Abstract: Configuration discrepancies, such as server drift among different servers or malicious code installed on one or more servers, can be identified using system attribute information regarding processes, CPU usage, memory usage, etc. The system attribute information can be used to generate an image, which can be compared to other images to determine if a configuration discrepancy exists. Image recognition algorithms can be used to facilitate image comparison for different systems. By identifying configuration discrepancies, downtime and other issues can be mitigated and system performance can be improved.

Abstract: Techniques for monitoring based on a memory layout of an application are disclosed. A memory layout may be received, obtained, and/or generated from an application executing on a computer. Based on one or more attributes of a plurality of memory regions of the memory layout a memory layout fingerprint is generated. Additionally, memory region fingerprints are generated based on the one or more attributes for respective memory regions. The memory layout fingerprint and the memory region fingerprints are compared to respective previous memory layout fingerprints and the memory region fingerprints in order to determine whether malicious code and/or application drifting has occurred.

Abstract: Techniques for monitoring based on a memory layout of an application are disclosed. A memory layout may be received, obtained, and/or generated from an application executing on a computer. Based on one or more attributes of a plurality of memory regions of the memory layout a memory layout fingerprint is generated. Additionally, memory region fingerprints are generated based on the one or more attributes for respective memory regions. The memory layout fingerprint and the memory region fingerprints are compared to respective previous memory layout fingerprints and the memory region fingerprints in order to determine whether malicious code and/or application drifting has occurred.

Abstract: Techniques are disclosed for passively characterizing a type of host or computing device which may be engaged in a transaction between the host and another computing device. Observation data corresponding to one or more sessions of network traffic between an unclassified host and a second system may be passively generated by a device characterization server. The observation data can be processed by the device characterization server using a machine-learning classifier. The machine-learning classifier can be trained with a set of training data that includes multiple sessions of network traffic from multiple training data hosts. Each session of network traffic includes an exchange of multiple packets in various embodiments, including packets sent from, and packets received by, the training data hosts. Based on the processing, the unclassified host may be characterized by the device characterization server as one of a physical computing device, a virtual machine, or a container.

Abstract: Techniques for monitoring based on a memory layout of an application are disclosed. A memory layout may be received, obtained, and/or generated from an application executing on a computer. Based on one or more attributes of a plurality of memory regions of the memory layout a memory layout fingerprint is generated. Additionally, memory region fingerprints are generated based on the one or more attributes for respective memory regions. The memory layout fingerprint and the memory region fingerprints are compared to respective previous memory layout fingerprints and the memory region fingerprints in order to determine whether malicious code and/or application drifting has occurred.

Abstract: A user may be authenticated using an authentication scheme based on user access to two or more selected electronic devices. A security key may be assigned to the user. The security key is divided into multiple parts that are distributed among electronic devices associated with the user. The security key can be reconstructed based on a distributed trust among the devices, where some devices may have a higher trust level than others. For example, each device can receive a number of key parts. In response to a request to authenticate the user, parts of the security key may be retrieved from two or more, but less than all, of the plurality of electronic devices associated with the user. The retrieved parts are used to reconstruct the security key, and the user is authenticated based on the reconstructed security key.

Abstract: A user may be authenticated using an authentication scheme based on user access to two or more selected electronic devices. A security key may be assigned to the user. The security key is divided into multiple parts that are distributed among electronic devices associated with the user. The security key can be reconstructed based on a distributed trust among the devices, where some devices may have a higher trust level than others. For example, each device can receive a number of key parts. In response to a request to authenticate the user, parts of the security key may be retrieved from two or more, but less than all, of the plurality of electronic devices associated with the user. The retrieved parts are used to reconstruct the security key, and the user is authenticated based on the reconstructed security key.

Abstract: Embodiments described herein are directed to determining whether an application executing on a compute instance has been corrupted or compromised by malicious code. This may achieved by statically analyzing an image file from which the application is based to determine characteristics thereof. Such characteristics are representative of the behavior that is expected to be performed by the application during execution. During execution of the application, runtime characteristics of the application are determined, which are determined based on an analysis of the address space in memory allocated for a computing process of the application. The statically-determined characteristics are compared to the determined runtime characteristics to determine discrepancies therebetween. In the event that a discrepancy is found, a determination is made that the application has been compromised or corrupted and an appropriate remedial action is automatically performed.

Abstract: A process of operating a communication system is provided. The process may include identifying data at a device. The process may further include determining that at least one other device includes at least a portion of the identified data. In addition, the process may include transmitting, to the at least one other device, identification information to enable the at least one other device to locate the identified data at the at least one other device.

Abstract: A system and method for optimizing runtime environments for applications by running the applications in a plurality of runtime environments and iteratively selecting and creating new runtime environments based on a fitness score determined for the plurality of runtime environments.

