Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed to identify and report cloud-based security vulnerabilities. An example apparatus includes memory, instructions, and processor circuitry. The example processor circuitry is to execute the instructions to assess a first security vulnerability associated with an application programming interface (API) of a cloud compute network, the first security vulnerability corresponding to at least one call to the API that deviates from a baseline report, the baseline report based on at least one communication in the cloud compute network, and assess a second security vulnerability associated with identity and access management in the cloud compute network based on an entity in the cloud compute network permitted to access a service provided by the cloud compute network, the second security vulnerability corresponding to an unauthorized request to access at least one of a device of the cloud compute network or the service.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to identify and report cloud-based security vulnerabilities. An apparatus comprising: a security vulnerability detector to, in response to a resource monitor monitoring a threshold amount of activity in a resource of a cloud computing environment, determine one or more security vulnerabilities associated with the resource and the cloud computing environment; a vulnerability processor to correlate the one or more security vulnerabilities with one or more kill chains to exploit at least one security vulnerability in the cloud computing environment; and a report generator to generate a report including a story graph indicating a subset of at least one of: (a) the one or more security vulnerabilities associated with the one or more kill chains, (b) one or more remediation actions to obviate the one or more security vulnerabilities, or (c) threat intelligence feeds associated with the one or more security vulnerabilities.

Abstract: A disclosed apparatus includes a connection detector to detect a communication as including a request to connect to a device at a data link layer of an Open Systems Interconnection model; a threat monitor to determine whether the communication is a threat; and a threat manager to, when the threat monitor determines the communication is a threat, at least one of generate a notification to prompt a user about the threat or block the communication.

Abstract: Methods, systems, and media for detecting anomalous network activity are provided. In some embodiments, a method for detecting anomalous network activity is provided, the method comprising: receiving information indicating network activity, wherein the information includes IP addresses corresponding to devices participating in the network activity; generating a graph representing the network activity, wherein each node of the graph indicates an IP address of a device; generating a representation of the graph, wherein the representation of the graph reduces a dimensionality of information indicated in the graph; identifying a plurality of clusters of network activity based on the representation of the graph; determining that at least one cluster corresponds to anomalous network activity; and in response to determining that the at least one cluster corresponds to anomalous network activity, causing a network connection of at least one device included in the at least one cluster to be blocked.

Abstract: Methods, systems, and media for detecting anomalous network activity are provided. In some embodiments, a method for detecting anomalous network activity is provided, the method comprising: receiving information indicating network activity, wherein the information includes IP addresses corresponding to devices participating in the network activity; generating a graph representing the network activity, wherein each node of the graph indicates an IP address of a device; generating a representation of the graph, wherein the representation of the graph reduces a dimensionality of information indicated in the graph; identifying a plurality of clusters of network activity based on the representation of the graph; determining that at least one cluster corresponds to anomalous network activity; and in response to determining that the at least one cluster corresponds to anomalous network activity, causing a network connection of at least one device included in the at least one cluster to be blocked.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to identify and report cloud-based security vulnerabilities. An apparatus comprising: a security vulnerability detector to, in response to a resource monitor monitoring a threshold amount of activity in a resource of a cloud computing environment, determine one or more security vulnerabilities associated with the resource and the cloud computing environment; a vulnerability processor to correlate the one or more security vulnerabilities with one or more kill chains to exploit at least one security vulnerability in the cloud computing environment; and a report generator to generate a report including a story graph indicating a subset of at least one of: (a) the one or more security vulnerabilities associated with the one or more kill chains, (b) one or more remediation actions to obviate the one or more security vulnerabilities, or (c) threat intelligence feeds associated with the one or more security vulnerabilities.

Abstract: Techniques for protecting a computer system against fileless malware are described. One technique includes a virtual machine (VM) locker logic/module implemented by one or more processors receiving information about input/output (I/O) requests associated with injection of data into a process. The logic/module can generate or update an information log to reflect that the process includes data from an external source. The data from the external source can include fileless malware. The technique also includes the logic/module intercepting an execution request by a process (e.g., the process that includes data from an external source, another process, etc.), where an execute privilege located in an operating system mediated access control mechanism approves the request. Next, the logic/module determines that the process requesting execution is included in the log and removes an execute privilege located in a hypervisor mediated access control mechanism to deny the request.

Abstract: A disclosed apparatus includes a connection detector to detect a communication as including a request to connect to a device at a data link layer of an Open Systems Interconnection model; a threat monitor to determine whether the communication is a threat; and a threat manager to, when the threat monitor determines the communication is a threat, at least one of generate a notification to prompt a user about the threat or block the communication.

