Abstract: Systems and methods for identifying anomalous activities in a cloud computing environment are provided. According to one embodiment, a customer's infrastructure may be fortified by leveraging deep learning technology (e.g., an encoder-decoder machine-learning (ML) model) to predict events in the cloud environment. During a training phase, the ML model may be trained to make a prediction regarding a next event based on a predetermined or configurable length of a sequence of contextual events. For example, historical events (e.g., cloud application programming interface (API) events logged to a cloud activity trace) observed within the customer's cloud infrastructure over the course of a particular date range may be split into appropriate event/context pairs and fed to the ML model. Subsequently, during a run-time anomaly detection phase, the ML model may be used to predict a next event based on a sequence of immediately preceding events to facilitate identification of anomalous activity.

Abstract: Implementations are directed to methods for detecting and identifying advanced persistent threats (APTs) in networks, including receiving first domain activity data from a first network domain and second domain activity data from a second network domain, including multiple alerts from the respective first and second network domains and where each alert of the multiple alerts results from one or more detected events in the respective first or second network domains. A classification determined for each alert of the multiple alerts with respect to a cyber kill chain. A dependency is then determined for each of one or more pairs of alerts and a graphical visualization of the multiple alerts is generated, where the graphical visualization includes multiple nodes and edges between the nodes, each node corresponding to the cyber kill chain and representing at least one alert, and each edge representing a dependency between alerts.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for container image vulnerability reduction. In one aspect, a method includes obtaining a first container image that is formed from a set of files, determining that a first particular file of the set of files is necessary for an application and a second particular file of the set of files is not necessary for the application based on execution of the application in a first container instantiated with the first container image, in response generating a second container image from the first particular file and not from the second particular file, and executing the application in a second container instantiated with the second container image.

Abstract: Implementations are directed to methods for detecting and identifying advanced persistent threats (APTs) in networks, including receiving first domain activity data from a first network domain and second domain activity data from a second network domain, including multiple alerts from the respective first and second network domains and where each alert of the multiple alerts results from one or more detected events in the respective first or second network domains. A classification determined for each alert of the multiple alerts with respect to a cyber kill chain. A dependency is then determined for each of one or more pairs of alerts and a graphical visualization of the multiple alerts is generated, where the graphical visualization includes multiple nodes and edges between the nodes, each node corresponding to the cyber kill chain and representing at least one alert, and each edge representing a dependency between alerts.

Abstract: A device processes, with a model, an application to identify a set of file paths with process identifiers. The device identifies patterns associated with the set of file paths with process identifiers, and determines positions of random elements in each file path of the set of file paths with process identifiers. The device processes the patterns and the positions of the random elements to train a machine learning model, and utilizes the machine learning model to generate a first set of rules to identify files required for execution of the application, and a second set of rules to identify files not required for execution of the application. The device generates a mandatory access control policy based on the first set of rules and the second set of rules, and provides the mandatory access control policy to be implemented by an operating system of a client device.

Abstract: Implementations are directed to methods for detecting and identifying advanced persistent threats (APTs) in networks, including receiving first domain activity data from a first network domain and second domain activity data from a second network domain, including multiple alerts from the respective first and second network domains and where each alert of the multiple alerts results from one or more detected events in the respective first or second network domains. A classification determined for each alert of the multiple alerts with respect to a cyber kill chain. A dependency is then determined for each of one or more pairs of alerts and a graphical visualization of the multiple alerts is generated, where the graphical visualization includes multiple nodes and edges between the nodes, each node corresponding to the cyber kill chain and representing at least one alert, and each edge representing a dependency between alerts.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for container image vulnerability reduction. In one aspect, a method includes obtaining a first container image that is formed from a set of files, determining that a first particular file of the set of files is necessary for an application and a second particular file of the set of files is not necessary for the application based on execution of the application in a first container instantiated with the first container image, in response generating a second container image from the first particular file and not from the second particular file, and executing the application in a second container instantiated with the second container image.

Abstract: A device processes, with a model, an application to identify a set of file paths with process identifiers. The device identifies patterns associated with the set of file paths with process identifiers, and determines positions of random elements in each file path of the set of file paths with process identifiers. The device processes the patterns and the positions of the random elements to train a machine learning model, and utilizes the machine learning model to generate a first set of rules to identify files required for execution of the application, and a second set of rules to identify files not required for execution of the application. The device generates a mandatory access control policy based on the first set of rules and the second set of rules, and provides the mandatory access control policy to be implemented by an operating system of a client device.

