Virus Detection Patents (Class 726/24)
  • Patent number: 11323462
    Abstract: A computer-implemented method, computer program product and computing system for: obtaining one or more artifacts concerning a detected security event; obtaining artifact information concerning the one or more artifacts; and generating a conclusion concerning the detected security event based, at least in part, upon the detected security event, the one or more artifacts, and the artifact information.
    Type: Grant
    Filed: June 6, 2019
    Date of Patent: May 3, 2022
    Assignee: RELIAQUEST HOLDINGS, LLC
    Inventors: Brian P. Murphy, Joe Partlow, Colin O'Connor, Jason Pfeiffer
  • Patent number: 11323472
    Abstract: Systems, methods, and software described herein provide security actions based on related security threat communications. In one example, a method of operating an advisement system includes identifying a security threat within the computing environment, wherein the computing environment comprises a plurality of computing assets. The method further provides obtaining descriptor information for the security threat, and retrieving related communication interactions based on the descriptor information. The method also includes generating a response to the security threat based on the related communication interactions.
    Type: Grant
    Filed: September 25, 2020
    Date of Patent: May 3, 2022
    Assignee: Splunk Inc.
    Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas
  • Patent number: 11323266
    Abstract: A secured digital communication system, comprising: at least one secured network connected device, comprising at least one hardware processor connected to at least one digital communication network interface, and adapted for: in at least one of a plurality of iterations: appending an identified cryptographic key value to a first sequence of digital bytes to produce an extended sequence of digital bytes; computing a cryptographic signature value by applying a fixed length low computation complexity chunk-based hash function to the extended sequence of digital bytes; appending the cryptographic signature value to the first sequence of digital bytes to produce a signed sequence of digital bytes; and sending at least one message comprising the signed sequence of digital bytes to at least one other secured network connected device via the at least one digital communication network interface.
    Type: Grant
    Filed: May 28, 2019
    Date of Patent: May 3, 2022
    Assignee: Brownie Technologies Ltd.
    Inventors: Hana-Muriel Setteboun, Netanel Robin
  • Patent number: 11316901
    Abstract: The disclosed computer-implemented method for protecting users may include (i) intercepting, through a cloud-based security proxy service, network traffic originating from a mobile application at a mobile device connected to a local area network protected by the cloud-based security proxy service, (ii) detecting, by the cloud-based security proxy service, a threat indicator indicated by the mobile application, and (iii) modifying the network traffic originating from the mobile application at the mobile device by applying, by the cloud-based security proxy service based on detecting the threat indicator indicated by the mobile application, a security policy to protect the local area network from a candidate threat corresponding to the threat indicator. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: August 12, 2019
    Date of Patent: April 26, 2022
    Assignee: NortonLifeLock Inc.
    Inventors: Qing Li, Samir Kapuria, Wenjing Wang, Howard Chen
  • Patent number: 11316879
    Abstract: A computer-implemented method and system for protecting a host computer in a computer network from security threats uses local security-relevant data for the host computer, as well as global security-relevant data for other components in the computer network downloaded from a security information plane system to the host computer, to determine a security threat to the host computer. When a security threat is determined to be a legitimate threat, a security alert is issued, and then an action is initiated in response to the security alert.
    Type: Grant
    Filed: January 23, 2019
    Date of Patent: April 26, 2022
    Assignee: VMWARE, INC.
    Inventors: David Ott, Lei Xu, Ruimin Sun, Vijay Ganti, Dennis R. Moreau
  • Patent number: 11314857
    Abstract: A method and system for determining a power consumption pattern for at least one application being executed on a computer is provided. The method comprises measuring a DC current and measuring a DC supply voltage provided to a data processing device, thereby creating a stream of time-stamped voltage value samples and current value samples. The method comprises further determining a product of the streams at identical times and converting the product into a real and an imaginary data stream using I/Q digital signal processing, combining these into a complex data stream, applying a signal processing demodulation step to the complex data stream, thereby generating a demodulated data stream, and extracting from the demodulated data stream at least one stream-based parameter signature, the at least one stream-based parameter signature representing the power consumption pattern of the at least one corresponding application being executed on the data processing device.
    Type: Grant
    Filed: May 17, 2019
    Date of Patent: April 26, 2022
    Assignee: Kyndryl, Inc.
