Patents by Inventor Nikolay Nikolaevich ANDREEV

Nikolay Nikolaevich ANDREEV has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20220147631
    Abstract: A method and a system for detecting a malicious activity are provided. The method comprises: receiving, from a given host of the plurality of hosts, an event flow including data representative of events that occurred at the given host; analyzing a given event sequence of the event flow to generate, for a given event thereof, a respective internal event; applying to the respective internal event a plurality of signature-based rules to determine at least one internal state marker of the given host associated with the given event; feeding the respective internal state markers to a trained machine-learning algorithm (MLA) to determine a prediction outcome thereof of whether the given event sequence is associated with the malicious activity; in response to the prediction outcome exceeding a predetermined threshold, determining the given event sequence as being associated with the malicious activity; and generating a report including the prediction outcome.
    Type: Application
    Filed: January 27, 2022
    Publication date: May 12, 2022
    Inventors: Sergei Sergeevich PERFILEV, Nikolay Nikolaevich ANDREEV
  • Patent number: 11122061
    Abstract: There is disclosed a method for determining malicious files in a network traffic, the method executable by a server. The method comprises: receiving the network traffic from a data communication network, retrieving a plurality of files from the network traffic, analyzing the plurality of files in order to detect at least one suspicious file, running the at least one suspicious file in at least one virtual machine, the at least one virtual machine associated with a set of the status parameters, determining changes in the set of the status parameters of the at least one virtual machine, analyzing the changes in the set of status parameters using a set of the analysis rules so as to classify the at least one suspicious file as a malicious file based on the changes in the set of status parameters being indicative of the at least one file being the malicious file.
    Type: Grant
    Filed: January 16, 2019
    Date of Patent: September 14, 2021
    Assignee: GROUP IB TDS, LTD
    Inventors: Nikita Igorevich Kislitsin, Nikolay Nikolaevich Andreev
  • Publication number: 20190222591
    Abstract: There is disclosed a method for determining malicious files in a network traffic, the method executable by a server. The method comprises: receiving the network traffic from a data communication network, retrieving a plurality of files from the network traffic, analyzing the plurality of files in order to detect at least one suspicious file, running the at least one suspicious file in at least one virtual machine, the at least one virtual machine associated with a set of the status parameters, determining changes in the set of the status parameters of the at least one virtual machine, analyzing the changes in the set of status parameters using a set of the analysis rules so as to classify the at least one suspicious file as a malicious file based on the changes in the set of status parameters being indicative of the at least one file being the malicious file.
    Type: Application
    Filed: January 16, 2019
    Publication date: July 18, 2019
    Inventors: Nikita Igorevich KISLITSIN, Nikolay Nikolaevich ANDREEV