Abstract: Systems and methods maintain a toplist associated with a sliding window having m elements. The toplist can include the top k elements of the sliding window, where k is less than m (typically an order of magnitude or more less than m). As new elements are received from a data stream, a counter associated with the new element is updated and the new element is inserted into the sliding window. If the toplist has less than k elements, the new element is added. Otherwise, if the new element is already in the toplist, its counter value is updated with the new value. Otherwise, if the new element's counter is smaller than the smallest element in toplist, then do nothing. If the new element counter is larger than the smallest counter in the toplist, the smallest element is discarded from the toplist and the new element is inserted.

Abstract: Systems and methods capable of initializing centroids in large datasets before commencement of clustering operations. The systems and methods can utilize a random sampling window to increase the speed of centroid initialization. The systems and methods can be modified to leverage parallelism and be configured for execution on multi-node compute clusters. Optionally, the initialization systems and methods can include post-initialization centroid discarding and/or re-assignment operations that adaptively control cluster sizes.

Abstract: Initiation of a purchase at an online shop or other retailer can be detected. In addition to, or instead of a payment method integrated with the online shop, one or more alternative payment services that are not integrated with the online shop or retailer can be considered for selection. A non-integrated payment service can be selected based on terms offered by the non-integrated payment service. The selected goods or services can be paid for by the non-integrated payment service using a virtual credit card. The user can reimburse the non-integrated payment service under the terms offered by the non-integrated payment service.

Abstract: A method of providing a content feed. The method includes monitoring a plurality of user content streams of a plurality of users on a plurality of computing devices, the plurality of user content streams including a plurality of content instances accessible via a network. A plurality of archetypes are generated based on the plurality of user content streams. A selection of a particular archetype of the plurality of archetypes from a particular user is received on a particular computing device. A particular content stream is determined based on the particular archetype, and the particular content stream is delivered to the particular user via the particular computing device.

Abstract: A method of generating a similarity hash for an executable includes extracting a plurality of characteristics for one or more classes in the executable, and transforming the plurality of characteristics into a set of one or more class fingerprint strings corresponding to the one or more classes. The set of class fingerprint strings is transformed into a hash string using minwise hashing, such that a difference between hash strings for different executables is representative of the degree of difference between the executables. The hash of a target executable is compared with hashes of known malicious executables to determine whether the target executable is likely malicious.

Abstract: A private network device such as a security device is inserted in a private network using ARP spoofing, which includes sending periodic ARP packets from the private network device to a router and to client devices to ensure the private network device spoofing remains intact. The private network device determines when at least one of the one or more private network devices is inactive, such as by monitoring the network for activity between the devices and a router, and suspends sending the periodic ARP packets to the client devices when they are inactive.

Abstract: A malware classification is generated for an input data set with a human-readable explanation of the classification. An input data set having a hierarchical structure is received in a neural network that has an architecture based on a schema determined from a plurality of second input data sets and that is trained to classify received input data sets into one or more of a plurality of classes. An explanation is provided with the output of the neural network, the explanation comprising a subset of at least one input data set that caused the at least one input data set to be classified into a certain class using the schema of the generated neural network. The explanation may further be derived from the statistical contribution of one or more features of the input data set that caused the at least one input data set to be classified into a certain class.

Abstract: A method for controlling application enabling includes receiving from a particular user an indication of data for sharing and an indication of one or more recipients with which to share the data. A multidimensional zone is determined based on the indication of the data and the indication of the one or more recipients. A request from the particular user to enable a particular application via a computing device is detected. Data permission requirements of the particular application are accessed, and a multidimensional coordinate is determined based on the data permission requirements of the particular application. The multidimensional zone is compared to the multidimensional coordinate, and the particular user is notified via the computing device of the comparing of the multidimensional zone to the multidimensional coordinate. An affirmation of the request is received from the particular user via the computing device, and the particular application is enabled responsive to the affirmation of the request.

Abstract: A universal virtual device remote control is implemented on a computerized device such as a smart phone. The remote control operates by receiving one or more pictures of a target device, and identifying the target device by comparing the one or more pictures to pictures in a data set. The remote control also receives functional data associated with the identified device from the data set, and presents controls for the physical device to a user based on the received functional data. An input is received from the user in association with one or more of the controls, and a command associated with the input is sent to the identified device based on the functional data associated with the identified device.

Abstract: A private network device such as a security device is inserted in a local network and is operable to isolate networked devices on the local network. The networked security device uses Internet Protocol spoofing to intercept network traffic between at least two networked devices on the same local network as the networked security device, and selectively blocks intercepted network traffic between the at least two networked devices on the local network.

