Abstract: According to one aspect, a method of assessing typicality of a first name that includes a plurality of characters includes obtaining the first name, determining at least a first N-gram size, and extracting a first plurality of N-grams of the first N-gram size from the first name. The first plurality of N-grams is analyzed with respect to a model. Analyzing the first plurality of N-grams with respect to the model includes obtaining a first score. Finally, the method includes determining whether the first score indicates that the first name is typical.

Abstract: A first graph comprises multiple nodes and edges. At least one successive summary graph is created, using the original graph as a predecessor. To create a second graph from a first, nodes of the first graph are grouped into a plurality of subsets, and each subset becomes a super-node. For each super-node, the edges of each corresponding node are replaced with one or more super-edges. Each super-edge represents a relationship between a pair of super-nodes. The nodes of the successor graph comprise the super-nodes and the edges of the successor graph comprise the super-edges. The steps are tracked for restoring each omitted edge of each predecessor graph. Based on a determined quantified value for the restoration of each omitted edge of each predecessor graph, customized summary graphs can be created for and presented to specific parties. Determined values can be, for example, monetary or based on trust levels.

Abstract: Machine-learning based detection (MLD) profiles can be used to identify sensitive information in documents. The MLD profile can be used to generate a confidence value for the document that expresses the degree of confidence with which the MLD profile can classify the document as sensitive or not. In one embodiment, a data loss prevention system provides or suggests a confidence level threshold to a user of the data loss prevention system by providing a confidence level threshold for the MLD profile to the user, the confidence level threshold to be used as the boundary between sensitive data and non-sensitive data. In one embodiment the provided confidence level threshold is determined by scanning a random data set using the MLD profile.

Abstract: A method and apparatus for encrypted universal resource identifier (URI) based messaging is described. In one embodiment of the method, a server computing system receives an encrypted message from a first client computing system over a network, decrypts the encrypted message, stores the decrypted message in a message data store, and generates a shortened uniform resource locator (URL) for subsequent retrieval of the stored message. The server computing system sends the shortened URL to the first client computing system. Subsequently, the server computing system receives from a requesting computing system, a request, including the shortened URL, to retrieve the stored message, encrypts the stored message in a uniform resource identifier (URI) with an encryption type URI, and sends the encrypted URI to the requesting computing system.

Abstract: A computer-implemented method for clustering data may include (1) identifying a plurality of samples, (2) locating a sample, from within the plurality of samples, that is a centroid of a cluster, (3) locating another sample that is, among the plurality of samples, next closest to the centroid relative to a most-recently located sample, (4) determining whether an attribute of the next-closest sample matches an attribute of the centroid, (5) determining whether to adjust a radius of the cluster based on whether the attribute of the next-closest sample matches the attribute of the centroid, and (6) repeating the steps of locating the next-closest sample, determining whether the attributes match, and determining whether to adjust the radius of the cluster, until the attribute of the next-closest sample does not match the attribute of the centroid. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A method for lost device location is disclosed. The method includes transmitting a last known location from the lost device, receiving a command to lock the lost device at the lost device and locking the lost device. Machine identification data and current location data is transmitted from the lost device, that is accessible by a backend server, to a second device that is located within a designated proximity to the lost device.

Abstract: A computer-implemented method for healing infected document files may include (1) receiving an electronic message directed to a target client computing system, the electronic message including a document file, (2) in response to receiving the electronic message, discovering, by a security program, that the document file is infected with potentially malicious content by, parsing the document file into separate objects and detecting that one of the separate objects is infected with potentially malicious content, (3) healing, by the security program, the infected object by removing the potentially malicious content from the object, (4) reconstructing, by the security program, the document file by reuniting the healed separate object with a remainder of the separate objects in a manner that preserves readability of the document, and (5) providing access to the readable reconstructed document file at the target client computing system. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for maintaining encrypted search indexes on third-party storage systems may include (1) identifying a plurality of encrypted files, (2) identifying a plurality of keywords contained in the plurality of encrypted files, and (3) generating an encrypted search index for searching the plurality of encrypted files by (i) identifying, for each keyword in the plurality of keywords, a list of encrypted files in the plurality of encrypted files that contain the keyword, (ii) encrypting the list of encrypted files, and (iii) storing the encrypted list of encrypted files such that the encrypted list of encrypted files can be identified using a lookup key generated by applying a pseudo-random function to the keyword. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for detecting display-controlling malware may include (1) identifying a software program that is controlling a display of the computing device, (2) detecting one or more measures taken by the software program to prevent loss of control of the computing device display, (3) performing an analysis of the software program that may include determining, based on the measure taken by the software program to prevent loss of control of the computing device display, that the software program is suspicious and possibly includes display-controlling malware, and (4) performing a security action in response to determining that the software program is suspicious and possibly includes display-controlling malware. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A method of renewing a plurality of digital certificates includes receiving, at a first time, a request from a user to renew a first digital certificate and determining an expiration date for the first digital certificate. The method also includes receiving, at a second time, a request from the user to renew a second digital certificate and determining an expiration date for the second digital certificate. The expiration date for the second certificate is later than the expiration date for the first certificate. The method further includes determining a new expiration date occurring after the first time and the second time and renewing the first digital certificate. An expiration date for the renewed first digital certificate is equal to the new expiration date. Moreover, the method includes renewing the second digital certificate. An expiration date for the renewed second digital certificate is equal to the new expiration date.

