Abstract: Disclosed herein are systems and method for verifying user identity. In one exemplary aspect, a method comprises receiving sensor data from at least one sensor and parsing the sensor data to determine a plurality of identifiers of a user authorized to access data via a computing device. The method comprises generating, for each identifier, an event including the user. The method comprises intercepting, on the computing device, a data access request including an identifier of the user. The method comprises verifying whether the data access request is from the user authorized to access data by generating a chain of events including the user for a period of time preceding the data access request, determining a deviation of the chain of events from a target chain of events, and in response to determining the deviation is less than a threshold deviation value, granting the data access request.

Abstract: Disclosed herein are systems and method for backing up data in a load-balanced clustered environment. A clustered resource to be backed up is selected, wherein the clustered resource is stored on a common storage system and operated on by a cluster-aware application executing on at least a first node and a second node of a computing cluster. A load-balanced application may migrate the clustered resource from the first node with a high-load consumption to the second node with low-load consumption. A list of changes made by both nodes are received and merged. A backup agent then generates a consistent incremental backup using data retrieved from the common storage system according to the merged list of changes to the clustered resource.

Abstract: Disclosed herein are systems and method for performing recovery using a backup image. In one exemplary aspect, a method comprises scanning a plurality of files on one or more storage devices of a computing device. The method may determine a first set of files from the plurality of files that will be used during recovery of the one or more storage devices, and tag a second set of files that will not be used during recovery. The method may copy the second set of files that have been tagged to an external storage device, and may store the first set of files in a backup image for the computing device (excluding the tagged second set of files from the backup image). The method may add, to the backup image, a respective link to each of the tagged second set of files in the external storage device.

Abstract: Disclosed herein are systems and methods for pattern-based QoS violation prediction. In one exemplary aspect, a method may comprise identifying a service on a computing device that is connected to a plurality of client devices and determining a plurality of micro-services comprised in the identified service. The method may comprise parsing access information to detect that a first client device is accessing a micro-service. The method may comprise determining, for a first period of time, QoS evaluation parameters for the access between the micro-service and the first client device. The method may comprise identifying changes in the QoS evaluation parameters within the first period of time, detecting a predetermined QoS violation pattern, and executing a QoS action based on the predetermined QoS violation pattern.

Abstract: A system and method for detecting malware using hierarchical clustering analysis. Unknown files classified by clustering and in view of known malicious and known safe files. Machine learning models and detection rules are used to enhance classification accuracy.

Abstract: A system and method for firewall policy control in a system comprising endpoints, including functionality for isolating network elements on endpoints under management. An endpoint management agent cooperates with a remote management service to carry out policy management and synchronization, implement isolation mode when required, and perform related supporting tasks.

Abstract: Disclosed herein are systems and method for authenticating user identity based on supplemental environment data. When a structured approach to acquiring user identifiers (e.g., facial images, voice clips, biometric data, etc.) of authorized user is inconclusive (e.g., a matching face is similar, but not a direct match) the systems and methods describe retrieving supplemental environment data that indirectly verifies a presence of the user in an environment. The systems and methods further comprise determining whether the supplemental environment data indicates that a respective identifier belongs to the user, and in response to determining that the supplemental environment data indicates that the respective identifier belongs to the user, authenticating the respective identifier as belonging to the user and storing the respective identifier in a database of identifiers.

Abstract: A system and method are disclosed for identifying malicious activity on a target device based on behavior analysis of the target device. The system includes a behavioral analyzer run on a virtual machine connected to the target device. The virtual machine collects system events and parameters from the target device and run a script, independent of the target device, to detect a threat. The script is a set of instructions executed to analyze behavior of an object by processing and correlating the events. The script includes a rule structure which stores signatures and expressions of the known malwares. By correlating the selected event parameters with known malware parameters, it is determined whether the event imposes a threat or not. A finite state machine is used for the state transition table.

Abstract: Disclosed herein are systems and method for scanning objects of a computing device, by an anti-malware, using a white list created for an organization based on data of the organization. In one aspect, an exemplary method comprises obtaining one or more objects of the organization from the computing device, and for each obtained object of the one or more objects, computing a hash value of the obtained object, determining whether the obtained object is whitelisted, and scanning the obtained object based on whether the obtained object is whitelisted, wherein the whitelist is created based on scanning of objects stored in archives of the organization, and the obtained object is determined as being whitelisted when the computed hash value of the obtained object matches a hash value of an object in a whitelist created for the organization.

Abstract: A system and method is provided for detecting a suspicious process in an operating system environment. In an exemplary aspect, a method comprises generating, by a hardware processor, a file honeypot in a directory in a file system and receiving a directory enumeration request from a process executing in the operating system environment. The method comprises determining whether the process is identified in a list of trusted processes and in response to determining that the process is not in the list of trusted processes, providing, to the process by the file system, a file list including the file honeypot responsive to the directory enumeration request. The method further comprises intercepting, by a file system filter driver, a file modification request for the file honeypot from the process, and identifying the process as a suspicious object responsive to intercepting the file modification request from the process.

Abstract: Disclosed herein are systems and methods for protecting user data. In one aspect, an exemplary method comprises, by a hardware processor, detecting one or more user files modified by a user on a user device; identifying user actions executed by the user to modify the one or more user files; training a machine learning algorithm to identify whether an arbitrary user action is performed by the user, wherein the user actions used by the user to modify the one or more user files are comprised in a training dataset of the machine learning algorithm; detecting a user action to modify a user file; determining, using the machine learning algorithm, whether the user action classifies as being performed by the user; and in response to determining that the machine learning algorithm classifies the user action as being performed by the user, modifying the user action to mask an identity of the user.

