Abstract: Methods, apparatuses and systems for automatic binary file segmentation include receiving binary content, applying a first machine learning process to the binary content to determine data segments in the binary content by identifying at least one of a respective starting point or end point of different data types in the binary content, examining the determined data segments of the binary content to identify data segments that are resistant to analysis, and applying respective techniques to the identified, analysis-resistant data segments to render the content of the identified, analysis-resistant data segments. In some embodiments, the rendering of the content of the identified, analysis-resistant data segments enables the identified, analysis-resistant segments to be analyzed, for example, to determine if the identified, analysis-resistant segments contain malicious content.

Abstract: A method and apparatus for generating a dataset for training a content detection machine learning model. The method applies one or more transforms to a content containing bitstream that produce feature tensors representing the content, labels the feature tensors by type of content, stores feature tensors and labels in a dataset. The dataset my be used to train a content detection machine learning model. The model may be exported to content detectors to identify and classify bitstream content contained in other bitstreams.

Abstract: A method and apparatus for generating a content detection dataset using file creation dates. The method accesses a database comprising data files. The files are analyzed by a machine learning model to determine file creation dates. The creation dates are used to identify relevant content files. The most relevant files are included into a content detection dataset as content samples. The dataset may be used for training machine learning based content detectors.

Abstract: A method and apparatus for testing a malware detection machine learning model. The method trains a malware detection model using a first dataset containing malware samples from a particular time period. The trained model is then tested using a second dataset that is a time shifted version of the first dataset.

Abstract: A method including analyzing affected data known to include harmful content, and clean data known to be free of the harmful content; determining, based on analyzing the affected data and the clean data, harmful traits that appear in the affected data with a frequency that satisfies a threshold frequency, and clean traits that appear in the clean data with the frequency that satisfies the threshold frequency; mixing the harmful traits and the clean traits to determine a mixed set; analyzing the affected data based on utilizing the mixed set to determine a harmful pattern that indicates characteristics associated with the harmful traits and the clean traits; and transmitting pattern information indicating the harmful pattern to enable the user device to determine whether given data includes the harmful content is disclosed. Various other aspects are contemplated.

Abstract: A method including receiving, by a security device from a network device, an initial security instruction set including a plurality of initial security instructions associated with operation of the security device; receiving, by the security device from the network device, an event signal associated with the security device carrying out a network-facing operation; transmitting, by the security device to the network device based on receiving the event signal, a security instruction associated with the security device carrying out the network-facing operation, the security instruction being from among the plurality of initial security instructions; receiving, by the security device from the network device based on transmitting the security instruction, communication information to enable the security device to carry out the network-facing operation; and carrying out, by the security device, the network-facing operation based on utilizing the communication information is disclosed.

Abstract: A method including transmitting, by a network device to a security device, an initial security instruction set including a plurality of initial security instructions; transmitting, by the network device to the security device based on transmitting the initial security instruction set, an event signal associated with the security device carrying out a network-facing operation; transmitting, by the security device to the network device based on receiving the event signal, a security instruction associated with the security device carrying out the network-facing operation, the security instruction being from among the plurality of initial security instructions; translating, by the network device, the security instruction into a host instruction to be executed by the network device; and receiving, by the security device from the network device based on transmitting the security instruction, communication information to enable the security device to carry out the network-facing operation is disclosed.

Abstract: A method including determining, by an infrastructure device, a mixed set of harmful traits and clean traits, the harmful traits being associated with affected data known to include harmful content and the clean traits being associated with clean data known to be free of the harmful content; determining, by the infrastructure device, harmful patterns indicating characteristics of the harmful traits based on comparing the affected data with the mixed set, wherein a harmful pattern indicates a particular combination of one or more of the harmful traits; transmitting, by the infrastructure device to a user device, the harmful patterns; determining, by the user device, a determined pattern based at least in part on traits included in given data; and determining, by the user device, whether the given data includes the malicious content based on comparing the determined pattern with the harmful patterns is disclosed. Various other aspects are contemplated.

Abstract: Systems and methods for archive scanning are provided herein. In some embodiments, a method includes: selecting an archive; reading a metadata representing a plurality of files within the archive; reading a plurality of hash strings from the archive; comparing the plurality of hash strings with a database of hash strings; and determining, based on the comparing, if the plurality of files within the archive represent a security threat based on the plurality of hash strings.

Abstract: A method and apparatus for generating a malware detection dataset. The method accesses a database comprising malware files and metadata related to the files. The metadata is ranked and the rankings combined into a relevancy score. The most relevant files in the database are identified as malware samples. The malware samples and their related scores are stored in a malware detection dataset.

Abstract: Systems and methods for malware filtering are provided herein. In some embodiments, a system having one or more processors is configured to: retrieve a file downloaded to a user device; break the downloaded file into a plurality of chunks; scan the plurality of chunks to identify potentially malicious chunks; predict whether the downloaded file is malicious based on the scan of the plurality of chunks; and determine whether the downloaded file is malicious based on the prediction.