Abstract: Techniques for remote tracking may be realized as a method including: receiving tracking parameters comprising one or more restrictions, wherein each restriction of the one or more restrictions includes a property other than a position; monitoring a position of a client device; receiving location information for the monitored position of the client device, the location information including one or more properties other than position; and determining that the monitored position of the client device transgresses a restriction of the one or more restrictions, wherein the determination includes determining that location information of the monitored position satisfies a property of the restriction other than position.

Abstract: A method, a device, and a system for alerting against unknown malicious codes are disclosed. The method includes: detecting characteristics of a packet; judging whether any suspicious code exists in the packet according to a result of the detection; recording a source address of the suspicious code if the suspicious code exists in the packet; and sending alert information that carries the source address to a monitoring device. The embodiments of the present invention can report source addresses of numerous suspicious codes proactively at the earliest possible time, lay a foundation for shortening the time required for overcoming virus threats, and avoid the trouble of installing software on the client.

Abstract: Techniques for clipboard monitoring are disclosed. In one embodiment, the techniques may be realized as a method including identifying text that has been copied from an application to a clipboard; copying the identified text to a cache separate from the clipboard; replacing the identified text in the clipboard with a delayed clipboard object; in response to a reference call from the delayed clipboard object, analyzing the copied text for sensitive data; and in response to determining that the copied text includes sensitive data, providing a response to the reference call from the delayed clipboard object that does not include the copied text.

Abstract: A computer-implemented method for detecting malware-induced crashes may include (1) identifying, by analyzing a health log associated with a previously stable computing device, the occurrence of an unexpected stability problem on the previously stable computing device, (2) identifying, by analyzing an event log associated with the previously stable computing device, an event that is potentially responsible for the occurrence of the unexpected stability problem on the previously stable computing device, (3) determining, due at least in part to the event being potentially responsible for the occurrence of the unexpected stability problem on the previously stable computing device, that the event is potentially malicious, and (4) performing a security action in response to determining that the event is potentially malicious. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for detecting webpages belonging to spam campaigns may include (1) identifying a web address of a suspicious webpage that potentially hosts a spam message, (2) capturing an image of the suspicious webpage, (3) comparing the image of the suspicious webpage to at least one spam image from a spam database, the spam image being associated with a spam campaign in the spam database, (4) determining, based on the comparison of the image of the suspicious webpage with the spam image, whether the suspicious webpage is associated with the spam campaign, and (5) updating the spam database in response to the determination of whether the suspicious webpage is associated with the spam campaign. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Application programming interface (API) hooks are injected into an application program executing at a client during run-time. Responsive to these hooks, data intended for encryption prior to transmission from the client is diverted, for example for content filtering, compression, etc., prior to being encrypted. In the case of encrypted data received at the client, the data is decrypted but before being passed to the application it is diverted, under control of the API hooks, for content filtering, decompression, etc.

Abstract: A computer-implemented method for protecting virtual machine program code may include (1) identifying one or more software program functions developed for execution in a virtual machine to be protected against reverse engineering, (2) converting one or more of the software program functions to native code for the computing device, (3) obtaining a memory address of one or more virtual machine functions, (4) generating one or more at least partially random alphanumeric values to identify the memory address of the virtual machine functions, (5) invoking the converted native code using a native code interface for the virtual machine, and (6) invoking one or more of the virtual machine functions from the converted native code using the alphanumeric value. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for generating repair scripts that facilitate remediation of malware side-effects may include (1) identifying a potentially malicious file located on a computing system, (2) determining at least one potential side-effect of the potentially malicious file, (3) generating, based at least in part on the potential side-effect of the potentially malicious file, a repair script that facilitates remediation of the potential side-effect, and then (4) remedying the potential side-effect by directing the computing system to execute the repair script. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A method for intruder detection is provided. The method includes determining received signal strength of a first wireless device, while the first wireless device is moved at random within a region and generating a profile of the received signal strength of the first wireless device. The method includes determining received signal strength of a second wireless device and issuing an alert, responsive to received signal strength of the second wireless device meeting the profile. An intruder detection system is also provided.