Abstract: A method includes receiving, at a first server from a second server, a first file attribute associated with a file. The method includes making a determination, at the first server based on the first file attribute, of availability of a classification for the file from a cache of the first server. The method includes, in response to the determination indicating that the classification is not available from the cache, sending a notification to the second server indicating that the classification for the file is not available. The method also includes receiving a first classification for the file from the second server at the first server. The first classification is generated by the second server responsive to the notification.

Abstract: A computing device including a memory configured to store instructions. The computing device includes a processor configured to execute the instructions from the memory to perform operations. The operations include identifying, among multiple files of a file package, a first file having a first file type. The operations include identifying, among the multiple files of the file package, a second file having a second file type. The operations include generating, based on the first file type, a first feature vector based on first features extracted from the first file. The operations include generating, based on the second file type, a second feature vector based on second features extracted from the second file. The operations include generating classification data associated with the file package, the classification data indicating whether the file package is predicted to include malware.

Abstract: Automated malware detection for application file packages using machine learning (e.g., trained neural network-based classifiers) is described. A particular method includes generating, at a first device, a first feature vector based on occurrences of character n-grams corresponding to a first subset of files of multiple files of an application file package. The method includes generating, at the first device, a second feature vector based on occurrences of attributes in a second subset of files of the multiple files. The method includes sending the first feature vector and the second feature vector from the first device to a second device as inputs to a file classifier. The method includes receiving, at the first device from the second device, classification data associated with the application file package based on the first feature vector and the second feature vector. The classification data indicates whether the application file package includes malware.

Abstract: A method includes receiving, at a first server from a second server, a first file attribute associated with a file. The method includes making a determination, at the first server based on the first file attribute, of availability of a classification for the file from a cache of the first server. The method includes, in response to the determination indicating that the classification is not available from the cache, sending a notification to the second server indicating that the classification for the file is not available. The method also includes receiving a first classification for the file from the second server at the first server. The first classification is generated by the second server responsive to the notification.

Abstract: A processor-readable storage device storing instructions that cause a processor to perform operations including, subsequent to determining, at a first device based on a first file attribute associated with a file, that a classification for the file is unavailable at the first device, sending the first file attribute from the first device to a second device to determine whether the classification for the file is available at the second device. The operations include receiving a notification at the first device from the second device that the classification for the file is unavailable at the second device. The operations include, determining the classification for the file by performing, at the first device, an analysis of a second file attribute based on a trained file classification model. The operations include sending the classification from the first device to the second device and to a third device.

Abstract: Automated malware detection for application file packages using machine learning (e.g., trained neural network-based classifiers) is described. A particular method includes generating, at a first device, a first feature vector based on occurrences of character n-grams corresponding to a first subset of files of multiple files of an application file package. The method includes generating, at the first device, a second feature vector based on occurrences of attributes in a second subset of files of the multiple files. The method includes sending the first feature vector and the second feature vector from the first device to a second device as inputs to a file classifier. The method includes receiving, at the first device from the second device, classification data associated with the application file package based on the first feature vector and the second feature vector. The classification data indicates whether the application file package includes malware.

Abstract: Automated malware detection for application file packages using machine learning (e.g., trained neural network-based classifiers) is described. A particular method includes generating, at a first device, a first feature vector based on occurrences of character n-grams corresponding to a first subset of files of multiple files of an application file package. The method includes generating, at the first device, a second feature vector based on occurrences of attributes in a second subset of files of the multiple files. The method includes sending the first feature vector and the second feature vector from the first device to a second device as inputs to a file classifier. The method includes receiving, at the first device from the second device, classification data associated with the application file package based on the first feature vector and the second feature vector. The classification data indicates whether the application file package includes malware.

Abstract: Automated malware detection for application file packages using machine learning (e.g., trained neural network-based classifiers) is described. A particular method includes generating, at a first device, a first feature vector based on occurrences of character n-grams corresponding to a first subset of files of multiple files of an application file package. The method includes generating, at the first device, a second feature vector based on occurrences of attributes in a second subset of files of the multiple files. The method includes sending the first feature vector and the second feature vector from the first device to a second device as inputs to a file classifier. The method includes receiving, at the first device from the second device, classification data associated with the application file package based on the first feature vector and the second feature vector. The classification data indicates whether the application file package includes malware.

Abstract: A processor-readable storage device storing instructions that cause a processor to perform operations including, subsequent to determining, at a first device based on a first file attribute associated with a file, that a classification for the file is unavailable at the first device, sending the first file attribute from the first device to a second device to determine whether the classification for the file is available at the second device. The operations include receiving a notification at the first device from the second device that the classification for the file is unavailable at the second device. The operations include, determining the classification for the file by performing, at the first device, an analysis of a second file attribute based on a trained file classification model. The operations include sending the classification from the first device to the second device and to a third device.

Abstract: Automated malware detection for application file packages using machine learning (e.g., trained neural network-based classifiers) is described. A particular method includes generating, at a first device, a first feature vector based on occurrences of character n-grams corresponding to a first subset of files of multiple files of an application file package. The method includes generating, at the first device, a second feature vector based on occurrences of attributes in a second subset of files of the multiple files. The method includes sending the first feature vector and the second feature vector from the first device to a second device as inputs to a file classifier. The method includes receiving, at the first device from the second device, classification data associated with the application file package based on the first feature vector and the second feature vector. The classification data indicates whether the application file package includes malware.

