Abstract: Disclosed herein are systems and methods of selecting security virtual machines (SVMs) for a virtual machine (VM) in a virtual infrastructure. In one aspect, an exemplary method comprises, forming a list of SVMs, wherein SVM performs security tasks for the VM, and VM includes a security agent configured to interact with the SVM, determining restriction requirements of the security agent and removing from the list SVMs not conforming to restriction requirements on limits of interaction area of the security agent, polling SVMs remaining on the list to determine network accessibility of said SVMs and removing inaccessible SVMs, for each accessible SVM remaining on the list, determining whether a marker of the SVM matches that of the security agent of the VM and removing SVMs whose markers do not match the marker of the security agent, and providing the list of remaining SVMs to the security agent of the VM.

Abstract: Feature vectors are abstracted from data describing application processes. The feature vectors are grouped to define non-anomalous clusters of feature vectors corresponding to normal application behavior. Subsequent feature vectors are considered anomalous if they do not fall within one of the non-anomalous clusters; alerts are issued for anomalous feature vectors. In addition, the subsequent feature vectors may be used to regroup feature vectors to adapt to changes in what constitutes normal application behavior.

Abstract: There is disclosed a method for determining malicious files in a network traffic, the method executable by a server. The method comprises: receiving the network traffic from a data communication network, retrieving a plurality of files from the network traffic, analyzing the plurality of files in order to detect at least one suspicious file, running the at least one suspicious file in at least one virtual machine, the at least one virtual machine associated with a set of the status parameters, determining changes in the set of the status parameters of the at least of one virtual machine, analyzing the changes in the set of status parameters using a set of the analysis rules such that to classify the at least one suspicious file as a malicious file based on the changes in the set of status parameters being indicative of the at least one file being the malicious file.

Abstract: An application privacy analysis system is described, where the system obtains an application and analyzes it for privacy related data use. The system may determine privacy related activities of the application from established sources of such data and/or may decompile the application and analyze the resulting code to determine the privacy related activities of the application. The system may execute the application and monitor the communications traffic exchanged by the application to determine privacy related activities of the application. The system may store the results of such analyses for future reference.

Abstract: The disclosed computer-implemented method for providing persistent visual warnings for application launchers may include (i) loading an application launcher into a sandbox, (ii) monitoring one or more functions of an application from the application launcher, (iii) querying a malware detection manager using information obtained from monitoring the functions of the application to determine whether the application is potentially harmful, and (iv) modifying, based on determining that the application is potentially harmful, an icon for the application launched from the sandbox to notify a user that the application is potentially harmful. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Implementations of the present disclosure relate to method and device for managing a storage system. The method comprises in response to receiving a write request at a storage system, determining whether storage units allocated to a logic storage unit of the storage system are sufficient for data associated with the write request. The method also comprises in response to determining that the allocated storage units are insufficient, allocating a new storage unit to the logic storage unit. The method further comprises updating metadata associated with allocation of the storage units of the storage system, the metadata indicating a mapping between the logic storage unit and the storage units. The method also comprises encrypting the updated metadata. Other implementations of the present disclosure also involve corresponding method, device and computer-readable medium for decryption metadata and recovering the logic storage unit using the decrypted metadata.

Abstract: A method, apparatus, and system for storing data at a multi cloud-based storage system is disclosed. The operations comprise: receiving a data block at a first cloud of a multi cloud-based storage system for storage, the multi cloud-based storage system comprising a first number (n) of clouds; generating the first number (n) of coded blocks at the first cloud based on the data block, wherein the data block is recoverable from any second number (k) out of the first number (n) of coded blocks, and wherein the second number (k) is greater than 1 and less than the first number (n); and distributing, by the first cloud, the first number (n) of coded blocks to the first number (n) of clouds of the multi cloud-based storage system, each of the clouds including the first cloud receiving a respective one of the first number (n) of coded blocks for storage.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; and one or more mediums including instructions to instruct the processor to provide a security scanner to: determine that an object to be inspected is an archive including a plurality of bundled files; determine that the archive is encrypted; identify unencrypted data within the encrypted archive that can be made visible to an end user after a failed decryption operation; scan the unencrypted data for a pattern that matches password data; and attempt to decrypt the archive according to the password data.

