Abstract: Various embodiments comprise systems and methods to generate privacy audit reports for web applications. In some examples a computing system comprises a data extraction component, a risk assessment component, and an exposure component. The data extraction component crawls a web application and identifies data, data exposure points, and security policies implemented by the web application. The risk assessment component generates a risk score for the web application based on the amount data, the data sensitivity, the amount and type of data exposure points, and the security policies. The risk assessment component generates the privacy audit report for the web application. The privacy audit report comprises the risk score, an inventory of data types, an inventory of the data exposure points, and a graphical representation of historical risk scores. The exposure component transfers the privacy audit report for delivery to an operator of the web application.

Abstract: Techniques to facilitate adaptive sampling of security policy violations are disclosed herein. In at least one implementation, a variable sampling rate for sampling a fixed amount of security policy violation reports per unit time based on a violation rate is determined. The variable sampling rate is applied to sample the fixed amount of the security policy violation reports per unit time. When the violation rate exceeds a threshold, the variable sampling rate is switched to a fixed sampling rate for sampling a variable amount of the security policy violation reports per unit time. The fixed sampling rate is applied to sample the variable amount of the security policy violation reports per unit time.

Abstract: Techniques to facilitate automatic insertion of security policies for web applications are disclosed herein. In at least one implementation, security configuration information for a web application is received. A web request for a web resource is received and processed to determine an HTTP security header for insertion into a web response to the web request based on properties of the web request. The web response is intercepted and the HTTP security header is inserted into the web response to generate a modified web response. The web response is processed to determine a security enhancement to apply to the web resource based on the security configuration information. The security enhancement is applied to the web resource to generate a modified web resource. The modified web response and the modified web resource are provided to a client application in response to the web request for the web resource.

Abstract: Techniques to facilitate protection of web application components are disclosed herein. In at least one implementation, a plurality of web resources associated with a web applications is received. The plurality of web resources is processed to generate individual generalized code templates for each of the web resources by removing data constants and code formatting elements from the web resources. A set of the individual generalized code templates for each of the web resources is stored in a probabilistic data structure. A security web module comprising the probabilistic data structure having the set of the individual generalized code templates for each of the web resources stored therein is deployed to protect the web application.

Abstract: The disclosed computer-implemented method for training malware classifiers may include (1) perturbing, at a computing device, a binary file in a manner that maintains functionality of the binary file, (2) classifying the perturbed binary file with a first machine learning classifier to produce a classification result, (3) producing a transformed file by repeating the perturbing and classifying steps until the transformed file becomes misclassified, and (4) performing a security action comprising training a second machine learning classifier with the transformed file and an associated correct classification result. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Privacy preserving secure task automation. A method may include generating, by a first section of a platform, a pair of encryption keys (private and shared secret keys); receiving, by a second section of the platform, platform user data, trigger service user data; and action service user data, wherein the user of the services and platform are the same; sending the shared secret key to the services; storing the private key in the first section; receiving from the trigger service, by the second section, a first communication encrypted with the shared secret key, regarding occurrence of a trigger; determining, by the first section, that the trigger corresponds to the user of the platform; encrypting a second message with the shared secret key, requesting invocation of the action based on the trigger; and transmitting the second encrypted message to the action service without the data related to the user of the platform.

Abstract: The disclosed computer-implemented method for detecting misuse of online service access tokens may include (1) receiving a user permission token to access an online service that manages one or more user resources, (2) monitoring, based on utilization of the user permission token, usage data associated with an access token issued to a relying party for accessing the user resources managed by the online service, (3) identifying, based on the usage data, activity associated with the access token being misused by the relying party, and (4) performing, a security action that protects the user resources against the activity associated with the access token being misused by the relying party. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for preparing honeypot computer files may include (1) identifying, at a computing device, a search term used by a cyber attacker in an electronic search request, (2) identifying, without regard to a search access restriction, a sensitive computer document in search results stemming from the electronic search request, (3) creating, as a security action in response to the electronic search request, a honeypot computer file based on the sensitive computer document and including the identified search term, and (4) placing the honeypot computer file in the search results. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A method for improving memory efficiency of production rule systems is described. In one embodiment, the method includes identifying a rule associated with production rule systems, constructing a production rule network based at least in part on the rule, identifying a positional constraint associated with the rule, and implementing an alpha memory gate in the production rule network based at least in part on the positional constraint. In some cases, the alpha memory gate is one of a plurality of nodes of the production rule network.

Abstract: A method for insider threat detection under user-resource bi-partite graphs is described. A computing device evaluates a bi-partite mapping of a set of users and a set of files, and performs a random-walk procedure initiating from a selected user of the set of users. The computing device computes a probability distribution associated with the access frequency of each alternate user and file of the random-walk procedure, and compares the probability distribution to one or more distributions associated with temporal periods prior to the initiated procedure. Based on the comparison, the computing device identifies points of maximum variance of the distribution. The computing device identifies the files of the set of files and users of the set of users associated with the points of maximum variance and access raw data to identify activity associated with the selected user and the identified resources.

