Abstract: Various embodiments include systems and methods of determining whether media access control (MAC) address spoofing is present in a network by a wireless communication device. A processor of the wireless communication device may determine an anticipated coherence interval based on a beacon frame received from an access point. The processor may schedule an active scan request and may determine whether a response frame corresponding to the scheduled active request is received within the anticipated coherence interval. The processor may calculate a first correlation coefficient in response to the response frame being received within the anticipated coherence interval and may determine that MAC address spoofing is not present in the network when the first correlation coefficient is greater than a first predetermined threshold.

Abstract: Embodiments include computing devices, apparatus, and methods implemented by the apparatus for implementing wake lock aware scheduling. The apparatus may receive a wake lock request by a wake lock profiler and acquire wake lock information of a wake lock event associated with the wake lock request. The wake lock information may include a wake lock time parameter. The apparatus may send a hint having the wake lock time parameter. The apparatus may receive the hint, determine whether ready jobs can execute during the wake lock event, and send a request for permission to schedule the ready jobs for execution during the wake lock event in response to determining that the ready jobs can execute during the wake lock event.

Abstract: Various embodiments provide methods, devices, and non-transitory processor-readable storage media enabling network probing with a communication device based on the communication device sending a probe via a first network connection and receiving the probe via a second network connection. By leveraging a capability of a communication device to establish two network connections at the same time, various embodiments may enable a single communication device to act as both a probing client and a probing server. In this manner, various embodiments may enable standalone network probing, i.e., network probing that may not require a remote dedicated probing server to act as a probe generator or a probe sink.

Abstract: Methods, systems, computer-readable media, and apparatuses for determining a position indicator are presented. In some embodiments, position data indicating a position of a mobile device is obtained. A position indicator is determined based on at least one region of a map. The position of the mobile device is located within the at least one region. The position indicator indicates a map-feature-dependent region of the map. The position indicator is provided.

Abstract: Methods and systems for providing information associated with a location history of a mobile device to one or more applications are disclosed. A mobile device generates one or more location history records based on one or more locations of the mobile device, each location history record comprising one or more points of interest and a duration at the one or more points of interest, receives an information request from at least one application, determines a subset of the one or more location history records that meet criteria from the information request, determines a level of permission for the at least one application based on the information request and the subset of the one or more location history records, and provides information associated with the subset of the one or more location history records to the at least one application based on the level of permission.

Abstract: Various embodiments provide methods, devices, and non-transitory processor-readable storage media enabling rogue access point detection with a communications device by sending multiple probes via different network connections to a remote server and receiving probe replies. Various embodiments may include a communication device transmitting a first probe addressed to a server via a first network connection and a second probe addressed to the server via a second network connection. Upon receiving a first probe reply from the server via the first network connection and a second probe reply from the server via the second network connection server, the communications device may analyze the received probe replies to determine whether an access point of either the first network or the second network is a rogue access point.

Abstract: Embodiments include systems and methods of detecting a rogue access point by a computing device. A processor of the computing device may determine one or more features of a purported access point. The processor may calculate delta features of the purported access point based on the determined one or more features and an access point profile. The processor may apply the calculated delta features to a machine-learning model. The processor may generate an access point classification based on the application of the calculated delta features to the machine-learning model. The processor may prevent the computing device from associating with the purported access point in response to determining that the purported access point is a rogue access point, and permit associating with the access point otherwise.

Abstract: Various embodiments include systems, methods and devices for reducing the burden on mobile devices of memory data collection for memory forensics. Various embodiments may include monitoring for changes sections or portions of memory within the computing device that been identified by a network device based on a prior memory snapshot. When changes are detected, the computing device may determine whether data changes in the monitored sections or portions of memory satisfy a criterion for transmitting an incremental snapshot of memory. Such criteria may be defined in information received from the network device. When the criteria are satisfied, the computing device may transmit an incremental memory snapshot to the network device. The computing device may transmit to the network device results of analysis of the data changes observed in the memory. Various embodiments may be performed in a secure environment or in a memory collection processor within the computing device.

Abstract: Methods, systems, computer-readable media, and apparatuses for determining a position indicator are presented. In some embodiments, position data indicating a position of a mobile device is obtained. A position indicator is determined based on at least one region of a map. The position of the mobile device is located within the at least one region. The position indicator indicates a map-feature-dependent region of the map. The position indicator is provided.

Abstract: Systems, methods, and devices of the various aspects enable identification of anomalous application behavior. A computing device processor may detect network communication activity of an application on the computing device. The processor may identify one or more device states of the computing device, and one or more categories of the application. The processor may determine whether the application is behaving anomalously based on a correlation of the detected network communication activity of the application, the identified one or more device states of the computing device, and the identified one or more categories of the application.

Abstract: Methods, apparatuses, systems, and computer-readable media for using haptic technologies to provide enhanced media experiences are presented. According to one or more aspects of the disclosure, a computing device, such as a smart phone, tablet computer, or portable media player, may establish a connection with a local content receiver. Subsequently, the computing device may receive, from the local content receiver, a sensation data signal that specifies one or more haptic effects to be provided at a particular time relative to playback of a media content item received by the local content receiver. Thereafter, the computing device may provide the one or more haptic effects.