    Inventors: Ivan James Reedman, Tim Uwe Scheideler
  • Patent number: 11310252
Abstract: Processor(s) for detecting malicious software. A hardware virtual machine monitor (HVMM) operates under a host OS. Container(s) initialized with network application template(s) operate under a guest OS VM. A detection module operating under the guest OS VM includes a trigger detection module, a logging module and a container command module. The trigger detection module monitors activity on container(s) for a trigger event. The logging module writes activity report(s) in response to trigger event(s). The container command module issues command(s) in response to trigger event(s). The command(s) include container start, stop and revert commands. A virtual machine control console operates under the host OS and starts/stops the HVMM. A container control module operates under the guest OS VM and controls container(s) in response to the command(s). The server communication module sends activity report(s) to a central collection network appliance that maintains a repository of activities for infected devices.
    Type: Grant
    Filed: February 13, 2020
    Date of Patent: April 19, 2022
    Assignee: George Mason Research Foundation, Inc.
    Inventors: Anup Ghosh, Yih Huang, Jiang Wang, Angelos Stavrou
  • Patent number: 11310254
    Abstract: A security system detects anomalous activity in a network. The system logs user activity, which can include ports used, compares users to find similar users, sorts similar users into cohorts, and compares new user activity to logged behavior of the cohort. The comparison can include a divergence calculation. Origins of user activity can also be used to determine anomalous network activity. The hostname, username, IP address, and timestamp can be used to calculate aggregate scores and convoluted scores.
    Type: Grant
    Filed: June 25, 2020
    Date of Patent: April 19, 2022
    Assignee: Palantir Technologies Inc.
    Inventors: Maxim Kesin, Samuel Jones
  • Patent number: 11301565
    Abstract: The present invention relates to the detection of malicious software in electronic documents and comprises: detecting an executable code in the electronic document provided to a client module; extracting information from the electronic document comprising the executable code and metadata of the electronic document; creating a binary vector associated with the electronic document; comparing, in a classifier module (200), the binary vector with one or more groups of vectors previously classified and stored in a database (400); classifying the vector in one of the groups, where each group has associated therewith a verdict about the presence of malicious software; and determining that the document contains malicious software depending on the verdict associated with the group in which its associated vector has been classified.
    Type: Grant
    Filed: December 19, 2016
    Date of Patent: April 12, 2022
    Assignee: Telefonica Cybersecurity & Cloud Tech S.L.U.
    Inventors: Sergio De Los Santos Vilchez, Pedro Pablo Pérez García, José Torres Velasco
  • Patent number: 11303659
    Abstract: Unauthenticated client access to an application (e.g., a SaaS-based web application) that employs unauthenticated API endpoints is monitored and protected by an access control system and method that leverages a neural network. The neural network is trained to recognize user behaviors that should be deemed to be “inappropriate” according to a policy. Using the neural network, the system provides effective discrimination with respect to unauthenticated user behavior, and it enables access controls to be more effectively enforced with respect to users that are not using the application according to an enterprise security policy. By training the neural network to recognize pattern(s) behind regular user behavior, the approach enables robust access control with respect to users that are unauthenticated.
    Type: Grant
    Filed: December 26, 2018
    Date of Patent: April 12, 2022
    Assignee: International Business Machines Corporation
    Inventors: Xuejie Yu, Matthias Bartelt, Manuel Hauptmann, Ronald Williams, Lidiya Mekbib Tilahun, Archana Kumari
  • Patent number: 11301560
    Abstract: Counterfeit uniform resource locators (URLs) are detected and blocked in real-time by a browser extension in communication with a counterfeit URL detection system. The browser extension receives a URL requested within a browser application. Content from a webpage associated with the received URL is extracted and transmitted to the counterfeit URL detection system, which is configured to analyze the content and return an assessment indicating whether the URL is counterfeit. If the assessment indicates that the URL is counterfeit, the browser extension blocks the browser application from accessing content associated with the URL.
    Type: Grant
    Filed: January 29, 2019
    Date of Patent: April 12, 2022
    Assignee: Bolster, Inc
    Inventors: Shashi Prakash, Abhishek Dubey
  • Patent number: 11303726
    Abstract: The present teaching relates to a method and system for reducing request traffic directed to a server. Upon receiving a request associated with an application in a time-window, an identifier that is to be associated with the request is generated. A first criterion associated with the request is evaluated based on the identifier, and the request is transmitted to a server based on a second criterion related to the time-window and the first criterion.
    Type: Grant
    Filed: August 24, 2018
    Date of Patent: April 12, 2022
    Assignee: YAHOO ASSETS LLC
    Inventors: Markandey Singh, Prabhakar Kasi, Suchith Chandran
  • Patent number: 11301564
    Abstract: There is disclosed in one example a computing apparatus, including: a processor; and a memory having encoded therein executable instructions to instruct the processor to: divide a file-under-analysis into a plurality of features; build a plurality of categories from the plurality of features, including a category of unrelated features; construct a first decision tree from a first category of the plurality of features, the first category including related features; construct a second decision tree from a second category of the plurality of features, the second decision tree including unrelated features; and determine, based at least partly on the first decision tree and the second decision tree, that the file under analysis has malware content.
