Abstract: Technologies pertaining to analyzing content extracted from web pages by a static crawler to determine whether respective web pages are members of a malware distribution network (MDN) are described. A set of features is learned based upon output of a dynamic crawler over known landing pages of a particular MDN, wherein the set of features are indicative of membership in the MDN. Using such set of features, additional members of the MDN (not subjected to crawling by a dynamic crawler) are identified.

Abstract: Technologies pertaining to analyzing content extracted from web pages by a static crawler to determine whether respective web pages are members of a malware distribution network (MDN) are described. A set of features is learned based upon output of a dynamic crawler over known landing pages of a particular MDN, wherein the set of features are indicative of membership in the MDN. Using such set of features, additional members of the MDN (not subjected to crawling by a dynamic crawler) are identified.

Abstract: Technologies pertaining to analyzing content extracted from web pages by a static crawler to determine whether respective web pages are members of a malware distribution network (MDN) are described. A set of features is learned based upon output of a dynamic crawler over known landing pages of a particular MDN, wherein the set of features are indicative of membership in the MDN. Using such set of features, additional members of the MDN (not subjected to crawling by a dynamic crawler) are identified.

Abstract: Architecture that selects a classification engine based on the expertise of the engine to process a given entity (e.g., a file). Selection of an engine is based on a probability that the engine will detect an unknown entity classification using properties of the entity. One or more of the highest ranked engines are activated in order to achieve the desired performance. A statistical, performance-light module is employed to skip or select several performance-demanding processes. Methods and algorithms are utilized for learning based on matching the best classification engine(s) to detect the entity class based on the entity properties. A user selection option is provided for specifying a maximum number of ranked, classification engines to consider for each state of the machine. A user can also select the minimum probability of detection for a specific entity (e.g., unknown file). The best classifications are re-evaluated over time as the classification engines are updated.

Abstract: An analysis system is described for identifying potentially malicious activity within a computer network. It performs this task by interacting with a user to successively remove known instances of non-malicious activity, to eventually reveal potentially malicious activity. The analysis system interacts with the user by inviting the user to apply labels to identified examples of network behavior; upon response by the user, the analysis system supplies new examples of network behavior to the user. In one implementation, the analysis system generates such examples using a combination of feature-based analysis and graph-based analysis. The graph-based analysis relies on analysis of graph structure associated with access events, such as by identifying entropy scores for respective portions of the graph structure.

Abstract: A reliable automated malware classification approach with substantially low false positive rates is provided. Graph-based local and/or global file relationships are used to improve malware classification along with a feature selection algorithm. File relationships such as containing, creating, copying, downloading, modifying, etc. are used to assign malware probabilities and simultaneously reduce the false positive and false negative rates on executable files.

Abstract: Technologies pertaining to analyzing content extracted from web pages by a static crawler to determine whether respective web pages are members of a malware distribution network (MDN) are described. A set of features is learned based upon output of a dynamic crawler over known landing pages of a particular MDN, wherein the set of features are indicative of membership in the MDN. Using such set of features, additional members of the MDN (not subjected to crawling by a dynamic crawler) are identified.

Abstract: A reliable automated malware classification approach with substantially low false positive rates is provided. Graph-based local and/or global file relationships are used to improve malware classification along with a feature selection algorithm. File relationships such as containing, creating, copying, downloading, modifying, etc. are used to assign malware probabilities and simultaneously reduce the false positive and false negative rates on executable files.

Abstract: A system level automatic gain control (“System AGC”) automatically initializes and controls analog microphone gain in an environment where multiple independent applications simultaneously receive an input from a single analog microphone or microphone array. In one embodiment, the System AGC also prevents those applications from acting to separately control the gain by intercepting external gain control commands and responding to the corresponding application with a corresponding digital gain applied to the input signal from the microphone. Consequently, the System AGC avoids problems relating to oscillations and instability in the microphone gain resulting from multiple applications trying to simultaneously control the gain while preventing each application from adversely affecting the quality of another application's audio capture signal.

Abstract: An acoustic echo cancellation technique. The present adaptive acoustic echo cancellation technique employs a plurality of acoustic echo cancellation filters which use different adaptation techniques which may employ different parameters such as step size, to improve both the adaptation algorithm convergence time and misadjustment over previously known acoustic echo cancellation techniques.

Abstract: A method for classifying search query traffic can involve receiving a plurality of labeled sample search query traffic and generating a feature set partitioned into human physical limit features and query stream behavioral features. A model can be generated using the plurality of labeled sample search query traffic and the feature set. Search query traffic can be received and the model can be utilized to classify the received search query traffic as generated by a human or automatically generated.

