Abstract: An endpoint computer system can harvest data relating to a plurality of events occurring within an operating environment of the endpoint computer system and can add the harvested data to a local data store maintained on the endpoint computer system. In some examples, the local data store can be an audit log and/or can include one or more tamper resistant features. Systems, methods, and computer program products are described.

Abstract: In one respect, there is provided a system for training a neural network adapted for classifying one or more scripts. The system may include at least one processor and at least one memory. The memory may include program code that provides operations when executed by the at least one memory. The operations may include: extracting, from an icon associated with a file, one or more features; assigning, based at least on the one or more features, the icon to one of a plurality of clusters; and generating, based at least on the cluster to which the icon is assigned, a classification for the file associated with the icon. Related methods and articles of manufacture, including computer program products, are also provided.

Abstract: An endpoint computer system can harvest data relating to a plurality of events occurring within an operating environment of the endpoint computer system and can add the harvested data to a local data store maintained on the endpoint computer system. A query response can be generated, for example by identifying and retrieving responsive data from the local data store. The responsive data are related to an artifact on the endpoint computer system and/or to an event of the plurality of events. In some examples, the local data store can be an audit log and/or can include one or more tamper resistant features. Systems, methods, and computer program products are described.

Abstract: In one aspect there is provided a method. The method may include: determining that an executable implements a sub-execution environment, the sub-execution environment being configured to receive an input, and the input triggering at least one event at the sub-execution environment; intercepting the event at the sub-execution environment; and applying a security policy to the intercepted event, the applying of the policy comprises blocking the event, when the event is determined to be a prohibited event. Systems and articles of manufacture, including computer program products, are also provided.

Abstract: Methods are described herein for communications bus data transmission using relative ground shifting. A plurality of voltage lines of at least one electronic control unit (ECU) are monitored. The at least one ECU electrically coupled to a communications bus. A voltage differential across at least two of the plurality of voltage lines of the at least one ECU is measured. A pulse or data stream is injected into the communications bus via one or two voltage lines based on the measured voltage differential having an amplitude lower than a predetermined voltage threshold.

Abstract: Described are techniques to enable computers to efficiently determine if they should run a program based on an immediate (i.e., real-time, etc.) analysis of the program. Such an approach leverages highly trained ensemble machine learning algorithms to create a real-time discernment on a combination of static and dynamic features collected from the program, the computer's current environment, and external factors. Related apparatus, systems, techniques and articles are also described.

Abstract: An agent inserts one or more hooks into a sub-execution runtime environment that is configured to include a script and/or targeted to include the script. The agent including the one or more hooks monitors a behavior of the sub-execution runtime environment and/or the script. The agent subsequently obtains context information regarding the sub-execution runtime environment and/or the script so that it can control the runtime of at least the sub-execution runtime environment. Related systems, methods, and articles of manufacture are also disclosed.

Abstract: In one respect, there is provided a system for training a neural network adapted for classifying one or more scripts. The system may include at least one processor and at least one memory. The memory may include program code which when executed by the at least one memory provides operations including: receiving a disassembled binary file that includes a plurality of instructions; processing the disassembled binary file with a convolutional neural network configured to detect a presence of one or more sequences of instructions amongst the plurality of instructions and determine a classification for the disassembled binary file based at least in part on the presence of the one or more sequences of instructions; and providing, as an output, the classification of the disassembled binary file. Related computer-implemented methods are also disclosed.

Abstract: Data is received or accessed that includes a structured file encapsulating data required by an execution environment to manage executable code wrapped within the structured file. Thereafter, code and data regions are iteratively identified in the structured file. Such identification is analyzed so that at least one feature can be extracted from the structured file. Related apparatus, systems, techniques and articles are also described.

Abstract: A plurality of data files is received. Thereafter, each file is represented as an entropy time series that reflects an amount of entropy across locations in code for such file. A wavelet transform is applied, for each file, to the corresponding entropy time series to generate an energy spectrum characterizing, for the file, an amount of entropic energy at multiple scales of code resolution. It can then be determined, for each file, whether or not the file is likely to be malicious based on the energy spectrum. Related apparatus, systems, techniques and articles are also described.

Abstract: Determining, by a machine learning model in an isolated operating environment, whether a file is safe for processing by a primary operating environment. The file is provided, when the determining indicates the file is safe for processing, to the primary operating environment for processing by the primary operating environment. When the determining indicates the file is unsafe for processing, the file is prevented from being processed by the primary operating environment. The isolated operating environment can be maintained on an isolated computing system remote from a primary computing system maintaining the primary operating system. The isolating computing system and the primary operating system can communicate over a cloud network.

