Abstract: There are provided systems and methods for a sentence based automated Turing test for detecting scripted computing attacks. A computing may request access to a service or data from a service provider, where the service provider may be required to determine that the device is used by a user and not a bot executing a scripted or automated process/attack against the service provider. To authenticate that the device is used by a user, the service provider may determine and output a challenge that queries the user to fill in one or more missing words from a sentence. Acceptable answers may be based on past messages and internal data that is specific to the service provider, as well as an external corpus of documents. The service provider may also further authenticate the user based on the user's response and a likely user response for that user.

Abstract: An indication is received that a first online platform has undergone/is undergoing a first electronic attack made by one or more actors engaged in online malicious actions with the first online platform. Responsive to the indication of the first electronic attack, one or more vulnerability characteristics of the first online platform are determined, where the vulnerability characteristics are associated with the first electronic attack. A plurality of other online platforms are analyzed to identify a second online platform that shares at least one of the vulnerability characteristics with the first online platform. Based on the determining and/or the analyzing, the second online platform is predicted to be a potential target for a second electronic attack having an attack vector in common with the first electronic attack that corresponds to the shared vulnerability characteristics. An action is performed to mitigate potential damage of the second electronic attack.

Abstract: Methods and systems are provided to determine when a first electronic device is emulating a second electronic device. The first electronic device may be operated through indirect inputs such as through a mouse and keyboard. The second electronic device may be operated through direct inputs such as inputs received through a touchscreen. Interaction data received from the first electronic device may be used to determine that the first electronic device is operating an emulator. Interaction data may include data associated with scrolling on the electronic device and such data may allow a determination that the electronic device received indirect inputs and, thus, is operating an emulator.

Abstract: Techniques are disclosed relating to determining whether geographic locations of a user computing device satisfy a location consensus threshold. A computer system receives results of a plurality of location determination operations, each of which specifies a geographic location of a computing device initiating an action. The computer system then makes a determination whether the received results satisfy a consensus threshold as to geographic location of the computing device. In some embodiments, the determination is usable to select, from a plurality of sets of rules for different geographic regions, a particular set of rules for processing the action. In some cases, the particular set of rules is usable to determine whether to process the action. Such techniques may advantageously allow a processing system to understand how to process actions initiated by a computing device associated with different geographic locations.

Abstract: A method and apparatus for mobile emulator determination using sound fingerprinting is disclosed. The method includes a verification computer system receiving a transaction request from a computing device purporting to be a mobile device. Responsive to receiving the request, the verification computer system transmits a request for verification information to the computing device. The verification system includes information regarding a tone to be generated by a speaker of the computing device. Thereafter, verification information is received from the computing device. The verification information includes information tone information generated by the computing device, wherein the tone is, after generation, detected by a microphone. The verification system then verifies, based on the receive verification information, whether the information indicates that the computing device is a mobile device.

Abstract: Methods and systems are presented for assessing a veracity of device attributes obtained from a computer device based on estimating a number of processing cycles used by the computer device to perform a particular function. In response to receiving a transaction request from the computer device, software programming instructions are transmitted to the computer device for obtaining device attributes of the computer device. The software programming instructions may also include code that estimate a number of processing cycles used by the computer to perform a particular function. The particular function may be associated with obtaining at least one of the device attributes of the computer device. The estimated number of processing cycles may be compared against a benchmark profile. A risk associated with the transaction request is determined based on the comparing.

Abstract: A system and method for detecting anomalous access to tables is described. A query for accessing a table from a requesting user is received. A set of users similar to the requesting user is determined. The probability that the requesting user should access the table is calculated. Whether the user should be accessing the table based on the calculated probability is determined.

Abstract: An indication is received that a first online platform has undergone/is undergoing a first electronic attack made by one or more actors engaged in online malicious actions with the first online platform. Responsive to the indication of the first electronic attack, one or more vulnerability characteristics of the first online platform are determined, where the vulnerability characteristics are associated with the first electronic attack. A plurality of other online platforms are analyzed to identify a second online platform that shares at least one of the vulnerability characteristics with the first online platform. Based on the determining and/or the analyzing, the second online platform is predicted to be a potential target for a second electronic attack having an attack vector in common with the first electronic attack that corresponds to the shared vulnerability characteristics. An action is performed to mitigate potential damage of the second electronic attack.

Abstract: There are provided systems and methods for a sentence based automated Turing test for detecting scripted computing attacks. A computing may request access to a service or data from a service provider, where the service provider may be required to determine that the device is used by a user and not a bot executing a scripted or automated process/attack against the service provider. To authenticate that the device is used by a user, the service provider may determine and output a challenge that queries the user to fill in one or more missing words from a sentence. Acceptable answers may be based on past messages and internal data that is specific to the service provider, as well as an external corpus of documents. The service provider may also further authenticate the user based on the user's response and a likely user response for that user.

Abstract: Embodiments described herein are directed to determining whether an application executing on a compute instance has been corrupted or compromised by malicious code. This may achieved by statically analyzing an image file from which the application is based to determine characteristics thereof. Such characteristics are representative of the behavior that is expected to be performed by the application during execution. During execution of the application, runtime characteristics of the application are determined, which are determined based on an analysis of the address space in memory allocated for a computing process of the application. The statically-determined characteristics are compared to the determined runtime characteristics to determine discrepancies therebetween. In the event that a discrepancy is found, a determination is made that the application has been compromised or corrupted and an appropriate remedial action is automatically performed.

