Abstract: The disclosed computer-implemented method for anonymizing log entries may include (1) detecting a data pattern in a group of log entries documenting events performed by at least one process executing on at least one device, (2) identifying, in the data pattern, at least one data field in the log entries that contains variable data, (3) evaluating the data field containing variable data to determine whether the data field contains sensitive data, and (4) in response to determining whether the data field contains sensitive data, applying a data-anonymization policy to the data field to anonymize the log entries. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Techniques for protecting against unauthorized technique support calls are disclosed. In one embodiment, the techniques may be realized as a system for protecting against unauthorized technique support calls including one or more computer processors. The one or more computer processors may be configured to register a client security application installed on a client device. The client security application may be associated with a mobile device. The client device may be separate from the mobile device. The one or more computer processors may further be configured to receive a notification to start monitoring the client device. The one or more computer processors may further be configured to monitor activities of the client device. The one or more computer processors may further be configured to alert a user of the client device for security risks associated with the activities.

Abstract: The disclosed computer-implemented method for facilitating single sign-on for multiple devices may include (1) establishing a login session for a user account, (2) in response to establishing the login session, providing, to a device associated with the user account, a session token for the user account, (3) receiving, from at least one client, a request to access resources associated with the user account, (4) determining that the associated device possesses the session token for the user account, and (5) in response to determining that the associated device possesses the session token, providing, to the client, access to the resources associated with the user account. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for identifying suspicious controller area network messages may include (i) monitoring, for a predetermined period of time, messages sent by an electronic control unit that comprise a controller area network identifier for at least one controller area network device, (ii) observing, in the messages, a set of corresponding patterns that each comprise a content pattern and a timing pattern, (v) detecting a message that comprises the controller area network identifier, wherein a content pattern of the message and a timing pattern of the message do not match any pair of corresponding patterns in the set of corresponding patterns, and (vi) determining that the message is suspicious based at least in part on content pattern of the message and the timing pattern of the message not matching any pair of corresponding patterns in the set. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Methods and apparatus for optimizing computer detection of malware using pattern recognition by refreshing random classification forests are described. In one embodiment, the method may include building a random forest with two or more binary decision trees based at least in part on a first set of categorized data, sending the random forest to a client device with a first random forest control value, identifying a second set of categorized data different from the first set of categorized data, calculating a second random forest control value based on the second set of categorized data and sending the second random forest control value to the client device.

Abstract: The disclosed computer-implemented method for applying security updates to endpoint devices may include (1) calculating a reputation score for an endpoint device that indicates a security state of the endpoint device, (2) transmitting, from the endpoint device to a security server that provides security updates, a request to receive a security update with a degree of urgency based on the reputation score of the endpoint device, (3) receiving the security update from the security server in accordance with the degree of urgency, and then (4) applying the security update within the endpoint device. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for uniquely identifying malicious advertisements may include (1) associating, by a browser advertisement platform, a browser advertisement with a unique identifier for the browser advertisement, (2) transmitting, by the browser advertisement platform, the browser advertisement to be displayed on at least one endpoint computing device in conjunction with the unique identifier, (3) receiving, at the browser advertisement platform, a message from the endpoint computing device that includes the unique identifier and that indicates that the browser advertisement was associated with malicious activity on the endpoint computing device, and (4) performing, by the browser advertisement platform, a security action on the browser advertisement in response to the message indicating that the browser advertisement with the unique identifier was associated with the malicious activity. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Securely sharing a Transport Layer Security (TLS) session with one or more trusted devices. In one embodiment, a method may include establishing a TLS session between a client device and a server device, communicating encrypted messages that are encrypted using encryption keys between the client device and the server device, and intercepting and decrypting one or more of the encrypted messages at a trusted device using the encryption keys. In this embodiment, the establishing of the TLS session may include negotiating a master secret, establishing a secure channel between the trusted device and the client device or the server device, sending, from the client device or the server device, the master secret to the trusted device over the secure channel, and employing the master secret at the client device, at the server device, and at the trusted device to generate, for the TLS session, the encryption keys.

Abstract: According to at least one embodiment, a computer-implemented method for managing generic data is described. In one embodiment, a request may be received to customize the generic data. The generic data may be downloaded based at least in part on the request. The generic data may be customized for the computing device. The customized data may be installed on the computing device.

Abstract: The disclosed computer-implemented method for detecting malicious computing events may include (i) determining, for multiple computing events detected within an enterprise, an initial disposition score for each computing event based on currently-available security information, (ii) determining an initial classification of each computing event as malicious or non-malicious by comparing the initial disposition score of each computing event with a threshold disposition score, (iii) for each computing event, determining (a) an updated disposition score based on new security information (b) an updated classification, (iv) calculating a degree to which the threshold disposition score correctly identifies malicious computing events by determining a frequency with which the initial classification of each computing event matches the updated classification of the computing event, and (v) adjusting the threshold disposition score based on the degree to which the threshold disposition score correctly identifies malicious

