Virus Detection Patents (Class 726/24)
  • Patent number: 10389747
    Abstract: Example implementations relate to facilitating scanning of protecting computing resources. In example implementations, a computing device receives a scan indicator that indicates an external agent is prepared to scan a protected resource of the computing device; identifies a protected action that may be performed by the data processor, the protected action facilitating scanning the protected resource of the computing device by the external agent, the protected action comprising a change in a state of the protected resource; performs the protected action; and provides the external agent with data indicating a current state of the protected resource.
    Type: Grant
    Filed: February 27, 2015
    Date of Patent: August 20, 2019
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Richard Brown, Jonathan Griffin, Andy Norman
  • Patent number: 10382469
    Abstract: Systems and methods of identifying a security risk by monitoring and generating alerts based on attempts to access web domains that have been registered within a short period of time and are therefore identified as “high-risk,” including identifying an attempt to access a domain; receiving a registration date of the domain; and detecting a security risk based on the registration date of the domain.
    Type: Grant
    Filed: July 22, 2015
    Date of Patent: August 13, 2019
    Assignee: Rapid7, Inc.
    Inventors: Samuel Adams, H D Moore
  • Patent number: 10372912
    Abstract: The disclosed embodiments include a method for disarming malicious code in a computer system having a processor. The method comprises accessing, by the computer system, input content, wherein the input content includes a plurality of data units having a value representing media content, and adjusting, by the processor, a data unit value of at least a portion of the data units, wherein the portion of the data units and an adjustment of the data unit value are determined so as to render any malicious code included in the plurality of data units inactive for its intended malicious purpose while not interfering with an intended use of the input content.
    Type: Grant
    Filed: July 2, 2018
    Date of Patent: August 6, 2019
    Assignee: VOTIRO CYBERSEC LTD.
    Inventors: Aviv Grafi, Itay Glick
  • Patent number: 10367837
    Abstract: Embodiments of the present invention provide systems and methods for performing a security analysis on a set of observables by inferring malicious relationships. The method includes receiving a set of observables and structured and unstructured threat data. The method further includes analyzing the observables and the structured and unstructured threat data using cognitive computing, and creating and transferring a subgraph.
    Type: Grant
    Filed: January 25, 2017
    Date of Patent: July 30, 2019
    Assignee: International Business Machines Corporation
    Inventors: Kaushal K. Kapadia, Dhilung H. Kirat, Youngja Park, Marc P. Stoecklin, Sulakshan Vajipayajula
  • Patent number: 10366233
    Abstract: The disclosed computer-implemented method for trichotomous malware classification may include (1) identifying a sample potentially representing malware, (2) selecting a machine learning model trained on a set of samples to distinguish between malware samples and benign samples, (3) analyzing the sample using a plurality of stochastically altered versions of the machine learning model to produce a plurality of classification results, (4) calculating a variance of the plurality of classification results, and (5) classifying the sample based at least in part on the variance of the plurality of classification results. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: November 18, 2016
    Date of Patent: July 30, 2019
    Assignee: Symantec Corporation
    Inventors: Reuben Feinman, Javier Echauz, Andrew B. Gardner
  • Patent number: 10360668
    Abstract: A system and method include obtaining and authenticating image files from users, such as insured users, at the request of an entity, such as an insurance provider. The requesting entity may supply an electronic address of the user and a unique identifier. The system may transmit a link to the electronic address. When selected, the link causes an image authentication application to be installed on a user device. The application takes the images securely and separately from a native camera application. Each image authentication application may be customized for each requesting entity. An authentication server may identify the requesting entity that made the request and identify a corresponding image authentication application to be provided to the electronic address. The images from the image authentication application may be authenticated via reverse image search, time, geolocation, and/or other information. The authenticated images and/or related data may be provided to the requesting entity.
    Type: Grant
    Filed: August 13, 2018
    Date of Patent: July 23, 2019
    Assignee: TruePic Inc.
    Inventors: Jeffrey McGregor, Craig Stack, Jason Lyons, Matthew Robben
  • Patent number: 10346518
    Abstract: A method and apparatus for an automated classification and reset of browser settings is provided. A set of disreputable browser setting values is maintained based on statistics associated with the browser setting values. In response to determining that an attempt is made to set a browser setting to a value in the set of disreputable browser setting values, a notification can be presented to the user. The notification can include options in a set of reputable browser settings.
    Type: Grant
    Filed: October 9, 2015
    Date of Patent: July 9, 2019
    Assignee: AVAST SOFTWARE S.R.O.
