browser and identifies a data object appended to an end of a first URL for the web page with interactive elements. The interactive state restoring tool extracts the data object from the URL and restores the web page in the interactive state using the data object extracted from the URL when the web page is loaded by the browser. The interactive state restoring tool can execute a state-restoring JavaScript method for consumption of an enhanced deep link.

Abstract: A method for restarting a force stop mobile application is described. In one embodiment, the method may include establishing a connection with a first application installed on a mobile device and receiving a heartbeat signal from the first application via the established connection. Upon receiving the heartbeat signal, the method may include monitoring for subsequent heartbeat signals from the first application and determining a subsequent heartbeat from the first application is not received when expected. Upon determining the subsequent heartbeat from the first application is not received when expected, the method may include determining whether a second application related to the first application is running on the mobile device.

Abstract: A method and apparatus for reputation scoring of applications on social networking services is described. A reputation score system scans a profile area of an application operating in a social networking service and generates a profile metric based on the content of the profile area. A reputation score system scans analyzes application installation behavior of an application and generates an installation metric. The reputation score system analyzes application activity of the application and generating an application metric. The reputation score system analyzes permissions requested by the application and generates a permissions metric. The reputation score system generates a reputation based on the profile metric, installation metric, application metric and permissions metric.

Abstract: The disclosed computer-implemented method for detecting discrepancies in automobile-network data may include (1) receiving data that indicates at least one attribute of an automobile and that was conveyed via an automobile-network message that was purportedly broadcast over an automobile network of the automobile, (2) receiving additional data that indicates the same attribute of the automobile and that was not conveyed via any automobile-network message that was broadcast over the automobile network, (3) detecting a discrepancy between the data and the additional data, and (4) performing a security action in response to detecting the discrepancy between the data and the additional data. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A peering relationship among two or more network appliances is established through an exchange of control messages among the network appliances. The peering relationship defines a cluster of peered network appliances, and at each network appliance of the cluster traffic flow state information for all the network appliances of the cluster is maintained. Network traffic associated with traffic flows of the network appliances of the cluster is managed according to the state information for the traffic flows. This managing of the network traffic may include forwarding among the network appliances of the cluster (i.e., to those of the appliances handling the respective flows) at least some of the network traffic associated with one or more of the traffic flows according to the state information for the one or more traffic flows. The traffic flows may be TCP connections or UDP flows.

Abstract: Techniques for detecting an intranet spoofing attack are disclosed. In one embodiment, the techniques may be realized as a system and method for detecting an intranet spoofing attack. For example, the system may comprise one or more processors communicatively coupled to a network. The one or more processors may be configured to: identify an attempt to access an intranet website at a user device; determine that the intranet website is a spoofed intranet website; and perform an action in response to the determination of the spoofed intranet website to protect user.

Abstract: A computer-implemented method for preventing false positive malware identification may include (1) identifying a set of variants of a trusted software program, (2) characterizing, for each variant in the set of variants of the trusted software program, at least one common property of the variants, (3) clustering the set of variants of the trusted software program based on the common property of the variants, and (4) creating a signature capable of recognizing variants of the trusted software program. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for locating unrecognized computing devices may include (1) identifying a plurality of cooperating computing devices on a wireless network that are each configured with a device location application, (2) determining a physical location for each cooperating computing device within the plurality of cooperating computing devices, (3) receiving, from the device location application on the plurality of cooperating computing devices, data about packets intercepted by the plurality of cooperating computing devices that are directed to the wireless network by an unrecognized computing device, and (4) locating the unrecognized computing device based on information received from the plurality of cooperating computing devices that identifies both the physical location for each cooperating computing device and signal strengths of the packets intercepted by the plurality of cooperating computing devices.