    Type: Grant
    Filed: March 28, 2019
    Date of Patent: April 12, 2022
    Assignee: McAfee, LLC
    Inventors: Christoph Alme, Joachim Gehweiler, Oliver Helge Marquardt
  • Patent number: 11301774
    Abstract: A method for learning latent representations of individual users in a personalization system uses a graph-based machine learning framework. A graph representation is generated based on input data in which the individual users are each represented by a node. The nodes are associated with labels. Node vector representations are learned by combining label latent representations from a vertex and neighboring nodes so as to reconstruct the label latent representation of the vertex and updating the label latent representations of the neighboring nodes using gradients resulting from application of a reconstruction loss. A classifier/regressor is trained using the node vector representations and the node vector representations are mapped to personalizations. Actions associated with the personalizations are then initiated.
    Type: Grant
    Filed: May 12, 2017
    Date of Patent: April 12, 2022
    Assignee: NEC CORPORATION
    Inventors: Alberto Garcia Duran, Mathias Niepert
  • Patent number: 11295020
    Abstract: A system for integrated natural language programming (“NLP”) and event analysis provides threat detection in computing systems. In particular, the system may use an NLP unit to analyze threat logs from various sources according to multiple different metrics and/or analysis paradigms. Upon completing the analysis, the system may extract, via machine learning, event and/or threat patterns which may be integrated into the system's threat detection processes.
    Type: Grant
    Filed: August 5, 2019
    Date of Patent: April 5, 2022
    Assignee: BANK OF AMERICA CORPORATION
    Inventor: Eren Kursun
  • Patent number: 11294702
    Abstract: A method for processing data includes receiving an offload request by a first virtual machine (VM), issuing, in response to the offload request and based on a processing pipeline, a processing request to a processing unit, and servicing, by the processing unit, the processing request to obtain a result.
    Type: Grant
    Filed: May 1, 2019
    Date of Patent: April 5, 2022
    Assignee: EMC IP Holding Company LLC
    Inventors: Jonathan I. Krasner, Steven R. Chalmer, Serge Joseph Pirotte, Steven T. McClure
  • Patent number: 11288391
    Abstract: Filename-based malware pre-scanning is described herein. A method as described herein can include obtaining, by a device operatively coupled to a processor, a malware scan request for a first file in a directory of a file system, the first file having a first filename belonging to a filename sequence; appending, by the device, the first file to a first malware scan queue; and appending, by the device, respective second files in the directory to a second malware scan queue that is distinct from the first malware scan queue, wherein the respective second files are distinct from the first file and have respective second filenames belonging to the filename sequence.
    Type: Grant
    Filed: September 13, 2019
    Date of Patent: March 29, 2022
    Assignee: EMC IP Holding Company LLC
    Inventors: Avadut Mungre, Jai Prakash Gahlot, Shiv Shankar Kumar
  • Patent number: 11288401
    Abstract: Disclosed herein are systems and methods for reducing a number of false positives in classification of files. In one aspect, an exemplary method comprises, analyzing a file to determine whether or not the file is to be recognized as being malicious, when the file is recognized as being malicious, analyzing the file to detect a false positive outcome, when the false positive outcome is detected, excluding the file from being scanned and calculating a flexible hash of the file, and storing the calculated flexible hash in a database of exceptions.
    Type: Grant
    Filed: September 11, 2019
    Date of Patent: March 29, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Sergey V. Prokudin, Alexander S. Chistyakov, Alexey M. Romanenko
  • Patent number: 11283820
    Abstract: Analysis of samples for maliciousness is disclosed. A sample is executed and one or more network activities associated with executing the sample are recorded. The recorded network activities are compared to a malware profile. The malware profile comprises a set of network activities taken by a known malicious application during execution of the known malicious application. A verdict of “malicious” is assigned to the sample based at least in part on a determination that the recorded network activities match the malware profile.
    Type: Grant
    Filed: July 10, 2020
    Date of Patent: March 22, 2022
    Assignee: Palo Alto Networks, Inc.
    Inventors: Jun Wang, Wei Xu
  • Patent number: 11283815
    Abstract: A collection and assignment unit collects attribute information for each file and assigns attribute information to a file to which attribute information is not assigned, when checking a file in a present information processing device. A reception unit receives attribute information of a tracking target file from a distribution device that distributes a pattern file. A search unit searches for a file associated with the attribute information of the tracking target file that is received. A transmission/procedure unit transmits, when there exists information regarding the file associated with the attribute information, the information regarding the file associated with the attribute information of the tracking target file to the distribution device and/or performs a procedure on the file.
