Abstract: A method for multi-instance learning (MIL)-based classification of a streaming input is described. The method includes running a first biased MIL model using extracted features from a subset of instances received in the streaming input to obtain a first classification result. The method also includes running a second biased MIL model using the extracted features to obtain a second classification result. The first biased MIL model is biased opposite the second biased MIL model. The method further includes classifying the streaming input based on the classification results of the first biased MIL model and the second biased MIL model.

Abstract: Certain aspects of the present disclosure provide a method of wireless communications at a user equipment (UE), generally including detecting, within a period, a number of indications for modification to system information from a cell and performing one or more actions, after the detection, to prevent the UE from attempting to access the cell.

Abstract: Various aspects of the present disclosure generally relate to wireless communication. In some aspects, a user equipment (UE) may detect a misbehavior condition in a local vehicle-to-everything (V2X) information source. The UE may receive an incoming V2X message. The UE may generate a misbehavior decision for the incoming V2X message based at least in part on the misbehavior condition in the local V2X information source. Numerous other aspects are described.

Abstract: Various embodiments may include methods and systems for avoiding connecting an illegitimate call within a telecommunications network. Various embodiments may include receiving, from a telecommunications network, an incoming call initiating message notifying the first wireless device of an incoming call, in which the incoming call initiating message includes caller information.

Abstract: Various embodiments include methods, components and wireless devices configured to identify illegitimate base station. The processor of the wireless device may determine that a device in communication with the wireless device is a suspect base station. The processor may send a fabricated message to the device, and may receive one or more response messages from the device. The processor may determine whether one or more of the response messages received from the device is an appropriate response or an inappropriate response to the fabricated message. In response to determining that a response message is an inappropriate response, the processor may determine that the device is an illegitimate base station. In response to determining that the device is an illegitimate base station, the wireless device may perform a protective action.

Abstract: Methods for detecting and preventing an adversarial network entity (e.g., fake base stations, etc.) from tracking a wireless device's location. A wireless device may be equipped with a random value (RAND) database or cache memory RAND values previously received by the wireless device. In response to receiving an authentication request message from a network component, performing AKA procedures and determining that the authentication failed, the wireless device may compare the RAND value included in the received authentication request message to RAND values stored in secure storage memory. The wireless device may generate an authentication response message that includes an error code that is different than standard error code used so that the target wireless device can't be differentiated from other wireless devices thereby preventing tracking in response to determining that the RAND value included in the received authentication request message is included in the RAND secure storage memory.

Abstract: Methods for countering a shared paging channel hijack attack. In an example embodiment, a wireless device may monitor the shared paging channel during a paging occasion in a DRX cycle to detect a first IMSI-based paging message in the paging occasion, and continue monitoring for IMSI-based paging in subsequent radio subframes in the paging frame and radio subframes in subsequent radio frames within the DRX cycle to determine whether there are indications of a paging channel hijack attack. In an example embodiment, this monitoring may be to determine whether one or more subframes that are not the paging occasion receive IMSI-based paging messages, in response to which a threat probability may be increased. The wireless device may perform an operation (e.g., an actuation operation such as disabling monitoring of, and preventing connection attempts to, the base station, etc.) to protect against a shared paging channel hijack attack.

Abstract: Systems, devices, and methods for communications among access points (APs) and mobile wireless devices are disclosed. A database having a persistent profile table (PPT) can be used to store information related to access point operations. Information related to a plurality of APs can be detected and stored in the PPT. Certain information may be common to multiple of the APs, allowing for compression of the data for more efficient storage. Fingerprint data related to the APs can be clustered based on a first order identifier (e.g., SSID, PLMN) and a second order identifier (e.g., MAC, MAC prefix, cell ID). The clusters can be further compressed by, for example, storing common features only once, and storing uncommon features individually, along with an identifier frame indicating which features are unique within the group of clusters. A mobile device can query the persistent profile table to verify the identity of unknown APs.

Abstract: In various embodiments, a wireless device processor may determine a threat score for a first cell, determine whether the first cell threat score is below a first threat score threshold, update a good neighbor cell data structure using neighbor cell information from the first cell in response to determining that the first cell threat score is below the first threat score threshold, performing cell reselection to a second cell, determine whether the second cell transmits a system information block message indicating fake neighbor cell information, and increase a threat score for the second cell in response to determining that the second cell provides the SIB message indicating fake neighbor cell information and that a good neighbor cell data structure includes an indication of one or more good neighbor cells that are within the time threshold and the location threshold and doing countermeasures in a response to the determination.

Abstract: Various embodiments include methods, components and wireless devices configured to identify illegitimate base station. The processor of the wireless device may determine that a device in communication with the wireless device is a suspect base station. The processor may send a fabricated message to the device, and may receive one or more response messages from the device. The processor may determine whether one or more of the response messages received from the device is an appropriate response or an inappropriate response to the fabricated message. In response to determining that a response message is an inappropriate response, the processor may determine that the device is an illegitimate base station. In response to determining that the device is an illegitimate base station, the wireless device may perform a protective action.

Abstract: Methods for detecting and preventing an adversarial network entity (e.g., fake base stations, etc.) from tracking a wireless device's location. A wireless device may be equipped with a random value (RAND) database or cache memory RAND values previously received by the wireless device. In response to receiving an authentication request message from a network component, performing AKA procedures and determining that the authentication failed, the wireless device may compare the RAND value included in the received authentication request message to RAND values stored in secure storage memory. The wireless device may generate an authentication response message that includes an error code that is different than standard error code used so that the target wireless device can't be differentiated from other wireless devices thereby preventing tracking in response to determining that the RAND value included in the received authentication request message is included in the RAND secure storage memory.

