G06F21/554

IDENTIFYING AND REMEDIATING MALWARE-COMPROMISED DEVICES

Systems and methods for identifying and remediating malware-compromised mobile devices are disclosed. A computer-implemented method includes accessing, by a computing device, malware risk data; determining, by the computing device, that a mobile device is at risk from malware based on the malware risk data; identifying, by the computing device, a set of connections of a user of the mobile device, wherein each connection in the set of connections is associated with a user computer device; identifying, by the computing device, at least one user computer device from the set of connections that is at risk from the malware; and outputting, by the computing device, a malware notification for the mobile device at risk and the at least one user computer device at risk.

DETECTING ATTACKS USING COMPROMISED CREDENTIALS VIA INTERNAL NETWORK MONITORING

The threat of malicious parties exposing users' credentials from one system and applying the exposed credentials to a different system to gain unauthorized access is addressed in the present disclosure by systems and methods that preemptively and reactively mitigate the risk of users reusing passwords between systems. A security device passively monitors traffic comprising authorization requests within a network to reactively identify an ongoing attack based on its use of exposed credentials in the authorization requests, and identifies accounts that are vulnerable to attacks using exposed credentials by actively attempting to log into those accounts with passwords exposed from other networks. The systems and methods reduce the number of false positives associated with attack identification and strengthen the network against potential attacks, thus improving the network's security and reducing the amount of resources needed to securely manage the network.
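
The two checks the abstract describes, as an added example that is not the patent's implementation: a reactive detector that flags a source submitting several exposed username/password pairs in a short window (a single hit may be the real user reusing a password, so one hit alone is not an alert), and a preemptive probe that tries each exposed pair against the local login verifier to find accounts that reuse an exposed password. The leaked-credential dump, the login log, the local accounts and the thresholds are constructed for the demo; only password digests are retained from the dump.

```python
"""Added example, not the patent's implementation: reactive detection of
credential stuffing from passively observed login requests, plus a preemptive
check of local accounts against a leaked-credential dump. All data below is
constructed for the demo."""
import hashlib
import hmac
from collections import defaultdict


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed dump of credentials exposed from some other breached service.
LEAKED_DUMP = [("alice", "Summer2021!"), ("bob", "hunter2"),
               ("bob", "bob1234"), ("carol", "P@ssw0rd")]
LEAKED = defaultdict(set)            # username -> {sha256(password)}
for _user, _pw in LEAKED_DUMP:
    LEAKED[_user].add(sha256_hex(_pw))


def is_leaked_pair(user: str, pw: str) -> bool:
    return sha256_hex(pw) in LEAKED.get(user, set())


# Constructed login requests as a passive monitor behind TLS termination sees
# them: (time_s, source_ip, username, submitted_password).
AUTH_LOG = [
    (0.0, "10.0.0.7", "alice", "Summer2021!"),
    (0.5, "10.0.0.7", "bob",   "hunter2"),
    (1.0, "10.0.0.7", "carol", "P@ssw0rd"),
    (2.0, "10.0.0.7", "dave",  "letmein"),
    (3.0, "10.0.2.9", "bob",   "wrongpass"),
    (4.0, "10.0.2.9", "bob",   "hunter2"),
]


def detect_stuffing(log, window_s=60.0, min_hits=2):
    """Reactive check: {source_ip: hits} for sources that submitted at least
    min_hits leaked username/password pairs within window_s seconds."""
    recent = defaultdict(list)        # source_ip -> times of leaked-pair hits
    alerts = {}
    for t, src, user, pw in sorted(log, key=lambda r: r[0]):
        if not is_leaked_pair(user, pw):
            continue                  # ordinary login attempt, not a stuffing signal
        hits = [h for h in recent[src] if h >= t - window_s] + [t]
        recent[src] = hits
        if len(hits) >= min_hits:
            alerts[src] = len(hits)
    return alerts


# Preemptive check against a local verifier; accounts and salts are constructed.
def _pbkdf2(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)


ACCOUNTS = {
    "alice": (b"salt-a", _pbkdf2("Summer2021!", b"salt-a")),            # reuses leaked pw
    "bob":   (b"salt-b", _pbkdf2("unique long passphrase", b"salt-b")),
    "carol": (b"salt-c", _pbkdf2("P@ssw0rd", b"salt-c")),               # reuses leaked pw
}


def local_login(user: str, pw: str) -> bool:
    rec = ACCOUNTS.get(user)
    return rec is not None and hmac.compare_digest(_pbkdf2(pw, rec[0]), rec[1])


def vulnerable_accounts(dump=LEAKED_DUMP, login=local_login):
    """Accounts whose current local password is one leaked for that user."""
    return sorted({user for user, pw in dump if login(user, pw)})


if __name__ == "__main__":
    print("stuffing sources:", detect_stuffing(AUTH_LOG))
    print("accounts reusing leaked passwords:", vulnerable_accounts())
```

In a real deployment the preemptive probe hits the production login endpoint, so its source must be exempted from lockout and rate limiting and its attempts tagged in the audit log; otherwise the probe's own submissions, which are exposed pairs by construction, trip the reactive detector.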

Realtime detection of ransomware

Some examples relate generally to managing and storing data, and more specifically to the real-time detection of ransomware, system (or insider) threats, or the misappropriation of credentials by using file system audit events.
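
A detection heuristic of the kind the abstract points at, as an added example that is not the patent's method: ransomware rewrites many files across many directories in a short burst and typically renames them to a new extension, and file system audit events expose exactly those operations without needing file contents. The audit records, user names and thresholds below are constructed; the same event stream would feed the insider-threat and credential-misuse cases the abstract mentions, which are not shown here.

```python
"""Added example, not the patent's implementation: a burst-rename heuristic
over constructed file system audit events."""
import os
from collections import Counter, defaultdict

# Constructed audit events: (time_s, user, op, path, new_path_or_None)
EVENTS = [
    (0.0,  "alice",   "write",  "/srv/share/finance/q1.xlsx", None),
    (0.4,  "alice",   "rename", "/srv/share/finance/q1.xlsx.tmp", "/srv/share/finance/q1.xlsx"),
    (10.0, "mallory", "write",  "/srv/share/finance/q1.xlsx", None),
    (10.1, "mallory", "rename", "/srv/share/finance/q1.xlsx", "/srv/share/finance/q1.xlsx.locked"),
    (10.2, "mallory", "write",  "/srv/share/finance/q2.xlsx", None),
    (10.3, "mallory", "rename", "/srv/share/finance/q2.xlsx", "/srv/share/finance/q2.xlsx.locked"),
    (10.5, "mallory", "write",  "/srv/share/hr/payroll.docx", None),
    (10.6, "mallory", "rename", "/srv/share/hr/payroll.docx", "/srv/share/hr/payroll.docx.locked"),
    (10.8, "mallory", "write",  "/srv/share/eng/design.pdf", None),
    (10.9, "mallory", "rename", "/srv/share/eng/design.pdf", "/srv/share/eng/design.pdf.locked"),
    (11.0, "mallory", "write",  "/srv/share/eng/spec.md", None),
    (11.1, "mallory", "rename", "/srv/share/eng/spec.md", "/srv/share/eng/spec.md.locked"),
    (11.3, "mallory", "write",  "/srv/share/eng/README_RESTORE.txt", None),
]


def ext_changed(old: str, new: str) -> bool:
    return os.path.splitext(old)[1] != os.path.splitext(new)[1]


def detect_ransomware(events, window_s=5.0, min_renames=5, min_dirs=3):
    """Return {user: detail} for users that renamed at least min_renames files
    to a different extension, spread over at least min_dirs directories, within
    window_s seconds. Thresholds are assumptions for the demo."""
    history = defaultdict(list)       # user -> [(t, directory, new_extension)]
    alerts = {}
    for t, user, op, path, new_path in sorted(events, key=lambda e: e[0]):
        if op != "rename" or new_path is None or not ext_changed(path, new_path):
            continue                  # editors' temp-file renames keep the extension
        recent = [h for h in history[user] if h[0] >= t - window_s]
        recent.append((t, os.path.dirname(path), os.path.splitext(new_path)[1]))
        history[user] = recent
        dirs = {d for _, d, _ in recent}
        if len(recent) >= min_renames and len(dirs) >= min_dirs:
            ext, _count = Counter(e for _, _, e in recent).most_common(1)[0]
            alerts[user] = {"renames": len(recent), "dirs": len(dirs), "ext": ext}
    return alerts


if __name__ == "__main__":
    print(detect_ransomware(EVENTS))
```

The one-rename-per-file pattern from a legitimate editor (write to a temp file, then rename over the original) changes the extension too, which is why the rule needs both a rename count and a directory spread before it fires.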

INCIDENT RESPONSE AUTOMATION ENGINE

Systems, methods, and software described herein enhance how security actions are implemented within a computing environment. In one example, a method of implementing security actions for a computing environment comprising a plurality of computing assets includes identifying a security action in a command language for the computing environment. The method further includes identifying one or more computing assets related to the security action, and obtaining hardware and software characteristics for the one or more computing assets. The method also includes translating the security action in the command language to one or more action procedures based on the hardware and software characteristics, and initiating implementation of the one or more action procedures in the one or more computing assets.

ANOMALY DETECTION FOR VEHICULAR NETWORKS FOR INTRUSION AND MALFUNCTION DETECTION

A security monitoring system for a Controller Area Network (CAN) comprises an Electronic Control Unit (ECU) operatively connected to the CAN bus. The ECU is programmed to classify a message read from the CAN bus as either normal or anomalous using an SVM-based classifier with a Radial Basis Function (RBF) kernel. The classifying includes computing a hyperplane curvature parameter γ of the RBF kernel as γ = f(D), where f( ) denotes a function and D denotes the CAN bus message density as a function of time. In some such embodiments γ = f(Var(D)), where Var(D) denotes the variance of the CAN bus message density as a function of time. The security monitoring system may be installed in a vehicle (e.g. automobile, truck, watercraft, aircraft) including a vehicle CAN bus, with the ECU operatively connected to the vehicle CAN bus to read messages communicated on the CAN bus. By not relying on any proprietary knowledge of arbitration IDs from manufacturers' DBC files, the anomaly detector functions as a zero-knowledge detector, in the sense that it needs no prior knowledge of the bus's message set.
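
How a density-derived γ drives the RBF kernel, as an added example that is not the patent's code. Message density D is counted per fixed window, γ is taken as 1/(2·Var(D)) (the patent leaves f( ) unspecified; this choice makes the kernel fall to exp(-1/2) at one standard deviation of density and is an assumption), and each window's per-ID frame counts are the feature vector. The trained SVM is replaced by a uniform-weight kernel mean (a Parzen-window score) so the block runs without scikit-learn; with scikit-learn the same γ would be passed to OneClassSVM(kernel="rbf", gamma=γ). The periodic traffic schedule and the injected flood are constructed.

```python
"""Added example, not the patent's implementation: gamma = f(Var(D)) for an
RBF kernel over CAN bus message density, with a kernel-mean anomaly score
standing in for the SVM decision function."""
import math
from statistics import pvariance

WINDOW_US = 100_000                      # density window: 100 ms
# Constructed periodic traffic: arbitration ID -> period in microseconds.
PERIODS_US = {0x100: 7_000, 0x200: 13_000, 0x300: 29_000}
IDS = sorted(PERIODS_US)


def periodic_traffic(duration_us, periods=PERIODS_US):
    """(timestamp_us, can_id) for every periodic frame in [0, duration_us)."""
    frames = []
    for can_id, p in periods.items():
        frames.extend((k * p, can_id) for k in range(math.ceil(duration_us / p)))
    return sorted(frames)


def window_features(frames, duration_us, ids=IDS, window=WINDOW_US):
    """Per-window frame count per ID: the feature vector fed to the kernel."""
    n = math.ceil(duration_us / window)
    col = {cid: i for i, cid in enumerate(ids)}
    feats = [[0] * len(ids) for _ in range(n)]
    for t, cid in frames:
        if t < duration_us and cid in col:
            feats[t // window][col[cid]] += 1
    return feats


def gamma_from_density(feats):
    """gamma = 1 / (2 Var(D)), D = total frames per window (assumed f)."""
    density = [sum(f) for f in feats]
    return 1.0 / (2.0 * max(pvariance(density), 1e-6))


def rbf(x, y, gamma):
    return math.exp(-gamma * sum((a - b) ** 2 for a, b in zip(x, y)))


def kernel_mean_score(x, train, gamma):
    """Uniform-weight stand-in for the SVM decision sum_i alpha_i K(x_i, x)."""
    return sum(rbf(x, y, gamma) for y in train) / len(train)


def anomalous_windows(train_feats, test_feats, gamma, threshold=0.02):
    """Indices of test windows whose similarity to the clean windows is below
    threshold (threshold is an assumption for the demo)."""
    return [i for i, x in enumerate(test_feats)
            if kernel_mean_score(x, train_feats, gamma) < threshold]


def run_demo():
    dur = 2_000_000                      # 2 s of traffic = 20 windows
    train = window_features(periodic_traffic(dur), dur)
    gamma = gamma_from_density(train)
    # Constructed attack: 100 injected 0x100 frames, 1 ms apart, inside window 10.
    flood = [(1_000_000 + 1_000 * k, 0x100) for k in range(100)]
    test = window_features(periodic_traffic(dur) + flood, dur)
    return gamma, anomalous_windows(train, test, gamma)


if __name__ == "__main__":
    g, flagged = run_demo()
    print(f"gamma={g:.3f} flagged windows={flagged}")
```

Because γ scales with the observed density variance, a bus whose normal load fluctuates widely gets a flatter kernel and tolerates larger deviations, while a bus with very regular traffic gets a sharp kernel; a flood of one ID inside a single window lands far outside either and scores near zero.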

Method for detecting an unauthorized physical access to a bus system
11709971 · 2023-07-25

A method for detecting an unauthorized physical access to a bus system. The method includes detecting a test level sequence in a voltage signal on the bus; constituting a binary sampled pattern by sampling the voltage signal at specified pattern times associated with the detected test level sequence, assigning a first value if the voltage signal is above a predefined voltage threshold at the respective pattern time and a second value if it is not; comparing the sampled pattern with a reference pattern that is associated with the detected test level sequence and that was constituted, as a sampled pattern for the same test level sequence, in a state of the bus system during which no unauthorized access existed; and determining that a possible unauthorized physical access exists if the reference pattern does not match the sampled pattern.
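
The check above on a simulated bus waveform, as an added example that is not the patent's code. A tap on the bus adds capacitance, so the edges of the known test level sequence settle more slowly; sampling a fixed time after each edge and thresholding turns that into a bit pattern that differs from the one recorded while the bus was known-clean. The voltage levels, bit timing, the first-order RC settling model and the tap's effect on the time constant are assumptions.

```python
"""Added example, not the patent's implementation: reference-pattern check of
a bus voltage signal around a known test level sequence, using a constructed
RC settling model."""
import math

DT = 0.1              # sample spacing, us
BIT = 10.0            # bit time of the test level sequence, us
LOW_V, HIGH_V = 1.5, 3.5
THRESHOLD_V = 2.5
TEST_SEQ = [1, 0, 1, 1, 0, 0, 1, 0]   # test level sequence driven by the ECU
EDGE_OFFSET = 1.0     # pattern time: this long after each level change, us


def simulate(seq, tau, lead_bits=2):
    """Waveform of seq preceded by lead_bits idle (low) bits; every level
    change settles as a first-order RC step with time constant tau (us)."""
    samples, v = [], LOW_V
    for bit in [0] * lead_bits + list(seq):
        target = HIGH_V if bit else LOW_V
        start = v
        for i in range(int(BIT / DT)):
            v = target + (start - target) * math.exp(-(i * DT) / tau)
            samples.append(v)
    return samples


def find_test_sequence(samples, seq=TEST_SEQ):
    """Start time (us) of seq in the signal, found from bit-centre samples."""
    per_bit = int(BIT / DT)
    bits = [int(samples[i] > THRESHOLD_V) for i in range(per_bit // 2, len(samples), per_bit)]
    for k in range(len(bits) - len(seq) + 1):
        if bits[k:k + len(seq)] == list(seq):
            return k * BIT
    return None


def sample_pattern(samples, start_us, seq=TEST_SEQ):
    """Binary pattern: one thresholded sample EDGE_OFFSET after each edge."""
    pattern, prev = [], 0              # bus idles low before the sequence
    for n, bit in enumerate(seq):
        if bit != prev:
            idx = round((start_us + n * BIT + EDGE_OFFSET) / DT)
            pattern.append(1 if samples[idx] > THRESHOLD_V else 0)
        prev = bit
    return pattern


def check_bus(samples, reference):
    """True if the live pattern differs from the clean-state reference,
    False if it matches, None if the test sequence was not found."""
    start = find_test_sequence(samples)
    if start is None:
        return None
    return sample_pattern(samples, start) != reference


def run_demo():
    clean = simulate(TEST_SEQ, tau=0.4)           # commissioning: known-clean bus
    reference = sample_pattern(clean, find_test_sequence(clean))
    tapped = simulate(TEST_SEQ, tau=2.0)          # assumed effect of an added tap
    return reference, check_bus(clean, reference), check_bus(tapped, reference)


if __name__ == "__main__":
    print(run_demo())
```

The reference must be captured while the bus is known to be untouched, and any legitimate change to the harness (a new node, a longer stub) shifts the edge behaviour just as a tap does, so the reference has to be re-constituted after such work or every subsequent check reports a possible access.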

DYNAMIC SECURITY MODULE TERMINAL DEVICE AND METHOD OF OPERATING SAME
20180012025 · 2018-01-11

Disclosed herein are a dynamic security module terminal device for receiving a dynamic security module and transmitting a security management event to a security server, and a method of operating the dynamic security module terminal device. The dynamic security module terminal device includes a communication unit configured to transmit and receive a security management event over a network, and a processor configured to control the communication unit. The processor is configured to create a security session with a security server, and to receive the dynamic security module from the security server such that part or all of the code of the dynamic security module that performs security management has a predetermined valid period.

Systems and Methods for Detecting Online Fraud
20180013789 · 2018-01-11

Described systems and methods enable swift and efficient detection of fraudulent Internet domains, i.e., domains used to host or distribute fraudulent electronic documents such as fraudulent webpages and electronic messages. Some embodiments use a reverse IP analysis to select a set of fraud candidates from among the domains hosted at the same IP address as a known fraudulent domain. The candidate set is further filtered according to domain registration data. Online content hosted at each filtered candidate domain is then analyzed to identify truly fraudulent domains. A security module may then prevent users from accessing content of such domains.

METHOD OF AND SYSTEM FOR ANALYSIS OF INTERACTION PATTERNS OF MALWARE WITH CONTROL CENTERS FOR DETECTION OF CYBER ATTACK
20180012021 · 2018-01-11

This technical solution relates to systems and methods of cyber attack detection, and more specifically to methods and systems for analyzing the protocols of interaction between malware and its control centers (servers). The method comprises: uploading the malware application into at least one virtual environment; collecting, by the server, a plurality of malware requests transmitted by the malware application to the malware control center; analyzing the plurality of malware requests to determine, for each given malware request, at least one malware request parameter contained therein and the order of those parameters; grouping the plurality of malware requests based on shared malware request parameters and their order; and, for each group containing at least two malware requests, generating a regular expression describing the malware request parameters of the group and their order, which regular expression can be used as an emulator of the malware application.
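
The grouping and regular-expression step, as an added example that is not the patent's code: captured C2 request lines are grouped by method, path and the ordered tuple of query parameter names, and each group with at least two members gets one regular expression whose value classes are inferred from the observed values. The request lines are constructed, and the value-class rules (decimal, fixed-width hex, anything else) are assumptions.

```python
"""Added example, not the patent's implementation: group sandbox-captured C2
requests by parameter names and order, derive one regex per group, and use
the regexes to classify live requests."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed request lines as a sandbox proxy would record them.
REQUESTS = [
    "GET /gate.php?id=1f3a9c&os=win10&av=0 HTTP/1.1",
    "GET /gate.php?id=77be02&os=win7&av=1 HTTP/1.1",
    "GET /gate.php?id=a0ffee&os=win11&av=0 HTTP/1.1",
    "POST /upload?bot=1f3a9c&size=4096 HTTP/1.1",
    "POST /upload?bot=77be02&size=128 HTTP/1.1",
    "GET /ping?x=1 HTTP/1.1",                      # seen once: no signature
]


def parse_request(line):
    """(method, path, [(name, value), ...]) with query order preserved."""
    method, target, _version = line.split(" ", 2)
    url = urlsplit(target)
    return method, url.path, parse_qsl(url.query, keep_blank_values=True)


def value_pattern(values):
    """Narrowest of a few assumed value classes covering every observed value."""
    if all(re.fullmatch(r"\d+", v) for v in values):
        return r"\d+"
    if all(re.fullmatch(r"[0-9a-f]+", v) for v in values):
        lo, hi = min(map(len, values)), max(map(len, values))
        return rf"[0-9a-f]{{{lo}}}" if lo == hi else rf"[0-9a-f]{{{lo},{hi}}}"
    return r"[^&]+"


def build_regex(method, path, names, columns):
    """Anchored regex over 'METHOD path?name=class&...' in the observed order."""
    params = "&".join(f"{re.escape(n)}={value_pattern(col)}"
                      for n, col in zip(names, columns))
    return f"^{method} {re.escape(path)}\\?{params}$"


def signatures(lines, min_group=2):
    """{(method, path, names): regex} for every group with >= min_group requests."""
    groups = defaultdict(list)
    for line in lines:
        method, path, params = parse_request(line)
        names = tuple(n for n, _ in params)
        groups[(method, path, names)].append([v for _, v in params])
    return {key: build_regex(key[0], key[1], key[2], list(zip(*rows)))
            for key, rows in groups.items() if len(rows) >= min_group}


def classify(sigs, line):
    """Key of the first signature matching a live request line, or None."""
    method, target, _version = line.split(" ", 2)
    for key, rx in sigs.items():
        if re.fullmatch(rx, f"{method} {target}"):
            return key
    return None


if __name__ == "__main__":
    for key, rx in signatures(REQUESTS).items():
        print(key, "->", rx)
```

Parameter order is part of the group key on purpose: a family that emits the same names in a different order is a different protocol variant, and a live request with reordered parameters does not match, which is what the order-sensitive grouping in the abstract implies.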

Preventing unauthorized screen capture activity

Aspects of the disclosure relate to preventing unauthorized screen capture activity. A computing platform may detect, via an infrared sensor associated with a computing device, an infrared signal from a second device attempting an unauthorized image capture of contents being displayed by a display device of the computing device. The computing platform may then determine the contents being displayed by the display device, retrieve a record of those contents, and determine a risk level associated with the infrared signal. Based on the risk level, the computing platform may perform a remediation task to prevent the unauthorized image capture.