Abstract: Data is received that includes at least a portion of a program. Thereafter, entry point locations and execution-relevant metadata of the program are identified and retrieved. Regions of code within the program are then identified using static disassembly and based on the identified entry point locations and metadata. In addition, entry points are determined for each of a plurality of functions. Thereafter, a set of possible call sequences are generated for each function based on the identified regions of code and the determined entry points for each of the plurality of functions. Related apparatus, systems, techniques and articles are also described.

Abstract: Transaction terminal malicious software is detected by monitoring calls of a first process to identify attempts by the first process to read memory used by a second process. The first and second processes are different from each other and are executed by at least one data processor forming part of a transaction terminal system having at least one transaction terminal. Thereafter, it is determined that the memory used by the second process comprises patterns indicative of sensitive financial or identification information. In response, at least one corrective action is initiated to prevent use of the financial or identification information. Related apparatus, systems, techniques and articles are also described.

Abstract: Data is received that includes a plurality of samples that each characterize interception of data traffic to a computing device over a network. Thereafter, the plurality of samples characterizing the interception of data traffic are grouped into a plurality of clusters. At least a portion of the samples are labeled to characterize a likelihood of each such sample as relating to an unauthorized interception of data traffic. Each cluster is assigned with a label corresponding to a majority of samples within such cluster. At least one machine learning model is trained using the assigned labeled clusters such that, once trained, the at least one machine learning model determines a likelihood of future samples as relating to an unauthorized interception of data traffic to a corresponding computing device.

Abstract: A first node of a networked computing environment initiates each of a plurality of different types of man-in-the middle (MITM) detection tests to determine whether communications between first and second nodes of a computing network are likely to have been subject to an interception or an attempted interception by a third node. Thereafter, it is determined, by the first node, that at least one of the tests indicate that the communications are likely to have been intercepted by a third node. Data is then provided, by the first node, data that characterizes the determination. In some cases, one or more of the MITM detection tests utilizes a machine learning model. Related apparatus, systems, techniques and articles are also described.

Abstract: As part of an analysis of the likelihood that a given input (e.g. a file, etc.) includes malicious code, a convolutional neural network can be used to review a sequence of chunks into which an input is divided to assess how best to navigate through the input and to classify parts of the input in a most optimal manner. At least some of the sequence of chunks can be further examined using a recurrent neural network in series with the convolutional neural network to determine how to progress through the sequence of chunks. A state of the at least some of the chunks examined using the recurrent neural network summarized to form an output indicative of the likelihood that the input includes malicious code. Methods, systems, and articles of manufacture are also described.

Abstract: As part of an analysis of the likelihood that a given input (e.g. a file, etc.) includes malicious code, a convolutional neural network can be used to review a sequence of chunks into which an input is divided to assess how best to navigate through the input and to classify parts of the input in a most optimal manner. At least some of the sequence of chunks can be further examined using a recurrent neural network in series with the convolutional neural network to determine how to progress through the sequence of chunks. A state of the at least some of the chunks examined using the recurrent neural network summarized to form an output indicative of the likelihood that the input includes malicious code. Methods, systems, and articles of manufacture are also described.

Abstract: A first node of a networked computing environment initiates each of a plurality of different man-in-the middle (MITM) detection tests to determine whether communications between first and second nodes of a computing network are likely to have been subject to an interception or an attempted interception by a third node. Thereafter, it is determined, by the first node, that at least one of the tests indicate that the communications are likely to have been intercepted by a third node. Data is then provided, by the first node, data that characterizes the determination. Related apparatus, systems, techniques and articles are also described.

Abstract: In one respect, there is provided a system for loading managed applications. The system may include at least one processor and at least one memory. The memory may include program code which when executed by the at least one memory provides operations including: generating a single process, the generating comprising running a native code executable, the running of the native code execute loading a loader manager as part of the single process; loading, by the loader manager running within the single process, a runtime environment corresponding to a non-native code application; and loading, by the loader manager, the non-native code application, the non-native code application being loaded to run as part of the single process.

Abstract: A first node of a networked computing environment initiates each of a plurality of different man-in-the middle (MITM) detection tests to determine whether communications between first and second nodes of a computing network are likely to have been subject to an interception or an attempted interception by a third node. Thereafter, it is determined, by the first node, that at least one of the tests indicate that the communications are likely to have been intercepted by a third node. Data is then provided, by the first node, data that characterizes the determination. Related apparatus, systems, techniques and articles are also described.