Abstract: Embodiments are directed to indexing and querying a sequence of hash values in an indexing matrix. A computer system accesses a document to extract a portion of text from the document. The computer system applies a hashing algorithm to the extracted text. The hash values of the extracted text form a representative sequence of hash values. The computer system inserts each hash value of the sequence of hash values into an indexing matrix, which is configured to store multiple different hash value sequences. The computer system also queries the indexing matrix to determine how similar the plurality of hash value sequences are to the selected hash value sequence based on how many hash values of the selected hash value sequence overlap with the hash values of the plurality of stored hash value sequences.

Abstract: Embodiments are directed to generating a customized classification rule execution order and to identifying optimal ordering rules for previously processed data. In an embodiment, a computer system fingerprints a message received via a computer network. The fingerprinting identifies specific characteristics of the message. The computer system compares the message's fingerprint to various stored message fingerprints generated from previously received messages. The comparison determines that the fingerprint does not match the stored fingerprints. The computer system applies classification rules to the message according to a predetermined rule execution order to determine a classification for the message. The computer system then generates a customized classification rule execution order to order those classification rules that optimally identified the message's class at the top of the customized classification rule execution order.

Abstract: Use of software applications is detected by categorizing components of applications into a usage manifest and implementing a usage detection background service on a client PC that monitors the components according to the usage manifest. The application components are categorized based on the mode of user interaction as well as the component's correlation to active use of an application. The background service tracks events and activities associated with the application components to generate usage metrics that include the frequency of unique launches of an application and the duration of each unique use. A usage manager for the background service may utilize the usage metrics for a component independently, or combine metrics for multiple components in cases where applications work in an interactive manner (such as a plug-in to a web browser) in order to compute application usage by comparing the metrics against predefined thresholds.

Abstract: Embodiments are directed to generating a customized classification rule execution order and to identifying optimal ordering rules for previously processed data. In an embodiment, a computer system fingerprints a message received via a computer network. The fingerprinting identifies specific characteristics of the message. The computer system compares the message's fingerprint to various stored message fingerprints generated from previously received messages. The comparison determines that the fingerprint does not match the stored fingerprints. The computer system applies classification rules to the message according to a predetermined rule execution order to determine a classification for the message. The computer system then generates a customized classification rule execution order to order those classification rules that optimally identified the message's class at the top of the customized classification rule execution order.

Abstract: The present invention extends to methods, systems, and computer program products for decomposing and merging regular expressions. Embodiments of the invention decompose a regular expression into multiple simple keyword graphs, merge those keyword graphs in a compact and efficient manner, and produce a directed acyclic graph (DAG) that can execute a simplified regular expression alphabet. Several of these regular expression DAG's can then be merged together to produce a single DAG that represents an entire collection of regular expressions. DAGs along with other text processing algorithms and a heap collection can be combined in a multi-pass approach to expand the regular expression alphabet.

Abstract: Embodiments are directed to indexing and querying a sequence of hash values in an indexing matrix. A computer system accesses a document to extract a portion of text from the document. The computer system applies a hashing algorithm to the extracted text. The hash values of the extracted text form a representative sequence of hash values. The computer system inserts each hash value of the sequence of hash values into an indexing matrix, which is configured to store multiple different hash value sequences. The computer system also queries the indexing matrix to determine how similar the plurality of hash value sequences are to the selected hash value sequence based on how many hash values of the selected hash value sequence overlap with the hash values of the plurality of stored hash value sequences.

Abstract: Embodiments directed to conditionally executing regular expressions and to simplifying regular expressions by canonicalizing regular expression terms. In an embodiment, a computer system accesses identified regular expression key terms that are to appear in a selected portion of text. The regular expression key terms are identified from terms in a selected regular expression. The computer system determines whether the identified regular expression key terms appear in the selected portion of text. The computer system also, upon determining that none of the identified regular expression key terms appears in the selected portion of text, prevents execution of the regular expression. Upon determining that at least one of the identified regular expression key terms appears in the selected portion of text, the computer system executes the regular expression.

Abstract: Reputation based firewall policy techniques are described, in which, a computer-implemented method may be employed to collect data from a plurality of clients regarding an application attempting to access a network via the clients. The collected data may be exposed to a community of users to obtain feedback on the application which is used to produce a reputation for the application. The reputation may then be provided to the plurality of clients to determine whether to permit the attempt by the application.

Abstract: Use of software applications is detected by categorizing components of applications into a usage manifest and implementing a usage detection background service on a client PC that monitors the components according to the usage manifest. The application components are categorized based on the mode of user interaction as well as the component's correlation to active use of an application. The background service tracks events and activities associated with the application components to generate usage metrics that include the frequency of unique launches of an application and the duration of each unique use. A usage manager for the background service may utilize the usage metrics for a component independently, or combine metrics for multiple components in cases where applications work in an interactive manner (such as a plug-in to a web browser) in order to compute application usage by comparing the metrics against predefined thresholds.

Abstract: Reputation based firewall policy techniques are described, in which, a computer-implemented method may be employed to collect data from a plurality of clients regarding an application attempting to access a network via the clients. The collected data may be exposed to a community of users to obtain feedback on the application which is used to produce a reputation for the application. The reputation may then be provided to the plurality of clients to determine whether to permit the attempt by the application.