Patents by Inventor Sandeep Bhatkar

Sandeep Bhatkar has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9807094
    Abstract: The disclosed computer-implemented method for dynamic access control over shared resources may include (1) detecting an attempt by a user to access a resource via a computing environment, (2) identifying a risk level of the user attempting to access the resource, (3) identifying a sensitivity level of the resource, (4) identifying a risk level of the computing environment through which the user is attempting to access the resource, (5) determining an overall risk level for the attempt to access the resource based at least in part on (A) the risk level of the user, (B) the sensitivity level of the resource, and (C) the risk level of the computing environment, and then (6) determining, based at least in part on the overall risk level, whether to grant the user access to the resource via the computing environment. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: June 25, 2015
    Date of Patent: October 31, 2017
    Assignee: Symantec Corporation
    Inventors: Yin Liu, Sandeep Bhatkar, Kevin Roundy, Leylya Yumer, Anand Kashyap, Aleatha Parker-Wood, Christopher Gates
  • Patent number: 9800590
    Abstract: The disclosed computer-implemented method for threat detection using a software program update profile may include (1) building an update behavioral model that identifies legitimate update behavior for a software application by (a) monitoring client devices for update events associated with the software application and (b) analyzing the update events to identify the legitimate update behavior of the software application, (2) using the update behavioral model to identify suspicious behavior on a computing system by (a) detecting an update instance on the computing system, (b) comparing the update instance with the legitimate update behavior identified in the update behavioral model, and (c) determining, based on the comparison of the update instance with the legitimate update behavior, that the update instance is suspicious, and (3) in response to determining that the update instance is suspicious, performing a security action. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: June 25, 2015
    Date of Patent: October 24, 2017
    Assignee: Symantec Corporation
    Inventors: Christopher Gates, Kevin Roundy, Sandeep Bhatkar, Anand Kashyap, Yin Liu, Aleatha Parker-Wood, Leylya Yumer
  • Patent number: 9798876
    Abstract: A computer-implemented method for creating security profiles may include (1) identifying, within a computing environment, a new actor as a target for creating a new security behavior profile that defines expected behavior for the new actor, (2) identifying a weighted graph that connects the new actor as a node to other actors, (3) creating, by analyzing the weighted graph, the new security behavior profile based on the new actor's specific position within the weighted graph, (4) detecting a security anomaly by comparing actual behavior of the new actor within the computing environment with the new security behavior profile that defines expected behavior for the new actor, and (5) performing, by a computer security system, a remedial action in response to detecting the security anomaly. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: August 19, 2015
    Date of Patent: October 24, 2017
    Assignee: Symantec Corporation
    Inventors: Aleatha Parker-Wood, Anand Kashyap, Christopher Gates, Kevin Roundy, Leylya Yumer, Sandeep Bhatkar, Yin Liu
  • Patent number: 9774615
    Abstract: Techniques for detecting anomalous network traffic are disclosed. In one particular embodiment, the techniques may be realized as a method for detecting anomalous network traffic comprising the steps of receiving a list including a plurality of processes and, for each process, a list of approved types of network traffic; monitoring network traffic of each process on the list of processes; upon detecting network traffic for a process on the list of processes, determining that the type of network traffic detected is not on the list of approved types for that process; and identifying the process as infected based on determining that the type of network traffic detected is not on the list of approved types for that process.
    Type: Grant
    Filed: December 29, 2015
    Date of Patent: September 26, 2017
    Assignee: Symantec Corporation
    Inventors: Kevin Alejandro Roundy, Jie Fu, Tao Cheng, Zhi Kai Li, Fanglu Guo, Sandeep Bhatkar
  • Patent number: 9754106
    Abstract: The disclosed computer-implemented method for classifying security events as targeted attacks may include (1) detecting a security event in connection with at least one organization, (2) comparing the security event against a targeted-attack taxonomy that identifies a plurality of characteristics of targeted attacks, (3) determining that the security event is likely targeting the organization based at least in part on comparing the security event against the targeted-attack taxonomy, and then in response to determining that the security event is likely targeting the organization, (4) classifying the security event as a targeted attack. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: October 14, 2014
    Date of Patent: September 5, 2017
    Assignee: Symantec Corporation
    Inventors: Kevin Alejandro Roundy, Sandeep Bhatkar
  • Patent number: 9686304
    Abstract: A computer-implemented method for healing infected document files may include (1) receiving an electronic message directed to a target client computing system, the electronic message including a document file, (2) in response to receiving the electronic message, discovering, by a security program, that the document file is infected with potentially malicious content by parsing the document file into separate objects and detecting that one of the separate objects is infected with potentially malicious content, (3) healing, by the security program, the infected object by removing the potentially malicious content from the object, (4) reconstructing, by the security program, the document file by reuniting the healed separate object with a remainder of the separate objects in a manner that preserves readability of the document, and (5) providing access to the readable reconstructed document file at the target client computing system. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 12, 2013
    Date of Patent: June 20, 2017
    Assignee: Symantec Corporation
    Inventors: Fanglu Guo, Susanta Nanda, Sandeep Bhatkar
