Abstract: Disclosed is an apparatus and method for a computing device to determine if an application is malware. The computing device may include: a query logger to log the behavior of the application on the computing device to generate a log; a behavior analysis engine to analyze the log from the query logger to generate a behavior vector that characterizes the behavior of the application; and a classifier to classify the behavior vector for the application as benign or malware.

Abstract: A network and its devices may be protected from non-benign behavior, malware, and cyber attacks caused by downloading software by configuring a server computing device to work in conjunction with the devices in the network. The server computing device may be configured to receive a software application from an application download service, establish a secure communication link to a client computing device in the network, receive exercise information from the client computing device via the secure communication link, use the received exercise information to exercise the received software application in a client computing device emulator to identify one or more behaviors, and determine whether the identified behaviors are benign. The server computing device may send the software application to the client computing device in response to determining that the identified behaviors are benign, and quarantine the software application in response to determining that the identified behaviors are not benign.

Abstract: A computing device may be configured to work in conjunction with another component (e.g., a server) to better determine whether a software application is benign or non-benign. This may be accomplished via the server performing static and/or dynamic analysis operations, generating a behavior information structure that describes or characterizes the range of correct or expected behaviors of the software application, and sending the behavior information structure to a computing device. The computing device may compare the received behavior information structure to a locally generated behavior information structure to determining whether the observed behavior of the software application differs or deviates from the expected behavior of the software application or whether the observed behavior is within the range of expected behaviors. The computing device may increase its level of security/scrutiny when the behavior information structure does not match the local behavior information structure.

Abstract: Embodiments include computing devices, apparatus, and methods implemented by the apparatus for time varying address space layout randomization. The apparatus may launch first plurality of versions of a system service and assign a random virtual address space layout to each of the first plurality of versions of the system service. The apparatus may receive a first request to execute the system service from a first application. The apparatus may randomly select a first version of the system service from the first plurality of versions of the system service, and execute the system service using data of the first version of the system service.

Abstract: Various embodiments include methods, and computing devices implementing the methods, for analyzing sensor information to identify an abnormal vehicle behavior. A computing device may monitor sensors (e.g., a closely-integrated vehicle sensor, a loosely-integrated vehicle sensor, a non-vehicle sensor, etc.) in the vehicle to collect the sensor information, analyze the collected sensor information to generate an analysis result, and use the generated analysis result to determine whether a behavior of the vehicle is abnormal. The computing device may also generate a communication message in response to determining that the behavior of the vehicle is abnormal, and send the generated communication message to an external entity.

Abstract: Various embodiments provide methods, devices, and non-transitory processor-readable storage media enabling network probing with a communication device based on the communication device sending a probe via a first network connection and receiving the probe via a second network connection. By leveraging a capability of a communication device to establish two network connections at the same time, various embodiments may enable a single communication device to act as both a probing client and a probing server. In this manner, various embodiments may enable standalone network probing, i.e., network probing that may not require a remote dedicated probing server to act as a probe generator or a probe sink.

Abstract: Provisioning and access control for communication nodes involves assigning identifiers to sets of nodes where the identifiers may be used to control access to restricted access nodes that provide certain services only to certain defined sets of nodes. In some aspects provisioning a node may involve providing a unique identifier for sets of one or more nodes such as restricted access points and access terminals that are authorized to receive service from the restricted access points. Access control may be provided by operation of a restricted access point and/or a network node. In some aspects, provisioning a node involves providing a preferred roaming list for the node. In some aspects, a node may be provisioned with a preferred roaming list through the use of a bootstrap beacon.

Abstract: A computing device may use machine learning techniques to determine whether a side channel attack is underway and perform obfuscation operations (e.g., operations to raise the noise floor) or other similar operations to stop or prevent a detected side channel attack. The computing device may determine that a side channel attack is underway in response to determining that the computing device is in airplane mode, that the battery of the computing device the battery has been replaced with a stable DC power supply, that the touch-screen display of the computing device has been disconnected, that there are continuous calls to a cipher application programming interface (API) using the same cipher key, that there has been tampering with a behavioral analysis engine of the computing device, or any combination thereof.

Abstract: Various embodiments include methods, and computing devices implementing the methods, for authenticating vehicle information by polling selected sensors. A server computing device receiving vehicle information from a reporting vehicle may compare the received vehicle information to contextual information to generate a comparison result, and determine whether the received vehicle information should be evaluated with greater scrutiny based on the comparison result. The server computing device may select sensors for polling based on the received vehicle information (and in response to determining that the received vehicle information should be evaluated with greater scrutiny), and poll the selected sensors to received sensor information. The server computing device may use the received sensor information to corroborate the received vehicle information, and perform a responsive action based on the result of the corroboration.

Abstract: Techniques are provided which may be implemented using various methods and/or apparatuses to allow for delay zone information to be gathered by one or more mobile stations used in route navigation, provided to one or more computing devices and processed in some manner to establish navigation information that may be of use by mobile stations involved in route navigation. For example, in certain instances navigation information may be indicative of an expected delay with regard to at least one known delay zone that may affect a user of the mobile station attempting to adhere to a route.

Abstract: Systems and methods for recognizing and reacting to malicious or performance-degrading behaviors in a mobile computing device include observing mobile device behaviors in an observer module within a privileged-normal portion of a secure operating environment to identify a suspicious mobile device behavior. The observer module may generate a behavior vector based on the observations, and provide the vector to an analyzer module in an unprivileged-secure portion of the secure operating environment. The vector may be analyzed in the unprivileged-secure portion to determine whether the mobile device behavior is benign, suspicious, malicious, or performance-degrading. If the behavior is found to be suspicious, operations of the observer module may be adjusted, such as to perform deeper observations. If the behavior is found to be malicious or performance-degrading behavior the user and/or a client module may be alerted in a secure, tamper-proof manner.

