Patents Assigned to AO Kaspersky Lab
  • Patent number: 11379581
    Abstract: A method for detection of malicious files includes training a mapping model for mapping files in a probability space. A plurality of characteristics of an analyzed file is determined based on a set of rules. A mapping of the analyzed file in probability space is generated based on the determined plurality of characteristics. A first database is searched using the generated mapping of the analyzed file to determine whether the analyzed file is associated with a family of malicious files. The first database stores mappings associated with one or more families of malicious files. In response to determining that the analyzed file is associated with the family of malicious files, a selection of one or more methods of malware detection is made from a second database. The second database stores a plurality of malware detection methods. The selected method is used to detect the associated family.
    Type: Grant
    Filed: March 11, 2020
    Date of Patent: July 5, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Alexander Chistyakov, Alexey M. Romanenko
  • Patent number: 11380303
    Abstract: A method for voice call analysis and classification includes intercepting a voice call session between an initiating device and a recipient device. Voice call data exchanged between the initiating device and the recipient device during the voice call session is transformed into a predefined data format. The transformed voice call data is analyzed to determine one or more attributes of the intercepted voice call. One or more features associated with the intercepted voice call session are identified based on the determined one or more attributes. The intercepted voice call is classified using the identified one or more features.
    Type: Grant
    Filed: January 22, 2021
    Date of Patent: July 5, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Nikolay A. Churaev, Andrey I. Golubev
  • Patent number: 11366896
    Abstract: A system and method is provided for detecting anomalous events based on a dump of an address space of a software process in a memory of a computing device. An exemplary method includes detecting at least one event occurring in an operating system of the computing device during an execution of the software process, determining a context of the detected event, wherein the context comprises a dump of an address space of the software process containing code that was being executed at the moment of occurrence of the detected event, selecting a set of features of the dump for use in determining whether or not the event is anomalous, transforming the selected set of features of the dump into a convolution, determining a popularity of the convolution by polling a database, and determining that the detected event is an anomalous event if the determined popularity is below a threshold value.
    Type: Grant
    Filed: December 17, 2019
    Date of Patent: June 21, 2022
    Assignee: AO KASPERSKY LAB
    Inventors: Alexey V. Monastyrsky, Mikhail A. Pavlyushchik, Alexey M. Romanenko, Maxim Y. Golovkin
  • Patent number: 11368871
    Abstract: Techniques are provided for generating groups of filtering rules. A priority list of filtering rules having a highest indicator of frequency of utilization among the filtering rules from the plurality of lists is determined from a plurality of lists of filtering rules. The priority list of filtering rules is transmitted to a mobile device. Each of remaining lists of filtering rules that have not been transmitted to the mobile device is divided into a plurality of parts. A plurality of groups of filtering rules is generated based on frequency of utilization within each of the remaining lists of filtering rules. Each generated group contains at most one part of each remaining list of filtering rules.
    Type: Grant
    Filed: November 18, 2020
    Date of Patent: June 21, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Alexey P. Komissarov, Victor V. Yablokov, Alexey M. Chikov
  • Patent number: 11366902
    Abstract: Disclosed herein are systems and methods for detecting malicious files based on file fragments. In one aspect, an exemplary method comprises, extracting data fragments from a file, for each extracted data fragment, determining a category selected from a list of categories that includes at least: trusted, malicious, and untrusted, when a number of data fragments categorized as being malicious is below a predetermined threshold, avoiding categorization of the file as malicious, and when a number of data fragments categorized as being malicious reaches or exceeds the predetermined threshold, determining whether at least one malicious file detection rule having criteria for detecting a malicious file is found, when at least one malicious file detection rule whose criteria is met is found, categorizing the file as a malicious file, and when no malicious file detection rule whose criteria is met is found, avoiding categorization of the file as a malicious file.
    Type: Grant
    Filed: September 24, 2019
    Date of Patent: June 21, 2022
    Assignee: AO Kaspersky Lab
    Inventor: Costin Raiu
  • Patent number: 11361090
    Abstract: A method for providing an interprocess interaction in an electronic control unit having an operating system defining a kernel space, wherein the method involves steps in which: the kernel of the operating system intercepts a request for an interprocess communication between a first application and a second application of the electronic control unit. A verdict is requested, from an access control component of the operating system, with respect to granting access for the requested interprocess communication between the first application and the second application of the electronic control unit. The access control component generates the verdict for the requested interprocess communication based on a security policy. The kernel of the operating system selectively allows the requested interprocess communication between the first application and the second application based on the generated verdict.
    Type: Grant
    Filed: January 28, 2021
    Date of Patent: June 14, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Alexander V. Shadrin, Dmitry A. Kulagin
  • Patent number: 11356468
    Abstract: A method for using inventory rules to identify devices of a computer network includes intercepting data traffic across one or more communication links of the computer network. The intercepted data traffic is analyzed to determine whether one or more of a plurality of inventory rules is satisfied by the intercepted data traffic. Each of the plurality of inventory rules includes one or more conditions indicating the presence of a particular computer network device having a set of parameters. Devices of the computer network are identified using one or more satisfied inventory rules.
