Abstract: Example techniques described herein determine a validation dataset, determine a computational model using the validation dataset, or determine a signature or classification of a data stream such as a file. The classification can indicate whether the data stream is associated with malware. A processing unit can determine signatures of individual training data streams. The processing unit can determine, based at least in part on the signatures and a predetermined difference criterion, a training set and a validation set of the training data streams. The processing unit can determine a computational model based at least in part on the training set. The processing unit can then operate the computational model based at least in part on a trial data stream to provide a trial model output. Some examples include determining the validation set based at least in part on the training set and the predetermined criterion for difference between data streams.

Abstract: Systems and methods for analyzing network traffic are provided. An exemplary system may include a plurality of network nodes distributed in multiple geographical regions. The plurality of network nodes may be configured to collect mass scanning network traffic data. The system may also include at least one processor. The processor may be configured to receive, from a first network node, a first network scanning request from a source scanner. In response to the reception of the first network scanning request, the processor may also be configured to transmit, via a second network node, a second network scanning request to the source scanner. The processor may further be configured to determine, based on feedback from the source scanner, whether the source scanner is compromised.

Abstract: Techniques for restricting the execution of algorithms contained in applications executing on virtual machines executing within a computer system are described herein. A first sampled set of computer executable instructions is gathered from a virtual machine by a controlling domain and compared against a reference set of computer executable instructions. If the first set is similar to the reference set, and if the execution of the algorithm corresponding to the reference set is restricted by one or more computer system polices, one or more operations limiting the execution of the restricted algorithm are performed, thus ensuring conformance with the computer system policies.

Abstract: There is provided a network monitoring apparatus including a memory in which information of a remote operation and a combination of one or more command codes are associated with each other, and a processor coupled to the memory and the processor configured to acquire a command code of the one or more commands codes from a header of an encrypted execution request packet for executing the one or more commands for implementing a remote operation, determine whether or not there exists the combination included in a command code list in which acquired command codes are sequentially indicated, by referring the memory, and determine that the remote operation associated with the combination is successful when it is determined that there exists the combination included in the command code list.

Abstract: In some implementations, a method performed by data processing apparatuses includes receiving a new script document in a scripting language that has not yet been classified; identifying features of the new script document, wherein at least some of the features are script-language commands contained in the new script document; generating first feature-data for the new script document, the first feature-data comprising measures of frequency of occurrences of the features within the new script document; and assigning a classification to the new script document based on a comparison of the first feature-data with training data that comprises second feature-data for known-malicious script documents and third feature-data for known-benign script documents.

Abstract: A gateway device includes a network interface connected to data sources, and computer instructions, that when executed cause a processor to access data portions from the data sources. The processor accesses classification rules, which are configured to classify a data portion of the plurality of data portions as sensitive data in response to the data portion satisfying the rule. Each rule is associated with a significance factor representative of an accuracy of the classification rule. The processor applies each of the set of classification rules to a data portion to obtain an output of whether the data is sensitive data. The output are weighed by significance factors to produce a set of weighted outputs. The processor determines if the data portion is sensitive data by aggregating the set of weighted outputs, and presents the determination in a user interface. Security operations may also be performed on the data portion.

Abstract: In one embodiment, a traffic analysis service receives captured traffic data regarding a Transport Layer Security (TLS) connection between a client and a server. The traffic analysis service applies a first machine learning-based classifier to TLS records from the traffic data, to identify a set of the TLS records that include Hypertext Transfer Protocol (HTTP) header information. The traffic analysis service estimates one or more HTTP transaction labels for the connection by applying a second machine learning-based classifier to the identified set of TLS records that include HTTP header information. The traffic analysis service augments the captured traffic data with the one or more HTTP transaction labels. The traffic analysis service causes performance of a network security function based on the augmented traffic data.

Abstract: An apparatus and method for storing an audit trail in response to execution of a virtual-machine process. The method for storing an audit trail, performed by the apparatus for storing an audit trail in response to execution of a virtual-machine process, includes detecting execution of a process inside a virtual machine, determining whether the executed process is a monitoring target process and determining a type of the process, activating one or more monitoring events for monitoring at least one of an upload, a download and a drop by the process based on a result of the determination, and storing information about occurrence of the activated monitoring event as an audit trail.