Abstract: Maintaining system security by receiving metadata associated with at least a part of one data file from a metadata storage unit, generating a priority for the at least a part of one data file according to the metadata, and conducting a scan of the part of the data file. The metadata includes one or more virus indicators.

Abstract: The present invention relates to a method and an apparatus for transmitting content for a streaming service and can provide streaming content without delay even in a heterogeneous mobile network environment utilizing NAT technology, by transmitting and receiving a session key and UDP port information for transmitting the content using a UDP method through a TCP session, generating a UDP session between a terminal device and a content providing device, and providing the streaming content requested from the terminal device through the generated UDP session.

Abstract: Malware scanning for network-attached storage systems is provided herein. A data storage system as described herein can include a memory that stores computer executable components and a processor that executes computer executable components stored in the memory. The computer executable components can include a file identification component that obtains an identifier for a target file stored by the data storage system; a lookup component that searches a scan status data structure for a malware scan result corresponding to the identifier for the target file; and a file access component that grants access to the target file in response to the lookup component obtaining the malware scan result from the scan status data structure and the malware scan result indicating that the target file contains no malware.

Abstract: Methods and systems of determining a data protection level of a dataset are described. In an example, a processor may encode a dataset and generate a network model of the encoded dataset. The processor may sort a set of edges of the network model based on a descending order of costs of the set of edges. The processor may determine a flow for a first edge among the sorted edges, the first edge may be an edge associated with the least cost. The processor may performing the determining of flows for the other edges in accordance with the descending order of the sorted edges. The processor may determine a metric based on the determined flows of the sorted edges and based on the costs of the sorted edges. The processor may compare the metric with a threshold to determine a level of data protection provided by the encoded dataset.

Abstract: Disclosed herein are techniques for using a line-of-code behavior and relation model to determine software functionality changes. Techniques include identifying a first portion of executable code and a second portion of executable code; accessing a first line-of-code behavior and relation model representing execution of functions of the first portion of executable code; constructing, based on the second portion of executable code, a second line-of-code behavior and relation model representing execution of functions of the second portion of executable code; performing a functional differential comparison of the first line-of-code behavior and relation model to the second line-of-code behavior and relation model; determining, based on the functional differential comparison, a status of functional equivalence between the first portion of executable code and the code portion of executable code; and generating, based on the determined difference, a report identifying the status of functional equivalence.

Abstract: Systems, methods, and computer-readable media for managing near field communications during a low power express mode of an electronic device are provided that may make credentials of a near field communication (“NFC”) component appropriately secure and appropriately accessible while also limiting the power consumption of the NFC component and of other components of the electronic device.

Abstract: Examples of the present disclosure describe systems and methods for a behavioral threat detection virtual machine. In examples, the virtual machine executes a rule comprising rule instructions. A rule may comprise one or more wait rule instructions that causes the virtual machine to pause execution. As events are added to an event queue for the rule virtual machine, the behavioral threat detection virtual machine evaluates such events in order to identify a positive or, in some instances, a negative match. When a matching event is identified, rule execution resumes. Eventually, a determination is made as a result of processing events and wait packets, thereby indicating the presence or absence of a malicious or potentially malicious behavior, among other examples. Thus, among other things, the behavioral threat detection virtual machine maintains a state associated with rule execution and processes events to identify behaviors accordingly.

Abstract: Methods and systems are provided for conditionally allowing a mobile communications device to process received data. Initially, the data is analyzed by a known good component without the component determining that the data is safe, and the data is analyzed by a known bad component without the component determining that the data is malicious. Subsequently, the data is analyzed by a decision component on the mobile communications device. When the decision component determines the data to be safe, the decision component allows the mobile communications device to process the data. When the decision component determined the data to be malicious, the decision component prevents the mobile communications device from processing the data.

Abstract: Examples of devices and methods for detecting malicious network activity are described. Fake user credentials are saved into memory of a monitored device. The fake user credentials may include a username and a password hash for a nonexistent account. Reconnaissance on the fake user credentials is monitored. A compromised account is detected based on the fake user credential reconnaissance monitoring.

