Patents by Inventor Joshua Daniel Saxe

Joshua Daniel Saxe has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20220318429
    Abstract: A compute instance may be configured to extract a feature of a data instance accessed by the compute instance, generate an anonymized feature value for the feature of the data instance, include the anonymized feature value in a feature vector corresponding to the data instance, and transmit the feature vector to a server-based computing system.
    Type: Application
    Filed: March 30, 2021
    Publication date: October 6, 2022
    Inventors: Joseph H. Levy, Kenneth D. Ray, Joshua Daniel Saxe
  • Publication number: 20220318665
    Abstract: A compute instance stores a programmable feature extractor associated with a machine learning model maintained by a server-based computing system configured to communicate with the compute instance by way of a network. The machine learning model is based on a feature set that includes a plurality of features. The compute instance executes the programmable feature extractor to generate a feature vector corresponding to a data instance accessed by the compute instance, where the feature vector includes a feature value specific to the data instance for each feature included in the feature set. The compute instance transmits the feature vector corresponding to the data instance to the server-based computing system for use as a training input to the machine learning model.
    Type: Application
    Filed: March 30, 2021
    Publication date: October 6, 2022
    Inventors: Joseph H. Levy, Kenneth D. Ray, Joshua Daniel Saxe
  • Publication number: 20220217167
    Abstract: A technique for dynamically updating a user interface for threat investigation may include receiving a scheduled transmittal of events in an event stream from an endpoint at a threat management facility, processing the event stream at the threat management facility to detect an intermediate threat, in response to detecting the intermediate threat at the threat management facility, requesting a transmittal of supplemental information from a data recorder on the endpoint, receiving the supplemental information in a supplemental transmittal from the endpoint to the threat management facility, and displaying a description of the intermediate threat and the supplemental information in a user interface hosted by the threat management facility, where the user interface is configured for user investigation and disposition of the intermediate threat.
    Type: Application
    Filed: March 28, 2022
    Publication date: July 7, 2022
    Inventors: Joshua Daniel Saxe, Andrew J. Thomas, Russell Humphries, Simon Neil Reed, Kenneth D. Ray, Joseph H. Levy
  • Publication number: 20220164449
    Abstract: A rule generator can automatically generate a machine-learning-powered detection system capable of recognizing a new malicious object or family of malicious objects and deployable as a text-based, pastable detection rule. The text may be quickly distributed and integrated into existing cybersecurity infrastructure, for example, if the cybersecurity infrastructure supports a rules engine. After initial distribution, the identity may be refined, updated, and replaced. This allows for rapid development and distribution of an initial level of protection, and for updating and improvement over time.
    Type: Application
    Filed: November 19, 2021
    Publication date: May 26, 2022
    Inventor: Joshua Daniel Saxe
  • Publication number: 20220094713
    Abstract: In a natural language processing model such as a Bidirectional Encoder Representations from Transformers (BERT) model, transformer layers can be replaced with simplified adapters without significant loss of predictive ability. This compressed model may in turn be trained to perform security classification tasks such as detection of new phishing attacks in electronic mail communications.
    Type: Application
    Filed: September 21, 2021
    Publication date: March 24, 2022
    Inventors: Younghoo Lee, Joshua Daniel Saxe, Richard Edward Harang
  • Publication number: 20210326440
    Abstract: An apparatus for detecting malicious files includes a memory and a processor communicatively coupled to the memory. The processor receives multiple potentially malicious files. A first potentially malicious file has a first file format, and a second potentially malicious file has a second file format different than the first file format. The processor extracts a first set of strings from the first potentially malicious file, and extracts a second set of strings from the second potentially malicious file. First and second feature vectors are defined based on lengths of each string from the associated set of strings. The processor provides the first feature vector as an input to a machine learning model to produce a maliciousness classification of the first potentially malicious file, and provides the second feature vector as an input to the machine learning model to produce a maliciousness classification of the second potentially malicious file.
