Abstract: A method for protecting sensitive data from being exposed in graph embedding vectors. In some embodiments, a method may include generating first graph embedding vectors from an original graph and generating a proxy graph from the first graph embedding vectors. The proxy graph may include a plurality of proxy nodes and proxy edges connecting the proxy nodes. The proxy nodes may include one or more attributes of the original nodes that are included in the first graph embedding vectors. Second graph embedding vectors may then be generated by encoding the proxy graph and a reconstructed graph may be generated from the second graph embedding vectors. Finally, the reconstructed graph may be compared to the original graph and if a threshold level of similarity is met, a security action may be performed to protect sensitive data from being exposed.

Abstract: A computer-implemented method for protecting data on devices may include (i) identifying a device that is operated by a user and that comprises private data pertaining to the user, (ii) determining that stalkerware on the device is sending the private data to an unauthorized device not operated by the user, (iii) requesting, in response to determining that the stalkerware is sending the private data to the unauthorized device, that the user select at least one safety plan step from a set of safety plan options, and (iv) modifying, at least in part based on the safety plan step selected by the user, outgoing data sent by the stalkerware to the unauthorized device. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for utilizing user identity notifications to protect against potential privacy attacks on mobile devices may include (i) monitoring a mobile computing device to detect one or more user interactions by a current user, (ii) identifying the current user of the mobile computing device, (iii) determining that the current user is a potentially malicious user associated with one or more privacy-invasive applications installed on the mobile computing device, and (iv) performing a security action that protects a benign user of the mobile computing device against an attack initiated by the potentially malicious user associated with the privacy-invasive applications. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for utilizing federated machine-learning to protect against potentially malicious data may include (i) arranging a set of client devices into groups for applying a federated machine-learning model, (ii) determining model updates for each of the groups over a predetermined period, (iii) training one or more recurrent neural networks to derive a low-dimensional representation of the model updates, (iv) calculating a data quality score for each of the client devices based on the model updates, (v) applying the federated machine-learning model to classify data instances on each of the client devices as including clean data or potentially corrupt data, and (vi) performing a security action that protects against the potentially malicious data by tagging the data instances classified as the potentially corrupt data. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A compound represented by general formula (I) or stereoisomers thereof and pharmaceutically acceptable salts, solvates or prodrugs thereof, a preparation method therefor and a pharmaceutical composition containing the compound. An application of the compound of general formula (I) in preparation of drugs for treating and/or preventing she-mediated diseases, especially an application in preparation of drugs for treating inflammatory diseases, cardiovascular and cerebrovascular diseases, diabetes, diabetes complications, diabetes-related diseases, fibrotic diseases, neurological and mental diseases, pain, and ulcer diseases, etc.

Abstract: The disclosed computer-implemented method for detecting inter-personal attack applications may include (i) receiving application marketplace information describing application feature information, (ii) creating, by performing natural language processing on the feature information, a feature vector identifying a potentially malicious functionality of the application, (iii) creating a profiling vector that is a categorical feature representation of installation information from an application installation file, and (iv) performing a security action including (A) mapping, using a machine learning model, the feature vector and the profiling vector to a multi-dimensional output vector having element corresponding to a malware category and (B) determining a malicious extent of the application by combining the categories identified by the multi-dimensional output vector with bi-partite graph information identifying (I) relations between a plurality of applications and (II) relations between a plurality of computing

Abstract: The disclosed computer-implemented method for detecting potentially malicious content in decentralized machine-learning model updates may include (i) receiving messages communicated within a group of client devices for performing an update of a shared machine-learning model, (ii) determining a bias of a target message in the messages communicated from a target client device in the group with respect to a remaining number of the messages in the messages communicated from the other client devices in the group, (iii) assigning a confidence score to each of the other client devices based on the bias determined for the target message, the confidence score representing a likelihood of potentially malicious content in the target message, and (iv) performing, based on the confidence score, a security action that prevents the potentially malicious content from compromising the update of the shared machine-learning model. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for verifying decentralized federated data using influence evaluation may include (i) calculate an influence score for each of a group of data instances, (ii) rank the data instances based on the influence scores, (iii) determine an anomaly score for each of the ranked data instances, (iv) select the ranked data instances with the highest anomaly scores as containing potentially malicious data, and (v) perform a security action that protects against the potentially malicious data. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A method for detecting and protecting against abnormal user behavior is described. The method may include generating a tensor model based on a set of user information within a temporal period. The tensor model may include a behavioral profile associated with a user of a set of users. In some examples, the method may include determining that a behavior associated with the user of the set of users is abnormal based on the tensor model, adapting the tensor model based on feedback from an additional user of a set of additional users different from the set of users, and performing a security action on at least one computing device to protect against the abnormal user behavior based on the adapting.

