Patents Assigned to GROUP-IB TDS LTD.
  • Patent number: 11947572
    Abstract: A method and a system for clustering executable files are provided. The method comprises: obtaining a plurality of executable files; for each executable file: (i) detecting repeat sequences of commands of a predetermined length in a given executable file; (ii) determining at least one frequently occurring sequence of the repeat sequences in the given executable file; and based on the at least one frequently occurring sequence of commands, attributing the given executable file to a respective family; iteratively executing the detecting, the determining, and the attributing until one of: all of the plurality of executable files are attributed to at least one respective family, and until un-attributed files of the plurality of executable files do not contain any repeat sequences of commands; and responsive to presence of un-attributed files, attributing each of the un-attributed files of the plurality of executable files to a separate family.
    Type: Grant
    Filed: September 27, 2021
    Date of Patent: April 2, 2024
    Assignee: GROUP IB TDS, LTD
    Inventor: Ilia Sergeevich Pomerantsev
  • Patent number: 11847223
    Abstract: A method and a system for identifying indicators of compromise are provided. The method comprises: obtaining a given malware carrier configured for executing a main malware module; generating, based on the given malware carrier, an attack roadmap, the attack roadmap including a plurality of malware carriers; determining a malware class of each one of the plurality of malware carriers; generating a current list of indicators of compromise of each of the plurality of malware carriers; searching a database to locate at least one stored attack roadmap including a plurality of stored malware carriers; retrieving from the database a stored list of indicators of compromise for each of the plurality of stored malware carriers; generating an amalgamated list of indicators of compromise based on the current list of indicators of compromise and the stored list of indicators of compromise; and storing, in the database, the amalgamated list of indicators of compromise.
    Type: Grant
    Filed: February 18, 2021
    Date of Patent: December 19, 2023
    Assignee: GROUP IB TDS, LTD
    Inventor: Ilia Sergeevich Pomerantsev
  • Patent number: 11526608
    Abstract: Methods and systems for determining an affiliation of a given software with target software are provided. The method comprises: receiving a software source code of the given software; executing the software source code in an isolated program environment to identify at least one outgoing request of the given software, the at least one outgoing request being indicative of at least one respective function of the software source code; generating, based on the at least one outgoing request, a respective function identifier associated with the at least one respective function; applying at least one classifier to the respective function identifier to determine a likelihood parameter indicative of the given software being affiliated to a respective target software; in response to the likelihood parameter being equal to or greater than a predetermined likelihood parameter threshold: identifying the given software as being affiliated to the respective target software.
    Type: Grant
    Filed: October 22, 2020
    Date of Patent: December 13, 2022
    Assignee: GROUP IB TDS, LTD
    Inventors: Pavel Vladimirovich Slipenchuk, Ilia Sergeevich Pomerantsev
  • Patent number: 11503044
    Abstract: There are disclosed a method and a computing device for detecting malicious domain names in network traffic. The method comprises: receiving the network traffic from a data network; extracting a plurality of data packets from the network traffic; analyzing the plurality of data packets in order to extract at least one domain name from the plurality of data packets; generating, for a given one of the at least one domain name, a given numerical value representative of a suspiciousness of the given domain name, the given numerical value being based on a given set of features of domain name suspiciousness corresponding to one of a given set of analysis methods; and classifying the given domain name as a malicious domain name in response to an analysis being indicative of the given domain name being a malicious domain name.
    Type: Grant
    Filed: January 15, 2019
    Date of Patent: November 15, 2022
    Assignee: GROUP IB TDS, LTD
    Inventor: Nikita Igorevich Kislitsin
  • Patent number: 11356470
    Abstract: A method and a system for determining vulnerabilities on a network are provided. The method comprises: receiving data indicative of a first network architecture element; determining, based on the data, a respective one of a plurality of predetermined task templates, the respective one of the plurality of predetermined task templates including one or more tasks for identifying respective vulnerabilities associated with the first network architecture element; in response to identifying, based on the respective one of the plurality of predetermined task templates, at least one vulnerability associated with the first network architecture element, the at least one vulnerability providing access to a second network architecture element associated with the first network architecture element: determining data indicative of the second network architecture element; and using the data indicative of the second network architecture element for identifying further vulnerabilities on the network.
    Type: Grant
    Filed: September 14, 2020
    Date of Patent: June 7, 2022
    Assignee: GROUP IB TDS, LTD
    Inventor: Anton Dmitrievich Kuzmin
  • Patent number: 11250129
    Abstract: A method and a system for determining an affiliation of a given software with target software are provided. The method comprises: receiving a file including a machine code associated with the given software; determining a file format; identifying, based on the file format, in the machine code, at least one function of a plurality of functions; generating, for each one of the plurality of functions associated with the given software, a respective function identifier; aggregating respective function identifiers, thereby generating an aggregated array of function identifiers associated with the given software; applying at least one classifier to the aggregated array of function identifiers to determine a likelihood parameter indicative of the given software being affiliated to a respective target software; in response to the likelihood parameter being equal to or greater than a predetermined likelihood parameter threshold: identifying the given software as being affiliated to the respective target software.
    Type: Grant
    Filed: November 3, 2020
    Date of Patent: February 15, 2022
    Assignee: GROUP IB TDS, LTD
    Inventors: Pavel Vladimirovich Slipenchuk, Ilia Sergeevich Pomerantsev
  • Patent number: 11122061
    Abstract: There is disclosed a method for determining malicious files in network traffic, the method executable by a server. The method comprises: receiving the network traffic from a data communication network; retrieving a plurality of files from the network traffic; analyzing the plurality of files in order to detect at least one suspicious file; running the at least one suspicious file in at least one virtual machine, the at least one virtual machine being associated with a set of status parameters; determining changes in the set of status parameters of the at least one virtual machine; and analyzing the changes in the set of status parameters using a set of analysis rules so as to classify the at least one suspicious file as a malicious file based on the changes in the set of status parameters being indicative of the at least one suspicious file being a malicious file.
    Type: Grant
    Filed: January 16, 2019
    Date of Patent: September 14, 2021
    Assignee: GROUP IB TDS, LTD
    Inventors: Nikita Igorevich Kislitsin, Nikolay Nikolaevich Andreev
  • Patent number: 10581880
    Abstract: There is provided a method for auto-generation of decision rules for attack detection feedback systems. The method is executed on a server. The method comprises: receiving at least one event from an event database, the event database having been generated from data obtained by at least one sensor; analyzing the at least one event to determine whether the at least one event belongs to a class of malware control center interactions; if the at least one event belongs to the class of malware control center interactions, extracting at least one attribute from the at least one event; generating decision rules using the at least one attribute; and saving the decision rules, the decision rules being instrumental in updating what type of further data is obtained by the at least one sensor based on the decision rules.
    Type: Grant
    Filed: September 18, 2017
    Date of Patent: March 3, 2020
    Assignee: GROUP-IB TDS LTD.
    Inventor: Nikita Igorevich Kislitsin