Patents by Inventor Muhammad Amin

Muhammad Amin has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9888016
    Abstract: Phishing detection techniques for predicting a password for decrypting an attachment for the purpose of malicious content detection are described herein. According to one embodiment, in response to a communication message, such as an electronic mail (email) message having an encrypted attachment, content of the communication message is parsed to predict a password based on a pattern of the content. The encrypted attachment is then decrypted using the predicted password to generate a decrypted attachment. Thereafter, a malicious content analysis is performed on the decrypted attachment to determine a likelihood as to whether the decrypted attachment contains malicious content.
    Type: Grant
    Filed: June 28, 2013
    Date of Patent: February 6, 2018
    Assignee: FireEye, Inc.
    Inventors: Muhammad Amin, Mohan Samuelraj, Henry Uyeno
  • Patent number: 9838408
    Abstract: In an embodiment, a system, device and method for detecting a malicious attack is described. Herein, the system includes a security network device that conducts an analysis on received network traffic to detect a suspicious object associated with the network traffic and determine an identifier associated with a source of the suspicious object. Information associated with the suspicious object and/or ancillary data, including information that identifies a return path for analysis results to a customer, are uploaded to a detection cloud. The detection cloud includes provisioning logic and one or more virtual machines that are provisioned by the provisioning logic in accordance with at least a portion of the ancillary data. The provisioning logic is to customize functionality of the detection cloud for a specific customer.
    Type: Grant
    Filed: May 19, 2017
    Date of Patent: December 5, 2017
    Assignee: FireEye, Inc.
    Inventors: Shrikrishna Karandikar, Muhammad Amin, Shivani Deshpande, Yasir Khalid
  • Patent number: 9787700
    Abstract: According to one embodiment, a system features analysis circuitry and detection circuitry. The analysis circuitry features a first processing unit and a first memory that includes a filtering logic configured to produce a second plurality of objects from a received first plurality of objects. The second plurality of objects is a subset of the first plurality of objects. The detection circuitry is communicatively coupled to and remotely located from the analysis circuitry. The detection circuitry includes a second processing unit and a second memory. The second memory includes a virtual execution logic to process content within at least a first object of the second plurality of objects. The virtual execution logic is configured to monitor for behaviors, during the processing of the first object, and determine whether any or all of the monitored behaviors correspond to activities indicative that the first object is associated with a malicious attack.
    Type: Grant
    Filed: March 6, 2017
    Date of Patent: October 10, 2017
    Assignee: FireEye, Inc.
    Inventors: Muhammad Amin, Masood Mehmood, Ramaswamy Ramaswamy, Madhusudan Challa, Shrikrishna Karandikar
  • Patent number: 9756074
    Abstract: A threat detection system integrated with intrusion protection system (IPS) logic and virtual execution logic is shown. The IPS logic is configured to receive a first plurality of objects and filter the first plurality of objects by identifying a second plurality of objects as suspicious objects. The second plurality of objects is a subset of the first plurality of objects and is lesser or equal in number to the first plurality of objects. The virtual execution logic is configured to automatically verify whether any of the suspicious objects is an exploit. The virtual execution logic comprises at least one virtual machine configured to virtually process content within the suspicious objects and monitor for anomalous behaviors during the virtual processing that are indicative of exploits.
    Type: Grant
    Filed: March 27, 2014
    Date of Patent: September 5, 2017
    Assignee: FireEye, Inc.
    Inventors: Ashar Aziz, Muhammad Amin, Osman Abdoul Ismael, Zheng Bu
  • Patent number: 9661009
    Abstract: In an embodiment, a system, device and method for detecting a malicious attack is described. Herein, the system includes a security network device that conducts an analysis on received network traffic to detect a suspicious object associated with the network traffic and determine an identifier associated with a source of the suspicious object. Both information associated with the suspicious object and ancillary data, including information that identifies a return path for analysis results to a customer, are uploaded to a detection cloud. The detection cloud includes provisioning logic and one or more virtual machines that are provisioned by the provisioning logic in accordance with at least a portion of the ancillary data. The provisioning logic is to customize functionality of the detection cloud for a specific customer.