Abstract: A method including receiving, by a user device, harmful patterns indicating characteristics of harmful traits included in affected data known to include malicious content and clean patterns indicating characteristics of clean traits included in clean data known to be free of the malicious content; determining, by the user device, a pattern associated with traits included in given data; and determining, by the user device, whether the given data includes the malicious content based at least in part on comparing the determined pattern with the harmful patterns and the clean patterns. Various other aspects are contemplated.

Abstract: A method including determining, by an infrastructure device, harmful patterns indicating characteristics of harmful traits included in affected data known to include harmful content, and clean patterns indicating characteristics of clean traits included in clean data known to be free of the harmful content; training, by the infrastructure device, a machine learning model to indicate presence of the harmful content based at least in part on utilizing the harmful patterns and the clean patterns; transmitting, by the infrastructure device to a user device, the harmful patterns, the clean patterns, and the machine learning model; and determining, by the user device, whether given data includes the harmful content based at least in part on utilizing the harmful patterns, the clean patterns, and the machine learning model. Various other aspects are contemplated.

Abstract: Systems and methods for archive scanning are provided herein. In some embodiments, a method includes: selecting an archive; reading a metadata representing a plurality of files within the archive; reading a plurality of hash strings from the archive; comparing the plurality of hash strings with a database of hash strings; and determining, based on the comparing, if the plurality of files within the archive represent a security threat based on the plurality of hash strings.

Abstract: A method, apparatus and system for data augmentation include receiving a first plurality of binary files each having a first binary structure and including one or more known files containing malicious content and one or more known files not containing malicious content, altering a source code of each of the first plurality of binary files to produce a second plurality of binary files each having a second binary structure that is different from the first binary structure, wherein each altered binary file is functionality similar to the corresponding file in the first plurality of binary files from which it was produced, using the first and second plurality of binary files to train the AM machine learning model to distinguish between binary files containing malicious content and binary files not containing malicious content, and applying the trained AM machine learning model to identify unknown binary files containing malicious content.

Abstract: An exemplary system and method are disclosed for detecting malware via an antimalware application employing adversarial machine learning such as generative adversarial machine learning and the training and/or configuring of such systems. The exemplary system and method are configured with two or more generative adversarial networks (GANs), including (i) a first generative adversarial network (GAN) that can be configured using a library of malware code or non-malware code and (ii) a second generative adversarial network (GAN) that operates in conjunction with the first generative adversarial network (GAN) in which the second generative adversarial network is configured using a library of non-malware code.

Abstract: An exemplary system and method are disclosed for detecting malware via an antimalware application employing adversarial machine learning such as generative adversarial machine learning and the training and/or configuring of such systems. The exemplary system and method are configured with two or more generative adversarial networks (GANs), including (i) a first generative adversarial network (GAN) that can be configured using a library of malware code or non-malware code and (ii) a second generative adversarial network (GAN) that operates in conjunction with the first generative adversarial network (GAN) in which the second generative adversarial network is configured using a library of non-malware code.

Abstract: An exemplary system and method are disclosed for detecting malware via an antimalware application employing adversarial machine learning such as generative adversarial machine learning and the training and/or configuring of such systems. The exemplary system and method are configured with two or more generative adversarial networks (GANs), including (i) a first generative adversarial network (GAN) that can be configured using a library of malware code or non-malware code and (ii) a second generative adversarial network (GAN) that operates in conjunction with the first generative adversarial network (GAN) in which the second generative adversarial network is configured using a library of non-malware code.

Abstract: A method including receiving, by a user device, harmful patterns indicating characteristics of harmful traits included in affected data known to include malicious content and clean patterns indicating characteristics of clean traits included in clean data known to be free of the malicious content; receiving, by the user device, a first portion of given data; determining, by the user device, a pattern associated with traits included in the first portion of the given data; determining, by the user device, whether the first portion of the given data includes the malicious content based at least in part on comparing the determined pattern with the harmful patterns and the clean patterns; and selectively receiving, by the user device, a second portion of the given data based at least in part on determining whether the first portion of the given data includes the malicious content is disclosed. Various other aspects are contemplated.

Abstract: Systems and methods for using a kernel module to provide computer security are provided herein. In some embodiments, a method for providing computer security may include launching a kernel module at the kernel-level of a computing device, redirecting, using the kernel module, communications traffic away from a browser executing on the computing device, decoding, using the kernel module, the received traffic to create decoded traffic, analyzing the decoded traffic, using the kernel module, for content having particular characteristics and create analyzed traffic, encoding, using the kernel module, at least a portion of the analyzed traffic to create encrypted traffic, and directing the encrypted traffic to the browser.