Abstract: A computing device determines, for a first time period, a usage-based file list identifying one or more executable files. The computing device determines, for each of the one or more executable files identified by the usage-based file list, whether to perform a malware scan upon the executable file based on a cached record for the executable file. The computing device schedules, for execution during a preceding time period before the first time period, a malware scan for at least one of the one or more executable files based on the corresponding determination of whether to perform a malware scan. Each scheduled malware scan is initiated as a low priority thread for execution. The computing device performs each scheduled malware scan during the preceding time period.

Abstract: Some embodiments of cloud-based gateway security scanning have been presented. In one embodiment, some data packets are received sequentially at a gateway device. The data packets constitute at least a part of a file being addressed to a client machine coupled to the gateway device. The gateway device forwards an identification of the file to a remote datacenter in parallel with forwarding the data packets to the client machine. The datacenter performs signature matching on the identification and returns a result of the signature matching to the gateway device. The gateway device determining whether to block the file from the client machine based on the result of the signature matching from the datacenter.

Abstract: Systems and methods for scanning signatures in a string field. In one implementation, the invention provides a method for signature scanning. The method includes receiving a particular string field, scanning the particular string field for a plurality of signatures using a larger scan step size, scanning the particular string field for the remaining signatures that are shorter than what can be scanned by the larger scan step size separately either using the same scanning method but a smaller scan step size or using a different scan method and the same or a smaller scan step size, and outputting any identified signatures in the particular string field.

Abstract: Techniques for delivering a distributed network security service providing isolation of customer data are described. One example method includes configuring a first node to participate in a node cluster, wherein the first node is hosted by a first cloud service provider, and wherein participating in the node cluster includes performing one or more processing actions specific to the node cluster on data received by the node; configuring a second node to participate in the node cluster, the second node hosted by a second cloud service provider; receiving a status indication from the first node over a network; determining a synchronization mechanism for the first node based on a network configuration of the first node, wherein the determined synchronization mechanism is configured to allow the first node to acquire synchronization data from other nodes in the node cluster; and transmitting the synchronization mechanism to the first node over the network.

Abstract: Provided are systems, methods, and computer-readable medium for identifying security risks in applications executing in a cloud environment. In various implementations, a security monitoring and management system can obtain application data from a service provider system. The application data can include a record of actions performed by an application during use of the application by users associated with a tenant. The application executes in a service platform provided for the tenant by the service provider system. In various implementations, the application data is analyzed to identify an event associated with a security risk, where the event is identified from one or more actions performed by the application. The system can determine an action to perform in response to identifying the event. In various examples, an agent executing on the service platform can add instrumentation codes used by the application, where the instrumentation provides the application data.

Abstract: The present invention discloses methods and systems for an integrated disassembler with a function-queue manager and a disassembly interrupter for rapid, efficient, and scalable code gene extraction and analysis. Methods include the steps of: upon receiving a target binary file, disassembling the target binary file into assembly code; extracting code fragments from the assembly code; as each code fragment is extracted, verifying each code fragment; upon availability, placing each verified code fragment in an extractor queue; and upon availability, submitting each code fragment in the extractor queue to a gene-analysis system having a code genome database. Alternatively, upon determining the extractor queue is empty or determining resources of the gene-analysis system are underutilized, transferring partially-verified code fragments to the extractor queue.

Abstract: This document describes a module and method for detecting malicious activities in a storage device whereby the module is provided within a controller of the storage device. The module is configured to monitor, using a trained neural network, appropriate logical block addresses (LBAs) of the file system of the storage device that contain sensitive data or information for malicious activities.

Abstract: An electronic authorization system is typically configured for: receiving electronic activity requests from a plurality of source nodes; analyzing each of the electronic activity requests using a decisioning algorithm, wherein a decision boundary of the decisioning algorithm is dynamically altered while analyzing the electronic activity requests; for each of the electronic activity requests, determining an activity exposure level of the decision boundary based on (i) a distance to the decision boundary and (ii) an amount of information exposed regarding the decision boundary; for each of the plurality of source nodes, determining a source exposure level of the decision boundary based on the activity exposure levels of the decision boundary of the electronic activity requests; and in response to determining that a likelihood of decision boundary profiling by one or more first source nodes exceeds a defined threshold, performing an exposure remediation action.

