Abstract: Monitoring activity in a network is disclosed, including monitoring a communication associated with a messaging service, observing suspicious activity associated with a host associated with the messaging service, and sending a challenge to the host using the messaging service.

Abstract: Application profiles for applications stored on the endpoint are defined. An application profile identifies components on the endpoint associated with an application with which the application profile is associated. Applications on the endpoint accessed by a user to perform a task are monitored. A task profile associated with the task is created and stored, the task profile associated with the application profiles for the applications accessed by the user to perform the task.

Abstract: A DRM server parses a request received from a client for a content identifier and client classification information. The content identifier identifies the requested content and client classification information describes the capabilities of the client. The DRM server determines a policy for the requested content. The policy specifies rules for determining access rights for the content responsive to the capabilities of the client. The DRM server determines access rights for the requested content responsive to the capabilities of the client and the policy. The DRM manager then provides the requested content and the determined access rights to the client.

Abstract: A behavioral signature for detecting malware is generated. A computer is used to collect behavior traces of malware in a malware dataset. The behavior traces describe sequential behaviors performed by the malware. The behavior traces are normalized to produce malware behavior sequences. Similar malware behavior sequences are clustered together. The malware behavior sequences in a cluster describe behaviors of a malware family. The cluster is analyzed to identify a behavior subsequence common to the cluster's malware family. A behavior signature for the malware family is generated using the behavior subsequence. A trace of new malware is normalized and aligned with an existing cluster, if possible. The behavioral signature for that cluster is generated based on the behavior sequence of the new malware and the other sequences in the cluster.

Abstract: Secure, continuous, on-demand access to services provided by servers internal to a network is facilitated, while minimizing power consumption and power load spikes. Information concerning operation of the network is monitored, and a profile of the network is maintained. Internal network servers being in reduced power consumption states is tracked. Service requests from clients to internal network servers that are in reduced power consumption states are detected. In response, packets are generated to wake servers in reduced power consumption states, without requiring registration or installation of any components on the servers or clients. Frequencies are controlled at which packets are generated to wake servers, thereby minimizing sudden increases in power consumption associated with waking multiple servers. This can comprise waiting for a specific duration of time prior to generating packets, based on server profiles.

Abstract: Detecting new or modified portions of executable code is disclosed. An indication is received that a prior version of an executable file has been replaced by a new version. A security response is provided if a process associated with the executable file attempts to perform a restricted action and a new or changed portion of code comprising the new version has executed. If no new or changed portion of code has executed, the restricted action is allowed to an extent determined previously for the prior version of the executable file.

Abstract: An exemplary method for preventing exploitation of byte sequences that violate compiler-generated instruction alignment may comprise: 1) identifying instantiation of a process, 2) identifying an address space associated with the process, 3) identifying, within the address space associated with the process, at least one control-transfer instruction, 4) determining that at least one byte preceding the control-transfer instruction is capable of resulting in an out-of-alignment instruction, and then 5) preventing the control-transfer instruction from being executed. In one example, the system may prevent the control-transfer instruction from being executed by inserting a hook in place of the intended instruction that executes the intended instruction and then returns control flow back to the instantiated process. Corresponding systems and computer-readable media are also disclosed.

Abstract: A method and apparatus for identifying web attacks is described. In one embodiment, a method of securing a computer comprises generating origin information for a portion of a web page and identifying a modification in the origin information. The identified modification is used to determine an indicia of suspicious behavior at a computer.

Abstract: A computer-implemented method for prioritizing virtual machine tasks may include receiving a request to perform a first task from a virtual machine. The request may include information relevant to determining a priority of the task. The method may include determining the priority of the task based on the information. The method may further include scheduling the first task based on the priority of the task. The method may include selecting the first task for execution based on the scheduling. The method may include notifying the virtual machine that the first task has been selected for execution. Various related methods, computer-readable media, and systems are also disclosed.

