Patents Assigned to AO Kaspersky Lab
  • Patent number: 11113143
    Abstract: Systems and methods are provided for detecting compatible modules for replacing anomalous elements in computing systems. The described technique includes receiving system parameters specifying functionality of a first computing system, and querying a state model using the received system parameters to detect an anomaly within the first computing system. In response to detecting an anomaly in the first computing system based on the state model, the system determines a recovery method based on a recovery-method model and information about the detected anomaly, and selects, from a tool database, a third-party, system-compatible tool configured to implement the determined recovery method.
    Type: Grant
    Filed: June 3, 2019
    Date of Patent: September 7, 2021
    Assignee: AO Kaspersky Lab
    Inventor: Andrey A. Efremov
  • Patent number: 11102210
    Abstract: Disclosed are systems and methods for limiting access of a user profile to dangerous content in a social network service. The described system produces a social graph for a given user profile in the social network service, and identifies clusters of objects (e.g., other user profiles, contents) within the social graph. The described system analyzes whether certain objects in the social graph should be characterized as suspicious based on their clustering and on a database of known forbidden objects. The described system may further learn and add unknown objects to the database of forbidden objects.
    Type: Grant
    Filed: January 28, 2020
    Date of Patent: August 24, 2021
    Assignee: AO KASPERSKY LAB
    Inventors: Anna D. Larkina, Vladislav N. Tushkanov
  • Patent number: 11089006
    Abstract: Disclosed herein are systems and methods for blocking network connections. In one aspect, an exemplary method comprises, intercepting a certificate from the server when establishing a protected connection between a server and a client, determining whether the intercepted certificate is similar to one or more forbidden certificates, the determination of whether the intercepted certificate is similar to one or more forbidden certificates comprising transforming the intercepted certificate in accordance with a method of determining similarities between certificates and a method of saving forbidden certificates in a database of forbidden certificates, and blocking the connection when the intercepted certificate is similar to the one or more forbidden certificates.
    Type: Grant
    Filed: March 20, 2019
    Date of Patent: August 10, 2021
    Assignee: AO Kaspersky Lab
    Inventors: Vladislav I. Ovcharik, Oleg G. Bykov, Natalya S. Sidorova
  • Patent number: 11063913
    Abstract: Disclosed are systems and methods for routing during statistics collection. A method is described of exchanging data in a client/server architecture across a node with an anonymization module situated in a regional network different from the network in which the server is located and not being in the same intranet as the server or the client when making the request.
    Type: Grant
    Filed: August 13, 2018
    Date of Patent: July 13, 2021
    Assignee: AO Kaspersky Lab
    Inventors: Andrey A. Efremov, Dmitry V. Shmoylov
  • Patent number: 11048795
    Abstract: Disclosed is a method for analyzing a log for conducting an antivirus scan of a file. The method includes opening a file in a virtual machine. The opening of the file includes execution of a guest process having a thread in a virtual processor of the virtual machine. A plurality of events in the thread of the guest process is intercepted. Registers associated with a system call made during execution of the first thread of the guest process are determined. Execution of the thread of the guest process is halted. In a log associated with the opening of the file, information is saved indicating events intercepted during execution of the thread in an altered guest physical memory page, and context data of the virtual processor. Using at least one template having rules, the saved log is analyzed to determine whether the file opened in the virtual machine is harmful.
    Type: Grant
    Filed: December 16, 2019
    Date of Patent: June 29, 2021
    Assignee: AO Kaspersky Lab
    Inventors: Vladislav V. Pintiysky, Denis V. Anikin, Denis Y. Kobychev, Maxim Y. Golovkin, