Abstract: A system and method for performing a task on a computing device based on access rights are described. In one aspect, an exemplary method comprises, gathering data characterizing a task by intercepting function calls used to perform the task, and sending a request to an operating system of the computing device to temporarily interrupt the called functions until access rights are determined, determining a threat level of the task based on the gathered data and task templates, generating a test based on the threat level and test generating rules and presenting the test to the user, analyzing results of the test and determining access rights of the task based on the results, and performing the task based on the access rights.

Abstract: Disclosed are systems and methods for enabling transmission of data and commands between a mobile device and a vehicle. An exemplary method comprises connecting a security device to a vehicle and to a mobile device, the security device having a protected memory, verifying, by the security device, an authenticity of the mobile device, allowing, by the security device, transmission of data and commands between the mobile device and at least one actuating device of the vehicle when the mobile device is verified as being authentic, transmitting, by the security device, results of executions of commands from the at least one actuating device of the vehicle to the mobile device.

Abstract: Disclosed herein are systems and method for securely sending user data. In an exemplary aspect, a trusted party device may receive a request for user data and a first hash of the request stored in a distributed registry. In response to verifying that the first hash matches a hash of the request as calculated by the trusted party device, the trusted party device may generate and transmit both a confirmation request to send the user data and a second hash of the confirmation request to an authorized user device. The trusted party device may receive, from the authorized user device, both a confirmation message and a third hash of the confirmation message stored in the distributed registry. In response to verifying that the third hash matches a hash of the confirmation message as calculated by the trusted party device, the trusted party device may send the requested user data.

Abstract: System and methods are provided for searching users that meet one or more search requirements. Configuration profiles are obtained of computing systems operated by sample users that have at least one determined characteristic. A machine learning model is generated that associates the determined characteristic of the sample users with the configuration profiles of the computing systems of the sample users. Identifying at least one target user that matches the at least one determined characteristic specified in a search query based on analysis of the configuration profile of the computing system of said target user by the machine learning model.

Abstract: Disclosed herein are methods and systems for detecting malicious files. An exemplary method comprises emulating execution of a file under analysis, forming a behavior log of the emulated execution of the file under analysis, forming one or more behavior patterns from commands and parameters selected from the behavior log, calculating a convolution of the one or more behavior patterns, selecting two or more models for detecting malicious files from a database, calculating a degree of maliciousness of the file being executed based using the convolution and the two or more models, forming a decision making template based on the degree of maliciousness and determining that the file is malicious when a degree of similarity between the decision making template and a predetermined decision making template exceeds a predetermined threshold value.

Abstract: The present disclosure provides systems and methods to stepwise increasing the IT security of elements of a technological system. In an exemplary aspect, the method comprises gathering data on technological systems and a plurality of elements comprising the technological system by intercepting traffic between the plurality of elements using data exchange protocols, identifying vulnerable elements of the technological system by one or more of: detecting suspicious actions on the vulnerable elements and statistical data relating to the elements, analyzing the vulnerable elements to generate a classification of severity of vulnerabilities of the vulnerable elements, identifying most vulnerable portions of the vulnerable elements as compared to other elements in the vulnerable elements, operating the most vulnerable portions of the vulnerable elements in a protected environment.

Abstract: A system and method is provided for providing a set of convolutions to a computing device for detecting anomalous events occurring in an operating system of the computing device. An exemplary method includes launching an agent in an operating system of a client device, registering, by the agent, events occurring in the operating system, for each registered event, determining a context of the event, wherein the context comprises a call stack at a moment of occurrence of the event, selecting a set of features based on the call stack of the event, generating a convolution based on the selected set of features of the event and the context of the event, and adding the generated convolution to a set of convolutions of events occurring on client devices, and providing, to a client device from which a request is received, the set of convolutions of events occurring on client devices.

Abstract: Methods and systems are described in the present disclosure for classifying malicious objects. In an exemplary aspect, a method includes: collecting data describing a state of an object of the computer system, forming a vector of features, calculating a degree of similarity based on the vector, calculating a limit degree of difference that is a numerical value characterizing the probability that the object being classified will certainly belong to another class, forming a criterion for determination of class of the object based on the degree of similarity and the limit degree of difference, determining that the object belongs to the determined class when the data satisfies the criterion, wherein the data is collected over a period of time defined by a data collection rule and pronouncing the object as malicious when it is determined that the object belongs to the specified class.

Abstract: Disclosed herein are methods and systems for detecting malicious files. An exemplary method comprises: forming a feature vector based on behavioral data of execution of a file, calculating parameters based on the feature vector using a trained model for calculation of parameters, wherein the parameters comprise: i) a degree of maliciousness that is a probability that the file may be malicious, and ii) a limit degree of safety that is a probability that the file will definitely prove to be malicious, wherein an aggregate of consecutively calculated degrees is described by a predetermined time law, deciding that the file is malicious when the degree of maliciousness and the limit degree of safety satisfy a predetermined criterion, wherein that criterion is a rule for the classification of the file according to an established correlation between the degree of maliciousness and the limit degree of safety.

Abstract: The present disclosure provides systems and methods of early determination of anomalies using a graphical user interface. In one aspect such a method comprises: receiving information about one or more features of a cyber-physical system, receiving information about a period of time for monitoring the one or more features, generating a forecast of values of the one or more features of the cyber-physical system over the period of time based on a forecasting model for graphing in a graphical user interface, determining a total error of the forecast for all of the one or more features and determining an error for each of the one or more features over the period of time, determining that the error for one feature of the one or more features is greater than a predetermined threshold and identifying the one feature as a source of an anomaly in the cyber-physical system.

