Patents Assigned to AO Kaspersky Lab
  • Patent number: 11438306
    Abstract: Disclosed herein are systems and methods for connecting a Domain Name System (DNS) secure resolution protocol. In one aspect, an exemplary method comprises, by a protection module, determining a DNS query from a client, determining a fulfillment of at least one condition for connecting the DNS secure resolution protocol, wherein the at least one condition is obtained from a database, and connecting the DNS secure resolution protocol for the client when the at least one condition for connecting the DNS secure resolution protocol is fulfilled.
    Type: Grant
    Filed: June 24, 2019
    Date of Patent: September 6, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Andrey V. Sichevoy, Denis V. Rodionov, Alexander N. Makarov
  • Patent number: 11438307
    Abstract: Systems and methods for configuring a gateway for an automated system (AS) including an assembly tool to obtain a security configuration including a set of requirements for applications operating with AS devices, analyze assembly components for compliance with the security configuration, the assembly components for building one of applications, assemble an application package using a subset of the assembly components based on compliance with the security configuration, and a control tool to install the application package on the gateway such that execution of an individual application derived from the application package ensures a required level of information security for the AS.
    Type: Grant
    Filed: October 25, 2019
    Date of Patent: September 6, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Dmitry S. Lukiyan, Alexey G. Vereshchagin
  • Patent number: 11425154
    Abstract: Disclosed herein are systems and methods for detecting anomalies in a technological system. In one aspect, an exemplary method comprises, intercepting, by a duplicator running on an upper-level element of the technological system at least one outgoing data packet addressed to a middle-level element of the technological system, sending, by the duplicator, information about the intercepted at least one outgoing data packet to a monitor using a secure connection, the monitor running on the middle-level element, intercepting, by the monitor, at least one incoming data packet, comparing, by the monitor, the information received from the duplicator with the intercepted at least one incoming data packet, and detecting, by the monitor, an anomaly in the technological system when the intercepted at least one incoming data packet does not conform to the information received from the duplicator.
    Type: Grant
    Filed: November 13, 2019
    Date of Patent: August 23, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Alexander V. Shadrin, Pavel V. Dyakin, Dmitry A. Kulagin
  • Patent number: 11410299
    Abstract: A method for detecting unmanned aerial vehicles (UAV) includes detecting an unknown flying object in a monitored zone of air space. An image of the detected unknown flying object is captured. The captured image is analyzed to classify the detected unknown flying object. A determination is made, based on the analyzed image, whether the detected unknown flying object comprises a UAV. In response to determining that the detected unknown flying object comprises a UAV, one or more radio signals exchanged between the UAV and a user of the UAV are suppressed until the UAV departs from the monitored zone of air space.
    Type: Grant
    Filed: February 14, 2020
    Date of Patent: August 9, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Vladimir E. Turov, Vladimir Y. Kleshnin, Alexey O. Dorokhov, Andrey A. Vankov
  • Patent number: 11403398
    Abstract: Disclosed herein are methods and systems for detecting a source of malicious activity in a computer system. An exemplary method comprises gathering information related to the objects of the computer system, forming a graph based on the information gathered on the objects, selecting at least two induced subgraphs (hereinafter, subgraph) from the resulting graph, determining the coefficient of harmfulness for each selected subgraph, the coefficient of harmfulness representing a numerical characteristic describing the strength of the relations between the vertices of that subgraph, determining, from the selected subgraphs, a subgraph whose coefficient of harmfulness is a minimum among the determined coefficients of harmfulness of the subgraphs, and the total coefficient of harmfulness of the subgraphs related to that subgraph is a maximum, identifying the object correlated with at least one vertex of the determined subgraph as a source of the malicious activity in the computer system.
