Abstract: Systems and methods for classifying malware based on the frequency of feature reuse are provided. The system can identify a malicious feature frequency, a benign feature frequency, and a first weight value. The system can generate a first reuse vector based on the malicious feature frequency and the benign feature frequency. The system can determine that a training binary associated with a known classification includes the first feature and a second feature, the second feature associated with a second reuse vector and a second weight value. The system can construct, responsive to the determination that the first binary includes the first feature and the second feature, a reuse tensor using the first reuse vector, the second reuse vector, the first weight value, and the second weight value. The system can train a malware classification model using the reuse tensor and the known classification associated with the training binary.

Abstract: Systems and methods for classifying malware based on the frequency of feature reuse are provided. The system can identify a malicious feature frequency, a benign feature frequency, and a first weight value. The system can generate a first reuse vector based on the malicious feature frequency and the benign feature frequency. The system can determine that a training binary associated with a known classification includes the first feature and a second feature, the second feature associated with a second reuse vector and a second weight value. The system can construct, responsive to the determination that the first binary includes the first feature and the second feature, a reuse tensor using the first reuse vector, the second reuse vector, the first weight value, and the second weight value. The system can train a malware classification model using the reuse tensor and the known classification associated with the training binary.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for automatically generating intrusion detection system (IDS) signatures. One of the systems includes obtaining a new data object and determining whether the new data object is malicious or not malicious; identifying a plurality of components of the new data object; updating tracking data that identifies, for each of a plurality of tracked components of previous data objects, a frequency with which the tracked component has been identified in previous data objects determined to be malicious and a frequency with which the tracked component has been identified in previous data objects determined not to be malicious; and determining, from the tracking data, that one or more particular tracked components satisfy one or more conditions and, in response: automatically generating a new IDS signature for identifying malicious data objects that include the one or more particular tracked components.

Abstract: Systems and methods for classifying malware based on the frequency of feature reuse are provided. The system can identify a malicious feature frequency, a benign feature frequency, and a first weight value. The system can generate a first reuse vector based on the malicious feature frequency and the benign feature frequency. The system can determine that a training binary associated with a known classification includes the first feature and a second feature, the second feature associated with a second reuse vector and a second weight value. The system can construct, responsive to the determination that the first binary includes the first feature and the second feature, a reuse tensor using the first reuse vector, the second reuse vector, the first weight value, and the second weight value. The system can train a malware classification model using the reuse tensor and the known classification associated with the training binary.

Abstract: Malicious network activity can be detected using methods and systems that monitor execution of code on computing nodes. The computing nodes may be network-connected nodes, may be infected with malicious code or malware, and/or may be protected by the monitor to prevent such infection or to mitigate impact of such infection. In some implementations, a monitoring system monitors execution of malicious code on an infected network node, detects an interaction between the infected network node and a remote node, and records information representative of actions taken by the malicious code subsequent to the interaction. In some implementations, the monitoring system monitors execution of suspect code on a protected computing node, records information representative of a network interaction between the protected computing node and a remote node, and detects actions taken by the suspect code consistent with the actions taken by the malicious code represented in the recorded information recorded.

Abstract: A shadow sandbox is maintained for malware detection. The shadow sandbox is a virtual machine replica of a target computing environment from a protected computing system. The shadow sandbox is maintained through all change events that occur to the target computing environment. The described systems and methods of detecting or preventing malware execution include maintaining a virtual machine replica of a target computing system by monitoring the target computing system for a plurality of possible events, the plurality of possible events including change events and risk events, detecting a change event on the target computing system, and updating the virtual machine based on the detected change event. The described systems and methods detect a risk event on the target computing system, execute the risk event on the virtual machine, and determine whether the risk event is malicious based on observation of execution of the risk event on the virtual machine.

Abstract: Malicious network activity can be detected using methods and systems that monitor execution of code on computing nodes. The computing nodes may be network-connected nodes, may be infected with malicious code or malware, and/or may be protected by the monitor to prevent such infection or to mitigate impact of such infection. In some implementations, a monitoring system monitors execution of malicious code on an infected network node, detects an interaction between the infected network node and a remote node, and records information representative of actions taken by the malicious code subsequent to the interaction. In some implementations, the monitoring system monitors execution of suspect code on a protected computing node, records information representative of a network interaction between the protected computing node and a remote node, and detects actions taken by the suspect code consistent with the actions taken by the malicious code represented in the recorded information recorded.

Abstract: A shadow sandbox is maintained for malware detection. The shadow sandbox is a virtual machine replica of a target computing environment from a protected computing system. The shadow sandbox is maintained through all change events that occur to the target computing environment. The described systems and methods of detecting or preventing malware execution include maintaining a virtual machine replica of a target computing system by monitoring the target computing system for a plurality of possible events, the plurality of possible events including change events and risk events, detecting a change event on the target computing system, and updating the virtual machine based on the detected change event. The described systems and methods detect a risk event on the target computing system, execute the risk event on the virtual machine, and determine whether the risk event is malicious based on observation of execution of the risk event on the virtual machine.