    Type: Application
    Filed: May 7, 2021
    Publication date: October 21, 2021
    Applicant: Sophos Limited
    Inventors: Joshua Daniel SAXE, Ethan M. RUDD, Richard HARANG
  • Publication number: 20210211440
    Abstract: An automated system attempts to characterize code as safe or unsafe. For intermediate code samples not placed with sufficient confidence in either category, human-readable analysis is automatically generated to assist a human reviewer in reaching a final disposition. For example, a random forest over human-interpretable features may be created and used to identify suspicious features in a manner that is understandable to, and actionable by, a human reviewer. Similarly, a k-nearest neighbor algorithm may be used to identify similar samples of known safe and unsafe code based on a model for, e.g., a file path, a URL, an executable, and so forth. Similar code may then be displayed (with other information) to a user for evaluation in a user interface. This comparative information can improve the speed and accuracy of human interventions by providing richer context for human review of potential threats.
    Type: Application
    Filed: March 1, 2021
    Publication date: July 8, 2021
    Inventors: Joshua Daniel Saxe, Andrew J. Thomas, Russell Humphries, Simon Neil Reed, Kenneth D. Ray, Joseph H. Levy
  • Publication number: 20210165881
    Abstract: In some embodiments, a processor can receive an input string associated with a potentially malicious artifact and convert each character in the input string into a vector of values to define a character matrix. The processor can apply a convolution matrix to a first window of the character matrix to define a first subscore, apply the convolution matrix to a second window of the character matrix to define a second subscore and combine the first subscore and the second subscore to define a score for the convolution matrix. The processor can provide the score for the convolution matrix as an input to a machine learning threat model, identify the potentially malicious artifact as malicious based on an output of the machine learning threat model, and perform a remedial action on the potentially malicious artifact based on identifying the potentially malicious artifact as malicious.
    Type: Application
    Filed: December 17, 2020
    Publication date: June 3, 2021
    Applicant: Invincea, Inc.
    Inventor: Joshua Daniel SAXE
  • Patent number: 11003774
    Abstract: An apparatus for detecting malicious files includes a memory and a processor communicatively coupled to the memory. The processor receives multiple potentially malicious files. A first potentially malicious file has a first file format, and a second potentially malicious file has a second file format different than the first file format. The processor extracts a first set of strings from the first potentially malicious file, and extracts a second set of strings from the second potentially malicious file. First and second feature vectors are defined based on lengths of each string from the associated set of strings. The processor provides the first feature vector as an input to a machine learning model to produce a maliciousness classification of the first potentially malicious file, and provides the second feature vector as an input to the machine learning model to produce a maliciousness classification of the second potentially malicious file.
    Type: Grant
    Filed: January 25, 2019
    Date of Patent: May 11, 2021
    Assignee: Sophos Limited
    Inventors: Joshua Daniel Saxe, Ethan M. Rudd, Richard Harang
  • Patent number: 10938838
    Abstract: An automated system attempts to characterize code as safe or unsafe. For intermediate code samples not placed with sufficient confidence in either category, human-readable analysis is automatically generated to assist a human reviewer in reaching a final disposition. For example, a random forest over human-interpretable features may be created and used to identify suspicious features in a manner that is understandable to, and actionable by, a human reviewer. Similarly, a k-nearest neighbor algorithm may be used to identify similar samples of known safe and unsafe code based on a model for, e.g., a file path, a URL, an executable, and so forth. Similar code may then be displayed (with other information) to a user for evaluation in a user interface. This comparative information can improve the speed and accuracy of human interventions by providing richer context for human review of potential threats.
    Type: Grant
    Filed: September 12, 2018
    Date of Patent: March 2, 2021
    Assignee: Sophos Limited
    Inventors: Joshua Daniel Saxe, Andrew J. Thomas, Russell Humphries, Simon Neil Reed, Kenneth D. Ray, Joseph H. Levy
  • Patent number: 10896256
    Abstract: Apparatus and methods described herein include, for example, a process that can include receiving a potentially malicious file, and dividing the potentially malicious file into a set of byte windows. The process can include calculating at least one attribute associated with each byte window from the set of byte windows for the potentially malicious file. In such an instance, the at least one attribute is not dependent on an order of bytes in the potentially malicious file. The process can further include identifying a probability that the potentially malicious file is malicious, based at least in part on the at least one attribute and a trained threat model.