Abstract: The disclosed computer-implemented method for malware classification may include receiving dynamic analysis traces that include event descriptions regarding malware programs, and labels regarding classes of malware programs; performing a first mapping of the event descriptions to a first set of vector representations, wherein order of the events is not taken into account by the first mapping; performing a second mapping of the event descriptions to a second set of vector representations, wherein order of the events is taken into account by the second mapping; combining the first set of vector representations and the second set of vector representations into a combined set of vector representations; inputting the combined set of vector representations, along with the labels, into an autoencoder; and training the autoencoder to generate a feature space representation that correlates identified features with classes of malware. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for cross-product malware categorization may include accessing computer readable media storing an incomplete feature dataset and an incomplete label dataset, determining a correlation between the plurality of features and the plurality of malware labels, and constructing at least one of a complete feature dataset based on the incomplete feature dataset and the correlation and a complete label dataset based on the incomplete label dataset and the correlation. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for preventing decentralized malware attacks may include (i) receiving, by a computing device, node data from a group of nodes over a network, (ii) training a machine learning model by shuffling the node data to generate a set of outputs utilized for predicting malicious data, (iii) calculating a statistical deviation for each output in the set of outputs from an aggregated output for the set of outputs, and (iv) identifying, based on the statistical deviation, an anomalous output in the set of outputs that is associated with one or more of the malicious nodes, the one or more malicious nodes hosting the malicious data. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Detecting abnormal user behavior via temporally regularized tensor factorization.

Abstract: Log text is encoded into a low dimensional feature vector. A temporal predictive model is constructed based on the low dimensional feature vector. The temporal predictive model is used to calculate probabilities of the occurrence of security incidents based on signature names from the log text encoded in the low dimensional feature vector. A preventative security action is automatically taken in response to the calculated probability of the occurrence of a specific security incident exceeding a given threshold.

Abstract: Securing network devices by forecasting future security incidents for a network based on past security incidents. In one embodiment, a method may include constructing past inside-in security features for a network, constructing past outside-in security features for the network, and employing dynamic time warping to generate a similarity score for each security feature pair in the past inside-in security features, in the past outside-in security features, and between the past inside-in security features and the past outside-in security features. The method may further include generating a Coupled Gaussian Latent Variable (CGLV) model based on the similarity scores, forecasting future inside-in security features for the network using the CGLV model, and performing a security action on one or more network devices of the network based on the forecasted future inside-in security features for the network.

Abstract: A computer-implemented method for assessing cyber risks using incident-origin information may include (1) receiving a request for a cyber-risk assessment of an entity of interest, (2) using an Internet-address data source that maps identifiers of entities to public Internet addresses of the entities to translate an identifier of the entity into a set of Internet addresses of the entity, (3) using an incident-origin data source that maps externally-detected security incidents to public Internet addresses from which the security incidents originated to translate the set of Internet addresses into a set of security incidents that originated from the entity, and (4) using the set of security incidents to generate the cyber-risk assessment of the entity. Various other methods, systems, and computer-readable media may have similar features.

Abstract: The disclosed computer-implemented method for determining the reputations of unknown files may include (1) identifying a file that was downloaded by the computing device from an external file host, (2) creating a node that represents the file in a dynamic file relationship graph, (3) connecting the node in the dynamic file relationship graph with at least one other node that represents an attribute of the external file host, and (4) labeling the node with a reputation score calculated based at least in part on a reputation score of the at least one other node that represents the attribute of the external file host. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for evaluating infection risks based on profiled user behaviors may include (1) collecting user-behavior profiles that may include labeled profiles (e.g., infected profiles and/or clean profiles) and/or unlabeled profiles, (2) training a classification model to distinguish infected profiles from clean profiles using features and labels of the user-behavior profiles, and (3) using the classification model to predict (a) a likelihood that a computing system of a user will become infected based on a profile of user behaviors of the user and/or (b) a likelihood that a user behavior in the user-behavior profiles will result in a computing-system infection. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for making security-related predictions may include (i) gathering information that comprises both signatures of events that occurred on computing systems during consecutive time slots and incident labels about incidents on the computing systems during the consecutive time slots, (ii) using the gathered information to train a machine learning model, (iii) predicting, by the machine learning model, at least one of an incident label about an incident and a signature of an event on a computing system during a time slot, wherein the computing system does not comprise at least one of an application capable of generating the signature and information about events occurring during the time slot due to the time slot having not yet occurred, and (iv) performing an action in response to the prediction. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for predicting security incidents triggered by security software may include (i) collecting, by a computing device, telemetry data from a set of security products deployed by a set of client machines, (ii) identifying, by the computing device, a selected security product within the set of security products that is missing telemetry data for a target client machine, (iii) building a classifier, by the computing device using the telemetry data, that predicts information about security incidents triggered by the selected security product, (iv) determining, by the computing device and based on the classifier, that the selected security product triggers a new security incident on the target client machine, and (v) performing a security action, by the computing device, to secure the target client machine against the new security incident. Various other methods, systems, and computer-readable media are also disclosed.