Abstract: Aspects of the present disclosure involve systems and methods computing devices to access a public network posing as a user to the network to detect one or more malware programs available for downloading through the network. More particularly, a malware detection control system utilizes a browser executed on a computing device to access a public network, such as the Internet. Through the browser, sites or nodes of the public network are accessed by the control system with the interactions with the sites of the public network designed to mimic or approximate a human user of the browser. More particularly, the control system may apply the one or more personality profiles to the browser of the computing device to access and interact with the nodes of the public network. Further, the control system may monitor the information retrieved from the network sites to detect the presence of malware within the nodes.

Abstract: Embodiments of the present disclosure relate to a data analysis system that may automatically generate memory-efficient clustered data structures, automatically analyze those clustered data structures, and provide results of the automated analysis in an optimized way to an analyst. The automated analysis of the clustered data structures (also referred to herein as data clusters) may include an automated application of various criteria or rules so as to generate a compact, human-readable analysis of the data clusters. The human-readable analyses (also referred to herein as “summaries” or “conclusions”) of the data clusters may be organized into an interactive user interface so as to enable an analyst to quickly navigate among information associated with various data clusters and efficiently evaluate those data clusters in the context of, for example, a fraud investigation. Embodiments of the present disclosure also relate to automated scoring of the clustered data structures.

Abstract: In some embodiments, a target host may have provided the change data in response to detecting the change, and the change data may include one or more rules, settings, and/or parameters. Also, in various embodiments, the compliance server may determine whether the one or more rules, settings, and/or parameters meet one or more compliance policies and generate one or more test results based at least on the results of the determining. Further, in some embodiments, the target host may detect a change to a rule, setting, and/or parameter based on a collection policy defining what change data is to be collected by the target host and provide data associated with the rule, setting, and/or parameter as change data to the compliance server.

Abstract: Disclosed are systems and methods for machine learning of a model for detecting malicious files. The described system samples files from a database of files and trains a detection model for detecting malicious files on the basis of an analysis of the sampled files. The described system forms behavior logs based on executable commands intercepted during execution of the sampled files, and generates behavior patterns based on the behavior log. The described system determines a convolution function based on the behavior patterns, and trains a detection model for detecting malicious files by calculating parameters of the detection model using the convolution function on the behavior patterns. The trained detection model may be used to detect malicious files by utilizing the detection model on a system behavior log generated during execution of suspicious files.

Abstract: There are disclosed devices, system and methods for feeding identification data of malicious creatives existing in internet advertisements to a supply side platform (SSP) by receiving reports of unwanted actions without user action by malicious creatives of internet advertisements (ads) requested from the SSP by webpages being displayed to users. The reports include a creative identification (ID), a malicious code chain of events, and a demand side platform (DSP) ID or a seat ID. The reports are pre-processed by classifying the unwanted action attempts based on the chain of events. The pre-processed reports are parsed to extract the creative IDs, the SSP IDs and the DSP IDs; and then stored in a searchable database. The stored parsed pre-processed reports are feed to SSPs based on the SSP identifications. The feed includes the creative IDs, the SSP IDs, the DSP IDs, timestamps of the unwanted action attempt and the classifications.

Abstract: Systems, methods, computer readable media and articles of manufacture consistent with innovations herein are directed to computer virtualization, computer security and/or memory access. According to some illustrative implementations, innovations herein may utilize and/or involve a separation kernel hypervisor which may include the use of a guest operating system virtual machine protection domain, a virtualization assistance layer, and/or a detection mechanism (which may be proximate in temporal and/or spatial locality to malicious code, but isolated from it), inter alia, for detection and/or notification of, and action by a monitoring guest upon access by a monitored guest to predetermined physical memory locations.

Abstract: A system and methods for sandboxed malware analysis and automated patch development, deployment and validation, that uses a business operating system, vulnerability scoring engine, binary translation engine, sandbox simulation engine, at least one network endpoint, at least one database, a network, and a combination of machine learning and vulnerability probing techniques, to analyze software, locate any vulnerabilities or malicious behavior, and attempt to patch and prevent undesired behavior from occurring, autonomously.

