Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for detecting anomalous user interface interactions. One of the methods includes receiving, for a user interface element, interaction locations that indicate where interactions with the user interface element occurred when the user interface element was provided on behalf of a first system; determining a difference between (i) a first distribution of the interaction locations for the user interface element when the user interface element was provided on behalf of the first system and (ii) a second distribution of the interaction locations for the user interface element when the user interface element was provided on behalf of a second system; classifying the first distribution of the interaction locations as anomalous in response to the difference not satisfying a condition; and preventing the first system from accessing another system to which the first system was trying to gain access.

Abstract: A computer-implemented method for detecting malware using machine learning may include (1) identifying data to be analyzed for malware, (2) classifying, using a classifier created by a combination of at least one deep learning neural network and at least one supervised data mining method, the data to be analyzed for malware, (3) determining, based on a predefined threshold, that the classification of the data indicates potential malware on the computing device, and (4) performing a security action based on the determination of potential malware on the computing device. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for maintaining encrypted search indexes on third party storage systems may include (1) identifying a plurality of encrypted files, (2) identifying a plurality of keywords contained in the plurality of encrypted files, and (3) generating an encrypted search index for searching the plurality of encrypted files by (i) identifying, for each keyword in the plurality of keywords, a list of encrypted files in the plurality of encrypted files that contain the keyword, (ii) encrypting the list of encrypted files, and (iii) storing the encrypted list of encrypted files such that the encrypted list of encrypted files can be identified using a lookup key generated by applying a pseudo-random function to the keyword. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for detecting anomalies that are potentially indicative of malicious attacks may include (1) identifying a sequence of activities performed on a computing device, (2) calculating a cumulative influence score between pairs of activities in the sequence of activities through convolution of the sequence of activities, (3) detecting an anomaly that is potentially indicative of a malicious attack based on a comparison of the cumulative influence score and an expected threshold for a user of the computing device, and (4) in response to detecting the anomaly, performing a security action. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for maintaining encrypted search indexes on third-party storage systems may include (1) identifying a plurality of encrypted files, (2) identifying a plurality of keywords contained in the plurality of encrypted files, and (3) generating an encrypted search index for searching the plurality of encrypted files by (i) identifying, for each keyword in the plurality of keywords, a list of encrypted files in the plurality of encrypted files that contain the keyword, (ii) encrypting the list of encrypted files, and (iii) storing the encrypted list of encrypted files such that the encrypted list of encrypted files can be identified using a lookup key generated by applying a pseudo-random function to the keyword. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for selectively authenticating a request based on an authentication policy is described. A request is received from a client. A determination is made as to which authentication threshold is applied to the request based on an authentication policy. The request is authenticated if the authentication threshold is satisfied. The authentication threshold is modified if the request is not successfully authenticated.

Abstract: A computer-implemented method for searching shared encrypted files on third-party storage systems may include (1) receiving, at a server-side computing system, a request from a user to search at least one encrypted file to which a group of users that includes the user shares access, (2) identifying, in response to the request, at least one encrypted search index compiled for and shared by the group of users that enables the encrypted file to be searched, (3) decrypting the encrypted search index with a key with which each user within the group of users has access, and (4) using the decrypted search index to respond to the request from the user. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for securing data at third-party storage services may include (1) receiving, at a server-side computing system, a request to provide a user with access to a file that is encrypted, (2) determining, in response to the request, whether a transitory symmetric key of the user is available to encrypt a decryption key with which the file may be decrypted, (3) encrypting the decryption key with the transitory symmetric key of the user if the transitory symmetric key of the user is available or encrypting the decryption key with the public key of an asymmetric key pair designated for the user if the transitory symmetric key of the user is unavailable, and (4) storing the encrypted decryption key. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Profile information is maintained concerning users and files in the context of a file sharing and collaboration environment. Profile information quantifies each user's interest level in specific files, and levels of similarity between users and between files. Machine learning techniques are applied to monitored actions taken by users directed towards files, and profile information is dynamically updated in response. Natural language processing such as n-gram analysis is applied to files, and file similarity levels are increased in response to requisite amounts of common content. The event notification stream is filtered. For each specific event notification, a relevance value is quantified for each specific user, based on profile information concerning the specific user, the file to which the event is directed, and the user who undertook the event. The corresponding notification is only transmitted to specific users for whom the relevance value exceeds a predetermined threshold.

