Patents Assigned to AO Kaspersky Lab
  • Patent number: 11611572
    Abstract: A method for processing information security events of a computer system includes receiving information related to a plurality of information security events that occurred in the computer system. Each of the events includes an event related to a possible violation of information security of the computer system. A verdict is determined for each of the events. The verdict includes: i) information security incident or ii) false positive. The verdict is false positive if the probability of a false positive for the corresponding event is greater than a first threshold. Verdicts are changed for a subset of the events from the false positive to the information security incident. A number of events in the subset is lower than a second threshold. An analysis of the events having a verdict of the information security incident is performed to determine if the computer system is under a cyberattack.
    Type: Grant
    Filed: November 13, 2020
    Date of Patent: March 21, 2023
    Assignee: AO Kaspersky Lab
    Inventors: Pavel V. Filonov, Sergey V. Soldatov, Daniil A. Udimov
  • Patent number: 11609993
    Abstract: A method for emulating execution of a file includes emulating execution of the instructions of a file on a virtual processor of an emulator. The execution of the instructions is halted in response to an invocation of an API function. A determination is made whether the invoked API function is present in the updatable modules of the emulator. The updatable modules contain implementation of API functions. In response to determining that the invoked API function is present in the updatable modules, execution of the invoked API function is emulated according to corresponding implementation contained in the updatable modules. Otherwise, result of execution of the invoked API function is generated by executing a corresponding virtual API function on a processor of a computing device.
    Type: Grant
    Filed: November 6, 2020
    Date of Patent: March 21, 2023
    Assignee: AO Kaspersky Lab
    Inventors: Vladislav V. Pintiysky, Denis V. Anikin, Dmitry A. Kirsanov, Sergey V. Trofimenko
  • Patent number: 11599443
    Abstract: Disclosed herein are systems and methods for assessing an impact of malicious software causing a denial of service of components of industrial automation and control systems (IACS). In one aspect, an exemplary method comprises: generating a configuration of the IACS on a testing device based on specifications, obtaining a set of investigated software, where the set includes at least one sample of one malicious software, testing the generated configuration using the received set of investigated software, identifying occurrences of denials of service of the components of the testing device which are used to simulate the generated configuration, determining an impact of the malicious software on the generated configuration, and a degree of degradation of a performance of the generated configuration of IACS, and pronouncing a verdict as to a danger of the malicious software for the generated configuration of IACS based on the determined impact of the malicious software.
    Type: Grant
    Filed: July 1, 2022
    Date of Patent: March 7, 2023
    Assignee: AO Kaspersky Lab
    Inventor: Kirill N. Kruglov
  • Patent number: 11599630
    Abstract: Disclosed herein are methods and systems for detecting malicious files. An exemplary method comprises: selecting a file from a database of files used to perform training of a model for detecting a malicious file, forming one or more behavior patterns from intercepted one or more commands and parameters during execution of the file, forming a detection model, wherein the detection model selects a method of machine learning and is initialized with one or more hyper-parameters, training the detection model by calculating the one or more hyper-parameters based on the one or more behavior patterns to form a group of rules for calculating a degree of maliciousness of a resource and calculating a degree of maliciousness of another file based on the trained detection model.
    Type: Grant
    Filed: May 17, 2019
    Date of Patent: March 7, 2023
    Assignee: AO Kaspersky Lab
    Inventors: Alexander S. Chistyakov, Alexey M. Romanenko, Alexander S. Shevelev
  • Patent number: 11600128
    Abstract: Disclosed herein are systems and methods for casting a vote in an electronic balloting system. In one aspect, an exemplary method comprises: authenticating a voter from whom a request for casting a vote is received, when the voter is successfully authenticated, generating an electronic ballot based on voting information, gathering data about an electronic vote of the voter, the electronic vote representing a choice of the voter on the electronic ballot, generating and sending at least one request to the voter, the request being generated for confirmation of a validity of the gathered data on the electronic vote, generating a hardcopy of the ballot filled out by the voter and placing the generated hardcopy in a centralized repository, and counting the vote, when the hardcopy of the ballot is successfully generated and an affirmative response is received from the voter in response to the at least one request.
