Abstract: Apparatus and methods describe herein, for example, a process that can include receiving a potentially malicious file, and dividing the potentially malicious file into a set of byte windows. The process can include calculating at least one attribute associated with each byte window from the set of byte windows for the potentially malicious file. In such an instance, the at least one attribute is not dependent on an order of bytes in the potentially malicious file. The process can further include identifying a probability that the potentially malicious file is malicious, based at least in part on the at least one attribute and a trained threat model.

Abstract: A system for conducting a security recognition task, the system comprising a memory configured to store a model and training data including auxiliary information that will not be available as input to the model when the model is used as a security recognition task model for the security recognition task. The system further comprising one or more processors communicably linked to the memory and comprising a training unit and a prediction unit. The training unit is configured to receive the training data and the model from the memory and subsequently provide the training data to the model, and train the model, as the security recognition task model, using the training data to predict the auxiliary information as well as to perform the security recognition task, thereby improving performance of the security recognition task. The prediction unit is configured to use the security recognition task model output to perform the security recognition task while ignoring the auxiliary attributes in the model output.

Abstract: In example embodiments, techniques are provided to detect LOLBin attacks using a trained machine learning model that classifies command lines as benign or malicious. The machine learning model may be trained using a dataset of command line data that describes executed binary executable files, sourced from the log of events of compute instances. The dataset may be sampled using an approximate content-based logarithmic sampling algorithm (e.g., an algorithm that employs logarithmic sampling based on a locality sensitive hash, for example, a MinHash). The dataset may be labeled and featurized. The featurized labeled dataset may be used to train the machine learning model, which is then deployed to detect LOLBin attacks on a compute instance. In response to detection of a LOLBin attack, a remedial action may be performed on the compute instance.

Abstract: Apparatus and methods describe herein, for example, a process that can include receiving a potentially malicious file, and dividing the potentially malicious file into a set of byte windows. The process can include calculating at least one attribute associated with each byte window from the set of byte windows for the potentially malicious file. In such an instance, the at least one attribute is not dependent on an order of bytes in the potentially malicious file. The process can further include identifying a probability that the potentially malicious file is malicious, based at least in part on the at least one attribute and a trained threat model.

Abstract: A method for prioritizing security events comprises receiving a security event that includes security event data having been generated by an endpoint agent based on a detected activity, wherein the security event data includes one or more features; applying a first computing model to the security event data to automatically determine which of the one or more features are one or more input features to a machine learning system; applying a second computing model to historical data related to the security event data to determine time pattern information of the security event data as an input to the machine learning system; combining the one or more input features from the first computing model and the input from the second computing model to generate a computed feature result; and generating an updated security level value of the security event from the computed feature result.

Abstract: In general, in one aspect, a method for machine learning recognition of portable executable files as malware includes providing training data comprising features of portable executable files and a descriptive information for the portable executable files, the descriptive information comprising a family or type of malware. The method may include training a model using the training data to detect malware. The method may include using the trained model to recognize malware by providing features of a portable executable file as input and providing a threat score and descriptive information as output.

Abstract: Embodiments disclosed include methods and apparatus for visualization of data and models (e.g., machine learning models) used to monitor and/or detect malware to ensure data integrity and/or to prevent or detect potential attacks. Embodiments disclosed include receiving information associated with artifacts scored by one or more sources of classification (e.g., models, databases, repositories). The method includes receiving inputs indicating threshold values or criteria associated with a classification of maliciousness of an artifact and for selecting sample artifacts. The method further includes classifying and selecting the artifacts, based on the criteria, to define a sample set, and based on the sample set, generating a ground truth indication of classification of maliciousness for each sample artifact in the sample set.

Abstract: In general, in one aspect, a method for machine learning recognition of portable executable files as malware includes providing training data comprising features of portable executable files and a descriptive information for the portable executable files, the descriptive information comprising a family or type of malware. The method may include training a model using the training data to detect malware. The method may include using the trained model to recognize malware by providing features of a portable executable file as input and providing a threat score and descriptive information as output.

Abstract: A system for conducting a security recognition task, the system comprising a memory configured to store a model and training data including auxiliary information that will not be available as input to the model when the model is used as a security recognition task model for the security recognition task. The system further comprising one or more processors communicably linked to the memory and comprising a training unit and a prediction unit. The training unit is configured to receive the training data and the model from the memory and subsequently provide the training data to the model, and train the model, as the security recognition task model, using the training data to predict the auxiliary information as well as perform the security recognition task, thereby improving performance of the security recognition task. The prediction unit is configured to use the security recognition task model output to perform the security recognition task while ignoring the auxiliary attributes in the model output.