Abstract: Harmonic distortion residual echo suppression (HDRES) technique embodiments are presented which act to suppress the residual echo remaining after a near-end microphone signal has undergone AEC, including harmonic distortion in the signal that was caused by the speaker audio signal playback. In general, an AEC module is employed which suppresses some parts of the speaker audio signal found in a near-end microphone signal and generates an AEC output signal. A HDRES module then inputs the AEC output signal and the speaker audio signal, and suppresses at least a portion of a residual part of the speaker audio signal that was left unsuppressed by the AEC module. This includes at least a portion of the harmonic distortion exhibited in the AEC output signal.

Abstract: An approach for identifying suspect network sites in a network environment entails using one or more malware analysis modules to identify distribution sites that host malicious content and/or benign content. The approach then uses a linking analysis module to identify landing sites that are linked to the distribution sites. These linked sites are identified as suspect sites for further analysis. This analysis can be characterized as “bottom up” because it is initiated by the detection of potentially problematic distribution sites. The approach can also perform linking analysis to identify a suspect network site based on a number of alternating paths between that network site and a set of distribution sites that are known to host malicious content. The approach can also train a classifier module to predict whether an unknown landing site is a malicious landing site or a benign landing site.

Abstract: Architecture that selects a classification engine based on the expertise of the engine to process a given entity (e.g., a file). Selection of an engine is based on a probability that the engine will detect an unknown entity classification using properties of the entity. One or more of the highest ranked engines are activated in order to achieve the desired performance. A statistical, performance-light module is employed to skip or select several performance-demanding processes. Methods and algorithms are utilized for learning based on matching the best classification engine(s) to detect the entity class based on the entity properties. A user selection option is provided for specifying a maximum number of ranked, classification engines to consider for each state of the machine. A user can also select the minimum probability of detection for a specific entity (e.g., unknown file). The best classifications are re-evaluated over time as the classification engines are updated.

Abstract: Signal detectors are described herein. By way of example, a system for detecting signals can include a microphone signal detector, a loudspeaker signal detector, a signal discriminator and a decision component. When the microphone signal detector detects the presence of a microphone signal, the loudspeaker signal detector detects the presence of a loudspeaker signal and the signal discriminator determines that near-end speech dominates loudspeaker echo, the decision component can confirm the presence of doubletalk. When the microphone signal detector detects the presence of a microphone signal and the signal discriminator determines that near-end speech dominates loudspeaker echo, the decision component confirms the presence of near-end signal.

Abstract: Hybrid echo canceller controllers are described herein. By way of example, a system for controlling an echo canceller can include a signal indicator and an echo canceller controller. The signal indicator can be configured to indicate periods of near-end signal and to indicate periods of echo only with echo-path change in the corrupted signal based at least in part on cross-correlation between two signals associated with the echo canceller. The echo canceller controller can be configured to control the echo canceller according to indications from the signal indicator.

Abstract: An analysis system is described for identifying potentially malicious activity within a computer network. It performs this task by interacting with a user to successively remove known instances of non-malicious activity, to eventually reveal potentially malicious activity. The analysis system interacts with the user by inviting the user to apply labels to identified examples of network behavior; upon response by the user, the analysis system supplies new examples of network behavior to the user. In one implementation, the analysis system generates such examples using a combination of feature-based analysis and graph-based analysis. The graph-based analysis relies on analysis of graph structure associated with access events, such as by identifying entropy scores for respective portions of the graph structure.

Abstract: Hybrid echo canceller controllers are described herein. By way of example, a system for controlling an echo canceller can include a cross-correlator, a discriminator and an echo canceller controller. The cross-correlator can be configured to produce a cross-correlation based output that facilitates controlling the echo canceller by cross-correlating two signals associated with the echo canceller. The discriminator can be configured to produce a discriminator output that discriminates between near-end signal and echo in a corrupted signal. The echo canceller controller can be configured to control the echo canceller according to the cross-correlation based output and the discriminator output.

Abstract: Cross-correlation based echo canceller controllers are described herein. By way of example, a system for controlling an echo canceller having one or more adaptive filters can include one or more adaptive filter controllers each corresponding to one of the one or more adaptive filters and each configured to halt adaptation of its corresponding adaptive filter according to the cross-correlation of its corresponding corrupted signal and its corresponding error signal of its corresponding adaptive filter.

Abstract: A malicious behavior detection/prevention system, such as an intrusion detection system, is provided that uses active learning to classify entries into multiple classes. A single entry can correspond to either the occurrence of one or more events or the non-occurrence of one or more events. During a training phase, entries are automatically classified into one of multiple classes. After classifying the entry, a generated model for the determined class is utilized to determine how well an entry corresponds to the model. Ambiguous classifications along with entries that do not fit the model well for the determined class are selected for labeling by a human analyst. The selected entries are presented to a human analyst for labeling. These labels are used to further train the classifier and the models. During an evaluation phase, entries are automatically classified using the trained classifier and a policy associated with determined class is applied.