Abstract: Examples relate to snapshots of system memory. In an example implementation, structural information of a process in a snapshot of system memory is compared with hashes or fuzzy hashes of executable regions of the same process in a previous snapshot of system memory to determine whether there is a structural anomaly.

Abstract: Embodiments of the present application provide a method and apparatus for removing a root-privileged virus and an electronic device. The method includes: scanning the smart device to find a root-privileged virus file; obtaining a root-privileged removing process according to the virus file; and removing the root-privileged virus file according to a preset removing strategy by using the root-privileged removing process. As a root-privileged process is directly obtained in this embodiment by using a found virus file, the smart device can obtain the root privileges more quickly, improving the speed of killing the root-privileged virus.

Abstract: Errors encountered by executing applications can be recorded in one or more logs. A search engine can be configured to retrieve error data from the one or more logs using pre-specified rules. A portion of the error data can be included in a small portable message (e.g., SMS text message) and sent to the developers or administrators of the applications. An administrative console can generate different visualizations based upon what errors the search engine retrieved.

Abstract: An electronic device will identify an electronic message received by a messaging client that is associated with a first recipient, and it will analyze the electronic message to determine whether the electronic message is a simulated malicious message. Upon determining that electronic message is a simulated malicious message, the device will identify an actuatable element in the electronic message. The actuatable element will include a service address. The device will modify the electronic message by appending a user identifier of the first recipient to the service address of the actuatable element. Then, when the actutable element is actuated, the system may determine whether the first recipient actuated the actuatable element or an alternate recipient did so based on whether the user identifier of the first recipient is still appended (or is the only user identifier appended) to the actuatable element.

Abstract: A program file classification method, a program file classification apparatus, and a program file classification system, where the system sets an agent program in a client and a sandbox server to obtain behavior information corresponding to at least two behaviors executed by a program file at runtime. Each piece of behavior information includes a behavior identifier and a path related during execution of a corresponding behavior. A classification server performs normalization process on the path in each piece of behavior information, where the normalization process reduces path diversity, generates a feature vector according to at least two pieces of behavior information obtained after the path normalization process, and determines, according to the feature vector, a category to which the program file belongs. Because normalization process is performed on the path, randomness of a path obtained after the normalization process is reduced.

Abstract: A method to transform the function of a circuit is provided. The method provides a first register-transfer level (RTL) document and a second RTL document, provides a first gate level (GTL) netlist and a second GTL netlist, compares the two RTL documents to identify the instances to be modified, locates the instances to be modified in the first GTL netlist, and transforms the function of the circuit by patching the circuit such that the patched first GTL netlist is equivalent to the second GTL netlist. The method improves performance and efficiency of the transformation by reducing the number of instances to be input into the engineering change order (ECO) engine, and also minimizes change in circuit design.

Abstract: A method, including identifying over a set of classified applications a set of discriminating features, determining via code analysis, when a first application is subjected to classification, positions of the first application's code that correspond to discriminating features, and forwarding to a classification algorithm, such that according to its output the code fragments corresponding to the discriminating features are reported beyond a determination itself of the discriminating features.

Abstract: An electronic message is analyzed for malware contained in the message. Text of an electronic message may be analyzed to detect and process malware content in the electronic message itself. The present technology may analyze an electronic message and attachments to electronic messages to detect a uniform resource location (URL), identify whether the URL is suspicious, and analyze all suspicious URLs to determine if they are malware. The analysis may include re-playing the suspicious URL in a virtual environment which simulates the intended computing device to receive the electronic message. If the re-played URL is determined to be malicious, the malicious URL is added to a black list which is updated throughout the computer system.

Abstract: A bot characteristic detection method and apparatus, where the apparatus obtains a first dynamic behavior file and a second dynamic behavior file, where the first dynamic behavior file is a behavior file resulting from dynamic behavior detection performed on a malicious file in a first sandbox, and the second dynamic behavior file is a behavior file resulting from dynamic behavior detection performed on the malicious file in a second sandbox. The apparatus determines a bot characteristic of the malicious file based on a common characteristic of the first dynamic behavior file and the second dynamic behavior file.