    Type: Grant
    Filed: May 21, 2020
    Date of Patent: March 7, 2023
    Assignee: AO Kaspersky Lab
    Inventors: Alexandra M. Nikolina, Alexander S. Korunov, Alexander V. Sazonov, Ochir V. Abushinov, Zoya S. Sergeeva
  • Patent number: 11579302
    Abstract: A method for detecting unmanned aerial vehicles (UAV) includes detecting an unknown flying object in a monitored zone of air space. An image of the detected unknown flying object is captured. The captured image is analyzed to classify the detected unknown flying object. A determination is made, based on the analyzed image, whether the detected unknown flying object comprises a UAV.
    Type: Grant
    Filed: February 14, 2020
    Date of Patent: February 14, 2023
    Assignee: AO Kaspersky Lab
    Inventors: Vladimir E. Turov, Vladimir Y. Kleshnin, Alexey O. Dorokhov, Andrey A. Vankov
  • Patent number: 11556670
    Abstract: Disclosed herein are systems and methods for granting access to data of a user. In one aspect, an exemplary method comprises: blocking the processing of data of a user, transferring the data of the user to a storage device, receiving a request for data processing from a collected data processor of a device, redirecting the received request to the storage device, determining, by the storage device, data access rights for the collected data processor of the device from which the request for data processing is received in accordance with data access rights established by a data access rights manager, and providing access to the data in accordance with the determined data access rights.
    Type: Grant
    Filed: March 17, 2021
    Date of Patent: January 17, 2023
    Assignee: AO Kaspersky Lab
    Inventors: Andrey A. Efremov, Dmitry V. Shmoylov, Pavel V. Filonov, Dmitry G. Ivanov
  • Patent number: 11546371
    Abstract: Disclosed are systems and methods for countering a cyber-attack on computing devices by means of which users are interacting with services, which store personal data on the users. Data is collected about the services with which the users are interacting by means of the devices, as well as data about the devices themselves. The collected data is analyzed to detect when a cyber-attack on the devices is occurring as a result of a data breach of personal data on users from the online service. A cluster of the computing devices of different users of the online service experiencing the same cyber attack is identified. Attack vectors are identified based on the characteristics of the cyber attack experienced by the computing devices in the cluster. Actions are selected for countering the cyber-attack based on the identified attack vector and are sent to the devices of all users of the corresponding cluster.
    Type: Grant
    Filed: December 22, 2020
    Date of Patent: January 3, 2023
    Assignee: AO Kaspersky Lab
    Inventors: Vladislav V. Martynenko, Alexey M. Romanenko
  • Patent number: 11544362
    Abstract: A method for controlling secure access to user requested data includes retrieving information related to potential unauthorized access to user requested data. The information is collected by a plurality of sensors of a user's mobile device. A trained statistical model representing an environment surrounding a user is generated based on the retrieved information. A first data security value is determined using the generated trained statistical model. The first data security value indicates a degree of information security based on the user's environment. A second data security value is determined using the generated trained statistical model. The second data security value indicates a degree of confidentiality of the user requested data. The user requested data is filtered based on a ratio of the determined first data security value and the second data security value.
    Type: Grant
    Filed: January 28, 2020
    Date of Patent: January 3, 2023
    Assignee: AO Kaspersky Lab
    Inventor: Andrey A. Efremov
  • Patent number: 11546367
    Abstract: Systems and methods for protecting an automated system (AS) including building a security configuration based on architecture data of the AS such that compliance with the security configuration ensures a security level for AS devices, installing a data transmission application on a gateway of an AS network using the security configuration, and transmitting data from one of the AS devices through the data transmission application such that the actions of the data transmission application are defined by the security configuration.
