Abstract: Computerized methods and systems determine an entry point or source of an attack on an endpoint, such as a machine, e.g., a computer, node of a network, system or the like. These computerized methods and systems utilize an attack execution/attack or start root, to build an attack tree, which shows the attack on the end point and the damage caused by the attack, as it propagates through the machine, network, system, or the like.

Abstract: Computerized methods and systems determine an initial execution of an attack on an endpoint. An indicator of the attack is obtained by analysis of a first process on the endpoint. A sequence of processes that includes the first process associates the initial execution of the attack with the first process. Each respective process in the sequence of processes is created or executed by at least one of the initial execution or a process in the sequence of processes. The initial execution is identified based on linking from the first process to the initial execution through a combination of executions and creations of the processes in the sequence of processes.

Abstract: Computerized methods and systems determine an entry point or source of an attack on an endpoint, such as a machine, e.g., a computer, node of a network, system or the like. These computerized methods and systems utilize an attack execution/attack or start root, to build an attack tree, which shows the attack on the end point and the damage caused by the attack, as it propagates through the machine, network, system, or the like.

Abstract: Disclosed are methods and systems for detecting malware and potential malware based on using generalized attack trees (generalized attack tree graphs). The generalized attack trees are based on attack trees (attack tree graphs), whose objects, such as links and vertices, have been analyzed, and some of these objects have been generalized, resulting in the generalized attack tree of the invention.

Abstract: Computerized methods and systems identify events associated with an attack initiated on an endpoint client. A listing of processes executed or created on the endpoint during the attack is obtained. The listing of processes includes a first process and at least one subsequent process executed or created by the first process. The computerized methods and systems analyze for the occurrence of at least one event during a time interval associated with the attack. The computerized methods and systems determine whether the listing of processes includes a process that when executed caused the occurrence of the at least one event. If the listing of processes excludes process that when executed caused the occurrence of the at least one event, the at least one event and the causing process are stored, for example, in a database or memory.

Abstract: Computerized methods and systems determine an entry point or source of an attack on an endpoint, such as a machine, e.g., a computer, node of a network, system or the like. These computerized methods and systems utilize an attack execution/attack or start root, to build an attack tree, which shows the attack on the end point and the damage caused by the attack, as it propagates through the machine, network, system, or the like.

Abstract: Computerized methods and systems determine summary events from an attack on an endpoint. The detection and determination of these summary events is performed by a machine, e.g., a computer, node of a network, system or the like.

Abstract: Disclosed are methods and systems for detecting malware and potential malware based on using generalized attack trees (generalized attack tree graphs). The generalized attack trees are based on attack trees (attack tree graphs), whose objects, such as links and vertices, have been analyzed, and some of these objects have been generalized, resulting in the generalized attack tree of the invention.

Abstract: Disclosed are methods and systems for detecting malware and potential malware based on using generalized attack trees (generalized attack tree graphs). The generalized attack trees are based on attack trees (attack tree graphs), whose objects, such as links and vertices, have been analyzed, and some of these objects have been generalized, resulting in the generalized attack tree of the invention.

Abstract: Computerized methods and systems identify events associated with an attack initiated on an endpoint client. A listing of processes executed or created on the endpoint during the attack is obtained. The listing of processes includes a first process and at least one subsequent process executed or created by the first process. The computerized methods and systems analyze for the occurrence of at least one event during a time interval associated with the attack. The computerized methods and systems determine whether the listing of processes includes a process that when executed caused the occurrence of the at least one event. If the listing of processes excludes process that when executed caused the occurrence of the at least one event, the at least one event and the causing process are stored, for example, in a database or memory.

Abstract: Computerized methods and systems determine summary events from an attack on an endpoint. The detection and determination of these summary events is performed by a machine, e.g., a computer, node of a network, system or the like.

Abstract: Disclosed are methods and systems for detecting malware and potential malware based on using generalized attack trees (generalized attack tree graphs). The generalized attack trees are based on attack trees (attack tree graphs), whose objects, such as links and vertices, have been analyzed, and some of these objects have been generalized, resulting in the generalized attack tree of the invention.