Abstract: The present invention involves with a cloud tenant oriented method and system for protecting privacy data. The method comprises at least the following steps: analyzing event handler information and/or behavioral signature information of request information and determining an execution mode, selecting at least one node without a behavioral signature plot to execute the tenant request and recording an execution result, generating a behavioral signature plot based on the execution result, and dynamically detecting security-sensitive behavior based on the behavioral signature plot. The present invention ensures data security during processing of security-sensitive data for cloud services by adopting a technology based on behavioral signatures, and prevents attackers from exploiting vulnerabilities and bypassing security control to conduct malicious operations.

Abstract: A system, method, and computer program product are provided for identifying a file utilized to automatically launch content as unwanted. In one embodiment, a file is identified in response to a detection of unwanted code, the file utilized to automatically launch content. Additionally, it is determined whether an identifier associated with the unwanted code is included in the file. Further, the file is identified as unwanted based on the determination.

Abstract: A system and method for determining malware threats based on behavior of a host/IP address uses netflow data, white lists, black lists and machine learning classification with a model. A white list generation method may be used and a machine learning model validation method.

Abstract: Techniques are provided herein for classifying domains based on DNS traffic so that domains that are malicious or associated with malicious activity can be identified. Traffic between one or more domain name system (DNS) resolvers and one or more authoritative name servers hosted on the Internet is analyzed analyzing at a server having network connectivity. A mismatch between a hostname and Internet Protocol (IP) information for the hostname is detected in the traffic and domains included in the traffic are classified based on the detecting.

Abstract: In one embodiment, a service receives traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network. The service analyzes the traffic telemetry data to infer characteristics of an application on the endpoint device that generated the encrypted traffic. The service receives, from a monitoring agent on the endpoint device, application telemetry data regarding the application. The service determines that the application is evasive malware based on the characteristics of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device. The service initiates performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware.

Abstract: User interfaces are generated by operations that include receive and store formatted static data and dynamic data. A first query is received, and first response data is selected. A user interface is generated containing the first response data and the user interface is displayed. An indication of user selection is received. A second query is generated and second response data is selected. The user interface is updated to a second user interface, which is displayed.

Abstract: A behavior inference model building apparatus and a behavior inference model building method thereof are provided. The behavior inference model building apparatus converts a plurality of program operation sequences of a plurality of program operation sequence data into a plurality of word vectors through a word embedding model, and inputs the first M word vectors of the word vectors, corresponding to each program operation sequence data, into a generative adversarial network (GAN) model to train and optimize the GAN model. The behavior inference model building apparatus integrates the word embedding model and the generator of the optimized GAN model to build a behavior inference model.

Abstract: A technique for detecting malware looks at startup hooks that may be created by malware to assist in ensuring that the malware is started upon a reboot of a programmable device. After enumerating startup hooks in the system, startup hooks associated with untrusted executables are deleted. If the startup hook is restored, that is an indication that the untrusted executable may be malware. An indication may then be passed to an anti-malware software to analyze the executable further.

Abstract: In one embodiment, a computing device provides a feature vector as input to a random decision forest comprising a plurality of decision trees trained using a training dataset, each decision tree being configured to output a classification label prediction for the input feature vector. For each of the decision trees, the computing device determines a conditional probability of the decision tree based on a true classification label and the classification label prediction from the decision tree for the input feature vector. The computing device generates weightings for the classification label predictions from the decision trees based on the determined conditional probabilities. The computing device applies a final classification label to the feature vector based on the weightings for the classification label predictions from the decision trees.

Abstract: Example techniques herein determine that a trial data stream is associated with malware (“dirty”) using a local computational model (CM). The data stream can be represented by a feature vector. A control unit can receive a first, dirty feature vector (e.g., a false miss) and determine the local CM based on the first feature vector. The control unit can receive a trial feature vector representing the trial data stream. The control unit can determine that the trial data stream is dirty if a broad CM or the local CM determines that the trial feature vector is dirty. In some examples, the local CM can define a dirty region in a feature space. The control unit can determine the local CM based on the first feature vector and other clean or dirty feature vectors, e.g., a clean feature vector nearest to the first feature vector.

