Patents by Inventor Cormac E. Herley
Cormac E. Herley has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20230421580
Abstract: Methods for detecting and mitigating abusive network activity based on versioned browser usage are performed by systems and devices. Usage values for network activity of legacy web browser versions are determined, where the usage values represent benign network activity associated with active instances of the legacy versions over prior time periods. The number of active instances of legacy browser versions is assumed to generally be monotonically decreasing over time, and thus a bound of benign network activity for each of the legacy versions can be estimated by associating an approximate percentage of benign traffic with a minimum past usage value. Current network activity is monitored to determine current usage values for the legacy versions, and network actions are performed based on current usage values deviating from past usage values according to the bound.
Type: Application
Filed: June 28, 2022
Publication date: December 28, 2023
Inventors: Cormac E. HERLEY, Fang TU, Jayadev PILLAI
-
Patent number: 11165804
Abstract: Web traffic at different geographic traffic distribution buckets are compared against each other to try and machine-learn the underlying traffic parameters of legitimate (human-initiated) traffic. Distributions of the traffic parameters for the web traffic at multiple servers are compared to see whether they match. If so, matching or substantially matching traffic parameters signal that such web traffic is, in fact, legitimate. A clean profile is built with the matching traffic parameters and used to determine how much bot traffic is resident in web traffic at different servers.
Type: Grant
Filed: May 30, 2019
Date of Patent: November 2, 2021
Assignee: Microsoft Technology Licensing, LLC
Inventor: Cormac E. Herley
-
Publication number: 20200382535
Abstract: Web traffic at different geographic traffic distribution buckets are compared against each other to try and machine-learn the underlying traffic parameters of legitimate (human-initiated) traffic. Distributions of the traffic parameters for the web traffic at multiple servers are compared to see whether they match. If so, matching or substantially matching traffic parameters signal that such web traffic is, in fact, legitimate. A clean profile is built with the matching traffic parameters and used to determine how much bot traffic is resident in web traffic at different servers.
Type: Application
Filed: May 30, 2019
Publication date: December 3, 2020
Inventor: Cormac E. HERLEY
-
Patent number: 9166797
Abstract: Systems and methods that establish a secured compartment that manages sensitive user transactions/information on a user's machine. The secured compartment qualifies user interaction with the machine, and separates such qualified interaction from other user activity on the machine. A user is switched to such secured compartment upon occurrence of a predetermined event, such as in form of: an explicit request (e.g., a secure attention sequence); an implicit request (e.g., inference of user activities); and presence of a peripheral device that is bound to the secured compartment (e.g., a USB)—wherein such actions typically cannot be generated by an application running outside the secured compartment.
Type: Grant
Filed: October 24, 2008
Date of Patent: October 20, 2015
Assignee: Microsoft Technology Licensing, LLC
Inventors: Thekkthalackal Varugis Kurien, Cormac E. Herley, Alice Jane Bernheim Brush, Daniel C. Robbins, Arindam Chatterjee, Scott Field
-
Patent number: 9124431
Abstract: Techniques to provide evidence-based dynamic scoring to limit guesses in knowledge based authentication are disclosed herein. In some aspects, an authenticator may receive an input from a user in response to a presentation of a personal question that enables user access to a restricted resource. The authenticator may determine that the input is not equivalent to a stored value, and thus is an incorrect input. The authenticator may then determine whether the input is similar to a previous input received from the user. A score may be assigned to the input. When the input is determined to be similar to the previous input, the score may be reduced. Another request for an input may be transmitted by the authenticator when a sum of the score and any previous scores of the session is less than a threshold.
Type: Grant
Filed: May 14, 2009
Date of Patent: September 1, 2015
Assignee: Microsoft Technology Licensing, LLC
Inventors: Stuart Schechter, Yordan I. Rouskov, Cormac E. Herley, Charles William Kaufman
-
Patent number: 9021590
Abstract: A system and method that facilitates and effectuates detection of malware secreted and/or hidden in plain sight on a machine. The system and method in order to achieve its aims generates a list of all loaded modules, identifies from the list a set of modules common to more than a threshold number of processes, and eliminates from the list those modules included in an authentication list. The resultant list is prioritized based, in one instance, on the number of occurrences a particular module makes in the resultant list, and thereafter the list is distributed to analyst workstations.
Type: Grant
Filed: February 28, 2007
Date of Patent: April 28, 2015
Assignee: Microsoft Technology Licensing, LLC
Inventors: Cormac E. Herley, Brian W. Keogh, Aaron Michael Hulett, Adrian M. Marinescu, Jeffrey S. Williams, Stanislav Nurilov
-
Patent number: 8959644
Abstract: A popularity determination module (PDM) is described which reduces the effectiveness of statistical guessing attacks. The PDM operates by receiving a password (or other secret information item) from a user. The PDM uses a model to determine whether the password is popular among a group of users. If so, the PDM may ask the user to select another password. In one implementation, the model corresponds to a probabilistic model, such as a count-min sketch model. The probabilistic model provides an upper-bound assessment of a number of times that a password has been encountered. Further, the probabilistic model provides false positives (in which passwords are falsely assessed as popular) at a rate that exceeds a prescribed minimum rate. The false positives are leveraged to reduce the effectiveness of statistical guessing attacks by malicious entities.