    Inventors: Thomas Wespel, Thomas Salomon
  • Patent number: 10339300
    Abstract: Novel tools and techniques are implemented for providing computer security. In various embodiments, a computer system might receive data from one or more data feeds, might obtain a binary object based on the data, might load the binary object onto a sandboxed system, and might execute the binary object with the sandbox system. The computer system might analyze operation of the sandboxed system to determine whether the binary object includes a malware payload, and might, based on a determination that the binary object includes a malware payload, generate a report indicating that the binary object includes a malware payload.
    Type: Grant
    Filed: March 21, 2016
    Date of Patent: July 2, 2019
    Assignee: Binary Guard Corp.
    Inventors: Ihab Shraim, Allen E. Chen, Stanislav Datskovskiy, Jordan R. Hannes, Daniel M. Marcus, Ray R. Reese, III
  • Patent number: 10339311
    Abstract: Various examples are directed to detecting anomalous modifications to a software component. For example, a computing device may receive, from a version control system, version metadata describing properties of a plurality of commits for the software component. The computing device may generate a plurality of commit clusters based, at least in part, on the properties of the plurality of commits. The computing device may determine a first anomalous commit of the plurality of commits and generate an alert message indicating a first code segment modified by the first commit.
    Type: Grant
    Filed: February 17, 2017
    Date of Patent: July 2, 2019
    Assignee: SAP SE
    Inventors: Martin Haerterich, Martin Johns
  • Patent number: 10339322
    Abstract: A binary vulnerability analysis method performed by a computing device is provided, and the binary vulnerability analysis method includes a primary execution step of recording a symbolic constraint of a vulnerability associated with an execution flow path causing a crash to a target binary to be analyzed and a suspicious element on the execution flow path by performing taint analysis through a primary execution of the target binary; and a secondary execution step of performing a secondary execution, which is a symbolic execution, on the execution flow path and, if an instruction satisfying the symbolic constraint is found, determining that the vulnerability exists in the target binary by comparing the suspicious element and the found instruction.
    Type: Grant
    Filed: July 16, 2018
    Date of Patent: July 2, 2019
    Assignee: KOREA INTERNET AND SECURITY AGENCY
    Inventors: Hwan Kuk Kim, Tae Eun Kim, Sang Hwan Oh, Soo Jin Yoon, Jee Soo Jurn, Geon Bae Na
  • Patent number: 10338822
    Abstract: Systems and methods described herein align various types of hypervisor threads with a non-uniform memory access (NUMA) client of a virtual machine (VM) that is driving I/O transactions from an application so that no remote memory access is required and the I/O transactions can be completed with local accesses to CPUs, caches, and the I/O devices of a same NUMA node of a hardware NUMA system. First, hypervisor of the VM detects whether the VM runs on a single or multiple NUMA nodes. If the VM runs on multiple NUMA nodes, a NUMA client on which the application is executing the I/O transactions is identified and knowledge of resource sharing between the NUMA client and its related hypervisor threads is established. Such knowledge is then utilized to schedule the NUMA client and its related hypervisor threads to the same NUMA node of the NUMA system.
    Type: Grant
    Filed: June 15, 2016
    Date of Patent: July 2, 2019
    Assignee: VMware, Inc.
    Inventors: Amitabha Banerjee, Rishi Mehta, Xiaochuan Shen, Seongbeom Kim
  • Patent number: 10339312
    Abstract: A method and system is provided for detecting malicious compound files. An example method includes: obtaining at least one compound file; identifying a first set of features of the at least one compound file including features associated with a header of the at least one compound file; subsequent to identifying the first set of features, identifying, by the processor, a second set of features of the at least one compound file including features associated with at least one directory of the at least one compound file; determining a hash sum of the at least one compound file based on the first and second set of features; comparing the hash sum of the at least one compound file with information associated with a plurality of compound files stored in a database; and identifying the at least one compound file as being malicious, trusted or untrusted based at least on comparison results.
    Type: Grant
    Filed: January 20, 2017
    Date of Patent: July 2, 2019
    Assignee: AO KASPERSKY LAB
    Inventors: Andrey V. Krukov, Alexander V. Liskin, Anton M. Ivanov
  • Patent number: 10341365
    Abstract: A method for hiding transition events during malware detection comprising processing of an object within a VM, intercepting an attempted execution of an instruction located on a page in memory associated with the VM, responsive to determining the page includes instructions corresponding to one of a predefined set of function calls, (i) inserting a first transition event into the memory at a location on the page of a first instruction of the instructions, and (ii) setting a permission of the page to be execute only, and responsive to further processing within the VM causing an attempt to read from or write to the page including the first transition event, (i) halting processing within the VM, (ii) removing the first transition event, (iii) setting the permission of the page to prohibit execution, and (iv) resuming the processing is shown.
