Abstract: Particular embodiments described herein provide for an electronic device that can be configured to identify a file, determine a polyglotness score for the file, where the polyglotness score is an indicator of whether or not the file is a polyglot file, and analyze the file for the presence of malware if the polyglotness score satisfies threshold.

Abstract: There is disclosed in one example a computing apparatus, including: a processor and a memory; a uniform resource locator (URL) reputation store; a network interface; and instructions encoded within the memory to instruct the processor to: receive via the network interface a request for a reputation for a URL; query the URL reputation store and determine that the URL does not have a known reliable reputation; add the URL to a URL analysis queue; perform a rough analysis of the URL, and determine from the rough analysis that the URL potentially is for a phishing website; and move the URL ahead in the analysis queue.

Abstract: There is disclosed an example of one or more tangible, non-transitory computer-readable storage media, including instructions to: enumerate domain names newly registered in a time window; build a dictionary from the newly registered domain names; cluster the domain names, including performing a spell check with the dictionary to identify similar domain names; for a selected cluster, identify one or more domain names with an assigned reputation; and if a portion of assigned reputations exceeds a threshold of bad reputations, assign cluster-based bad reputations to domains in the cluster with unknown reputations.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; and instructions encoded within the memory to instruct the processor to: receive a client event report, the client event report including an operating system event trace for an attempt to exploit a patched vulnerability, and first feature data for a malware object that made the attempt; receive second feature data for an unknown object; compare the first feature data to the second feature data; and if the second feature data match the first feature data above a threshold, convict the unknown object as malware.

Abstract: Methods, systems, and media for protecting computer networks using adaptive workloads are provided. In some embodiments, the method comprises: transmitting, to a first server, an indication of a status of resources available to a user device; receiving a workload distribution that indicates an amount of work to be performed by the user device, wherein the amount of work is determined based on the status of resources; determining that a site is to be accessed by the user device; generating an analysis that includes one or more values indicating the safety of the site; transmitting the analysis to a second server at which a remaining amount of work is to be performed; based on the remaining amount of work, determining that the site is to be blocked from being accessed by the user device; and blocking the site from being accessed by the user device.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform; and a storage medium having stored thereon executable instructions to provide an inference engine configured to: receive a new suspicious fragment object from a protected device; add the new suspicious fragment object to a rolling map configured to provide a temporal snapshot of suspicious fragment objects over a time span; determine a connection between the new suspicious fragment object and an existing suspicious fragment object within the rolling map; apply the connection to a connection map; and operate a map classifier to determine that the connection map represents a probable computer security threat.

Abstract: There is disclosed in one example a computing apparatus, including: a processor; and logic encoded into one or more computer-readable mediums, the logic to instruct the processor to: capture first data from an intermediate data source across a first temporal interval; perform partial signal processing on the first data to classify the first temporal interval as either suspicious or not suspicious, wherein the first temporal interval is classified as suspicious if it is determined to potentially represent at least a portion of a cryptomining operation; classify second through N temporal intervals as either suspicious or not suspicious; based on the first through N temporal intervals, classify the apparatus as either operating a cryptomining function or not; and upon classifying the apparatus as operating a cryptomining function and determining that the cryptomining function is not authorized, take remedial action on the apparatus.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed for classification of unknown samples using agglomerative clustering.

Abstract: A method including receiving a feature vector of an unknown sample, computing a MinHash of the unknown sample based on Jaccard-compatible features, querying a Locality Sensitive Hashing forest of known samples with the MinHash of the unknown sample to identify a first subset of known samples that are similar to the unknown sample, receiving for each individual known sample in the first subset, a feature vector including non-Jaccard distance-compatible features, computing a first sub-distance and a second sub-distance between the unknown sample and the known samples in the first subset, calculating a total distance for each known sample in the first subset by combining the first and the second sub-distances, identifying, based on the calculated total distances, a second subset of known samples that are most similar to the unknown sample, and classifying the unknown sample based on the second subset.

Abstract: There is disclosed in one example a malware analysis server, including: a hardware platform including a processor and a memory; a machine learning model; a store of known objects previously classified by the machine learning model; and instructions encoded within the memory to instruct the processor to: receive a test sample; apply the machine learning model to the test sample to provide the test sample with classified features; compute pairwise distances between the test sample and a set of known objects from the store of known objects; select a group of near neighbor samples from the set of known objects; select a group of far neighbor samples from the set of known objects; and generate an explanation for the test sample according to the near neighbor samples and far neighbor samples.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to facilitate malware detection using compressed data. An example apparatus includes an input processor to obtain a model, the model identifying a first sequence associated with a first trace of data known to be repetitive, a sequence identifier to identify a second sequence associated with a second trace of data, a comparator to compare the first sequence with the second sequence, and an output processor to when the first sequence matches the second sequence, transmit an encoded representation of the second sequence to the central processing facility using a first channel of communication, and when the first sequence fails to match the second sequence, transmit the second sequence to the central processing facility using a second channel of communication, the second sequence to be analyzed by the central processing facility to identify whether the second sequence is indicative of malware.