    Type: Grant
    Filed: October 25, 2019
    Date of Patent: January 3, 2023
    Assignee: AO Kaspersky Lab
    Inventors: Dmitry S. Lukiyan, Alexey G. Vereshchagin
  • Patent number: 11539726
    Abstract: Disclosed herein are systems and methods for generating heuristic rules for identifying spam emails based on fields in headers of emails. In one aspect, an exemplary method comprises: collecting statistical data on contents of a plurality of emails; analyzing the statistical data to identify different types of content, including headers or hyperlinks in said emails; grouping the emails into clusters based on types of content identified in said emails, wherein at least one cluster group is based on fields in headers of said emails; generating a hash from the most frequent combination of group of data in each cluster; formulating regular expressions based on analysis of hyperlinks of emails corresponding to the generated hashes; and generating a heuristic rule for identifying spam emails by combining the hashes and the corresponding regular expressions, wherein the hash is generated based on fields in the headers of said emails.
    Type: Grant
    Filed: September 30, 2021
    Date of Patent: December 27, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Roman A. Dedenok, Dmitry S. Golubev, Petr A. Salnikov
  • Patent number: 11520889
    Abstract: Disclosed herein are systems and methods for granting access to a file. In one aspect, an exemplary method comprises: calculating a first hash of a portion of the file, searching for the first hash in a local database, when the first hash is found indicates that the file is malicious, calculating a second hash, searching for the second hash in the verdict cache, and pronouncing a final decision as to a harmfulness of the file, and when either the first hash is not found in the verdict cache or the first hash is found and indicates that the file is trusted, granting access to the file, calculating a second hash of the file, generating a request for information about the file and sending the request to a remote server, and pronouncing a decision as to harmfulness of the file based on results of the search received from the remote server.
    Type: Grant
    Filed: November 16, 2020
    Date of Patent: December 6, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Denis O. Vlaznev, Sergey V. Kubrin
  • Patent number: 11522916
    Abstract: A method for defending a network of electronic devices from cyberattacks includes obtaining information about a plurality of devices and information about communication links between the plurality of devices and surrounding environment and determining types of the communication links using heuristic rules. The types of communication links are compared using corresponding link profiles. One or more similar communication links are identified based on the comparison. A cluster of devices is generated by combining a subset of the plurality of devices. The cluster includes one or more devices having one or more similar communication links. A surrounding environment profile is generated for the generated cluster of devices. When a cyberattack is detected on one of the devices in the cluster, the surrounding environment profile is modified for the cluster of devices in order to defend all devices in the cluster from the cyberattack.
    Type: Grant
    Filed: June 2, 2020
    Date of Patent: December 6, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Dmitry G. Ivanov, Andrey V. Ladikov, Pavel V. Filonov
  • Patent number: 11514160
    Abstract: Disclosed herein are systems and methods for determining a coefficient of harmfulness of a file using a trained learning model. In one aspect, an exemplary method includes forming a first vector containing a plurality of attributes of a known malicious file. A learning model is trained using the first vector to identify a plurality of significant attributes that influence identification of the malicious file. A second vector is formed containing a plurality of attributes of known safe files. The learning model is trained using the second vector to identify attributes insignificant to the identification of the malicious file. An unknown file is analyzed by the learning model. The learning model outputs a numerical value identifying a coefficient of harmfulness relating to a probability that the unknown file will prove to be harmful.
    Type: Grant
    Filed: January 26, 2021
    Date of Patent: November 29, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Sergey V. Prokudin, Alexey M. Romanenko
  • Patent number: 11494252
    Abstract: Systems and methods for determining a source of anomaly in a cyber-physical system (CPS). A forecasting tool can obtain a plurality of CPS feature values during an input window and forecast the plurality of CPS feature values for a forecast window. An anomaly identification tool can determine a total forecast error for the plurality of CPS features in the forecast window, identify an anomaly in the cyber-physical system when the total forecast error exceeds a total error threshold, and identify at least one CPS feature as the source of the anomaly.
