Abstract: A threat detection system for detecting malware can automatically decide, without manual expert-level interaction, the best set of features on which to train a classifier, which can result in the automatic creation of a signature-less malware detection engine. The system can use a combination of execution graphs, anomaly detection and automatic feature pruning. Execution graphs can provide a much richer structure of runtime execution behavior than conventional flat execution trace files, allowing the capture of interdependencies while preserving attribution (e.g., D happened because of A followed by B followed by C). Performing anomaly detection on this runtime execution behavior can provide higher order knowledge as to what behaviors are anomalous or not among the sample files. During training the system can automatically prune the features on which a classifier is trained based on this higher order knowledge without any manual intervention until a desired level of accuracy is achieved.

Abstract: A threat detection system for detecting malware can automatically decide, without manual expert-level interaction, the best set of features on which to train a classifier, which can result in the automatic creation of a signature-less malware detection engine. The system can use a combination of execution graphs, anomaly detection and automatic feature pruning. Execution graphs can provide a much richer structure of runtime execution behavior than conventional flat execution trace files, allowing the capture of interdependencies while preserving attribution (e.g., D happened because of A followed by B followed by C). Performing anomaly detection on this runtime execution behavior can provide higher order knowledge as to what behaviors are anomalous or not among the sample files. During training the system can automatically prune the features on which a classifier is trained based on this higher order knowledge without any manual intervention until a desired level of accuracy is achieved.

Abstract: A threat detection system for detecting malware can automatically decide, without manual expert-level interaction, the best set of features on which to train a classifier, which can result in the automatic creation of a signature-less malware detection engine. The system can use a combination of execution graphs, anomaly detection and automatic feature pruning. Execution graphs can provide a much richer structure of runtime execution behavior than conventional flat execution trace files, allowing the capture of interdependencies while preserving attribution (e.g., D happened because of A followed by B followed by C). Performing anomaly detection on this runtime execution behavior can provide higher order knowledge as to what behaviors are anomalous or not among the sample files. During training the system can automatically prune the features on which a classifier is trained based on this higher order knowledge without any manual intervention until a desired level of accuracy is achieved.

Abstract: A threat detection system for detecting malware can automatically decide, without manual expert-level interaction, the best set of features on which to train a classifier, which can result in the automatic creation of a signature-less malware detection engine. The system can use a combination of execution graphs, anomaly detection and automatic feature pruning. Execution graphs can provide a much richer structure of runtime execution behavior than conventional flat execution trace files, allowing the capture of interdependencies while preserving attribution (e.g., D happened because of A followed by B followed by C). Performing anomaly detection on this runtime execution behavior can provide higher order knowledge as to what behaviors are anomalous or not among the sample files. During training the system can automatically prune the features on which a classifier is trained based on this higher order knowledge without any manual intervention until a desired level of accuracy is achieved.

Abstract: Apparatus, systems, and methods may operate to include transforming subsequent unmarked contexts into additional tainted contexts in response to identifying a tainted event as a link between a prior tainted context and the subsequent unmarked contexts. Further operations may include publishing an event horizon to a display. The event horizon may include the tainted event and all other events associated with a linked chain of contexts that include the prior tainted context and the additional tainted contexts, where the tainted event and the other events share the taint in common. In this way, a taint associated with malicious behavior can be propagated and tracked as it moves between contexts. Additional apparatus, systems, and methods are disclosed.

Abstract: Apparatus, systems, and methods may operate to generate a reference statistical model of an operating system, such as a computer system, and display the reference statistical model as a hierarchical, segmented time series event stream graph, along with a graph representing current behavior of the system. The event stream graph may be derived from one or more streams of security events. Additional operations may include receiving requests to display further detail respecting discrepancies between the reference statistical model and the current behavior. Other apparatus, systems, and methods are disclosed.

Abstract: Apparatus, systems, and methods may operate to receive multiple security event data streams from a plurality of hardware processing nodes, the multiple security event data streams comprising multiple security events. Additional operations may include extracting multiple security events from multiple security event data streams, and classifying the extracted multiple security events to form domain-specific, categorized data streams. A hierarchy of statistical data streams may then be generated from the domain-specific, categorized data streams. Additional apparatus, systems, and methods are disclosed.

Abstract: Apparatus, systems, and methods may operate to generate a reference statistical model of an operating system, such as a computer system, and display the reference statistical model as a hierarchical, segmented time series event stream graph, along with a graph representing current behavior of the system. The event stream graph may be derived from one or more streams of security events. Additional operations may include receiving requests to display further detail respecting discrepancies between the reference statistical model and the current behavior. Other apparatus, systems, and methods are disclosed.

Abstract: Apparatus, systems, and methods may operate to receive multiple security event data streams from a plurality of hardware processing nodes, the multiple security event data streams comprising multiple security events. Additional operations may include extracting multiple security events from multiple security event data streams, and classifying the extracted multiple security events to form domain-specific, categorized data streams. A hierarchy of statistical data streams may then be generated from the domain-specific, categorized data streams. Additional apparatus, systems, and methods are disclosed.

Abstract: Apparatus, systems, and methods may operate to include transforming subsequent unmarked contexts into additional tainted contexts in response to identifying a tainted event as a link between a prior tainted context and the subsequent unmarked contexts. Further operations may include publishing an event horizon to a display. The event horizon may include the tainted event and all other events associated with a linked chain of contexts that include the prior tainted context and the additional tainted contexts, where the tainted event and the other events share the taint in common. In this way, a taint associated with malicious behavior can be propagated and tracked as it moves between contexts. Additional apparatus, systems, and methods are disclosed.