Abstract: Methods for detecting and responding to unauthorized alert messages. In an example embodiment, a wireless device may detect a first system information block (SIB1) broadcast from a base station that includes an alert message flag that indicates that an emergency alert message is scheduled for broadcast in another system information block (e.g., in one of SIBs 10-14, etc.). The wireless device may detect an unauthorized alert based on inconsistent inputs from various base stations, and the server may detect fake or unauthorized base stations or detect unauthorized alerts based on inconsistent inputs from various UEs about same Cell ID, or same PLMN and geolocation, etc.

Abstract: A method of detecting compromised message information includes: wirelessly receiving, at a mobile wireless communication device, present unprotected information and present protected information; retrieving previous unprotected information, corresponding to the present unprotected information, and previous protected information, corresponding to the present protected information, from a memory of the mobile wireless communication device; comparing the present unprotected information to the previous unprotected information to determine that an unprotected information change has occurred; comparing the present protected information to the previous protected information to determine whether a protected information change has occurred; and determining that the present unprotected information is valid in response to the protected information change having occurred and being consistent with the unprotected information change, or that the present unprotected information is invalid otherwise.

Abstract: Systems, methods, and computer programs are disclosed for scheduling decompression of an application from flash storage. One embodiment of a system comprises a flash memory device and a preemptive decompression scheduler component. The preemptive decompression scheduler component comprises logic configured to generate and store metadata defining one or more dependent objects associated with the compressed application in response to an application installer component installing a compressed application to the flash memory device. In response to a launch of the compressed application by an application launcher component, the preemptive decompression scheduler component determines from the stored metadata the one or more dependent objects associated with the compressed application to be launched. The preemptive decompression scheduler component preemptively schedules decompression of the one or more dependent objects based on the stored metadata.

Abstract: Methods for countering a shared paging channel hijack attack. In an example embodiment, a wireless device may monitor the shared paging channel during a paging occasion in a DRX cycle to detect a first IMSI-based paging message in the paging occasion, and continue monitoring for IMSI-based paging in subsequent radio subframes in the paging frame and radio subframes in subsequent radio frames within the DRX cycle to determine whether there are indications of a paging channel hijack attack. In an example embodiment, this monitoring may be to determine whether one or more subframes that are not the paging occasion receive IMSI-based paging messages, in response to which a threat probability may be increased. The wireless device may perform an operation (e.g., an actuation operation such as disabling monitoring of, and preventing connection attempts to, the base station, etc.) to protect against a shared paging channel hijack attack.

Abstract: Systems, methods, and computer programs are disclosed for detecting high-level functionality of an application executing on a computing device. One method comprises storing, in a secure memory on a computing device, a virtual address mapping table for an application. The virtual address mapping table comprises a plurality of virtual addresses in the application binary code mapped to corresponding target application functionalities. The application is registered with a high-level operating system (HLOS). During execution of the application binary code, the HLOS detects when one or more of the virtual addresses corresponding to the target application functionalities are executed based on the virtual address mapping table.

Abstract: Systems and methods are disclosed for detecting high-level functionality of an application executing on a computing device. One method includes storing, in a secure memory, an application-specific virtual address mapping table for an application. The application-specific virtual address mapping table comprises a plurality of virtual address offsets in the application binary code mapped to corresponding target application functionalities. In response to launching the application, a process-specific virtual address mapping table is generated for an instance of an application process to be executed. The process-specific virtual address mapping table defines actual virtual addresses corresponding to the target application functionalities using the virtual address offsets in the application-specific virtual address mapping table.

Abstract: This disclosure relates to allocating memory resources of a computing device comprising non-volatile random access memory (NVRAM) and dynamic random access memory (DRAM). An exemplary method is performed for every independently executable component of an application and includes determining attributes of the component. The method also includes associating the component with a memory profile of a plurality of memory profiles based on the attributes, wherein each memory profile of the plurality of memory profiles specifies a number of banks of the NVRAM and a number of banks of the DRAM. The method also includes causing the computing device to generate an assignment of the component to banks of the NVRAM and DRAM based on the memory profile associated with the component so the computing device can execute the component using the banks of the NVRAM and DRAM based on the assignment.

Abstract: Systems, methods, and computer programs are disclosed for updating virtual memory addresses of target application functionalities for an updated version of application binary code. The method comprises storing a virtual address mapping table associated with application binary code registered with a high-level operating system. The virtual address mapping table comprises a plurality of virtual addresses mapped to corresponding target application functionalities in the application binary code. In response to receiving an updated version of the application binary code, a pseudo binary code template is selected, which is associated with one or more of the plurality of virtual addresses in the virtual address mapping table. The pseudo binary code template is matched to binary instructions in the updated version of the application binary code. The new virtual addresses corresponding to the matching binary instructions are determined. The virtual address mapping table is updated with the new virtual addresses.

Abstract: Systems, devices, and methods for communications among access points (APs) and mobile wireless devices are disclosed. A database having a persistent profile table (PPT) can be used to store information related to access point operations. Information related to a plurality of APs can be detected and stored in the PPT. Certain information may be common to multiple of the APs, allowing for compression of the data for more efficient storage. Fingerprint data related to the APs can be clustered based on a first order identifier (e.g., SSID, PLMN) and a second order identifier (e.g., MAC, MAC prefix, cell ID). The clusters can be further compressed by, for example, storing common features only once, and storing uncommon features individually, along with an identifier frame indicating which features are unique within the group of clusters. A mobile device can query the persistent profile table to verify the identity of unknown APs.