Abstract: Methods, systems and devices for generating data models in a client-cloud communication system may include applying machine learning techniques to generate a first family of classifier models that describe a cloud corpus of behavior vectors. Such vectors may be analyzed to identify factors in the first family of classifier models that have the highest probability of enabling a mobile device to better determine whether a mobile device behavior is malicious or benign. Based on this analysis, a second family of classifier models may be generated that identify significantly fewer factors and data points as being relevant for enabling the mobile device to better determine whether the mobile device behavior is malicious or benign based on the determined factors. A mobile device classifier module based on the second family of classifier models may be generated and made available for download by mobile devices, including devices contributing behavior vectors.

Abstract: Systems and methods for recognizing and reacting to malicious or performance-degrading behaviors in a mobile device include observing mobile device behaviors in an observer module within a privileged-normal portion of a secure operating environment to identify a suspicious mobile device behavior. The observer module may generate a concise behavior vector based on the observations, and provide the vector to an analyzer module in an unprivileged-secure portion of the secure operating environment. The vector may be analyzed in the unprivileged-secure portion to determine whether the mobile device behavior is benign, suspicious, malicious, or performance-degrading. If the behavior is found to be suspicious, operations of the observer module may be adjusted, such as to perform deeper observations. If the behavior is found to be malicious or performance-degrading behavior the user and/or a client module may be alerted in a secure, tamper-proof manner.

Abstract: As part of a localized positioning solution, a mobile device may transmit a request message to a server to obtain information about location contexts near the mobile device. In response, the server may, in some implementations, transmit a response message back to the mobile device that identifies a list of nearby LCIs and an area that encompasses these LCIs. The mobile device may store the returned LCI information and the returned area information in corresponding databases for later use. In some implementations, time limits may be placed on the returned area information after which the information is deemed stale.

Abstract: Various aspects provide methods implemented by at least one processor executing on a mobile communication device to efficiently identify, classify, model, prevent, and/or correct the non-benign (e.g., performance degrading) conditions and/or behaviors that are related to an application operating on the device. Specifically, in various aspects, the mobile computing device may derive or extract application-specific features by performing a binary analysis of an application and may determine the application's category (e.g., a “games,” “entertainment,” or “news” category) based on the application-specific features. The mobile computing device may also obtain a classifier model associated with the application's category that includes various conditions, features, behaviors and corrective actions that may be used to quickly identify and correct non-benign behaviors (e.g., undesirable, malicious, and/or performance-degrading behaviors) occurring on the mobile computing device that are related to the application.

Abstract: Access control for an access point (e.g., a cell of the access point) may be based on an access mode associated with the access point. For example, depending on the access mode, access control may involve performing a membership check for the access point. Such a membership check may be performed at a network entity, a source access point, or some other suitable location in a network. In some aspects, access control may involve performing a membership check for an access point in conjunction with a context fetch procedure. Such a procedure may be performed, for example, when an access terminal arrives at the access point after experiencing RLF at another access point.

Abstract: A computing device processor may be configured with processor-executable instructions to implement methods of using behavioral analysis and machine learning techniques to identify, prevent, correct, or otherwise respond to malicious or performance-degrading behaviors of the computing device. As part of these operations, the processor may generate user-persona information that characterizes the user based on that user's activities, preferences, age, occupation, habits, moods, emotional states, personality, device usage patterns, etc. The processor may use the user-persona information to dynamically determine the number of device features that are monitored or evaluated in the computing device, to identify the device features that are most relevant to determining whether the device behavior is not consistent with a pattern of ordinary usage of the computing device by the user, and to better identify or respond to non-benign behaviors of the computing device.

Abstract: Techniques are provided which may be implemented using various methods and/or apparatuses to allow for delay zone information to be gathered by one or more mobile stations used in route navigation, provided to one or more computing devices and processed in some manner to establish navigation information that may be of use by mobile stations involved in route navigation. For example, in certain instances navigation information may be indicative of an expected delay with regard to at least one known delay zone that may affect a user of the mobile station attempting to adhere to a route.

Abstract: Methods, systems and devices for communicating behavior analysis information using an application programming interface (API) may include receiving data/behavior models from one or more third-party network servers in a client module of a mobile device and communicating the information to a behavior observation and analysis system via a behavior API. The third-party servers may be maintained by one or more partner companies that have domain expertise in a particular area or technology that is relevant for identifying, analyzing, classifying, and/or reacting to mobile device behaviors, but that do not have access to (or knowledge of) the various mobile device sub-systems, interfaces, configurations, modules, processes, drivers, and/or hardware systems required to generate effective data/behavior models suitable for use by the mobile device. The behavior API and/or client modules allow the third-party server to quickly and efficiently access the most relevant and important information on the mobile device.

Abstract: Methods, systems and devices compute and use the actual execution states of software applications to implement power saving schemes and to perform behavioral monitoring and analysis operations. A mobile device may be configured to monitor an activity of a software application, generate a shadow feature value that identifies actual execution state of the software application during that activity, generate a behavior vector that associates the monitored activity with the shadow feature value, and determine whether the activity is malicious or benign based on the generated behavior vector, shadow feature value and/or operating system execution states. The mobile device processor may also be configured to intelligently determine whether the execution state of a software application is relevant to determining whether any of the monitored mobile device behaviors are malicious or suspicious, and monitor only the execution states of the software applications for which such determinations are relevant.