Abstract: The disclosed computer-implemented method for preparing honeypot computer files may include (1) identifying, at a computing device, a search term used by a cyber attacker in an electronic search request, (2) identifying, without regard to a search access restriction, a sensitive computer document in search results stemming from the electronic search request, (3) creating, as a security action in response to the electronic search request, a honeypot computer file based on the sensitive computer document and including the identified search term, and (4) placing the honeypot computer file in the search results. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for malware classification may include receiving dynamic analysis traces that include event descriptions regarding malware programs, and labels regarding classes of malware programs; performing a first mapping of the event descriptions to a first set of vector representations, wherein order of the events is not taken into account by the first mapping; performing a second mapping of the event descriptions to a second set of vector representations, wherein order of the events is taken into account by the second mapping; combining the first set of vector representations and the second set of vector representations into a combined set of vector representations; inputting the combined set of vector representations, along with the labels, into an autoencoder; and training the autoencoder to generate a feature space representation that correlates identified features with classes of malware. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for cross-product malware categorization may include accessing computer readable media storing an incomplete feature dataset and an incomplete label dataset, determining a correlation between the plurality of features and the plurality of malware labels, and constructing at least one of a complete feature dataset based on the incomplete feature dataset and the correlation and a complete label dataset based on the incomplete label dataset and the correlation. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for preventing decentralized malware attacks may include (i) receiving, by a computing device, node data from a group of nodes over a network, (ii) training a machine learning model by shuffling the node data to generate a set of outputs utilized for predicting malicious data, (iii) calculating a statistical deviation for each output in the set of outputs from an aggregated output for the set of outputs, and (iv) identifying, based on the statistical deviation, an anomalous output in the set of outputs that is associated with one or more of the malicious nodes, the one or more malicious nodes hosting the malicious data. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Methods and systems are provided for detecting privacy leakage risks in text. One example method generally includes receiving, at a computing device from a client device, a keyword and generating, by the computing device, a combined query comprising the keyword and a sensitive topic query associated with a sensitive topic. The method further includes transmitting the keyword from the computing device to a search engine and transmitting the combined query from the computing device to the search engine. The method further includes receiving, at the computing device from the search engine, a number of search results for the keyword and receiving, at the computing device from the search engine, a number of search results for the combined query. The method further includes determining, by the computing device, a confidence score and transmitting the confidence score from the computing device to the client device.

Abstract: A method for improving memory efficiency of production rule systems is described. In one embodiment, the method includes identifying a rule associated with production rule systems, constructing a production rule network based at least in part on the rule, identifying a positional constraint associated with the rule, and implementing an alpha memory gate in the production rule network based at least in part on the positional constraint. In some cases, the alpha memory gate is one of a plurality of nodes of the production rule network.

Abstract: Detecting abnormal user behavior via temporally regularized tensor factorization.

Abstract: The disclosed computer-implemented method for establishing restricted interfaces for database applications may include analyzing, by a computing device, query behavior of an application for query requests from the application to a remote database in a computer system and identifying, based on the analysis, an expected query behavior for the application. The method may include establishing, between the application and the remote database, a restricted interface. The method may include receiving, at the restricted interface, a query request from the application to the remote database and limiting, by the restricted interface, the query request from the application to the remote database based on the expected query behavior. The method may include determining, by checking the query request against the expected query behavior, that the query request is anomalous query behavior and performing a security action with respect to the computer system.

Abstract: Reputation-based transaction security. In one embodiment, a method for reputation-based transaction security may include obtaining data regarding a user device associated with a first party; obtaining data regarding an intended second party, the user device being used in a transaction between the first party and the intended second party; calculating a reputation score based on the data obtained regarding the user device and the intended second party; determining a likelihood that resources related to the transaction will be received by the intended second party based on determining that the reputation score satisfies a pre-determined threshold; and automatically initiating a remedial action to the user device based on determining the likelihood that resources related to the transaction will be received by the intended second party.

Abstract: The disclosed computer-implemented method for enforcing age-based application constraints may include (1) receiving a selection of age-based use constraints to be associated with one or more applications installed on the computing device, (2) associating the age-based use constraints with the applications, (3) determining that a user attempting to access the applications does not meet the age-based use constraints, and (4) performing a security action that restricts user access to the applications when the user does not meet the age-based use constraints. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: An entity runs in background mode on a computing device and automatically determines when the current user is attempting to open an age-restricted app. The age of the user is automatically determined, e.g., by passively capturing a biometric image and estimating the user's age. A camera on the computing device can be used to take a picture of the user, and a facial image can be recognized in the picture by applying a facial recognition algorithm. The age of the user can be estimated based on the facial image, by applying an age estimation algorithm. The app is locked responsive to determining that the user's age does not meet a corresponding requirement. A communication can be transmitted to the primary user of the computing device, indicating that the current user of the device unsuccessfully attempted to open the app, optionally including a picture of the user.

