Patents Assigned to AO Kaspersky Lab
  • Patent number: 11978062
    Abstract: Disclosed herein are systems and methods for detecting malicious use of a remote administration tool. In one aspect, an exemplary method comprises, gathering, from a flow of events, data that comprises any number of keyboard entry events, wherein each event is related at least to actions indicating a keyboard entry and a context in which the event occurred, comparing the gathered keyboard entry events with signatures from a database, and when a match is found with at least one signature, identifying an activity which is a characteristic that indicates that the remote administration tool is being controlled remotely.
    Type: Grant
    Filed: January 28, 2021
    Date of Patent: May 7, 2024
    Assignee: AO Kaspersky Lab
    Inventor: Sergey N. Ivanov
  • Patent number: 11971996
    Abstract: The present disclosure provides systems and methods for increasing the cybersecurity of a control subject of an industrial technological system. In an exemplary aspect, the method comprises installing a protected Operating System (OS) on a control subject of the industrial technological system, receiving, by the protected OS, a plurality of log files from the control subject, analyzing, by the protected OS, the plurality of log files to determine if a suspicious action has been applied to the control subject, wherein the control subject is configured to apply a controlling action to the object of control, intercepting, by the protected OS, network packets transmitted by an application launched in a guest OS to the control subject, and preventing, by the protected OS, an interaction between the application and the control subject, in response to determining that the suspicious action has been applied to the control subject.
    Type: Grant
    Filed: December 6, 2021
    Date of Patent: April 30, 2024
    Assignee: AO Kaspersky Lab
    Inventors: Andrey P. Doukhvalov, Pavel V. Dyakin, Dmitry A. Kulagin
  • Patent number: 11934560
    Abstract: Disclosed herein are systems and methods for processing personal data by application of policies. In one aspect, an exemplary method comprises, by the network infrastructure component, analyzing communication protocols between an IoT device and the network infrastructure component, identifying at least one field that contains personal data, for each identified field, analyzing the identified field using personal data processing policies uploaded to the network infrastructure component, and applying the personal data policies for enforcement.
    Type: Grant
    Filed: July 9, 2021
    Date of Patent: March 19, 2024
    Assignee: AO Kaspersky Lab
    Inventors: Anton V. Tikhomirov, Ivan I. Tatarinov, Sergey V. Konoplev
  • Patent number: 11928243
    Abstract: An example of a method for detecting hacking activities includes categorizing a plurality of web pages of a web site providing bank services using a trained semantic model. The trained semantic model uses at least one resource identifier of a web page as an input and generates a web page category as an output. One or more attributes of an interaction between a user and bank services are identified. The one or more identified attributes are analyzed by comparing the one or more identified attributes with attributes known to belong to hacking interactions based on a corresponding web page category. Hacking activity is identified based on the results of the analysis.
    Type: Grant
    Filed: December 1, 2020
    Date of Patent: March 12, 2024
    Assignee: AO Kaspersky Lab
    Inventor: Sergey N. Ivanov
  • Patent number: 11929969
    Abstract: Disclosed herein are systems and methods for spam identification. A spam filter module may receive an email at a client device and may determine a signature of the email. The spam filter module may compare the determined signature with a plurality of spam signatures stored in a database. In response to determining that no match exists between the determined signature and the plurality of spam signatures, the spam filter module may place the email in quarantine. A spam classifier module may extract header information of the email and determine a degree of similarity between known spam emails and the email. In response to determining that the degree of similarity exceeds a threshold, the spam filter module may transfer the email from the quarantine to a spam repository.
    Type: Grant
    Filed: November 4, 2019
    Date of Patent: March 12, 2024
    Assignee: AO Kaspersky Lab
    Inventors: Nikita D. Benkovich, Dmitry S. Golubev, Roman A. Dedenok, Andrey A. But
  • Patent number: 11916959
    Abstract: Systems and methods for building systems of honeypot resources for the detection of malicious objects in network traffic. A system includes at least two gathering tools for gathering data about the computer system on which it is installed, a building tool configured for building at least two virtual environments, each including an emulation tool configured for emulating the operation of the computer system in the virtual environment, and a distribution tool configured for selecting at least one virtual environment for each computer system and for establishing connection between the computer system and the virtual environment.