Abstract: The disclosed computer-implemented method for managing application updates may include (i) recording network activity of a target application, (ii) recording an identifying attribute of the target application that is associated with a current version of the target application, (iii) determining, based on recording the identifying attribute, that the target application has attempted to update from a previous version of the target application to the current version of the target application, (iv) locating a portion of network activity that reveals how to manually update an instance of the previous version of the target application, and (v) perform, in response to locating the portion of network activity that reveals how to manually update the instance of the previous version of the target application, a security action to protect a user from a candidate security threat. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The present disclosure relates to changing a password in a proximity-based authentication system. After a successful proximity-based authentication, a password agent may determine that a password does not comply with an administrative password policy. The password agent may then generate a new password that does comply with the administrative password policy and submit a password change request to an administrator of that password policy, without any input by a user at these steps. The user can then request to view the password for input to a service using the same password, and after passing a biometric challenge may view the password.

Abstract: The disclosed computer-implemented method for locating functions for later interception may include (i) identifying a function to be intercepted during an execution of a file that comprises an instance of the function, (ii) procuring, from a description of the function, a string that, when located in any given file within a set of files, indicates a location of the function within the given file, (iii) scanning the file to identify a location of the string within the file, (iv) determining, based on the location of the string within the file, a location of the instance of the function within the file, and (v) intercepting a call made by a process during the execution of the file to the instance of the function based on having located the instance of the function within the file. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for evaluating security software configurations may include (1) identifying, within a software security system, a live configuration that includes active configuration settings applied by the software security system when protecting a computing system, (2) establishing a test configuration that includes at least one configuration setting that is different from the live configuration, (3) recording a live result of the software security system performing a protective action using the live configuration, (4) generating an alternate result of the protective action by performing the protective action using the test configuration instead of the live configuration and without applying changes resulting from the protective action to the computing system, and (5) performing a security action based on the live result of the protective action and the alternate result of the protective action. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for assessing security risks of users of computer networks of organizations may include (i) detecting, at a risk computing device, a location of a host electronically accessed by a user computing device, the host location having an electronic address outside of a computer network of an organization, (ii) identifying, at the risk computing device, a host user credential sent to the host location from the user computing device, (iii) determining, at the risk computing device, that the host user credential matches an organization user credential associated with the organization's computer network, and (iv) calculating, at the risk computing device, a risk score for a user of the user computing device based on the determination that the host user credential matches the organization user credential. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Preventing a malicious computer application from executing in a computing environment. In one embodiment, a method may include identifying a base graph, identifying a perturbed graph, determining an importance of each of the edges in the base graph using an Edge Current-Flow Based Betweenness Centrality (ECFBBC) metric, identifying the edges in the base graph that match the edges in the perturbed graph, determining a utility value for the perturbed graph, determining whether the utility value is above a threshold utility value, in response to determining that the utility value is above the threshold utility value, employing the perturbed graph to analyze a computer application and determine that the computer application is malicious, and performing a security action on the malicious computer application to prevent the malicious computer application from executing in a computing environment.

Abstract: The disclosed computer-implemented method for making security-related predictions may include (i) gathering information that comprises both signatures of events that occurred on computing systems during consecutive time slots and incident labels about incidents on the computing systems during the consecutive time slots, (ii) using the gathered information to train a machine learning model, (iii) predicting, by the machine learning model, at least one of an incident label about an incident and a signature of an event on a computing system during a time slot, wherein the computing system does not comprise at least one of an application capable of generating the signature and information about events occurring during the time slot due to the time slot having not yet occurred, and (iv) performing an action in response to the prediction. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Blocking malicious Internet content at an appropriate hierarchical level. In one embodiment, a method may include identifying evidence of security risks in hierarchical levels of an Internet hierarchy. The method may also include generating security risk scores for the hierarchical levels of the Internet hierarchy based on the evidence of security risks. The method may further include identifying a security risk threshold. The method may also include identifying, as an appropriate blocking level, the highest hierarchical level of the Internet hierarchy having a security risk score at or above the security risk threshold. The method may further include blocking a network device from accessing Internet content in the Internet hierarchy at or below the appropriate blocking level.

Abstract: The disclosed computer-implemented method for preventing unauthorized access to computing devices implementing computer accessibility services may include (i) detecting, at a client computing device, an instruction to perform a user interface action utilizing a computer accessibility service, (ii) determining, at the client computing device, whether the instruction was triggered based on a touch event initiated by a user of the client computing device, and (iii) performing, at the client computing device, a security action in response to determining that the instruction was not triggered based on a touch event initiated by the user. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The present disclosure relates to managing a rate of generating data requests to be processed at a service provider. An example method generally includes detecting an instance of a push notification event directed to a group of endpoint systems. The push notification event generally indicates that push notifications are to be transmitted to the group of endpoint systems to generate the data requests. A computing system determines a resource utilization associated with at least one of the data requests generated based on the push notification event and determines a push notification transmission rate based on the determined resource utilization and computing resources available at the service provider. The rate generally indicates a number of push notifications to generate and transmit over a period of time. The computing system transmits the push notifications to the group of endpoint systems based on the calculated push notification transmission rate.