    Type: Grant
    Filed: June 30, 2016
    Date of Patent: July 2, 2019
    Assignee: FireEye, Inc.
    Inventor: Phung-Te Ha
  • Patent number: 10333949
    Abstract: The present disclosure relates to systems and methods for blocking an infection vector. In some embodiments, a method may include detecting, at a first device, a synchronization event with a second device, the first device and the second device operating with a proprietary mobile operating system. In some examples, the method may include recognizing, by the first device, that the first device is attempting to send a data package to the second device, and identifying the data package as malware. The method may further include blocking the data package from being received at the second device based at least in part on the identifying.
    Type: Grant
    Filed: March 15, 2016
    Date of Patent: June 25, 2019
    Assignee: Symantec Corporation
    Inventors: Rui Jing, Joseph Chen, Yuan Liu
  • Patent number: 10331882
    Abstract: Methods, systems, and computer-readable media for tracking and managing virtual desktops using signed tokens are presented. In some embodiments, a server computing device may receive a first registration message from a first virtual machine. The server computing device may determine a state of the first virtual machine based on token information associated with the first registration message received from the first virtual machine. Subsequently, the server computing device may update virtual machine state information records maintained by the server computing device based on the state of the first virtual machine determined by the server computing device. The virtual machine state information records maintained by the server computing device may identify one or more tainted virtual machines and one or more untainted virtual machines.
    Type: Grant
    Filed: August 24, 2016
    Date of Patent: June 25, 2019
    Assignee: Citrix Systems, Inc.
    Inventors: Leo C. Singleton, William T. G. Charnell, Sebastian Tomasz Amrogowicz, Andrew John Ogle, Sheldon Ferdinand Lachambre
  • Patent number: 10333951
    Abstract: A method and a system for implementing golden container storage. Specifically, the disclosed method and system entail the creation of a container registry to securely store golden containers (or templates) for containers of specific application types that execute within a service platform. Given short retention spans, the containers are constantly being cycled out. Each recreated container is modeled after one of the golden containers, and assigned new Internet Protocol (IP) and/or media access control (MAC) addresses rather than assuming the existing addresses of the containers the recreated containers replace. Substantively, embodiments of the invention employ these tactics towards implementing a moving target defense (MTD) strategy.
    Type: Grant
    Filed: July 31, 2017
    Date of Patent: June 25, 2019
    Assignee: EMC IP Holding Company LLC
    Inventors: Assaf Natanzon, Amit Lieberman, Oron Golan, Yuri Manusov, Raul Shnier
  • Patent number: 10326781
    Abstract: Some embodiments of cloud-based gateway security scanning have been presented. In one embodiment, some data packets are received sequentially at a gateway device. The data packets constitute at least a part of a file being addressed to a client machine coupled to the gateway device. The gateway device forwards an identification of the file to a remote datacenter in parallel with forwarding the data packets to the client machine. The datacenter performs signature matching on the identification and returns a result of the signature matching to the gateway device. The gateway device determines whether to block the file from the client machine based on the result of the signature matching from the datacenter.
    Type: Grant
    Filed: January 26, 2017
    Date of Patent: June 18, 2019
    Assignee: SONICWALL INC.
    Inventors: Aleksandr Dubrovsky, Senthilkumar G. Cheetancheri, Boris Yanovsky
  • Patent number: 10325092
    Abstract: Examples relate to dynamically adjusting a model for a security operations center (“SOC”). As such, the examples disclosed herein enable constructing a customer storage model over a set of time periods for a customer based on a set of resources of the SOC, a storage distribution model received from the customer related to expected usage of the set of resources, and a threat landscape for the customer. The customer storage model may be revised for a second time period based on actual storage use of the customer during a first time period, and a projection of an amount of data to be consumed in the second time period based on the threat landscape. Allocation of the resources in the SOC may be revised for the second time period based on the revision to the customer storage model.
    Type: Grant
    Filed: March 11, 2015
    Date of Patent: June 18, 2019
    Assignee: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
    Inventors: Marco Casassa Mont, Simon Ian Arnell, Mihaela Gittler
  • Patent number: 10318731
    Abstract: A detection method comprising: (A) transmitting a to-be tested file to a first testing machine by the processing device, wherein the first testing machine is used for executing the to-be tested file; (B) monitoring whether a component usage of the first testing machine is higher than a default threshold during a period of executing the to-be tested file by the processing device; and (C) when the component usage of the first testing machine is higher than the default threshold, the memory forensics module analyzes the memory space of the first testing machine to determine whether the to-be tested file comprises a malware program and generate an analyzing result.
