Patents by Inventor Dmitriy Komashinskiy

Dmitriy Komashinskiy has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230388328
    Abstract: Disclosed is a threat detection network for monitoring a security threat for a computer network, including a back end system and sensors coupled to the back end system, wherein each sensor: collects data describing respective predefined events in a respective node of the network, each event involving interaction of a subject entity operating in the respective node with an object entity associated with the node, applies predefined anomaly detection models to determine respective anomaly detection scores for interactions captured in the collected data, arranges the captured interactions into a local activity graph describing interactions of subject entities operating in the node with object entities associated with the node, and transmits portions of the local activity graph as status data to the back end system depending on the anomaly scores for the respective interactions captured in the local activity graph. The back end system derives security parameters describing security threats.
    Type: Application
    Filed: May 30, 2023
    Publication date: November 30, 2023
    Inventors: Dmitriy KOMASHINSKIY, Paolo PALUMBO, Matti AKSELA
  • Publication number: 20230370485
    Abstract: A network node of a threat detection network, a backend system of a threat detection network, a threat detection network and a threat detection method in a threat detection network. The threat detection network comprises interconnected network nodes and a backend system, wherein the backend system utilizes a backend threat detection model, and wherein at least part of the network nodes comprise security agent modules which collect data related to the respective network node, wherein the network nodes utilize a local threat detection model and a local consistency model. The local consistency model is configured to provide a confidence level information between the local threat detection model and the backend threat detection model.
    Type: Application
    Filed: May 15, 2023
    Publication date: November 16, 2023
    Inventors: Dmitriy KOMASHINSKIY, Paolo PALUMBO
  • Patent number: 11811803
    Abstract: There is provided a method comprising: detecting a new process start at a network node of a computer network; determining that said process requires external code modules; observing the times at which one or more external code modules required by the new process are loaded relative to the process starting time; determining that the usage of an external code module required by the new process is anomalous when the time elapsed between the start of the process and loading of said external code module lies outside predetermined expected boundaries; and taking further action to protect the network node and/or the computer network based on determining that the usage of the external code module required by the detected new process is anomalous.
    Type: Grant
    Filed: November 10, 2020
    Date of Patent: November 7, 2023
    Assignee: WITHSECURE CORPORATION
    Inventors: Paolo Palumbo, Dmitriy Komashinskiy
  • Publication number: 20230097370
    Abstract: Disclosed is a system and a method of threat detection in a computer network, the method including detecting by a first node a security threat, e.g. relating to anomalous or malicious behavior, digital object and/or context, at the first node, collecting context information at the first node relating to the detected security threat, reporting at least one detected security threat and the collected context information to at least a second node, analyzing at the second node the received information relating to the security threat and collecting context information relating to the analysis at the second node, and sending the threat related information with added analysis and context information collected from the second node to at least one further node or backend.
    Type: Application
    Filed: September 29, 2022
    Publication date: March 30, 2023
    Inventors: Dmitriy KOMASHINSKIY, Paolo PALUMBO
  • Patent number: 11449610
    Abstract: There is provided a method of detecting a threat against a computer system. The method includes monitoring installation and operation of multiple different versions of the same application in a computer system; analysing evolutionary changes between the behaviours of the different versions of the same application; detecting and monitoring a new version of the same application in a computer system; monitoring the behavior of the computer system to detect one or more procedures of the monitored application that do not match expected behaviors of the monitored application on the basis of the analysis; and upon detection of one or more procedures not matching the expected behaviors of the monitored application, identifying the monitored application as malicious or suspicious.
