Abstract: A method and computing device for statistical data fingerprinting and tracing data similarity of documents. The method comprises applying a statistical function to a subset of text in a first document thereby generating a first fingerprint; applying the statistical function to a subset of text in a second document thereby generating a second fingerprint; comparing the first fingerprint to the second fingerprint; and determining that the subset of text in the first document matches the subset of text in the second document based on the first fingerprint threshold matching the second fingerprint, wherein the statistical function is a measure of randomness of a count of each character in a subset of text against an expected distribution of said characters.

Abstract: Executable memory space is protected by receiving, from a process, a request to configure a portion of memory with a memory protection attribute that allows the process to perform at least one memory operation on the portion of the memory. Thereafter, the request is responded to with a grant, configuring the portion of memory with a different memory protection attribute than the requested memory protection attribute. The different memory protection attribute restricting the at least one memory operation from being performed by the process on the portion of the memory. In addition, it is detected when the process attempts, in accordance with the grant, the at least one memory operation at the configured portion of memory. Related systems and articles of manufacture, including computer program products, are also disclosed.

Abstract: Hash-based application programming interface (API) importing can be prevented by allocating a name page and a guard page in memory. The name page and the guard page being associated with (i) an address of names array, (ii) an address of name ordinal array, and (iii) an address of functions array that are all generated by an operating system upon initiation of an application. The name page can then be filled with valid non-zero characters. Thereafter, protections on the guard page can be changed to no access. An entry is inserted into the address of names array pointing to a relative virtual address corresponding to anywhere within the name page. Access to the guard page causes the requesting application to terminate. Related apparatus, systems, techniques and articles are also described.

Abstract: An artefact is received and parsed into a plurality of observations. A first subset of the observations are inputted into a machine learning model trained using historical data to classify the artefact. In addition, a second subset of the observations are inputted into a xenospace centroid configured to classify the artefact. Thereafter, the artefact is classified based on a combination of an output of the machine learning model and an output of xenospace centroid. Related apparatus, systems, techniques and articles are also described.

Abstract: Systems, methods, and articles of manufacture, including computer program products, are provided for classification systems and methods using modeling. In some example embodiments, there is provided a system that includes at least one processor and at least one memory including program code which when executed by the at least one memory provides operations. The operations can include generating a representation of a sequence of sections of a file and/or determining, from a model including conditional probabilities, a probability for each transition between at least two sequential sections in the representation. The operations can further include classifying the file based on the probabilities for each transition.

Abstract: Presence of malicious code can be identified in one or more data samples. A feature set extracted from a sample is vectorized to generate a sparse vector. A reduced dimension vector representing the sparse vector can be generated. A binary representation vector of reduced dimension vector can be created by converting each value of a plurality of values in the reduced dimension vector to a binary representation. The binary representation vector can be added as a new element in a dictionary structure if the binary representation is not equal to an existing element in the dictionary structure. A training set for use in training a machine learning model can be created to include one vector whose binary representation corresponds to each of a plurality of elements in the dictionary structure.

Abstract: Systems are provided herein for communications bus signal fingerprinting. A security module monitors a plurality of voltage lines of at least one electronic control unit (ECU) electrically coupled to a communications bus. A voltage differential across at least two of the plurality of voltage lines of the at least one ECU is measured. The voltage differential is compared to a plurality of predetermined signal fingerprints associated with the at least one ECU. A variance in the compared voltage differential is identified relative to one or more of the plurality of predetermined signal fingerprints. Data characterizing the identified variance is provided.

Abstract: Systems and methods are described herein for computer user authentication using machine learning. Authentication for a user is initiated based on an identification confidence score of the user. The identification confidence score is based on one or more characteristics of the user. Using a machine learning model for the user, user activity of the user is monitored for anomalous activity to generate first data. Based on the monitoring, differences between the first data and historical utilization data for the user determine whether the user's utilization of the one or more resources is anomalous. When the user's utilization of the one or more resource is anomalous, the user's access to the one or more resource is removed.

Abstract: A system is provided for training a machine learning model to detect malicious container files. The system may include at least one processor and at least one memory. The memory may include program code which when executed by the at least one processor provides operations including: processing a container file with a trained machine learning model, wherein the trained machine learning is trained to determine a classification for the container file indicative of whether the container file includes at least one file rendering the container file malicious; and providing, as an output by the trained machine learning model, an indication of whether the container file includes the at least one file rendering the container file malicious. Related methods and articles of manufacture, including computer program products, are also disclosed.

Abstract: In one respect, there is provided a system for training a neural network adapted for classifying one or more scripts. The system may include at least one processor and at least one memory. The memory may include program code that provides operations when executed by the at least one processor. The operations may include: reducing a dimensionality of a plurality of features representative of a file set; determining, based at least on a reduced dimensional representation of the file set, a distance between a file and the file set; and determining, based at least on the distance between the file and the file set, a classification for the file. Related methods and articles of manufacture, including computer program products, are also provided.