    Type: Grant
    Filed: May 23, 2019
    Date of Patent: August 2, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Igor I. Sumenkov, Sergey Y. Golovanov
  • Patent number: 11403396
    Abstract: The present disclosure provides a system and method for allocating computer resources for detection of malicious files. In one aspect, the system comprises: a hardware processor configured to: form at least one behavior pattern grouping selected commands with shared parameters, apply a hash function on the at least one of the formed behavior pattern to obtain computed parameters, calculate a degree of harmfulness based on the obtained computed parameters using the hash function and a model for detection of malicious files, wherein the degree of harmfulness is a number value characterizing a probability that a malicious activity will be manifested by a time of computing said degree of harmfulness and wherein the model is a machine learning model trained using computed parameters of previous behavior patterns on which the hash function was applied to output degrees of harmfulness, and allocate the computing resources based on the calculated degree of harmfulness.
    Type: Grant
    Filed: October 5, 2020
    Date of Patent: August 2, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Alexander C. Chistyakov, Ekaterina M. Lobacheva, Alexey M. Romanenko
  • Patent number: 11397812
    Abstract: Disclosed herein are systems and methods of categorizing a .NET application. In one aspect, an exemplary method comprises, by a hardware processor of a security module, launching a CLR profiler upon launching of the .NET application, forming an execution log of the .NET application and adding information about events occurring during the execution of the .NET application via the launched CLR profiler, assigning to the .NET application, a category of a predetermined list of categories based on an analysis of the execution log of the .NET application, and determining whether the .NET application is categorized as being a malicious application.
    Type: Grant
    Filed: September 18, 2018
    Date of Patent: July 26, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Vladimir A. Kuskov, Denis V. Anikin, Dmitry A. Kirsanov
  • Patent number: 11399036
    Abstract: Disclosed herein are systems and methods for correlating events to detect an information security incident. A correlation module may receive a plurality of network events indicating potential security violations, wherein each network event of the plurality of network events has a respective timestamp. The correlation module may identify, from the plurality of network events, a subset of network events that have occurred within a period of time, based on each respective timestamp. The correlation module may determine a plurality of potential orders of occurrence for the subset of network events. The correlation module may apply at least one correlation rule to each respective potential order of the plurality of potential orders. In response to determining that the at least one correlation rule is fulfilled, the correlation module may detect the information security incident.
    Type: Grant
    Filed: March 27, 2020
    Date of Patent: July 26, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Ivan S. Lyukshin, Andrey A. Kiryukhin, Dmitry S. Lukiyan, Pavel V. Filonov
  • Patent number: 11397833
    Abstract: Systems and methods for anonymous collection of malware-related data from client devices. The system comprising a network node configured to (i) receive a first data structure from a client device, wherein the first data structure contains an identifier of the client device and an encrypted data that includes an identifier of a user of the client device and/or personal data of the user, and wherein the encrypted data was encrypted by the client device with a public key of the client device, wherein the public key was provided to the client device by an independent certification authority, (ii) transform the received first data structure by replacing the identifier of the client device with an anonymized identifier, and (iii) transmit the transformed first data structure containing the anonymized identifier and the encrypted data to a server.
    Type: Grant
    Filed: September 18, 2020
    Date of Patent: July 26, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Anton S. Lapushkin, Dmitry V. Shmoylov, Andrey V. Ladikov, Andrey A. Efremov
  • Patent number: 11394764
    Abstract: Systems and methods for anonymously transmitting data in a network are provided, in which a request data structure is received by a network node from a client device. A first substructure containing personal data (PD) and a second substructure not containing PD are identified in the request data structure, by the network node. The first substructure is encrypted, by the network node, and is transmitted along with the second substructure to a server. A response data structure is received, by the network node, from the server. The first encrypted substructure and a third encrypted substructure are identified, by the network node, in the response data structure. The first encrypted substructure is decrypted, by the network node, and is transmitted along with the third encrypted substructure to the client device. The third encrypted substructure can be decrypted and viewed by the client device.
