Abstract: A system for managing computer security policies includes a policy management system that provides computer security policies to container host machines. The policy management system retrieves images of software containers from an image registry and generates computer security policies that are specific for each image. A container host machine informs the policy management system when an image is pulled from the image registry into the container host machine. The policy management system identifies a computer security policy that is applicable to the image and provides the computer security policy to the container host machine. The container host machine can also locally identify the applicable computer security policy from among computer security policies that are received from the policy management system. The container host machine enforces the computer security policy and other currently existing computer security policies.

Abstract: Example embodiments disclosed herein relate to a network security system. The network security system intercepts inline DNS requests. It is determined whether a domain name associated with one of the inline DNS requests corresponds with one or more domain names. A security action is performed based on the determination.

Abstract: Abusive user accounts in a social network are identified from social network data. The social network data are processed to compare postings of the user accounts to identify a group of abusive user accounts. User accounts in the group of abusive user accounts are identified based on posted message content, images included in the messages, and/or posting times. Abusive user accounts can be canceled, suspended, or rate-limited.

Abstract: A method for detecting and locating occurrence in a data stream of any complex string belonging to a predefined complex dictionary is disclosed. A complex string may comprise an arbitrary number of interleaving coherent strings and ambiguous strings. The method comprises a first process for transforming the complex dictionary into a simple structure to enable continuously conducting computationally efficient search, and a second process for examining received data in real time using the simple structure. The method may be implemented as an article of manufacture having a processor-readable storage medium having instructions stored thereon for execution by a processor, causing the processor to match examined data to an object complex string belonging to the complex dictionary, where the matching process is based on equality to constituent coherent strings, and congruence to ambiguous strings, of the object complex string.

Abstract: Examples of implementations relate to metadata extraction. For example, a system of privacy preservation comprises a physical processor that executes machine-readable instructions that cause the system to normalize a network traffic payload with a hardware-based normalization engine controlled by a microcode program; parse the normalized network traffic payload, as the network traffic payload passes through a network, by performing a parsing operation of a portion of the normalized network traffic payload with a hardware-based function engine of a plurality of parallel-distributed hardware-based function engines controlled by the microcode program; and provide the hardware-based function engine with a different portion of the normalized network traffic payload responsive to an indication, communicated through a common status interface, that the different portion of the normalized network traffic payload is needed to complete the parsing operation.

Abstract: Examples relate to identifying signatures for data sets. In one example, a computing device may: for each of a plurality of first data sets, obtain a data set signature; generate a first data structure for storing each data set signature that is distinct from each other data set signature; for each of a plurality of second data sets, obtain at least one data subset; generate a second data structure for storing each data subset; remove, from the first data structure, each data set signature that matches a data subset included in the second data structure; and for each data set signature removed from the first data structure, identify each first data set from which the data set signature was obtained; and for each identified first data set, obtain a new data set signature.

Abstract: Examples relate to identifying a signature for a data set. In one example, a computing device may: receive a data set that includes a plurality of data units; iteratively determine a measure of complexity for windows of data units included in the data set, each window including a distinct portion of the plurality of data units; identify, based on the iterative determinations, a most complex window of data units for the data set; and identify the most complex window as a data unit signature for the data set.

Abstract: Social messages sent or posted by users of a social networking service are collected. Compromised social networking accounts are identified from the collected social messages. Keywords indicative of compromised social networking accounts are extracted from social messages of identified compromised social networking accounts. The keywords are used as search terms in a search query for additional social messages. Additional compromised social networking accounts are identified from search results that are responsive to the search query.

Abstract: A behavior of a computer security threat is described in a root-cause chain, which is represented by a detection rule. The detection rule includes the objects of the root-cause chain and computer operations that represent links of the root-cause chain. An endpoint computer establishes a link between objects described in the detection rule when a corresponding computer operation between the objects is detected. Detected computer operations are accumulated to establish the links between objects. The threat is identified to be in the computer when the links of the detection rule have been established.