    Type: Grant
    Filed: December 22, 2021
    Date of Patent: February 27, 2024
    Assignee: AO Kaspersky Lab
    Inventors: Yaroslav A. Shmelev, Demeter Dan, Preuss Marco, Mikhail Y. Kuzin
  • Patent number: 11888891
    Abstract: A method for creating a heuristic rule to identify Business Email Compromise (BEC) attacks includes filtering text of received email messages, using a first classifier, to extract one or more terms indicative of a BEC attack from the text of the received email messages. One or more n-grams are generated, using the first classifier, based on the extracted terms. A vector representation of the extracted terms is generated, using a second classifier, based on the generated one or more n-grams. The second classifier includes a logit model. A weight coefficient is assigned to each of the one or more extracted terms based on an output of the trained logit model. A higher weight coefficient indicates higher relevancy to BEC attack of the corresponding term. A heuristic rule associated with the BEC attack is generated by combining the weight coefficients of a combination of the one or more extracted terms.
    Type: Grant
    Filed: September 13, 2021
    Date of Patent: January 30, 2024
    Assignee: AO Kaspersky Lab
    Inventors: Roman A. Dedenok, Nikita D. Benkovich, Dmitry S Golubev, Yury G. Slobodyanuk
  • Patent number: 11886584
    Abstract: Disclosed herein are systems and methods for detecting potentially malicious changes in an application. In one aspect, an exemplary method comprises, selecting a first file to be analyzed and at least one second file similar to the first file, for each of the at least one second file, calculating at least one set of features, identifying a set of distinguishing features of the first file by finding, for each of the at least one second file, a difference between a set of features of the first file and the calculated at least one set of features of the second file, and detecting a presence of potentially malicious changes in the identified set of distinguishing features of the first file.
    Type: Grant
    Filed: November 17, 2021
    Date of Patent: January 30, 2024
    Assignee: AO KASPERSKY LAB
    Inventors: Anton A Kivva, Lev V Pikman, Igor A Golovin
  • Patent number: 11886577
    Abstract: Disclosed herein are systems and methods for protecting a user's devices based on types of anomalies. In one aspect, an exemplary method comprises, determining, by a feature determiner, one or more values of features of a user's activity performed using at least one of the user's devices, detecting, by an anomaly detector, anomalies indicative of at least one threat to information security of the user's devices based on the one or more values of the features, for each detected anomaly, identifying, by the anomaly detector, a type of the anomaly and at least one device that is a source of the anomaly, wherein the type of anomaly is identified using an anomaly classifier and one or more values of features, and for each user's device, modifying, by a device protector, one or more information security settings of the user's device based on the identified type of the anomaly.
    Type: Grant
    Filed: April 19, 2021
    Date of Patent: January 30, 2024
    Assignee: AO Kaspersky Lab
    Inventors: Anton V. Tikhomirov, Evgenii Shchetinin
  • Patent number: 11880455
    Abstract: Disclosed herein are methods and systems for selecting a detection model for detection of a malicious file. An exemplary method includes: monitoring a file during execution of the file within a computer system by intercepting commands of the file being executed and determining one or more parameters of the intercepted commands. A behavior log of the file being executed containing behavioral data is formed based on the intercepted commands and based on the one or more parameters of the intercepted commands. The behavior log is analyzed to form a feature vector. The feature vector characterizes the behavioral data. One or more detection models are selected from a database of detection models based on the feature vector. Each of the one or more detection models includes a decision-making rule for determining a degree of maliciousness of the file being executed.
    Type: Grant
    Filed: October 12, 2021
    Date of Patent: January 23, 2024
    Assignee: AO Kaspersky Lab
    Inventors: Alexander S. Chistyakov, Alexey M. Romanenko, Alexander S. Shevelev
  • Patent number: 11829473
    Abstract: Disclosed herein are methods and systems for detecting malicious files by a user computer. For example, in one aspect, the method comprises registering application programming interface (API) calls made by a file during an execution of the file on the user computer in a local call log, the local call log comprising control flow graphs of processes launched from the file, searching for a rule that matches behavioral rules in a local database, when the behavioral rules are found, determining the file is malicious and halting execution of the file on the user computer, otherwise, transmitting the local call log to a remote server, receiving a verdict, when the verdict indicates the file is malicious, receiving a virus signature corresponding to the verdict, and updating the local call log based on the verdict and virus signature, wherein the updating enables detection of subsequently received malicious files.