    Type: Grant
    Filed: September 17, 2020
    Date of Patent: July 19, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Anton S. Lapushkin, Dmitry V. Shmoylov, Andrey V. Ladikov, Andrey A. Efremov
  • Patent number: 11388148
    Abstract: Disclosed herein are systems and methods for anonymous sending of data from a source device to a recipient device. In one aspect, an exemplary method comprises, by the source device: receiving a request to send data to the recipient device, processing the data such that an identifier of the user and identification data are not linked to the data to be sent to the recipient, and determining whether the identifier of the user is absent in the source device, when the identifier of the user is absent, generating the identifier of the user, sending the identifier of the user to a token generator, wherein the sent identifier comprises either the generated identifier or an existing identifier found during the determination of whether the identifier is absent in the source device, and sending, to the recipient device, a combination of a random token received from the token generator and the data.
    Type: Grant
    Filed: August 14, 2020
    Date of Patent: July 12, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Artem V. Troitsky, Andrey V. Ladikov
  • Patent number: 11388286
    Abstract: Disclosed herein are systems and methods for handling unwanted telephone calls. In one aspect, an exemplary method comprises, intercepting a call request for a call from a terminal device of a calling party to a terminal device of a called party, generating a call recording containing media data transmitted within a connection established by the intercepted call request, determining attributes of the generated call recording, classifying the call as an unwanted call based on the determined attributes, wherein the classification is performed by a classifier trained on previously collected unwanted calls, and wherein the call is classified as unwanted when the attributes belong to an unwanted call class that is known, and handling the call in accordance with the classification of the call, the handling including at least securing information of the call.
    Type: Grant
    Filed: June 1, 2021
    Date of Patent: July 12, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Dmitry V. Shvetsov, Daniil A. Yazovsky, Vitaly S. Vorobiov
  • Patent number: 11388196
    Abstract: A method for analyzing relationships between clusters of devices includes selecting a first device from a first cluster of devices and selecting a second device from a second cluster of devices. Information related to a first communication link associated with the first device and information related to a second communication link associated with the second device is obtained. A similarity metric is computed based on the obtained information. The similarity metric represents a similarity between the first communication link and the second communication link associated with the second device. A relationship between the first and second clusters is determined using the computed similarity metric. When a cyberattack is detected on the devices in the first cluster or the second cluster, protection of all devices in the first cluster and the second cluster is modified based on the determined relationship in order to defend the respective clusters from the cyberattack.
    Type: Grant
    Filed: June 1, 2020
    Date of Patent: July 12, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Dmitry G. Ivanov, Andrey V. Ladikov, Pavel V. Filonov
  • Patent number: 11385987
    Abstract: Systems and methods for assessing an impact of software on components of an industrial automation and control systems (IACS) are disclosed. In one aspect, an exemplary method comprises, selecting samples of software to be analyzed for capability to cause harm to the IACS. In one aspect, the method further comprises, for each particular configuration of the IACS being tested, performing analysis to identify effects of the selected samples on the particular configuration, wherein the identified effects include at least causes and events resulting in disruption of operations of the particular configuration of the IACS, and where the particular configuration including at least components of the industrial system being simulated on a testing device. In one aspect, the method further comprises, analyzing identified causes and events, and based on the analysis, assessing the impact of the selected sample by determining a degree of influence of the software on the particular configuration.
    Type: Grant
    Filed: October 13, 2020
    Date of Patent: July 12, 2022
    Assignee: AO Kaspersky Lab
    Inventor: Kirill N. Kruglov
  • Patent number: 11379581
    Abstract: A method for detection of malicious files includes training a mapping model for mapping files in a probability space. A plurality of characteristics of an analyzed file is determined based on a set of rules. A mapping of the analyzed file in probability space is generated based on the determined plurality of characteristics. A first database is searched using the generated mapping of the analyzed file to determine whether the analyzed file is associated with a family of malicious files. The first database stores mappings associated with one or more families of malicious files. In response to determining that the analyzed file is associated with the family of malicious files, a selection of one or more methods of malware detection is made from a second database. The second database stores a plurality of malware detection methods. The selected method is used to detect the associated family.