    Type: Grant
    Filed: August 16, 2017
    Date of Patent: March 22, 2022
    Assignee: NOMURA RESEARCH INSTITUTE, LTD.
    Inventors: Masahiro Ueno, Tianfeng Ma
  • Patent number: 11283836
    Abstract: A method and system for implementing security patches on a computer system is disclosed. The method includes finding one or more security patches; analyzing one of the one or more security patches to find one or more localized security fixes within the one or more security patches; and transforming a security patch within the one or more security patches into a honey patch that is configured to report security violations.
    Type: Grant
    Filed: January 31, 2019
    Date of Patent: March 22, 2022
    Assignee: CARRIER CORPORATION
    Inventors: Adriaan Larmuseau, Devu Manikantan Shila
  • Patent number: 11283818
    Abstract: A system is provided for training a machine learning model to detect malicious container files. The system may include at least one processor and at least one memory. The memory may include program code which when executed by the at least one processor provides operations including: processing a container file with a trained machine learning model, wherein the trained machine learning is trained to determine a classification for the container file indicative of whether the container file includes at least one file rendering the container file malicious; and providing, as an output by the trained machine learning model, an indication of whether the container file includes the at least one file rendering the container file malicious. Related methods and articles of manufacture, including computer program products, are also disclosed.
    Type: Grant
    Filed: April 28, 2020
    Date of Patent: March 22, 2022
    Assignee: Cylance Inc.
    Inventors: Xuan Zhao, Matthew Wolff, John Brock, Brian Michael Wallace, Andy Wortman, Jian Luan, Mahdi Azarafrooz, Andrew Davis, Michael Thomas Wojnowicz, Derek A. Soeder, David N. Beveridge, Yaroslav Oliinyk, Ryan Permeh
  • Patent number: 11277438
    Abstract: Systems and methods for mitigating the impact of malware by reversing malware related modifications in a computing device are provided. According to an embodiment, a sandbox service running within a network security platform protecting an enterprise network receives a file containing malware and associated contextual information from an endpoint security solution running on an endpoint device, which has been infected by the malware. The sandbox service captures information regarding a first series of actions performed by the malware and based on the first series of actions generates a remediation script specifying a second series of actions that are configured to restore the endpoint device to a pre-infected state. The network security platform causes the endpoint device to be returned to the pre-infected state by causing the endpoint security solution to execute the remediation script on the endpoint device.
    Type: Grant
    Filed: December 10, 2019
    Date of Patent: March 15, 2022
    Assignee: Fortinet, Inc.
    Inventors: Udi Yavo, Roy Katmor, Ido Kelson
  • Patent number: 11275758
    Abstract: A computer-implemented method for exporting a database container from a database includes exporting database container metadata including artifact definitions in the metadata along with the actual metadata content to a database management system, exporting the database container including the database objects deployed therein to the database management system. The exporting of the database container includes exporting dependencies and structures of the database objects deployed therein, but not the actual content of the database objects. In some instances, however, exporting of the database container can include exporting the actual content of the database objects in response to user request. The method further includes packing the exported database container metadata and the exported database container in an archive. The data in the archive can be unpacked in substantially reverse order to import the database container into another database.
    Type: Grant
    Filed: May 8, 2019
    Date of Patent: March 15, 2022
    Assignee: SAP SE
    Inventors: Le-Huan Stefan Tran, Jonathan Bregler, Alexander Bunte, Arne Harren, Andreas Kellner, Daniel Kuntze, Vladislav Leonkev, Simon Lueders, Volker Sauermann, Michael Schnaubelt
  • Patent number: 11271966
    Abstract: Counterfeit uniform resource locators (URLs) are detected and blocked in real-time by a browser extension in communication with a counterfeit URL detection system. The browser extension receives a URL requested within a browser application. Content from a webpage associated with the received URL is extracted and transmitted to the counterfeit URL detection system, which is configured to analyze the content and return an assessment indicating whether the URL is counterfeit. If the assessment indicates that the URL is counterfeit, the browser extension blocks the browser application from accessing content associated with the URL and redirects the browser extension to a legitimate URL.
