Abstract: A multi-layer path-planning system and method calculates trajectories for autonomous vehicles using a global planner, a fast local planner, and an optimizing local planner. The calculated trajectories are used to guide the autonomous vehicle along a bounded path between a starting point and a destination.

Abstract: Disclosed herein are systems and method for selectively restoring a computer system to an operational state. In an exemplary aspect, the method may create a backup image of the computer system comprising a set of data blocks, and create and start a virtual machine based on the backup image. The method may identify a subset of the data blocks accessed from the backup image during startup of the virtual machine. In response to determining that the computer system should be restored, the method may restore the subset of the data blocks such that the computer system is operational during startup, and restore a remaining set of the data blocks from the backup image after the startup of the computer system.

Abstract: Aspects of the disclosure describe methods and systems for cross-referencing forensic snapshots over time. In one exemplary aspect, a method may comprise receiving a first snapshot of a computing device at a first time and a second snapshot of the computing device at a second time and applying a pre-defined filter to the first snapshot and the second snapshot, wherein the pre-defined filter includes a list of files that are to be extracted from each snapshot. The method may comprise subsequent to applying the pre-defined filter, identifying differences in the list of files extracted from the first snapshot and the second snapshot. The method may comprise creating a change map for the computing device that comprises the differences in the list of files over a period of time, wherein the period of time comprises the first time and the second time, and outputting the change map in a user interface.

Abstract: The invention relates to data recovery technology. An archive connection driver creates a virtual storage medium that is readable by an operating system, with the operating system running antivirus scanning algorithms on the connected virtual storage medium. Corrupted data and malware are deleted and the relevant data blocks repaired in a connected backup. Corrupted data and infected files are restored in marked invalid data in the backup.

Abstract: A rootkit detection system and method analyzes memory dumps to determine connections between intercepted system driver operations requested by unknown files and changes in system memory before and after those operations. Memory dump differences and I/O buffers are analyzed with machine learning models to identify clustered features associated with rootkits.

Abstract: Described herein are systems and methods for controlling access to a protected resource based on various criteria. In one exemplary aspect, a method comprises designating a plurality of program data installed on a computing system as protected program data; intercepting, by a kernel mode driver, a request from an untrusted application executing on the computing system to alter at least one of the protected program data; classifying, by a self-defense service, the untrusted application as a malicious application based on the intercepted request and information related to the untrusted application; and responsive to classifying the untrusted application as a malicious application, denying, by the kernel mode driver, access to the at least one of the protected program data.

Abstract: A system and method for malware classification using machine learning models trained using synthesized feature sets based on features extracted from samples of known malicious objects and known safe objects. The synthesized feature sets act as virtual samples for training a machine learning classifier to recognize new objects in the wild that are likely to be malicious.

Abstract: Systems and methods for trusted storage of encrypted data onto a cloud storage server are disclosed. The system includes a client device and the cloud storage server. The client device includes a processing unit, a client agent, and a trusted data loading device. The client agent has no access to the network and is implemented within the client device. The client agent receives data and requests to upload the data from the processing unit. The client agent encrypts the data and wraps the data into an encrypted data container.

Abstract: A system and method for malware detection uses static and dynamic analysis to train a machine learning model. At the training step, static and dynamic features are extracted from training datasets and used to train a malware classification model. The malware classification model is used to classify unknown files based on verdicts from both static and dynamic models.

Abstract: A system and method for malware detection uses static and dynamic analysis to augment a machine learning model. At the training step, static and dynamic features are extracted from training datasets and used to train a malware classification model. The malware classification model is used to classify unknown files based on verdicts from both static and dynamic models.

Abstract: Disclosed herein are systems and method for preventing the spread of malware in a synchronized data network, the method including: receiving, at a first time by a server connected to a plurality of computing devices, a file from a first computing device; monitoring for changes to the file stored on the server; in response to detecting a change, generating a record indicative of the change to the file; receiving, at the server from a second computing device, a download request for the file at a second time; determining whether at least one record exists that indicates any change to the file between the first time and the second time; in response to determining that the record exists, scanning the file for malware; and in response to determining that the file stored on the server is associated with malware, denying the download request.

Abstract: Disclosed herein are systems and method for controlling data access, the method including: receiving a request to access data on a computing device; determining that the data requested for access has a first degree of confidentiality, wherein the first degree of confidentiality indicates that the data can only be accessed in an environment occupied by a threshold number of persons; retrieving sensor data from a plurality of sensors located in the environment; determining, based on the sensor data, a number of persons occupying the environment; determining whether the number of persons exceeds the threshold number of persons; and in response to determining that the number of persons exceeds the threshold number of persons, denying the request to access the data.