    Type: Grant
    Filed: July 18, 2016
    Date of Patent: May 23, 2017
    Assignee: FireEye, Inc.
    Inventors: Shrikrishna Karandikar, Muhammad Amin, Shivani Deshpande, Yasir Khalid
  • Patent number: 9626509
    Abstract: Techniques for efficient and effective malicious content detection in plural versions of a software application are described herein. According to one embodiment, multiple versions of a software application are concurrently within a virtual machine (VM) executed within a data processing system. For each of the versions of the software application, a corresponding one of the versions is invoked to access a malicious content suspect within the VM without switching to another VM. The behaviors of each of the versions of the software application in response to the malicious content suspect is monitored to detect anomalous behavior indicative of malicious content in the malicious content suspect during execution of any of the versions of the software application. The detected anomalous behaviors, and, associated therewith, a version number corresponding to each of the versions of the software application whose execution resulted in the anomalous behavior are stored.
    Type: Grant
    Filed: March 13, 2013
    Date of Patent: April 18, 2017
    Assignee: FireEye, Inc.
    Inventors: Yasir Khalid, Muhammad Amin, Emily Jing, Muhammad Rizwan
  • Patent number: 9591015
    Abstract: According to one embodiment, a network security device configured to detect malicious content within received network traffic and comprising a traffic analysis controller (TAC) is provided. The traffic analysis controller comprises a network processing unit (NPU) and is configured to perform at least packet processing on the NPU with a set of pre-filters. In addition, the network security device further comprises a central processing unit (CPU) and is configured to perform at least virtual machine (VM)-based processing. The set of pre-filters is configured to distribute objects of received network traffic such that either static analysis or dynamic analysis may be performed on an object to determine whether the object contains malicious content. The static analysis may be performed on either the NPU or the CPU while the dynamic analysis is performed on the CPU.
    Type: Grant
    Filed: March 28, 2014
    Date of Patent: March 7, 2017
    Assignee: FireEye, Inc.
    Inventors: Muhammad Amin, Masood Mehmood, Ramaswamy Ramaswamy, Madhusudan Challa, Shrikrishna Karandikar
  • Patent number: 9519782
    Abstract: Systems and methods for detecting malicious content on portable data storage devices or remote network servers are provided. In an exemplary embodiment, a system comprises a quarantine module configured to detect one or more portable data storage devices upon insertion of the devices into a security appliance, wherein the security appliance is configured to receive the portable data storage devices, a controller configured to receive from the security appliance, via a communication network, data associated with the portable data storage devices, an analysis module configured to analyze the data to determine whether the data includes malware, and a security module to selectively identify, based on the determination, the one or more portable data storage devices storing the malware.
    Type: Grant
    Filed: February 24, 2012
    Date of Patent: December 13, 2016
    Assignee: FireEye, Inc.
    Inventors: Ashar Aziz, Stuart Gresley Staniford, Muhammad Amin, Henry Uyeno, Samuel Yie
  • Patent number: 9432389
    Abstract: In an embodiment, a threat detection and prevention system comprises a network-traffic static analysis logic and a classification engine. The network-traffic static analysis logic is configured to conduct an analysis of a multi-flow object by analyzing characteristics of the multi-flow object and determining if the characteristics of the multi-flow object are associated with a malicious attack such as being indicative of an exploit for example. The classification engine is configured to receive results of the analysis of the multi-flow object and, based on the results of the analysis of the multi-flow object, determine whether the multi-flow object is associated with a malicious attack.
    Type: Grant
    Filed: March 31, 2014
    Date of Patent: August 30, 2016
    Assignee: FireEye, Inc.
    Inventors: Yasir Khalid, Shivani Deshpande, Muhammad Amin
  • Patent number: 9398028
    Abstract: In an embodiment, a dynamic analysis engine is configured to receive an identifier associated with a source for network traffic including at least one object having at least a prescribed probability of being associated with an exploit. Deployed within a detection cloud, the dynamic analysis engine comprises one or more virtual machines and monitoring logic. The virtual machines are adapted to virtually process the identifier by establishing a communication session with a server hosting a website accessible by the identifier. In communication with the virtual machines, the monitoring logic is adapted to detect anomalous behaviors by the virtual machines during the communication session with the server.
