The threat of malicious parties exposing users' credentials from one system and applying the exposed credentials to a different system to gain unauthorized access is addressed in the present disclosure by systems and methods to preemptively and reactively mitigate the risk of users reusing passwords between systems. A security device passively monitors traffic comprising authorization requests within a network to reactively identify an ongoing attack based on its use of exposed credentials in the authorization request and identifies accounts that are vulnerable to attacks using exposed credentials by actively attempting to log into those accounts with exposed passwords from other networks. The systems and methods reduce the number of false positives associated with attack identification and strengthens the network against potential attacks, thus improving the network's security and reducing the amount of resources needed to securely manage the network.

An extended enterprise browser installed on an endpoint device provides protection from ransomware attacks to SaaS and private enterprise applications. The extended enterprise browser monitors for alternate browser installed on the endpoint device. The extended enterprise browser may take one or more actions to block the spread of ransomware by the alternate browser.

A method of determining a location of a mobile device in the presence of a spoofing signal includes obtaining current position information associated with the mobile device, determining a Global Navigation Satellite System (GNSS) signal search window for acquiring GNSS signals associated with a satellite based on the current position information, searching a GNSS signal associated with the satellite based on the GNSS signal search window, and determining updated position information of the mobile device based on at least information of the GNSS signal associated with the satellite.

Embodiments utilize two types of passwords that each, separately, allow a device user to logon to a network. The first is a master password that allows a user to log on at any time. The second is a turn-varying password that changes with each logon and is valid for only one logon. The network may be accessed by using either the master password or the turn-varying password. The turn-varying password may be presented to a user at the device. A device and a network apparatus may each initially synchronize and maintain a turn state that is based on a number of user logons. When a logon occurs, the device and network apparatus update the turn-varying password for the next logon using the turn-varying password. If a user is in an unsecure location and logs on only using the turn-varying password, a sniffed or stolen turn-varying password is not useable.

A client application performs certificate pinning as a means of authenticating the identity of a server. A proxy is interposed in the communications path of the client and the hosting server and provides a proxy security certificate to the client. In response to the client extracting a proxy authentication component from the proxy security certificate, operation of the client is paused and a hosting server authentication component is extracted from a hosting server security certificate. The client operation is resumed, providing the extracted hosting server authentication component to the client, in substitution for the proxy authentication component. Based on receiving the extracted hosting server authentication component, the client authenticates the proxy to receive communications directed to the hosting server.

MITM attacks are detected by intercepting network configuration traffic (name resolution, DHCP, ARP, ICMP, etc.) in order to obtain a description of network components. A computer system generates artificial requests for network configuration information and monitors responses. Multiple responses indicate a MITM attack. Responses that are different from previously-recorded responses also indicate a MITM attack. MITM attacks may be confirmed by transmitting fake credentials to a source of a response to a request for network configuration information. If the fake credentials are accepted or are subsequently used in an access attempt, then a MITM attack may be confirmed.

Web security methods and apparatus are disclosed herein. A method includes receiving a detection model for detecting malicious webpages via a transceiver of the computing device, and storing the detection model in a non-volatile memory of the computing device. One or more JavaScripts are detected in the webpage, wherein each of the JavaScripts can be separately executed. A feature vector for each of the JavaScripts may be generated, either incrementally as the web page is being loaded or prefetching the JavaScript for the web page, to produce one or more feature vectors for the webpage, wherein a particular feature vector includes values for different features of a JavaScript. Each of the feature vectors are analyzed with the multi-instance learning based detection model to determine whether the webpage from which the JavaScripts originate is malicious or benign.

Briefly, systems and methods for managing Internet of Things (IoT) devices provide platforms featuring an architecture for user and device authentication as well as IoT system self-healing.

A taint report represents a taint flow from a source value at a source program point to a sink value at a sink program point. Candidate watchpoints that correspond to taint-like values similar to the source value may be inferred from an execution trace. Different subsets of candidate watchpoints represent solutions to the problem of determining an optimal subset of watchpoints contributing to a taint flow. Using a hill-climbing heuristic, incremental improvements are efficiently applied to a solution until no more improvements are found. An objective function may determine whether one solution improves another solution. The objective function may be based on validity, understandability, and performance. Validity favors candidate watchpoints that reduce the edit distance between the source and sink values. Understandability favors candidate watchpoints included in a call chain from the source program point to the sink program point. Performance favors small subsets of candidate watchpoints.

A method for improving data transmission security at a user equipment comprises receiving, from a source network node, a connection release message including instructions for computing a hash value for data to be included in a connection request message; computing the hash value based on the instructions included in the connection release message; calculating a token based on the hash value, and sending, to a target network node, the connection request message including the token. The method may further forward the data from the target network node directly to a gateway after the token has been verified. The method may reduce a signaling overhead by having a fixed-size hash value for data. Furthermore, the method may improve a transmission security by including the token in an RRC message, in which the token is calculated based on the hash value representing the data.