Abstract: Disclosed herein are systems and methods for detecting unauthorized alteration with regard to a certificate store. In one aspect, an exemplary method comprises, tracking changes in a file system or a system registry of an operating system of a device with regard to the certificate store, detecting an alteration or an attempted alteration with regard to the certificate and sending information about the alternation or the attempted alteration to an analysis module, obtaining information about at least one certificate with which a change in the file system or the system registry with regard to the certificate store is connected, and determining a class of the change, where the class of the change is determined from a portion of the respective system registry or the file system in which the change occurred and from an action associated with the change, and comparing the obtained information to similar information on known certificates.

Abstract: The present disclosure is directed to methods and systems for training a classifier for determining the category of a document. In an exemplary aspect, a method comprises obtaining one or more documents belonging to a first category as a training sample for a classifier, determining objects contained in each of the one or more documents, forming, by a hardware processor, a set of features consisting of the objects, constructing the classifier by selecting a classification model and training the classifier based on the set of features, obtaining additional documents belonging to the first category, calculating an error of classification of the additional documents using the classifier and when the error exceeds a given value, obtaining a second set of documents belonging to the first category or one or more new categories, otherwise, determining that the classifier is complete.

Abstract: Disclosed are systems and methods for recognizing files as malicious. One exemplary method comprises intercepting a file for analysis received at a computing device of a user, opening the file for analysis in an environment for safe execution, generating a log that stores a portion of information occurring during opening of the file for analysis in the environment for safe execution, analyzing the log to recognize a first set of security related events from the portion of information, tracking a second set of security related events when the file for analysis is opened on the computing device, comparing the second set of security related events and the first set of security related events to identify a discrepancy; and in response to identifying the discrepancy, recognizing the file under analysis as malicious.

Abstract: Disclosed herein are systems and methods for generating heuristic rules for identifying spam emails. In one aspect, an exemplary method comprises, collecting and analyzing statistical data on contents of a emails to identify different types of content, including headers or hyperlinks, grouping the emails into clusters based on identified types of content, at least one cluster including groups of fields in the headers of said emails, selecting at least one most frequent combination of groups of data in each cluster, generating a hash from the at least one most frequent combination of groups, formulating at least one regular expression based on an analysis of hyperlinks corresponding to the generated hashes, and generating at least one heuristic rule for identifying emails containing spam by combining at least one hash and the corresponding regular expression, wherein at least one hash is from sequences of fields in the headers of said emails.

Abstract: Systems and methods for detecting malicious activity in a computer system. One or more graphs can be generated based on information objects about the computer system and relationships between the information objects, where the information objects are vertices in the graphs and the relationships are edges in the graphs. Comparison of generated graphs to existing graphs can determine a likelihood of malicious activity.

Abstract: Systems and methods for identifying unknown attributes of web data fragments during operation of a web browser with a web page. A security engine allows for the correct displaying of a web page in a browser when no information is available about the attributes of web data fragments for the web page by identifying the attributes of web data fragments for the web page.

Abstract: Disclosed is a methods for secure online authentication comprising determining, by a secure device, that a connection is being established between a browser and a protected website by analyzing web requests from the browser, obtaining information for the protected website when a request for authentication is received from the protected website, establishing a protected data transmission channel between the secure device and the protected website, receiving one or more authentication certificates from the protected website, verifying validity of the one or more authentication certificates, performing authentication and transmitting, from the device, authentication data stored on the device to the protected website, transmitting a new session identifier from the device to the browser for enabling access to the protected website and requesting that the browser dispatch the new session identifier to the protected website in response to the connection being established via the web requests.

Abstract: A system and method is provided for changing parameter values of a computer system without changing security properties. An exemplary method includes receiving a request to change a system configuration of the computer system and identifying a parameter relating to system configurations based on the received request. Furthermore, based on the identified parameter, the method includes receiving instructions to change the identified at least one parameter and initiating a transaction to change the identified at least one parameter based on the received instructions. The initiated transaction is then analyzed to determine whether the change to the parameter will lower a security level of the computer system. If not, the method will execute the change of the identified parameter related to the system configuration.

Abstract: Disclosed herein are systems and methods of selecting security virtual machines (SVMs) for a virtual machine (VM) in a virtual infrastructure. In one aspect, an exemplary method comprises, forming a list of SVMs, wherein SVM performs security tasks for the VM, and VM includes a security agent configured to interact with the SVM, determining restriction requirements of the security agent and removing from the list SVMs not conforming to restriction requirements on limits of interaction area of the security agent, polling SVMs remaining on the list to determine network accessibility of said SVMs and removing inaccessible SVMs, for each accessible SVM remaining on the list, determining whether a marker of the SVM matches that of the security agent of the VM and removing SVMs whose markers do not match the marker of the security agent, and providing the list of remaining SVMs to the security agent of the VM.

Abstract: Systems and methods for provided for detecting compatible modules for replacing anomalous elements in computing systems. The described technique includes receiving system parameters specifying functionality of a first computing system, and querying a state model using the received system parameters to detect an anomaly within the first computing system. In response to detecting an anomaly in the first computing system based on the state model, the system determines a recovery method based on a recovery-method model and information about the detected anomaly, and selecting, from a tool database, a third-party, system-compatible tool configured to implement the determined recovery method.