Abstract: A unified backup workflow process for different hypervisor configurations of virtual machines on different storage of a cluster leverages RCT-based backup functionality so that backup operations can be performed by a single host of the cluster. The process enables backing up together virtual machines that are local, as well as part of CSV or SMB storage using virtual machine level snapshots as checkpoints rather than volume level snapshots that were traditionally used. Backup data is sent to a backup server as a data stream rather than a file, which avoids the necessity of maintaining chains or structures that identify parent-child disks on the server.

Abstract: Systems, methods, and software can be used to generating security manifests for software components using binary static analysis. In some aspects, one computer-implemented method includes performing a binary static analysis of a binary software component to determine one or more security characteristics of the binary software component; generating a security manifest for the binary software component including the determined one or more security characteristics of the binary software component; and providing the security manifest to a software management system configured to determine whether to deploy the binary software component based on the security manifest.

Abstract: This document discloses a system and method for consolidating threat intelligence data for a computer and its related networks. Massive volumes of raw threat intelligence data are collected from a plurality of sources and are partitioned into a common format for cluster analysis whereby the clustering of the data is done using unsupervised machine learning algorithms. The resulting organized threat intelligence data subsequently undergoes a weighted asset based threat severity level correlation process. All the intermediary network vulnerabilities of a particular computer network are utilized as the critical consolidation parameters of this process. The final processed intelligence data gathered through this high speed automated process is then formatted into predefined formats prior to transmission to third parties.

Abstract: Disclosed are systems and methods for detection of malicious intermediate language files. In one exemplary aspect, the system comprises a database comprising hashes of known malicious files, a resource allocation module configured to select a set of resources from a file being analyzed, a hash calculation module, coupled to the resource allocation module, configured to calculate a perceptive hash of the set of resources; and an analysis module, coupled to the other modules, configured to identify a degree of similarly between the set of resources and a set of resources from known malicious files by comparing the perceptive hash with perceptive hashes of the set of resources from known malicious files, determine a harmfulness of the file being analyzed based on the degree of similarity and remove or quarantine the file being analyzed when the harmfulness exceeds a predetermined threshold.

Abstract: Described systems and methods allow protecting a computer system from malicious software. In some embodiments, a security application organizes a set of monitored executable entities (e.g., processes) into a plurality of groups, wherein members of a group are related by filiation and/or code injection. The security application may further associate a malice-indicative entity score with each monitored entity, and a malice-indicative group score with each entity group. Group scores may be incremented when a member of the respective group performs certain actions. Thus, even though actions performed by individual members may not be malware-indicative per se, the respective group score may capture collective malicious behavior and trigger malware detection.

Abstract: An example embodiment may include a security enforcement point device disposed within a managed network and a security decision point device disposed within a computational instance of a remote network management platform. The security decision point device may be configured to: receive a message by way of the managed network; parse the message to identify observable indicators of one or more of the security threats, where the observable indicators include at least one of a network addresses, a hyperlink, or a representation of an attached file; remotely query a security threat database for the observable indicators; receive, from the security threat database, an indication that the observable indicators are associated with a particular security threat, and transmit, to the security enforcement point device, a command to update its associated security policy such that the particular security threat is mitigated.

Abstract: The disclosed computer-implemented method for efficiently classifying data objects may include (1) receiving a data object to be classified according to a group of rules, where each rule includes one or more clauses, (2) creating, for each rule, a rule evaluation job that directs a rule evaluation processor to evaluate the data object according to the clauses within the rule, where the rule evaluation processor evaluates the clauses in increasing order of estimated processing time, (3) submitting the rule evaluation jobs created for the rules to rule evaluation queues for processing by the rule evaluation processor, where the rule evaluation jobs are submitted in decreasing order of estimated processing time, (4) receiving an evaluation result for each rule evaluation job, and (5) in response to receiving the evaluation results, classifying the data object according to the evaluation results. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Examples relate to identifying algorithmically generated domains. In one example, a computing device may: receive a query domain name; split the query domain name into an ordered plurality of portions of the query domain name, the ordered plurality of portions beginning with a first portion and ending with a last portion, the last portion including a top level domain of the query domain name; provide, in reverse order beginning with the last portion, the portions of the query domain name as input to a predictive model that has been trained to determine whether the query domain name is an algorithmically generated domain name, the determination being based on syntactic features of the query domain name; and receive, as output from the predictive model, data indicating whether the query domain name is algorithmically generated.