    Type: Grant
    Filed: November 16, 2020
    Date of Patent: November 28, 2023
    Assignee: AO Kaspersky Lab
    Inventors: Sergey V. Gordeychik, Sergey V. Soldatov, Konstantin V. Sapronov
  • Patent number: 11803393
    Abstract: Disclosed herein are systems and methods for automatic activation of a service on a computing device. In an exemplary aspect, a service activation module may link, using an activation model, user behavioral data to an automated activation of the service based on detecting a prior activation of the service subsequent to receiving the user behavioral data. The service activation module may receive, at a later time, additional sensor data from a plurality of sensors of a computing device. The service activation module may parse the additional sensor data to generate additional user behavioral data. The service activation module may compute, using the activation model, a degree of similarity between the user behavioral data and the additional user behavioral data, and in response to determining that the degree of similarity is greater than a predetermined threshold value, may automatically activate the service on the computing device.
    Type: Grant
    Filed: October 30, 2019
    Date of Patent: October 31, 2023
    Assignee: AO Kaspersky Lab
    Inventor: Ivan I. Tatarinov
  • Patent number: 11768902
    Abstract: Disclosed herein are systems and methods for providing content to a user. In one aspect, an exemplary method comprises intercepting a search request and a site-name in a browser, and sending to a content-provision tool, the intercepted search request and site name, computing a hash of the intercepted search request and site-name, determining a type of the intercepted search request and site name, and transmitting the computed hash and the type of intercepted search request and site-name to a cloud server, transmitting the intercepted request and site-name to the cloud server in plain form, receiving, from the cloud server, content based on a categorization of the intercepted request and site-name and rules for establishing a category of the content, and when the rules are executed, displaying to the user, the content on the computing device of the user in accordance with a category established based on the rules.
    Type: Grant
    Filed: May 24, 2022
    Date of Patent: September 26, 2023
    Assignee: AO Kaspersky Lab
    Inventors: Dmitry V. Shvetsov, Daniil A. Yazovsky, Anton E. Malov
  • Patent number: 11736439
    Abstract: Disclosed herein are systems and methods for blocking information from being received on a computing device. In one aspect, an exemplary method comprises, by a hardware processor, intercepting a Domain Name System (DNS) request, the intercepted DNS request being initiated by an advertising module of the computing device; obtaining a set of rules for a transmission of the intercepted DNS request; estimating a probability of the intercepted DNS request being a DNS request that was initiated by one or more actions of a user based on the obtained set of rules; and blocking displaying the advertisement information on the computing device based on the estimated probability, wherein the blocking displaying the advertisement information comprises blocking the advertisement information from being received on the computing device.
    Type: Grant
    Filed: March 31, 2022
    Date of Patent: August 22, 2023
    Assignee: AO Kaspersky Lab
    Inventor: Alexey P. Komissarov
  • Patent number: 11709938
    Abstract: Disclosed herein are systems and methods for categorizing an application on a computing device including gathering a set of attributes of an application. The set of attributes of the application includes at least one of: a number of files in an application package of the application; a number of executable files in the application package; numbers and types of permissions being requested; a number of classes in the executable files in the application package; and a number of methods in the executable files in the application package. The gathered set of attributes is sent to a trained classification model. The application is classified, using the classification model, based on the gathered set of attributes by generating one or more probabilities of the application belonging to respective one or more categories of applications. A category of the application is determined based on the generated one or more probabilities.