    Type: Grant
    Filed: March 18, 2019
    Date of Patent: September 20, 2022
    Assignee: Withsecure Corporation
    Inventors: Mikko Suominen, Dmitriy Komashinskiy, Fredrik Kock
  • Patent number: 11245666
    Abstract: A method including collecting and aligning raw data from a plurality of network nodes, wherein dissimilar data types are aligned as input events; filtering the input events by discarding events and/or parts of events that are detected to be equal or similar to previously observed events or events and/or parts of events found to be redundant by using predetermined criteria; separating processing of the input events into event aggregation and event enrichment processes, wherein the event aggregation process includes processing all the input events for generating aggregated events, and the event enrichment process includes processing only events passed by the filtering and the aggregated events from the event aggregation process; and analysing the data received from the event enrichment process for generating a security related decision.
    Type: Grant
    Filed: June 26, 2019
    Date of Patent: February 8, 2022
    Assignee: F-Secure Corporation
    Inventors: Dmitriy Komashinskiy, Paolo Palumbo
  • Publication number: 20210409429
    Abstract: A system and a method for distributing components of a threat detection model for a threat control network, the threat control network comprising interconnected network nodes. The threat control network comprises security agent modules which collect data related to the respective network node of the security agent module, share information based on the collected data in the established internal network and use the collected data and information received from the internal network for generating and adapting threat detection models related to the respective network node. At least part of the nodes comprise at least the following components of the threat detection model: detection logic part comprising detection rules, detection logic parameter part comprising parameter values, core data primitive part comprising a set of key primitives. The method comprises distributing the said components of a threat detection model to a node independently from the other said components of the same node.
    Type: Application
    Filed: June 25, 2021
    Publication date: December 30, 2021
    Inventors: Dmitriy KOMASHINSKIY, Paolo PALUMBO, Johannes RAVE, Matti AKSELA
  • Publication number: 20210144165
    Abstract: There is provided a method comprising: detecting a new process start at a network node of a computer network; determining that said process requires external code modules; observing the times at which one or more external code modules required by the new process are loaded relative to the process starting time; determining that the usage of an external code module required by the new process is anomalous when the time elapsed between the start of the process and loading of said external code module lies outside predetermined expected boundaries; and taking further action to protect the network node and/or the computer network based on determining that the usage of the external code module required by the detected new process is anomalous.
    Type: Application
    Filed: November 10, 2020
    Publication date: May 13, 2021
    Inventors: Paolo PALUMBO, Dmitriy KOMASHINSKIY
  • Patent number: 10972505
    Abstract: There are provided measures for improvement of distributed behavioral monitoring. Such measures exemplarily include receiving activity data indicative of a behavior of an entity to be monitored from at least one sensor sensing activity of the entity, wherein the at least one sensor is provided to an endpoint associated with said entity, assessing an activity represented by said activity data as malicious, validating a result of said assessing based on a categorization assigned to said entity in relation to said at least one sensor, and deciding, based on a result of said validating, on a response to said assessing.
    Type: Grant
    Filed: December 13, 2017
    Date of Patent: April 6, 2021
    Assignee: F-Secure Corporation
    Inventors: Paolo Palumbo, Dmitriy Komashinskiy
  • Patent number: 10721247
    Abstract: There are provided measures for machine learning based malware detection systems. Such measures exemplarily include analyzing a set of training data, said set of training data comprising a plurality of training data elements, wherein each of said plurality of training data elements is associated with a respective one of at least two maliciousness related properties, learning a malicious object detection model on the basis of first feature combinations of said plurality of training data elements, said first feature combinations characterizing each of said at least two maliciousness related properties, learning an anomalous data detection model on the basis of second feature combinations of said plurality of training data elements, said second feature combinations characterizing said set of training data, said anomalous data detection model being associated with said malicious object detection model, and providing said malicious object detection model and said anomalous data detection model.