Abstract: A method includes receiving a first file attribute from a computing device. The method also includes determining whether a classification for a file is available from a first cache of the server based on the first file attribute. The method includes sending the first file attribute from the server to a second server to determine whether the classification for the file is available at a base prediction cache of the second server. The method includes receiving a notification at the server from the second server that the classification for the file is unavailable at the base prediction cache. The method includes, in response to receiving the notification, determining the classification for the file by performing an analysis of a second file attribute based on a trained file classification model. The method includes sending the classification to the computing device and sending at least the classification to the base prediction cache.

Abstract: A method includes receiving a first file attribute from a computing device. The method also includes determining whether a classification for a file is available from a first cache of the server based on the first file attribute. The method includes sending the first file attribute from the server to a second server to determine whether the classification for the file is available at a base prediction cache of the second server. The method includes receiving a notification at the server from the second server that the classification for the file is unavailable at the base prediction cache. The method includes, in response to receiving the notification, determining the classification for the file by performing an analysis of a second file attribute based on a trained file classification model. The method includes sending the classification to the computing device and sending at least the classification to the base prediction cache.

Abstract: A method includes receiving, at a server, a first file attribute from a computing device, the first file attribute associated with a file. The method also includes determining, based on the first file attribute, that a classification for the file is unavailable. The method further includes determining the classification for the file based on a trained file classification model accessible to the server and sending the classification to the computing device. The method includes sending at least the classification to a base prediction cache associated with a second server.

Abstract: Automated malware detection for application file packages using machine learning (e.g., trained neural network-based classifiers) is described. A particular method includes generating, at a first device, a first feature vector based on occurrences of character n-grams corresponding to a first subset of files of multiple files of an application file package. The method includes generating, at the first device, a second feature vector based on occurrences of attributes in a second subset of files of the multiple files. The method includes sending the first feature vector and the second feature vector from the first device to a second device as inputs to a file classifier. The method includes receiving, at the first device from the second device, classification data associated with the application file package based on the first feature vector and the second feature vector. The classification data indicates whether the application file package includes malware.

Abstract: A method includes receiving, at a server, a first file attribute from a computing device, the first file attribute associated with a file. The method also includes determining, based on the first file attribute, that a classification for the file is unavailable. The method further includes determining the classification for the file based on a trained file classification model accessible to the server and sending the classification to the computing device. The method includes sending at least the classification to a base prediction cache associated with a second server.

Abstract: A technique that supports improved debugging of kernel loadable modules (KLMs) that involves allocating a first portion of a memory and detecting a first kernel loadable module (KLM) requesting an allocation of at least a portion of the memory. The first KLM is then loaded into the first portion of the memory and a first identifier is associated with the first KLM and the first portion. The access of a second portion of the memory by the first KLM, the second portion being distinct from the first portion is detected and an indication that the first KLM has accessed the second portion is generated.

Abstract: A technique that supports improved debugging of kernel loadable modules (KLMs) that involves allocating a first portion of a memory and detecting a first kernel loadable module (KLM) requesting an allocation of at least a portion of the memory. The first KLM is then loaded into the first portion of the memory and a first identifier is associated with the first KLM and the first portion. The access of a second portion of the memory by the first KLM, the second portion being distinct from the first portion is detected and an indication that the first KLM has accessed the second portion is generated.

Abstract: A technique that supports improved debugging of kernel loadable modules (KLMs) that involves allocating a first portion of a memory and detecting a first kernel loadable module (KLM) requesting an allocation of at least a portion of the memory. The first KLM is then loaded into the first portion of the memory and a first identifier is associated with the first KLM and the first portion. The access of a second portion of the memory by the first KLM, the second portion being distinct from the first portion is detected and an indication that the first KLM has accessed the second portion is generated.

Abstract: The present invention provides a computer implemented method, apparatus, and data processing system for associating a private part of a keystore of a user with a user authentication process in an encrypting file system. A secure shell daemon server establishes the user authentication process with a secure shell client such that the user authentication process is associated with a user and the user is authenticated. The secure shell daemon server obtains an acknowledgment from the secure shell client. The secure shell daemon server accesses a user public key of the user from the keystore of the user, responsive to receiving the acknowledgment. The secure shell daemon obtains a public secure shell cookie associated with the user from the keystore of the user. The public secure shell cookie is an access key in encrypted form. The access key is based on the user's public key to form the public secure shell cookie. The secure shell daemon server obtains the access key from the secure shell client.

Abstract: A technique that supports improved debugging of kernel loadable modules (KLMs) that involves allocating a first portion of a memory and detecting a first kernel loadable module (KLM) requesting an allocation of at least a portion of the memory. The first KLM is then loaded into the first portion of the memory and a first identifier is associated with the first KLM and the first portion. The access of a second portion of the memory by the first KLM, the second portion being distinct from the first portion is detected and an indication that the first KLM has accessed the second portion is generated.