Abstract: A computer-implemented method for protecting data on devices may include (i) identifying a device that is operated by a user and that comprises private data pertaining to the user, (ii) determining that stalkerware on the device is sending the private data to an unauthorized device not operated by the user, (iii) requesting, in response to determining that the stalkerware is sending the private data to the unauthorized device, that the user select at least one safety plan step from a set of safety plan options, and (iv) modifying, at least in part based on the safety plan step selected by the user, outgoing data sent by the stalkerware to the unauthorized device. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for utilizing user identity notifications to protect against potential privacy attacks on mobile devices may include (i) monitoring a mobile computing device to detect one or more user interactions by a current user, (ii) identifying the current user of the mobile computing device, (iii) determining that the current user is a potentially malicious user associated with one or more privacy-invasive applications installed on the mobile computing device, and (iv) performing a security action that protects a benign user of the mobile computing device against an attack initiated by the potentially malicious user associated with the privacy-invasive applications. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for protecting search privacy may include (i) receiving, via a search interface, a search query comprising at least one search term, (ii) determining a sensitivity level of the search query based on the at least one search term, (iii) directing the search query to a search engine that has a level of privacy correlated with the sensitivity level of the search query, and (iv) returning, via the search interface, at least one result of directing the search query to the search engine that has the level of privacy correlated with the sensitivity level of the search query. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for detecting inter-personal attack applications may include (i) receiving application marketplace information describing application feature information, (ii) creating, by performing natural language processing on the feature information, a feature vector identifying a potentially malicious functionality of the application, (iii) creating a profiling vector that is a categorical feature representation of installation information from an application installation file, and (iv) performing a security action including (A) mapping, using a machine learning model, the feature vector and the profiling vector to a multi-dimensional output vector having element corresponding to a malware category and (B) determining a malicious extent of the application by combining the categories identified by the multi-dimensional output vector with bi-partite graph information identifying (I) relations between a plurality of applications and (II) relations between a plurality of computing

Abstract: The disclosed computer-implemented method for customizing security alert reports may include (i) identifying a local machine learning model that predicts how a client responds to security alerts generated for the client, (ii) identifying a set of peer machine learning models that predict how a set of peers of the client each responds to security alerts generated for each respective peer, (iii) measuring a level of similarity between the client and each respective peer of the set of peers according to a similarity metric to create a similarity model, (iv) aggregating the local machine learning model and at least one of the set of peer machine learning models based on the similarity model to create an aggregated machine learning model, and (v) protecting the client by applying the aggregated machine learning model to customize an electronically displayed security alert report. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for training malware classifiers may include (1) perturbing, at a computing device, a binary file in a manner that maintains functionality of the binary file, (2) classifying the perturbed binary file with a first machine learning classifier to produce a classification result, (3) producing a transformed file by repeating the perturbing and classifying steps until the transformed file becomes misclassified, and (4) performing a security action comprising training a second machine learning classifier with the transformed file and an associated correct classification result. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The present disclosure relates to using correlations between support interaction data and telemetry data to discover emerging incidents for remediation. One example method generally includes receiving a corpus of support interaction data and a corpus of telemetry data. Topics indicative of underlying problems experienced by users of an application are extracted from the corpus of support interaction data. A topic having a rate of appearance in the support interaction data above a threshold value is identified. A set of telemetry data relevant to the topic is extracted from the corpus of telemetry data, and a subset of the relevant set of telemetry data having a frequency in the relevant set of telemetry data above a second threshold value is identified. The topic and the subset of telemetry data are correlated to an incident to be remediated, and one or more actions are taken to remedy the incident.

Abstract: The disclosed computer-implemented method for protecting search privacy may include (i) receiving, via a search interface, a search query comprising at least one search term, (ii) determining a sensitivity level of the search query based on the at least one search term, (iii) directing the search query to a search engine that has a level of privacy correlated with the sensitivity level of the search query, and (iv) returning, via the search interface, at least one result of directing the search query to the search engine that has the level of privacy correlated with the sensitivity level of the search query. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for preparing honeypot computer files may include (1) identifying, at a computing device, a search term used by a cyber attacker in an electronic search request, (2) identifying, without regard to a search access restriction, a sensitive computer document in search results stemming from the electronic search request, (3) creating, as a security action in response to the electronic search request, a honeypot computer file based on the sensitive computer document and including the identified search term, and (4) placing the honeypot computer file in the search results. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for preventing decentralized malware attacks may include (i) receiving, by a computing device, node data from a group of nodes over a network, (ii) training a machine learning model by shuffling the node data to generate a set of outputs utilized for predicting malicious data, (iii) calculating a statistical deviation for each output in the set of outputs from an aggregated output for the set of outputs, and (iv) identifying, based on the statistical deviation, an anomalous output in the set of outputs that is associated with one or more of the malicious nodes, the one or more malicious nodes hosting the malicious data. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A method for improving memory efficiency of production rule systems is described. In one embodiment, the method includes identifying a rule associated with production rule systems, constructing a production rule network based at least in part on the rule, identifying a positional constraint associated with the rule, and implementing an alpha memory gate in the production rule network based at least in part on the positional constraint. In some cases, the alpha memory gate is one of a plurality of nodes of the production rule network.