    Type: Grant
    Filed: March 11, 2020
    Date of Patent: July 5, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Alexander Chistyakov, Alexey M. Romanenko
  • Patent number: 11380303
    Abstract: A method for voice call analysis and classification includes intercepting a voice call session between an initiating device and a recipient device. Voice call data exchanged between the initiating device and the recipient device during the voice call session is transformed into a predefined data format. The transformed voice call data is analyzed to determine one or more attributes of the intercepted voice call. One or more features associated with the intercepted voice call session are identified based on the determined one or more attributes. The intercepted voice call is classified using the identified one or more features.
    Type: Grant
    Filed: January 22, 2021
    Date of Patent: July 5, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Nikolay A. Churaev, Andrey I. Golubev
  • Patent number: 11368871
    Abstract: Techniques are provided for generating groups of filtering rules. A priority list of filtering rules having a highest indicator of frequency of utilization among the filtering rules from the plurality of lists is determined from a plurality of lists of filtering rules. The priority list of filtering rules is transmitted to a mobile device. Each of remaining lists of filtering rules that have not been transmitted to the mobile device is divided into a plurality of parts. A plurality of groups of filtering rules is generated based on frequency of utilization within each of the remaining lists of filtering rules. Each generated group contains at most one part of each remaining list of filtering rules.
    Type: Grant
    Filed: November 18, 2020
    Date of Patent: June 21, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Alexey P. Komissarov, Victor V. Yablokov, Alexey M. Chikov
  • Patent number: 11366902
    Abstract: Disclosed herein are systems and methods for detecting malicious files based on file fragments. In one aspect, an exemplary method comprises, extracting data fragments from a file, for each extracted data fragment, determining a category selected from a list of categories that includes at least: trusted, malicious, and untrusted, when a number of data fragments categorized as being malicious is below a predetermined threshold, avoiding categorization of the file as malicious, and when a number of data fragments categorized as being malicious reaches or exceeds the predetermined threshold, determining whether at least one malicious file detection rule having criteria for detecting a malicious file is found, when at least one malicious file detection rule whose criteria is met is found, categorizing the file as a malicious file, and when no malicious file detection rule whose criteria is met is found, avoiding categorization of the file as a malicious file.
    Type: Grant
    Filed: September 24, 2019
    Date of Patent: June 21, 2022
    Assignee: AO Kaspersky Lab
    Inventor: Costin Raiu
  • Patent number: 11361090
    Abstract: A method for providing an interprocess interaction in an electronic control unit having an operating system defining a kernel space, wherein the method involves steps in which: the kernel of the operating system intercepts a request for an interprocess communication between a first application and a second application of the electronic control unit. A verdict is requested, from an access control component of the operating system, with respect to granting access for the requested interprocess communication between the first application and the second application of the electronic control unit. The access control component generates the verdict for the requested interprocess communication based on a security policy. The kernel of the operating system selectively allows the requested interprocess communication between the first application and the second application based on the generated verdict.
    Type: Grant
    Filed: January 28, 2021
    Date of Patent: June 14, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Alexander V. Shadrin, Dmitry A. Kulagin
  • Patent number: 11356468
    Abstract: A method for using inventory rules to identify devices of a computer network includes intercepting data traffic across one or more communication links of the computer network. The intercepted data traffic is analyzed to determine whether one or more of a plurality of inventory rules is satisfied by the intercepted data traffic. Each of the plurality of inventory rules includes one or more conditions indicating the presence of a particular computer network device having a set of parameters. Devices of the computer network are identified using one or more satisfied inventory rules.
    Type: Grant
    Filed: March 19, 2020
    Date of Patent: June 7, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Evgeny E. Prusov, Andrey A. Kiryukhin, Dmitry N. Satanin, Dmitry S. Lukiyan