Abstract: Methods, systems, and media for detecting anomalous network activity are provided. In some embodiments, a method for detecting anomalous network activity is provided, the method comprising: receiving information indicating network activity, wherein the information includes IP addresses corresponding to devices participating in the network activity; generating a graph representing the network activity, wherein each node of the graph indicates an IP address of a device; generating a representation of the graph, wherein the representation of the graph reduces a dimensionality of information indicated in the graph; identifying a plurality of clusters of network activity based on the representation of the graph; determining that at least one cluster corresponds to anomalous network activity; and in response to determining that the at least one cluster corresponds to anomalous network activity, causing a network connection of at least one device included in the at least one cluster to be blocked.

Abstract: Techniques for protecting a computer system against fileless malware are described. One technique includes a virtual machine (VM) locker logic/module implemented by one or more processors receiving information about input/output (I/O) requests associated with injection of data into a process. The logic/module can generate or update an information log to reflect that the process includes data from an external source. The data from the external source can include fileless malware. The technique also includes the logic/module intercepting an execution request by a process (e.g., the process that includes data from an external source, another process, etc.), where an execute privilege located in an operating system mediated access control mechanism approves the request. Next, the logic/module determines that the process requesting execution is included in the log and removes an execute privilege located in a hypervisor mediated access control mechanism to deny the request.

Abstract: Utilizing a virtual desktop interface, including receiving, from a server, a clone image comprising an instance of an operating system and an application executing on the server, and a copy of scan results, identify initiation of the application using the clone image, in response to identifying initiation of the application, determine that the copy of scan results includes scan results of the application, and in response to determining the copy of scan results includes scan results of the application, executing the application without any further scan of the application.

Abstract: Utilizing a virtual desktop interface, including receiving, from a server, a clone image comprising an instance of an operating system and an application executing on the server, and a copy of scan results, identify initiation of the application using the clone image, in response to identifying initiation of the application, determine that the copy of scan results includes scan results of the application, and in response to determining the copy of scan results includes scan results of the application, executing the application without any further scan of the application.

Abstract: A system for virtualization of a local device includes a proxy configured to report, to a remote system, a status of a local Universal Serial Bus (“USB”) device of the system, and to receive a transaction request designated for the local device from the remote system. The system further includes a generic device driver configured to receive the transaction request for the local device, and to provide a result of the transaction request. The proxy is further configured to provide the result of the transaction request to the remote system. The local device is remote to the remote system, which is configured to include a device-specific driver for the local device. A system for utilizing a local device of a remote system is also provided. The system may include an agent and a virtual bus driver. Methods and machine-readable media are also provided.

Abstract: A technique for composing a virtual desktop associated with one or more applications in a virtualized computing environment. The technique includes generating file system level metadata in the desktop image for applications that create a perception that data blocks in the desktop image have been allocated to applications, but not actually copying any of the application data into the allocated blocks. Instead, the technique builds a mapping table between disk block numbers and the application data, which can be stored in a separate application store. The disclosed techniques provide a more efficient way to compose a virtual desktop, compared to current virtual desktop adoption techniques.

Abstract: A technique for composing a virtual desktop associated with one or more applications in a virtualized computing environment. The technique includes generating file system level metadata in the desktop image for applications that create a perception that data blocks in the desktop image have been allocated to applications, but not actually copying any of the application data into the allocated blocks. Instead, the technique builds a mapping table between disk block numbers and the application data, which can be stored in a separate application store. The disclosed techniques provide a more efficient way to compose a virtual desktop, compared to current virtual desktop adoption techniques.

Abstract: A system for redirecting a local device to a remote system includes a proxy configured to communicate with a remote access module. The remote access module is configured to establish a remote access connection between a system and a remote system. The proxy is configured to receive socket connection information for establishing a socket connection between the system and the remote system. The proxy is also configured to receive, from the remote system over the socket connection, at least one device transaction designated for a virtual device local to the remote system. The virtual device may correspond with a Universal Serial Bus device locally connected to the system. A system for automatically redirecting a local device to a remote system, as well as a system for utilizing a local device of a remote system, are also provided. Methods and machine-readable media are also provided.

Abstract: A system for redirecting a local device to a remote system includes a proxy configured to communicate with a remote access module. The remote access module is configured to establish a remote access connection between a system and a remote system. The proxy is configured to receive socket connection information for establishing a socket connection between the system and the remote system. The proxy is also configured to receive, from the remote system over the socket connection, at least one device transaction designated for a virtual device local to the remote system. The virtual device may correspond with a Universal Serial Bus device locally connected to the system. A system for automatically redirecting a local device to a remote system, as well as a system for utilizing a local device of a remote system, are also provided. Methods and machine-readable media are also provided.

Abstract: A system for virtualization of a local device includes a proxy configured to report, to a remote system, a status of a local Universal Serial Bus (“USB”) device of the system, and to receive a transaction request designated for the local device from the remote system. The system further includes a generic device driver configured to receive the transaction request for the local device, and to provide a result of the transaction request. The proxy is further configured to provide the result of the transaction request to the remote system. The local device is remote to the remote system, which is configured to include a device-specific driver for the local device. A system for utilizing a local device of a remote system is also provided. The system may include an agent and a virtual bus driver. Methods and machine-readable media are also provided.