    Type: Grant
    Filed: December 5, 2016
    Date of Patent: June 11, 2019
    Assignee: INSTITUTE FOR INFORMATION INDUSTRY
    Inventors: Jian-Wei Liao, Chin-Wei Tien, Shun-Chieh Chang
  • Patent number: 10320821
    Abstract: Methods, computer-readable media, software, and apparatuses may assist a consumer in keeping track of a consumer's accounts in order to prevent unauthorized access or use of the consumer's identified accounts. To discover the various accounts, the methods, computer-readable media, software, and apparatuses can monitor at least a consumer's email accounts, web browser history, and web cache. The discovered accounts may be displayed to the consumer along with recommendations and assistance for closing unused or unwanted accounts to prevent unauthorized access or use.
    Type: Grant
    Filed: September 22, 2017
    Date of Patent: June 11, 2019
    Assignee: Allstate Insurance Company
    Inventors: Jason D. Park, John S. Parkinson
  • Patent number: 10313373
    Abstract: There is provided a network appliance, methods and systems which intercept web and email traffic, extract executables, compare the executables with a policy and wrap the executables. Then, the wrapped executables are delivered to a client system in a manner to protect the network and end point devices, where the wrapped executables are run in a sandbox with all file system, registry accesses, communication and traffic isolated.
    Type: Grant
    Filed: October 7, 2015
    Date of Patent: June 4, 2019
    Inventors: Melih Abdulhayoglu, Egemen Tas, Haibo Zhang
  • Patent number: 10313370
    Abstract: Techniques for generating malware signatures based on developer fingerprints in debug information are disclosed. In some embodiments, a system, process, and/or computer program product for generating malware signatures based on developer fingerprints in debug information includes receiving a sample, in which the sample includes a binary executable file; matching one or more paths in content of the binary executable file based on a plurality of patterns; extracting meta information from the one or more matched paths; and automatically generating a signature based on the extracted meta information.
    Type: Grant
    Filed: May 2, 2018
    Date of Patent: June 4, 2019
    Assignee: Palo Alto Networks, Inc.
    Inventor: Zihang Xiao
  • Patent number: 10313366
    Abstract: Techniques are provided for retroactively identifying malware programs when new signatures become available that later match network traffic previously obtained from the sandbox environment. An exemplary method comprises obtaining a plurality of packet capture files comprising previously captured network communications of malware programs that previously executed in a sandbox environment, wherein each of the packet capture files are associated with a corresponding malware program that generated the network communications; obtaining signatures indicative of at least one malware program; comparing the signatures to the packet capture files; and retroactively identifying a given malware program as malware if a signature matches a given packet capture file associated with the given malware program.
    Type: Grant
    Filed: September 23, 2016
    Date of Patent: June 4, 2019
    Assignee: EMC IP Holding Company LLC
    Inventor: Erik M. Heuser
  • Patent number: 10313387
    Abstract: Systems and methods are described for using a template for simulated phishing campaigns based on a predetermined date from a date associated with a user. The predetermined date may be an event, an anniversary or a milestone associated with employment of the user with a company. The campaign controller may identify a date associated with the user and based on the identification of the date associated with the user, the campaign controller may select one or more templates for one or more simulated phishing campaigns to be triggered by a predetermined date related to the date associated with the user.
    Type: Grant
    Filed: December 1, 2017
    Date of Patent: June 4, 2019
    Assignee: KNOWBE4, INC.
    Inventor: Greg Kras
  • Patent number: 10303705
    Abstract: An organization categorization system and method is disclosed. The organization categorization system and method relies on server data to discover which business organizations are consuming the finite resources of the server and in what proportions. Organizations are categorized according to their consumption of resources. The categorization system and method further ascribes a relative business value to each organization to facilitate the allocation of resources among the various organizations in a business. In an example embodiment, users of the server resources use the SAS programming language and the server resources execute SAS applications that support the SAS programming language. The organization categorization system and method connects an executed computer program to a business-defined classification of applicability to purpose.
    Type: Grant
    Filed: November 21, 2016
    Date of Patent: May 28, 2019
    Assignee: Humana Inc.