    Type: Grant
    Filed: November 28, 2017
    Date of Patent: July 21, 2020
    Assignee: F-Secure Corporation
    Inventors: Dmitriy Komashinskiy, Paolo Palumbo
  • Publication number: 20200036681
    Abstract: A method including collecting and aligning raw data from a plurality of network nodes, wherein dissimilar data types are aligned as input events; filtering the input events by discarding events and/or parts of events that are detected to be equal or similar to previously observed events or events and/or parts of events found to be redundant by using predetermined criteria; separating processing of the input events into event aggregation and event enrichment processes, wherein the event aggregation process includes processing all the input events for generating aggregated events, and the event enrichment process includes processing only events passed by the filtering and the aggregated events from the event aggregation process; and analysing the data received from the event enrichment process for generating a security related decision.
    Type: Application
    Filed: June 26, 2019
    Publication date: January 30, 2020
    Inventors: Dmitriy KOMASHINSKIY, Paolo PALUMBO
  • Publication number: 20190294795
    Abstract: There is provided a method of detecting a threat against a computer system. The method includes monitoring installation and operation of multiple different versions of the same application in a computer system; analysing evolutionary changes between the behaviours of the different versions of the same application; detecting and monitoring a new version of the same application in a computer system; monitoring the behavior of the computer system to detect one or more procedures of the monitored application that do not match expected behaviors of the monitored application on the basis of the analysis; and upon detection of one or more procedures not matching the expected behaviors of the monitored application, identifying the monitored application as malicious or suspicious.
    Type: Application
    Filed: March 18, 2019
    Publication date: September 26, 2019
    Inventors: Mikko Suominen, Dmitriy Komashinskiy, Fredrik Kock
  • Publication number: 20180176260
    Abstract: There are provided measures for improvement of distributed behavioral monitoring. Such measures exemplarily include receiving activity data indicative of a behavior of an entity to be monitored from at least one sensor sensing activity of the entity, wherein the at least one sensor is provided to an endpoint associated with said entity, assessing an activity represented by said activity data as malicious, validating a result of said assessing based on a categorization assigned to said entity in relation to said at least one sensor, and deciding, based on a result of said validating, on a response to said assessing.
    Type: Application
    Filed: December 13, 2017
    Publication date: June 21, 2018
    Inventors: Paolo Palumbo, Dmitriy Komashinskiy
  • Publication number: 20180159871
    Abstract: There are provided measures for machine learning based malware detection systems. Such measures exemplarily include analyzing a set of training data, said set of training data comprising a plurality of training data elements, wherein each of said plurality of training data elements is associated with a respective one of at least two maliciousness related properties, learning a malicious object detection model on the basis of first feature combinations of said plurality of training data elements, said first feature combinations characterizing each of said at least two maliciousness related properties, learning an anomalous data detection model on the basis of second feature combinations of said plurality of training data elements, said second feature combinations characterizing said set of training data, said anomalous data detection model being associated with said malicious object detection model, and providing said malicious object detection model and said anomalous data detection model.
    Type: Application
    Filed: November 28, 2017
    Publication date: June 7, 2018
    Inventors: Dmitriy Komashinskiy, Paolo Palumbo
  • Patent number: 8904537
    Abstract: A method and apparatus for detecting malware in which a computer device that has an operating system and a memory executes an untrusted computer program. In the event that the untrusted program directly accesses a region of the memory used to store information relating to the operating system, a determination is made that the untrusted program is likely to be malware.
    Type: Grant
    Filed: May 9, 2011
    Date of Patent: December 2, 2014
    Assignee: F-Secure Corporation
    Inventors: Jarkko Turkulainen, Samuli Larvala, Dmitriy Komashinskiy, Antti Tikkanen, Daavid Hentunen
  • Publication number: 20120291131
    Abstract: A method and apparatus for detecting malware in which a computer device that has an operating system and a memory executes an untrusted computer program. In the event that the untrusted program directly accesses a region of the memory used to store information relating to the operating system, a determination is made that the untrusted program is likely to be malware.
    Type: Application
    Filed: May 9, 2011
    Publication date: November 15, 2012
    Inventors: Jarkko Turkulainen, Samuli Larvala, Dmitriy Komashinskiy, Antti Tikkanen, Daavid Hentunen