Abstract: Anti-impersonation techniques using device-context information and user behavior information from a session. The session can include a time period where a user of the client computer is performing an activity on the client computer (e.g., the session includes the user logging into an account online). The behavior information can include information on ways the user uses user input devices during the session. The device-context information can include HTTP session information. The techniques can include generating feature vector(s) for the received information, and comparing the feature vector(s) against model(s) of related historical information. The comparisons can provide level(s) of deviation of the feature vector(s) from the model(s). Also, the techniques can include determining whether the session is anomalous or normal according to the level(s) of deviation, and performing a security action in response to determining the session is anomalous.

Abstract: The disclosed techniques utilize round-trip times (RTTs) from back-and-forth communications with distant servers to detect impersonations in a computer network, such as impersonations using IP spoofing. Also, the techniques can use machine learning to enhance analysis in spoofing detection. The techniques can include sending a computer program to a client device. The client device can have an IP address, and the computer program can be executed by the client device after it is received by the client device. The computer program can measure RTTs for messages the computer program sends to multiple pre-selected location servers at different remote or distant locations and for corresponding reply messages that are returned to the computer program. The IP address of the client device and the measured RTTs can then be received and used to determine whether the measured RTTs are anomalous or not; and thus, determine a possible impersonator or a legitimate user.

Abstract: Techniques to remotely detect behavior associated with malware and identify compromised user-sessions, regardless of the malware variant or family, and independently of the page structure.

Abstract: The disclosed techniques utilize round-trip times (RTTs) from back-and-forth communications with distant servers to detect impersonations in a computer network, such as impersonations using IP spoofing. Also, the techniques can use machine learning to enhance analysis in spoofing detection. The techniques can include sending a computer program to a client device. The client device can have an IP address, and the computer program can be executed by the client device after it is received by the client device. The computer program can measure RTTs for messages the computer program sends to multiple pre-selected location servers at different remote or distant locations and for corresponding reply messages that are returned to the computer program. The IP address of the client device and the measured RTTs can then be received and used to determine whether the measured RTTs are anomalous or not; and thus, determine a possible impersonator or a legitimate user.

Abstract: Anti-impersonation techniques using device-context information and user behavior information from a session. The session can include a time period where a user of the client computer is performing an activity on the client computer (e.g., the session includes the user logging into an account online). The behavior information can include information on ways the user uses user input devices during the session. The device-context information can include HTTP session information. The techniques can include generating feature vector(s) for the received information, and comparing the feature vector(s) against model(s) of related historical information. The comparisons can provide level(s) of deviation of the feature vector(s) from the model(s). Also, the techniques can include determining whether the session is anomalous or normal according to the level(s) of deviation, and performing a security action in response to determining the session is anomalous.

Abstract: Systems and methods to detect remote access malware activities, via: detecting, in a computing device, first input events in an operating system of the computing device; detecting, in the computing device, second input events received in an application running in the computing device; detecting, in the computing device, a mismatch between the first input events detected in the operating system and the second input events received in the application running in the computing device; and in response to the mismatch being detected, generating an alert indicating a threat of the application being attached by remote access malware.

Abstract: Systems and methods to detect the identities of victims of phishing activities, in which embedding, in an item, an element having a reference to a server, is embedded in an item (e.g., a webpage or a mobile application) that may be copied by attackers. When used on a user computer, the element generates a request to the server. Based on the request, the server identifies a user of the element embedded in the item or a copy of the item. Based on uses of the element, the server tracks a history of the user using the item or the copy of the item. In response to a determination that the element is currently being used by the user in the item and the history indicates that the user has used the copy of the item, the server identifies the user as a victim of the copy of the item.

Abstract: Systems and methods to detect remote access malware activities, via: detecting, in a computing device, first input events in an operating system of the computing device; detecting, in the computing device, second input events received in an application running in the computing device; detecting, in the computing device, a mismatch between the first input events detected in the operating system and the second input events received in the application running in the computing device; and in response to the mismatch being detected, generating an alert indicating a threat of the application being attached by remote access malware.

Abstract: Systems and methods to detect the identities of victims of phishing activities, in which embedding, in an item, an element having a reference to a server, is embedded in an item (e.g., a webpage or a mobile application) that may be copied by attackers. When used on a user computer, the element generates a request to the server. Based on the request, the server identifies a user of the element embedded in the item or a copy of the item. Based on uses of the element, the server tracks a history of the user using the item or the copy of the item. In response to a determination that the element is currently being used by the user in the item and the history indicates that the user has used the copy of the item, the server identifies the user as a victim of the copy of the item.

Abstract: Among other things, embodiments of the present disclosure help provide entities with the ability to remotely detect behavior associated with malware and identify compromised user-sessions, regardless of the malware variant or family, and independently of the page structure.

Abstract: Among other things, embodiments of the present disclosure help provide entities with the ability to remotely detect behavior associated with malware and identify compromised user-sessions, regardless of the malware variant or family, and independently of the page structure.

Abstract: Among other things, embodiments of the present disclosure help provide entities with the ability to remotely detect behavior associated with malware and identify compromised user-sessions, regardless of the malware variant or family, and independently of the page structure.

Abstract: Systems and methods to detect remote access malware activities, via: detecting, in a computing device, first input events in an operating system of the computing device; detecting, in the computing device, second input events received in an application running in the computing device; detecting, in the computing device, a mismatch between the first input events detected in the operating system and the second input events received in the application running in the computing device; and in response to the mismatch being detected, generating an alert indicating a threat of the application being attached by remote access malware.

Abstract: Among other things, embodiments of the present disclosure help provide entities with the ability to remotely detect behavior associated with malware and identify compromised user-sessions, regardless of the malware variant or family, and independently of the page structure.