Abstract: An endpoint computer system can harvest data relating to a plurality of events occurring within an operating environment of the endpoint computer system and can add the harvested data to a local data store maintained on the endpoint computer system. A query response can be generated, for example by identifying and retrieving responsive data from the local data store. The responsive data are related to an artifact on the endpoint computer system and/or to an event of the plurality of events. In some examples, the local data store can be an audit log and/or can include one or more tamper resistant features. Systems, methods, and computer program products are described.

Abstract: An endpoint computer system can harvest data relating to a plurality of events occurring within an operating environment of the endpoint computer system and can add the harvested data to a local data store maintained on the endpoint computer system. In some examples, the local data store can be an audit log and/or can include one or more tamper resistant features. Systems, methods, and computer program products are described.

Abstract: Data is analyzed using feature hashing to detect malware. A plurality of features in a feature set is hashed. The feature set is generated from a sample. The sample includes at least a portion of a file. Based on the hashing, one or more hashed features are indexed to generate an index vector. Each hashed feature corresponds to an index in the index vector. Using the index vector, a training dataset is generated. Using the training dataset, a machine learning model for identifying at least one file having a malicious code is trained.

Abstract: In one respect, there is provided a system for training a machine learning model to detect malicious container files. The system may include at least one processor and at least one memory. The at least one memory may include program code that provides operations when executed by the at least one processor. The operations may include: training, based on a training data, a machine learning model to enable the machine learning model to determine whether at least one container file includes at least one file rendering the at least one container file malicious; and providing the trained machine learning model to enable the determination of whether the at least one container file includes at least one file rendering the at least one container file malicious. Related methods and articles of manufacture, including computer program products, are also disclosed.

Abstract: Determining, by a machine learning model in an isolated operating environment, whether a file is safe for processing by a primary operating environment. The file is provided, when the determining indicates the file is safe for processing, to the primary operating environment for processing by the primary operating environment. When the determining indicates the file is unsafe for processing, the file is prevented from being processed by the primary operating environment. The isolated operating environment can be maintained on an isolated computing system remote from a primary computing system maintaining the primary operating system. The isolating computing system and the primary operating system can communicate over a cloud network.

Abstract: Systems, methods, and devices are described herein for detecting abnormalities within a system based on signal fingerprinting. A plurality of electrical signals are concurrently received from a transceiver over a time period. The time period is partitioned into a plurality of sampling windows. An electrical signal of the plurality of electrical signals is sequentially selected. For the sequentially selected electrical signal, a temporal snapshot of said electrical signal is iteratively captured over a sampling window of the plurality of sampling windows. This iterative capturing is repeated for remaining sampling windows of the plurality of sampling windows. Each captured temporal snapshot is temporally concatenated over the time period according to its respective temporal position of the time period to generate the signal fingerprint.

Abstract: In one respect, there is provided a system for classifying malware. The system may include a data processor and a memory. The memory may include program code that provides operations when executed by the processor. The operations may include: providing, to a display, contextual information associated with a file to at least enable a classification of the file, when a malware classifier is unable to classify the file; receiving, in response to the providing of the contextual information, the classification of the file; and updating, based at least on the received classification of the file, the malware classifier to enable the malware classifier to classify the file. Methods and articles of manufacture, including computer program products, are also provided.

Abstract: A mismatch between model-based classifications produced by a first version of a machine learning threat discernment model and a second version of a machine learning threat discernment model for a file is detected. The mismatch is analyzed to determine appropriate handling for the file, and taking an action based on the analyzing. The analyzing includes comparing a human-generated classification status for a file, a first model version status that reflects classification by the first version of the machine learning threat discernment model, and a second model version status that reflects classification by the second version of the machine learning threat discernment model. The analyzing can also include allowing the human-generated classification status to dominate when it is available.

Abstract: An artefact is received. Features are extracted from this artefact which are, in turn, used to populate a vector. The vector is then input into a classification model to generate a score. The score is then modified using a step function so that the true score is not obfuscated. Thereafter, the modified score can be provided to a consuming application or process. Related apparatus, systems, techniques and articles are also described.

Abstract: In one aspect, a computer-implemented method is disclosed. The computer-implemented method may include determining a sketch matrix that approximates a matrix representative of a reference dataset. The reference dataset may include at least one computer program having a predetermined classification. A reduced dimension representation of the reference dataset may be generated based at least on the sketch matrix. The reduced dimension representation may have a fewer quantity of features than the reference dataset. A target computer program may be classified based on the reduced dimension representation. The target computer program may be classified to determine whether the target computer program is malicious. Related systems and articles of manufacture, including computer program products, are also disclosed.