Abstract: Particular embodiments described herein provide for an electronic device that can be configured to allow for the mitigation of ransomware. For example, the system can determine that an application begins to execute, determine that the application attempts to modify a file, determine a file type for the file, and create a security event if the application is not authorized to modify the file type. In another example, the system determines an entropy value between the file and the attempted modification of the file, and create a security event if the entropy value satisfies a threshold or determine a system entropy value that includes a rate at which other files on the system are being modified by the application, and create a security event if the system entropy value satisfies a threshold.

Abstract: Certain embodiments herein relate to pairing an external device and a computer using a random user action. The random user action may be generated based on the type of device. After an external device is connected to the computer, the external device is segregated from one or more resources of the computer. A random user action based on the device type, and to be received from the external device, is generated and requested. If the random user action is received, the external device is paired with the computer and provided access to the one or more resources of the computer.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to monitor network traffic to and from a device, compare the monitored network traffic to characteristics of the device to determine if the monitored traffic is outside the characteristics of the device, and take remedial action if the monitored traffic is outside the characteristics of the device.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to determine when a peripheral is connected to the electronic device, determine a peripheral identification for the peripheral, and monitor the data going to and from the peripheral. Based on the monitored data, a type for the peripheral can be determine. The peripheral identification can be compared with the determined type for the peripheral and if they do not match, then communication to and from the peripheral can be blocked.

Abstract: A collection of techniques is disclosed to allow for the detection of malware that leverages pattern recognition and machine learning to effectively provide “content-less” malware detection, i.e., detecting a process as being an ‘anomaly’ not based on its particular content, but instead based on comparisons of its behavior to known (and characterized) ‘trusted’ application behaviors, i.e., the trusted applications' “phenotypes” and/or the phenotypes of known malware applications. By analyzing the patterns of normal behavior performed by trusted applications as well as malware applications, one can build a set of sophisticated, content-agnostic behavioral models (i.e.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to determine a file characteristic for a characteristic of a file, determine that the file has been modified to create a new file, determine a new characteristic for the characteristic of the new file, and create a security event if the new file characteristic does not match the file characteristic.

Abstract: In an example, there is disclosed a system and method for a two-device scrambled display. A first device displays content in a scrambled form. A second device acts as an interpreter, including an input driver for receiving a scrambled input; an output driver for displaying an organically perceptible output; and one or more logic elements comprising a unscrambling engine operable for: receiving an input on the input driver; detecting that at least a portion of the input is scrambled; unscrambling the scrambled portion of the input; and outputting an unscrambled analog of the scrambled input via the output driver.

Abstract: Particular embodiments described herein provide for a system that can be configured to communicate chat session data during a chat session to a first display of a first electronic device, communicate the chat session data during the chat session to a second display of a second electronic device, receive sensitive data during the chat session from the first electronic device, and protect the sensitive data from being displayed on the second display during the chat session without breaking continuity of the chat session.

Abstract: Certain embodiments herein relate to pairing an external device and a computer using a random user action. The random user action may be generated based on the type of device. After an external device is connected to the computer, the external device is segregated from one or more resources of the computer. A random user action based on the device type, and to be received from the external device, is generated and requested. If the random user action is received, the external device is paired with the computer and provided access to the one or more resources of the computer.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to monitor network traffic to and from a device, compare the monitored network traffic to characteristics of the device to determine if the monitored traffic is outside the characteristics of the device, and take remedial action if the monitored traffic is outside the characteristics of the device.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to identifying a digital certificate associated with data and assigning a reputation to the digital certificate, where the digital certificate is classified as trusted if the digital certificate is included in an entry in a whitelist and the digital certificate is classified as untrusted if the digital certificate is included in an entry in a blacklist.

Abstract: Provided in some embodiments are systems and methods for remediating malware. Embodiments include receiving (from a process) a request to access data, determining that the process is an unknown process, providing the process with access to one or more data tokens in response to determining that the process is an unknown process, determining whether the process is engaging in suspicious activity with the one or more data tokens, and inhibiting execution of the process in response to determining that the process is engaging in suspicious activity with the one or more data tokens.

Abstract: A technique allows a parentally attested security token to serve as authentication for a minor using identifying attributes of the minor child. The security token may include personally identifiable information about the child, a description of authorized activity as well as specifications of intended use of the security token. The security token may include provisions for authentication to be revoked by a parent or guardian and/or expire after a predetermined time. The security token may be stored inside a trusted execution environment of a portable computing device that may be carried by the minor and presented at physical locations where authentication is required.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to determine when a peripheral is connected to the electronic device, determine a peripheral identification for the peripheral, and monitor the data going to and from the peripheral. Based on the monitored data, a type for the peripheral can be determine. The peripheral identification can be compared with the determined type for the peripheral and if they do not match, then communication to and from the peripheral can be blocked.

Abstract: A system, method, and computer program product are provided for redirecting internet relay chat (IRC) traffic identified utilizing a port-independent algorithm and controlling IRC based malware. In use, IRC traffic communicated via a network is identified utilizing a port-independent algorithm. Furthermore, the IRC traffic is redirected to a honeypot.

Abstract: A system, method, and computer program product are provided for applying a regular expression to content based on required strings of the regular expression. In use, all required strings included in a regular expression are identified, the required strings including strings required by the regular expression. Additionally, it is determined whether the required strings match content. Furthermore, the regular expression is applied to the content, based on the determination.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for detecting obfuscated malware.

Abstract: A system, method, and computer program product are provided for applying a regular expression to content based on required strings of the regular expression. In use, all required strings included in a regular expression are identified, the required strings including strings required by the regular expression. Additionally, it is determined whether the required strings match content. Furthermore, the regular expression is applied to the content, based on the determination.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for detecting obfuscated malware.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for obfuscated malware. In one aspect, a method includes executing from a binary executable a call instruction and a plurality of instruction subsequent to a target of the call instruction, determining if the value identified by the stack pointer of the call stack is equal to a default value stored in the call stack prior to emulation, determining if there is a non-obfuscation signal resulting from the execution of the call instructions and the plurality of instructions, and if the value identified by the stack pointer is the default value and there is no obfuscation signal, identifying the call instruction as a possibly obfuscated call instruction; Additionally, the method includes determining that if the number of call instructions identified as possibly obfuscated call instructions exceeds a threshold number, identifying the binary executable as an obfuscated executable.