Abstract: Obfuscation techniques used in phishing attacks that evade detection using current machine learning models can be identified and statistically characterized for use in generating adversarial training samples to improve the performance of a machine learning model phishing classifier. By using statistical information regarding the prevalence and effectiveness of various obfuscation techniques observed in real-world samples, adversarial samples that are effective and realistic examples of phishing content that evades phishing content classifier detection can be generated and used to augment the data set used for training or re-training the machine learning model classifier.

Abstract: A QR code on a receipt or invoice for a transaction facilitates a verified review for the transaction. The QR code or similar code contains information regarding the transaction and is printed on a review or invoice, such that a user wishing to write a review can scan the printed code such as with a camera and an app on a smartphone. The printed QR code comprises an encoded reference to a purchase and allows the user to employ the app (and/or a network-based service supporting the review app) to verify that a review has not yet been published for the purchase, and to compose a verified review for the purchase. The user may further select one or more review sites on which to publish the verified review, such as Google, Yelp, TripAdvisor, and the like, and publish the verified review on the selected review sites.

Abstract: A machine learning model is trained to classify data as malicious or benign, including receiving the machine learning model in a user device and training the machine learning model on the user device user-generated data that has been classified as known benign. A result of the training is sent to a remote server. Training samples on the user device may be classified automatically, such as classifying sent emails, instant messages, or other content generated by the user as benign.

Abstract: Systems and methods enable a notification based on determining a particular electronic message is associated with a particular cluster of electronic messages. A plurality of electronic messages from a first plurality of accounts directed to a second plurality of accounts over a network are received. The plurality of electronic messages are compared to determine a plurality of clusters of electronic messages. A particular electronic message is received from a first particular account directed to a second particular account. The particular electronic message is compared to the plurality of clusters of electronic messages to determine that the particular electronic message is associated with a particular cluster of the plurality of clusters of electronic messages. A notification is provided based on the determining that the particular electronic message is associated with the particular cluster of the plurality of clusters of electronic messages.

Abstract: A system and method are provided by which an electronic address associated with a user is monitored. Based on the monitoring, an electronic message is detected including a digital document. A cryptographic function is applied to the digital document to generate a hash which is rendered accessible at a network location. An identification of the network location of the hash is transmitted to a first computing system associated with the user.

Abstract: The disclosed computer-implemented method for detecting malware based on anomalous cross-customer financial transactions may include (i) detecting, using a machine-learning algorithm, a set of anomalies associated with fraudulent financial transactions for source user accounts in a group of customer financial accounts, (ii) identifying, based on customer transaction metadata associated with a group of target user accounts in the customer financial accounts, a cluster of financial transactions having anomaly instances in common with the set of anomalies, (iii) linking each of the customer financial accounts having the common anomaly instances in the cluster of financial transactions with a corresponding customer threat protection account to discover a user device identification, (iv) determining that artifacts appearing on a group of user devices are associated with a potential malware attack, and (v) performing a security action that protects against the potential malware attack.

Abstract: A computer-implemented method for protecting data on devices may include (i) identifying a device that is operated by a user and that comprises private data pertaining to the user, (ii) determining that stalkerware on the device is sending the private data to an unauthorized device not operated by the user, (iii) requesting, in response to determining that the stalkerware is sending the private data to the unauthorized device, that the user select at least one safety plan step from a set of safety plan options, and (iv) modifying, at least in part based on the safety plan step selected by the user, outgoing data sent by the stalkerware to the unauthorized device. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for utilizing user identity notifications to protect against potential privacy attacks on mobile devices may include (i) monitoring a mobile computing device to detect one or more user interactions by a current user, (ii) identifying the current user of the mobile computing device, (iii) determining that the current user is a potentially malicious user associated with one or more privacy-invasive applications installed on the mobile computing device, and (iv) performing a security action that protects a benign user of the mobile computing device against an attack initiated by the potentially malicious user associated with the privacy-invasive applications. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for protecting search privacy may include (i) receiving, via a search interface, a search query comprising at least one search term, (ii) determining a sensitivity level of the search query based on the at least one search term, (iii) directing the search query to a search engine that has a level of privacy correlated with the sensitivity level of the search query, and (iv) returning, via the search interface, at least one result of directing the search query to the search engine that has the level of privacy correlated with the sensitivity level of the search query. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for detecting inter-personal attack applications may include (i) receiving application marketplace information describing application feature information, (ii) creating, by performing natural language processing on the feature information, a feature vector identifying a potentially malicious functionality of the application, (iii) creating a profiling vector that is a categorical feature representation of installation information from an application installation file, and (iv) performing a security action including (A) mapping, using a machine learning model, the feature vector and the profiling vector to a multi-dimensional output vector having element corresponding to a malware category and (B) determining a malicious extent of the application by combining the categories identified by the multi-dimensional output vector with bi-partite graph information identifying (I) relations between a plurality of applications and (II) relations between a plurality of computing