    Type: Grant
    Filed: May 17, 2019
    Date of Patent: January 19, 2021
    Assignee: Invincea, Inc.
    Inventors: Joshua Daniel Saxe, Konstantin Berlin
  • Patent number: 10878093
    Abstract: In some embodiments, a processor can receive an input string associated with a potentially malicious artifact and convert each character in the input string into a vector of values to define a character matrix. The processor can apply a convolution matrix to a first window of the character matrix to define a first subscore, apply the convolution matrix to a second window of the character matrix to define a second subscore and combine the first subscore and the second subscore to define a score for the convolution matrix. The processor can provide the score for the convolution matrix as an input to a machine learning threat model, identify the potentially malicious artifact as malicious based on an output of the machine learning threat model, and perform a remedial action on the potentially malicious artifact based on identifying the potentially malicious artifact as malicious.
    Type: Grant
    Filed: May 29, 2019
    Date of Patent: December 29, 2020
    Assignee: Invincea, Inc.
    Inventor: Joshua Daniel Saxe
  • Publication number: 20200257799
    Abstract: In some embodiments, a method includes processing at least a portion of a received file into a first set of fragments and analyzing each fragment from the first set of fragments using a machine learning model to identify within each fragment first information potentially relevant to whether the file is malicious. The method includes forming a second set of fragments by combining adjacent fragments from the first set of fragments and analyzing each fragment from the second set of fragments using the machine learning model to identify second information potentially relevant to whether the file is malicious. The method includes identifying the file as malicious based on the first information within at least one fragment from the first set of fragments and the second information within at least one fragment from the second set of fragments. The method includes performing a remedial action based on identifying the file as malicious.
    Type: Application
    Filed: April 21, 2020
    Publication date: August 13, 2020
    Applicant: Sophos Limited
    Inventors: Joshua Daniel SAXE, Richard HARANG
  • Patent number: 10649970
    Abstract: In some embodiments, a method includes receiving a plurality of descriptors via a network. Each descriptor includes at least one of a descriptor component or a keyword. The method further includes storing the plurality of descriptors in a database, and generating a database index of the plurality of descriptors based on at least one of the descriptor component or the keyword for each descriptor of the plurality of descriptors. The method further includes storing the database index in the database. The method further includes receiving a file component extracted from a file and identifying, based on the file component, a set of descriptors from the plurality of descriptors. The method further includes inferring, based on the set of descriptors, a measure of likelihood of a functionality associated with the file, and transmitting an indication of the measure to a user.
    Type: Grant
    Filed: March 14, 2014
    Date of Patent: May 12, 2020
    Assignee: Invincea, Inc.
    Inventors: Joshua Daniel Saxe, David Peter Mentis, Anthony Chungku Wong
  • Patent number: 10635813
    Abstract: In some embodiments, a method includes processing at least a portion of a received file into a first set of fragments and analyzing each fragment from the first set of fragments using a machine learning model to identify within each fragment first information potentially relevant to whether the file is malicious. The method includes forming a second set of fragments by combining adjacent fragments from the first set of fragments and analyzing each fragment from the second set of fragments using the machine learning model to identify second information potentially relevant to whether the file is malicious. The method includes identifying the file as malicious based on the first information within at least one fragment from the first set of fragments and the second information within at least one fragment from the second set of fragments. The method includes performing a remedial action based on identifying the file as malicious.
