Abstract: A system is provided for training a machine learning model to detect malicious container files. The system may include at least one processor and at least one memory. The memory may include program code which when executed by the at least one processor provides operations including: processing a container file with a trained machine learning model, wherein the trained machine learning is trained to determine a classification for the container file indicative of whether the container file includes at least one file rendering the container file malicious; and providing, as an output by the trained machine learning model, an indication of whether the container file includes the at least one file rendering the container file malicious. Related methods and articles of manufacture, including computer program products, are also disclosed.

Abstract: In one respect, there is provided a system for training a neural network adapted for classifying one or more scripts. The system may include at least one processor and at least one memory. The memory may include program code which when executed by the at least one memory provides operations including: receiving a disassembled binary file that includes a plurality of instructions; processing the disassembled binary file with a convolutional neural network configured to detect a presence of one or more sequences of instructions amongst the plurality of instructions and determine a classification for the disassembled binary file based at least in part on the presence of the one or more sequences of instructions; and providing, as an output, the classification of the disassembled binary file. Related computer-implemented methods are also disclosed.

Abstract: In some implementations there may be provided a system. The system may include a processor and a memory. The memory may include program code which causes operations when executed by the processor. The operations may include analyzing a series of events contained in received data. The series of events may include events that occur during the execution of a data object. The series of events may be analyzed to at least extract, from the series of events, subsequences of events. A machine learning model may determine a classification for the received data. The machine learning model may classify the received data based at least on whether the subsequences of events are malicious. The classification indicative of whether the received data is malicious may be provided. Related methods and articles of manufacture, including computer program products, are also disclosed.

Abstract: In one respect, there is provided a system for training a neural network adapted for classifying one or more scripts. The system may include at least one processor and at least one memory. The memory may include program code which when executed by the at least one memory provides operations including: receiving a disassembled binary file that includes a plurality of instructions; processing the disassembled binary file with a convolutional neural network configured to detect a presence of one or more sequences of instructions amongst the plurality of instructions and determine a classification for the disassembled binary file based at least in part on the presence of the one or more sequences of instructions; and providing, as an output, the classification of the disassembled binary file. Related computer-implemented methods are also disclosed.

Abstract: In one respect, there is provided a system for training a machine learning model to detect malicious container files. The system may include at least one processor and at least one memory. The memory may include program code which when executed by the at least one processor provides operations including: processing a container file with a trained machine learning model, wherein the trained machine learning is trained to determine a classification for the container file indicative of whether the container file includes at least one file rendering the container file malicious; and providing, as an output by the trained machine learning model, an indication of whether the container file includes the at least one file rendering the container file malicious. Related methods and articles of manufacture, including computer program products, are also disclosed.

Abstract: In one respect, there is provided a system for training a machine learning model to detect malicious container files. The system may include at least one processor and at least one memory. The at least one memory may include program code that provides operations when executed by the at least one processor. The operations may include: training, based on a training data, a machine learning model to enable the machine learning model to determine whether at least one container file includes at least one file rendering the at least one container file malicious; and providing the trained machine learning model to enable the determination of whether the at least one container file includes at least one file rendering the at least one container file malicious. Related methods and articles of manufacture, including computer program products, are also disclosed.

Abstract: Using a recurrent neural network (RNN) that has been trained to a satisfactory level of performance, highly discriminative features can be extracted by running a sample through the RNN, and then extracting a final hidden state hi, where i is the number of instructions of the sample. This resulting feature vector may then be concatenated with the other hand-engineered features, and a larger classifier may then be trained on hand-engineered as well as automatically determined features. Related apparatus, systems, techniques and articles are also described.

Abstract: In one respect, there is provided a system for training a machine learning model to detect malicious container files. The system may include at least one processor and at least one memory. The at least one memory may include program code that provides operations when executed by the at least one processor. The operations may include: training, based on a training data, a machine learning model to enable the machine learning model to determine whether at least one container file includes at least one file rendering the at least one container file malicious; and providing the trained machine learning model to enable the determination of whether the at least one container file includes at least one file rendering the at least one container file malicious. Related methods and articles of manufacture, including computer program products, are also disclosed.

Abstract: An endpoint computer system can harvest data relating to a plurality of events occurring within an operating environment of the endpoint computer system and can add the harvested data to a local data store maintained on the endpoint computer system. A query response can be generated, for example by identifying and retrieving responsive data from the local data store. The responsive data are related to an artifact on the endpoint computer system and/or to an event of the plurality of events. In some examples, the local data store can be an audit log and/or can include one or more tamper resistant features. Systems, methods, and computer program products are described.

