Abstract: A security manager configured to generate a plurality of learned security policies and provide at least one learned security policy and a security agent to a client machine for enforcement of the at least one learned security policy by the security agent on the client machine. The security manager configured to receive alerts from the security agent indicating anomalous behavior on the client machine.

Abstract: A security manager configured to generate a plurality of learned security policies and provide at least one learned security policy and a security agent to a client machine for enforcement of the at least one learned security policy by the security agent on the client machine. The security manager configured to receive alerts from the security agent indicating anomalous behavior on the client machine.

Abstract: A security manager configured to generate a plurality of learned security policies and provide at least one learned security policy and a security agent to a client machine for enforcement of the at least one learned security policy by the security agent on the client machine. The security manager configured to receive alerts from the security agent indicating anomalous behavior on the client machine.

Abstract: A security manager configured to generate a plurality of learned security policies and provide at least one learned security policy and a security agent to a client machine for enforcement of the at least one learned security policy by the security agent on the client machine. The security manager configured to receive alerts from the security agent indicating anomalous behavior on the client machine.

Abstract: A security manager configured to generate a plurality of learned security policies and provide at least one learned security policy and a security agent to a client machine for enforcement of the at least one learned security policy by the security agent on the client machine. The security manager configured to receive alerts from the security agent indicating anomalous behavior on the client machine.

Abstract: There is provided, in accordance with some embodiments, a method comprising using one or more hardware processors for receiving a behavioral biometric model that characterizes a human user according to pointing device data of the human user, where the pointing device data comprises screen coordinate and time stamp pairs. The method comprises an action of monitoring an input data stream from a pointing device in real time, wherein the input data stream covers two or more spatial regions of a display screen, and an action of segregating the input data stream into one or more subset streams that is restricted to one of the plurality of spatial regions. The method comprises an action of computing a similarity score based on one or more comparisons of the behavioral biometric model and the one or more subset streams, and an action of sending the similarity score to a user authorization system.

Abstract: A security manager configured to generate a plurality of learned security policies and provide at least one learned security policy and a security agent to a client machine for enforcement of the at least one learned security policy by the security agent on the client machine. The security manager configured to receive alerts from the security agent indicating anomalous behavior on the client machine.

Abstract: Detecting heap spraying on a computer by determining that values of characteristics of a plurality of requests to allocate portions of heap memory are consistent with benchmark values of the characteristics, wherein the benchmark values of the characteristics are associated with heap spraying; and performing a computer-security-related remediation action responsive to determining that the values of the characteristics are consistent with the benchmark values of the characteristics.

Abstract: There is provided, in accordance with some embodiments, a method comprising using one or more hardware processors for receiving a behavioral biometric model that characterizes a human user according to pointing device data of the human user, where the pointing device data comprises screen coordinate and time stamp pairs. The method comprises an action of monitoring an input data stream from a pointing device in real time, wherein the input data stream covers two or more spatial regions of a display screen, and an action of segregating the input data stream into one or more subset streams that is restricted to one of the plurality of spatial regions. The method comprises an action of computing a similarity score based on one or more comparisons of the behavioral biometric model and the one or more subset streams, and an action of sending the similarity score to a user authorization system.

Abstract: Detecting computer anomalies by determining probabilities of encountering call stack configurations at various depths, the call stacks being associated with software application instances on computers having the same operating system, where snapshots of the call stacks are recorded on the computers responsive to detecting predefined software application events, determining entropies of call stack configurations at various call stack depths using their associated probabilities, determining stack frame rarity scores of call stack configurations at various depths based on their associated stack frame entropies in accordance with a predefined rarity function, determining a call stack rarity score of any given call stack configuration as the maximum stack frame rarity score of the given configuration, and detecting an anomaly associated with any given one of the computers where any of the snapshots recorded on the given computer is of a call stack whose call stack rarity score meets a predefined anomaly condition.

Abstract: Detecting computer anomalies by determining probabilities of encountering call stack configurations at various depths, the call stacks being associated with software application instances on computers having the same operating system, where snapshots of the call stacks are recorded on the computers responsive to detecting predefined software application events, determining entropies of call stack configurations at various call stack depths using their associated probabilities, determining stack frame rarity scores of call stack configurations at various depths based on their associated stack frame entropies in accordance with a predefined rarity function, determining a call stack rarity score of any given call stack configuration as the maximum stack frame rarity score of the given configuration, and detecting an anomaly associated with any given one of the computers where any of the snapshots recorded on the given computer is of a call stack whose call stack rarity score meets a predefined anomaly condition.

Abstract: Detecting computer anomalies by determining probabilities of encountering call stack configurations at various depths, the call stacks being associated with software application instances on computers having the same operating system, where snapshots of the call stacks are recorded on the computers responsive to detecting predefined software application events, determining entropies of call stack configurations at various call stack depths using their associated probabilities, determining stack frame rarity scores of call stack configurations at various depths based on their associated stack frame entropies in accordance with a predefined rarity function, determining a call stack rarity score of any given call stack configuration as the maximum stack frame rarity score of the given configuration, and detecting an anomaly associated with any given one of the computers where any of the snapshots recorded on the given computer is of a call stack whose call stack rarity score meets a predefined anomaly condition.

Abstract: Detecting computer anomalies by determining probabilities of encountering call stack configurations at various depths, the call stacks being associated with software application instances on computers having the same operating system, where snapshots of the call stacks are recorded on the computers responsive to detecting predefined software application events, determining entropies of call stack configurations at various call stack depths using their associated probabilities, determining stack frame rarity scores of call stack configurations at various depths based on their associated stack frame entropies in accordance with a predefined rarity function, determining a call stack rarity score of any given call stack configuration as the maximum stack frame rarity score of the given configuration, and detecting an anomaly associated with any given one of the computers where any of the snapshots recorded on the given computer is of a call stack whose call stack rarity score meets a predefined anomaly condition.

Abstract: Detecting heap spraying on a computer by determining that values of characteristics of a plurality of requests to allocate portions of heap memory are consistent with benchmark values of the characteristics, wherein the benchmark values of the characteristics are associated with heap spraying; and performing a computer-security-related remediation action responsive to determining that the values of the characteristics are consistent with the benchmark values of the characteristics.

Abstract: Detecting heap spraying on a computer by detecting a plurality of requests to allocate portions of heap memory, measuring the plurality of requests to determine a value of a characteristic of the plurality of requests, identifying an activity consistent with heap spraying by determining that the value of the characteristic is consistent with a benchmark value of the characteristic, wherein the benchmark value of the characteristic is associated with heap spraying, and performing a computer-security-related remediation action responsive to determining that the value of the characteristic is consistent with the benchmark value of the characteristic.

Abstract: Detecting heap spraying on a computer by detecting a plurality of requests to allocate portions of heap memory, measuring the plurality of requests to determine a value of a characteristic of the plurality of requests, identifying an activity consistent with heap spraying by determining that the value of the characteristic is consistent with a benchmark value of the characteristic, wherein the benchmark value of the characteristic is associated with heap spraying, and performing a computer-security-related remediation action responsive to determining that the value of the characteristic is consistent with the benchmark value of the characteristic.

Abstract: The present disclosure relates to a method of providing user categorization from computer pointer interaction, comprising the steps of: creating a plurality of different pointer data profiles based on initial user sessions and storing said created pointer data profiles in the form of pointer data profile entries in a pointer data profile database, wherein said pointer data profile is obtained from collected user activity data generated by a pointing device; and categorizing each user using the stored pointer data profiles at an onset of subsequent user sessions.