Abstract: A contrastive credibility propagation trainer (“trainer”) trains a representation neural network to learn credibility vectors for partially labeled data samples that represent certainty of samples belonging to each of a set of classes. The representation neural network is trained according to a loss function that accounts for both the credibility vectors and similarity of representations generated by the neural network itself. Using the credibility vectors as soft labels, the trainer trains a classifier neural network to generate labels for unlabeled samples in the partially labeled samples.

Abstract: A copy of a model comprising a plurality of trees is received, as is a copy of training set data comprising a plurality of training set examples. For each tree included in the plurality of trees, the training set data is used to determine which training set examples are classified as a given leaf. A blame forest is generated at least in part by mapping each training set item to the respective leaves at which it arrives.

Abstract: An OCR filter described herein filters non-textual files in scanned customer data from optical character recognition (OCR) and pattern analysis of text generated thereof for sensitive customer data. The OCR filter is trained on files labelled using feature values for features generated from OCR applied to the corresponding files. Moreover, the OCR filter stores internal representations of the files during training to avoid leaking potential sensitive customer data contained therein. Once trained, performance of the OCR filter in filtering files comprising image data without text is evaluated according to false positive rates and false negative rates by comparing classifications of the OCR filter to classifications according to feature values for features generated from OCR. Evaluation of the OCR filter ensures continued model performance and informs model updates.

Abstract: Techniques for providing innocent until proven guilty (IUPG) solutions for building and using adversary resistant and false positive resistant deep learning models are disclosed. In some embodiments, a system, process, and/or computer program product includes storing a set comprising one or more innocent until proven guilty (IUPG) models for static analysis of a sample; performing a static analysis of content associated with the sample, wherein performing the static analysis includes using at least one stored IUPG model; and determining that the sample is malicious based at least in part on the static analysis of the content associated with the sample, and in response to determining that the sample is malicious, performing an action based on a security policy.

Abstract: The present application discloses a method, system, and computer system for automatically detecting protocol compliance of applications. The method includes determining a URL of a webpage for a software-as-a-service (SaaS) product, extracting body text from the webpage, and using a classifier to determine whether the SaaS product is compliant with one or more protocols.

Abstract: Techniques for providing innocent until proven guilty (IUPG) solutions for building and using adversary resistant and false positive resistant deep learning models are disclosed. In some embodiments, a system, process, and/or computer program product includes storing a set comprising one or more innocent until proven guilty (IUPG) models for static analysis of a sample; performing a static analysis of content associated with the sample, wherein performing the static analysis includes using at least one stored IUPG model; and determining that the sample is malicious based at least in part on the static analysis of the content associated with the sample, and in response to determining that the sample is malicious, performing an action based on a security policy.

Abstract: A system/process/computer program product for building multi-representational learning models for static analysis of source code includes receiving training data, wherein the training data includes a set of source code files for training a multi-representational learning (MRL) model for classifying malicious source code and benign source code based on a static analysis; generating a first feature vector based on a set of characters extracted from the set of source code files; generating a second feature vector based on a set of tokens extracted from the set of source code files; and performing an ensemble of the first feature vector and the second feature vector to form a target feature vector for classifying malicious source code and benign source code based on the static analysis.

Abstract: A copy of a model comprising a plurality of trees is received, as is a copy of training set data comprising a plurality of training set examples. For each tree included in the plurality of trees, the training set data is used to determine which training set examples are classified as a given leaf. A blame forest is generated at least in part by mapping each training set item to the respective leaves at which it arrives.

Abstract: Adaptive pooling layers for compressing variably sized inputs use window sizes and stride lengths specific to variable input size and fixed output size at the pooling layer. A naïve and an optimal adaptive pooling algorithm disclosed herein determine window size and stride length for variable sized inputs while minimizing window size and ensuring no padding is used in the output representation. These adaptive pooling algorithms are implemented in a pipeline for text document classification involving a natural language processor that generates embedding vectors for variably sized text documents and at least one of the adaptive pooling algorithms at a first adaptive pooling layer of a classification neural network to process the embedding vectors.