Abstract: Methods, apparatus, systems and articles of manufacture to detect phishing websites are disclosed. An example apparatus includes a plurality of website analyzers to analyze a requested website for evidence of a phishing attack, the plurality of website analyzers including a first website analyzer and a second website analyzer. An analysis selector is to select the first website analyzer for execution, the analysis selector to, in response to determining that an additional analyzer is to be executed, select the second website analyzer to analyze the requested website. A website classifier is to, in response to a website analyzer indicating a classification that exceeds a confidence threshold, classify the requested website as a benign site or presenting a phishing attack.

Abstract: There is disclosed in one example a computing apparatus, including: a processor and a memory; a uniform resource locator (URL) reputation store; a network interface; and instructions encoded within the memory to instruct the processor to: receive via the network interface a request for a reputation for a URL; query the URL reputation store and determine that the URL does not have a known reliable reputation; add the URL to a URL analysis queue; perform a rough analysis of the URL, and determine from the rough analysis that the URL potentially is for a phishing website; and move the URL ahead in the analysis queue.

Abstract: Methods, apparatus, systems and articles of manufacture for improving anti-malware scan responsiveness are disclosed. A storage device or storage disk comprising instructions which, when executed, cause processor circuitry to at least: in response to a performance issue on a user computing device, determine a symptom association with the performance issue based on a user input from the user computing device, the user input corresponding to highlighting an area of a window associated with the performance issue, the window having been displayed on the display by an operating system of the user computing device, identify a scan parameter for a targeted anti-malware scan based on positive results of malware scans from other user computing devices that experienced the symptom, and transmit the scan parameter to the user computing device to facilitate a targeted anti-malware scan of the user computing device based on the scan parameter.

Abstract: Security risk evaluation across user devices is disclosed herein. An example method includes registering one or more devices associated with a first user with the computer system, determining respective security sub-scores for each item of the one or more devices, computing an overall security score for the first user based, at least in part, on an aggregation of the security sub-scores, and creating a user profile based on the overall security score, the user profile to enable the at least one of the one or more devices to exchange data with an external device when the overall security score meets a security score threshold, the user profile to prevent the at least one of the one or more devices from exchanging data with the external device when the overall security score does not meet the security score threshold.

Abstract: Apparatus, systems, articles of manufacture, and methods for improving anti-malware scan responsiveness and effectiveness using user symptoms feedback. An example method includes detecting a performance issue on a computing device, presenting a user interface on a display of the computing device requesting user feedback regarding the performance issue, and synthesizing user input related to the performance issue to identify, on the computing device, a scan parameter associated with the performance issue. The example method further includes, in response to failing to identify the scan parameter on the computing device, transmitting the user input to a symptom analysis server to identify the scan parameter based on anti-malware scans from other computing devices, and, in response to determining the scan parameter, performing a targeted anti-malware scan on the computing device.

Abstract: There is disclosed in one example a gateway apparatus to operate on an intranet, including: a hardware platform; and an access proxy engine to operate on the hardware platform and configured to: intercept an incoming packet; determine that the incoming packet is an access request directed to an access interface of a resource of the intranet; present an access checkpoint interface; receive an authentication input response; validate the authentication input response; and provide a redirection to the access interface of the device.

Abstract: Device users today are increasingly using multiple smart connected devices simultaneously in order to manage their online lives and increase their productivity. This makes it difficult for users to accurately gauge or feel confident about their overall online security and privacy levels, and it also increases potential attack avenues for malicious actors. Interconnections and relationships between such smart connected devices may also further increase and complicate the security implications of the user's multi-device connected world. The systems and methods disclosed herein provide a single reference point to users that allows them to evaluate the security and privacy aspects of their various online activities and multi-device ecosystem via a single Security and Privacy Score (SPS) value.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to receive registration data for a local network device, receive registration data for an electronic device, receive a request to pair the local network device and the electronic device, where the request to pair the devices includes a pairing code, and allow the pairing if the registration data for the local network device, the registration data for the electronic device, and the pairing code satisfies predetermined conditions. In an example, the pairing code was to the local network device and the electronic device requested and received the pairing code from the local network device.

Abstract: An example authentication device disclosed herein is to access a message received via a wireless interface from an adapter, the message to indicate that a host device has connected to the adapter, the host device different from the authentication device. The disclosed example authentication device is also to determine whether to allow the host device to access a storage device. The disclosed example authentication device is further to transmit authentication data to the adapter via the wireless interface, the authentication data to specify whether the host device is allowed to access the storage device.