Abstract: A computer-implemented method for protecting data on devices may include (i) identifying a device that is operated by a user and that comprises private data pertaining to the user, (ii) determining that stalkerware on the device is sending the private data to an unauthorized device not operated by the user, (iii) requesting, in response to determining that the stalkerware is sending the private data to the unauthorized device, that the user select at least one safety plan step from a set of safety plan options, and (iv) modifying, at least in part based on the safety plan step selected by the user, outgoing data sent by the stalkerware to the unauthorized device. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for utilizing user identity notifications to protect against potential privacy attacks on mobile devices may include (i) monitoring a mobile computing device to detect one or more user interactions by a current user, (ii) identifying the current user of the mobile computing device, (iii) determining that the current user is a potentially malicious user associated with one or more privacy-invasive applications installed on the mobile computing device, and (iv) performing a security action that protects a benign user of the mobile computing device against an attack initiated by the potentially malicious user associated with the privacy-invasive applications. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for detecting fraudulent shopping websites may include (i) identifying a shopping website that advertises a plurality of allegedly available payment options for completing transactions on the shopping website, (ii) determining, based at least in part on an analysis of the plurality of allegedly available payment options that at least one of the plurality of allegedly available payment options is suspicious, (iii) calculating a trustworthiness score for the shopping website that is based at least in part on the determination that at least one of the allegedly available payment options is suspicious, and (iv) displaying an alert to a user based on the trustworthiness score of the shopping website. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for detecting inter-personal attack applications may include (i) receiving application marketplace information describing application feature information, (ii) creating, by performing natural language processing on the feature information, a feature vector identifying a potentially malicious functionality of the application, (iii) creating a profiling vector that is a categorical feature representation of installation information from an application installation file, and (iv) performing a security action including (A) mapping, using a machine learning model, the feature vector and the profiling vector to a multi-dimensional output vector having element corresponding to a malware category and (B) determining a malicious extent of the application by combining the categories identified by the multi-dimensional output vector with bi-partite graph information identifying (I) relations between a plurality of applications and (II) relations between a plurality of computing

Abstract: The disclosed computer-implemented method for authenticating digital media content may include (i) receiving digital media content that has been captured by a capturing device and digitally signed through a cryptoprocessor embedded within the capturing device to provide an assurance of authenticity regarding how the capturing device captured the digital media content, and (ii) encoding an identifier of the received digital media content and a digital signature to an encrypted distributed ledger, the digital signature including at least one of a digital signature of the digital media content by the capturing device or a digital signature of the digital media content by an entity encoding the received digital media content such that the encoding becomes available for subsequent verification through the encrypted distributed ledger. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Identifying and protecting against malicious apps installed on client devices. In some embodiments, a method may include (a) identifying client devices, (b) identifying apps installed on the client devices, (c) assigning each of the apps known to be a malicious app with a highest app suspicion score, (d) assigning each of the other apps as an unknown app with a lowest app suspicion score, (e) assigning each of the client devices with a device suspicion score, (f) assigning each of the unknown apps with an updated app suspicion score, (g) repeating (e), and repeating (f) with a normalization, until the device suspicion scores and the app suspicion scores converge within a convergence threshold, (h) identifying one of the unknown apps as a malicious app, and (i) protecting against the malicious app by directing performance of a remedial action to protect the client device from the malicious app.

Abstract: Protecting against an impersonation scam in a live video stream. In some embodiments, a method may include periodically extracting and storing signature features from verified video streams of verified streamers, identifying an unverified live video stream of an unverified streamer being viewed by one or more users, extracting and storing signature features from the unverified live video stream, computing overall distance scores between the signature features of the unverified live video stream and the signature features of the verified video streams, determining whether the unverified streamer is impersonating one or more of the verified streamers by determining whether one or more of the overall distance scores are less than a distance threshold, determining whether one or more text signature features of the unverified live video stream include an impersonation scam, and performing a remedial action to protect the one or more users from the impersonation scam.

Abstract: The disclosed method for assuring authenticity of electronic sensor data may include (i) capturing, using a sensor within a device, electronic sensor data, and (ii) digitally signing, using a cryptoprocessor embedded within the device, the electronic sensor data to create a digital signature that verifies that the signed electronic sensor data has not been modified since the electronic sensor data was captured by the sensor. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A method for improving memory efficiency of production rule systems is described. In one embodiment, the method includes identifying a rule associated with production rule systems, constructing a production rule network based at least in part on the rule, identifying a positional constraint associated with the rule, and implementing an alpha memory gate in the production rule network based at least in part on the positional constraint. In some cases, the alpha memory gate is one of a plurality of nodes of the production rule network.

Abstract: Identifying and protecting against computer security threats while preserving privacy of individual client devices using condensed local differential privacy (CLDP). In one embodiment, a method may include accessing an actual data value, generating a perturbed data value by adding noise to the actual data value, aggregating the perturbed data values to at least partially cancel out aggregate noise of the aggregated perturbed data values at a population level, analyzing, using CLDP, the aggregated perturbed data values to identify a computer security threat, and in response, protecting against the computer security threat by performing a remedial action. The amount of noise added to each actual data value may be probabilistically computed such that a probability of noise being added decreases as an amount of added noise increases. The perturbed data values may preserve privacy of the actual data values.