    Type: Grant
    Filed: February 25, 2022
    Date of Patent: July 25, 2023
    Assignee: AO Kaspersky Lab
    Inventors: Vladimir A. Kuskov, Nikita A. Buchka, Anton A. Kivva, Oleg P. Volkov, Dmitry Y. Lukasevich, Evgeny A. Roginsky, Konstantin M. Filatov, Dmitry V. Latokhin
  • Patent number: 11687949
    Abstract: An example of a method for detecting hacking activities includes identifying one or more attributes of each interaction in a sequence of interactions between one or more users and bank services during a predetermined time period. The one or more users are categorized into a plurality of groups based on the identified attributes. Each of the plurality of groups includes users performing the sequence of interactions with the bank services during the predetermined time period. A degree of anomaly is calculated for each of the plurality of groups based on a total number of users associated with a corresponding sequence of interactions and based on a number of users associated with the corresponding sequence of interactions during the predetermined time period. The calculated degree of anomaly is compared with a predetermined threshold. Hacking activity is identified, in response to determining that the calculated degree of anomaly exceeds the predetermined threshold.
    Type: Grant
    Filed: October 28, 2020
    Date of Patent: June 27, 2023
    Assignee: AO Kaspersky Lab
    Inventor: Sergey N. Ivanov
  • Patent number: 11683336
    Abstract: A method for using inventory rules to identify devices of a computer network includes intercepting data traffic across one or more communication links of the computer network. The intercepted data traffic is analyzed to determine whether one or more of a plurality of inventory rules is satisfied by the intercepted data traffic. Each of the plurality of inventory rules comprises one or more conditions indicating the presence of a particular computer network device having a set of parameters. Each one of the plurality of inventory rules has a weighting factor value indicative of a priority of the application of a corresponding rule. The weighting factor value depends on previously identified devices. One or more devices of the computer network are identified using the weighting factor value of the one or more satisfied inventory rules.
    Type: Grant
    Filed: May 9, 2022
    Date of Patent: June 20, 2023
    Assignee: AO Kaspersky Lab
    Inventors: Evgeny E. Prusov, Andrey A. Kiryukhin, Dmitry N. Satanin, Dmitry S. Lukiyan
  • Patent number: 11663363
    Abstract: A method for detecting a false positive outcome in classification of files includes, analyzing a file to determine whether or not the file is to be recognized as being malicious, analyzing a file to determine whether a digital signature certificate is present for the file, in response to recognizing the file as being malicious; comparing the digital certificate of the file with one or more digital certificates stored in a database of trusted files, in response to determining that the digital signature certificate is present for the file; and detecting a false positive outcome if the digital certificate of the file is found in the database of trusted files, when the false positive outcome is detected, excluding the file from further determination of whether the file is malicious and calculating a flexible hash value of the file.
    Type: Grant
    Filed: February 15, 2022
    Date of Patent: May 30, 2023
    Assignee: AO Kaspersky Lab
    Inventors: Sergey V. Prokudin, Alexander S. Chistyakov, Alexey M. Romanenko
  • Patent number: 11645346
    Abstract: Disclosed herein are systems and methods for generating individual content for a user of a service. In one aspect, an exemplary method comprises, gathering data on behavior of a user of a computing device, training a model of a user behavior based on the gathered data, wherein the trained data identifies the user to a predetermined degree of reliability, and generating an individual content for the user of the service based on a predetermined service environment in accordance with a trained model received from a model transmitter.
    Type: Grant
    Filed: May 24, 2020
    Date of Patent: May 9, 2023
    Assignee: AO Kaspersky Lab
    Inventors: Andrey A. Efremov, Pavel V. Filonov
  • Patent number: 11640616
    Abstract: Disclosed herein are systems and methods for counting a ballot in an electronic voting system. In one aspect, an exemplary method comprises, generating, by a token generator of the system, a number of tokens, wherein every token unambiguously identifies actions of a user during an electronic voting, when the user is identified and authenticated successfully, enabling the user to select a token from the number of tokens, activating, by a ballot activator of the system, a ballot for the user, wherein activating includes generating the ballot, unambiguously relating the token selected by the user to the ballot, and enabling the user to access the ballot, and counting, by a ballot counter of the system, the ballot filled out by the user.
    Type: Grant
    Filed: October 16, 2020
    Date of Patent: May 2, 2023
    Assignee: AO Kaspersky Lab
    Inventors: Roman V. Aleshkin, Maxim V. Riveiro, Artem G. Nagorny, Evgeny N. Barkov, Mikhail D. Kudryavtsev