Abstract: Identifying and protecting against a computer security threat while preserving privacy of individual client devices using differential privacy for text documents. In some embodiments, a method may include receiving, at the remote server device, text documents from one or more local client devices, generating, at the remote server device, a differential privacy document vector for each of the text documents, identifying, at the remote server device, a computer security threat to a first one of the one or more local client devices using the differential privacy document vectors, and, in response to identifying the computer security threat, protecting against the computer security threat by directing performance, at the first local client device or the remote server device, of a remedial action to protect the first local client device from the computer security threat.

Abstract: Identifying and protecting against a computer security threat while preserving privacy of individual client devices using differential privacy machine learning for streaming data. In some embodiments, a method may include receiving first actual data values streamed from one or more first local client devices, generating first perturbed data values by adding noise to the first actual data values using a differential privacy mechanism, storing the first perturbed data values, training a machine learning classifier using the first perturbed data values, receiving a second actual data value streamed from a second local client device, generating a second perturbed data value by adding noise to the second actual data value, storing the second perturbed data value, identifying a computer security threat to the second local client device using the second actual data value as input to the trained machine learning classifier, and protecting against the computer security threat.

Abstract: The disclosed computer-implemented method for malware remediation may include constructing a malware detection model by (i) identifying multiple candidate hyperparameter sets, (ii) selecting, from the candidate hyperparameter sets, a set of hyperparameters for the malware detection model that optimizes a tradeoff between model efficacy and model size, and (iii) training the malware detection model on a set of training samples to distinguish between malicious samples and clean samples. After constructing the malware detection model, the disclosed computer-implemented method may also include using the constructed malware detection model to perform a security action. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A method for improving cascade classifier ordering is described. In one embodiment, the method may include determining an efficacy rating of a first current configuration, generating a decreasing sequence of values for a control parameter, and selecting a current value of the control parameter according to the decreasing sequence of values. In some cases, the method may include randomly selecting a first test configuration among the plurality of configurations based at least in part on the current value of the control parameter, analyzing the first test configuration in relation to the first current configuration, and implementing, based at least in part on the analyzing of the first test configuration, the first test configuration in a machine learning classification system of a computing device to improve a data classification accuracy of the computing device.

Abstract: The disclosed computer-implemented method for identifying non-malicious files on computing devices within organizations may include (1) identifying a file on at least one computing device within multiple computing devices managed by an organization, (2) identifying a source of the file based on examining a relationship between the file and the organization, (3) determining that the source of the file is trusted within the organization, and then (4) concluding, based on the source of the file being trusted within the organization, that the file is not malicious. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for determining the trustworthiness of files within organizations may include (1) identifying a file on a computing device within multiple computing devices managed by an organization, (2) in response to identifying the file, identifying at least one additional computing device within the multiple computing devices that is potentially associated with the file, (3) distributing at least a portion of the file to a user of the additional computing device with a request to receive an indication of the trustworthiness of the file, and then (4) receiving, from the additional computing device, a response that indicates the trustworthiness of the file. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Suspicious file prospecting activity is detected based on patterns of file system access. A user's file system access is monitored over a specific time period. A sequence of the file accesses (e.g., represented as path names) made by the user during the time period is recorded. Distances between the recorded file accesses are determined, for example as edit distances. A distance sequence is recorded, comprising a record of the determined distances. The distance sequence is reduced to one or more baseline statistics describing the pattern of the user's access of the file system during the given period of time. At least one subsequent anomaly in the user's access of the file system is detected, by comparing at least one subsequently calculated statistic representing at least one subsequent pattern of the user's file system access to the at least one baseline statistic.

Abstract: Techniques are disclosed for dynamically managing hardening policies in a client computer (e.g., of an enterprise network). A hardening management application monitors activity on the client computer that is associated with a first hardening policy. The monitored activity is evaluated based on one or more metrics. Upon determining that at least one of the metrics is outside of a tolerance specified in the first hardening policy, the client computer is associated with a second hardening policy. The client computer is reconfigured based on the second hardening policy.

Abstract: The disclosed computer-implemented method for protecting computing resources may include (i) computing a degree of commonality between pairs of users within a file sharing system based on which files the users accessed over a period of time, (ii) building a social graph that indicates at least one edge between members of an instance of the pairs of users, (iii) computing an anomaly score for a user within the instance of the pairs of users, (iv) detecting that the anomaly score deviates, according to a statistical measurement, from historical anomaly scores computed for the same user, and (v) performing, in response to detecting that the anomaly score deviates from the historical anomaly scores, a protective action to protect computing resources from anomalous behavior by the user. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for dynamic access control over shared resources may include (1) detecting an attempt by a user to access a resource via a computing environment, (2) identifying a risk level of the user attempting to access the resource, (3) identifying a sensitivity level of the resource, (4) identifying a risk level of the computing environment through which the user is attempting to access the resource, (5) determining an overall risk level for the attempt to access the resource based at least in part on (A) the risk level of the user, (B) the sensitivity level of the resource, and (C) the risk level of the computing environment, and then (6) determining, based at least in part on the overall risk level, whether to grant the user access to the resource via the computing environment. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for threat detection using a software program update profile may include (1) building an update behavioral model that identifies legitimate update behavior for a software application by (a) monitoring client devices for update events associated with the software application and (b) analyzing the update events to identify the legitimate update behavior of the software application, (2) using the update behavioral model to identify suspicious behavior on a computing system by (a) detecting an update instance on the computing system, (b) comparing the update instance with the legitimate update behavior identified in the update behavioral model, and (c) determining, based on the comparison of the update instance with the legitimate update behavior, that the update instance is suspicious, and (3) in response to determining that the update instance is suspicious, performing a security action. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for creating security profiles may include (1) identifying, within a computing environment, a new actor as a target for creating a new security behavior profile that defines expected behavior for the new actor, (2) identifying a weighted graph that connects the new actor as a node to other actors, (3) creating, by analyzing the weighted graph, the new security behavior profile based on the new actor's specific position within the weighted graph, (4) detecting a security anomaly by comparing actual behavior of the new actor within the computing environment with the new security behavior profile that defines expected behavior for the new actor, and (5) performing, by a computer security system, a remedial action in response to detecting the security anomaly. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for managing access may include (1) identifying an attempt to perform, within a computing environment, an action that involves a specific entity, (2) determining that the attempted action is anomalous for the specific entity, (3) identifying a quota of allowed anomalous actions for the specific entity, (4) determining that the attempted action causes a count of anomalous actions to exceed the quota of allowed anomalous actions, and (5) performing a security action based on the determination that the attempted action causes the count of anomalous actions to exceed the quota of allowed anomalous actions. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Suspicious file prospecting activity is detected based on patterns of file system access. A user's file system access is monitored over a specific time period. A sequence of the file accesses (e.g., represented as path names) made by the user during the time period is recorded. Distances between the recorded file accesses are determined, for example as edit distances. A distance sequence is recorded, comprising a record of the determined distances. The distance sequence is reduced to one or more baseline statistics describing the pattern of the user's access of the file system during the given period of time. At least one subsequent anomaly in the user's access of the file system is detected, by comparing at least one subsequently calculated statistic representing at least one subsequent pattern of the user's file system access to the at least one baseline statistic.

Abstract: A method, performed by a processor to detect malicious or risky data accesses is provided. The method includes modeling user accesses to a content repository as to probability of a user accessing data in the content repository, based on a history of user accesses to the content repository. The method includes scoring a singular user access to the content repository, based on probability of access according to the modeling and alerting in accordance with the scoring.