Abstract: Identifying and protecting against computer security threats while preserving privacy of individual client devices using condensed local differential privacy (CLDP). In one embodiment, a method may include mapping non-ordinal data values to ordinal data values, generating a first ordering scheme for the ordinal data values, accessing actual non-ordinal data values, converting the actual non-ordinal data values to actual ordinal data values according to the mapping, generating first perturbed ordinal data values by adding noise, and aggregating the first perturbed ordinal data values.

Abstract: The disclosed computer-implemented method for detecting security incidents may include (i) collecting, by a security server, security information describing security events detected on at least one client device, (ii) generating, based on the collected security information, a mathematical graph that includes a set of nodes designating machine-windows of data and a set of nodes designating detected security events, (iii) executing a random-walk-with-restart algorithm on the generated mathematical graph to sort the set of nodes designating machine-windows of data in terms of relevance to a set of ground truth nodes that indicate confirmed security threats, and (iv) performing a remedial security action to protect a user in response to detecting a candidate security threat based on sorting the set of nodes designating machine-windows of data by executing the random-walk-with-restart algorithm. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for using electronic text information to automatically determine untrustworthy voice calls, at least a portion of the method being performed by a computing device comprising at least one processor, may include (1) during a voice call, receiving, by the computing device, text information representing contents of the voice call, (2) analyzing, by the computing device, the text information representing the contents of the voice call, (3) determining, by the computing device, that the voice call is untrustworthy based on the analysis of the text information, and (4) during the voice call, advising a recipient of the voice call of the determination that the voice call is untrustworthy. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Systems, apparatuses, methods, and computer readable mediums for modeling malicious behavior that occurs in the absence of users. A system trains an anomaly detection model using attributes associated with a first plurality of events representing system activity on one or more clean machines when users are not present. Next, the system utilizes the trained anomaly detection model to remove benign events from a second plurality of events captured from infected machines when users are not present. Then, the system utilizes malicious events, from the second plurality of events, to train a classifier. Next, the classifier identifies a first set of attributes which are able to predict if an event is caused by malware with a predictive power greater than a threshold.

Abstract: The disclosed computer-implemented method may include (i) monitoring computing activity, (ii) detecting, during a specific time period, at least one malicious network connection that involves a computing device within a network, (iii) determining that no malicious network connections involving the computing device were detected during another time period, (iv) identifying a feature of the computing activity that (a) occurred during the specific time period and (b) did not occur during the other time period, (v) determining that the feature is likely indicative of malicious network activity due at least in part to the feature having occurred during the specific time period and not having occurred during the other time period, and in response to detecting the feature at a subsequent point in time, (vi) performing a security action on a subsequent network connection attempted around the subsequent point in time. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A disclosed method may include (1) tracking the health of a computing system over time by calculating, for each of several time periods, a health metric that indicates the computing system's health during the time period, (2) evaluating the health metrics of the time periods to identify an anomalous time period during which the health of the computing system changed, (3) locating one or more files that were present on the computing system during the anomalous time period and absent from the computing system during one or more other time periods, and (4) basing a reputation for the file(s) on an association between the file(s) and the computing system that includes the anomalous time period and excludes the other time period. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for detecting malware using file clustering may include (1) identifying a file with an unknown reputation, (2) identifying at least one file with a known reputation that co-occurs with the unknown file, (3) identifying a malware classification assigned to the known file, (4) determining a probability that the unknown file is of the same classification as the known file, and (5) assigning, based on the probability that the unknown file is of the same classification as the known file, the classification of the known file to the unknown file. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for adjusting suspiciousness scores in event-correlation graphs may include (1) detecting a suspicious event involving a first actor and a second actor within a computing system, (2) constructing an event-correlation graph that includes (i) a representation of the first actor, (ii) a representation of the suspicious event, and (iii) a representation of the second actor, and (3) adjusting a suspiciousness score associated with at least one representation in the event-correlation graph based at least in part on a suspiciousness score associated with at least one other representation in the event-correlation graph such that the adjusted suspiciousness score associated with the at least one representation is influenced by the suspicious event. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for using event-correlation graphs to detect attacks on computing systems may include (1) detecting a suspicious event involving a first actor within a computing system, (2) constructing an event-correlation graph that includes a first node that represents the first actor, a second node that represents a second actor, and an edge that interconnects the first node and the second node and represents a suspicious event involving the first actor and the second actor, (3) calculating, based at least in part on the additional suspicious event, an attack score for the event-correlation graph, (4) determining that the attack score is greater than a predetermined threshold, and (5) determining, based at least in part on the attack score being greater than the predetermined threshold, that the suspicious event may be part of an attack on the computing system. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for using event-correlation graphs to detect attacks on computing systems may include (1) detecting a suspicious event involving a first actor within a computing system, (2) constructing an event-correlation graph that includes a first node that represents the first actor, a second node that represents a second actor, and an edge that interconnects the first node and the second node and represents a suspicious event involving the first actor and the second actor, (3) calculating, based at least in part on the additional suspicious event, an attack score for the event-correlation graph, (4) determining that the attack score is greater than a predetermined threshold, and (5) determining, based at least in part on the attack score being greater than the predetermined threshold, that the suspicious event may be part of an attack on the computing system. Various other methods, systems, and computer-readable media are also disclosed.