    Inventors: Andrew B. Hollister, Elizabeth Barth-Thacker
  • Patent number: 10303878
    Abstract: A method detects, locates, and masks a hardware Trojan (HT) in an arithmetic circuit to improve circuit security. The method provides a first netlist and a second netlist of the arithmetic circuit, uses reverse engineering to extract 2-input XOR sub circuits, XOR trees, 1-bit adders, 1-bit adder graphs and arithmetic macros from the first netlist and the second netlist to obtain a first plurality of arithmetic macros and a second plurality of arithmetic macros, detects the HT by comparing the first plurality of arithmetic macros with the second plurality of arithmetic macros with functional ECO engine, locates the HT in the second netlist, and improves security of the arithmetic circuit by masking the HT with addition of a patch in the second netlist to obtain a patched netlist.
    Type: Grant
    Filed: January 13, 2017
    Date of Patent: May 28, 2019
    Inventor: Yu-Liang Wu
  • Patent number: 10296743
    Abstract: A method and device for constructing an apk virus signature database and an apk virus detection system. The method comprises: obtaining a given sample set, the sample set being composed of N normal apk file samples and N virus-infected apk file samples; for any sample in the given sample set, separately obtaining M signature values of the sample according to M preset signatures; for any sample subset i (i=1, . . .
    Type: Grant
    Filed: March 3, 2015
    Date of Patent: May 21, 2019
    Assignee: Conew Network Technology (Beijing) Co., Ltd.
    Inventors: Guoqing Yuan, Haifeng Su, Xin Shu
  • Patent number: 10291700
    Abstract: As disclosed herein a computer-implemented method includes receiving a delta scan from an endpoint system comprising changes to a baseline inventory, and determining if the delta scan can be processed. The method further includes responsive to determining that the delta scan can be processed, processing the delta scan to produce a synchronized baseline inventory, and responsive to determining that the delta scan cannot be processed, indicating that the delta scan is unable to be processed. The method further includes responsive to indicating the delta scan is unable to be processed, receiving a most recent full system scan from the endpoint system to provide a new synchronized baseline inventory. A computer program product and a computer system corresponding to the above method are also disclosed herein.
    Type: Grant
    Filed: February 8, 2016
    Date of Patent: May 14, 2019
    Assignee: International Business Machines Corporation
    Inventors: Piotr P. Godowski, Artur Obrzut, Luigi Pichetti, Jacek J. Stezowski
  • Patent number: 10284577
    Abstract: The present application discloses a method and an apparatus for file identification. The method for file identification comprises: determining a virus family of each malicious file sample in a plurality of the file samples resulting in a plurality of virus families; dividing the plurality of the virus families into at least one sample group based on a number of the malicious files belonging to each of the plurality of virus families; training the malicious file samples in each of the at least one sample group with a different training rule to obtain at least one file identification model; and determining, using the at least one identification model whether a file is a malicious file. The method for file identification of the present application may provide different identification models for various types of malicious files and thus improves the accuracy of the file identification.
    Type: Grant
    Filed: December 31, 2015
    Date of Patent: May 7, 2019
    Assignee: IYUNTIAN CO., LTD.
    Inventors: Zhentan Feng, Deqiang Cao, Shuguang Xiong, Xiaobo Zhou, Xin Wang
  • Patent number: 10284598
    Abstract: In general, in one aspect, a system for providing honeypot network services may monitor network activity, and detect network activity indicative of network service discovery by a first device, for example, port scanning. The system may present a temporarily available network service to the first device in response to detecting the activity indicative of port scanning, for example, by redirecting traffic at an unassigned network address to a honeypot network service. The system may monitor communication between the first device and the presented honeypot network service to determine whether the monitored communication is indicative of a threat, and determine that the first device is compromised based on the monitored communication between the first device and the presented honeypot network service. The system may initiate measures to protect the network from the compromised first device.
    Type: Grant
    Filed: January 29, 2016
    Date of Patent: May 7, 2019
    Assignee: Sophos Limited
    Inventor: Daniel Stutz
  • Patent number: 10282092
    Abstract: Methods and systems for creating and maintaining a virtual library of virtual hard disks involve one or more processors partitioning resources on a physical host computer into at least one virtual machine having at least one virtual hard disk attached to the virtual machine and loading pre-selected custom content on the virtual hard disk. Thereafter, the virtual hard disk may be detached from the virtual machine and cataloged in a database together with control parameters limiting cloning of the detached virtual hard disk. At a later time, the cataloged virtual hard disk loaded with the pre-selected custom content may be attached from the database to the virtual machine on the physical host computer.
