Abstract: Detecting malware includes monitoring an event stream for an executable program, where the event stream includes a plurality of events such as API call events. A first plurality of hash values is determined for the event stream. In response to an occurrence of a trigger event in the event stream, the first plurality of hash values for the event stream can be compared with a second plurality of hash values that represents an event stream for a known malware executable. A determination can be made if a behavior represented by the first plurality of hash values is a permitted behavior based on the comparison.

Abstract: Systems and methods for determining software recommendations for a user. A first application list of applications installed on a user's computer is received. A distribution score is determined for each application in the first application list. A set of least distributed applications is determined based on the distribution score. A similarity score is determined for each user in a set of users having one or more applications of the set of least distributed applications installed on their respective systems. A second list of applications is determined based on applications installed by users in the set of users having a similarity score above a threshold. Recommendations for applications in the first list of applications are determined based, at least in part, on typicality scores for the applications.

Abstract: A hybrid location service maintains a user state for each of a plurality of mobile devices communicably coupled to the hybrid location service via one or more networks. The hybrid location service can receive a request for a location of a mobile device. In response, the hybrid location service can determine a consent source. The consent source can include the mobile device or a network operator of the network used by the mobile device. The hybrid location service determines a response to the request for the location of the mobile device based, at least in part, on a user state of the mobile device and a user consent obtained from the consent source.

Abstract: A file similarity vector for an executable file or executable object can be determined using function lengths of functions in the executable file or data object. The executable file or data object can be scanned, and lengths of functions can be determined. Various statistics such as number of functions, maximum function length, minimum function length, and average function length can be used to create a file similarity vector. The file similarity vector can be used to compare files.

Abstract: A content filter setting method includes enabling a user to choose a setting of a filter for a particular application in a user interface of a user device. The setting of the filter is received from the user via the user interface, and a model is applied to determine a plurality of default settings of a plurality of filters of the particular application based on the setting of the filter and the identifying information of the user. The plurality of default settings is displayed in the user interface, and modified settings of the default settings are received via the user interface.

Abstract: Detecting a Domain Name Service (DNS) hijacking includes resolving names in a hijack target group list to their respective Internet Protocol (IP) addresses. In response to determining that two names in the hijack target group list resolved to a common IP address, a determination is made whether a legitimate reason exists for the two names in the hijack target group list to resolve to the common IP address. In response to determining that a legitimate reason does not exist for the two names in the hijack target group list to resolve to a common IP address, a DNS hijacking is indicated.

Abstract: A system and method is provided for sharing mobile device location information. The method includes receiving signals by a mobile device and determining by the mobile device a first location of the mobile device at a first time based on the signals received by the mobile device. Time data is accessed by the mobile device and the mobile device determines based on the time data that the first time is in a first time window. The first location is transmitted to a particular user device at least responsive to the first time being in the first time window. The mobile device determines a second location of the mobile device at a second time based on the signals received by the mobile device. A first error is applied to the second location at least responsive to the determining of the second location at the second time, and the second location is transmitted including the first error to the particular user device.

Abstract: A computing device can initiate a pairing operation with mobile computing device. The computing device encodes a pairing secret into a displayable code for presentation. The size of the displayable code can be determined in accordance with a threshold distance and display parameters. The mobile computing device is positioned such that an image of the displayable code substantially fills a boundary whose size is determined according to a desired threshold distance, a focal length, and parameters of a sensor chip. The displayable code is decoded to reveal the pairing secret to the mobile computing device. The pairing secret is used to complete the pairing process with the computing device. Once pairing has been completed, the computing device can measure a signal strength between the computing device and the mobile computing device. The signal strength can be stored to be used for later authorization purposes.

Abstract: A processor-implemented method including scanning wirelessly by a plurality of mobile devices and selecting a plurality of wireless access points based on the scanning by the plurality of mobile devices. Particular attributes of the plurality of wireless access points are determined, and the particular attributes of the plurality of wireless access points are compared. A particular set of the plurality of wireless access points are grouped based on the comparing of the particular attributes, and a particular geographic location is assigned to the particular set of the plurality of wireless access points. A particular security protocol is assigned to the particular geographic location based on the particular attributes of the particular set of the plurality of wireless access points. A particular mobile device is determined to be positioned within a particular distance of the particular geographic location, and wireless communication of the particular mobile device is restricted.

Abstract: A system and method is provided for sharing mobile device location information. The method includes receiving signals by a mobile device and determining by the mobile device a first location of the mobile device at a first time based on the signals received by the mobile device. Time data is accessed by the mobile device and the mobile device determines based on the time data that the first time is in a first time window. The first location is transmitted to a particular user device at least responsive to the first time being in the first time window. The mobile device determines a second location of the mobile device at a second time based on the signals received by the mobile device. A first error is applied to the second location at least responsive to the determining of the second location at the second time, and the second location is transmitted including the first error to the particular user device.

