Systems and methods for identifying and remediating malware-compromised mobile devices are disclosed. A computer-implemented method includes accessing, by a computing device, malware risk data; determining, by the computing device, a mobile device is at risk from malware based on the malware risk data; identifying, by the computing device, a set of connections of a user of the mobile device, wherein each connection in the set of connections is associated with a user computer device; identifying, by the computing device, at least one user computer device from the set of connections at risk from the malware; and outputting, by the computer device, a malware notification for the mobile device at risk and at least one user computer device at risk.

A cloud storage server-based approach allows detection of ransomware activity in cloud storage systems caused by ransomware infections on an endpoint device. A heuristic or rule-based technique is employed for recognizing sequences of file operations that may indicate ransomware activity. In some embodiments, users may be offered an opportunity to approve or disapprove of the possible ransomware activity. In others, cloud system file activity may be suspended or halted for the affected user upon recognition of possible ransomware actions. Enhanced recovery of files affected prior to recognition of the ransomware activity may be performed in some embodiments.

Examples relate to model-based computer attack analytics orchestration. In one example, a computing device may: generate, using an attack model that specifies behavior of a particular attack on a computing system, a hypothesis for the particular attack, the hypothesis specifying, for a particular state of the particular attack, at least one attack action; identify, using the hypothesis, at least one analytics function for determining whether the at least one attack action specified by the hypothesis occurred on the computing system; provide an analytics device with instructions to execute the at least one analytics function on the computing system; receive analytics results from the analytics device; and update a state of the attack model based on the analytics results.

A signature matching hardware accelerator system comprising one or more hardware accelerator circuits, wherein each of the hardware accelerator circuit utilizes a compressed deterministic finite automata (DFA) comprising a state table representing a database of digital signatures defined by a plurality of states and a plurality of characters, wherein the plurality of states are divided into groups, each group comprising a leader state having a plurality of leader state transitions and one or more member states, each having a plurality of member state transitions is disclosed. The hardware accelerator circuit comprises a memory circuit configured to store the leader state transitions within each group of the compressed DFA, only the member state transitions that are different from the leader state transitions for a respective character within each group of the compressed DFA and a plurality of member transition bitmasks associated respectively with the plurality of member state transitions.

A computer-implemented method, computerized apparatus and computer program product for monitoring traffic in a computer network. The computer network comprises a plurality of devices configured to apply a transformation function on a target port identifier of a requested transmission by an application program executing thereon and direct the transmission to a different target port per the scrambled identifier thereby obtained. The transformation function depends on at least one parameter shared among the plurality of devices and applying thereof is conditioned on the application program requesting transmission being listed in a list of authorized application programs. Attempts to access invalid ports as defined by the transformation function are identified and an action for mitigating a security threat ascribed thereto is provided.

A signature matching hardware accelerator system comprising one or more hardware accelerator circuits, wherein each of the hardware accelerator circuit utilizes a compressed deterministic finite automata (DFA) comprising a state table representing a database of digital signatures defined by a plurality of states and a plurality of characters, wherein the plurality of states are divided into groups, each group comprising a leader state having a plurality of leader state transitions and one or more member states, each having a plurality of member state transitions is disclosed. The hardware accelerator circuit comprises a memory circuit configured to store a single occurrence of a most repeated leader state transition within each group, the unique leader state transitions comprising the leader state transitions that are different from the most repeated leader state transition within the respective group; and leader transition bitmasks associated respectively with the leader states within each group.

The present disclosure is directed to a system, method, and computer program for detecting and assessing security risks in an enterprise's computer network. A behavior model is built for a user in the network based on the user's interactions with the network, wherein a behavior model for a user indicates client device(s), server(s), and resources used by the user. The user's behavior during a period of time is compared to the user's behavior model. A risk assessment is calculated for the period of time based at least in part on the comparison between the user's behavior and the user's behavior model, wherein any one of certain anomalies between the user's behavior and the user's behavior model increase the risk assessment.

Various embodiments of the invention provide solutions (including inter alia, systems, methods and software) for dealing with online fraud. Some embodiments function to access and/or obtain information from (and/or receive data from) a data source; the data might, for example, indicate a possible instance of online fraud. Certain embodiments, therefore, can be configured to analyze the data, e.g., to determine whether the data indicate a likely instance of online fraud. Such instances may be further investigated, and/or a response may be initiated. Data sources can include, without limitation, web pages, email messages, online chat sessions, domain zone files, newsgroup (and/or posting thereto), etc. Data obtained from the data sources can include, without limitation, suspect domain registrations, uniform resources locators, references to trademarks, advertisements, etc.

An extended enterprise browser installed on an endpoint device provides protection from ransomware attacks to SaaS and private enterprise applications. The extended enterprise browser monitors for alternate browser installed on the endpoint device. The extended enterprise browser may take one or more actions to block the spread of ransomware by the alternate browser.

A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally-defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices, can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.