Abstract: An inline and offline machine learning pipeline for detection of phishing attacks with a holistic, easily upgradeable framework is presented herein. A packet analyzer records capture logs of network traffic between an endpoint device and a firewall. A parser extracts inputs from the capture logs inline that it communicates to one of an inline model and an offline model for phishing detection. The inline model and offline model are neural networks with parallelizable network architectures that do not depend on handcrafted inputs. The inline model operates inline with the packet analyzer and parser and makes fast phishing attack classifications based on inputs generated from capture logs. The offline model uses additional inputs such as inputs generated from network logs to make phishing attack classifications.

Abstract: A URL categorization query is received. The URL categorization query includes at least one URL. The URL is used to determine a set of data distribution keys. A distributed key-value data store is queried using at least one data distribution key included in the determined set of data distribution keys. Categorization information is returned. The returned URL categorization information can be used to enforce policies.

Abstract: Malware signature generation through combination rule mining is disclosed. A set of properties associated, collectively, with a plurality of data samples is received. A first data sample has a first set of properties and a second data sample has a second set of properties. A combination signature comprising at least a first property included in the first set of properties and a second property included in the second set of properties is generated.

Abstract: The present application discloses a method, system, and computer system for detecting malicious files. The method includes executing a sample in a virtual environment, and determining whether the sample is malware based at least in part on memory-use artifacts obtained in connection with execution of the sample in the virtual environment.

Abstract: Techniques for multi-representational learning models for static analysis of source code are disclosed. In some embodiments, a system/process/computer program product for multi-representational learning models for static analysis of source code includes receiving at a networked device a set comprising one or more multi-representation learning (MRL) models for static analysis of source code; performing a static analysis of source code associated with a sample received at the network device, wherein performing the static analysis includes using at least one MRL model; and determining that the sample is malicious based at least in part on the static analysis of the source code associated with the sample and without performing dynamic analysis of the sample, and in response to determining that the sample is malicious, performing an action based on a security policy.

Abstract: A URL categorization query is received. The URL categorization query includes at least one URL. The URL is used to determine a set of keys. A database is queried using the determined set of keys. Categorization information is returned. The returned URL categorization information can be used to enforce policies.

Abstract: Malware signature generation through combination rule mining is disclosed. A set of properties associated, collectively, with a plurality of data samples is received. A first data sample has a first set of properties and a second data sample has a second set of properties. A combination signature comprising at least a first property included in the first set of properties and a second property included in the second set of properties is generated.

Abstract: A system/process/computer program product for building multi-representational learning models for static analysis of source code includes receiving training data, wherein the training data includes a set of source code files for training a multi-representational learning (MRL) model for classifying malicious source code and benign source code based on a static analysis; generating a first feature vector based on a set of characters extracted from the set of source code files; generating a second feature vector based on a set of tokens extracted from the set of source code files; and performing an ensemble of the first feature vector and the second feature vector to form a target feature vector for classifying malicious source code and benign source code based on the static analysis.

Abstract: Generating models usable by data appliances to perform inline malware analysis is disclosed. A set of features, including a plurality of n-grams, extracted from a set of files is received. A reduced set of features is determined that includes at least some of the plurality of n-grams. The reduced set of features is used to generate a model usable by a data appliance to perform inline malware analysis.

Abstract: A system/process/computer program product for building multi-representational learning models for static analysis of source code includes receiving training data, wherein the training data includes a set of source code files for training a multi-representational learning (MRL) model for classifying malicious source code and benign source code based on a static analysis; generating a first feature vector based on a set of characters extracted from the set of source code files; generating a second feature vector based on a set of tokens extracted from the set of source code files; and performing an ensemble of the first feature vector and the second feature vector to form a target feature vector for classifying malicious source code and benign source code based on the static analysis.

Abstract: Techniques for multi-representational learning models for static analysis of source code are disclosed. In some embodiments, a system/process/computer program product for multi-representational learning models for static analysis of source code includes receiving at a networked device a set comprising one or more multi-representation learning (MRL) models for static analysis of source code; performing a static analysis of source code associated with a sample received at the network device, wherein performing the static analysis includes using at least one MRL model; and determining that the sample is malicious based at least in part on the static analysis of the source code associated with the sample and without performing dynamic analysis of the sample, and in response to determining that the sample is malicious, performing an action based on a security policy.