Abstract: Various embodiments include methods of evaluating device behaviors in a computing device and enabling white listing of particular behaviors. Various embodiments may include monitoring activities of a software application operating on the computing device, and generating a behavior vector information structure that characterizes a first monitored activity of the software application. The behavior vector information structure may be applied to a machine learning classifier model to generate analysis results. The analysis results may be used to classify the first monitored activity of the software application as one of benign, suspicious, and non-benign. A prompt may be displayed to the user that requests that the user select whether to whitelist the software application in response to classifying the first monitored activity of the software application as suspicious or non-benign. The first monitored activity may be added to a whitelist of device behaviors in response to receiving a user input.

Abstract: Methods and systems for classifying mobile device behavior include generating a full classifier model that includes a finite state machine suitable for conversion into boosted decision stumps and/or which describes all or many of the features relevant to determining whether a mobile device behavior is benign or contributing to the mobile device's degradation over time. A mobile device may receive the full classifier model along with sigmoid parameters and use the model to generate a full set of boosted decision stumps from which a more focused or lean classifier model is generated by culling the full set to a subset suitable for efficiently determining whether mobile device behavior are benign. Results of applying the focused or lean classifier model may be normalized using a sigmoid function, with the resulting normalized result used to determine whether the behavior is benign or non-benign.

Abstract: The various aspects provide a method for recognizing and preventing malicious behavior on a mobile computing device before it occurs by monitoring and modifying instructions pending in the mobile computing device's hardware pipeline (i.e., queued instructions). In the various aspects, a mobile computing device may preemptively determine whether executing a set of queued instructions will result in a malicious configuration given the mobile computing device's current configuration. When the mobile computing device determines that executing the queued instructions will result in a malicious configuration, the mobile computing device may stop execution of the queued instructions or take other actions to preempt the malicious behavior before the queued instructions are executed.

Abstract: Various embodiments provide methods, devices, and non-transitory processor-readable storage media enabling network probing with a communication device based on the communication device sending a probe via a first network connection and receiving the probe via a second network connection. By leveraging a capability of a communication device to establish two network connections at the same time, various embodiments may enable a single communication device to act as both a probing client and a probing server. In this manner, various embodiments may enable standalone network probing, i.e., network probing that may not require a remote dedicated probing server to act as a probe generator or a probe sink.

Abstract: Systems, methods, and devices of the various aspects enable identification of anomalous application behavior. A computing device processor may detect network communication activity of an application on the computing device. The processor may identify one or more device states of the computing device, and one or more categories of the application. The processor may determine whether the application is behaving anomalously based on a correlation of the detected network communication activity of the application, the identified one or more device states of the computing device, and the identified one or more categories of the application.

Abstract: Methods, devices, and non-transitory storage media for dynamic patching of diversity-based software executing on a computing device. One of many variations of various module utilized by software may be selected from a list of available module variations to be used when software is executed. An embodiment method for updating software may include obtaining or receiving a notification indicating a particular module variation that should not be used as a module for the software, and removing the module variation from the list of available module variations for the module in response to the notification. In some embodiments, the notification may be received by the mobile device from a remote server, and further the notification does not include data capable of being used as a module by the software during runtime. In some embodiments, the module variation may be one of flawed, outdated, and identified as exploited by malware.

Abstract: Embodiments include computing devices, apparatus, and methods implemented by the apparatus for time varying address space layout randomization. The apparatus may launch first plurality of versions of a system service and assign a random virtual address space layout to each of the first plurality of versions of the system service. The apparatus may receive a first request to execute the system service from a first application. The apparatus may randomly select a first version of the system service from the first plurality of versions of the system service, and execute the system service using data of the first version of the system service.

Abstract: Various embodiments include methods implemented on a computing device for analyzing a program executing within a virtual environment on the computing device. The methods may include determining whether the program is attempting to detect whether it is being executed within the virtual environment, and analyzing the program within a protected mode of the computing device in response to determining that the program is attempting to detect whether it is being executed within the virtual environment.

Abstract: The disclosure generally relates to behavioral analysis to automate monitoring Internet of Things (IoT) device health in a direct and/or indirect manner. In particular, normal behavior associated with an IoT device in a local IoT network may be modeled such that behaviors observed at the IoT device may be compared to the modeled normal behavior to determine whether the behaviors observed at the IoT device are normal or anomalous. Accordingly, in a distributed IoT environment, more powerful “analyzer” devices can collect behaviors locally observed at other (e.g., simpler) “observer” devices and conduct behavioral analysis across the distributed IoT environment to detect anomalies potentially indicating malicious attacks, malfunctions, or other issues that require customer service and/or further attention.

Abstract: Disclosed is an apparatus and method for a computing device to determine if an application is malware. The computing device may include: a query logger to log the behavior of the application on the computing device to generate a log; a behavior analysis engine to analyze the log from the query logger to generate a behavior vector that characterizes the behavior of the application; and a classifier to classify the behavior vector for the application as benign or malware.