Abstract: An endpoint computer system can harvest data relating to a plurality of events occurring within an operating environment of the endpoint computer system and can add the harvested data to a local data store maintained on the endpoint computer system. In some examples, the local data store can be an audit log and/or can include one or more tamper resistant features. Systems, methods, and computer program products are described.

Abstract: In one respect, there is provided a system for classifying malware. The system may include a data processor and a memory. The memory may include program code that provides operations when executed by the processor. The operations may include: providing, to a display, contextual information associated with a file to at least enable a classification of the file, when a malware classifier is unable to classify the file; receiving, in response to the providing of the contextual information, the classification of the file; and updating, based at least on the received classification of the file, the malware classifier to enable the malware classifier to classify the file. Methods and articles of manufacture, including computer program products, are also provided.

Abstract: Data is received or accessed that includes a structured file encapsulating data required by an execution environment to manage executable code wrapped within the structured file. Thereafter, code and data regions are iteratively identified in the structured file. Such identification is analyzed so that at least one feature can be extracted from the structured file. Related apparatus, systems, techniques and articles are also described.

Abstract: Data is received or accessed that includes a structured file encapsulating data required by an execution environment to manage executable code wrapped within the structured file. Thereafter, code and data regions are iteratively identified in the structured file. Such identification is analyzed so that at least one feature can be extracted from the structured file. Related apparatus, systems, techniques and articles are also described.

Abstract: In one respect, there is provided a system for classifying malware. The system may include a data processor and a memory. The memory may include program code that provides operations when executed by the processor. The operations may include: providing, to a display, contextual information associated with a file to at least enable a classification of the file, when a malware classifier is unable to classify the file; receiving, in response to the providing of the contextual information, the classification of the file; and updating, based at least on the received classification of the file, the malware classifier to enable the malware classifier to classify the file. Methods and articles of manufacture, including computer program products, are also provided.

Abstract: An endpoint computer system can harvest data relating to a plurality of events occurring within an operating environment of the endpoint computer system and can add the harvested data to a local data store maintained on the endpoint computer system. In some examples, the local data store can be an audit log and/or can include one or more tamper resistant features. Systems, methods, and computer program products are described.

Abstract: An endpoint computer system can harvest data relating to a plurality of events occurring within an operating environment of the endpoint computer system and can add the harvested data to a local data store maintained on the endpoint computer system. A query response can be generated, for example by identifying and retrieving responsive data from the local data store. The responsive data are related to an artifact on the endpoint computer system and/or to an event of the plurality of events. In some examples, the local data store can be an audit log and/or can include one or more tamper resistant features. Systems, methods, and computer program products are described.

Abstract: In one aspect there is provided a method. The method may include: determining that an executable implements a sub-execution environment, the sub-execution environment being configured to receive an input, and the input triggering at least one event at the sub-execution environment; intercepting the event at the sub-execution environment; and applying a security policy to the intercepted event, the applying of the policy comprises blocking the event, when the event is determined to be a prohibited event. Systems and articles of manufacture, including computer program products, are also provided.

Abstract: In some implementations there may be provided a system. The system may include a processor and a memory. The memory may include program code which causes operations when executed by the processor. The operations may include analyzing a series of events contained in received data. The series of events may include events that occur during the execution of a data object. The series of events may be analyzed to at least extract, from the series of events, subsequences of events. A machine learning model may determine a classification for the received data. The machine learning model may classify the received data based at least on whether the subsequences of events are malicious. The classification indicative of whether the received data is malicious may be provided. Related methods and articles of manufacture, including computer program products, are also disclosed.

Abstract: Described are techniques to enable computers to efficiently determine if they should run a program based on an immediate (i.e., real-time, etc.) analysis of the program. Such an approach leverages highly trained ensemble machine learning algorithms to create a real-time discernment on a combination of static and dynamic features collected from the program, the computer's current environment, and external factors. Related apparatus, systems, techniques and articles are also described.

Abstract: In one respect, there is provided a system for training a neural network adapted for classifying one or more scripts. The system may include at least one processor and at least one memory. The memory may include program code which when executed by the at least one memory provides operations including: receiving a disassembled binary file that includes a plurality of instructions; processing the disassembled binary file with a convolutional neural network configured to detect a presence of one or more sequences of instructions amongst the plurality of instructions and determine a classification for the disassembled binary file based at least in part on the presence of the one or more sequences of instructions; and providing, as an output, the classification of the disassembled binary file. Related computer-implemented methods are also disclosed.