Abstract: Computerized methods and systems determine an entry point or source of an attack on an endpoint, such as a machine, e.g., a computer, node of a network, system or the like. These computerized methods and systems utilize an attack execution/attack or start root, to build an attack tree, which shows the attack on the end point and the damage caused by the attack, as it propagates through the machine, network, system, or the like.

Abstract: Computerized methods and systems determine an initial execution of an attack on an endpoint. An indicator of the attack is obtained by analysis of a first process on the endpoint. A sequence of processes that includes the first process associates the initial execution of the attack with the first process. Each respective process in the sequence of processes is created or executed by at least one of the initial execution or a process in the sequence of processes. The initial execution is identified based on linking from the first process to the initial execution through a combination of executions and creations of the processes in the sequence of processes.

Abstract: File carving is a technique whereby data files are extracted from a digital device without the assistance of file tables or other disk meta-data, and can therefore be used to recover files that are fragmented. Sequential hypothesis testing procedures are used to detect a fragmentation point of a file by sequentially comparing adjacent pairs of blocks from the starting block of a file until the fragmentation point is reached. The detected fragmentation point can be used to help recover the fragmented file. Such a serial analysis helps to minimize errors and improve performance.

Abstract: Files can be reassembled from fragments by (a) accepting (or determining) adjacency scores for each pair of fragments from a set of fragments, (b) identifying header fragments from among the fragments of the set of fragments, and (c) for each of the header fragments identified, reconstructing a corresponding one of two or more files from the fragments of the set of fragments such that the sum of the adjacency scores are optimized. Any of the fragments, other than the identified header fragments, are permitted to belong, at least provisionally, to more than one of the at least two files when reconstructing the file(s).

Abstract: Files can be reassembled from fragments by (a) accepting adjacency scores for each pair of fragments from the set of fragments, (b) identifying header fragments from among the fragments of the set of fragments, and (c) for each of the header fragments identified, reconstructing a corresponding one of the two or more files from the fragments of the set of fragments such that the sum of the adjacency scores are optimized, wherein each of the fragments is permitted to belong to only one of the at least two files, and wherein at least two files are reconstructed such that the results are independent of the order in which the files are reconstructed.

Abstract: File carving is a technique whereby data files are extracted from a digital device without the assistance of file tables or other disk meta-data, and can therefore be used to recover files that are fragmented. Sequential hypothesis testing procedures are used to detect a fragmentation point of a file by sequentially comparing adjacent pairs of blocks from the starting block of a file until the fragmentation point is reached. The detected fragmentation point can be used to help recover the fragmented file. Such a serial analysis helps to minimize errors and improve performance.

Abstract: Files can be reassembled from fragments by (a) accepting adjacency scores for each pair of fragments from a set of fragments, (b) identifying header fragments from the set of fragments, and (c) for each of the header fragments, (i) setting a current fragment to the identified header fragment, (ii) selecting, from any of the fragments not identified as a header fragment, a fragment with a best adjacency score with the current fragment, (iii) determining if the selected fragment has a better adjacency score with any of the other fragments not identified as a header than with the current fragment, (iv) if so, then (A) selecting another fragment, from any of the fragments not identified as a header fragment, a fragment with a next best adjacency score with the current fragment, and continuing, and otherwise (A) adding the selected fragment to a reassembly path started with the identified header fragment, and (B) setting the current fragment to the selected fragment, and continuing until the file is reconstructed.

Abstract: Files can be reassembled from fragments by (a) accepting adjacency scores for each pair of fragments from the set of fragments, (b) identifying header fragments from among the fragments of the set of fragments, and (c) for each of the header fragments identified, reconstructing a corresponding one of the two or more files from the fragments of the set of fragments such that the sum of the adjacency scores are optimized, wherein each of the fragments is permitted to belong to only one of the at least two files, and wherein at least two files are reconstructed such that the results are independent of the order in which the files are reconstructed.