Abstract: Methods and systems for detecting malware by monitoring client-side memory stacks are described. A request for a payment process is received and a client-side memory stack is populated with a series of functions corresponding to the requested payment process. The execution of each function is monitored to determine whether the series of functions and an order of execution of the functions from the client-side memory stack are the same as an expected series of functions and in an expected order corresponding to the payment process. The monitoring also determines whether the number and types of parameters called by the functions are the same as the expected number and types of parameters. The monitoring further determines whether the timing of the execution of the functions is the same as an expected timing. Remedial action is performed when the any of these factors is determined to be different than what is expected.

Abstract: According to an aspect of an embodiment of the present disclosure, operations related to emulated mobile device determinations may include obtaining sensor data associated with an entity. The sensor data may include sensor output values associated with one or more sensors of a physical mobile device. The operations may also include analyzing the obtained sensor data. The analyzing may include performing one or more determinations. The determinations may include determining whether the obtained sensor data includes static data. The determinations may also include determining whether the obtained sensor data includes computer-simulated data. In addition, the determinations may include determining whether the obtained sensor data includes reused sensor data. In some embodiments, the operations may include determining whether the obtained sensor data includes emulated sensor data based on one or more of the determinations.

Abstract: A computer-implemented method is provided. The method may include generating a state model for an application including a plurality of modeled stack traces generated via execution of a plurality of characterization scenarios of the application. The method may also include comparing each static data point in at least one stack trace generated during execution of the application to one or more modeled stack traces of the plurality of modeled stack traces of the state model. In addition, the method may include detecting, based on the comparison, at least one inconsistent event in the at least one stack trace generated during executing of the application. The method may further include performing at least one remedial action in response to detection of the at least one inconsistent event.

Abstract: A system is configured to perform operations that include determining an exception event corresponding to a transmission of a plurality of network packets over an electronic network. The electronic network may cause network address translation to be performed on the plurality of network packets. The operations may also include identifying, based on a log of the plurality of network packets, a first network packet associated with the exception event and calculating, based on a payload portion of the first network packet, a packet signature corresponding to the first network packet. The operations may further include determining, based on a comparison between a first data structure and a second data structure using the packet signature, original source address information that corresponds to the first network packet prior to the network address translation being performed on the first network packet.

Abstract: A system for discovering and monitoring data movement across the file system on a specific device or across the network, which enables to detect data leakage and locate specific data across the organization. The system tracks files by having devices maintain a record of hash values associated with a file in a tables of hash values. The memory used to maintain the records of each file can be distributed to each device carrying the files. The system can analyze the data leak of a file by receiving a hash value of a file and requesting devices to search and respond with information about files that have the same hash value. Furthermore, based on the table of hash values for all the files, the system can recreate the origination of each file and the number of different versions that exist of the file.

Abstract: Techniques for identifying weaknesses in a probabilistic model such as an artificial neural network using an iterative process are disclosed. A seed file may be obtained and variant files generated therefrom. The variant files may be evaluated for their fitness, based upon the ability of the variant files to cause the probabilistic model to fail. The fittest variants, which may refer to those variants that are most successful in causing the model to fail, may be selected. From these selected variants, a next generation of variant files may be created. The next generation of variant files may be evaluated for their fitness. At each step of fitness evaluation or at the end of the iterative process, a map of the fittest variants may be generated to identify hotspots. These hotspots may reveal segments of code or a file that are problematic for the model, which can be used to improve the model.

Abstract: Methods and systems for detecting malware by monitoring client-side memory stacks are described. A request for a payment process is received and a client-side memory stack is populated with a series of functions corresponding to the requested payment process. The execution of each function is monitored to determine whether the series of functions and an order of execution of the functions from the client-side memory stack are the same as an expected series of functions and in an expected order corresponding to the payment process. The monitoring also determines whether the number and types of parameters called by the functions are the same as the expected number and types of parameters. The monitoring further determines whether the timing of the execution of the functions is the same as an expected timing. Remedial action is performed when the any of these factors is determined to be different than what is expected.

Abstract: Techniques are disclosed for passively characterizing a type of host or computing device which may be engaged in a transaction between the host and another computing device. Observation data corresponding to one or more sessions of network traffic between an unclassified host and a second system may be passively generated by a device characterization server. The observation data can be processed by the device characterization server using a machine-learning classifier. The machine-learning classifier can be trained with a set of training data that includes multiple sessions of network traffic from multiple training data hosts. Each session of network traffic includes an exchange of multiple packets in various embodiments, including packets sent from, and packets received by, the training data hosts. Based on the processing, the unclassified host may be characterized by the device characterization server as one of a physical computing device, a virtual machine, or a container.

Abstract: Methods and systems for detecting passive malicious network-mapping software on a computer network are disclosed. An expected location within a computer system for storing a received data packet may be determined. An actual storage location of the received data packet may be identified and compared to the expected storage location. In the event that the expected location does not match the actual storage location of the received data packet on the computer system, the presence of passive malicious network-mapping software such as a sniffer may be detected.

Abstract: A system and method for preventing hidden data being passed using steganography by performing additional steganography to obscure the hidden data such that the hidden data is unrecoverable without information regarding the method of the additional steganography. This system and method allows for preventing hidden data without having to decipher the hidden data.