    Type: Grant
    Filed: June 26, 2014
    Date of Patent: July 19, 2016
    Assignee: FireEye, Inc.
    Inventors: Shrikrishna Karandikar, Muhammad Amin, Shivani Deshpande, Yasir Khalid
  • Patent number: 9355247
    Abstract: Techniques for malicious content detection using memory dump are described herein. According to one embodiment, a monitoring module is configured to monitor activities of a malicious content suspect executed within a sandboxed operating environment. In response to detection of one or more predetermined events triggered by the malicious content suspect, a memory dump module is configured to generate a memory dump of the malicious content suspect. An analysis module is configured to analyze the memory dump to determine whether the malicious content suspect should be declared as malicious based on a set of one or more rules.
    Type: Grant
    Filed: March 13, 2013
    Date of Patent: May 31, 2016
    Assignee: FireEye, Inc.
    Inventors: Emmanuel Thioux, Muhammad Amin, Osman Ismael
  • Patent number: 9306974
    Abstract: A threat detection system integrated with intrusion protection system (IPS) logic, virtual execution logic and reporting logic is shown. The IPS logic is configured to identify a first plurality of objects as suspicious objects and output information associated with the suspicious objects. The virtual execution logic is configured to receive the suspicious objects and verify whether any of the suspicious objects is an exploit. The virtual execution logic includes at least one virtual machine configured to virtually process content within the suspicious objects and monitor for anomalous behaviors during the virtual processing that are indicative of exploits. The reporting logic is configured to issue a report including the information associated with the suspicious objects from the IPS logic and results of the virtual processing of the content within the suspicious objects.
    Type: Grant
    Filed: February 11, 2015
    Date of Patent: April 5, 2016
    Assignee: FireEye, Inc.
    Inventors: Ashar Aziz, Muhammad Amin, Osman Abdoul Ismael, Zheng Bu
  • Patent number: 9251343
    Abstract: Techniques detect bootkits resident on a computer by detecting a change or attempted change to contents of boot locations (e.g., the master boot record) of persistent storage, which may evidence a resident bootkit. Some embodiments may monitor computer operations seeking to change the content of boot locations of persistent storage, where the monitored operations may include API calls performing, for example, WRITE, READ or APPEND operations with respect to the contents of the boot locations. Other embodiments may generate a baseline hash of the contents of the boot locations at a first point of time and a hash snapshot of the boot locations at a second point of time, and compare the baseline hash and hash snapshot where any difference between the two hash values constitutes evidence of a resident bootkit.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: February 2, 2016
    Assignee: FireEye, Inc.
    Inventors: Michael M. Vincent, Abhishek Singh, Muhammad Amin, Zheng Bu
  • Publication number: 20150318085
    Abstract: A method for making one or more nanostructures is disclosed, the method comprising: depositing a conducting layer on an upper surface of a substrate; depositing a patterned layer of catalyst on the conducting layer; growing the one or more nanostructures on the layer of catalyst; and selectively removing the conducting layer between and around the one or more nanostructures. A device is also disclosed, comprising a substrate, wherein the substrate comprises one or more exposed metal islands separated by one or more insulating areas; a conducting helplayer disposed on the substrate covering at least some of the one or more exposed metal islands or insulating areas; a catalyst layer disposed on the conducting helplayer; and one or more nanostructures disposed on the catalyst layer.