    Type: Grant
    Filed: November 25, 2019
    Date of Patent: March 8, 2022
    Assignee: Bolster, Inc
    Inventors: Shashi Prakash, Abhishek Dubey
  • Patent number: 11271955
    Abstract: A system for detecting artifacts associated with a cyber-attack features a cybersecurity intelligence hub remotely located from and communicatively coupled to one or more network devices via a network. The hub includes a data store and retroactive reclassification logic. The data store includes stored meta-information associated with each prior evaluated artifact of a plurality of prior evaluated artifacts. Each meta-information associated with a prior evaluated artifact of the plurality of prior evaluated artifacts includes a verdict classifying the prior evaluated artifact as a malicious classification or a benign classification. The retroactive reclassification logic is configured to analyze the stored meta-information associated with the prior evaluated artifact and either (a) identify whether the verdict associated with the prior evaluated artifact is in conflict with trusted cybersecurity intelligence or (b) identify inconsistent verdicts for the same prior evaluated artifact.
    Type: Grant
    Filed: December 17, 2018
    Date of Patent: March 8, 2022
    Assignee: FireEye Security Holdings US LLC
    Inventors: Sai Vashisht, Alexander Otvagin
  • Patent number: 11269741
Abstract: A request is received to update an original data value in a first row in a database table in a database system. An updated data value is written to a second row in a staging table in the database system. The updated data value corresponds with the original data value. The first row includes a database table key, which is also included in the second row. The original data value in the database table is replaced with a corresponding replacement value, which is determined based on a value replacement update function that takes as input the updated data value. The staging table maintains a record value for reversing the update to the database table.
    Type: Grant
    Filed: July 30, 2019
    Date of Patent: March 8, 2022
    Assignee: salesforce.com, Inc.
    Inventor: Rohitashva Mathur
  • Patent number: 11269989
    Abstract: Provided herein are systems and methods for protecting data from injected malware. In some embodiments, a virtual memory validator may execute in user mode memory space on a computing device. The virtual memory validator may monitor an execution stack of an executing thread of a process. The virtual memory validator may identify a memory address referenced in the execution stack, responsive to the process attempting to access a protected resource. The virtual memory validator may determine that the memory address refers to a memory region that is designated as executable. The virtual memory validator may determine that the memory address is outside memory regions identified in a memory range map. The virtual memory validator may, responsive to the determination, identify the process as a potential malware process.
    Type: Grant
    Filed: April 3, 2020
    Date of Patent: March 8, 2022
    Assignee: DIGITAL GUARDIAN LLC
    Inventor: Dwayne A. Carson
  • Patent number: 11265314
    Abstract: One or more embodiments of the present specification relate to a data processing method, apparatus, device, and system for code scanning jumps. An example method includes receiving scan data resulting from a client application having been used to scan an identification code, in which the identification code and the client application have been created under different platforms. A domain name is obtained from the scan data, and a target regular expression corresponding to the domain name is obtained from a regular expression library. A jump rule string corresponding to the identification code is determined based on the target regular expression and a resource path of the domain name of the identification code, and a jump address corresponding to the jump rule string is queried from a rule library that includes mapping relationships between jump rule strings and jump addresses.
    Type: Grant
    Filed: June 28, 2021
    Date of Patent: March 1, 2022
    Assignee: Alipay (Hangzhou) Information Technology Co., Ltd.
    Inventor: Shengqun Zou
  • Patent number: 11258828
    Abstract: Systems and methods for monitoring and correcting security measures taken for a computer system are disclosed. Exemplary implementations may: determine a set of risk parameters of the computing system; collect sets of values of the security parameters at various times and determine the efficacy adjustments based on a comparison of the sets of values and an elapsed time between collection of the sets of values.
    Type: Grant
    Filed: September 17, 2019
    Date of Patent: February 22, 2022
    Assignee: Risklens, Inc.
    Inventor: Jack Jones
  • Patent number: 11258812
    Abstract: A method of identifying malicious activity in a sequence of computer instructions includes monitoring data flows from a public network to one or more networked devices on a private network and to one or more honeypots that appear to the public network to be devices on the private network, representing each such data flow as a word, and the sequence of data flows as comprising an n-gram of two or more words. The data flows are characterized with a likelihood of being malicious based on their statistical association with the one or more honeypots relative to their statistical association with one or more networked devices. Identified malicious activity is used to train a network device to identify malicious data flows and prevent them from reaching devices on the private network.
    Type: Grant
    Filed: June 24, 2019
    Date of Patent: February 22, 2022
    Assignee: Avast Software s.r.o.
    Inventor: Rajarshi Gupta
  • Patent number: 11256808
    Abstract: Techniques for detecting malware via scanning for dynamically generated function pointers in memory are disclosed. In some embodiments, a system/process/computer program product for detecting malware via scanning for dynamically generated function pointers in memory includes monitoring changes in memory during execution of a malware sample in a computing environment; detecting a dynamically generated function pointer in memory based on an analysis of the monitored changes in memory during execution of the malware sample in the computing environment; and generating a signature based on detection of the dynamically generated function pointer in memory, wherein the malware sample was determined to be malicious.