Abstract: A distributed agent for backup and restoration of virtual machines collects backup data and meta-data. The distributed agent includes an agent inside a virtual machine and an agent outside the virtual machine. The two kinds of agents communicate with each other to collect data of different types used to backup and restore virtual machines.

Abstract: Disclosed herein are systems and method for restoring a clean backup after a malware attack. In one aspect, a method forms a list of files that are of a plurality of designated file types that can be infected by malicious software. The method performs one or more snapshots of the files according to a predetermined schedule over a predetermined period of time and performs one or more backups. The method determines that a malware attack is being carried out on the computing device and generates a list of dangerous objects that spread the malware attack. The method compares the list of dangerous objects with the one or more snapshots to determine when the malware attack occurred. The method identifies a clean backup that was created most recently before the malware attack as compared to other backups and recovers data for the computing device from the clean backup.

Abstract: Disclosed herein are systems and method for anti-malware scanning, including identifying a plurality of objects in a backup archive that is connected to a first network comprising a plurality of computing devices; scanning the plurality of objects in the backup archive to generate a whitelist indicating a subset of the plurality of objects that do not need to be scanned at a subsequent time; performing, using the whitelist, a first malware scan in a computing device of the plurality of computing devices; detecting that the computing device has left the first network to join a second network; and performing a second malware scan on the computing device, wherein the second malware scan uses a different whitelist of the second network, and wherein the second malware scan comprises scanning a first object that is not in the different whitelist and was not scanned in the first malware scan.

Abstract: Disclosed herein are systems and method for detecting passwords vulnerable to compromise. In one exemplary aspect, a method comprises identifying a plurality of files in at least one storage device of an organization. For each respective file in the plurality of files, in response to determining that the respective file type is in the database of vulnerable file types, the method comprises parsing text in the respective file and identifying, for the respective file, at least one demographic associated with the organization. The method further comprises retrieving dictionaries and expressions specific to the at least one demographic and determining the text in the respective file comprises a password using the retrieved dictionaries and expressions of the at least one demographic. In response to determining that the text comprises the password, the method comprises generating a security alert for an administrator of the storage device.

Abstract: Disclosed herein are systems and methods for verifying user activity based on behavioral models. In an exemplary aspect, a method may include receiving and parsing sensor data from at least one sensor in an environment to determine a first identifier of a person that is not authorized to access data via a computing device. The method may include intercepting, on the computing device, a data access request including a second identifier of a user that is authorized to access the data via the computing device. The method may include verifying whether the data access request is from the user authorized to access data by determining whether a chain of events involving the first person and the user corresponds to a behavioral model indicative of malicious activity. Based on the verification, the data access request is either granted or denied.

Abstract: Described herein are systems and methods for controlling access to a protected resource based on various criteria. In one exemplary aspect, a method comprises designating a plurality of program data installed on a computing system as protected program data; intercepting, by a kernel mode driver, a request from an untrusted application executing on the computing system to alter at least one of the protected program data; classifying, by a self-defense service, the untrusted application as a malicious application based on the intercepted request and information related to the untrusted application; and responsive to classifying the untrusted application as a malicious application, denying, by the kernel mode driver, access to the at least one of the protected program data.

Abstract: Disclosed herein are systems and methods for preventing anti-forensics actions. In one exemplary aspect, a method may identify a suspicious object from a plurality of objects on a computing device and monitor actions performed by the suspicious object. The method may intercept a first command by the suspicious object to create and/or modify a digital artifact on the computing device and subsequent to intercepting the first command, intercept a second command by the suspicious object to delete at least one of the suspicious object and the digital artifact. In response to intercepting both the first command to create and/or modify the digital artifact and the second command to delete at least one of the suspicious object and the digital artifact, the method may block the second command, and may store the suspicious object and the digital artifact in a digital repository.

Abstract: Disclosed herein are systems and methods for continuous user authentication during access of a digital service. In an exemplary aspect, a continuous authentication module may receive, at a computing device, initial authentication credentials of the user. The initial authentication credentials enable access to a service via the computing device. While the service is being accessed, the continuous authentication module may continuously monitor whether an unauthorized user has replaced the user in accessing the service by comparing usage attributes of the service with historic usage attributes associated with the user. In response to determining that the unauthorized user has replaced the user, the continuous authentication module may cease the access to the service via the computing device.