Abstract: Updating ground truth data in a security management platform is disclosed. One example is a system including at least one processor and a memory storing instructions executable by the at least one processor to receive, in a security management platform, event data relating to a plurality of events corresponding to operation of a computing arrangement in a current time interval, and computing ground truth data for the current time interval based on the received event data, and threat intelligence data from time intervals preceding the current time interval. A prediction model is applied to generate predictions for the current time interval based on the received event data. Ground truth data is re-computed for the time intervals preceding the current time interval based on a comparison of the generated predictions and the computed ground truth data.

Abstract: Embodiments of the present disclosure are directed to a network analytic system for tracking and analysis of network infrastructure for network-based digital assets. The network analytic system can detect and track a relationship between assets based on one or more attributes related or shared between any given assets. The network analytic system can analyze network-based digital assets to determine information about a website (e.g., information about electronic documents, such as web pages) that has be used to detect phishing and other abuse of the website. The network analytic system can analyze data about network-based assets to determine whether any are being used or connected to use of unauthorized or malicious activity or known network-based assets. Based on the relationship identified, the network analytic system can associate or link assets together. The network analytic system may provide an interface to view data sets generated by the network analytic system.

Abstract: Technologies for memory management with memory protection extension include a computing device having a processor with one or more protection extensions. The processor may load a logical address including a segment base, effective limit, and effective address and generate a linear address as a function of the logical address with the effective limit as a mask. The processor may switch to a new task described by a task state segment extension. The task state extension may specify a low-latency segmentation mode. The processor may prohibit access to a descriptor in a local descriptor table with a descriptor privilege level lower than the current privilege level of the processor. The computing device may load a secure enclave using secure enclave support of the processor. The secure enclave may load an unsandbox and a sandboxed application in a user privilege level of the processor. Other embodiments are described and claimed.

Abstract: Systems and methods for continuously scanning and/or sandboxing files to protect users from accessing infected files by natively mounting public cloud file stores are provided. According to one embodiment, a determination is made by a network security device that is protecting the enterprise network regarding whether an untrusted file stored within a first repository of a public cloud file store, which is natively mounted on the network security device, is a clean file that is free of malicious content by applying one or more security checks to the untrusted file. When a result of the determination is affirmative, the network security device makes the clean file accessible to the users by copying the clean file from the first repository to a second repository that is accessible to the users.

Abstract: A system for training a file classification model for classifying malicious software comprising at least one hardware processor adapted to: computing a plurality of datasets, each for one of a plurality of executable files, each file having a label, each dataset is computed by: receiving a respective file; detecting a plurality of binary functions in the respective file; translating each of the respective plurality of binary functions to produce a plurality of disassembled functions; clustering a plurality of operation-codes identified in the plurality of disassembled functions into a plurality of clusters according to respective operation-code; computing a plurality of statistical values of the plurality of disassembled functions and the plurality of clusters; and associating the plurality of statistical values with the file's label to produce a dataset; and training a file classification model using the plurality of datasets to compute at least one classification score of an input file.

Abstract: Systems and methods for analyzing applications (“apps”) on a mobile device for security risks for a company while maintaining the mobile device owner's privacy and confidentiality concerning the applications. The mobile device may be a user's personal device (a “bring your own device”). In an example method, a process generates one or more cryptographic representations of application information for each application on the mobile device. The cryptographic representations may comprise a hash or composite hash. The cryptographic representations may be transmit outside the mobile device to a system which makes a determination and provides an indication whether the application is permitted or not permitted for use at the company. The company can be associated with a hashed permitted or not permitted list. The application information can include application name, executable code, and a version number. The method may include automatically remediating the application if it matches a known risk.

Abstract: Determining a characteristic of a configuration file that is used to discover configuration files in a target machine, a computer identifies, using information associated with a configuration item of a machine, a candidate configuration file related to the configuration item of the machine, from among a plurality of files from the machine. The computer extracts a value of a feature of the candidate configuration file and aggregates the candidate configuration file with a second candidate configuration file related to the same configuration item identified from among a plurality of files from a second machine, based on the extracted value. The computer then determines a configuration file related to the configuration item from among the aggregated candidate configuration files based on a result of the aggregation, and determines a characteristic of the configuration file related to the configuration item.