  • Patent number: 9665715
    Abstract: A computer-implemented method for detecting malware-induced crashes may include (1) identifying, by analyzing a health log associated with a previously stable computing device, the occurrence of an unexpected stability problem on the previously stable computing device, (2) identifying, by analyzing an event log associated with the previously stable computing device, an event that is potentially responsible for the occurrence of the unexpected stability problem on the previously stable computing device, (3) determining, due at least in part to the event being potentially responsible for the occurrence of the unexpected stability problem on the previously stable computing device, that the event is potentially malicious, and (4) performing a security action in response to determining that the event is potentially malicious. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: December 23, 2013
    Date of Patent: May 30, 2017
    Assignee: Symantec Corporation
    Inventors: Kevin Roundy, Sandeep Bhatkar, Fanglu Guo, Daniel Marino
  • Patent number: 9659182
    Abstract: A method for protecting data files may include (1) identifying a data file to be protected against data loss, (2) identifying a set of software programs permitted to open the data file by (a) identifying a format of the data file and (b) identifying at least one software program capable of opening files of the format of the data file, (3) detecting an attempt to open the data file by a software program not included in the set of software programs, and (4) performing a security action in response to detecting the attempt to open the data file. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: April 30, 2014
    Date of Patent: May 23, 2017
    Assignee: Symantec Corporation
    Inventors: Kevin Alejandro Roundy, Sandeep Bhatkar, Fanglu Guo, Scott Schneider
  • Patent number: 9485271
    Abstract: A computer-implemented method for anomaly-based detection of compromised information technology (IT) administration accounts may include (1) establishing a set of permissible IT administration tasks for an IT administration account, (2) monitoring the IT administration account for activities outside the set of permissible IT administration tasks, (3) detecting a suspicious activity by identifying an activity that is outside the set of permissible IT administration tasks and therefore indicative of the IT administration account being compromised, and (4) in response to detecting the suspicious activity, performing a security action with respect to the potentially compromised IT administration account. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 11, 2014
    Date of Patent: November 1, 2016
    Assignee: Symantec Corporation
    Inventors: Kevin Roundy, Sandeep Bhatkar, Fanglu Guo
  • Publication number: 20160306967
    Abstract: A method, performed by a processor to detect malicious or risky data accesses is provided. The method includes modeling user accesses to a content repository as to probability of a user accessing data in the content repository, based on a history of user accesses to the content repository. The method includes scoring a singular user access to the content repository, based on probability of access according to the modeling and alerting in accordance with the scoring.
    Type: Application
    Filed: April 17, 2015
    Publication date: October 20, 2016
    Inventors: Michael Hart, Chetan Verma, Sandeep Bhatkar, Aleatha Parker-Wood
  • Patent number: 9401925
    Abstract: A computer-implemented method for detecting security threats based on user profiles may include (1) identifying behavior on a computing system that is potentially indicative of a security threat, (2) identifying a user profile for a user of the computing system that estimates a level of the user's technical sophistication, (3) comparing the identified behavior with the estimated level of the user's technical sophistication, and (4) determining whether the identified behavior indicates a security threat based at least in part on the comparison of the identified behavior with the estimated level of the user's technical sophistication. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 12, 2013
    Date of Patent: July 26, 2016
    Assignee: Symantec Corporation
    Inventors: Fanglu Guo, Sandeep Bhatkar, Kevin Roundy
  • Patent number: 9317679
    Abstract: A computer-implemented method for detecting malicious documents based on component-object reuse may include (1) identifying a plurality of malicious documents, (2) identifying a plurality of component objects that are contained within at least one malicious document from the plurality of malicious documents, (3) receiving an unknown document, (4) determining that at least one component object from the plurality of component objects was used to create the unknown document, and (5) performing a security action on the unknown document in response to determining that the component object was used to create the unknown document. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: November 6, 2013
    Date of Patent: April 19, 2016
    Assignee: Symantec Corporation
    Inventors: Sandeep Bhatkar, Fanglu Guo, Susanta Nanda
  • Publication number: 20160103992
    Abstract: The disclosed computer-implemented method for classifying security events as targeted attacks may include (1) detecting a security event in connection with at least one organization, (2) comparing the security event against a targeted-attack taxonomy that identifies a plurality of characteristics of targeted attacks, (3) determining that the security event is likely targeting the organization based at least in part on comparing the security event against the targeted-attack taxonomy, and then in response to determining that the security event is likely targeting the organization, (4) classifying the security event as a targeted attack. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Application
    Filed: October 14, 2014
    Publication date: April 14, 2016
    Inventors: Kevin Alejandro Roundy, Sandeep Bhatkar
  • Patent number: 9275226
    Abstract: A computer-implemented method for detecting selective malware attacks is described. A website visited by a user is identified based on a number of visits to the website satisfying a predetermined threshold. A web crawl is performed on the identified website. Results of the web crawl are analyzed to determine whether the identified website includes a malicious software attack designed to selectively attack visitors to the website.