Abstract: Methods and systems for securing a network including IoT devices are provided. A networking device system can regulate the ability of IoT devices to communicate with their corresponding cloud servers over the Internet, for example, by allowing a device to connect to its associated cloud servers when a user (e.g., an authorized user) requests to use the device. The system can communicate (e.g., directly) with users outside of the network through an app and/or a software development kit installed on user client device(s), where communications received from the app or kit (e.g., to access one or more IoT devices on the network) can be presumed to originate from authorized users.

Abstract: A system and method for prefix fingerprints for a first file or a first data object. A prefix fingerprint comprises a plurality of hash values. The hash values of the prefix fingerprints are typically generated starting at the same offset within the file or data object, but are generated based on different data sizes. Later, a second file or second data object can be compared with the first file or first data object to determine if the second file or data object is a prefix of the first file or data object. A hash value is selected from the previously determined prefix fingerprint of the first file based on the size of the second file. A hash is generated for the second file using the same offset value and size as was used to generate the selected hash value from the prefix fingerprint. The hash values are then compared.

Abstract: A method and system for an automated classification rating of browser extensions is provided. One embodiments of the present invention can track the behavior of a large number of users in order to determine the reputation of browser extensions such as toolbars. The rating can be determined based on similarity analysis of previously rated browser extension attributes, and can be adjusted in response to a determination of the user's choice on the browser extension removal and reinstallation.

Abstract: A location anomaly for a mobile device can be detected using non-location information from the mobile device. The non-location information does not include data from a location based device, such as a GPS. A probabilistic model is created using historical non-location information accumulated from the mobile device. Current non-location data is compared with the probabilistic model to determine a probability associated with the current non-location information. If the probability is less than a predetermined or configurable threshold, a location anomaly is detected. A notification of the location anomaly may be displayed and/or transmitted in response to detecting the location anomaly.

Abstract: Systems and methods normalize an executable script. A file can be received that potentially contains an executable script. The characters in the file are translated to a single case (either upper case or lower case). Duplicate whitespace can be removed. A script is identified within the file. Tokens in the script are processed to create normalized output. The normalized output can include tokens that are retained keywords, control flow characters or data characters from the script file.

Abstract: Systems and methods index and search log files created after execution of binaries. A plurality of log files each have one or more sequences. An index tree is created for the log files. A first log file is placed into a bucket of the index tree according to the lengths of the one or more sequences of the first log file. Remaining logs files are placed the index tree according to their respective sequence lengths. Each log becomes a representative in the bucket or associated with a representative in the bucket. The index tree can be searched, where an incurred distance and a remaining distance is maintained during the search. Nodes are pruned based, at least in part, on the incurred distance and the remaining distance.

Abstract: Systems and methods are described which integrate file properties that in conventional systems has been considered weaker evidence of malware and analyzes the information to produce reliable results. Properties such as file paths, file names, source domains, IP protocol ASNs, section checksums, digital signatures that are not always present and not always reliable can be integrated into the classification process using a graph. A 1-neighborhood of object values in the graph may be created and analyzed to suggest a malware family label based on files having similar properties.

Abstract: An electronic messaging method is provided, the method implemented by one or more processors. The method includes launching a textual communication application by a user device including a user interface. In the user interface a data entry interface is enabled including language elements in a particular language determined based on an international calling code of a stored textual communication involving a user of the user device or a language of a stored textual communication involving a user of the user device, the stored textual communication comprising text transmitted by the user of the user device or text received by the user of the user device from a particular party. Textual input is received via the data entry interface including the language elements in the particular language.

Abstract: A processor-implemented method including scanning wirelessly by a plurality of mobile devices and selecting a plurality of wireless access points based on the scanning by the plurality of mobile devices. Particular attributes of the plurality of wireless access points are determined, and the particular attributes of the plurality of wireless access points are compared. A particular set of the plurality of wireless access points are grouped based on the comparing of the particular attributes, and a particular geographic location is assigned to the particular set of the plurality of wireless access points. A particular security protocol is assigned to the particular geographic location based on the particular attributes of the particular set of the plurality of wireless access points. A particular mobile device is determined to be positioned within a particular distance of the particular geographic location, and wireless communication of the particular mobile device is restricted.

Abstract: In a system for extracting policy information from text, a processor analyzes if the text is relevant to a top-level category, and then determines if at least a portion of the text is relevant to categories and subcategories within a taxonomy of categories and subcategories related to the top-level category. If at least a portion of the text is determined to be relevant to the category/subcategory, a classifier extracts policy information associated with the category/subcategory. Using text that includes a known policy the classifiers can be trained to correctly recognize categories/subcategories, and the values associated therewith.