Abstract: Disclosed herein are systems and methods for monitoring delivery of messages passed between processes from different operating systems. In one aspect, an exemplary method comprises, creating a proxy process in a first Operating System (OS) for a second process, wherein the second process is from a second OS, the first and second OS being installed in respective computing environments, assigning at least one security policy to the created proxy process for monitoring delivery of messages associated with the created proxy process, where the messages are transmitted through a programming interface of the created proxy process corresponding to a programming interface of the second process, generating a security monitor for the first OS based on the created proxy process and security policies of the first OS, and monitoring the delivery of messages between at least a first process in the first OS and the second process based on the security policies.

Abstract: Disclosed herein are systems and methods for granting a user data processor access to a cryptocontainer of user data. In one aspect, an exemplary method comprises, creating a cryptocontainer for user's data, wherein the cryptocontainer receives at least one element of the user's data and encrypts the element; for the user data processor, establishing rights for accessing the element using a first key, and forming at least one access structure, the forming including, placing the first key in the access structure based on the established rights, receiving, from the user data processor, a second key linked to the user data processor which is to be used for accessing the first key, and encrypting the first key with the second key; and when a request for access to the cryptocontainer is received, granting, to the user data processor, access to the cryptocontainer based on the formed at least one access structure.

Abstract: A method for transferring data from a first network to a second network using a gateway includes setting, by a security monitor, a state of the gateway to a first state indicating to a destination agent that access is granted to trusted memory and denied to the second network and untrusted memory. The destination agent is configured, while the gateway is in the first state, based on parameters stored in the trusted memory, to transfer data received from a source agent to the second network. The state of the gateway is changed to a second state indicating to the destination agent that access is denied to the trusted memory and granted to the second network and the untrusted memory. Transfer of the data from the source agent of the first network to the destination agent of the second network is controlled, while the gateway is in the second state.

Abstract: A method for building a security monitor includes identifying one or more objects of a microkernel Operating System (OS) participating in transmission of an Inter Process Communication (IPC) message. The one or more OS objects include one or more processes and/or one or more applications executed by the microkernel OS. One or more security policies associated with the identified microkernel OS objects are selected from a security policy database. A policy verification module is configured based on the selected security policies to generate a decision related to controlling the transmission of the IPC message. A security monitor is generated using the configured policy verification module to control the transmission of the message based on the decision generated by the policy verification module.

Abstract: A method for generating a signature of a spam message includes determining one or more classification attributes and one or more clustering attributes contained in successively intercepted first and second electronic messages. The first electronic message is classified using a trained classification model for classifying electronic messages based on the one or more classification attributes. The first electronic message is classified as spam if a degree of similarity of the first electronic message to one or more spam messages is greater than a predetermined value. A determination is made whether the first electronic message and the second electronic message belong to a single cluster based on the determined one or more clustering attributes. A signature of a spam message is generated based on the the identified single cluster of electronic messages.

Abstract: A method creating a heuristic rule to identify Business Email Compromise (BEC) attacks includes filtering text of received email messages, using a first classifier, to extract one or more terms indicative of a BEC attack from the text of the received email messages, wherein the first classifier includes a trained recurrent neural network that includes a language model, generating, using the first classifier, one or more n-grams based on the extracted terms, wherein each of the n-grams characterizes a particular extracted term, generating, using a second classifier, a vector representation of the extracted terms based on the generated n-grams, assigning a weight coefficient to each of the extracted terms, wherein a higher weight coefficient indicates higher relevancy to BEC attack of the corresponding extracted term, and generating a heuristic rule associated with the BEC attack by combining the weight coefficients of a combination of the extracted terms.

Abstract: Systems and methods for verifying the integrity of a software installation image before installing the software. Security of the software installation process is ensured by providing access to the software image from a security monitor using security policies. An installation system for protecting the installation of a software image includes instructions that, when executing on computing hardware, cause the computing hardware to implement: a verifier engine to verify the integrity of the software image, a security monitor engine to set an initial access state for the software image granting access to the verifier engine and to update the access state for the software image in accordance with at least one security policy, and an installer engine to install software contained in the software image according to the access state.

Abstract: Disclosed herein are systems and methods of a cloud server for providing content to a user. In one aspect, an exemplary method comprises receiving data, from a user device, the data comprising at least one of: hash and type of intercepted search requests and site names, incrementing a value of a popularity counter of the received data, when the value of the popularity counter of the received data exceeds a predetermined threshold, sending an inquiry for the intercepted search requests and site names in plain form, and when the intercepted search requests and site names are received in plain form, performing categorization of the intercepted search requests and site names, and transmitting, to the user device, content associated with the intercepted search requests and rules for establishing a category of the content.

Abstract: Disclosed herein are systems and methods for identifying a cryptor that encodes files of a computer system. An exemplary method comprises, identifying one or more files into which a data entry is performed by a suspect process; for each identified file, determining characteristics of the identified file, identifying classes of file modifications using a trained machine learning model and respective characteristics of the identified file, identifying a suspect process as being associated with the cryptor based on the identified classes of file modification of the file, and protecting the computer system from the cryptor.