    Type: Grant
    Filed: February 28, 2020
    Date of Patent: February 22, 2022
    Assignee: Palo Alto Networks, Inc.
    Inventor: Robert Jung
  • Patent number: 11250145
    Abstract: Examples of a data transmission method and apparatus in TEE systems are described. One example of the method includes: obtaining first data; obtaining a write offset address by reading a first address; obtaining a read offset address by reading a second address; determining whether the number of bytes in the first data is less than or equal to the number of writable bytes, where the number of writable bytes is determined based on the write offset address and the read offset address, and each address corresponds to one byte; when the number of bytes in the first data is less than or equal to the number of writable bytes, writing the first data into third addresses starting from the write offset address; and updating the write offset address in the first address.
    Type: Grant
    Filed: May 10, 2021
    Date of Patent: February 15, 2022
    Assignee: Advanced New Technologies Co., Ltd.
    Inventors: Qi Liu, Boran Zhao, Ying Yan, Changzheng Wei
  • Patent number: 11245599
    Abstract: A network monitoring device may receive flow-tap information that identifies a traffic flow characteristic and a signed URL associated with a signed URL platform from a mediation device. The network device may map the traffic flow characteristic to the signed URL in an entry of a flow-tap filter that is maintained within a data structure of the network device. The network device may analyze, using the flow-tap filter, network traffic of the network to detect a traffic flow that is associated with the traffic flow characteristic. The network device may generate, based on detecting the traffic flow in the network traffic, a traffic flow copy that is associated with the traffic flow. The network device may provide, based on the signed URL, the traffic flow copy to the signed URL platform, wherein the traffic flow copy is to be accessible to an authorized user device via the signed URL.
    Type: Grant
    Filed: June 26, 2020
    Date of Patent: February 8, 2022
    Assignee: Juniper Networks, Inc.
    Inventor: Sheeja J S
  • Patent number: 11244051
Abstract: A computer-implemented method for protecting data stored in at least one file from being overwritten by malicious code comprises: monitoring at least one file stored in a storage device location to detect a request to perform an overwrite operation on at least a portion of data of the at least one file; redirecting the overwrite operation to a memory location designated as safe for being overwritten; analyzing the overwrite operation at the memory location to identify an association with malicious code; and outputting an indication of an attempt to overwrite the at least one file by malicious code.
    Type: Grant
    Filed: December 11, 2017
    Date of Patent: February 8, 2022
    Assignee: Fortinet, Inc.
    Inventors: Udi Yavo, Tomer Bitton, Ido Kelson, Gregory Messerman
  • Patent number: 11240260
    Abstract: A method and system for monitoring computer network intrusions, the system comprising at least one security device including a processor and memory. The at least one security device is communicatively coupled to a private network and configured to generate heartbeat pulses comprising operational snapshots of the at least one security device. The system further comprises one or more host systems configured to communicate with the at least one security device from an external network, transmit configuration parameters to the at least one security device, the configuration parameters including instructions for the at least one security device to operate as a given type of network asset, monitor the heartbeat pulse of the at least one security device, determine a change in integrity in the at least one security device based on the monitoring, and send one or more notification messages to a network administrator based on the determination.
    Type: Grant
    Filed: February 4, 2020
    Date of Patent: February 1, 2022
    Assignee: Connecticut Information Security LLC
    Inventor: Sean Murray Mehner
  • Patent number: 11240275
    Abstract: A network device for collecting and distributing cybersecurity intelligence, which features analytics logic and a plurality of plug-ins. The analytics logic is configured to (i) receive a request message to conduct a cybersecurity analysis and (ii) select one of a first set or second set of plug-ins to conduct the cybersecurity analysis. Responsive to selecting a first plug-in of the first set of plug-ins by the analytics logic, the system conducts and completes the cybersecurity analysis while a communication session between the first plug-in and a network device initiating the request message remains open. Responsive to selecting a second plug-in by the analytics logic, the system conducts and completes the cybersecurity analysis while allowing the cybersecurity intelligence to be provided in response to the request message during a different and subsequent communication session than the communication session during which the request message is received.
