Abstract: Embodiments of the present invention are directed to a method and system for automated risk analysis. The method includes accessing host configuration information of a host and querying a vulnerability database based on the host configuration information. The method further includes receiving a list of vulnerabilities and accessing a plurality of vulnerability scores. The list of vulnerabilities corresponds to vulnerabilities of the host. Vulnerabilities can be removed from the list based on checking for installed fixes corresponding to vulnerability. A composite risk score can then be determined for the host and each software product of the host based on the plurality of vulnerability scores. An aggregate risk score can then be determined for the host and each software product of the host based on the plurality of vulnerability scores.

Abstract: Custom data is injected into a comment field in an APK file. This creates a data driven, customized app, without unzipping, resigning or re-zipping the APK file. The APK file and the injected custom data are transmitted to a mobile computing device. The custom data can be injected into a comment field at the end of the APK file, which allows the non-customized version of the APK file and the custom data to be transmitted to the mobile computing device in succession, such that the transmission is received as a single, customized APK file. The content of the non-customized APK file and the custom data can instead be written to a new, customized APK file, which is then transmitted to the mobile computing device.

Abstract: A computer-implemented method for classifying package files as Trojans may include (1) detecting a resemblance between an unclassified package file and a known legitimate package file, (2) determining that the unclassified package file is signed by a different signatory than a signatory that signed the known legitimate package file, (3) determining that a feature of the unclassified package file is suspicious, the feature being absent from the known legitimate package file, and (4) classifying the unclassified package file as a Trojan version of the known legitimate package file based on the unclassified package file being signed by the different signatory and having the suspicious feature. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer system receives, from a user device, a request to access a resource within a network of an organization and receives access credentials associated with an application, a user and the user device. The computer system identifies an application identifier, a user identifier and a device identifier and determines whether the combination of these identifiers satisfies an access policy. If the combination of application identifier, user identifier and device identifier satisfies the access policy, then the computer system grants the application access to the resource within the network of the organization.

Abstract: A computer-implemented method for enabling write-back-cache aware snapshot creation may include (1) identifying a cache that implements write-back caching to selectively store at least one write to a backing store, (2) receiving, while the write is stored within the cache, a request to create a snapshot of the backing store, and (3) creating, in response to the request, the snapshot of the backing store by (a) determining that the write is stored within the cache and (b) tracking, in response to the determination, the write stored within the cache to ensure that the write is included in the snapshot of the backing store. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method to protect against a vulnerability event is described. A first set of security policies is enforced. A client device is monitored for a vulnerability event. Upon detecting a vulnerability event, a vulnerability level corresponding to a current environment is determined. A second set of security policies is selected based on the vulnerability level. The second set of security policies is enforced.

Abstract: The disclosed computer-implemented method for providing information identifying the trustworthiness of applications on application distribution platforms may include (1) monitoring event notifications generated by an accessibility service that provides user interface enhancements for disabled individuals on an operating system installed on a computing device, (2) determining, based on an analysis of an event notification generated by the accessibility service, that a user is viewing at least one application for download on an application distribution platform, (3) in response to determining that the user is viewing the application on the application distribution platform, identifying the application based at least in part on an analysis of an active window of the computing device, (4) once the application is identified, retrieving information from a third party that identifies the trustworthiness of the application, and (5) before the user downloads the application, displaying the information identifying the

Abstract: The subject matter of this specification can be implemented in, among other things, a method that includes receiving, from a computing device, one or more user inputs that include levels of relevance for multiple facets of multiple applications. Each of the facets represents a different set of behaviors from a plurality of behaviors of the applications. Each one of the applications has an associated value for each of the facets based on the set of behaviors of each of the applications. The method further includes organizing a list of the applications based on the levels of relevance for the facets and the value of each of the facets for each of the applications. The method further includes providing, to the computing device, the list of the applications for presentation on a display device at the computing device.

Abstract: A computer-implemented method for authenticating devices may include (1) identifying a request from a device for a credentialing service to issue a credential to the device, the request including an application identifier encrypted with a first encryption key, the first encryption key having been derived by the device based on a token provisioned to the device by a vendor of the device, (2) transmitting the request to the credentialing service, (3) receiving, from the credentialing service, the credential encrypted using a second encryption key, the second encryption key having been derived by the device based on the token, and (4) providing the encrypted credential to the device. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for securely providing information external to documents may include identifying a document that may include at least one link to content external to the document, retrieving the content external to the document from the link, converting the content external to the document to embeddable content in a secure format that can be embedded within the document and creating a secure version of the document at least in part by embedding the embeddable content that has been converted to the secure format into the document. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A first computer system identifies deduplication metadata for files. The deduplication metadata includes block level information for the files. The first computer system determines relationships that are associated with the files based on the block level information and sends relationship data that describes the relationships that are associated with the files to a second computer system via a network.