    Type: Grant
    Filed: September 9, 2015
    Date of Patent: May 7, 2019
    Assignee: CITIGROUP TECHNOLOGY, INC.
    Inventor: Parul K. Jain
  • Patent number: 10277617
    Abstract: Provided are a method and device for feature extraction. The method comprises: acquiring a batch of black sample files and white sample files from an application layer of a smart terminal operating system; parsing each file, acquiring information structure of all functions contained in each file, and computing a checksum for each function; determining whether or not the files contain the functions corresponding to the checksums, thus compiling statistics on the number of occurrences of each function in the black sample files and the white sample files; and, extracting a black sample feature on the basis of functions occurring only in the black sample files and not occurring in the white sample files, or extracting a white sample feature on a similar basis.
    Type: Grant
    Filed: October 31, 2014
    Date of Patent: April 30, 2019
    Assignee: Beijing Qihoo Technology Company Limited
    Inventors: Kang Yang, Zhuo Chen, Hai Tang
  • Patent number: 10277631
    Abstract: Systems and methods herein discuss a policy engine stored on a mobile device that intercepts content requests to a content provider. The policy engine is self-preserving, and may, subsequent to intercepting the content requests and based upon a determination that the requesting entity is associated with a whitelist; blocking, by the policy engine. The policy engine may in some cases transmit at least some of the requested content in response to a determination that the requesting application is associated with a blacklist or may transmit an HTTP200 response to the requesting entity based on a determination that the requesting application anticipates a response.
    Type: Grant
    Filed: July 8, 2016
    Date of Patent: April 30, 2019
    Assignee: Sprint Communications Company L.P.
    Inventor: Glen S. Gemeniano
  • Patent number: 10268825
    Abstract: Mechanisms are provided for correlating security vulnerability detection across multiple applications. The mechanisms perform a security vulnerability analysis of first source code of a first application, and identify, based on results of the security vulnerability analysis, a security vulnerability in a first portion of the first source code. The mechanisms associate characteristics of the security vulnerability with the first portion, and correlate the characteristics of the security vulnerability with second source code of a second application based on the association of the characteristics of the security vulnerability with the first portion. In addition, the mechanisms generate an output to a computing device of a consumer or contributor associated with the second source code identifying a presence of the security vulnerability in the second source code based on the correlation.
    Type: Grant
    Filed: December 1, 2016
    Date of Patent: April 23, 2019
    Assignee: International Business Machines Corporation
    Inventors: Elizabeth A. Holz, Iosif V. Onut, Joni E. Saylor, Hyun Kyu Seo, Ronald B. Williams
  • Patent number: 10262309
    Abstract: Approaches for augmenting a BIOS with a new program. A BIOS provides an interface through which a user may select one or more programs from a plurality of offered programs. When the BIOS receives input from the user that selects a particular program, the BIOS retrieves, over a network, the particular program. Received applications may be stored in the BIOS or in a hidden file that the BIOS can also access without booting the operating system. An online application store can offer applications that are signed by the BIOS issuer as being approved for plug-in applications for use in a pre-boot or post-boot environment.
    Type: Grant
    Filed: February 11, 2013
    Date of Patent: April 16, 2019
    Assignee: Phoenix Technologies Ltd.
    Inventors: Steven Chan, Dan Kikinis
  • Patent number: 10264007
    Abstract: A method for detecting malware beaconing in a network, the method includes capturing network traffic over a network connection at a network connected device, representing the network traffic over the network connection as a set of tuples wherein each of the tuples includes at least a source Internet Protocol address, a destination Internet Protocol address, and a destination port, associating timestamps with each of the set of tuples, and analyzing the tuples using the timestamps based on frequency of connections to determine malware beaconing on the network, wherein the analyzing is performed by a computing device.
    Type: Grant
    Filed: April 19, 2018
    Date of Patent: April 16, 2019
    Assignee: NETSEC CONCEPTS, LLC
    Inventor: Brian Fehrman
  • Patent number: 10262136
    Abstract: Systems, methods and apparatus for malware detection detect and stop the distribution of malware and other undesirable content before such content reaches computing systems. A malware detection service external to network edges of a system receives a request from a computer within the system, the request identifying a signature associated with content. The service determines a status indicator of the content using the signature, and transmits the status indicator to the computer.
    Type: Grant
    Filed: August 4, 2008
    Date of Patent: April 16, 2019
    Assignee: Zscaler, Inc.