Abstract: Disclosed herein are systems and method for malicious behavior detection in processing chains comprising identifying and monitoring events generated by a first process executing on a computing device; storing snapshots of data modified by any of the events; determining a level of suspicion for the first process, wherein the level of suspicion is a likelihood of the first process being attributed to malware based on the data modified by any of the events; in response to determining that the first process is not trusted based on the determined level of suspicion, identifying at least one sub-process of the first process; and restoring, from the snapshots, objects affected by the first process and the at least one sub-process.

Abstract: Disclosed herein are systems and method for generating and storing forensics-specific metadata. In one aspect, a digital forensics module is configured to generate a backup of user data stored on a computing device in accordance with a backup schedule. The digital forensics module identifies, from a plurality of system metadata of the computing device, forensics-specific metadata of the computing device based on predetermined rules, wherein the forensics-specific metadata is utilized for detecting suspicious digital activity. The digital forensics module generates a backup of the forensics-specific metadata in accordance with the backup schedule and analyzes the forensics-specific metadata for an indication of the suspicious digital activity on the computing device. In response to detecting the suspicious digital activity based on the analysis, generates a security event indicating that the suspicious digital activity has occurred.

Abstract: Disclosed herein are systems and method for customizing a user workspace environment using user action sequence analysis. In one exemplary aspect, a method may comprise detecting user actions in a user workspace environment that provides access to a plurality of workspace elements further comprising a plurality of files and a plurality of applications and identifying a plurality of user action sequences based on each timestamp of a respective user action. The method may comprise generating action sequence groups, each comprising a unique subset of the user action sequences and sequence trigger. In response to detecting a particular sequence trigger, the method may comprise executing a corresponding customization action that alters the user workspace environment such that an amount of steps and/or processing time to perform in the user workspace environment to access workspace elements associated with the associated action sequence group is reduced.

Abstract: Disclosed are systems and methods for detecting malicious applications. An exemplary method may comprise detecting that a first process has been launched on a computing device. The method may comprise receiving, from the first process, an execution stack associated with one or more control points of the first process. The method may comprise applying a machine learning classifier on the execution stack, wherein the machine learning classifier is configured to classify whether a process is malicious based on activity on control points captured on a given execution stack, and wherein a feature of a malicious process is detection of a system call to create a remote thread that runs in a virtual address space of a shared-service process configured to import third-party processes to be embedded as separate threads. The method may comprise generating an indication that the execution of the first process is malicious/non-malicious.

Abstract: Disclosed herein are systems and method for preventing malware reoccurrence when restoring a computing device using a backup image. In one exemplary aspect, a method may identify, from a plurality of backup images for a computing device, a backup image that was created most recently before the computing device was compromised. The method may mount the backup image as a disk and scanning the disk for malicious software. The method may disable all ports and services on the computing device to prevent unauthorized network connections and service launches. The method may restore data to the computing device from the mounted disk. The method may update software on the computing device and applying latest patches, and reopen the ports and restart the services on the computing device subsequent to updating the software and applying the latest patches.

Abstract: Methods for file archiving using machine learning are disclosed herein. An exemplary method comprises archiving a first file of a plurality of files from a storage server to a tiered storage system, training a machine learning module based on file access operations for the plurality of files, determining one or more rules for predicting access to the archived files using the machine learning module, determining a prediction of access of the archived file based on the one or more rules and retrieving the archived file from the tiered storage system into a file cache in the storage server based on the prediction of access.

Abstract: The present disclosure includes methods and systems for protecting network resources. A method may start, by a processor, copy-on-write snapshotting for modifications to a plurality of files stored on electronic storage. A method may monitor, by the processor, access to objects within a file system associated with the electronic storage for a set of operations. A method may intercept, by the processor, one or more operation of the set of operations for modifying a region of a file in the file system. A method may capture, by the processor, one or more of original contents, modified contents and written contents of the region. A method may end, by the processor, copy-on-write snapshotting. A method may perform malware and/or ransomware analysis on a process performing the modification to the region of the file in the file system.

Abstract: A system and method for implementing management of a system context database is disclosed herein. The system context from a target computing system is collected. The system context is set in accordance with the configuration status of a context consumer. The context consumer includes one or more data security components. A system context database is initialized in response to the configuration status. The collected system context is restored in a cache. The attributes from the cache are provided to the context consumer where the attributes are compared with predefined attributes of the known malware threats. Each data security component of the context consumer is configured to access the cache in a synchronized manner to avoid duplication of the scanning process. The comparison result indicates the presence of a malware threat.

Abstract: Disclosed herein are systems and method for inspecting archived slices for malware using empty spare files. In one exemplary aspect, the method comprises generating a backup slice and a virtual volume comprising a list of files in the backup slice and associated file information. The method comprises mounting the virtual volume to a disk. The method comprises creating, in the virtual volume, empty sparse files that are placeholders of the files reference in the list of files. The method comprises detecting a change between a respective empty sparse file and a corresponding file in a previous backup slice and accordingly storing the actual content of the file in the virtual volume in place of the respective empty sparse file. The method comprises scanning the virtual volume for malicious software and generating a cured slice that replaces the backup slice in the backup archive upon detection.