Abstract: Identifying and protecting against a computer security threat while preserving privacy of individual client devices using differential privacy machine learning for streaming data. In some embodiments, a method may include receiving first actual data values streamed from one or more first local client devices, generating first perturbed data values by adding noise to the first actual data values using a differential privacy mechanism, storing the first perturbed data values, training a machine learning classifier using the first perturbed data values, receiving a second actual data value streamed from a second local client device, generating a second perturbed data value by adding noise to the second actual data value, storing the second perturbed data value, identifying a computer security threat to the second local client device using the second actual data value as input to the trained machine learning classifier, and protecting against the computer security threat.

Abstract: The disclosed computer-implemented method for preventing system level browser attacks through mobile applications may include (i) intercepting a message transmitted by a mobile application, wherein the message is based on data received by the mobile application, (ii) obtaining a universal resource locator (URL) from the message, (iii) obtaining reputation data using the URL, (iv) determining that the URL is for a malicious website based on the reputation data, and (v) in response to determining that the URL is for the malicious website, performing a security action to protect the computing device from system level browser attacks. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for performing micro-segmenting may include (i) identifying at least a portion of a device, (ii) measuring a variance value that indicates a level of variance in terms of websites accessed by the portion of the device over a period of time, and (iii) locking, in response to determining that the variance value satisfies a threshold level of simplicity, the portion of the device by applying a security profile to the portion of the device that limits the portion of the device to accessing a set of websites that is defined in terms of the websites accessed by the portion of the device over the period of time. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for recovering an infected endpoint may include receiving an acoustic signal having an embedded command for executing a security application at the infected endpoint, decoding the acoustic signal to obtain the embedded command, and executing the embedded command to start a security application at the infected endpoint, where the security application is operable to mitigate the infected endpoint. Various other methods, systems and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for system recovery from a system user interface process malfunction may include (i) determining that a system user interface (UI) process is executing on the computing device, (ii) determining that a message indicating a malfunction of the system UI process is displayed on the computing device, (iii) identifying a mobile application that was executing on the computing device at a time of the malfunction of the system UI process, and (iv) in response to identifying the mobile application that was executing at the time of the malfunction of the system UI process, performing a security action for recovery from the malfunction of the system UI process. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A mobile computing device is infected by malware which blocks access to the infected device by an authorized user. A download and installation request is generated from another device and sent to a third-party service via the internet to allow a first instance of a mobile device security application to be downloaded and installed on the infected device. A second instance of the same mobile device security application is also downloaded and installed on a clean device, with the first and second instances of the mobile device security application being covered under a single license. An instruction is generated on the mobile device security application on the clean device and transmitted to the infected device. Based on the received instruction, the mobile device security app is initiated and at least one access setting is modified on the infected device to enable user access.

Abstract: The disclosed computer-implemented method for virtual boundary enforcement using network filters may include (i) applying a network filter to network traffic associated with a target computing device, (ii) analyzing data generated by the network filter, (iii) identifying, based on an analysis of the data, a potential violation of a virtual boundary associated with the target computing device, and (iv) in response to identifying the potential violation, performing a security action to enforce the virtual boundary associated with the target computing device. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for verifying connection integrity may include (i) receiving a request from a client to initiate a connection to a server via a middlebox, (ii) receiving, from the client, via a side protocol executing in parallel with a transport layer security protocol, a request for a certificate for the middlebox, (iii) sending, to the client, via the side protocol, the certificate, (iv) receiving, from the client, via the side protocol, a request for an additional certificate from a device upstream of the middlebox, (v) requesting, from the device upstream of the middlebox, via the side protocol, the additional certificate, (vi) receiving, from the device upstream of the middlebox, via the side protocol, the additional certificate, (vii) sending, to the client, via the side protocol, the additional certificate, and (viii) relaying data via the connection. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Communications received by a computing device originating from communicating entities that are members of the same group(s) as a user are tracked. A corresponding unique identifier is maintained for each such communicating entity, and an associated security rating is configured. A security analysis is performed on content received by the computing device from these communicating entities. The security ratings associated with given communicating entities are adjusted, responsive to given security analyses of content received by the computing device from these associated communicating entities, where such an analysis identifies security concerns. Responsive to the security rating of a specific communicating entity exceeding a predefined threshold, one or more security actions are taken to prevent the user of the computing device from being exposed to communication from that communicating entity.