Abstract: Execution of an application in an application-level sandbox is disclosed. A request to launch an application is received by an operating system executing on a device. A determination is made that a stored copy of the application should be executed within an application-level sandbox. The stored copy of the application is executed in the application-level sandbox.

Abstract: The automatic generation of malware family signatures is disclosed. A set of metadata associated with a plurality of samples is received. The samples are clustered. For members of a first cluster, a set of similarities shared among at least a portion of the members of the first cluster is determined. The similarities are evaluated for suitability as a malware family signature. Suitability is evaluated based on how well the similarities uniquely identify the members of the first cluster. In the event the similarities are determined to be suitable as a malware family signature, a signature is generated.

Abstract: A virtualized storage for use in performing dynamic analysis on a sample is configured, at least in part by copying the sample to the virtualized storage. A virtual machine emulator is launched using a snapshot of a virtualized platform. The virtualized platform is previously configured to use the virtualized storage, and the snapshot is configured to use a placeholder file to occupy space for later use when installing the sample. A location of the copied sample in an image corresponding to the virtualized storage is determined. The copied sample is installed and dynamic analysis is performed on the sample.

Abstract: The automatic generation of malware family signatures is disclosed. A set of metadata associated with a plurality of samples is received. The samples are clustered. For members of a first cluster, a set of similarities shared among at least a portion of the members of the first cluster is determined. The similarities are evaluated for suitability as a malware family signature. Suitability is evaluated based on how well the similarities uniquely identify the members of the first cluster. In the event the similarities are determined to be suitable as a malware family signature, a signature is generated.

Abstract: A sample is analyzed to determine a set of events that should be selected for performing by a dynamic analyzer executing the sample in an instrumented, emulated environment. In some cases, analyzing the sample includes extracting the sample's user interface layout into a tree hierarchy of user interface elements. The set of selected events is performed. In some cases, at least one emulator detection resistance action is performed. A maliciousness verdict is determined for the sample based at least in part on one or more responses taken by the sample in response to the set of selected events being performed by the dynamic analyzer.

Abstract: A virtualized storage for use in performing dynamic analysis of a sample is configured, at least in part by copying the sample to the virtualized storage. A virtual machine emulator is launched using a snapshot of a virtualized platform. A location of the copied sample in an image corresponding to the virtualized storage is determined, at least in part by identifying an offset. The copied sample is installed and dynamic analysis is performed on the sample.

Abstract: A virtualized storage for use in performing dynamic analysis of a sample is configured, at least in part by copying the sample to the virtualized storage. A virtual machine emulator is launched using a snapshot of a virtualized platform. A location of the copied sample in an image corresponding to the virtualized storage is determined, at least in part by identifying an offset. The copied sample is installed and dynamic analysis is performed on the sample.

Abstract: A sample is analyzed to determine a set of events that should be selected for performing by a dynamic analyzer executing the sample in an instrumented, emulated environment. The set of selected events is performed. A maliciousness verdict is determined for the sample based at least in part on one or more responses taken by the sample in response to the set of selected events being performed by the dynamic analyzer.

Abstract: Execution of an application in an application-level sandbox is disclosed. A request to launch an application is received by an operating system executing on a device. A determination is made that a stored copy of the application should be executed within an application-level sandbox. The stored copy of the application is executed in the application-level sandbox.

Abstract: A virtualized storage for use in performing dynamic analysis of a sample is configured, at least in part by copying the sample to the virtualized storage. A virtual machine emulator is launched using a snapshot of a virtualized platform. A location of the copied sample in an image corresponding to the virtualized storage is determined, at least in part by identifying an offset. The copied sample is installed and dynamic analysis is performed on the sample.

Abstract: A sample is analyzed to determine a set of events that should be selected for performing by a dynamic analyzer executing the sample in an instrumented, emulated environment. The set of selected events is performed. A maliciousness verdict is determined for the sample based at least in part on one or more responses taken by the sample in response to the set of selected events being performed by the dynamic analyzer.

Abstract: The automatic generation of malware family signatures is disclosed. A set of metadata associated with a plurality of samples is received. The samples are clustered. For members of a first cluster, a set of similarities shared among at least a portion of the members of the first cluster is determined. The similarities are evaluated for suitability as a malware family signature. Suitability is evaluated based on how well the similarities uniquely identify the members of the first cluster. In the event the similarities are determined to be suitable as a malware family signature, a signature is generated.

Abstract: The automatic generation of malware family signatures is disclosed. A set of metadata associated with a plurality of samples is received. The samples are clustered. For members of a first cluster, a set of similarities shared among at least a portion of the members of the first cluster is determined. The similarities are evaluated for suitability as a malware family signature. In the event the similarities are determined to be suitable as a malware family signature, a signature is generated.

Abstract: An extended wireless access point may have many distributed radio units connected to associated processing units via a radio transmission network comprising commodity switches controlled by one or more network controllers. The one or more network controllers may use a load balancing algorithm to select a processing unit to process a signal received by a distributed radio unit. The radio units may receive a wireless signal, and generate compressed samples of the wireless signal for transport via the radio transmission network and processing by a selected processing unit. Similarly, a processing unit may generate and transmit via the radio transmission network compressed samples for decompression and transmission by a radio unit.

Abstract: An extended wireless access point may have many distributed radio units connected to associated processing units via a radio transmission network comprising commodity switches controlled by one or more network controllers. The one or more network controllers may use a load balancing algorithm to select a processing unit to process a signal received by a distributed radio unit. The radio units may receive a wireless signal, and generate compressed samples of the wireless signal for transport via the radio transmission network and processing by a selected processing unit. Similarly, a processing unit may generate and transmit via the radio transmission network compressed samples for decompression and transmission by a radio unit.

Abstract: A method of transmitting data across a wireless mesh network is described which uses network coding at each of the intermediate nodes between the source node and the destination node. Each intermediate node also controls the rate at which it broadcasts packets based on link congestion and the backlog of packets at each of the possible next-hop nodes for the data flow.

Abstract: A method of transmitting data across a wireless mesh network is described which uses network coding at each of the intermediate nodes between the source node and the destination node. Each intermediate node also controls the rate at which it broadcasts packets based on link congestion and the backlog of packets at each of the possible next-hop nodes for the data flow.