Abstract: The disclosed computer-implemented method for customizing security alert reports may include (i) identifying a local machine learning model that predicts how a client responds to security alerts generated for the client, (ii) identifying a set of peer machine learning models that predict how a set of peers of the client each responds to security alerts generated for each respective peer, (iii) measuring a level of similarity between the client and each respective peer of the set of peers according to a similarity metric to create a similarity model, (iv) aggregating the local machine learning model and at least one of the set of peer machine learning models based on the similarity model to create an aggregated machine learning model, and (v) protecting the client by applying the aggregated machine learning model to customize an electronically displayed security alert report. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for training malware classifiers may include (1) perturbing, at a computing device, a binary file in a manner that maintains functionality of the binary file, (2) classifying the perturbed binary file with a first machine learning classifier to produce a classification result, (3) producing a transformed file by repeating the perturbing and classifying steps until the transformed file becomes misclassified, and (4) performing a security action comprising training a second machine learning classifier with the transformed file and an associated correct classification result. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The present disclosure relates to using correlations between support interaction data and telemetry data to discover emerging incidents for remediation. One example method generally includes receiving a corpus of support interaction data and a corpus of telemetry data. Topics indicative of underlying problems experienced by users of an application are extracted from the corpus of support interaction data. A topic having a rate of appearance in the support interaction data above a threshold value is identified. A set of telemetry data relevant to the topic is extracted from the corpus of telemetry data, and a subset of the relevant set of telemetry data having a frequency in the relevant set of telemetry data above a second threshold value is identified. The topic and the subset of telemetry data are correlated to an incident to be remediated, and one or more actions are taken to remedy the incident.

Abstract: The disclosed computer-implemented method for protecting search privacy may include (i) receiving, via a search interface, a search query comprising at least one search term, (ii) determining a sensitivity level of the search query based on the at least one search term, (iii) directing the search query to a search engine that has a level of privacy correlated with the sensitivity level of the search query, and (iv) returning, via the search interface, at least one result of directing the search query to the search engine that has the level of privacy correlated with the sensitivity level of the search query. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for preparing honeypot computer files may include (1) identifying, at a computing device, a search term used by a cyber attacker in an electronic search request, (2) identifying, without regard to a search access restriction, a sensitive computer document in search results stemming from the electronic search request, (3) creating, as a security action in response to the electronic search request, a honeypot computer file based on the sensitive computer document and including the identified search term, and (4) placing the honeypot computer file in the search results. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for preventing decentralized malware attacks may include (i) receiving, by a computing device, node data from a group of nodes over a network, (ii) training a machine learning model by shuffling the node data to generate a set of outputs utilized for predicting malicious data, (iii) calculating a statistical deviation for each output in the set of outputs from an aggregated output for the set of outputs, and (iv) identifying, based on the statistical deviation, an anomalous output in the set of outputs that is associated with one or more of the malicious nodes, the one or more malicious nodes hosting the malicious data. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A method for improving memory efficiency of production rule systems is described. In one embodiment, the method includes identifying a rule associated with production rule systems, constructing a production rule network based at least in part on the rule, identifying a positional constraint associated with the rule, and implementing an alpha memory gate in the production rule network based at least in part on the positional constraint. In some cases, the alpha memory gate is one of a plurality of nodes of the production rule network.

Abstract: The disclosed computer-implemented method for categorizing security incidents may include (i) generating, within a training dataset, a feature vector for each of a group of security incidents, the feature vector including features that describe the security incidents and the features including categories that were previously assigned to the security incidents as labels to describe the security incidents, (ii) training a supervised machine learning function on the training dataset such that the supervised machine learning function learns how to predict an assignment of future categories to future security incidents, (iii) assigning a category to a new security incident by applying the supervised machine learning function to a new feature vector that describes the new security incident, and (iv) notifying a client of the new security incident and the category assigned to the new security incident. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for labeling automatically generated reports may include (i) identifying incident reports that describe incidents that each involve at least one computing system and that comprise automatically collected information about the incidents and a manually analyzed subset of incident reports that comprise manually generated information, (ii) assigning at least one label to at least one incident report in the manually analyzed subset based on applying a machine learning model to the manually generated information, (iii) deriving, from the automatically collected information, a set of features that describe incident reports, (iv) propagating at least one label from a labeled incident report to an incident report that is not in the manually analyzed subset and that comprises similar features with the labeled incident report, and (v) performing an action related to the label on the incident report. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A method for determining sandbox configurations for malware analysis is described. In one embodiment, the method may include receiving a plurality of files, extracting at least one element from at least one file from the plurality of files, identifying one or more properties associated with an endpoint, determining a correlation between the at least one extracted element and the one or more properties of the endpoint, and determining one or more sandbox configurations based at least in part on the determined correlation. In some cases, the endpoint is related to at least one of the plurality of files.