    Type: Grant
    Filed: March 19, 2020
    Date of Patent: June 7, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Evgeny E. Prusov, Andrey A. Kiryukhin, Dmitry N. Satanin, Dmitry S. Lukiyan
  • Patent number: 11347892
    Abstract: Disclosed herein are systems and methods for access control in an electronic control unit (ECU). In one aspect, an exemplary method comprises, by an operating system (OS) kernel of the ECU of a vehicle, intercepting at least one request for an interaction of a control application with a basic component through an interaction interface provided by the basic component for interactions with applications, requesting from a security subsystem of the operating system, a verdict as to whether or not access for the interaction of the control application with the basic component through the interaction interface can be provided, and when the verdict is received from the security subsystem granting the access, providing the interaction between the basic component and the control application through the interaction interface in accordance with the received verdict.
    Type: Grant
    Filed: May 15, 2020
    Date of Patent: May 31, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Alexander S. Shadrin, Pavel V. Dyakin, Dmitry A. Kulagin
  • Patent number: 11349809
    Abstract: Disclosed herein are systems and methods for blocking information from being received on a computing device. In one aspect, an exemplary method comprises, by a hardware processor, intercepting a Domain Name System (DNS) request, the intercepted DNS request being associated with the information being blocked from the computing device, obtaining a set of rules for a transmission of the intercepted DNS request, determining whether at least one rule of the obtained set of rules subscribes to a blocking of the transmission of the intercepted DNS request, and blocking the transmission of the intercepted DNS request when at least one rule of the set of rules subscribes to the blocking of the transmission of the intercepted DNS request, wherein the blocking of the transmission of the intercepted DNS request blocks the information from being received on the computing device.
    Type: Grant
    Filed: May 31, 2019
    Date of Patent: May 31, 2022
    Assignee: AO Kaspersky Lab
    Inventor: Alexey P. Komissarov
  • Patent number: 11323461
    Abstract: Disclosed herein are systems and methods for intercepting malicious messages for training a malware detection classifier. In an exemplary aspect, an application selection module may select, from a plurality of applications, an application for execution in an execution environment based on a priority level of the application. During the execution of the selected application, a network interception module may monitor network activity comprising information about data being sent and received over a network connected to the execution environment and store the network activity in memory of the execution environment (e.g., in a network activity log). A message selection module may subsequently extract, from the stored network activity, an electronic message and, in response to determining that the electronic message corresponds to the selected application, may store the electronic message in a message database used for training the malware detection classifier.
    Type: Grant
    Filed: January 17, 2020
    Date of Patent: May 3, 2022
    Assignee: AO Kaspersky Lab
    Inventor: Georgy A. Regentov
  • Patent number: 11297166
    Abstract: Systems and methods for transmitting critical data to a server are provided. The data structure intended for transmission to the server is divided up on the client side into a substructure containing critical data (CD) and a substructure not containing CD. The substructure containing CD is further divided up at the client side into at least two substructures and the resulting substructures are sent consecutively to the server via a node with a transformation module. The substructure not containing CD is sent directly to the server, bypassing the node with the transformation module. After receiving the substructures, they are combined at the server side into a single data structure. The critical data are data with respect to which the law of the state in whose jurisdiction the client or an authorized entity is located imposes restrictions on the gathering, storage, accessing, dissemination and processing thereof.
    Type: Grant
    Filed: August 21, 2019
    Date of Patent: April 5, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Anton S. Lapushkin, Dmitry V. Shmoylov, Andrey V. Ladikov, Andrey A. Efremov
  • Patent number: 11295016
    Abstract: Disclosed herein are systems and methods for categorizing an application on a computing device. In one aspect, an exemplary method comprises, obtaining results of a classification of an application from a security server, when the results of the classification satisfy rules of relevance, designating the results of the classification as relevant and determining a category of the application based on the designation of the results as relevant, and when the results of the classification do not satisfy the rules of relevance, performing at least one of: terminating the categorization of the application, and updating the classification of the application based on a set of attributes of the application.
    Type: Grant
    Filed: October 16, 2019
    Date of Patent: April 5, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Vladimir A. Kuskov, Nikita A. Buchka, Anton A. Kivva, Oleg P. Volkov, Dmitry Y. Lukasevich, Evgeny A. Roginsky, Konstantin M. Filatov, Dmitry V. Latokhin
  • Patent number: 11290440
    Abstract: Disclosed herein are systems and methods for blocking network connections to network resources of forbidden categories.
    Type: Grant
    Filed: March 21, 2019
    Date of Patent: March 29, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Vladislav I. Ovcharik, Oleg G. Bykov, Natalya S. Sidorova
  • Patent number: 11288401
    Abstract: Disclosed herein are systems and methods for reducing a number of false positives in classification of files. In one aspect, an exemplary method comprises, analyzing a file to determine whether or not the file is to be recognized as being malicious, when the file is recognized as being malicious, analyzing the file to detect a false positive outcome, when the false positive outcome is detected, excluding the file from being scanned and calculating a flexible hash of the file, and storing the calculated flexible hash in a database of exceptions.