Abstract: A system for protecting computers against remote malware downloads includes a malware download detection system and participating client computers that provide download event information to the malware download detection system. A download event information identifies a file, a network address (e.g., uniform resource locator) from which the file was downloaded, and an identifier of the client computer that downloaded the file. The malware download detection system uses the download event information to build and update a tripartite download graph, and uses the download graph to train one or more classifiers. The malware download detection system consults the one or more classifiers to classify a download event. The download event is classified as malicious if either the file or the network address is classified as malicious.

Abstract: Social network usage in an enterprise environment is controlled by receiving and processing dynamic postings from a social network to identify indicators of prohibited content. The indicators of prohibited content are employed to identify and block prohibited postings from entering an enterprise network.

Abstract: Example embodiments relate to redirecting data packets. The examples disclosed herein receive a first packet from a first device. The first packet is qualified as a flow control packet. In response to the first packet being qualified as a flow control packet, examples herein then redirect the first packet from being delivered to a second device to being delivered to a third device.

Abstract: Malicious shortened uniform resource locators are identified by collecting online messages in a computer. Senders and uniform resource locators are extracted from the collected online messages. Sender controlled components are identified in the uniform resource locators. Groups of sender controlled components and senders are formed. Shortened uniform resource locators associated with sender controlled components that are members of malicious groups are identified as malicious.

Abstract: A login page of an online service is received in a user computer. False credentials, such as a false user identifier (ID) and a false password, are entered into the login page to login to the online service. The login page is classified as phishing when the online service does not serve a legitimate login-fail page in response to the entry of the false credentials in the login page.

Abstract: Examples disclosed herein relate to confidence levels in reputable entities. Some of the examples enable identifying a particular reputable entity that is originated from a plurality of sources including a first source and a second source; determining a first level of confidence associated with the first source; determining a second level of confidence associated with the second source; determining an aggregate level of confidence associated with the plurality of sources based on the first and second levels of confidence, wherein the aggregate level confidence is higher than the first and second levels of confidence; and determining an entity score for the particular reputable entity based on the aggregate level of confidence.

Abstract: The present disclosure provided a method and system for protecting web applications against web attacks comprising a cloud service for generating rules and receiving reports, an agent manager in communication with the cloud service receiving rules from the cloud service and passing reports thereto, and an in-application agent in communication with the agent manager for receiving rules therefrom and passing reports thereto for protecting an application in which the in-application agent is embedded.

Abstract: Documents that have been compromised by malware are detected and recovered. A hash of a portion of a file of a document is generated. An identifier of the file includes a signature that is embedded in the file, with the identifier including the hash of the portion of the file and other file information, such as a pathname of the file. A list that includes the identifier of the file is consulted before generating a backup copy of the file. The file is restored from the backup copy of the file in response to detecting that the file has been encrypted.

Abstract: A server computer provides centralized key management services to several computers having encrypted files or file systems. The server computer receives key requests from the computers. The server computer issues a key to a computer that passes an integrity check. The key is used to unlock an encrypted file or file system in the computer. When the computer fails another integrity check after receiving the key, indicating a change in the security posture of the computer, the server computer may revoke the key automatically or upon receipt of an instruction from a key administrator.

Abstract: Examples relate to identifying randomly generated character strings. In one example, a computing device may: receive a character string that includes two or more characters; identify a number of character transitions included in the character string, each character transition being a change in character type within an n-gram of the character string, where n is a positive integer; and determine, based on the number of character transitions, whether the character string was randomly generated.

Abstract: Examples relate to intelligent logging in a system. One example enables monitoring a set of critical processes of the system, responsive to a first process parameter of a first critical process exceeding a corresponding first parameter threshold, changing a first process log level associated with the critical process from a first log level to a second log level; and logging information related to the first critical process by: obtaining a second set of information associated with the second log level, wherein the second set of information is different from a first set of information associated with the first log level.