    Type: Grant
    Filed: October 6, 2017
    Date of Patent: April 28, 2020
    Assignee: Sophos Limited
    Inventors: Joshua Daniel Saxe, Richard Harang
  • Patent number: 10592667
    Abstract: An apparatus can include a processor that can extract, from an input binary file, an image data structure, and can scale the image data structure to a predetermined size, and/or modify the image data structure to represent a grayscale image. The processor can calculate a modified pixel value for each pixel in the image data structure, and can define a binary vector based on the modified pixel value for each pixel in the image data structure. The processor can also identify a set of nearest neighbor binary vectors for the binary vector based on a comparison between the binary vector and a set of reference binary vectors stored in a malware detection database. The processor can then determine a malware status of the input binary file based on the set of nearest neighbor binary vectors satisfying a similarity criterion associated with a known malware image from a known malware file.
    Type: Grant
    Filed: December 18, 2017
    Date of Patent: March 17, 2020
    Assignee: Invincea, Inc.
    Inventors: Alexander Mason Long, Joshua Daniel Saxe
  • Publication number: 20200074078
    Abstract: An automated system attempts to characterize code as safe or unsafe. For intermediate code samples not placed with sufficient confidence in either category, human-readable analysis is automatically generated to assist a human reviewer in reaching a final disposition. For example, a random forest over human-interpretable features may be created and used to identify suspicious features in a manner that is understandable to, and actionable by, a human reviewer. Similarly, a k-nearest neighbor algorithm may be used to identify similar samples of known safe and unsafe code based on a model for, e.g., a file path, a URL, an executable, and so forth. Similar code may then be displayed (with other information) to a user for evaluation in a user interface. This comparative information can improve the speed and accuracy of human interventions by providing richer context for human review of potential threats.
    Type: Application
    Filed: September 12, 2018
    Publication date: March 5, 2020
    Inventors: Joshua Daniel Saxe, Andrew J. Thomas, Russell Humphries, Simon Neil Reed, Kenneth D. Ray, Joseph H. Levy
  • Publication number: 20200074336
    Abstract: An ensemble of detection techniques is used to identify code that presents intermediate levels of threat. For example, an ensemble of machine learning techniques may be used to evaluate suspiciousness based on binaries, file paths, behaviors, reputations, and so forth, and code may be sorted into safe, unsafe, intermediate, or any similar categories. By filtering and prioritizing intermediate threats with these tools, human threat intervention can advantageously be directed toward code samples and associated contexts most appropriate for non-automated responses.
    Type: Application
    Filed: September 12, 2018
    Publication date: March 5, 2020
    Inventors: Joshua Daniel Saxe, Andrew J. Thomas, Russell Humphries, Simon Neil Reed, Kenneth D. Ray, Joseph H. Levy
  • Patent number: 10474818
    Abstract: An apparatus includes a database configured to store a collection of files. The apparatus also includes a counter module configured to calculate a frequency of a data feature in the collection of files. The apparatus also includes a signature generation module operatively coupled to the counter module. The signature generation module is configured to generate a malware signature based on the frequency of the data feature in the collection of files. The malware signature includes an indication of one or more criteria for the data feature, and the malware signature is associated with a malware. The apparatus also includes a communication module configured to receive a target file, and a detection module operatively coupled to the communication module. The detection module is configured to classify the target file as the malware when the target file meets the one or more criteria of the malware signature.
    Type: Grant
    Filed: February 28, 2018
    Date of Patent: November 12, 2019
    Assignee: Invincea, Inc.
    Inventor: Joshua Daniel Saxe
  • Publication number: 20190278909
    Abstract: In some embodiments, a processor can receive an input string associated with a potentially malicious artifact and convert each character in the input string into a vector of values to define a character matrix. The processor can apply a convolution matrix to a first window of the character matrix to define a first subscore, apply the convolution matrix to a second window of the character matrix to define a second subscore and combine the first subscore and the second subscore to define a score for the convolution matrix. The processor can provide the score for the convolution matrix as an input to a machine learning threat model, identify the potentially malicious artifact as malicious based on an output of the machine learning threat model, and perform a remedial action on the potentially malicious artifact based on identifying the potentially malicious artifact as malicious.
    Type: Application
    Filed: May 29, 2019
    Publication date: September 12, 2019
    Applicant: Invincea, Inc.
    Inventor: Joshua Daniel SAXE