Abstract: A storage system in one embodiment comprises a plurality of storage devices and a storage controller. The storage controller is configured to generate a plurality of snapshots of a storage volume of the storage system at respective different points in time, to monitor a differential between a given one of the snapshots and the storage volume, and to generate an alert indicative of at least a potential ransomware attack on the storage system based at least in part on the monitored differential satisfying one or more specified conditions. The one or more specified conditions illustratively comprise a specified minimum amount of change in the storage volume relative to the given snapshot of the storage volume. Compressibility of the storage volume is also taken into account in generating the alert in some embodiments. The storage controller illustratively initiates restoration of the storage volume utilizing a selected snapshot responsive to confirmation of an actual attack.

Abstract: A system for detecting malicious software, comprising at least one hardware processor adapted to: execute a tested software object in a plurality of computing environments each configured according to a different hardware and software configuration; monitor a plurality of computer actions performed in each of the plurality of computing environments when executing the tested software object; identify at least one difference between the plurality of computer actions performed in a first of the plurality of computing environments and the plurality of computer actions performed in a second of the plurality of computing environments; and instruct a presentation of an indication of the identified at least one difference on a hardware presentation unit.

Abstract: Example implementations relate to code package variants. For example, a system according to the present disclosure, may include a client server, a development environment, a digital signing environment, and a central server. The development environment may generate a plurality of variants of a first portion of a code package. The digital signing environment may create a distinct digital signature for each variant of the plurality of variants of the first portion of the code package with a same second portion of the code package. The central server may transmit to the client server a complete code package comprising a variant of the plurality of variants of the first portion of the code package along with the second portion of the code package and a corresponding digital signature.

Abstract: Methods, computer-readable media, software, and apparatuses may assist a consumer in keeping track of a consumer's accounts in order to prevent unauthorized access or use of the consumer's identified accounts. To discover the various accounts, the methods, computer-readable media, software, and apparatuses can monitor at least a consumer's email accounts, web browser history, and web cache. The discovered accounts may be displayed to the consumer along with recommendations and assistance for closing unused or unwanted accounts to prevent unauthorized access or use.

Abstract: A combining apparatus has an acquiring unit that acquires script codes included in a website and having been divided and written at plural locations in the website; and a code combining unit that combines a plurality of the divided script codes written therein, based on a dependency between data in the divided script codes written therein acquired by the acquiring unit, or a dynamic generation relation arising from execution of the divided script codes written therein.

Abstract: Techniques are disclosed relating to fencing out a first one of a plurality of nodes configured to handle requests for data stored in a distributed storage. A database system, in various embodiments, stores a value indicating that the first node is permitted to update a catalog stored at a metadata server. In response to a determination to prevent the first node from updating the catalog and writing to the distributed storage, in various embodiments, the database system updates the value to indicate that the first node is not permitted to update the catalog and instructs the distributed storage to prevent write operations to a particular portion allocated to the first node for writing data.

Abstract: An electronic device and a method of payment by the electronic device are provided. The electronic device includes a local wireless communication circuit, a first biometric sensor and a second biometric sensor, a security module configured to store payment information corresponding to a payment card, a processor electrically connected to the first biometric sensor, the second biometric sensor, the local wireless communication circuit, and the security module, and a memory electrically connected to the processor, wherein the memory is configured to store instructions that cause the processor to select at least one of the first biometric sensor or the second biometric sensor, based on a security policy of an issuer of the payment card or a security policy of the payment card, authenticate a user by using the selected biometric sensor, and if the authentication is successful, transmit the payment information to an external device through the local wireless communication circuit.

Abstract: An exemplary monitoring system receives log data associated with an operation of a hardware component, applies the log data as an input to an unsupervised machine learning model, and identifies, based on an output of the unsupervised machine learning model, an anomaly in the log data.

Abstract: Surrogate browsing techniques are disclosed. A request for a page is received, from a client, by a surrogate. The specified page is requested by the surrogate from a site. Data received from the site in response to the request is rendered at the surrogate. A representation of the page is transmitted to the client.