Abstract: The disclosed computer-implemented method for preventing data loss over virtualized networks may include (1) receiving, by a data loss prevention callout driver registered to a switch, a network packet from a virtual machine, (2) identifying, by the data loss prevention callout driver registered to the switch, flow context information that specifies a context associated with transmitting the network packet, (3) providing the flow context information and the network packet to a data loss prevention service, and (4) applying, by the data loss prevention service, a data loss prevention policy to the network packet based on the flow context information. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Anomalous access activity is detected and managed. Access of enterprise data on multiple client computers is monitored and logged. The resulting log information identifies accessed units of enterprise data and corresponding access context. Log information concerning access of specific units of data on multiple client computers is received over a period of time and amalgamated. Statistical analysis is performed on amalgamated log information, thereby determining access baselines for data over the time period. Received log information concerning access of a specific unit of data on a specific client computer is compared to corresponding access baseline(s). Responsive to the comparison indicating that the access deviates from a baseline in excess of a threshold, the access is classified as being anomalous. Alerts are automatically output in response to detecting anomalous data access.

Abstract: A method and apparatus for knowledge-based authentication by a cloud-based authentication service are described. A cloud-based authentication service is to track credential usage of an end-user at the cloud-based authentication service. The authentication service receives a credential request for credentials associated with the end-user from a relying party website. The end-user no longer has authentication credentials for access to the relying party website. The authentication service issues a dynamic knowledge-based (KB) challenge to the end-user, the dynamic KB challenge being based on at least some of the tracked credential usage of the end-user. The processing logic receives a response to the dynamic KB challenge from the end-user and sends temporary credentials to the relying party for the end-user when the response is validated.

Abstract: A computer-implemented method for preserving deduplication efforts after backup-job failures may include (1) identifying a deduplicated data system that reduces redundant data storage by storing and referencing a plurality of deduplicated data segments and reclaims storage space by deleting unreferenced data segments from the deduplicated data system, (2) identifying a backup job that backs up data to the deduplicated data system, causes the deduplicated data system to store at least one new data segment available to be referenced within the deduplicated data system, and fails after the deduplicated data system stores the new data segment within the deduplicated data system causing the new data segment to be unreferenced within the deduplicated data system, and (3) causing the deduplicated data system to retain the new data segment until the backup job is retried despite the new data segment being unreferenced. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Techniques are disclosed for using a false positive-prone data structure to store normalization data for use in an encrypted search context. A file host server in a cloud provider network may provide search functionality for a user's encrypted data by use of a search index. In updating the search index, the server consolidates common identities of the user on different web services (e.g., an e-mail service or a social media service) into a normalized identifier. These normalization values are stored in the false positive-prone data structure (e.g., a colliding hash table, a Bloomier filter, etc.). Consequently, the data structure may return false positives after a search operation. The server may filter out these false positives before returning search results.

Abstract: Techniques are disclosed for evenly distributing certificate status validity messages across multiple response servers. A certificate authority (CA) may partition subsets of online certificate status protocol (OCSP) responses to each be handled by OCSP response servers. The partitions are based on serial numbers of the underlying digital certificates of the OCSP responses. For example, to determine which OCSP response server is assigned to distribute a particular OCSP response, a modulo operation may be performed between the last octet value of the underlying certificate serial number and the total number of available OCSP response servers of the CA. The result yields a partition number that may be used to identify the corresponding OCSP response server.

Abstract: A computer-implemented method for enforcing secure network segmentation for sensitive workloads may include (1) identifying a sensitive workload that is deployed within a subnet of a segmented network on a remote workload hosting platform, (2) identifying a security policy that applies to the sensitive workload, wherein a deployment of the sensitive workload within the subnet of the segmented network complies with the security policy, (3) intercepting, at a proxy, an attempt to reconfigure the deployment of the sensitive workload within the segmented network on the remote workload hosting platform, (4) determining that the attempt to reconfigure the deployment of the sensitive workload could result in a violation of the security policy, and (5) enforcing, on the proxy, the security policy on the attempt to reconfigure the deployment of the sensitive workload. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for prioritizing restoration speed with deduplicated backups may include (1) receiving a request to store a backup image within a deduplicating data system, (2) evaluating an amount of data segments that match the backup image within a container of deduplicated data segments, (3) identifying a restoration prioritization value that is assigned to the backup image and that correlates with a desired restoration speed for the backup image, (4) determining that the amount of data segments that match the backup image exceeds the restoration prioritization value by a predetermined degree, and (5) referencing previously stored data segments within the container of deduplicated data segments that match the backup image when storing the backup image based on the amount of data segments that match the backup image exceeding the restoration prioritization value by the predetermined degree. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: For each page of a set, a Bayesian classification of the URL associated with the page is performed, and a maliciousness probability is assigned to the URL based on the Bayesian classification. A traversal priority is assigned to each page of the set, the assigned traversal priorities initially directing a breadth first traversal of the set of pages. The assigned traversal priorities of a subset of the pages of the set are modified to direct higher priority traversals, responsive to the maliciousness probabilities of the URLs corresponding to the pages of the subset. Each page of the set is traversed in the order specified by the traversal priorities, and analyzed during traversal to determine whether the page is malicious.