    Inventors: Kailash Kailash, Robert L. Voit, Jose Raphel
  • Patent number: 10256978
    Abstract: Techniques and mechanisms described herein facilitate the encryption of content using content-based encryption keys. According to various embodiments, a data stream may include one or more data chunks. A client machine may apply a hash function to a data chunk to determine a fingerprint value. A cryptographic protocol shared with a remote server may be applied to the fingerprint value to determine a data chunk encryption key. The data chunk encryption key may be used to encrypt the data chunk, and the encrypted data chunk may be sent to the remote server for storage.
    Type: Grant
    Filed: November 7, 2017
    Date of Patent: April 9, 2019
    Assignee: QUEST SOFTWARE INC.
    Inventors: Murali Bashyam, Tarun K. Tripathy
  • Patent number: 10250603
    Abstract: The launching of new software code, virtual machines, and other such instances can undergo one or more scans before being fully available in an electronic environment. One or more policies may apply to such a launch, which can cause the launch to first be performed under a first network configuration, wherein the instance may not be granted access to resources other than scanning infrastructure. After one or more scans are performed, the results can be compared against the policies and, if the results pass, the instance can be caused to operate in a second network configuration, whether launching a new instance in a production environment, altering the configuration of the network, or other such tasks. The policies can be set by a provider of the relevant resources, an administrator of one or more affected resources, an administrator of the instance, or another appropriate party.
    Type: Grant
    Filed: March 30, 2015
    Date of Patent: April 2, 2019
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventors: Gregory Branchek Roth, Andrew Paul Mikulski
  • Patent number: 10243981
    Abstract: A system automatically detects bots and/or botnets.
    Type: Grant
    Filed: September 9, 2016
    Date of Patent: March 26, 2019
    Assignee: CA, Inc.
    Inventors: Jin Zhang, Chi Zhang, Zheng Chen
  • Patent number: 10242188
    Abstract: Disclosed are an apparatus and method of verifying an application installation procedure. One example method of operation may include receiving an application at a computer device and initiating the installation of the application on the computer device. The method may also provide executing the application during the installation procedure and creating a hash value corresponding to the executed application data. The method may further provide storing the hash value in memory and comparing the hash value to a pre-stored hash value to determine whether to continue the installation of the application.
    Type: Grant
    Filed: September 5, 2017
    Date of Patent: March 26, 2019
    Assignee: OPEN INVENTION NETWORK LLC
    Inventor: William Charles Easttom
  • Patent number: 10237284
    Abstract: A method for implementing an Internet of Things security appliance is presented. The method may include intercepting a data packet sent from a server to a client computing device. The method may include performing a security check on the data packet using security modules. The method may include determining the data packet is not malicious based on the security check. The method may include determining a shadow tester to test the data packet based on a type associated with the client computing device. The method may include creating a virtualization environment of the client computing device using the shadow tester. The method may include analyzing behaviors associated with the data packet within the virtualization environment using detection modules. The method may include determining the behaviors do not violate a behavior policy associated with the client computing device. The method may include transmitting the data packet to the client computing device.
    Type: Grant
    Filed: March 31, 2016
    Date of Patent: March 19, 2019
    Assignee: International Business Machines Corporation
    Inventors: KuoChun Chen, Sheng-Tung Hsu, Jia-Sian Jhang, Chun-Shuo Lin
  • Patent number: 10235524
    Abstract: A system, method, and apparatus for identifying and removing malicious applications are disclosed. An example apparatus includes an executable application configured to collect data regarding processes operating on a client device during a time period. The executable application is also configured to purposefully access, during the time period, an application server using a web browser on the client device in an attempt to trigger a malicious application potentially located on the client device. The executable application is configured to transmit, after the time period, the collected data to an analysis server to determine whether the malicious application is located on the client device.
    Type: Grant
    Filed: May 19, 2017
    Date of Patent: March 19, 2019
    Assignee: SUNSTONE INFORMATION DEFENSE, INC.
    Inventor: David K. Ford
  • Patent number: 10237303
    Abstract: In an example, there is disclosed a method and system for calculating an object's trust level for security purposes based on prevalence in a context-aware network. In an embodiment, as objects are accessed, a client queries a domain master such as a reputation server to evaluate the object's reputation. The domain master may maintain a prevalence-based reputation database, which may be updated as new clients report object prevalences.