Abstract: A method includes, in response to receiving an email message, detecting one or more artifacts within an email message, wherein each of the artifacts is associated with a payload; for each artifact, generating, a descriptor object representing the artifact that does not include the payload, so that the processor is prevented from accessing the payload via the descriptor object; and at least one payload button based on the payload associated with the artifact for causing the payload to be transmitted to an external system for analysis of the payload; and presenting an artifact dashboard in a graphical user interface (GUI) rendered on a display of the email security system, the artifact dashboard displaying, for each artifact, the descriptor object representing the artifact and the at least one payload button based on the payload associated with the artifact.

Abstract: A method for evaluating a scope of cyber-attack incidents, the method may include detecting original compromised assets and malicious external machines that are related to each of the cyber-attack incidents; classifying potentially compromised assets to different classes based on (a) similarities between the potentially compromised assets and the original compromised assets, (b) a level of accessibility from the original compromised assets and malicious external machines to the potentially compromised assets, and (c) volumes of traffic between the potentially compromised assets and each one of the malicious external machines and the original compromised assets; wherein the different classes comprise compromised and non-compromised; and generating an alert that is indicative of the compromised assets and of potentially compromised assets that were classified as compromised.

Abstract: Examples determine a number of hosts, within an enterprise, which are resolving a particular domain. Based on the number of hosts within the enterprise resolving the particular domain, the examples identify whether the particular domain is benign.

Abstract: To analyze cybersecurity threats, an analysis module of a processor may receive log data from at least one network node. The analysis module may identify at least one statistical outlier within the log data. The analysis module may determine that the at least one statistical outlier represents a cybersecurity threat by applying at least one machine learning algorithm to the at least one statistical outlier.

Abstract: Exemplary embodiments described herein relate to a destination path for use with multiple different types of VMs, and techniques for using the destination path to convert, copy, or move data objects stored in one type of VM to another type of VM. The destination path represents a standardized (canonical) way to refer to VM objects from a proprietary VM. A destination location may be specified using the canonical destination path, and the location may be converted into a hypervisor-specific destination location. A source data object may be copied or moved to the destination location using a hypervisor-agnostic path.

Abstract: An interface, through which functionality of a cloud computing infrastructure can be accessed, can create defined endpoints through which such an interface is accessed, with such defined endpoints limiting the functionality accessible through the interface to only allowed functions. An elevate function can, through a secure key exchange protocol, receive appropriate assurances and can, in response, remove the functionality limitations of the endpoint, thereby enabling unfettered access to the cloud computing infrastructure. Such unrestricted access can be limited in duration, which duration can be established in advance, or agreed-upon through the key exchange mechanism.

Abstract: The subject matter described herein provides protection against zero-day attacks by detecting, via a hypervisor maintaining an extended page table, an attempt to execute arbitrary code associated with malware in a guest operation system (OS) running within a virtual machine (VM). Further, the subject matter provides detection of lateral movement of the malware. The hypervisor uses hidden breakpoints to detect a request for thread creation, and then determines whether the request is to download and execute arbitrary code.

Abstract: A threat level is evaluated for an ongoing attack detected for a set of resources based on received notifications having low weight in the evaluation of the threat level. If the threat level is smaller than an entrapment threshold, sensors associated with resources of an information system infrastructure that are potential subsequent targets of the ongoing attack are activated, the weight of the notifications sent from the activated sensors are set as average weight in the evaluation of the threat level, and the threat level is further evaluated for the ongoing attack. If the threat level is greater than the entrapment threshold, traps are deployed in the information system infrastructure, the weight of the notifications sent from the deployed traps are set as high weight in the evaluation of the threat level, and the threat level is further evaluated for the ongoing attack.