    Type: Grant
    Filed: June 24, 2019
    Date of Patent: November 8, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Andrey B. Lavrentyev, Artem M. Vorontsov, Pavel V. Filonov, Dmitry K. Shalyga, Vyacheslav I. Shkulev, Nikolay N. Demidov, Dmitry A. Ivanov
  • Patent number: 11489855
    Abstract: Disclosed are systems and methods of adding tags for use in detecting computer attacks. In one aspect, the system comprises a computer protection module configured to: receive a security notification, extract an object from the security notification, search for the extracted object in a threat database, add a first tag corresponding to the extracted object in the threat database only when the extracted object is found in the threat database, search for signs of suspicious activity in a database of suspicious activities based on the received security notification and the added first tag, and when at least one sign of suspicious activity is found, extract a second tag from the database of suspicious activities and add the second tag to an object database, wherein the object database is used for identifying signature of targeted attacks based on security notifications, objects, first tags and second tags.
    Type: Grant
    Filed: November 16, 2020
    Date of Patent: November 1, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Sergey V. Gordeychik, Konstantin V. Sapronov, Yury G. Parshin, Teymur S. Kheirkhabarov, Sergey V. Soldatov
  • Patent number: 11481489
    Abstract: The present disclosure provides for systems and methods for generating an image of a web resource to detect a modification of the web resource. An exemplary method includes selecting one or more objects of the web resource based on one or more object attributes; identifying a plurality of tokens for each selected object based on contents of the selected object; calculating a hash signature for each selected object of the web resource using the identified plurality of tokens; identifying potentially malicious calls within the identified plurality of tokens; generating an image of the web resource based on the plurality of hash signatures and based on the identified potentially malicious calls, wherein the image of the web resource comprises a vector representation of the contents of the web resource; and detecting whether the web resource is modified based on the image of the web resource.
    Type: Grant
    Filed: November 18, 2020
    Date of Patent: October 25, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Vladimir A. Skvortsov, Evgeny B. Kolotinsky
  • Patent number: 11474895
    Abstract: Systems and methods are presented for selection of compatible components for an observed system. An exemplary method comprises collecting parameters of one or more components of the system, assessing conformity of the one or more components of the system with a required state of the system, identifying one or more anomalies based on the assessment of conformity, analyzing the one or more anomalies to identify a class and parameters of the system corresponding to the one or more anomalies, determining one or more models of methods of restoration of the system, selecting one or more components that meets requirements of the one or more models of methods of restoration and implementing the one or more components in the system that are compatible with the system to eliminate the one or more anomalies.
    Type: Grant
    Filed: July 3, 2019
    Date of Patent: October 18, 2022
    Assignee: AO Kaspersky Lab
    Inventor: Andrey A. Efremov
  • Patent number: 11451579
    Abstract: A method for protecting electronics systems of a vehicle from cyberattacks includes intercepting messages transmitted on a first communications bus between a plurality of Electronic Control Units (ECUs) of a vehicle. The ECUs are communicatively coupled to the first communications bus. At least one recipient ECU that is a recipient of the intercepted messages is determined. The intercepted messages and information indicating the determined at least one recipient ECU are stored in a log. The method further includes detecting a computer attack of the vehicle based on satisfaction of at least one condition of a rule by the stored messages and information in the log and blocking the computer attack of the vehicle by performing an action associated with the rule. The rule may depend on whether one or more intercepted messages are malicious messages and a recipient ECU of the malicious messages.
    Type: Grant
    Filed: April 8, 2021
    Date of Patent: September 20, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Pavel V. Dyakin, Alexander V. Shadrin, Dmitry A. Kulagin
  • Patent number: 11449615
    Abstract: Disclosed herein are systems and methods for forming a log during an execution of a file with vulnerabilities. In one aspect, an exemplary method comprises: discovering an activation of a trigger during an execution of a thread of a process created upon opening the file, wherein the trigger describes conditions accompanying an event which relates to an attempt to exploit a vulnerability of the file, analyzing a stack of the process created upon opening the file, and discovering a chain of function calls preceding the event in a form of a sequence of call and return addresses, analyzing the discovered chain of function calls for fulfillment of conditions of the trigger which relate to the attempt to exploit the vulnerability, and when the conditions of the trigger are fulfilled, saving information about the chain of function calls in a log.
    Type: Grant
    Filed: May 15, 2019
    Date of Patent: September 20, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Alexey V. Monastyrsky, Mikhail A. Pavlyushchik, Vladislav V. Pintiysky, Denis V. Anikin, Dmitry A. Kirsanov