Abstract: A malware classification system provides improved confidence in explanations of neural network classification outputs using methods such as weighting or masking when training the neural network to train the network on a sample resembling or including the explanation. The explanation in some examples comprises a subset of a hierarchical input vector that is responsible for the neural network's classification output. In another example the neural network has an inner portion inner portion configured to reduce the weight of elements of the output not significantly contributing to the explanation of the output, such as by reducing the weight of as many such outputs to zero as is practical in generating the desired output.

Abstract: Redundancy in a malware signature list is reduced by processing a plurality of pairs of records in a known malware signature list, where each pair of records comprises a file identifier and an associated malware detection. At least one of the file identifiers and the associated malware detections are mapped to symbols representing the file identifiers and the associated malware detections, the symbols taking less memory than the file identifiers and the associated malware detections. The mapped symbols representing the file identifiers and the associated malware detections are processed to remove at least some malware detections that are not needed to provide a desired degree of representation of each file identifier in the processed known malware signature list, and a processed known malware signature list is stored.

Abstract: A method of compressing a string array comprising strings with similarity includes selecting a string compression method from among a plurality of available compression methods based on at least which of the available compression method yields the shortest compressed string. The string is then compressed using the selected string compression method. The array of strings to be compressed comprises text characters represented by a first range of values within a word, and compressed string comprises one or more words in a second range of values dedicated to compression and not overlapping with the first range of values. This process is repeated for additional strings in the string array, such that the compression method used for each of a plurality of strings is independently selected.

Abstract: A method of generating receiving a valid domain name comprises evaluating a received valid domain name in a neural network trained to generate similar domain names, and providing an output comprising at least one domain name similar to the received valid domain name generated by the neural network. In a further example, a recurrent neural network is trained using valid domain names and observed malicious similar domain names and/or linguistic rules. In another example, the output of the recurrent neural network further comprises a similarity score reflecting a degree of similarity between the valid domain name and the similar domain name, such that the similarity score can be used to generate a ranked list of domain names similar to the valid domain name.

Abstract: Systems and methods for device type classification system include a rules engine and a machine learning engine. The machine learning engine can be trained using device type data from multiple networks. The machine learning engine and the rules engine can receive data for devices on a network at a first point in time. The data can be submitted to a rules engine and the machine learning engine, which each produce device type probabilities for devices on the network. The device type probabilities from the rules engine and the machine learning engine can be processed to determine device types for one or more devices on the network. As more data becomes available at later points in time, the additional data can be provided to the rules engine and the machine learning engine to update the device type determinations for the network.

Abstract: An application activation method includes enabling an activation of one or more applications, including an activation of a first application, on a computing device. A first plurality of interactions of a user with the one or more applications on the computing device are detected. A first offer to renew the activation of the first application is generated based on the first plurality of interactions of the user. The first offer is provided to the user via the computing device. An acceptance of the first offer is received from the user, and the activation of the first application is renewed responsive to receiving the acceptance of the first offer.

Abstract: A device control method includes monitoring location of a first user device of a first user and receiving an indication of a location of a second user device. The method further includes monitoring use of the second user device and determining a first time of use on the second user device. The first time of use on the second user device is allocated to a use time of a second user based on the location of the first user device relative to the location of the second user device, and a functional component of a third user device of the second user is disabled based at least on the use time of the second user.

Abstract: A computer-implemented method includes creating an account including an account value on an online service. The account value is modified periodically to activate a plurality of account values respectively associated with a plurality of times at which the plurality of account values were respectively activated on the account. A network-accessible data repository is scanned to detect a first value of the plurality of account values, the first value associated with a first time of the plurality of times at which the first value was activated. Responsive to detecting the first value a notification is provided indicating a data leak from the online service including an indication of when the data leak occurred based on the first time at which the first value was activated on the account and a second time at which a second value was activated on the account to replace the first value.

Abstract: A method of managing a fill state of a buffer in an external device includes monitoring the latency of a network connection to an external device having a network buffer via a managing device. A state of fill of the network buffer is determined based on at least the monitored latency of the network connection, and the effective network speed is estimated based on the state of fill of the network buffer. One or more network traffic scheduling parameters are adjusted in response to the estimated effective network speed, such as a maximum currently usable network speed that is lower than a maximum possible speed of the network. The maximum currently usable network speed of the network connection is periodically increased if the monitored latency is in a normal state and the maximum currently usable network speed is lower than the maximum possible speed of the network.

Abstract: Systems and methods use negative feedback to create generic rules for a high dimensional sparse feature space. A system receives a set of fingerprints, where a fingerprint can be a set of features of a file. The fingerprints can be clustered according to similarity. For each cluster, a proto-rule is created that has a condition for each feature. The proto-rule is simplified using negative feedback to create a well-formed rule having a comparatively small subset of the conditions in the proto-rule that are useful in determining malware. The well-formed rule can be added to a set of rules used in a malware detection system.