Type: Grant
Filed: October 27, 2010
Date of Patent: February 17, 2015
Assignee: Microsoft Corporation
Inventors: Stuart E. Schechter, Cormac E. Herley, Michael D. Mitzenmacher
-
Patent number: 8856140
Abstract: Implementations can be used to initiate a query for information regarding a dialog prompt or other pop-up type of prompt or image. Further, implementations may use hash values in proxy for images to enable aggregating of images for creating a knowledge base regarding certain images determined to be of interest.
Type: Grant
Filed: June 9, 2009
Date of Patent: October 7, 2014
Assignee: Microsoft Corporation
Inventor: Cormac E. Herley
-
Patent number: 8825728
Abstract: Confidential information is provided to a proxy computer in communication between an unsecured computer and a computer having information desired by a user. The proxy computer receives the confidential information in either an encrypted form or having arbitrary information combined therewith. The proxy computer ascertains the confidential information and forwards it to the computer having the information desired by the user.
Type: Grant
Filed: June 15, 2006
Date of Patent: September 2, 2014
Assignee: Microsoft Corporation
Inventors: Cormac E. Herley, Dinei A. Florencio
-
Patent number: 8640231
Abstract: A phishing detection client component and method is provided. The component can be employed as part of a system to detect and, optionally, prevent phishing attacks. The phishing detection client component can provide password reuse event report(s), for example, to a phishing detection server component. The client component can further include a credential component that can track use of credentials by a user and determine whether a specific security credential is being used or presented. Due to the malicious nature of phishing in general, the client component can be susceptible to attacks by phishers. For example, phishers can generate false logins in an attempt to flood the client component with information resulting in induced false positives and/or induced false negatives. The client component can perform one or more checks to determine whether false login(s) have been attempted.
Type: Grant
Filed: February 23, 2006
Date of Patent: January 28, 2014
Assignee: Microsoft Corporation
Inventors: Dinei A. Florencio, Cormac E. Herley
-
Patent number: 8281147
Abstract: The claimed subject matter provides systems and/or methods that facilitate utilizing a shared secret to obscure a password within a sequence of characters. The sequence of characters can include the password as well as noise. The shared secret can leverage utilizing a set of known images that a user can uniquely distinguish from random images. By employing the imaged based shared secret, the user can login to a server from an untrusted machine suspected to be infected with spyware such as a keylogger that tracks user input.
Type: Grant
Filed: June 21, 2007
Date of Patent: October 2, 2012
Assignee: Microsoft Corporation
Inventors: Dinei A. Florencio, Cormac E. Herley
-
Patent number: 8255696
Abstract: Systems and methods facilitate secure one-time-password access to an account in a remote server from an untrusted client. The system consists of an intermediary component whose salient components are a proxy component, a webserver component, and an encryption/decryption component, and it preserves the characteristics of both the server and client. In a man-in-the-middle fashion, the proxy substitutes a one-time password entered at a login interface with a true password, and forwards it to the remote login server. True passwords are encrypted using a seed associated with user identifiers, and a list of one-time passwords is generated/updated and stored on media or transmitted to an electronic device. Substitution takes place by decrypting the one-time password with the seed used for encryption, ensuring the proxy avoids storing the true password.
Type: Grant
Filed: September 10, 2007
Date of Patent: August 28, 2012
Assignee: Microsoft Corporation
Inventors: Dinei A. Florencio, Cormac E. Herley
-
Publication number: 20120110668
Abstract: A popularity determination module (PDM) is described which reduces the effectiveness of statistical guessing attacks. The PDM operates by receiving a password (or other secret information item) from a user. The PDM uses a model to determine whether the password is popular among a group of users. If so, the PDM may ask the user to select another password. In one implementation, the model corresponds to a probabilistic model, such as a count-min sketch model. The probabilistic model provides an upper-bound assessment of a number of times that a password has been encountered. Further, the probabilistic model provides false positives (in which passwords are falsely assessed as popular) at a rate that exceeds a prescribed minimum rate. The false positives are leveraged to reduce the effectiveness of statistical guessing attacks by malicious entities.
Type: Application
Filed: October 27, 2010
Publication date: May 3, 2012
Applicant: Microsoft Corporation
Inventors: Stuart E. Schechter, Cormac E. Herley, Michael D. Mitzenmacher
-
Patent number: 7925883
Abstract: A phishing detection server component and method is provided. The component can be employed as part of a system to detect/phishing attacks. The phishing detection server component can receive password reuse event report(s), for example, from a protection component of client component(s). Due to the malicious nature of phishing in general, the phishing detection server component can be susceptible to attacks by phishers (e.g., by reverse engineering of the client component). For example, false report(s) of PREs can be received from phisher(s) in an attempt to overwhelm the server component, induce false positives and/or induce false negatives. Upon receipt of a PRE report, the phishing detection server component can first verify that the timestamp(s) are genuine (e.g., previously generated by the phishing detection server component). The report verification component can employ the timestamp(s) to verify veracity of the report (e.g., to minimize attacks by phishers).