Abstract: Systems, apparatuses, methods, and computer readable mediums for modeling malicious behavior that occurs in the absence of users. A system trains an anomaly detection model using attributes associated with a first plurality of events representing system activity on one or more clean machines when users are not present. Next, the system utilizes the trained anomaly detection model to remove benign events from a second plurality of events captured from infected machines when users are not present. Then, the system utilizes malicious events, from the second plurality of events, to train a classifier. Next, the classifier identifies a first set of attributes which are able to predict if an event is caused by malware with a predictive power greater than a threshold.

Abstract: The disclosed computer-implemented method for detecting anomalous behavior in shared data repositories may include (i) identifying a shared data repository that comprises files, (ii) monitoring access to the files for a predetermined time period in order to determine which files are accessed by each user, (iii) creating a graph of the access to the files, wherein each vertex represents a user and each edge that connects two vertices represents that one or more files were accessed by both users represented by the two vertices, (iv) deriving, from the graph, a set of communities, wherein each community represents a set of users that collaborated on one or more files during the predetermined time period, and (v) determining that a collaboration pattern of a user does not match a collaboration pattern for the user's community observed during the predetermined time period. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Automatically detecting insider threats using user collaboration patterns. In one embodiment, a method may include identifying collaborative access of one or more network resources in a network between a target user using a target network device and other users using other network devices in the network during multiple prior time periods and during a current time period, generating prior collaboration graphs for the prior time periods, generating an average collaboration graph by combining the prior collaboration graphs, generating a current collaboration graph for the current time period, generating an anomaly score by comparing the current collaboration graph to the average collaboration graph, determining that the collaborative access of the one or more network resources during the current time period is anomalous by determining that the anomaly score exceeds a threshold, and, in response to the anomaly score exceeding the threshold, performing a security action on the target network device.

Abstract: The disclosed computer-implemented method for identifying non-malicious files on computing devices within organizations may include (1) identifying a file on at least one computing device within multiple computing devices managed by an organization, (2) identifying a source of the file based on examining a relationship between the file and the organization, (3) determining that the source of the file is trusted within the organization, and then (4) concluding, based on the source of the file being trusted within the organization, that the file is not malicious. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Automatically detecting insider threats using user collaboration patterns. In one embodiment, a method may include identifying collaborative access of one or more network resources in a network between a target user using a target network device and other users using other network devices in the network during multiple prior time periods and during a current time period, generating prior collaboration graphs for the prior time periods, generating an average collaboration graph by combining the prior collaboration graphs, generating a current collaboration graph for the current time period, generating an anomaly score by comparing the current collaboration graph to the average collaboration graph, determining that the collaborative access of the one or more network resources during the current time period is anomalous by determining that the anomaly score exceeds a threshold, and, in response to the anomaly score exceeding the threshold, performing a security action on the target network device.

Abstract: Telemetry data concerning multiple samples convicted as malware by different endpoints is tracked over time. During a period of time in which telemetry data concerning convicted samples are tracked, specific samples can be convicted multiple times, both on a single endpoint and/or on multiple endpoints. The tracked telemetry data concerning the convicted samples is analyzed, and data that is indicative of false positives is identified. Convictions of samples can be exonerated as false positives, based on the results of analyzing the tracked telemetry data. More specifically, multiple data points from the tracked telemetry data that comprise evidence of false positives can be quantified and weighted. Where the evidence of false positives exceeds a given threshold, convictions of a given sample can be exonerated.

Abstract: The disclosed computer-implemented method for determining the trustworthiness of files within organizations may include (1) identifying a file on a computing device within multiple computing devices managed by an organization, (2) in response to identifying the file, identifying at least one additional computing device within the multiple computing devices that is potentially associated with the file, (3) distributing at least a portion of the file to a user of the additional computing device with a request to receive an indication of the trustworthiness of the file, and then (4) receiving, from the additional computing device, a response that indicates the trustworthiness of the file. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Techniques are disclosed for dynamically managing hardening policies in a client computer (e.g., of an enterprise network). A hardening management application monitors activity on the client computer that is associated with a first hardening policy. The monitored activity is evaluated based on one or more metrics. Upon determining that at least one of the metrics is outside of a tolerance specified in the first hardening policy, the client computer is associated with a second hardening policy. The client computer is reconfigured based on the second hardening policy.

Abstract: A computer-implemented method for detecting malware may include (1) identifying a behavioral trace of a program, the behavioral trace including a sequence of runtime behaviors exhibited by the program, (2) dividing the behavioral trace to identify a plurality of n-grams within the behavioral trace, each runtime behavior within the sequence of runtime behaviors corresponding to an n-gram token, (3) analyzing the plurality of n-grams to generate a feature vector of the behavioral trace, and (4) classifying the program based at least in part on the feature vector of the behavioral trace to determine whether the program is malicious. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for generating contextually meaningful animated visualizations of computer security events may include (1) detecting a security-related event that involves an actor and a target within a computing environment, (2) identifying certain characteristics of the security-related event that collectively describe a context of the security-related event with respect to the actor and the target within the computing environment, (3) generating, based at least in part on the certain characteristics of the security-related event, a graphical animation of the security-related event that graphically represents the context of the security-related event with respect to the actor and the target within the computing environment, and then (4) providing, for presentation to a user, the graphical animation of the security-related event to facilitate visualizing the context of the security-related event with respect to the actor and the target.