Abstract: A method of providing a content feed. The method includes monitoring a plurality of user content streams of a plurality of users on a plurality of computing devices, the plurality of user content streams including a plurality of content instances accessible via a network. A plurality of archetypes are generated based on the plurality of user content streams. A selection of a particular archetype of the plurality of archetypes from a particular user is received on a particular computing device. A particular content stream is determined based on the particular archetype, and the particular content stream is delivered to the particular user via the particular computing device.

Abstract: A network security assessment engine can assess security on a remote computer network. Agent programs on computing devices on the remote network can execute security tests. The network security assessment engine receives security test results produced by the security tests. The network security assessment engine can determine security test scores based, at least in part, on the security test results. The network security assessment engine can determine an overall network security score based, at least in part, on the security test scores and present the overall network security score. As an example, a network services provider can utilize the network security assessment engine to provide an adaptive, expressive scoring mechanism, allowing the network services provided to more efficiently digest, assess, and report network anomalies within a multitenant context.

Abstract: A method includes enabling a messaging server and providing credentials for the messaging server. A computing system is enabled and a malware application is received by the computing system. The malware application is executed by the computing system. The credentials are rendered accessible to the malware application via the computing system, and the malware application is enabled to transmit the credentials via network transmission from the computing system to a computer. An actor is enabled to access the messaging server over a network in response to the actor applying the credentials, and a first electronic message transmitted by the actor is received by the messaging server, the first electronic message including first content.

Abstract: A method including detecting a webpage accessed by a user on a computing device via a browser. Content on the webpage is determined, and a model is applied to the content to determine a plurality of keyword sets. A network search is performed based on each of the plurality of keyword sets to generate a plurality of search results. The plurality of search results are compared to the content, and the plurality of search results are compared to each other. A factualness of the content is determined based on the comparing of the plurality of search results to the content and based on the comparing of the plurality of the search results to each other, and the user is notified via the browser of the factualness of the content.

Abstract: A method of managing access to a network destination. The method includes establishing a first network zone for a user, the first network zone including a plurality of network destinations. The first network zone is monitored and one or more changes in the first network zone are determined. A first network destination in the first network zone is analyzed responsive to determining the one or more changes in the first network zone to determine a first threat. An attempt by the user to access the first network destination is detected, and access by the user to the first network destination is restricted based on the determining the first threat.

Abstract: A method for controlling application enabling includes receiving from a user an indication of data for sharing and an indication of one or more recipients with which to share the data. A multidimensional zone is determined based on the indication of the data and the indication of the one or more recipients. A request from the user to enable an application via a computing device is detected. Data permission requirements of the application are accessed, and a multidimensional coordinate is determined based on the data permission requirements of the application. The multidimensional zone is compared to the multidimensional coordinate, and the user is notified via the computing device of the comparing of the multidimensional zone to the multidimensional coordinate. An affirmation of the request is received from the user via the computing device, and the application is enabled responsive to the affirmation of the request.

Abstract: Anomalous or unexpected system permissions in applications in a computing environment are identified by generating a statistical model at least in part from application permissions granted across a plurality of application types. One or more of the application permissions granted across a plurality of application types are identified as potentially unexpected dangerous permissions. The statistical model is used to determine whether a target application has at least one potentially dangerous permission that is not statistically likely for a target application type of the target application.

Abstract: A method of identifying network devices includes transforming a first data set of feature-rich device characteristics of devices with known device identities to a second data set comprising feature-poor device characteristics with the known device identities. A third data set of feature-poor device characteristics of devices with known identities is collected. A statistical model is derived comprising one or more adjustments to the transformed data set, the statistical model reflecting a difference in statistical distribution between one or more characteristics of the second data set of transformed device characteristics and one or more corresponding and/or related characteristics of the third data set of feature-poor device characteristics. A device identification module is trained based on the second data set of feature-poor characteristics and the statistical model adjustments, the trained device identification module operable to use feature-poor device characteristics to identify network devices.

Abstract: Systems and methods maintain a toplist associated with a sliding window having m elements. The toplist can include the top k elements of the sliding window, where k is less than m (typically an order of magnitude or more less than m). As new elements are received from a data stream, a counter associated with the new element is updated and the new element is inserted into the sliding window. If the toplist has less than k elements, the new element is added. Otherwise, if the new element is already in the toplist, its counter value is updated with the new value. Otherwise, if the new element's counter is smaller than the smallest element in toplist, then do nothing. If the new element counter is larger than the smallest counter in the toplist, the smallest element is discarded from the toplist and the new element is inserted.

Abstract: In order to identify an unknown IoT device type, behavioral or statistical data of the device is collected and analyzed. A functional group may be created using behavioral data of devices of a known type. A behavior profile for the functional group may be generated and stored in a database. The behavioral data of the device of an unknown type is compared to the behavior profile of the functional group. When the similarity of the behavioral data of the device of an unknown type and the behavior profile exceeds a predetermined or configurable threshold, a device type associated with the functional group can be assigned to the device of a previously unknown type.