Abstract: Various embodiments include methods, and computing devices configured to implement the methods, for anomaly monitoring using context-based sensor output correlation. A computing device may obtain output of a first sensor and may determine that an anomaly is likely to occur based on the obtained output of the first sensor. The computing device may transmit a message indicating that the anomaly is likely to occur, causing receiving computing devices to begin logging output of sensors of the receiving computing devices. The computing device may determine whether the anomaly did occur. If the anomaly did occur, the computing device may transmit a sensor output request. Nearby computing devices may receive this sensor output request and may transmit collected sensor data to the first computing device. The first computing device may receive the sensor output collected by the various receiving devices and may correlate the first sensor output with the received sensor output.

Abstract: Methods, systems, and devices for providing data from a server to a UAV, enabling the UAV to navigate with respect to areas of restricted air space (“restricted areas”). A server may receive from a UAV, a request for restricted area information based on a position of the UAV. The server may determine boundaries of a surrounding area containing the position of the UAV and a number of restricted areas. The server may transmit coordinate information to the UAV defining the restricted areas contained within the surrounding area.

Abstract: Methods, systems, and devices for providing data from a server to a UAV, enabling the UAV to navigate with respect to areas of restricted air space (“restricted areas”). A server may receive from a UAV, a request for restricted area information based on a position of the UAV. The server may determine boundaries of a surrounding area containing the position of the UAV and a number of restricted areas. The server may transmit coordinate information to the UAV defining the restricted areas contained within the surrounding area.

Abstract: Various aspects include methods and computing devices implementing the methods for evaluating device behaviors in the computing devices. Aspect methods may include using a behavior-based machine learning technique to classify a device behavior as one of benign, suspicious, and non-benign. Aspect methods may include using one of a multi-label classification and a meta-classification technique to sub-classify the device behavior into one or more sub-categories. Aspect methods may include determining a relative importance of the device behavior based on the sub-classification, and determining whether to perform robust behavior-based operations based on the determined relative importance of the device behavior.

Abstract: Methods, devices and systems for detecting suspicious or performance-degrading mobile device behaviors intelligently, dynamically, and/or adaptively determine computing device behaviors that are to be observed, the number of behaviors that are to be observed, and the level of detail or granularity at which the mobile device behaviors are to be observed. The various aspects efficiently identify suspicious or performance-degrading mobile device behaviors without requiring an excessive amount of processing, memory, or energy resources. Various aspects may correct suspicious or performance-degrading mobile device behaviors. Various aspects may prevent identified suspicious or performance-degrading mobile device behaviors from degrading the performance and power utilization levels of a mobile device over time. Various aspects may restore an aging mobile device to its original performance and power utilization levels.

Abstract: Approaches for modeling a risk of security breaches to a network. Agents gather, from multiple sources across the network, analysis data that identifies observed characteristics of habitable nodes and opaque nodes. Using the analysis data a multi-layer risk model for the network is generated that comprises a first layer that models an inherent risk of security breaches to assets of the network based on the observed characteristics. The model also comprises a second layer that models a present state of the inherent risk to the assets caused by global and temporal events. The model also comprises a third layer that models a change to the risk of security breaches in response to potential mitigative actions. The model may be used to understand how risk of a security breach is distributed and interdependent upon the nodes of the network so as to allow the most valuable preventive measures to be taken.

Abstract: Programmatic mechanisms that enable the automatic assignment of categories to network entities based on observed evidence. Agents gather observation data that identifies observations made by agents about the network and a plurality of nodes of the network. The agents provide the observation data to a classification module, which assigns a device category to the nodes of the network based on the observation data and a probabilistic node model. The probabilistic node model considers several probabilities to ascertain a recommended device category for a particular node, such as probabilities based on a manufacturer of a node, an operating system executing on a node, information about other nodes in the local vicinity of a node, and an administrator web page associated with a node. The classification module may also assign a particular network category to the network based on the observation data and a probabilistic network model.

Abstract: The subject matter disclosed herein relates to a system and method for determining indoor context information relating to a location of a mobile device. Indoor context information may be utilized by a mobile device or a network element to obtain an estimate of a location of the mobile device within an indoor environment.

Abstract: Various embodiments include methods, and computing devices configured to implement the methods, for anomaly monitoring using context-based sensor output correlation. A computing device may obtain output of a first sensor and may determine that an anomaly is likely to occur based on the obtained output of the first sensor. The computing device may transmit a message indicating that the anomaly is likely to occur, causing receiving computing devices to begin logging output of sensors of the receiving computing devices. The computing device may determine whether the anomaly did occur. If the anomaly did occur, the computing device may transmit a sensor output request. Nearby computing devices may receive this sensor output request and may transmit collected sensor data to the first computing device. The first computing device may receive the sensor output collected by the various receiving devices and may correlate the first sensor output with the received sensor output.

Abstract: Various embodiments provide methods, devices, and non-transitory processor-readable storage media enabling network path probing with a communications device by sending probes via a network connection to a STUN server and receiving probe replies. The communications device may increment a counter and transmit a test probe configured to be dropped at the first access point (NAT) causing all subsequent NATs to release their IP/port mappings. The communications device may send another probe to the STUN server and receive a probe reply. The communications device may compare the first and second probe replies to determine whether the final IP addresses within the network path match. By continuously incrementing the counter and querying access points, the communications device may determine the number of access points lay along any given network path. The presence of addition or unexpected numbers of NAT Servers may indicate the presence of a rogue access point.