    Type: Application
    Filed: July 9, 2015
    Publication date: November 5, 2015
    Inventors: Jonas S. T. Berg, Vincent Desmaris, Mohammad Shafiqul Kabir, Muhammad Amin Saleem, David Brud
  • Patent number: 9114993
    Abstract: A method for making one or more nanostructures is disclosed, the method comprising: depositing a conducting layer on an upper surface of a substrate; depositing a patterned layer of catalyst on the conducting layer; growing the one or more nanostructures on the layer of catalyst; and selectively removing the conducting layer between and around the one or more nanostructures. A device is also disclosed, comprising a substrate, wherein the substrate comprises one or more exposed metal islands separated by one or more insulating areas; a conducting helplayer disposed on the substrate covering at least some of the one or more exposed metal islands or insulating areas; a catalyst layer disposed on the conducting helplayer; and one or more nanostructures disposed on the catalyst layer.
    Type: Grant
    Filed: September 18, 2014
    Date of Patent: August 25, 2015
    Assignee: Smoltek AB
    Inventors: Jonas T. Berg, Vincent Desmaris, Mohammad Shafiqul Kabir, Muhammad Amin Saleem, David Brud
  • Patent number: 9104867
    Abstract: Techniques for detecting malicious content using simulated user interactions are described herein. In one embodiment, a monitoring module monitors activities of a malicious content suspect executed within a sandboxed operating environment. In response to detection of a predetermined event triggered by the malicious content suspect requesting a user action on a graphical user interface (GUI) presented by the malicious content suspect, a user interaction module simulates a user interaction with the GUI without user intervention. An analysis module analyzes activities of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious.
    Type: Grant
    Filed: March 13, 2013
    Date of Patent: August 11, 2015
    Assignee: FireEye, Inc.
    Inventors: Emmanuel Thioux, Muhammad Amin, Darien Kindlund, Alex Pilipenko, Michael Vincent
  • Patent number: 9106694
    Abstract: An electronic message is analyzed for malware contained in the message. Text of an electronic message may be analyzed to detect and process malware content in the electronic message itself. The present technology may analyze an electronic message and attachments to electronic messages to detect a uniform resource location (URL), identify whether the URL is suspicious, and analyze all suspicious URLs to determine if they are malware. The analysis may include re-playing the suspicious URL in a virtual environment which simulates the intended computing device to receive the electronic message. If the re-played URL is determined to be malicious, the malicious URL is added to a black list which is updated throughout the computer system.
    Type: Grant
    Filed: April 18, 2011
    Date of Patent: August 11, 2015
    Assignee: FireEye, Inc.
    Inventors: Ashar Aziz, Henry Uyeno, Jay Manni, Muhammad Amin, Stuart Staniford
  • Publication number: 20150186645
    Abstract: According to one embodiment, a threat detection system is integrated with intrusion protection system (IPS) logic and virtual execution logic. The IPS logic is configured to receive a first plurality of objects and filter the first plurality of objects by identifying a second plurality of objects as suspicious objects. The second plurality of objects is a subset of the first plurality of objects and is lesser or equal in number to the first plurality of objects. The virtual execution logic is configured to automatically verify whether any of the suspicious objects is an exploit. The virtual execution logic comprises at least one virtual machine configured to virtually process content within the suspicious objects and monitor for anomalous behaviors during the virtual processing that are indicative of exploits.
    Type: Application
    Filed: March 27, 2014
    Publication date: July 2, 2015
    Applicant: FireEye, Inc.
    Inventors: Ashar Aziz, Muhammad Amin, Osman Abdoul Ismael, Zheng Bu
  • Patent number: 9006488
    Abstract: A solvent-free mechanical process of reacting amine compounds with acetylating agents resulting in amides such as acetaminophen is described.
    Type: Grant
    Filed: March 20, 2014
    Date of Patent: April 14, 2015
    Inventors: Muhammad Amin, Muhammad S. Iqbal
  • Patent number: 8935779
    Abstract: A system and method are disclosed for network-based file analysis for malware detection. Network content is received from a network tap. A binary packet is identified in the network content. A binary file, including the binary packet, is extracted from the network content. It is determined whether the extracted binary file is detected to be malware.
    Type: Grant
    Filed: January 13, 2012
    Date of Patent: January 13, 2015
    Assignee: FireEye, Inc.
    Inventors: Jayaraman Manni, Ashar Aziz, Fengmin Gong, Upendran Loganathan, Muhammad Amin