Abstract: A computer-implemented method for secure third-party data storage may include (1) identifying, at a server-side computing system, a data access request from a client system to access an encrypted file stored under a user account, (2) receiving a long poll request from the client system, (3) identifying an asymmetric key pair designated for the user account, the asymmetric key pair including an encryption key and a decryption key that has been encrypted with a client-side key, (4) responding to the long poll request with a message notifying the client system to transmit the client-side key, (5) receiving, from the client system, the client-side key, (6) decrypting the decryption key with the client-side key, and (7) using the decryption key to access an unencrypted version of the encrypted file. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for sharing data stored on secure third-party storage platforms may include (1) identifying a request from a client system for a token that provides temporary access to an encrypted file stored under a user account, (2) identifying, in response to the request, an asymmetric key pair designated for the user account that includes an encryption key and a decryption key that has been encrypted with a client-side key, (3) receiving, from the client system, the client-side key, (4) decrypting the decryption key with the client-side key, (5) using the decryption key to generate temporary decryption data that facilitates the decryption of the encrypted file and that is set to expire, (6) generating the token and designating the temporary decryption data as available in exchange for the token, and (7) providing the token to the client system. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for secure hybrid third-party data storage may include (1) identifying, at a trusted proxy system, an access request from a client system to access an encrypted file stored under a user account at a third-party storage system, where the requested access requires decryption of the encrypted file, (2) retrieving, from the third-party storage system, (i) the encrypted file and (ii) a decryption key that has been encrypted with a cryptographic key, where an asymmetric key pair designated for the user account includes an encryption key and the encrypted decryption key, (3) decrypting, at the trusted proxy system, the decryption key with the cryptographic key, and (4) using the decryption key to access an unencrypted version of the encrypted file at the trusted proxy system. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for managing malware signatures. The method may include maintaining a set of active malware signatures and maintaining a set of dormant malware signatures. The method may also include providing the set of active malware signatures for use in malware detection more frequently than the set of dormant malware signatures and determining that a first malware signature from the set of dormant malware signatures triggers one or more positive malware detection responses. The method may further include, in response to the determination, moving the first malware signature from the set of dormant malware signatures to the set of active malware signatures. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Reputations of objects are determined by a reputation system using reports from clients identifying the objects. Confidence metrics for the clients are generated using information determined from the reports. Confidence metrics indicate the amounts of confidence in the veracity of the reports. Reputation scores of objects are calculated using the reports from the clients and the confidence metrics for the clients. Confidence metrics and reputation scores are stored in correlation with identifiers for the objects. An object's reputation score is provided to a client in response to a request.

Abstract: Reputations of objects are determined by a reputation system using reports from clients identifying the objects. Confidence metrics for the clients are generated using information determined from the reports. Confidence metrics indicate the amounts of confidence in the veracity of the reports. Reputation scores of objects are calculated using the reports from the clients and the confidence metrics for the clients. Confidence metrics and reputation scores are stored in correlation with identifiers for the objects. An object's reputation score is provided to a client in response to a request.

Abstract: The disclosed computer-implemented method for secure hybrid third-party data storage may include (1) identifying, at a trusted proxy system, an access request from a client system to access an encrypted file stored under a user account at a third-party storage system, where the requested access requires decryption of the encrypted file, (2) retrieving, from the third-party storage system, (i) the encrypted file and (ii) a decryption key that has been encrypted with a client-side key, where an asymmetric key pair designated for the user account includes an encryption key and the encrypted decryption key, (3) receiving, at the trusted proxy system, the client-side key, (4) decrypting, at the trusted proxy system, the decryption key with the client-side key, and (5) using the decryption key to access an unencrypted version of the encrypted file at the trusted proxy system. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for secure third-party data storage may include 1) identifying, at a server-side computing device, a request from a client system to access an encrypted file stored under a user account, 2) identifying, in response to the request, an asymmetric key pair designated for the user account that includes an encryption key and a decryption key that has been encrypted with a client-side key, 3) receiving, from the client system, the client-side key, 4) decrypting the decryption key with the client-side key, and 5) using the decryption key to access an unencrypted version of the encrypted file. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for managing malware signatures. The method may include maintaining a set of active malware signatures and maintaining a set of dormant malware signatures. The method may also include providing the set of active malware signatures for use in malware detection more frequently than the set of dormant malware signatures and determining that a first malware signature from the set of dormant malware signatures triggers one or more positive malware detection responses. The method may further include, in response to the determination, moving the first malware signature from the set of dormant malware signatures to the set of active malware signatures. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for secure third-party data storage may include 1) identifying, at a server-side computing device, a request from a client system to access an encrypted file stored under a user account, 2) identifying, in response to the request, an asymmetric key pair designated for the user account that includes an encryption key and a decryption key that has been encrypted with a client-side key, 3) receiving, from the client system, the client-side key, 4) decrypting the decryption key with the client-side key, and 5) using the decryption key to access an unencrypted version of the encrypted file. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A mechanism is provided for determining a safety reputation for a network site in a manner that provides both wide coverage of potentially malicious sites as well as improves the freshness of information from which the safety reputation is derived. Community-based information, such as reports from users related to recently-visited network sites, malware detected by reporting network nodes, non-specific information such as unusual CPU usage and network activity of visiting nodes, and information received from other types of external feeds is used in determining the safety reputation and updating the safety reputation. Such information is analyzed in order to determine network sites that are potential sources of malware, which can then be subjected to more detailed analysis.