Abstract: The disclosed computer-implemented method for identifying malicious file droppers may include (1) detecting a malicious file on the computing device, (2) constructing an ordered list of files that resulted in the malicious file being on the computing device where the malicious file is the last file in the ordered list of files and each file in the ordered list of files placed the next file in the ordered list of files on the computing device, (3) determining that at least one file prior to the malicious file in the ordered list of files comprises a malicious file dropper, and (4) performing a security action in response to determining that the file prior to the malicious file in the ordered list of files comprises the malicious file dropper. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for performing application container introspection may include (1) identifying a request issued by an application launched from an application container, (2) determining that the request calls a function that facilitates transferring data between the application container and at least one external data source, and then in response to determining that the request calls the function, (3) directing the request to a function library that includes a custom version of the function that facilitates both (A) transferring, between the application container and the external data source, an encrypted version of the data that is unintelligible to an external application running outside the application container and (B) providing an unencrypted version of the data to the external application to enable the external application to inspect the data. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Implementations are directed to methods for detecting and identifying advanced persistent threats (APTs) in networks, including receiving first domain activity data from a first network domain and second domain activity data from a second network domain, including multiple alerts from the respective first and second network domains and where each alert of the multiple alerts results from one or more detected events in the respective first or second network domains. A classification determined for each alert of the multiple alerts with respect to a cyber kill chain. A dependency is then determined for each of one or more pairs of alerts and a graphical visualization of the multiple alerts is generated, where the graphical visualization includes multiple nodes and edges between the nodes, each node corresponding to the cyber kill chain and representing at least one alert, and each edge representing a dependency between alerts.

Abstract: The disclosed computer-implemented method for categorizing mobile devices as rooted may include (1) gathering a set of metadata describing a plurality of rooted mobile devices that have been modified to allow a user to alter protected systems and an additional set of metadata describing a plurality of unrooted mobile devices that have not been modified to allow the user to alter the protected systems, (2) comparing the set of metadata with the additional set of metadata to determine at least one feature that differentiates the rooted mobile devices from the unrooted mobile devices, (3) determining whether the feature is present in metadata that describes an uncategorized mobile device, and (4) categorizing the uncategorized mobile device as a rooted mobile device based on the presence of the feature in the metadata that describes the uncategorized mobile device. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for generating device-specific security policies for applications may include (1) installing, onto a computing device, an application requested by the computing device, (2) while the application is running on the computing device, monitoring interactions between the application and a computing environment in which the computing device operates to identify (A) computing resources within the computing environment required by the application and (B) potential security concerns related to the application within the computing environment, and then (3) generating, based on the monitored interactions, a set of device-specific security policies to enforce for the application while the application runs on the computing device that allow the application to access the required computing resources while mitigating the potential security concerns. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Techniques of obfuscation for enterprise data center services are disclosed. In one embodiment, the techniques may be realized as a system for obfuscation comprising one or more processors. The one or more processors may be configured to receive a command from at least one of a user and an application and determine whether the command is authorized. If the command is determined to be unauthorized, the one or more processors may be further configured to generate a rewritten output of the command that is different from an original output of the command and return the rewritten output in response to the command.

Abstract: A processor-based method to defeat file and process hiding techniques in a computing device is provided. The method includes generating one of a path permutation, a symlink, or an address, for a path to open or obtain status of a tool or function in a library in a mobile computing device and making an open or status call for the tool or function, using the one of the path permutation, symlink or address. The method includes avoiding a pattern match and blocking, by an injected library, of the open or status call, the avoiding being a result of making the open or status call using the path permutation, symlink or address.

Abstract: A computer-implemented method for evaluating electronic control units within vehicle emulations may include (1) connecting an actual electronic control unit for a vehicle to a vehicle bus that emulates network traffic rather than actual network traffic generated by operation of the vehicle, (2) manipulating input to the actual electronic control unit to test how safely the actual electronic control unit and the emulated electronic control unit respond to the manipulated input, (3) detecting an output from the actual electronic control unit that indicates a response, from the actual electronic control unit, to manipulating the input, and (4) evaluating a safety level of at least one of the actual electronic control unit and the emulated electronic control unit based on detecting the output from the actual electronic control unit. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for logging processes within containers may include (i) detecting creation of a new container that comprises a lightweight platform-independent filesystem capable of executing at least one process that is isolated from a host computing device that hosts the container, (ii) launching, within the new container, a monitoring process that maintains a log of events associated with a process that will be executing within the new container, (iii) recording to the log, by the monitoring process, data about at least one event associated with the process executing within the container, and (iv) exporting, by the monitoring process, the log to the host computing device that hosts the new container. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for enforcing secure software execution may include (1) providing at least one known benign input to an executable file that is susceptible to abnormal code execution, (2) observing a series of function calls made by the executable file as the executable file processes the known benign input, (3) storing the series of function calls as a control flow graph that represents known safe function call pathways for the executable file, and (4) forcing a subsequent execution of the executable file to follow the series of function calls stored in the control flow graph to protect the executable file against abnormal code execution. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The present disclosure relates to systems and methods based at least in part on managing electronic device configuration and/or features. In some embodiments, a method may include identifying a first configuration state at a first time; generating a virtual configuration state based at least in part on the first configuration state at the first time; determining a first modification to be made to the first configuration state based at least in part on a first characteristic of a first application; modifying the virtual configuration state based at least in part on the determined first modification; and/or modifying the first configuration state at a second time after the first time based at least in part on the determined first modification.

Abstract: A processor-based method to defeat file and process hiding techniques in a computing device is provided. The method includes generating one of a path permutation, a symlink, or an address, for a path to open or obtain status of a tool or function in a library in a mobile computing device and making an open or status call for the tool or function, using the one of the path permutation, symlink or address. The method includes avoiding a pattern match and blocking, by an injected library, of the open or status call, the avoiding being a result of making the open or status call using the path permutation, symlink or address.