Abstract: Disclosed herein are systems and methods for selection of a model to describe a user. In one aspect, an exemplary method comprises, creating data on preferences of the user based on previously gathered data on usage of a computing device by the user and a base model that describes the user, wherein the base model is previously selected from a database of models including a plurality of models, determining an accuracy of the data created on the preferences of the user, wherein the determination is based on observed behaviors of the user, when the accuracy of the data is determined as being less than a predetermined threshold value, selecting a correcting model related to the base model, and retraining the base model, and when the accuracy of the data is determined as being greater than or equal to the predetermined threshold value, selecting the base model to describe the user.

Abstract: Systems and methods for detecting malicious activity in a computer system. One or more graphs can be generated based on information objects about the computer system and relationships between the information objects, where the information objects are vertices in the graphs and the relationships are edges in the graphs. Comparison of generated graphs to existing graphs can determine a likelihood of malicious activity.

Abstract: A method for restricting reception of e-mail messages from a sender of bulk spam mail includes identifying an unknown sender of received e-mail messages. A set of e-mail messages received from the identified sender is selected. A type of bulk spam mailing is determined based on the selected set of e-mail messages using one or more spam identification signatures. Restrictions on reception of e-mail messages from a sender distributing bulk spam of the determined type are generated.

Abstract: A method for protecting subscriber data includes intercepting network traffic associated with a call. The network traffic includes call parameters and call stream data. A first set of the call parameters is analyzed. A first probability value of the call being declared as unwanted is determined. The call stream data is analyzed to define a second set of call parameters. The first set of call parameters is reanalyzed based on the second set. A second probability value of the call being declared as unwanted is determined. A determination is made if the second probability value exceeds a second threshold value. The call is declared as unwanted, in response to determining that the second probability value exceeds the second threshold. The first and second sets of call parameters are transmitted to an application configured to protect data of a protected subscriber.

Abstract: Disclosed herein are systems and methods for training a model to identify a user to a predetermined degree of reliability. In one aspect, an exemplary method comprises, parameterizing gathered data on behavior of a user in a form of a first vector, deriving a second vector from the first vector by removing noise and low-priority information from the first vector, providing the second vector to a training algorithm, and generating a trained model for the user, the generated trained model being different for each user such that only the trained model generated for the user satisfies the predetermined degree of reliability.

Abstract: A method for classifying incoming events includes intercepting an incoming event received by a mobile device. The content of the intercepted event is analyzed to determine one or more attributes of the intercepted event. The intercepted event is compared to a plurality of previously collected and classified events, stored in an event repository, based on the one or more determined attributes to identify one or more similar events. A rating of each of the one or more similar events is determined. The rating characterizes probability that the corresponding event belongs to a particular class. The intercepted event is classified as undesirable on the mobile device if the rating value of the one or more similar events is less than a predetermined threshold value.

Abstract: Disclosed herein are systems and methods for detecting malicious use of a remote administration tool. In one aspect, an exemplary method comprises, gathering, from a flow of events, data that comprises any number of keyboard entry events, wherein each event is related at least to actions indicating a keyboard entry and a context in which the event occurred, comparing the gathered keyboard entry events with signatures from a database, and when a match is found with at least one signature, identifying an activity which is a characteristic that indicates that the remote administration tool is being controlled remotely.

Abstract: The present disclosure provides systems and methods for increasing the cybersecurity of a control subject of an industrial technological system. In an exemplary aspect, the method comprises installing a protected Operating System (OS) on a control subject of the industrial technological system, receiving, by the protected OS, a plurality of log files from the control subject, analyzing, by the protected OS, the plurality of log files to determine if a suspicious action has been applied to the control subject, wherein the control subject is configured to apply a controlling action to the object of control, intercepting, by the protected OS, network packets transmitted by an application launched in a guest OS to the control subject, and preventing, by the protected OS, an interaction between the application and the control subject, in response to determining that the suspicious action has been applied to the control subject.

Abstract: Disclosed herein are systems and methods for processing personal data by application of policies. In one aspect, an exemplary method comprises, by the network infrastructure component, analyzing communication protocols between an IoT device and the network infrastructure component, identifying at least one field that contains personal data, for each identified field, analyzing the identified field using personal data processing policies uploaded to the network infrastructure component, and applying the personal data policies for enforcement.

Abstract: Disclosed herein are systems and method for spam identification. A spam filter module may receive an email at a client device and may determine a signature of the email. The spam filter module may compare the determined signature with a plurality of spam signatures stored in a database. In response to determining that no match exists between the determined signature and the plurality of spam signatures, the spam filter module may placing the email in quarantine. A spam classifier module may extract header information of the email and determine a degree of similarity between known spam emails and the email. In response to determining that the degree of similarity exceeds a threshold, the spam filter module may transfer the email from the quarantine to a spam repository.

Abstract: An example of a method for detecting hacking activities includes categorizing a plurality of web pages of a web site providing bank services using a trained semantic model. The trained semantic model uses at least one resource identifier of a web page as an input and generates a web page category as an output. One or more attributes of an interaction between a user and bank services are identified. The one or more identified attributes are analyzed by comparing the one or more identified attributes with attributes known to belong to hacking interactions based on a corresponding web page category. Hacking activity is identified based on the results of the analysis.