Abstract: A system for conducting a security recognition task, the system comprising a memory configured to store a model and training data including auxiliary information that will not be available as input to the model when the model is used as a security recognition task model for the security recognition task. The system further comprising one or more processors communicably linked to the memory and comprising a training unit and a prediction unit. The training unit is configured to receive the training data and the model from the memory and subsequently provide the training data to the model, and train the model, as the security recognition task model, using the training data to predict the auxiliary information as well as perform the security recognition task, thereby improving performance of the security recognition task. The prediction unit is configured to use the security recognition task model output to perform the security recognition task while ignoring the auxiliary attributes in the model output.

Abstract: In some embodiments, an apparatus includes a memory and a processor operatively coupled to the memory. The processor is configured to identify a feature vector for a potentially malicious file and provide the feature vector as an input to a trained neural network autoencoder to produce a modified feature vector. The processor is configured to generate an output vector by introducing Gaussian noise into the modified feature vector to ensure a Gaussian distribution for the output vector within a set of modified feature vectors. The processor is configured to provide the output vector as an input to a trained neural network decoder associated with the trained neural network autoencoder to produce an identifier of a class associated with the set of modified feature vectors. The processor is configured to perform a remedial action on the potentially malicious file based on the potentially malicious file being associated with the class.

Abstract: Apparatus and methods describe herein, for example, a process that can include receiving a potentially malicious file, and dividing the potentially malicious file into a set of byte windows. The process can include calculating at least one attribute associated with each byte window from the set of byte windows for the potentially malicious file. In such an instance, the at least one attribute is not dependent on an order of bytes in the potentially malicious file. The process can further include identifying a probability that the potentially malicious file is malicious, based at least in part on the at least one attribute and a trained threat model.

Abstract: In general, in one aspect, a method for machine learning recognition of portable executable files as malware includes providing training data comprising features of portable executable files and a descriptive information for the portable executable files, the descriptive information comprising a family or type of malware. The method may include training a model using the training data to detect malware. The method may include using the trained model to recognize malware by providing features of a portable executable file as input and providing a threat score and descriptive information as output.

Abstract: Apparatus and methods describe herein, for example, a process that can include receiving a potentially malicious file, and dividing the potentially malicious file into a set of byte windows. The process can include calculating at least one attribute associated with each byte window from the set of byte windows for the potentially malicious file. In such an instance, the at least one attribute is not dependent on an order of bytes in the potentially malicious file. The process can further include identifying a probability that the potentially malicious file is malicious, based at least in part on the at least one attribute and a trained threat model.

Abstract: Apparatus and methods describe herein, for example, a process that can include receiving a potentially malicious file, and dividing the potentially malicious file into a set of byte windows. The process can include calculating at least one attribute associated with each byte window from the set of byte windows for the potentially malicious file. In such an instance, the at least one attribute is not dependent on an order of bytes in the potentially malicious file. The process can further include identifying a probability that the potentially malicious file is malicious, based at least in part on the at least one attribute and a trained threat model.

Abstract: In some embodiments, an apparatus includes a memory and a processor operatively coupled to the memory. The processor is configured to identify a feature vector for a potentially malicious file and provide the feature vector as an input to a trained neural network autoencoder to produce a modified feature vector. The processor is configured to generate an output vector by introducing Gaussian noise into the modified feature vector to ensure a Gaussian distribution for the output vector within a set of modified feature vectors. The processor is configured to provide the output vector as an input to a trained neural network decoder associated with the trained neural network autoencoder to produce an identifier of a class associated with the set of modified feature vectors. The processor is configured to perform a remedial action on the potentially malicious file based on the potentially malicious file being associated with the class.

Abstract: Apparatus and methods describe herein, for example, a process that can include receiving a potentially malicious file, and dividing the potentially malicious file into a set of byte windows. The process can include calculating at least one attribute associated with each byte window from the set of byte windows for the potentially malicious file. In such an instance, the at least one attribute is not dependent on an order of bytes in the potentially malicious file. The process can further include identifying a probability that the potentially malicious file is malicious, based at least in part on the at least one attribute and a trained threat model.