Abstract: The disclosed computer-implemented method for blocking push authentication spam may include (1) detecting an attempt by an unauthenticated source to gain access to a web resource protected by an MFA service, (2) issuing, to a mobile device of an authenticated user of the MFA service, a push authentication request to query the authenticated user about whether to allow the unauthenticated source's attempt, (3) determining, based at least in part on the push authentication request issued to the mobile device, that the authenticated user has not allowed the unauthenticated source's attempt, and (4) in response to determining that the authenticated user has not allowed the unauthenticated source's attempt, blacklisting the unauthenticated source such that the MFA service refuses to issue any subsequent push authentication requests in connection with the unauthenticated source. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for assessing Internet addresses may include (1) identifying an Internet Protocol address, (2) identifying a plurality of files downloaded from the Internet Protocol address, (3) generating an aggregation of security assessments that relates to the Internet Protocol address and that may be based at least in part on a security assessment of each of the plurality of files, (4) determining a trustworthiness of the Internet Protocol address based at least in part on the aggregation of security assessments and (5) facilitating a security action based at least in part on the trustworthiness of the Internet Protocol address. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A server computer system within a network of an organization receives a request from a user to access a cloud account. The request includes a user identifier. The server computer system authenticates the user for access to the cloud account based on the user identifier, identifies one or more predetermined roles associated with the cloud account for the user, and identifies one or more pseudo accounts associated with the cloud account. The server computer system further maps the user to the one or more pseudo accounts, and provides user access to the cloud account based on the mapping and with access privileges corresponding to the one or more pseudo accounts.

Abstract: A computer-implemented method for remotely configuring applications may include (1) identifying a centrally administered application that includes a configuration specification that defines at least one setting available for the centrally administered application and that is prepared to provide the configuration specification, (2) identifying, by extracting the configuration specification for the centrally administered application, a settings field of the configuration specification, (3) creating a settings configuration policy that specifies a value for the settings field, (4) detecting an instance of the centrally administered application that includes the configuration specification, and (5) pushing the value for the settings field to the instance of the centrally administered application in accordance with the settings configuration policy. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for identifying variants of samples based on similarity analysis may include (1) collecting, from security agents on endpoint computing systems, metadata attributes that describe samples identified by the security agents over an initial period of time, (2) collecting metadata attributes that describe a current sample identified after the initial period of time, (3) comparing at least two of the metadata attributes that describe the current sample with corresponding metadata attributes of the samples identified over the initial period of time, (4) designating the current sample as related to another sample from the samples identified over the initial period of time based on the comparison of the two metadata attributes, and (5) performing a security action to protect a user from malware based on the designation of the current sample as related to the other sample. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for protecting purpose-built appliances on local networks may include (1) identifying a purpose-built appliance that is installed at a physical site to enhance the physical site with a pre-programmed functionality and that is connected to a local network that operates at the physical site, (2) intercepting, by a router of the local network, a request from a requesting device to access the pre-programmed functionality of the purpose-built appliance via the local network, (3) querying, from the router, via an authorization channel that is separate from a communication channel used to transmit the request, an owner of the physical site for authorization for the requesting device to access the purpose-built appliance, (4) receiving, by the router, the authorization from the owner, and (5) forwarding, by the router, the request from the requesting device to the purpose-built appliance. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for identifying security threat sources responsible for security events may include (1) identifying security-event data collected from a plurality of security events detected over a network, (2) partitioning the security-event data into a set of single-dimensional security clusters, each grouped by a common feature, (3) determining that a subset of the single-dimensional security clusters exceed a threshold level of similarity relative to one another, (4) grouping the subset of single-dimensional clusters into a multi-dimensional security cluster corresponding to a single threat source in response to determining that the subset of single-dimensional clusters exceed the threshold level of similarity relative to one another, and then (5) determining, based at least in part on grouping the single-dimensional clusters into the multi-dimensional cluster, that the single threat source is likely responsible for some of the security events.

Abstract: A computer-implemented method for enabling biometric authentication options may include (1) identifying a device that includes a biometric authentication option that provides access to a protected feature of the device and that is based on a biometric trait and an initial authentication option that provides access to the protected feature and that is not based on the biometric trait, (2) detecting an authentication action that is performed by a user on the device that provides access to the protected feature via the initial authentication option, (3) capturing biometric data describing the biometric trait of the user in connection with the user performing the authentication action on the device, and (4) using the biometric data as training data for the biometric authentication option to enable the user to access the protected feature of the device via the biometric authentication option. Various other methods, systems, and computer-readable media are also disclosed.