Abstract: A security module determines cost characteristics reflecting costs incurred in developing and/or deploying a software application, and determines whether the software application is malicious based at least in part on the cost characteristics. The security module determines (1) cost characteristics reflecting costs associated with an installer tool used to generate an installation package of the software application, (2) cost characteristics reflecting costs associated with a development tool used to develop the software application, and (3) cost characteristics reflecting costs incurred in deploying the software application. If the cost characteristics indicate that substantial cost was incurred in developing and/or deploying the application, the security module determines that the application is legitimate. Otherwise the security module considers other traits of the application to determine whether it is malicious.

Abstract: A system and method of automatic suggested application identification includes accessing a profile of a device, wherein the profile represents information specific to the device. From said profile, a determined pattern of use determined by the device is accessed, wherein the determined pattern is unique to the device. The profile including the determined pattern and a geo-specific data of the device and configuration information of the device and applications resident on the device is compared to similar profiles and similar determined patterns of other devices. A suggested application is identified based on said comparing.

Abstract: A decision tree for classifying computer files is constructed. A set of training files known to be legitimate or malicious are executed and their runtime behaviors are monitored. When a behavior event is detected for one of the training file at a point in time, a feature vector is generated for that training file. Behavior sequencing and timing information for the training file at that point in time is identified and encoded in the feature vector. Feature vectors for each of the training files at various points in time are fed into a decision tree induction algorithm to construct a decision tree that takes into account of the sequencing and timing information.

Abstract: A computer-implemented method for individually managing the power usage of software applications may include: 1) identifying at least one software application installed on a computing device, 2) determining the power usage of the software application, 3) identifying a power-management policy for managing the power usage of the software application independent of the overall power usage of the computing device, and then 4) managing the power usage of the software application independent of the overall power usage of the computing device in accordance with the power-management policy. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Controlling identity disclosures is disclosed. A difference between a site policy as received at a first time and the site policy as received at a second time is detected through at least partially automated processing. The existence of the difference is indicated before disclosing to a relying party associated with the site policy, at or subsequent to the second time, an identity information.

Abstract: A host reputation score indicating whether a host connected to the client by a network is malicious is received. An entity on the client that communicates with the host is identified. Whether the entity is a malware threat is determined based at least in part on the host reputation score.

Abstract: A computer-implemented method for authenticating users may include identifying an image associated with a user for mutual assurance during an authentication process. The computer-implemented method may also include modifying the image based on a prompt message to create a modified image that displays the prompt message. The computer-implemented method may further include determining that user input comprises an expected response to the prompt message. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A plurality of fingerprints are created for a file. Each fingerprint is created in response to an instance of activity involving the file. A malware signature associated with the mutating malware is compared to one or more of the plurality of fingerprints. In response to the malware signature matching one of the plurality of fingerprints, determining that the file is infected with mutating malware. Further, in response to determining that the file is infected with mutating malware, transmitting to a server multiple fingerprints of the plurality of fingerprints. The server analyzes the multiple fingerprints to determine a pattern of mutation by the mutating malware. The determined pattern of mutation is used by the server to create a signature for detecting mutations of the mutating malware.

Abstract: Systems and methods for improving the effectiveness of decision trees are disclosed. In one example, an exemplary method for performing such a task may include: 1) receiving, from at least one computing device, a) a sample, b) a classification assigned to the sample by a decision tree employed by the computing device, and c) identification information for a branch configuration that resulted in the classification, 2) determining that the decision tree incorrectly classified the sample, and then 3) excluding the offending branch configuration from future decision trees. An exemplary method for dynamically adjusting the confidence of decision-tree classifications based on community-supplied data, along with corresponding systems and computer-readable media, are also described.

Abstract: A computer-implemented method for detecting rootkits is disclosed. The computer-implemented method may include sending periodic security communications from a privileged-processor-mode region of a computing device. The computer-implemented method may also include identifying at least one of the periodic security communications. The computer-implemented method may further include determining, based on the periodic security communications, whether the privileged-processor-mode region of the computing device has been compromised. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A security system monitors the trustworthiness and firewall configurations of a set of clients, where a firewall configuration comprises a set of firewall rules that control access by an application to network communication functionalities of a client. Based on the firewall rules used by other clients and the reputation of those clients, the system determines a set of default firewall rules by selecting one or more rules that are used by the more trustworthy clients. The default firewall rules are made available to other clients, which may use these default rules. This leverages community knowledge about how much network access to allow for a particular application.