    Type: Grant
    Filed: December 17, 2018
    Date of Patent: February 1, 2022
    Assignee: FireEye Security Holdings US LLC
    Inventors: Sai Vashisht, Alexander Otvagin
  • Patent number: 11232198
    Abstract: Disclosed embodiments relate to systems and methods for generating visual representations of scripts based on centralized security assessments. Techniques include identifying, at a centralized script execution resource in a network environment, a first script; performing a multidimensional analysis for a particular action of the first script based on at least: a service identity of the particular action, an action type of the particular action, and a target resource associated with the particular action; and providing a visual representation of a context of the particular action based on the multidimensional analysis, the visual representation expressing the service identity, the action type, and the target resource.
    Type: Grant
    Filed: January 28, 2020
    Date of Patent: January 25, 2022
    Assignee: CyberArk Software Ltd.
    Inventor: Asaf Hecht
  • Patent number: 11232204
    Abstract: Disclosed herein are system, method, and computer program product embodiments for performing threat detection on a monitored system. The monitored system may periodically send artifacts (e.g., database records, binaries, program code, business data) to a repository for storage and creation of a snapshot. This repository is typically held in a cloud-based system. The cloud-based system can compare a snapshot of the artifacts against prior snapshots, and generate a change log. This change log can then be provided to a threat detection system for analysis. By this approach, an intrusion can potentially be detected even when system logs cannot be trusted, due to tampering or other inaccuracies.
    Type: Grant
    Filed: November 20, 2018
    Date of Patent: January 25, 2022
    Assignee: SAP SE
    Inventors: Robert Lorch, Frederik Thormaehlen
  • Patent number: 11232206
    Abstract: A system and method for providing automated service-based malware remediation. When a computing device is attacked by malware such as ransomware, multiple manual steps are usually needed to fully remediate the device. Users are typically required to follow several steps to remove the ransomware, and potentially must engage in the challenging task of reimaging the impacted device as well as choosing a restore point for point-in-time recovery. The disclosed systems provide a mechanism by which a cloud-based service manages a fully automated remediation and file recovery process for the user.
    Type: Grant
    Filed: April 23, 2019
    Date of Patent: January 25, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Filip Chelarescu, Steven J. Bailey, John David Rodrigues
  • Patent number: 11233703
    Abstract: Techniques for enriching encrypted traffic analytics are presented. In one embodiment, a method includes obtaining telemetry data for one or more domains within a network. The telemetry data includes both encrypted traffic analytics information and traffic flow information associated with the network traffic. For each domain of the one or more domains, the method also includes generating a model comprising a mapping from a plurality of traffic flow information features to at least one encrypted traffic analytics feature. The method includes generating a database comprising generated models for each of the domains and obtaining telemetry data for a target domain that includes traffic flow information, but does not include encrypted traffic analytics information. At least one encrypted traffic analytics feature of the target domain is determined based on a plurality of traffic flow information features of the target domain using the database.
    Type: Grant
    Filed: November 20, 2018
    Date of Patent: January 25, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Martin Vejman, Lukas Machlica
  • Patent number: 11228610
    Abstract: A method and system for classification of cyber-threats is provided. The method includes receiving a request for classifying a cyber-threat detected by a cyber-security system, wherein the request includes initial information about the detected cyber-threat; enriching the initial information about the detected cyber-threat to provide textual information about at least one perceived threat related to the detected cyber-threat; and classifying each of the at least one perceived threat into a security service, wherein the classification is performed based on the respective textual information.
    Type: Grant
    Filed: August 14, 2018
    Date of Patent: January 18, 2022
    Assignee: Cybereason Inc.
    Inventors: Shlomi Medalion, Rami Cohen, Ron Katz, Idan Bellayev, Avi Chesla
  • Patent number: 11227051
    Abstract: A method for detecting a computer virus applied in a computing device includes obtaining a list of clean files, each with a file storage path, and calculating a hash value of the file name corresponding to each storage path. An original status list according to the hash value and the storage path is generated, and the original status list is written into a blockchain network. After the computing device becomes connected to a network, and is therefore exposed to viruses, a second list of the files can be obtained and the hash value of the file name is compared to the hash value in the original status list. Differences in hash values are deemed the result of a virus and the user is warned. A computing device and storage medium are also disclosed.
    Type: Grant
    Filed: October 30, 2019
    Date of Patent: January 18, 2022
    Assignee: HON HAI PRECISION INDUSTRY CO., LTD.
    Inventor: Liang-Te Chiu
  • Patent number: 11227052
    Abstract: A method of protecting a computer from malicious software includes receiving a computer file, and scanning, via anti-malware, the computer file for known malicious software. The method includes, when the anti-malware fails to detect known malicious software in the computer file, performing a dynamic operating-system-level containerization to access content of the computer file, including creating and launching an isolated container on the computer. The method includes accessing the content of the computer file in the isolated container on the computer, and monitoring execution of computer-readable program code in the isolated container as the content of the computer file is accessed. And the method includes performing a remedial action when, as the execution of computer-readable program code in the isolated container is monitored, a pattern in the execution is detected that indicates the computer file contains malicious software that is otherwise unknown.
