Abstract: An electronic threat mitigation method is provided. A first rule for identifying application code is obtained, and a rule update for identifying application code is generated. An abstract syntax tree of the first rule is generated, the abstract syntax tree including a plurality of nodes. The rule update is incorporated into a first node of the plurality of nodes to generate a second rule for identifying application code, the first node at a first depth on the abstract syntax tree. The second rule is applied to a plurality of application code samples to determine a coverage of the second rule, and the first rule is updated as the second rule based on the coverage of the second rule and the first depth. A notification is provided or a data file is disabled, blocked, or deleted based on application of the second rule.

Abstract: A machine learning model is trained to classify data as malicious or benign, including receiving the machine learning model in a user device and training the machine learning model on the user device user-generated data that has been classified as known benign. A result of the training is sent to a remote server. Training samples on the user device may be classified automatically, such as classifying sent emails, instant messages, or other content generated by the user as benign.

Abstract: The behavior of browser extensions when installed and operating in a browser environment is monitored, such as by observing changes to a web page with and without the browser extensions installed. Document Object Model (DOM) changes to the web page, such as scripts that only run when an extension is installed, or other web content that changes as a result of differences in a web page with and without the browser extension installed are observed. These differences may be attributed to the browser extension, and the changed or added elements may be inspected for malicious content or behavior. If malicious behavior is found in the different content, the content and/or the browser extension may be flagged as malicious behavior and a signature used to identify the malicious browser extension in future applications.

Abstract: Systems and methods enable a notification based on determining a particular electronic message is associated with a particular cluster of electronic messages. A plurality of electronic messages from a first plurality of accounts directed to a second plurality of accounts over a network are received. The plurality of electronic messages are compared to determine a plurality of clusters of electronic messages. A particular electronic message is received from a first particular account directed to a second particular account. The particular electronic message is compared to the plurality of clusters of electronic messages to determine that the particular electronic message is associated with a particular cluster of the plurality of clusters of electronic messages. A notification is provided based on the determining that the particular electronic message is associated with the particular cluster of the plurality of clusters of electronic messages.

Abstract: Systems and methods for transacting over a network is provided. The system includes a first agent and second agent. The first agent is operable to receive from a third agent a transaction code associated with one or more credential types required to apply the transaction code or with one or more credential claim types required to apply the transaction code, transmit the transaction code to the second agent, and receive from the second agent a digitally signed transaction, a first verifiable proof, and the transaction code. The first agent is further operable to transmit to a fourth agent a second verifiable proof based on the first verifiable proof and the transaction code, receive from the fourth agent an unlock signature for a locked credential including one or more credential claims, and transmit the unlock signature to the second agent.

Abstract: A method for accessing a network resource including detecting an attempt by a user via a computing device to access a service enabled by a computing system via a network and transmitting via the network to the computing system a first request to access the service in response to detecting the attempt by the user to access the service, the first request including at least one empty personally identifiable data structure. A failure to access the service responsive to the first request is determined. A second request to access the service in response to the first failure to access the service is transmitted via the network to the computing system, the second request including artificial personally identifiable information, and access to the service from the computing system is received for the user.

Abstract: A system and method are provided by which an electronic address associated with a user is monitored. Based on the monitoring, an electronic message is detected including a digital document. A cryptographic function is applied to the digital document to generate a hash which is rendered accessible at a network location. An identification of the network location of the hash is transmitted to a first computing system associated with the user.

Abstract: An electronic tracking protection system and method enable receiving a particular electronic message, detecting in the particular electronic message a link including a particular uniform resource locator (“URL”) including a parameter including a value. A uniqueness of the value is determined and the parameter is removed from the particular URL based on the uniqueness of the value to generate a modified URL. The particular URL is replaced with the modified URL in the particular electronic message based on the uniqueness of the value to generate a modified electronic message.

Abstract: A data sharing control method. The method includes detecting a plurality of images on one or more devices operated by a first user, the one or more devices comprising a particular device. A plurality of tags are determined for the plurality of images, and a plurality of settings are received based on the plurality of tags from a second user. A particular image is detected on the particular device. One or more particular tags of the particular image on the particular device are determined, and a sharing action of the particular image by the particular device is blocked based on the plurality of settings and the one or more particular tags.

Abstract: A method of collecting user device data includes receiving a probabilistic cardinality estimator data structure in the user device from a server, the probabilistic cardinality estimator data structure associated with a survey question. An answer to the survey question associated with the probabilistic cardinality estimator data structure is determined, and one or more elements are selectively added to the probabilistic cardinality estimator data structure based on the determined answer to the survey question. The probabilistic cardinality estimator data structure is sent back to the server, which calculates the survey result from the probabilistic cardinality estimator data structure.