    Type: Grant
    Filed: December 20, 2013
    Date of Patent: March 19, 2019
    Assignee: McAfee, LLC
    Inventors: Kenneth D. Simone, Jr., Paul A. Whitehurst, Mark Joseph Boudreaux
  • Patent number: 10229161
    Abstract: Approaches, techniques, and mechanisms are disclosed for improved caching in database systems that deal with multiple data access patterns, such as in database systems that interface with both OLTP and Data Warehouse clients. A cache is deployed between a database server and a storage system that stores data units. Some of the data units accessed by the database server are buffered within the cache. The data units may be associated with data access patterns, such as a random data access pattern or a scan data access pattern, in accordance with which the database server is or appears to be accessing the data units. A processor selects when to cache data units accessed by the database server, based at least on the associated data access patterns. Recent access counts may also be stored for the data units, and may further be utilized to select when to cache data units.
    Type: Grant
    Filed: September 17, 2014
    Date of Patent: March 12, 2019
    Assignee: Oracle International Corporation
    Inventors: Sarat B. Kakarla, Jia Shi, Selcuk Aya, Kothanda Umamageswaran, Juan R. Loaiza
  • Patent number: 10218731
    Abstract: Detecting cyber threat and malware, particularly zero-day malware, is a major challenge for the security community. Signature-based methods of cyber threat and malware detection are unable to detect zero-day malware. In order to detect zero-day malware and cyber threat which may have more severe impacts, a system called Compromised Detection System (CDS) and a method thereof is disclosed. The CDS uses a sophisticated approach and method based on Machine Learning to detect anomalies on the network behavior. By such approach, CDS is able to detect unknown cyber threat and malware (aka zero day) since they will present a deviation from the normal behavior in the network.
    Type: Grant
    Filed: October 5, 2016
    Date of Patent: February 26, 2019
    Assignee: EFFICIENT PROTECTION INC.
    Inventors: Karim Ganame, Ahmed Techini
  • Patent number: 10218726
    Abstract: In one embodiment, a networking device in a network causes formation of device clusters of devices in the network. The devices in a particular cluster exhibit similar characteristics. The networking device receives feedback from a device identity service regarding the device clusters. The feedback is based in part on the device identity service probing the devices. The networking device adjusts the device clusters based on the feedback from the device identity service. The networking device performs anomaly detection in the network using the adjusted device clusters.
    Type: Grant
    Filed: June 13, 2016
    Date of Patent: February 26, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Jean-Philippe Vasseur, Grégory Mermoud, Pierre-André Savalle, Andrea Di Pietro, Sukrit Dasgupta
  • Patent number: 10216718
    Abstract: A method for maintaining conversational cadence may include determining, by a processor, a conversational cadence associated with a user in a social network. The conversational cadence may be determined based on a plurality of messages previously transmitted by the user. The method may also include detecting, by the processor, a reduction in the conversational cadence of the user. The method may further include providing, by the processor, a set of fill-in messages that create an appearance to another user in the social network that there is no reduction in the conversational cadence.
    Type: Grant
    Filed: January 25, 2017
    Date of Patent: February 26, 2019
    Assignee: International Business Machines Corporation
    Inventors: Paul R. Bastide, Matthew E. Broomhall, Robert E. Loredo
  • Patent number: 10218741
    Abstract: Provided are systems, methods, and computer program products for a cyber-vaccination technique. In various implementations, the cyber-vaccination technique includes using a network device that is infected by a malware program to determine a marker generated by the malware program. The marker may indicate to the malware program that the network device has been infected by the malware program. Determining the marker can include identifying a placement of the marker on the network device. The technique further includes identifying one or more other network devices that have not previously been infected by the malware program. The technique further includes automatically distributing copies of the marker. When a copy of the marker is received at one of the previously identified, uninfected network devices, the identified network device can place the marker on the identified network device according to the identified placement.
    Type: Grant
    Filed: March 23, 2017
    Date of Patent: February 26, 2019
    Assignee: ACALVIO TECHNOLOGIES, INC.
    Inventor: Rajendra A. Gopalakrishna
  • Patent number: RE47364
    Abstract: In accordance with an embodiment of the present invention, a client device is protected against the execution of unauthorized software. The client includes a code authentication process that verifies the integrity of executable code, by generating and comparing a first hash value of the executable code with a known hash value of the original code. Furthermore, during boot-up, the client initializes a CPU exception vector table with one or more vector table entries. One or more, or all, of the vector table entries direct the CPU to execute the code authentication process prior to executing an event handler when an exception event occurs. Consequently, the code authentication process is virtually guaranteed to execute, thereby protecting against the execution of unauthorized code.
    Type: Grant
    Filed: March 16, 2016
    Date of Patent: April 23, 2019
    Assignee: VUDU, INC.
    Inventors: Edin Hodzic, Andrew M. Goodman, Prasanna Ganesan