Abstract: Various methods, apparatuses and/or articles of manufacture are provided which may be implemented for use by a mobile device to alter a scan operation. Various methods, apparatuses and/or articles of manufacture are provided which may be implemented for use by one or more electronic devices to determine one or more scan factors for use by a mobile device in altering a scan operation.

Abstract: Various methods, apparatuses and articles of manufacture are provided which may be used in determining an altitude of a mobile device. For example, an electronic device may select a subset of reporting mobile devices located within a particular environment, estimate a reference parameter that is indicative, at least in part, of a reference altitude within the particular region, e.g., based, at least in part, on one or more altitude measurements for one or more of the reporting mobile devices, and initiate transmission of the reference parameter to at least a target mobile device. In another example, a mobile device may obtain such a reference parameter, and estimate its altitude based, at least in part, on the reference parameter.

Abstract: Disclosed is an apparatus and method for a computing device to determine if an application is malware. The computing device may include: a query logger to log the behavior of the application on the computing device to generate a log; a behavior analysis engine to analyze the log from the query logger to generate a behavior vector that characterizes the behavior of the application; and a classifier to classify the behavior vector for the application as benign or malware.

Abstract: Methods, apparatuses, and non-transitory processor-readable media of the present disclosure are presented for efficiently executing applications based on pressure sensor data. In some embodiments, a method includes monitoring pressure, and determining a rate of change in the pressure over time exceeds a predetermined rate-of-pressure-change threshold. The method further includes subsequently determining that the rate of change in the pressure over time no longer exceeds the predetermined rate-of-pressure-change threshold. The method further includes determining a change in pressure has exceeded a predetermined pressure-change threshold, and performing floor disambiguation.

Abstract: Various embodiments include methods, and computing devices configured to implement the methods, for anomaly monitoring using context-based sensor output correlation. A computing device may obtain output of a first sensor and may determine that an anomaly is likely to occur based on the obtained output of the first sensor. The computing device may transmit a message indicating that the anomaly is likely to occur, causing receiving computing devices to begin logging output of sensors of the receiving computing devices. The computing device may determine whether the anomaly did occur. If the anomaly did occur, the computing device may transmit a sensor output request. Nearby computing devices may receive this sensor output request and may transmit collected sensor data to the first computing device. The first computing device may receive the sensor output collected by the various receiving devices and may correlate the first sensor output with the received sensor output.

Abstract: Methods, and computing devices implementing the methods, that enable client computing devises to work in conjunction with a server device to identify and temporarily defend against non-benign applications (e.g., malware, etc.) and other threats before a more permanent solution or defense (e.g., a patch or software upgrade) becomes available and installed on the client computing device. The server device may be configured to receive reports from the client computing devices, receive threat feeds from a third-party server (e.g., threat intelligence servers, etc.), and use information included in the received threat feed and information included in the received reports to analyze, in the server computing device, a software application that is operating on a client device in multiple passes. The server may generate one or more threat scores and send the one or more threat scores to the client computing device for use in devising a customized security response.

Abstract: Methods, and computing devices implementing the methods, that enable client computing devises to work in conjunction with a server device to identify and temporarily defend against non-benign applications (e.g., malware, etc.) and other threats before a more permanent solution or defense (e.g., a patch or software upgrade) becomes available and installed on the client computing device. The server device may be configured to receive reports from the client computing devices, receive threat feeds from third-party servers (e.g., threat intelligence servers, etc.), and use information included in the received threat feed and information included in the received reports to analyze, in the server computing device, a software application that is operating on a client device in multiple passes. The server may generate threat scores (e.g., one for each pass, etc.), and the threat scores to the client computing device for use in devising a customized security response.

Abstract: Various embodiments include methods and a memory data collection processor for performing online memory data collection for memory forensics. Various embodiments may include determining whether an operating system executing in a computing device is trustworthy. In response to determining that the operating system is not trustworthy, the memory data collection processor may collect memory data directly from volatile memory. Otherwise, the operating system to collect memory data from volatile memory. Memory data may be collected at a variable memory data collection rate determined by the memory data collection processor. The memory data collection rate may depend upon whether an available power level of the computing device exceeds a threshold power level, whether an activity state of the processor of the computing device equals a sleep state whether a security risk exists on the computing device, and whether a volume of memory traffic in the volatile memory exceeds a threshold volume.

Abstract: A network and its devices may be protected from non-benign behavior, malware, and cyber attacks by configuring a server computing device to work in conjunction with a multitude of client computing devices in the network. The server computing device may be configured to receive data that was collected from independent executions of different instances of the same software application on different client computing devices. The server computing device may combine the received data, and use the combined data to identify unexplored code space or potential code paths for evaluation. The server computing device may then exercise the software application through the identified unexplored code space or identified potential code paths in a client computing device emulator to generate analysis results, and use the generated analysis results to determine whether the software application is non-benign.