    Type: Grant
    Filed: September 17, 2013
    Date of Patent: March 1, 2016
    Assignee: Symantec Corporation
    Inventors: Kevin Roundy, Sandeep Bhatkar, Fanglu Guo
  • Patent number: 9256739
    Abstract: A computer-implemented method for using event-correlation graphs to generate remediation procedures may include (1) detecting a suspicious event involving a first actor within a computing system, (2) constructing, in response to detecting the suspicious event involving the first actor, an event-correlation graph that includes (i) a first node that represents the first actor, (ii) a second node that represents a second actor, and (iii) an edge that interconnects the first node and the second node and represents an additional suspicious event involving the first actor and the second actor, and (3) using the event-correlation graph to generate a procedure for remediating an effect of an attack on the computing system that is reflected in the event-correlation graph. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 21, 2014
    Date of Patent: February 9, 2016
    Assignee: Symantec Corporation
    Inventors: Kevin Alejandro Roundy, Sandeep Bhatkar
  • Patent number: 9230111
    Abstract: A computer-implemented method for protecting document files from macro threats may include (1) identifying a document file that contains an embedded macro, (2) locating an event-driven programming language module that stores the embedded macro for the document file, and (3) cleaning the event-driven programming language module by removing procedures for the embedded macro within the event-driven programming language module and retaining variable definitions within the event-driven programming language module. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: November 6, 2013
    Date of Patent: January 5, 2016
    Assignee: Symantec Corporation
    Inventors: Susanta Nanda, Sandeep Bhatkar, Fanglu Guo
  • Patent number: 9225736
    Abstract: Techniques for detecting anomalous network traffic are disclosed. In one particular embodiment, the techniques may be realized as a method for detecting anomalous network traffic comprising the steps of receiving a list including a plurality of processes and, for each process, a list of approved types of network traffic; monitoring network traffic of each process on the list of processes; upon detecting network traffic for a process on the list of processes, determining that the type of network traffic detected is not on the list of approved types for that process; and identifying the process as infected based on determining that the type of network traffic detected is not on the list of approved types for that process.
    Type: Grant
    Filed: June 27, 2013
    Date of Patent: December 29, 2015
    Assignee: Symantec Corporation
    Inventors: Kevin Alejandro Roundy, Jie Fu, Tao Cheng, Zhi Kai Li, Fanglu Guo, Sandeep Bhatkar
  • Patent number: 9208314
    Abstract: A computer-implemented method for distinguishing code of a program obfuscated within a packed program may include (1) retrieving memory of the packed program that includes the code of the obfuscated program in an unobfuscated state and unpacking code that unpacks the code of the obfuscated program when the packed program is executed, (2) identifying an import address table within the memory of the packed program, (3) determining that the import address table is an import address table of the code of the obfuscated program, (4) determining that a region of code within the memory of the packed program may be the code of the obfuscated program by determining that the region of code uses the import address table, and (5) performing a security operation on the region of code. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: December 19, 2013
    Date of Patent: December 8, 2015
    Assignee: Symantec Corporation
    Inventor: Sandeep Bhatkar
  • Patent number: 9166997
    Abstract: A computer-implemented method for reducing false positives when using event-correlation graphs to detect attacks on computing systems may include (1) detecting a suspicious event involving a first actor within a computing system, (2) constructing an event-correlation graph that includes a first node that represents the first actor, a second node that represents a second actor, and an edge that represents an additional suspicious event involving the first actor and the second actor, (3) comparing the event-correlation graph with at least one additional event-correlation graph that represents events on at least one additional computing system, (4) determining that a similarity of the event-correlation graph and the additional event-correlation graph exceeds a predetermined threshold, and (5) classifying the suspicious event as benign based on determining that the similarity of the event-correlation graph and the additional event-correlation graph exceeds the predetermined threshold.
    Type: Grant
    Filed: September 19, 2013
    Date of Patent: October 20, 2015
    Assignee: Symantec Corporation
    Inventors: Fanglu Guo, Sandeep Bhatkar, Kevin Roundy
  • Patent number: 9148441
    Abstract: A computer-implemented method for adjusting suspiciousness scores in event-correlation graphs may include (1) detecting a suspicious event involving a first actor and a second actor within a computing system, (2) constructing an event-correlation graph that includes (i) a representation of the first actor, (ii) a representation of the suspicious event, and (iii) a representation of the second actor, and (3) adjusting a suspiciousness score associated with at least one representation in the event-correlation graph based at least in part on a suspiciousness score associated with at least one other representation in the event-correlation graph such that the adjusted suspiciousness score associated with the at least one representation is influenced by the suspicious event. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: December 23, 2013
    Date of Patent: September 29, 2015
    Assignee: Symantec Corporation
    Inventors: Acar Tamersoy, Kevin Roundy, Sandeep Bhatkar, Elias Khalil