Abstract: The disclosed computer-implemented method for categorizing security incidents may include (i) generating, within a training dataset, a feature vector for each of a group of security incidents, the feature vector including features that describe the security incidents and the features including categories that were previously assigned to the security incidents as labels to describe the security incidents, (ii) training a supervised machine learning function on the training dataset such that the supervised machine learning function learns how to predict an assignment of future categories to future security incidents, (iii) assigning a category to a new security incident by applying the supervised machine learning function to a new feature vector that describes the new security incident, and (iv) notifying a client of the new security incident and the category assigned to the new security incident. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for labeling automatically generated reports may include (i) identifying incident reports that describe incidents that each involve at least one computing system and that comprise automatically collected information about the incidents and a manually analyzed subset of incident reports that comprise manually generated information, (ii) assigning at least one label to at least one incident report in the manually analyzed subset based on applying a machine learning model to the manually generated information, (iii) deriving, from the automatically collected information, a set of features that describe incident reports, (iv) propagating at least one label from a labeled incident report to an incident report that is not in the manually analyzed subset and that comprises similar features with the labeled incident report, and (v) performing an action related to the label on the incident report. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A method for determining sandbox configurations for malware analysis is described. In one embodiment, the method may include receiving a plurality of files, extracting at least one element from at least one file from the plurality of files, identifying one or more properties associated with an endpoint, determining a correlation between the at least one extracted element and the one or more properties of the endpoint, and determining one or more sandbox configurations based at least in part on the determined correlation. In some cases, the endpoint is related to at least one of the plurality of files.

Abstract: A computer-implemented method for managing computer security of client computing machines may include (i) monitoring a set of client computing devices, (ii) receiving security data on sets of security-related events from each client computing device in the set of client computing devices, (iii) clustering the sets of security-related events by calculating a dissimilarity value, for each set of security-related events, that indicates a uniqueness of the set of security-related events in relation to other sets of security-related events using a dissimilarity function and adjusting the dissimilarity function based on a homogeneity of clusters of sets of security-related events, (iv) determining, based on clustering the sets of security-related events by the dissimilarity value, that a set of security-related events comprises an anomaly, and (v) performing a security action in response to determining that the set of security-related events comprises the anomaly.

Abstract: The disclosed computer-implemented method for personalizing security incident reports may include (i) generating, within a training dataset, a feature vector for each of a group of security incidents, the feature vector including features that describe the security incidents and the features including response codes that a set of clients previously assigned to the security incidents as labels, (ii) training a supervised machine learning function on the training dataset using the response codes that the set of clients previously assigned to the security incidents, (iii) applying the supervised machine learning function to a feature vector that describes a new security incident on the set of clients to predict that the set of clients will ignore the new security incident, and (iv) personalizing a list of security incidents that is electronically reported to the set of clients by deprioritizing the new security incident. Other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for detecting security incidents may include (i) collecting, by a security server, security information describing security events detected on at least one client device, (ii) generating, based on the collected security information, a mathematical graph that includes a set of nodes designating machine-windows of data and a set of nodes designating detected security events, (iii) executing a random-walk-with-restart algorithm on the generated mathematical graph to sort the set of nodes designating machine-windows of data in terms of relevance to a set of ground truth nodes that indicate confirmed security threats, and (iv) performing a remedial security action to protect a user in response to detecting a candidate security threat based on sorting the set of nodes designating machine-windows of data by executing the random-walk-with-restart algorithm. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for using electronic text information to automatically determine untrustworthy voice calls, at least a portion of the method being performed by a computing device comprising at least one processor, may include (1) during a voice call, receiving, by the computing device, text information representing contents of the voice call, (2) analyzing, by the computing device, the text information representing the contents of the voice call, (3) determining, by the computing device, that the voice call is untrustworthy based on the analysis of the text information, and (4) during the voice call, advising a recipient of the voice call of the determination that the voice call is untrustworthy. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for categorizing security incidents may include (i) generating, within a training dataset, a feature vector for each of a group of security incidents, the feature vector including features that describe the security incidents and the features including categories that were previously assigned to the security incidents as labels to describe the security incidents, (ii) training a supervised machine learning function on the training dataset such that the supervised machine learning function learns how to predict an assignment of future categories to future security incidents, (iii) assigning a category to a new security incident by applying the supervised machine learning function to a new feature vector that describes the new security incident, and (iv) notifying a client of the new security incident and the category assigned to the new security incident. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for making security-related predictions may include (i) gathering information that comprises both signatures of events that occurred on computing systems during consecutive time slots and incident labels about incidents on the computing systems during the consecutive time slots, (ii) using the gathered information to train a machine learning model, (iii) predicting, by the machine learning model, at least one of an incident label about an incident and a signature of an event on a computing system during a time slot, wherein the computing system does not comprise at least one of an application capable of generating the signature and information about events occurring during the time slot due to the time slot having not yet occurred, and (iv) performing an action in response to the prediction. Various other methods, systems, and computer-readable media are also disclosed.