    Type: Grant
    Filed: September 11, 2019
    Date of Patent: March 29, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Sergey V. Prokudin, Alexander S. Chistyakov, Alexey M. Romanenko
  • Patent number: 11288362
    Abstract: Disclosed are systems and methods for creating antivirus records for antivirus applications. An exemplary method includes: analyzing a log of records of API function calls of a file for presence of malicious behavior using one or more behavioral rules; determining that the file is malicious when a behavioral rule corresponding to one or more records of API function calls from the log is identified; extracting from the log the one or more API function calls associated with the identified behavioral rule; determining whether the one or more extracted records of API function calls are supported by an antivirus application of a user device; and when the one or more extracted records of API function calls are not supported by the antivirus application, adding to the antivirus application, a support for registering the unsupported records of API function calls.
    Type: Grant
    Filed: September 24, 2020
    Date of Patent: March 29, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Sergey V. Gordeychik, Sergey V. Soldatov, Konstantin V. Sapronov
  • Patent number: 11281774
    Abstract: Disclosed herein are systems and methods for optimizing antivirus scanning of files on virtual machines. In one aspect, an exemplary method comprises, determining whether there is a record about a file in a verdict cache, when there is, assigning the verdict found in the verdict cache to the file, and when no record is found in the verdict cache, determining whether the file is currently being scanned in a parallel thread, when the file is currently being scanned in a parallel thread, blocking the scanning of the file until the scanning in the parallel thread is completed, and placing a result of the scanning in the parallel thread in the verdict cache, and when the file is not currently being scanned in a parallel thread, performing the scanning of the file on a current thread, and placing a result of the scanning on the current thread in the verdict cache.
    Type: Grant
    Filed: June 26, 2019
    Date of Patent: March 22, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Denis O. Vlaznev, Alexander S. Saliev, Alexander V. Sizov, Ilya B. Godunov, Igor O. Pavlov, Evgeny S. Semenov
  • Patent number: 11275835
    Abstract: Systems and methods for performing a repeat antivirus scan of a file are disclosed. A local database is saved on a mobile device, where each record is added to the database when the corresponding file is recognized as being non-malicious as a result of an antivirus scan. A short hash sum of the file is computed and the long hash sum of the file and information about the antivirus scan performed and corresponding to the first hash sum of the file are found in the aforementioned database. Using the long hash sum, a verdict on the file is requested from the cloud services. An antivirus scan of the file is performed, except when the verdict obtained is unchanged (as compared to the verdict contained in the information about the antivirus scan performed of the obtained record corresponding to the file), and no updating of the antivirus databases has occurred since the date of performing the antivirus scan.
    Type: Grant
    Filed: September 18, 2019
    Date of Patent: March 15, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Victor V. Chebyshev, Dmitry N. Glavatskikh, Konstantin M. Filatov, Vladimir A. Kuskov
  • Patent number: 11277417
    Abstract: Disclosed are systems and methods for generating rules for detecting and blocking attacks on electronics systems of a means of transportation. A security server receives log data having messages that were intercepted on the buses of the means of transportation around the time of a road traffic accident with the means of transportation. The security server detects computer attacks on the electronics systems and generates one or more rules that depend on one or more indicators of compromise, such as malicious messages used in a computer attack and information on at least one ECU that is a recipient of the malicious messages. The generated rules further specify actions for blocking subsequent computer attacks, such as blocking, modifying, or changing communications within the communications bus of the vehicle.
    Type: Grant
    Filed: August 8, 2018
    Date of Patent: March 15, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Pavel V. Dyakin, Alexander V. Shadrin, Dmitry A. Kulagin
  • Patent number: 11275836
    Abstract: Disclosed herein are systems and methods for determining trust levels of files on a computing device. In one aspect, an exemplary method comprises, selecting file names which are stable, generating at least one group of files from at least two files of the selected file names, the at least two files being components of a same application, searching for a presence of a dominant developer such that at least one private key of the dominant developer has been used to sign at least one file of the group of files that is generated, when a dominant developer is found, determining a trust level for all files of the group in accordance with verdicts associated with the dominant developer, and when the dominant developer is not found, determining the trust level for all the files of the group based on verdicts of outside services that have been assigned to the files of the group.
    Type: Grant
    Filed: October 31, 2019
    Date of Patent: March 15, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Sergey G. Zagorsky, Dmitry V. Shvetsov
  • Patent number: 11269996
    Abstract: A method for protecting memory pages of a computing device using a hypervisor includes detecting, by a hypervisor, a token associated with the trusted program, in response to receiving a hypercall from a trusted program. The token associated with the trusted program is checked against a saved token of the hypervisor to determine trustworthiness of the trusted program. The hypervisor creates a memory page containing a safe hypercall address of the hypervisor. Addresses of the memory page are transmitted from the hypervisor to the trusted program. The hypervisor allows execution of the hypercall by the trusted program accessing the safe hypercall address found at the addresses of the memory page.
    Type: Grant
    Filed: November 13, 2018
    Date of Patent: March 8, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Nikolay N. Igotti, Mikhail A. Ershov