Virus Detection Patents (Class 726/24)
  • Patent number: 10061921
    Abstract: A behavior of a computer security threat is described in a root-cause chain, which is represented by a detection rule. The detection rule includes the objects of the root-cause chain and computer operations that represent links of the root-cause chain. An endpoint computer establishes a link between objects described in the detection rule when a corresponding computer operation between the objects is detected. Detected computer operations are accumulated to establish the links between objects. The threat is identified to be in the computer when the links of the detection rule have been established.
    Type: Grant
    Filed: February 13, 2017
    Date of Patent: August 28, 2018
    Assignee: Trend Micro Incorporated
    Inventors: Sheng Che Chang, Chun Wen Chang, Nai-Wei Chang, Meng-Che Lee
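The mechanism in the abstract above, as an added worked example (not Trend Micro's code): a detection rule names the objects of a root-cause chain and the operations that link them, an endpoint tracker accumulates observed operations and establishes a link whenever an operation connects two rule objects, and the threat is reported once every link of the rule exists. The rule, object predicates and event stream are constructed for this page.

```python
"""Root-cause chain matching: a detection rule names the objects of a chain
and the operations that link them. An endpoint tracker accumulates observed
operations, establishes a link when an operation connects two rule objects,
and reports the threat once every link is established. Illustrative example
code, not Trend Micro's implementation; rule, predicates and events are
constructed for this page."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    src: str   # rule object that performs the operation
    op: str    # operation type, e.g. "create_process", "write_file", "connect"
    dst: str   # rule object the operation targets


@dataclass
class DetectionRule:
    name: str
    objects: dict   # rule object name -> predicate over a concrete object
    links: list     # Link instances; the chain is complete when all are set


class ChainTracker:
    """Tracks one rule on one endpoint. A rule object is bound to the first
    concrete object (process image, file path, remote address) that satisfies
    its predicate; later links must refer to the same concrete object, so
    unrelated events cannot be stitched into one chain."""

    def __init__(self, rule: DetectionRule):
        self.rule = rule
        self.bindings = {}      # rule object name -> concrete object
        self.established = {}   # Link -> (concrete src, concrete dst)

    def _accepts(self, obj_name: str, concrete: str) -> bool:
        bound = self.bindings.get(obj_name)
        if bound is not None:
            return bound == concrete
        return self.rule.objects[obj_name](concrete)

    def observe(self, event: dict) -> bool:
        """event = {"op": ..., "src": ..., "dst": ...}. Returns True once the
        whole chain of the rule has been established."""
        for link in self.rule.links:
            if link in self.established or event["op"] != link.op:
                continue
            if self._accepts(link.src, event["src"]) and self._accepts(link.dst, event["dst"]):
                self.bindings.setdefault(link.src, event["src"])
                self.bindings.setdefault(link.dst, event["dst"])
                self.established[link] = (event["src"], event["dst"])
        return len(self.established) == len(self.rule.links)


def detect(rule: DetectionRule, events: list):
    """Feed events in order; return the index of the event that completed the
    chain, or None if the rule never fired."""
    tracker = ChainTracker(rule)
    for i, event in enumerate(events):
        if tracker.observe(event):
            return i
    return None


# Constructed rule: mail client -> script host -> dropped executable -> network.
MACRO_DROPPER = DetectionRule(
    name="mail-client script dropper",
    objects={
        "mail_client": lambda v: v.lower() in {"outlook.exe", "thunderbird.exe"},
        "script_host": lambda v: v.lower() in {"wscript.exe", "cscript.exe", "powershell.exe"},
        "dropped_exe": lambda v: "/temp/" in v.lower() and v.lower().endswith(".exe"),
        "remote":      lambda v: ":" in v,      # host:port
    },
    links=[
        Link("mail_client", "create_process", "script_host"),
        Link("script_host", "write_file",     "dropped_exe"),
        Link("script_host", "create_process", "dropped_exe"),
        Link("dropped_exe", "connect",        "remote"),
    ],
)

# Constructed endpoint event streams (not real telemetry).
MALICIOUS_EVENTS = [
    {"op": "create_process", "src": "OUTLOOK.EXE", "dst": "wscript.exe"},
    {"op": "write_file",     "src": "wscript.exe", "dst": "C:/Users/a/AppData/Local/Temp/upd.exe"},
    {"op": "create_process", "src": "wscript.exe", "dst": "C:/Users/a/AppData/Local/Temp/upd.exe"},
    {"op": "connect",        "src": "C:/Users/a/AppData/Local/Temp/upd.exe", "dst": "203.0.113.5:443"},
]
BENIGN_EVENTS = [
    {"op": "create_process", "src": "OUTLOOK.EXE", "dst": "wscript.exe"},
    {"op": "write_file",     "src": "wscript.exe", "dst": "C:/Users/a/Documents/notes.txt"},
    {"op": "connect",        "src": "wscript.exe", "dst": "198.51.100.7:443"},
]

if __name__ == "__main__":
    print("malicious chain completed at event", detect(MACRO_DROPPER, MALICIOUS_EVENTS))
    print("benign stream fired:", detect(MACRO_DROPPER, BENIGN_EVENTS))
```

As the abstract says, operations are accumulated: the tracker does not require the links to arrive in chain order, only that each link's endpoints bind to consistent concrete objects. The binding check is what keeps a mail client that merely launched a script host from being joined to an unrelated executable's network activity.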
  • Patent number: 10055582
    Abstract: An apparatus in one embodiment comprises a security appliance having a processor coupled to a memory. The security appliance is associated with at least one storage device and comprises a ransomware detector configured to generate a detection score for one or more sets of files stored in the storage device. The ransomware detector comprises a file analyzer configured to compare characteristics relating to a current state of the files with information stored in a file history database, and a detection score generator having a weighting module for applying weights to respective comparison results from the file analyzer in generating the detection score for the one or more sets of files. The ransomware detector is further configured to generate an alert if the detection score for the one or more sets of files exceeds a specified threshold. The alert may be transmitted by the security appliance to a network security system.
    Type: Grant
    Filed: September 19, 2016
    Date of Patent: August 21, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: James L. Weaver, Izar Tarandach, Haral Tsitsivas, Srinivasa Maguluri
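The scoring scheme in the abstract above, as an added worked example (not EMC's appliance code): each file's current state is compared with its record in a file history database, the comparison results are weighted into a detection score for the set, and an alert fires above a threshold. The indicators, weights, magic-byte table, threshold and file contents are assumptions made for this example.

```python
"""Ransomware detection score over a set of files: compare each file's current
state with its record in a file history database, weight the comparison
results and alert above a threshold. Added example code, not EMC's appliance;
the indicators, weights, magic table and files are assumptions made here."""
import hashlib
import math
from collections import Counter

WEIGHTS = {                      # weights applied to the comparison results
    "extension_changed": 0.25,   # name now carries an appended/foreign extension
    "magic_mismatch":    0.25,   # content no longer matches the recorded type
    "entropy_jump":      0.35,   # content became near-random (encrypted)
    "mass_modification": 0.15,   # set-level: most known files changed at once
}
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".docx": b"PK\x03\x04", ".txt": None}
ENTROPY_JUMP_BITS = 3.0
ALERT_THRESHOLD = 0.6


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 for encrypted or compressed content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def file_indicators(path: str, data: bytes, history: dict):
    """Return (history key, set of triggered comparison results) for one file,
    or (None, empty set) when the file has no history record to compare with."""
    results = set()
    key = path
    if key not in history:
        key = path.rsplit(".", 1)[0]          # e.g. report.pdf.locked -> report.pdf
        if key not in history:
            return None, results
        results.add("extension_changed")
    record = history[key]
    original_ext = "." + key.rsplit(".", 1)[-1].lower()
    magic = MAGIC.get(original_ext)
    if magic is not None and not data.startswith(magic):
        results.add("magic_mismatch")
    if shannon_entropy(data) - record["entropy"] >= ENTROPY_JUMP_BITS:
        results.add("entropy_jump")
    return key, results


def detection_score(files: dict, history: dict) -> float:
    """files: current path -> content. Per-file weighted scores are averaged,
    then the set-level weight is added when at least half the known files
    triggered some indicator."""
    per_file, flagged = [], 0
    for path, data in files.items():
        key, results = file_indicators(path, data, history)
        if key is None:
            continue
        per_file.append(sum(WEIGHTS[r] for r in results))
        flagged += bool(results)
    if not per_file:
        return 0.0
    score = sum(per_file) / len(per_file)
    if flagged >= max(1, len(history) / 2):
        score += WEIGHTS["mass_modification"]
    return round(score, 6)


def should_alert(files: dict, history: dict) -> bool:
    return detection_score(files, history) > ALERT_THRESHOLD


def _pseudo_random(seed: bytes, length: int) -> bytes:
    """Deterministic stand-in for ciphertext (chained SHA-256 blocks)."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


# Constructed file history database: last recorded entropy of each file.
HISTORY = {
    "docs/report.pdf":  {"entropy": 4.2},
    "docs/photo.png":   {"entropy": 7.6},
    "docs/notes.txt":   {"entropy": 4.5},
    "docs/budget.docx": {"entropy": 7.8},
}
# Constructed current state after an attack: every file rewritten and renamed.
ENCRYPTED_STATE = {path + ".locked": _pseudo_random(path.encode(), 4096) for path in HISTORY}
# Constructed benign state: one text file edited, nothing else touched.
BENIGN_STATE = {"docs/notes.txt": b"meeting notes: discussed Q3 budget, action items below\n" * 40}

if __name__ == "__main__":
    print("attack score:", detection_score(ENCRYPTED_STATE, HISTORY), should_alert(ENCRYPTED_STATE, HISTORY))
    print("benign score:", detection_score(BENIGN_STATE, HISTORY), should_alert(BENIGN_STATE, HISTORY))
```

Already-compressed formats (PNG, DOCX) show no entropy jump when encrypted, which is why the renamed-extension and magic-byte comparisons carry weight of their own; the set-level term is what separates a user re-saving one file from a process rewriting all of them.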
  • Patent number: 10055586
    Abstract: The disclosed computer-implemented method for determining the trustworthiness of files within organizations may include (1) identifying a file on a computing device within multiple computing devices managed by an organization, (2) in response to identifying the file, identifying at least one additional computing device within the multiple computing devices that is potentially associated with the file, (3) distributing at least a portion of the file to a user of the additional computing device with a request to receive an indication of the trustworthiness of the file, and then (4) receiving, from the additional computing device, a response that indicates the trustworthiness of the file. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: June 29, 2015
    Date of Patent: August 21, 2018
    Assignee: Symantec Corporation
    Inventors: Kevin Roundy, Sandeep Bhatkar, Christopher Gates, Anand Kashyap, Yin Liu, Aleatha Parker-Wood, Leylya Yumer
  • Patent number: 10049193
    Abstract: Disclosed is a computerized system for neutralizing misappropriated electronic files. The system typically includes a processor, a memory, and an electronic file neutralizing module stored in the memory. The system is typically configured for: determining that a first electronic file has been misappropriated; determining one or more identifying characteristics of the first electronic file; creating a second electronic file, wherein the second electronic file has different content than the first electronic file but comprises the one or more identifying characteristics of the first electronic file; and submitting the second electronic file to a third party providing a content inspection system that neutralizes malicious electronic documents.
    Type: Grant
    Filed: January 4, 2016
    Date of Patent: August 14, 2018
    Assignee: Bank of America Corporation
    Inventor: Sounil Yu
  • Patent number: 10050980
    Abstract: There is disclosed in an example a computing apparatus configured to operate as an enterprise threat intelligence server, and including: a network interface configured to communicatively couple to a network; and one or more logic elements providing a reputation engine, operable for: receiving a first uniform resource locator (URL) identifier; determining that a first URL identified by the first URL identifier has an unknown enterprise reputation; and establishing a baseline reputation for the URL. There is further disclosed a method of providing the reputation engine, and one or more computer-readable mediums having stored thereon executable instructions for providing the reputation engine.
    Type: Grant
    Filed: June 27, 2015
    Date of Patent: August 14, 2018
    Assignee: McAfee, LLC
    Inventors: James Bean, Joel R. Spurlock, Ramnath Venugopalan
  • Patent number: 10044728
    Abstract: A secure and efficient technique to prevent cross-site scripting attacks based on segregating the content within a given content page among independent endpoints, or servers, where static content is provided from one endpoint and active content is provided from another endpoint. Together, the different endpoints make up an endpoint segregation system. Further, security features of HTTP/HTML are used to restrict sources from which active content may be executed according to the division of static and active content among the endpoints of the endpoint segregation system.
    Type: Grant
    Filed: July 6, 2015
    Date of Patent: August 7, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Aridaman Tripathi, Thibault Candebat
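The segregation described above, as an added example (not Amazon's implementation): user-influenced static content is served from one origin, application script from another, and the static origin's Content-Security-Policy header only permits script from the active origin, so markup injected into static content cannot execute. The origins, the policy text and the simplified source-list matching are assumptions made for this example.

```python
"""Endpoint segregation against XSS: user-influenced (static) content is
served from one origin, application script from another, and the static
origin's Content-Security-Policy only allows script from the active origin,
so markup injected into static content cannot execute. Added example, not
Amazon's implementation; origins, policy and the simplified source matching
are assumptions made here."""
from typing import Optional
from urllib.parse import urlsplit

STATIC_ORIGIN = "https://static.example.net"   # user-influenced pages, no script
ACTIVE_ORIGIN = "https://app.example.com"      # application script endpoint


def segregated_csp(active_origin: str) -> str:
    """Policy sent with every response from the static endpoint."""
    return "; ".join([
        "default-src 'none'",
        f"script-src {active_origin}",   # only the active endpoint may serve script
        f"connect-src {active_origin}",
        "img-src 'self'",
        "style-src 'self'",
        "base-uri 'none'",
        f"form-action {active_origin}",
    ])


# The kind of policy the segregation replaces: inline script is allowed, so a
# <script> injected into a rendered comment runs.
PERMISSIVE_CSP = "script-src 'self' 'unsafe-inline'"


def parse_csp(header: str) -> dict:
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _origin(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def script_allowed(header: str, page_origin: str, script_url: Optional[str]) -> bool:
    """Approximates the browser's check for one script: inline (script_url
    None) needs 'unsafe-inline'; an external script must match a source
    expression. Only whole-origin, '*' and 'self' sources are handled here
    (no host wildcards, nonces or hashes)."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    if script_url is None:
        return "'unsafe-inline'" in sources
    origin = _origin(script_url)
    for src in sources:
        if src == "*":
            return True
        if src == "'self'" and origin == page_origin.lower():
            return True
        if not src.startswith("'") and _origin(src) == origin:
            return True
    return False


if __name__ == "__main__":
    csp = segregated_csp(ACTIVE_ORIGIN)
    print(csp)
    print("injected inline script runs:", script_allowed(csp, STATIC_ORIGIN, None))
    print("application script runs:", script_allowed(csp, STATIC_ORIGIN, ACTIVE_ORIGIN + "/js/app.js"))
    print("attacker-hosted script runs:", script_allowed(csp, STATIC_ORIGIN, "https://evil.example/x.js"))
```

The point of the split is that 'self' never appears in the static origin's script-src: an uploaded file or injected tag that ends up served from the static host is still not an allowed script source. The active endpoint must in turn never reflect user input into the scripts it serves, since that origin is trusted by the policy.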
  • Patent number: 10033757
    Abstract: Methods and systems for identifying malicious URIs. The system accepts a list of URIs as input and extracts features related to a given URI and uses the features to discover patterns that indicate malicious content. Once trained, the classifier can then classify new inputs as either malicious or non-malicious.
    Type: Grant
    Filed: June 9, 2016
    Date of Patent: July 24, 2018
    Assignee: Rapid7, Inc.
    Inventors: Roy Hodgman, Aditya Kuppa, Suchin Gururangan, Andrew Reece
  • Patent number: 10025931
    Abstract: Example embodiments of the present invention relate to methods, systems, and a computer program product for detecting and responding to the presence of persistently executing malware. The method includes receiving a host-level I/O log and receiving a storage-level I/O log. An analysis may be performed on the host-level I/O log and the storage-level I/O log and evidence of malware may be detected according thereto.
    Type: Grant
    Filed: December 30, 2015
    Date of Patent: July 17, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Assaf Natanzon, Philip Derbeko
  • Patent number: 10027690
    Abstract: An electronic message is analyzed for malware contained in the message. Text of an electronic message may be analyzed to detect and process malware content in the electronic message itself. The present technology may analyze an electronic message and attachments to electronic messages to detect a uniform resource location (URL), identify whether the URL is suspicious, and analyze all suspicious URLs to determine if they are malware. The analysis may include re-playing the suspicious URL in a virtual environment which simulates the intended computing device to receive the electronic message. If the re-played URL is determined to be malicious, the malicious URL is added to a black list which is updated throughout the computer system.
    Type: Grant
    Filed: June 22, 2015
    Date of Patent: July 17, 2018
    Assignee: FireEye, Inc.
    Inventors: Ashar Aziz, Henry Uyeno, Jay Manni, Amin Sukhera, Stuart Staniford
  • Patent number: 10027704
    Abstract: Disclosed are a malicious program finding and killing device, method and server. The device comprises: one or more non-transitory computer readable medium configured to store computer-executable instructions; at least one processor to execute the computer-executable instructions to perform operations comprising: sending information to a server, and receiving information returned by the server; starting a scan task to scan an object to be scanned, calculating an index tag of a file scanned, sending the index tag to the server, and receiving a script returned by the server, the script being found according to the index tag and corresponding to the file scanned; and executing the received script to find and kill the malicious program in the file scanned.
    Type: Grant
    Filed: July 17, 2014
    Date of Patent: July 17, 2018
    Assignee: BEIJING QIHOO TECHNOLOGY COMPANY LIMITED
    Inventor: Qinglong Kong
  • Patent number: 10007896
    Abstract: A mail monitoring system comprises a mail communications apparatus and a control server that controls a log relating to operation of the apparatus. The apparatus includes a detector that detects transmission of an e-mail, a log generation unit that determines whether to generate a transmission log based on a set policy, and generates the transmission log, a mail creating unit that determines whether to store mail information based on the set policy, and generates the mail information, and a transmitter that transmits the mail information and the transmission log to the server, and transmits the e-mail to a mail server designated as a transmission destination of the e-mail. The server includes a receiver that receives the transmission log and the mail information and a storage unit that stores therein the transmission log and the mail information when the receiver receives the transmission log and the mail information.
    Type: Grant
    Filed: September 19, 2011
    Date of Patent: June 26, 2018
    Assignee: FUJITSU LIMITED
    Inventors: Seigo Tsurumi, Shinji Matsune, Kanako Ogasawara
  • Patent number: 10009370
    Abstract: A method comprises obtaining a potentially malicious file, decoding the file to identify one or more code streams, processing each of the identified code streams to determine the presence of respective ones of a set of indicators of compromise, determining whether the file is malicious based on the presence of one or more of the indicators of compromise in the code streams, and modifying access by a given client device to the file responsive to determining that the file is malicious.
    Type: Grant
    Filed: March 1, 2016
    Date of Patent: June 26, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Kevin Douglas, Diptanu Das
  • Patent number: 9996690
    Abstract: In an example, a computing device includes a trusted execution environment (TEE), including an enclave. The enclave may include both a binary translation engine (BTE) and an input verification engine (IVE). In one embodiment, the IVE receives a trusted binary as an input, and analyzes the trusted binary to identify functions, classes, and variables that perform input/output operations. To ensure the security of these interfaces, those operations may be performed within the enclave. The IVE tags the trusted binary and provides the binary to the BTE. The BTE then translates the trusted binary into a second format, including designating the tagged portion for execution within the enclave. The BTE may also sign the new binary in the second format and export it out of the enclave.
    Type: Grant
    Filed: December 27, 2014
    Date of Patent: June 12, 2018
    Assignee: McAfee, LLC
    Inventors: Ned M. Smith, Dmitri Rubakha, Samir Shah, Jason Martin, Micah J. Sheller, Somnath Chakrabarti, Bin Xing
  • Patent number: 9990505
    Abstract: Embodiments of the present invention provide a method to temporally isolate data accessed by a computing device so that the data accessed by the computing device is limited to a single set of data. The method includes removing any data that is accessed by the computing device when operating in different modes so that the data is inaccessible by the computing device when operating in the mode. The method also includes switching to the mode after the data associated with the modes different from the mode have been removed. The method also includes operating in the mode based on a plurality of rules associated with the security policy in temporal isolation from any other mode associated with the computing device. The computing device is limited to operating in the mode and is prevented from accessing any data that is distinct from the single set of data of the mode.
    Type: Grant
    Filed: August 12, 2015
    Date of Patent: June 5, 2018
    Assignee: Redwall Technologies, LLC
    Inventors: Eric Ridvan Üner, Michael J. Collins, Kent H. Hunter, John E. Rosenstengel, James E. Sabin, Kevin S. Woods
  • Patent number: 9992214
    Abstract: Techniques for generating malware signatures based on developer fingerprints in debug information are disclosed. In some embodiments, a system, process, and/or computer program product for generating malware signatures based on developer fingerprints in debug information includes receiving a sample, in which the sample includes a binary executable file; matching one or more paths in content of the binary executable file based on a plurality of patterns; extracting meta information from the one or more matched paths; and automatically generating a signature based on the extracted meta information.
    Type: Grant
    Filed: March 28, 2016
    Date of Patent: June 5, 2018
    Assignee: Palo Alto Networks, Inc.
    Inventor: Zihang Xiao
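The technique in the abstract above, as an added worked example (not Palo Alto Networks' code): match PDB paths in a binary, extract meta information (profile name, project directory, PDB file name) from the matched path, and generate a signature from the developer fingerprint that matches other builds from the same tree regardless of drive letter or build configuration. The path pattern, the profile anchors, the build-directory list and the sample bytes are constructed for this example.

```python
"""Developer-fingerprint signatures from debug information: find PDB paths
embedded in a binary, pull out the profile name and project directory, and
turn them into a signature that matches other builds from the same developer
tree regardless of drive letter or build configuration. Added example, not
Palo Alto Networks' implementation; pattern, anchors, build-directory list
and sample bytes are constructed here."""
import re

# A Windows path ending in .pdb: drive letter, then backslash-separated
# components free of NUL, control and path-illegal characters.
PDB_PATH = re.compile(
    rb'[A-Za-z]:\\(?:[^\x00-\x1f\\/:*?"<>|]+\\)*[^\x00-\x1f\\/:*?"<>|]+\.pdb',
    re.IGNORECASE,
)
PROFILE_ANCHORS = ("users", "documents and settings")
BUILD_DIRS = {"release", "debug", "x64", "x86", "win32", "bin", "obj", "out"}


def extract_pdb_paths(sample: bytes) -> list:
    return [m.group(0).decode("latin-1") for m in PDB_PATH.finditer(sample)]


def path_meta(path: str) -> dict:
    """Meta information from one matched path: drive, profile root and user
    name (if the path runs through a user profile), project directory with
    trailing build-configuration directories removed, and the PDB file name."""
    parts = path.split("\\")
    drive, dirs, pdb = parts[0], parts[1:-1], parts[-1]
    profile_root = user = None
    lowered = [d.lower() for d in dirs]
    for anchor in PROFILE_ANCHORS:
        if anchor in lowered:
            i = lowered.index(anchor)
            if i + 1 < len(dirs):
                profile_root, user = dirs[i], dirs[i + 1]
                dirs = dirs[i + 2:]       # keep only what lies inside the profile
            break
    while dirs and dirs[-1].lower() in BUILD_DIRS:
        dirs.pop()                        # strip Release\, x64\Debug\, ...
    return {"drive": drive, "profile_root": profile_root, "user": user,
            "project": "\\".join(dirs), "pdb": pdb}


def make_signature(meta: dict) -> "re.Pattern":
    """The fingerprint is the profile name plus project path; the drive letter
    and build directories vary between builds and are left out."""
    if meta["user"]:
        fingerprint = "\\".join(p for p in (meta["profile_root"], meta["user"], meta["project"]) if p)
    else:
        fingerprint = meta["project"]
    return re.compile(re.escape(fingerprint).encode("latin-1"), re.IGNORECASE)


def signatures_from_sample(sample: bytes) -> list:
    return [make_signature(path_meta(p)) for p in extract_pdb_paths(sample)]


def scan(sample: bytes, signatures: list) -> bool:
    return any(sig.search(sample) for sig in signatures)


def _fake_pe(pdb_path: str) -> bytes:
    """Constructed stand-in for a PE file: 'MZ', filler, then a CodeView RSDS
    record whose last field is the NUL-terminated PDB path."""
    return (b"MZ" + b"\x90" * 64 + b"RSDS" + b"\x11" * 16 + b"\x01\x00\x00\x00"
            + pdb_path.encode("latin-1") + b"\x00" + b"\xcc" * 32)


# Constructed samples (no real malware involved).
MALWARE_SAMPLE = _fake_pe(r"C:\Users\dev01\source\repos\stealer\Release\stealer.pdb")
VARIANT_SAMPLE = _fake_pe(r"D:\Users\dev01\source\repos\stealer\x64\Debug\stealer2.pdb")
UNRELATED_SAMPLE = _fake_pe(r"D:\build\agent\_work\1\s\app\Release\app.pdb")

if __name__ == "__main__":
    sigs = signatures_from_sample(MALWARE_SAMPLE)
    print([s.pattern for s in sigs])
    print("variant matches:", scan(VARIANT_SAMPLE, sigs))
    print("unrelated matches:", scan(UNRELATED_SAMPLE, sigs))
```

Paths produced by build agents (no profile directory, generic work folders) make weak fingerprints, so a deployment would whitelist such prefixes before turning them into signatures; the same goes for paths that a packer or toolchain stamps into every output.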
  • Patent number: 9985989
    Abstract: A deception management system to detect attackers within a dynamically changing network of computer resources, including a deployment governor dynamically designating deception policies, each deception policy including names of non-existing web servers, and levels of diversity for planting the names of non-existing web servers in browser histories of web browsers within resources of the network, the levels of diversity specifying how densely the name of each non-existing web server is planted within resources of the network, a deception deployer dynamically planting the names of non-existing web servers in the browser histories of the web browsers in resources in the network, in accordance with the levels of diversity of the current deception policy, and a notification processor transmitting an alert to an administrator of the network in response to an attempt to access one of the non-existing web servers.
    Type: Grant
    Filed: August 17, 2017
    Date of Patent: May 29, 2018
    Assignee: ILLUSIVE NETWORKS LTD.
    Inventors: Shlomo Touboul, Hanan Levin, Stephane Roubach, Assaf Mischari, Itai Ben David, Itay Avraham, Adi Ozer, Chen Kazaz, Ofer Israeli, Olga Vingurt, Liad Gareh, Israel Grimberg, Cobby Cohen, Sharon Sultan, Matan Kubovsky
  • Patent number: 9984234
    Abstract: System, method and medium for securely transferring untrusted files from a portable storage medium to a computer. The invention can filter, scan and detonate untrusted files to be transferred to a computer from a portable storage medium. First, the types of files which are eligible to be selected for transfer are limited, by file type and/or content. Second, each file selected for transfer is scanned against a collection of signatures of known malware. Thus, files containing malware which has been previously identified as such can be blocked from ever being transferred to the computer. Finally, each file to be transferred is detonated by opening it in a controlled, sterile environment to determine if it adversely impacts the operation of that sterile environment. Malware detected in this way can then be added to the collection of malware that can be detected by the second step.
    Type: Grant
    Filed: March 11, 2016
    Date of Patent: May 29, 2018
    Assignee: HRB Innovations, Inc.
    Inventor: Mani Jaman
  • Patent number: 9985978
    Abstract: This disclosure discusses methods, systems, and an apparatus that can determine whether email content is potentially malicious, contains potentially malicious content, has originated from a potentially malicious entity, or contains links or other references to potentially malicious web content. The disclosure discusses some embodiments that include evaluating text in the email content to determine if predetermined suspected malicious phrases are present in the text, evaluating one or more links in the email content using an IP address, URL, or DNS to determine if the links reference potentially malicious web content, and evaluating metadata in the email content to determine if the email content is potentially malicious.
    Type: Grant
    Filed: September 28, 2015
    Date of Patent: May 29, 2018
    Assignee: LOOKINGGLASS CYBER SOLUTIONS
    Inventors: Steve Smith, Vlad Serban, Andy Walker, Greg Ogorek
  • Patent number: 9984171
    Abstract: Systems and methods for detecting false code in web pages linked to a web site are provided. One system includes a web server for administering the web site and a surveillance server for collecting generated or updated web pages from among the web pages linked to the web site, selecting tags of a given tag type included in the collected web pages, determining whether the selected tags comprise false code, and providing the determination result to an administrator terminal such that an administrator can check the determination result. One method includes collecting web pages that were generated or updated within a set time period from among the web pages linked to the web site, determining whether tags included in the collected web pages comprise false code, and providing the determination result to an administrator terminal such that an administrator can check the determination result.
    Type: Grant
    Filed: May 22, 2009
    Date of Patent: May 29, 2018
    Assignee: eBay Korea Co. Ltd.
    Inventors: Young Bae Ku, Eui Won Park, Chang Sup Ko, Seung Wan Lee, Dong Hyun Kim, Ho Jin Jung, Sung Hoon Jin
  • Patent number: 9971892
    Abstract: The present invention provides a method for scanning information to be scanned in a computer device, the information to be scanned needing multiple scans, and the method comprising the steps of: a. determining a delay duration from the end of a scan for the information to be scanned to the start of a next scan according to current performance information about the CPU of the computer device; and b. scanning the information to be scanned according to the delay duration. According to the solution of the present invention, by determining a delay duration from the end of a scan for the information to be scanned to the start of a next scan according to current performance information about the CPU of a computer device, and scanning according to the delay duration, problems such as slow running due to high occupancy ratio of CPU resources during scanning can be avoided.
    Type: Grant
    Filed: June 22, 2017
    Date of Patent: May 15, 2018
    Assignee: BAIDU ONLINE NETWORK TECHNOLOGY (BEIJING) CO., LTD.
    Inventors: Mingqiang Guo, Yongcheng Zhang
  • Patent number: 9973494
    Abstract: An upload management system for managing data upload from a client to a storage system includes an acquisition unit, a determination unit, and a control unit. The acquisition unit acquires information about data already uploaded by the client from the storage system in response to a request from the client which performs the data upload. The determination unit determines whether the client violates a predetermined condition based on the information acquired by the acquisition unit. The control unit performs control to return authentication information for performing the data upload to the client in a case where the determination unit determines that the client does not violate the condition, and performs control not to return the authentication information in a case where the determination unit determines that the client violates the condition.
    Type: Grant
    Filed: May 25, 2016
    Date of Patent: May 15, 2018
    Assignee: Canon Kabushiki Kaisha
    Inventor: Shunsuke Ota
  • Patent number: 9973531
    Abstract: According to one embodiment, a threat detection system is integrated with at least a dynamic analysis engine. The dynamic analysis engine is configured to automatically determine whether one or more objects included in received network traffic contains a heap spray attack. Upon detection of a potential heap spray attack, the dynamic analysis engine may copy potential shellcode within an object included in the received network traffic, insert the copy of the potential shellcode into a second region of allocated memory and analyze the execution of the potential shellcode to determine whether characteristics associated with an exploit are present.
    Type: Grant
    Filed: June 20, 2014
    Date of Patent: May 15, 2018
    Assignee: FireEye, Inc.
    Inventor: Emmanuel Thioux
  • Patent number: 9965620
    Abstract: This disclosure is directed to a system for application program interface (API) monitoring bypass prevention. Operation of an API function may be preserved by generating a binary translation based on the API function native code. The native code may then be protected to prevent API monitoring bypassing. In one embodiment, access permission may be set to non-executable for a memory page in which the native code is stored. Attempts to execute the native code may generate exceptions triggering API monitoring. Alternatively, some or all of a body section of the native code may be replaced with at least one trap instruction that causes exceptions triggering API monitoring or engaging protective measures. Use of the trap instruction may be combined with at least one jump instruction added after a header section of the native code. Execution of the jump instruction may cause execution to be redirected to API monitoring.
    Type: Grant
    Filed: December 24, 2015
    Date of Patent: May 8, 2018
    Assignee: Intel Corporation
    Inventors: Koichi Yamada, Palanivelrajan Shanmugavelayutham, Chang Seok Bae
  • Patent number: 9959408
    Abstract: In some embodiments, a content management system can initiate a scan of a content item when the content management system detects that activity associated with the content item triggers a scan policy. In some embodiments, a content management system can initiate a scan of a user's account when the content management system detects that activity associated with the content item triggers a scan policy. A scan policy can specify, for example, a number of shares, downloads and/or previews of the content item allowable in a period of time. When the number of shares, downloads, and/or previews exceeds the specified number in the policy in the specified period of time, the content management system can initiate a scan (e.g., virus scan, malware scan, etc.) of the content item and/or the user's account.
    Type: Grant
    Filed: July 13, 2017
    Date of Patent: May 1, 2018
    Assignee: DROPBOX, INC.
    Inventor: Anton Mityagin
  • Patent number: 9961093
    Abstract: Techniques are disclosed for detecting malicious remote-administration tool (RAT) software by detecting reverse-connection communication activity. Communications are monitored over one or more persistent connections, such as TCP (Transmission Control Protocol) connections. Each monitored connection is between an initiator device and a follower device, and the initiator device is identified as the device that sent an initial packet to the follower device in order to open the connection. The disclosed techniques detect reverse-connection activity on the connection by detecting that communications over the connection are actually driven by the follower device, indicating that a malicious RAT is using the connection.
    Type: Grant
    Filed: September 30, 2015
    Date of Patent: May 1, 2018
    Assignee: EMC IP Holding Company LLC
    Inventor: Andreas Wittenstein
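The detection described above, as an added worked example (not EMC's implementation): the initiator of a persistent TCP connection is the side that sent its first packet; in ordinary client/server traffic the initiator opens each exchange, whereas a reverse-connecting RAT has the victim initiate the connection and the follower (the attacker's host) drive it. The packet records, the idle-gap exchange heuristic and the threshold are assumptions made for this example.

```python
"""Reverse-connection detection on persistent TCP connections: the initiator
is whoever sent the first packet; in ordinary client/server traffic the
initiator opens each exchange, while a reverse-connect RAT has the victim
initiate the connection and the follower (the attacker) drive it. Added
example, not EMC's implementation; the packet records and the exchange
heuristic (idle gap, threshold) are assumptions made here."""
from dataclasses import dataclass

I2F, F2I = "i2f", "f2i"   # initiator -> follower, follower -> initiator


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since the connection was opened
    direction: str   # I2F or F2I
    payload: int     # application bytes carried (0 for SYN/ACK-only packets)


def exchange_openers(packets, idle_gap: float = 0.5) -> list:
    """Split payload-bearing packets into exchanges separated by at least
    idle_gap seconds of silence and report which side opened each one."""
    openers, last_ts = [], None
    for p in sorted(packets, key=lambda p: p.ts):
        if p.payload == 0:
            continue
        if last_ts is None or p.ts - last_ts >= idle_gap:
            openers.append(p.direction)
        last_ts = p.ts
    return openers


def follower_driven_ratio(packets, idle_gap: float = 0.5) -> float:
    openers = exchange_openers(packets, idle_gap)
    return openers.count(F2I) / len(openers) if openers else 0.0


def is_reverse_connection(packets, threshold: float = 0.7, min_exchanges: int = 3) -> bool:
    """Flag the connection once enough exchanges were seen and the follower
    opened most of them."""
    openers = exchange_openers(packets)
    return len(openers) >= min_exchanges and openers.count(F2I) / len(openers) >= threshold


# Constructed flows (not packet captures). Handshake packets carry no payload.
HANDSHAKE = [Packet(0.00, I2F, 0), Packet(0.02, F2I, 0), Packet(0.03, I2F, 0)]

# Browser to web server over a keep-alive connection: initiator asks, follower answers.
HTTP_KEEPALIVE = HANDSHAKE + [
    Packet(0.10, I2F, 310), Packet(0.15, F2I, 4096), Packet(0.16, F2I, 2048),
    Packet(2.00, I2F, 295), Packet(2.04, F2I, 1500),
    Packet(4.00, I2F, 301), Packet(4.05, F2I, 880),
    Packet(6.00, I2F, 299), Packet(6.03, F2I, 640),
]

# Victim connects out, sends a check-in banner, then the attacker issues
# commands and the victim returns their output.
REVERSE_SHELL = HANDSHAKE + [
    Packet(0.10, I2F, 48),                                                     # check-in banner
    Packet(5.00, F2I, 7), Packet(5.01, I2F, 20),                               # whoami
    Packet(12.00, F2I, 9), Packet(12.05, I2F, 1460), Packet(12.06, I2F, 600),  # ipconfig
    Packet(20.00, F2I, 4), Packet(20.02, I2F, 900),                            # dir
]

if __name__ == "__main__":
    for name, flow in (("http", HTTP_KEEPALIVE), ("reverse shell", REVERSE_SHELL)):
        print(name, exchange_openers(flow), follower_driven_ratio(flow), is_reverse_connection(flow))
```

Server-push protocols legitimately look follower-driven (long polling, message-queue subscriptions, SSH sessions with remote port forwarding), so a deployment pairs this ratio with port/protocol context and an allow list rather than alerting on the ratio alone; the idle gap should also be larger than the RTT of the link being watched, or a multi-packet response is split into separate exchanges.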
  • Patent number: 9961107
    Abstract: A system for collection and analysis of forensic and event data comprising a server and an endpoint agent operating on a remote system. The server is configured to receive event data including process creation data, persistent process data, thread injection data, network connection data, memory pattern data, or any combination thereof, and analyze the event data to detect compromises of a remote system. The endpoint agent is configured to acquire event data, and communicate the event data to the server.
    Type: Grant
    Filed: February 17, 2017
    Date of Patent: May 1, 2018
    Assignee: SECUREWORKS CORP.
    Inventors: Ross R. Kinder, Aaron Hackworth, Matthew K. Geiger, Kevin R. Moore, Timothy M. Vidas
  • Patent number: 9959150
    Abstract: A method, article of manufacture, and apparatus for automating application activity is disclosed. In some embodiments, this comprises monitoring an active folder in a computer system for file events, triggering an intermediary application based on the monitoring, and activating an application based on the triggered intermediary application. In some embodiments, an application remote to the computer system is activated. In some embodiments, an application local to the computer system is activated.
    Type: Grant
    Filed: December 31, 2009
    Date of Patent: May 1, 2018
    Assignee: LenovoEMC Limited
    Inventors: Troy T. Davidson, Brian R. Gruttadauria, Joseph T. Frank
  • Patent number: 9953162
    Abstract: Disclosed are various embodiments for inspecting malware with little or no user interruption. A first computing device may compare a source code of an application to a fingerprint stored locally on the first computing device. The first computing device may transmit the source code to a second computing device to determine whether the source code resides in a database comprising approved applications. If the source code does not reside in the database, a thorough scan of the source code may be conducted.
    Type: Grant
    Filed: November 9, 2015
    Date of Patent: April 24, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Mekka Chibuisi Okereke, Peter Phan Han
  • Patent number: 9946562
    Abstract: A system and method for rootkit protection in a hypervisor environment includes modules for creating a soft whitelist having entries corresponding to each guest kernel page of a guest operating system in a hypervisor environment, wherein each entry is a duplicate page of the corresponding guest kernel page, generating a page fault when a process attempts to access a guest kernel page, and redirecting the process to the corresponding duplicate page. If the page fault is a data page fault, the method includes fixing the page fault, and marking a page table entry corresponding to the guest kernel page as non-executable and writeable. If the page fault is an instruction page fault, the method includes marking a page table entry corresponding to the guest kernel page as read-only. Redirecting comprises changing a machine page frame number in a shadow page table of the hypervisor to point to the corresponding duplicate page.
    Type: Grant
    Filed: June 24, 2015
    Date of Patent: April 17, 2018
    Assignee: McAfee, LLC
    Inventors: Amit Dang, Preet Mohinder, Vivek Srivastava
  • Patent number: 9942123
    Abstract: A communication monitoring device is used in a network that includes a plurality of nodes. The communication monitoring device includes: a plurality of ports; and a processor. The processor is configured to execute a procedure including: detecting an abnormal frame from among received frames, a first arrival port at which the abnormal frame has arrived, and an order in which the abnormal frame arrived in received frames that have arrived at any of the plurality of ports, and transmitting order information that indicates the detected order to a node connected to the first arrival port.
    Type: Grant
    Filed: March 4, 2016
    Date of Patent: April 10, 2018
    Assignee: FUJITSU LIMITED
    Inventors: Jun Yajima, Takayuki Hasebe, Masahiko Takenaka
  • Patent number: 9940460
    Abstract: Embodiments described herein perform cleanup of backup images of a storage system by applying a record of I/O operations recorded while performing anti-malware operations on the storage system. The recording of the I/O operations can be replayed to resolve malware infections in the backup images, snapshots, or replicas of the storage system without requiring a restore-cleanup cycle for each backup image.
    Type: Grant
    Filed: December 18, 2015
    Date of Patent: April 10, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Philip Derbeko, Assaf Natanzon, Yaniv Harel, Harel Ram, Yossef Saad
  • Patent number: 9934376
    Abstract: A threat-aware virtualization module may be deployed in a malware detection appliance architecture and execute on a malware detection system (MDS) appliance to provide exploit and malware detection within a network environment. The virtualization module may underlie an operating system kernel of the MDS appliance and execute in kernel space of the architecture to control access to kernel resources of the appliance for any operating system process. A type 0 virtual machine monitor may be disposed over the virtualization module and execute in user space of the architecture as a pass-through module configured to expose the kernel resources of the appliance to the operating system kernel. One or more hypervisors, e.g., type 1 VMM, may be further disposed over the virtualization module and execute in user space of the architecture under control of the virtualization module to support execution of one or more guest operating systems inside one or more full virtual machines.
    Type: Grant
    Filed: December 8, 2015
    Date of Patent: April 3, 2018
    Assignee: FireEye, Inc.
    Inventor: Osman Abdoul Ismael
  • Patent number: 9935972
    Abstract: Methods and systems are described for malware learning and detection. According to one embodiment, an antivirus (AV) engine includes a training mode for internal lab use, for example, and a detection mode for use in commercial deployments. In training mode, an original set of suspicious patterns is generated by scanning malware samples. A set of clean patterns is generated by scanning clean samples. A revised set of suspicious patterns is created by removing the clean patterns from the original set. A further revised set of suspicious patterns is created by: (i) applying a statistical filter to the first revised set; and (ii) removing any suspicious patterns therefrom that do not meet a predefined frequency of occurrence. A detection model, based on the further revised set, can then be used in detection mode to flag executables as malware when the presence of one or more of the suspicious patterns is identified.
    Type: Grant
    Filed: June 29, 2015
    Date of Patent: April 3, 2018
    Assignee: Fortinet, Inc.
    Inventor: Jie Zhang
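The training-mode procedure in the abstract above, as an added worked example (not Fortinet's engine): scan malware samples for an original set of suspicious patterns, scan clean samples for clean patterns, remove the clean patterns, apply a frequency filter that drops patterns not recurring across enough malware samples, and use what remains as the detection model. Patterns here are byte 4-grams, and every sample is a constructed byte string, both assumptions of this example.

```python
"""Training-mode pattern learning as the abstract describes: collect patterns
from malware samples, collect patterns from clean samples, remove the clean
ones, keep only patterns that recur across enough malware samples, then use
the result as a detection model. Added example, not Fortinet's AV engine;
patterns are byte 4-grams here, and all samples are constructed bytes."""
from collections import Counter


def patterns(data: bytes, n: int = 4) -> set:
    """The pattern universe used here: every n-byte substring of the sample."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def train(malware_samples, clean_samples, n: int = 4, min_support: float = 0.5) -> set:
    # Original set of suspicious patterns, counted once per malware sample.
    suspicious = Counter()
    for sample in malware_samples:
        suspicious.update(patterns(sample, n))
    # Clean patterns: anything seen in any clean sample.
    clean = set()
    for sample in clean_samples:
        clean |= patterns(sample, n)
    # First revision: remove the clean patterns.
    revised = {p: c for p, c in suspicious.items() if p not in clean}
    # Second revision: statistical filter; drop patterns whose support
    # (fraction of malware samples containing them) is below the threshold.
    needed = min_support * len(malware_samples)
    return {p for p, c in revised.items() if c >= needed}


def classify(data: bytes, model: set, n: int = 4, min_hits: int = 2):
    """Detection mode: flag when at least min_hits model patterns are present."""
    hits = patterns(data, n) & model
    return len(hits) >= min_hits, hits


# Constructed byte sequences standing in for file content.
COMMON = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"     # header bytes in everything
CRT = b"msvcrt.dll\x00printf\x00"                                  # runtime imports in everything
FAMILY_STUB = b"\xe8\x00\x00\x00\x00\x5b\x81\xeb\x05\x10\x40\x00"  # call $+5 / pop ebx / sub ebx
UNPACK_LOOP = b"\xac\x34\x5a\xaa\xe2\xfa"                          # lodsb / xor al,0x5a / stosb / loop

MALWARE = [
    COMMON + FAMILY_STUB + UNPACK_LOOP + CRT + b"\x01\x02\x03",
    COMMON + b"\x90\x90" + UNPACK_LOOP + FAMILY_STUB + CRT,
    COMMON + CRT + FAMILY_STUB + b"\x07\x07\x07",
]
CLEAN = [
    COMMON + CRT + b"Hello, world\x00" + b"\x00" * 8,   # zero padding makes 00 00 00 00 a clean pattern
    COMMON + b"\x55\x8b\xec\x83\xec\x10" + CRT,
]
NEW_VARIANT = COMMON + b"\xcc" + FAMILY_STUB + CRT                     # same stub, new layout
CLEAN_UNSEEN = COMMON + b"\x55\x8b\xec\x83\xec\x10" + CRT + b"\x00" * 4

if __name__ == "__main__":
    model = train(MALWARE, CLEAN)
    print(len(model), "suspicious patterns kept")
    print("new variant flagged:", classify(NEW_VARIANT, model)[0])
    print("unseen clean file flagged:", classify(CLEAN_UNSEEN, model)[0])
```

Two things the small data set makes visible: the header and import-table bytes shared by every executable vanish in the clean-pattern subtraction, and the bytes that straddle component boundaries in a single sample vanish in the frequency filter, leaving only the stub and unpacking loop the family actually shares. With real corpora the clean set has to be large, since any generic pattern it misses (here the run of zero bytes, caught only because one clean sample contained padding) becomes a false-positive source in detection mode.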
  • Patent number: 9935973
    Abstract: The present disclosure describes systems and methods for detection and mitigation of malicious activity regarding user data by a network backup system. In a first aspect, a backup system receiving and deduplicating backup data from a plurality of computing devices may detect, based on changes in uniqueness or shared rates for files, atypical modifications to common files, and may take steps to mitigate any potential attack by maintaining versions of the common files prior to the modifications or locking backup snapshots. In a second aspect, the backup system may monitor file modification behaviors on a single device, relative to practices of an aggregated plurality of devices. Upon detection of potentially malicious modification activity, a previously backed up or synchronized store of data may be locked and/or duplicated, preventing any of the malicious modifications from being transferred to the backup system.
    Type: Grant
    Filed: December 16, 2015
    Date of Patent: April 3, 2018
    Assignee: Carbonite, Inc.
    Inventors: Teo Winton Crofton, Clark Marshall Baker
  • Patent number: 9934380
    Abstract: In an example, there is provided a system and method for execution profiling detection of malicious software objects. An execution profiling (EXP) engine may be provided in conjunction with a binary translation engine (BTE). Both may operate within a trusted execution environment (TEE). Because many malware objects make assumptions about memory usage of host applications, they may cause exceptions when those assumptions prove untrue. The EXP engine may proactively detect such exceptions via the BTE when the BTE performs its translation function. Thus, malicious behavior may be detected before a binary runs on a system, and remedial measures may be provided.
    Type: Grant
    Filed: December 23, 2014
    Date of Patent: April 3, 2018
    Assignee: McAfee, LLC
    Inventors: Greg W. Dalcher, Koichi Yamada, Palanivel Rajan Shanmugavelayutham, Jitendra P. Singh
  • Patent number: 9923913
    Abstract: Malware detection techniques that detect malware by identifying the C&C communication between the malware and the remote host, and distinguish between communication transactions that carry C&C communication and transactions of innocent traffic. The system distinguishes between malware transactions and innocent transactions using malware identification models, which it adapts using machine learning algorithms. However, the number and variety of malicious transactions that can be obtained from the protected network are often too limited for effectively training the machine learning algorithms. Therefore, the system obtains additional malicious transactions from another computer network that is known to be relatively rich in malicious activity. The system is thus able to adapt the malware identification models based on a large number of positive examples: the malicious transactions obtained from both the protected network and the infected network.
    Type: Grant
    Filed: March 1, 2016
    Date of Patent: March 20, 2018
    Assignee: VERINT SYSTEMS LTD.
    Inventors: Yuval Altman, Assaf Yosef Keren, Ido Krupkin
  • Patent number: 9923908
    Abstract: Approaches for providing data protection in a networked computing environment are provided. A method includes detecting, by at least one computer device, a breach of a first system in the networked computing environment. The method also includes generating, by the at least one computer device, a second system in the networked computing environment, wherein the second system includes a patch based on the breach. The method additionally includes converting, by the at least one computer device, the first system to a decoy system. The method further includes generating, by the at least one computer device, a third system in the networked computing environment, wherein the third system has reduced security relative to the first system.
    Type: Grant
    Filed: April 29, 2015
    Date of Patent: March 20, 2018
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Gregory J. Boss, Rick A. Hamilton, II, Jeffrey R. Hoy, Agueda M. H. Magro
  • Patent number: 9922192
    Abstract: The execution of a process within a virtual machine (VM) may be monitored, and when a trigger event occurs, additional monitoring is initiated, including storing behavior data describing the real-time events taking place inside the VM. This behavior data may then be compared to information about the expected behavior of that type of process in order to determine whether malware has compromised the VM. The trigger event may be analyzed in relation to a set of heuristics, and based on the analysis, a data collection process may be initiated wherein the data comprises information about events occurring in the first virtual machine.
    Type: Grant
    Filed: July 24, 2015
    Date of Patent: March 20, 2018
    Assignee: Bromium, Inc.
    Inventors: Rahul C. Kashyap, J. McEnroe Samuel Navaraj, Baibhav Singh, Arun Passi, Rafal Wojtczuk
  • Patent number: 9917861
    Abstract: A method of establishing centralized trust includes, at a policy server having connectivity to a network, establishing a trust relationship with a first enterprise network domain and a second enterprise network domain. One or more criteria from a server in the first enterprise network domain are received by the policy server and a federation relationship is established between at least a portion of the first enterprise network domain and one or more entities in the second enterprise network domain based on the one or more criteria. Based on the federation relationship, the policy server enables the one or more entities in the second enterprise network domain to access the at least a portion of the first enterprise network domain.
    Type: Grant
    Filed: October 6, 2015
    Date of Patent: March 13, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Jazib Frahim, Klaas Wierenga, Carlos Pignataro
  • Patent number: 9910872
    Abstract: A data migration system and method are disclosed for migrating data from a source server to a target server. The system includes an index containing a plurality of data migration operations in a normalized data model, each data migration operation being stored in association with an attribute, and a data mover communicably connected to the index. The data mover is adapted to move data from the source server to the target server in accordance with the data migration operations contained in the index. The data mover has an attribute corresponding to the associated attribute of at least one data migration operation contained in the index, the attribute indicating the type of data migration operations that can be performed by the data mover.
    Type: Grant
    Filed: May 20, 2016
    Date of Patent: March 6, 2018
    Assignee: International Business Machines Corporation
    Inventor: Ian T. Smith
  • Patent number: 9910981
    Abstract: A malware analysis system for automating cause and effect analysis of malware infections is provided. The malware analysis system monitors and records computer system activities. Upon being informed of a suspected malware infection, the malware analysis system creates a time-bounded snapshot of the monitored activities that were conducted within a time frame prior to the notification of the suspected malware infection. The malware analysis system may also create a time-bounded snapshot of the monitored activities that are conducted within a time frame subsequent to the notification of the suspected malware infection. The malware analysis system provides the created snapshot or snapshots for further analysis.
    Type: Grant
    Filed: September 9, 2014
    Date of Patent: March 6, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Gregory D. Hartrell, David J. Steeves, Efim Hudis
  • Patent number: 9906613
    Abstract: The present disclosure is directed toward systems and methods for analyzing user-specific information and determining content within one or more web pages that has been experienced by one or more users. Furthermore, the present disclosure is directed toward identifying and providing actionable data based on keywords experienced by one or more users.
    Type: Grant
    Filed: April 18, 2017
    Date of Patent: February 27, 2018
    Assignee: ADOBE SYSTEMS INCORPORATED
    Inventors: Anmol Dhawan, Walter W. Chang, Sachin Soni, Ashish Duggal
  • Patent number: 9906541
    Abstract: Methods, computer-readable media, software, and apparatuses may assist a consumer in keeping track of a consumer's accounts in order to prevent unauthorized access or use of the consumer's identified subscription and financial accounts. The discovered subscriptions and financial accounts may be displayed to the consumer along with recommendations and assistance for closing unused or unwanted financial accounts and subscriptions to prevent unauthorized access or use.
    Type: Grant
    Filed: October 21, 2016
    Date of Patent: February 27, 2018
    Assignee: Allstate Insurance Company
    Inventors: Jason D. Park, John S. Parkinson
  • Patent number: 9898605
    Abstract: Embodiments are directed to hooking a call for a malware monitoring logic into a JavaScript API engine interpreter. Upon JavaScript being placed into heap memory, the malware monitoring logic can initiate an evaluation or analysis of the heap spray to determine whether the JavaScript includes malware or other malicious agents prior to execution of the JavaScript shell code. Upon execution of the JavaScript within the sandbox, the malware monitoring logic can initiate monitoring of the JavaScript using malware analysis and/or execution profiling techniques. Inferences can be made of the presence of malware based on a start and end time of the JavaScript execution.
    Type: Grant
    Filed: December 24, 2015
    Date of Patent: February 20, 2018
    Assignee: McAfee, LLC
    Inventors: Ravi Sahita, Xiaoning Li, Lixin Lu, Lu Deng, Alexander Shepsen, Xiang Xu, Liangjun Huang, Hua Liu, Kai Huang
  • Patent number: 9898739
    Abstract: Online transaction security is improved by detecting a start of an online financial transaction between a user-controlled online transaction application and a remote payment service. A protected data input module, a protected environment module, and a safe data transfer module each provides a corresponding set of protection operations. A risk level of conducting the financial transaction is assessed based on a vulnerability assessment and on present condition of the local computing system. An initial degree of protection for each of the modules is set, and subsequently adjusted based on the risk level.
    Type: Grant
    Filed: January 28, 2014
    Date of Patent: February 20, 2018
    Assignee: AO KASPERSKY LAB
    Inventors: Alexey V. Monastyrsky, Sergey Y. Golovanov, Vladislav V. Martynenko, Vyacheslav E. Rusakov
  • Patent number: 9888018
    Abstract: Network activity detectors, such as firewalls, communicate with one another to form a Unified Threat Management System. A first network activity detector sends a request for configuration settings to a second network activity detector. The second network activity detector sends a set of configuration settings in response to the request. The configuration settings include information for detecting digital security threats and/or for responding to detected digital security threats. In this way, configuration settings are propagated from one network activity detector to another so that network activity detectors within a UTMS system are configured consistently, e.g., have up-to-date information for detecting and/or responding to digital security threats.
    Type: Grant
    Filed: March 24, 2015
    Date of Patent: February 6, 2018
    Assignee: EVENGX, LLC
    Inventor: John S. Flowers
  • Patent number: 9886578
    Abstract: A malware analysis system for automating cause and effect analysis of malware infections is provided. The malware analysis system monitors and records computer system activities. Upon being informed of a suspected malware infection, the malware analysis system creates a time-bounded snapshot of the monitored activities that were conducted within a time frame prior to the notification of the suspected malware infection. The malware analysis system may also create a time-bounded snapshot of the monitored activities that are conducted within a time frame subsequent to the notification of the suspected malware infection. The malware analysis system provides the created snapshot or snapshots for further analysis.
    Type: Grant
    Filed: September 9, 2014
    Date of Patent: February 6, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Gregory D. Hartrell, David J. Steeves, Efim Hudis
  • Patent number: 9888016
    Abstract: Phishing detection techniques for predicting a password for decrypting an attachment for the purpose of malicious content detection are described herein. According to one embodiment, in response to a communication message, such as an electronic mail (email) message having an encrypted attachment, content of the communication message is parsed to predict a password based on a pattern of the content. The encrypted attachment is then decrypted using the predicted password to generate a decrypted attachment. Thereafter, a malicious content analysis is performed on the decrypted attachment to determine a likelihood as to whether the decrypted attachment contains malicious content.
    Type: Grant
    Filed: June 28, 2013
    Date of Patent: February 6, 2018
    Assignee: FireEye, Inc.
    Inventors: Muhammad Amin, Mohan Samuelraj, Henry Uyeno
  • Patent number: 9876814
    Abstract: Apparatus and techniques for determining whether a domain name has been generated by a domain generation algorithm (DGA) are disclosed. A first domain name is classified as either a likely domain generation algorithm (DGA) domain name or a likely non-DGA domain name, based on one or more features of the first domain name. In addition, statistics are determined regarding requests for the first domain name. Additional domain names are identified that share an infrastructure with the first domain name. A determination is made regarding whether the first domain name and/or one or more of the additional domain names are likely to have been generated by a DGA, based on a result of one or more of the classifying, the statistics, or the identifying. A security vulnerability related to one or more of the likely DGA domain names is then mitigated.
    Type: Grant
    Filed: May 11, 2015
    Date of Patent: January 23, 2018
    Assignee: Cisco Technology, Inc.
    Inventor: Steve McKinney
  • Patent number: 9871826
    Abstract: Systems and techniques are provided for creating sensor based rules for detecting and responding to malicious activity. Evidence corresponding to a malicious activity is received. The evidence corresponding to malicious activity is analyzed. Indicators are identified from the evidence. The indicators are extracted from the evidence. It is determined that an action to mitigate or detect a threat needs to be taken based on the indicators and evidence. A sensor to employ the prescribed action is identified. Whether a sensor based rule meets a threshold requirement is validated. A configuration file used to task the sensor based rule to the identified sensor is created. The number of sensor based rule triggers is tracked.
    Type: Grant
    Filed: January 24, 2017
    Date of Patent: January 16, 2018
    Assignee: Analyst Platform, LLC
    Inventors: Russell Scott Messick, Jason Daniel Smith