Type: Grant
Filed: February 23, 2006
Date of Patent: April 12, 2011
Assignee: Microsoft Corporation
Inventors: Dinei A. Florencio, Cormac E. Herley
-
Patent number: 7886074
Abstract: Disclosed are methods and systems for a receiver to autonomously allocate bandwidth among its incoming communications flows. The incoming flows are assigned priorities. When it becomes necessary to alter the allocation of bandwidth among the flows, the receiver selects one of the lower priority flows. The receiver then causes the selected flow to delay sending acknowledgements of messages received to the senders of the messages. In most modern protocols, senders are sensitive to the time it takes to receive acknowledgements of the messages they send. When the acknowledgement time increases, the sender assumes that the receiver is becoming overloaded. The sender then slows down the rate at which it sends messages to the receiver. This lowered sending rate in turn reduces the amount of bandwidth used by the flow as it comes into the receiver. This frees up bandwidth which can then be used by higher priority flows.
Type: Grant
Filed: September 26, 2005
Date of Patent: February 8, 2011
Assignee: Microsoft Corporation
Inventors: Paul England, Cormac E. Herley
-
Publication number: 20100312548
Abstract: Implementations use hash values in proxy for images to enable aggregating of images for creating a knowledge base regarding certain images determined to be of interest.
Type: Application
Filed: June 9, 2009
Publication date: December 9, 2010
Applicant: Microsoft Corporation
Inventor: Cormac E. Herley
-
Publication number: 20100293608
Abstract: Techniques to provide evidence-based dynamic scoring to limit guesses in knowledge based authentication are disclosed herein. In some aspects, an authenticator may receive an input from a user in response to a presentation of a personal question that enables user access to a restricted resource. The authenticator may determine that the input is not equivalent to a stored value, and thus is an incorrect input. The authenticator may then determine whether the input is similar to a previous input received from the user. A score may be assigned to the input. When the input is determined to be similar to the previous input, the score may be reduced. Another request for an input may be transmitted by the authenticator when a sum of the score and any previous scores of the session is less than a threshold.
Type: Application
Filed: May 14, 2009
Publication date: November 18, 2010
Applicant: MICROSOFT CORPORATION
Inventors: Stuart Schechter, Yordan I. Rouskov, Cormac E. Herley, Charles William Kaufman
-
Patent number: 7788696
Abstract: Information about media objects within media streams is inferred based on repeat instances of the media objects within the media streams. A system and methods enable the monitoring of one or more media streams and the identification of repeat instances of media objects (e.g., audio and/or video objects) within the media streams. The monitoring and object repeat identification is performed by one or more server computers on a network. Information about a media object can be inferred based on repeat instances of the media object and based on repeat instances of related media objects. The information is transferred from a server to a client in response to a user query entered at the client through an interactive user interface.
Type: Grant
Filed: October 15, 2003
Date of Patent: August 31, 2010
Assignee: Microsoft Corporation
Inventors: Christopher J. C. Burges, Cormac E. Herley
-
Patent number: 7734678
Abstract: A system and method for data distribution is disclosed. A bulletin board is employed to maintain a list of requests from nodes in the system. The requests indicate data requested and identify the node making the request. Nodes are able to post requests for data as long as they maintain a minimum performance level. Additionally, the nodes periodically check in with the bulletin board and receive the list of requests from the bulletin board. On determining to satisfy a particular request by a node, the node (serving node) contacts a requesting node (identified in the request) and transfers the requested data to the requesting node. After successful completion of the transfer, the requesting node reports to the bulletin board that the node has filled the request and the request is removed from the list of requests.
Type: Grant
Filed: March 10, 2008
Date of Patent: June 8, 2010
Assignee: Microsoft Corporation
Inventor: Cormac E. Herley
-
Publication number: 20100107218
Abstract: Systems and methods that establish a secured compartment that manages sensitive user transactions/information on a user's machine. The secured compartment qualifies user interaction with the machine, and separates such qualified interaction from other user activity on the machine. A user is switched to such secured compartment upon occurrence of a predetermined event, such as in form of: an explicit request (e.g., a secure attention sequence); an implicit request (e.g., inference of user activities); and presence of a peripheral device that is bound to the secured compartment (e.g., a USB)—wherein such actions typically cannot be generated by an application running outside the secured compartment.
Type: Application
Filed: October 24, 2008
Publication date: April 29, 2010
Applicant: MICROSOFT CORPORATION
Inventors: Thekkthalackal Varugis Kurien, Cormac E. Herley, Alice Jane Bernheim Brush, Daniel C. Robbins, Arindam Chatterjee, Scott Field