Abstract: Methods and systems are provided to determine when a first electronic device is emulating a second electronic device. The first electronic device may be operated through indirect inputs such as through a mouse and keyboard. The second electronic device may be operated through direct inputs such as inputs received through a touchscreen. Interaction data received from the first electronic device may be used to determine that the first electronic device is operating an emulator. Interaction data may include data associated with scrolling on the electronic device and such data may allow a determination that the electronic device received indirect inputs and, thus, is operating an emulator.

Abstract: There are provided systems and methods for a sentence based automated Turing test for detecting scripted computing attacks. A computing may request access to a service or data from a service provider, where the service provider may be required to determine that the device is used by a user and not a bot executing a scripted or automated process/attack against the service provider. To authenticate that the device is used by a user, the service provider may determine and output a challenge that queries the user to fill in one or more missing words from a sentence. Acceptable answers may be based on past messages and internal data that is specific to the service provider, as well as an external corpus of documents. The service provider may also further authenticate the user based on the user's response and a likely user response for that user.

Abstract: Computer system security can be threatened by users who manipulate their software to avoid detection of malicious activities—such as account takeover. Web browser software, for example, can be altered so the browser will report false information about the browser itself and/or the system on which it is running. By providing such false information, a user can try to avoid his system being fingerprinted (e.g. identified) so that the user can more effectively instigate electronic attacks without being detected. This disclosure describes techniques that allow for detection of when a user has tampered with their web browser (e.g., by overriding native code functions in the browser). Detecting that a browser has been tampered with can allow a computer server system to take mitigation actions against potentially malicious users, thus improving computer security.

Abstract: An indication is received that a first online platform has undergone/is undergoing a first electronic attack made by one or more actors engaged in online malicious actions with the first online platform. Responsive to the indication of the first electronic attack, one or more vulnerability characteristics of the first online platform are determined, where the vulnerability characteristics are associated with the first electronic attack. A plurality of other online platforms are analyzed to identify a second online platform that shares at least one of the vulnerability characteristics with the first online platform. Based on the determining and/or the analyzing, the second online platform is predicted to be a potential target for a second electronic attack having an attack vector in common with the first electronic attack that corresponds to the shared vulnerability characteristics. An action is performed to mitigate potential damage of the second electronic attack.

Abstract: A method and apparatus for mobile emulator determination using sound fingerprinting is disclosed. The method includes a verification computer system receiving a transaction request from a computing device purporting to be a mobile device. Responsive to receiving the request, the verification computer system transmits a request for verification information to the computing device. The verification system includes information regarding a tone to be generated by a speaker of the computing device. Thereafter, verification information is received from the computing device. The verification information includes information tone information generated by the computing device, wherein the tone is, after generation, detected by a microphone. The verification system then verifies, based on the receive verification information, whether the information indicates that the computing device is a mobile device.

Abstract: Methods and systems are provided to determine when a first electronic device is emulating a second electronic device. The first electronic device may be operated through indirect inputs such as through a mouse and keyboard. The second electronic device may be operated through direct inputs such as inputs received through a touchscreen. Interaction data received from the first electronic device may be used to determine that the first electronic device is operating an emulator. Interaction data may include data associated with scrolling on the electronic device and such data may allow a determination that the electronic device received indirect inputs and, thus, is operating an emulator.

Abstract: Techniques are disclosed relating to determining whether geographic locations of a user computing device satisfy a location consensus threshold. A computer system receives results of a plurality of location determination operations, each of which specifies a geographic location of a computing device initiating an action. The computer system then makes a determination whether the received results satisfy a consensus threshold as to geographic location of the computing device. In some embodiments, the determination is usable to select, from a plurality of sets of rules for different geographic regions, a particular set of rules for processing the action. In some cases, the particular set of rules is usable to determine whether to process the action. Such techniques may advantageously allow a processing system to understand how to process actions initiated by a computing device associated with different geographic locations.

Abstract: Techniques for identifying weaknesses in a probabilistic model such as an artificial neural network using an iterative process are disclosed. A seed file may be obtained and variant files generated therefrom. The variant files may be evaluated for their fitness, based upon the ability of the variant files to cause the probabilistic model to fail. The fittest variants, which may refer to those variants that are most successful in causing the model to fail, may be selected. From these selected variants, a next generation of variant files may be created. The next generation of variant files may be evaluated for their fitness. At each step of fitness evaluation or at the end of the iterative process, a map of the fittest variants may be generated to identify hotspots. These hotspots may reveal segments of code or a file that are problematic for the model, which can be used to improve the model.

Abstract: A method and apparatus for mobile emulator determination using sound fingerprinting is disclosed. The method includes a verification computer system receiving a transaction request from a computing device purporting to be a mobile device. Responsive to receiving the request, the verification computer system transmits a request for verification information to the computing device. The verification system includes information regarding a tone to be generated by a speaker of the computing device. Thereafter, verification information is received from the computing device. The verification information includes information tone information generated by the computing device, wherein the tone is, after generation, detected by a microphone. The verification system then verifies, based on the receive verification information, whether the information indicates that the computing device is a mobile device.

Abstract: A request to access one or more server resources is received from a user device. Based on the request, a purported version of a browser running on the user device is determined. The user device executes a program within the browser, according to various embodiments, which throws one or more exceptions associated with one or more particular browser versions. The results of the exceptions may be analyzed to determine whether the purported version of the browser appears to be a true version of the browser. If the analysis indicates that the purported version of the browser is not accurate, the request to access the one or more server resources may be evaluated at an elevated risk level. Inaccurately reported browser versions may indicate an attempt to gain unauthorized access to an account, and thus, being able to detect a falsely reported browser version can help improve computer security.