Abstract: A data processing method in the form of a data compression method is provided in which a plurality of integers are accessed. Each of the plurality of integers is split to generate a first plurality of numbers respectively paired with a second plurality of numbers. A first tuple is generated based on the first plurality of numbers. A second tuple is generated based on the second plurality of numbers and the first plurality of numbers. The first tuple and the second tuple are stored. A system and computer readable medium enabling the data processing method are further provided.

Abstract: Malicious activity is identified in a plurality of sequences of computer instructions by identifying a plurality of sequences of computer instructions of interest, and assigning the plurality of sequences of computer instructions into two or more groups. A virtual machine sandbox is executed for each of the two or more groups, and each of the plurality of sequences of computer instructions is executed in the virtual machine sandbox into which the sequence of computer instructions has been assigned. Behavior of the executing instruction sequences is monitored, and is used to determine whether each of the groups has at least one executed sequence of computer instructions that is likely malicious.

Abstract: A method of detecting likely malicious activity in a sequence of computer instructions includes identifying a set of behaviors of the computer instructions and representing the identified behaviors as a graph. The graph is provided to a graph neural network that is trained to generate a geometric representation of the sequence of computer instructions, and a degree of relatedness between the geometric representation of the computer instructions and a set of base graphs including base graphs known to be malicious is determined. The sequence of computer instructions is determined to likely be malicious or clean based on a degree of relatedness between the geometric representation of the computer instructions and one or more base graphs known to be malicious.

Abstract: A method for accessing a network resource including detecting an attempt by a user via a computing device to access a service enabled by a computing system via a network and transmitting via the network to the computing system a first request to access the service in response to detecting the attempt by the user to access the service, the first request including at least one empty personally identifiable data structure. A failure to access the service responsive to the first request is determined. A second request to access the service in response to the first failure to access the service is transmitted via the network to the computing system, the second request including artificial personally identifiable information, and access to the service from the computing system is received for the user.

Abstract: A method and system detects at a plurality of network locations a plurality of accuracy ratings of a plurality of media instances and detects the plurality of media instances. A particular accuracy rating of one or more particular media instances is detected at a particular network location, and the one or more particular media instances are detected. A bias of the particular accuracy rating is determined based on the particular accuracy rating, the one or more particular media instances, the plurality of accuracy ratings, and the plurality of media instances. An indication is transmitted to a user based on the bias of the particular accuracy rating.

Abstract: A method of managing access to a network destination. The method includes establishing a first network zone for a user, the first network zone including a plurality of network destinations. The first network zone is monitored and one or more changes in the first network zone are determined. A first network destination in the first network zone is analyzed responsive to determining the one or more changes in the first network zone to determine a first threat. An attempt by the user to access the first network destination is detected, and access by the user to the first network destination is restricted based on the determining the first threat.

Abstract: Redundancy in a malware signature list is reduced by processing a plurality of pairs of records in a known malware signature list, where each pair of records comprises a file identifier and an associated malware detection. At least one of the file identifiers and the associated malware detections are mapped to symbols representing the file identifiers and the associated malware detections, the symbols taking less memory than the file identifiers and the associated malware detections. The mapped symbols representing the file identifiers and the associated malware detections are processed to remove at least some malware detections that are not needed to provide a desired degree of representation of each file identifier in the processed known malware signature list, and a processed known malware signature list is stored.

Abstract: Systems and methods for transacting over a network enable transacting on behalf of a first entity at a plurality of first network locations based on one or more first cryptographically verifiable credentials for a plurality of first network-enabled services. One or more assessments of the first entity are determined based on the transacting on behalf of the first entity at the plurality of first network locations based on the one or more first cryptographically verifiable credentials. One or more second cryptographically verifiable credentials are generated as one or more digitally signed credentials based on the one or more assessments of the first entity. The systems and methods further enable transacting on behalf of the first entity at one or more second network locations based on the one or more second cryptographically verifiable credentials for a second network-enabled service.

Abstract: Systems and methods for transacting over a network. A first agent and a second agent are provided. The second agent is operable to transact with a third agent for use of a network-enabled service based on a first transaction policy from a fourth agent, the third agent enabled to communicate with a fifth agent. The first agent is operable to communicate with the second agent to facilitate the transacting by the second agent with the third agent for the use of the network-enabled service based on the first transaction policy and communicate with the fifth agent to facilitate the transacting by the second agent with the third agent for the use of the network-enabled service.

Abstract: Systems and methods for transacting over a network. A first agent operating on a first computing system is operable to transact on behalf of a first entity. The first agent transacts with a second agent operating on a second computing system for a first cryptographically verifiable credential, transmits the first cryptographically verifiable credential to a third agent, and transacts with the third agent based on the first cryptographically verifiable credential for a second cryptographically verifiable credential to facilitate transacting with a fourth agent for a service. The second agent is operable to receive telemetry data of the first computing system which is configured to monitor the telemetry data, determine an assessment of the first entity based on the telemetry data, generate the first cryptographically verifiable credential based on the assessment of the first entity by the second agent, and transmit the first cryptographically verifiable credential to the first agent.