Abstract: A reference file set having high-confidence malware severity classification is generated by selecting a subset of files from a group of files first observed during a recent observation period and including them in the subset. A plurality of other antivirus providers are polled for their third-party classification of the files in the subset and for their third-party classification of a plurality of files from the group of files not in the subset. A malware severity classification is determined for the files in the subset by aggregating the polled classifications from the other antivirus providers for the files in the subset after a stabilization period of time, and one or more files having a third-party classification from at least one of the polled other antivirus providers that changed during the stabilization period to the subset are added to the subset.

Abstract: A data managing method. Metadata including a sharing policy is applied to a data file on a computing device. A sharing of the data file from the computing device via a network to a platform hosted by a computing system is detected. It is determined whether the platform is in compliance with the sharing policy, and it is reported whether the platform is in compliance with the sharing policy.

Abstract: Latency in a cloud security service provided via a network security device is reduced by receiving in the network security device a new network connection request for a connection between a local network device and a remote server. If a locally cached rule is applicable to the new network connection request, the applicable locally cached rule is applied to selectively allow the new network connection based on the rule. If no locally cached rule is applicable to the new network connection request, the new network connection request is forwarded to the remote server and to a cloud security service, and a response from the remote server is selectively forwarded to the local network device only upon receiving a determination by the cloud security device as to whether the new network connection is a security risk.

Abstract: Systems and methods provide an entity identifier (EID) for use in distributed systems, where the entity identifier includes inherent privacy features and where an estimate of the distinct count of the entity identifiers in a distributed system can be determined. A unique identifier (e.g., a GUID) for an entity is received. A hash value can be generated for the unique identifier using a hash function that is not guaranteed to generate unique values. An EID is created using a portion of the bits of the hash value and stored in a database. An estimated distinct count of entities based on a count of EIDs in the database can be determined based on the count of EIDs in the database and the size of the EID space.

Abstract: A method of identifying network devices such as a router includes accessing an HTTP server on at least one network device, and evaluating a web page served by the device's HTTP server. The web page is evaluated to determine whether it is similar to a page group from a plurality of page groups, where each of the plurality of page groups comprises a group of web pages similar to other pages in the page group. If the evaluated web page is determined similar to a page group, the page group most similar to the evaluated web page is identified as corresponding to the identity of the network device.

Abstract: A method of providing a content feed. The method includes monitoring a plurality of user content streams of a plurality of users on a plurality of computing devices, the plurality of user content streams including a plurality of content instances accessible via a network. A plurality of archetypes are generated based on the plurality of user content streams. A selection of a particular archetype of the plurality of archetypes from a particular user is received on a particular computing device. A particular content stream is determined based on the particular archetype, and the particular content stream is delivered to the particular user via the particular computing device.

Abstract: Permissions in a parental control system are managed by evaluating a set of current permissions settings, current interests, and the age of at least one child subject to the current permissions to derive one or more suggested modifications to the current permissions. The one or more suggested modifications are determined to be age appropriate for the at least one child and to be of interest to the child. The one or more current interests comprise prior usage data of the at least one child.

Abstract: A method of identifying cryptocurrency mining on a networked computerized device includes intercepting network traffic between the networked computerized device and a public network, and extracting Internet Protocol (IP) packet data of the intercepted network traffic. The IP packet data of the intercepted network traffic is evaluated such that if the intercepted network traffic is determined to be characteristic of communication with a cryptocurrency mining pool it is determined that the networked computerized device is mining cryptocurrency. One or more remedial actions are taken if it is determined that the networked computerized device is mining cryptocurrency, such as blocking traffic between the networked computerized device and the mining pool or notifying a user.

Abstract: A method of selecting devices on a private network for security protection via a network security device comprises classifying devices on the private network into devices that are sometimes protected and devices that are always either protected or not protected. Threats are monitored, the threats comprising at least one of a macro security event and a local security event, the macro security event detected by one or more external systems and the local security event detected by one or more devices local to the private network. When a threat is detected, it is determined whether the detected threat is a threat to one or more devices on the private network classified as devices that are sometimes protected, and if the detected threat is determined to be a threat to the one or more devices that are sometimes protected the one or more devices are protected.

Abstract: Systems and method verify a user based on facial image data, without prior information about the user. A user name and facial image of the user are received. A search query comprising the user name can be issued to one or more search engines. Images returned as a result of the search query can be filtered to determine a set of candidate images. The images in the set of candidate images can be compared to the facial image of the use to determine a probability of a match. If there is a match, the user can be considered verified.