    Type: Grant
    Filed: May 21, 2019
    Date of Patent: January 18, 2022
    Assignee: THE BOEING COMPANY
    Inventor: Rahul C. Thakkar
  • Patent number: 11223638
    Abstract: Methods and systems for classifying network users. The system may receive a classification of a user account on a network and network activity data associated with the user account. Upon detecting a discrepancy between the expected behavior of the user account based on its classification and the present behavior of the user account, the system may obtain a corroborating result from one or more directory sources. An alert may then be issued based on the detected discrepancy and the corroborating result.
    Type: Grant
    Filed: December 27, 2018
    Date of Patent: January 11, 2022
    Assignee: Rapid7, Inc.
    Inventor: Roy Hodgman
  • Patent number: 11222114
    Abstract: A method, computer program product and computer system are provided. A processor retrieves a target file for inspection of malware. A processor converts the target file to a time domain format. A processor determines one or more time-frequency domain features of the converted target file. A processor generates a malicious classification for the target file based on the one or more time-frequency domain features of the converted target file and one or more classification models.
    Type: Grant
    Filed: August 1, 2018
    Date of Patent: January 11, 2022
    Assignee: International Business Machines Corporation
    Inventors: Bar Haim, Eitan Menahem
  • Patent number: 11216557
    Abstract: A system and a method to detect malicious software written to an Ethernet solid-state drive (eSSD). The system includes an Ethernet switch, at least one SSD, and a baseboard management controller (BMC). The Ethernet switch receives write data from a communication network in response to a write command. The at least one SSD receives the write data from the Ethernet switch and stores the received write data. The BMC receives from the at least one SSD the received write data. The BMC determines whether the received write data contains malicious software. The received write data may be contained in a plurality of Ethernet packets in which case the BMC stores the received write data in a scan buffer in an order that is based on an assembled order of the received write data.
    Type: Grant
    Filed: February 25, 2020
    Date of Patent: January 4, 2022
    Inventors: Sompong Paul Olarig, Ramdas P. Kachare, Son T. Pham
  • Patent number: 11216554
    Abstract: A determining apparatus performs emulation of an attack code included in an attack request that is addressed to a web application (web server), based on the attack type of the attack code, and extracts a feature that appears in a response issued by the web application when the emulation results in a successful attack. The determining apparatus determines that the attack has succeeded if the feature is included in a response from the web application, and determines that the attack has failed if the feature is not included.
    Type: Grant
    Filed: July 11, 2018
    Date of Patent: January 4, 2022
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventor: Yo Kanemoto
  • Patent number: 11212373
    Abstract: Methods and apparatus for efficient data transfer within a user space network stack. Unlike prior art monolithic networking stacks, the exemplary networking stack architecture described hereinafter includes various components that span multiple domains (both in-kernel, and non-kernel). For example, unlike traditional “socket” based communication, disclosed embodiments can transfer data directly between the kernel and user space domains. Direct transfer reduces the per-byte and per-packet costs relative to socket based communication. A user space networking stack is disclosed that enables extensible, cross-platform-capable, user space control of the networking protocol stack functionality. The user space networking stack facilitates tighter integration between the protocol layers (including TLS) and the application or daemon. Exemplary systems can support multiple networking protocol stack instances (including an in-kernel traditional network stack).
    Type: Grant
    Filed: December 28, 2018
    Date of Patent: December 28, 2021
    Assignee: Apple Inc.
    Inventors: Cahya Adiansyah Masputra, Wei Shen, Sandeep Nair, Olivier Mardinian, Darrin Jewell
  • Patent number: 11212301
    Abstract: The present teaching generally relates to detecting abnormal user activity associated with an entity. In a non-limiting embodiment, baseline distribution data representing a baseline distribution characterizing normal user activities for an entity may be obtained. Information related to online user activities with respect to the entity may be received, and distribution data representing a dynamic distribution may be determined based, at least in part, on the information. One or more measures characterizing a difference between the baseline distribution and the dynamic distribution may be computed, and in real-time it may be assessed whether the information indicates abnormal user activity. If the first information indicates abnormal user activity, then output data including the distribution data and the one or more measures may be generated.
    Type: Grant
    Filed: August 13, 2019
    Date of Patent: December 28, 2021
    Assignee: VERIZON MEDIA INC.
    Inventors: Liang Wang, Angus Qiu, Chun Han, Liang Peng