Abstract: Systems, methods, and computer program products to perform an operation comprising monitoring a privileged storage of a computing system, wherein at least a portion of the privileged storage stores a microcode of the computing system, determining, based on the monitoring, that a first location of the privileged storage includes an instruction, determining that the first location is designated as an unused location of the privileged storage, and performing a predefined operation to remove the instruction from the first location of the privileged storage.

Abstract: A method protects a daemon in an operating system of a host computer. The operating system detects that there is an access of a plist file of a daemon by a process in the computer. If so, then it executes a callback function registered for the plist file. The callback function sends to a kernel extension a notification of the attempted access. The kernel extension returns a value to the operating system indicating that the access should be denied. The operating system denies access to the plist file of the daemon by the process. The extension may also notify an application which prompts the user for instruction. The kernel extension also protects itself by executing its exit function when a command is given to unload the extension, and the exit function determines whether or not the command is invoked by an authorized application, such as by checking a flag.

Abstract: Examples disclosed herein relate to classification models for binary code data. Some of the examples enable obtaining changed binary code data and unchanged binary code data, and generating, using a machine-leaning algorithm, a classification model based on training data that comprises the changed binary code data and the unchanged binary code data.

Abstract: A method of determining a category of a malware file, using a malware determination system comprising a machine learning algorithm, the method comprising obtaining a file, which is assumed to constitute malware file, by the malware determination system, building a data structure representative of features present in said file, based on features present in at least one dictionary, wherein said dictionary stores at least, for each of one or more of categories Ci out of a plurality of N categories of malware files, with i from 1 to N and N>2, one or more features which are specific to said category Ci with respect to all other N?1 categories Cj, with j different from i, according to at least one first specificity criteria, feeding the data structure to the machine learning algorithm of the malware determination system, and providing prospects representative of one or more malware categories to which said file belongs, based on said data structure.

Abstract: There are provided measures for enabling resource-efficient remote malware scanning capable of static and dynamic file analysis. Such measures could exemplarily comprise include, at a local entity, comparing file items of an electronic file to be scanned for malware with the file items of previously scanned electronic files, generating a recipe of the electronic file to be scanned, sending the generated recipe of the electronic file to be scanned for malware to a remote entity for enabling reconstructing the electronic file by assembling its file items on the basis of the obtained recipe and executing a dynamic malware analysis on a runtime behavior of the reconstructed electronic file.

Abstract: A file system is setup in user space of an operating system (OS) of a device without editing kernal code of the OS. Data of a file at the device is archived to a target location. The data of the file is replaced with a link to the target location. The archived data is retrieved via the file system in response to an input/output (I/O) request to the data of the file.

Abstract: Embodiments provide for class balancing for intent authoring using search via: receiving a positive example of an utterance associated with an intent, building an in-intent pool of utterances from a conversation log using the positive example in a first search query of the conversation log; adding the in-intent pool of utterances as a positive class to a training dataset; applying Boolean operators to negate the positive example to form a complement example; building an out-intent pool of utterances from the conversation log using the complement example in a first search query of the conversation log; and adding the out-intent pool of utterances as a complement class to the training dataset. The training dataset may be balanced to include a predefined ratio of positive and complement examples. The training dataset may be used to train or retrain an intent classifier.

Abstract: A specifying device receives detection information from a security device that detects hacking into a network or an activity of a terminal related to infection, and specifies a state of the terminal from information of the terminal and content of activity of the terminal included in the detection information. The specifying device specifies, when specifying that the terminal is in the state of being infected with malware, a terminal that may be infected before performing the content of the activity of the terminal included in the detection information based on connection information stored in a configuration information storage device, and specifies a terminal located on a route, along which the infected terminal is likely to be used for hacking or for infection of the terminal in the future, as a candidate for an infected terminal likely to be infected.

Abstract: A malware detection method and a malware detection apparatus, where the method includes running to-be-detected software in a sandbox, and recording at least one operation, and in a process of recording the at least one operation, when it is detected that any interface that has a delay attribute in the sandbox is called, determining whether delay duration corresponding to a first delay length parameter of the called interface is greater than a preset duration. When the delay duration corresponding to the first delay length parameter is greater than the preset duration, delay duration of delay execution is reduced to enable the malicious behavior to be executed in the process of recording the at least one operation executed within the preset duration after the to-be-detected software starts to run.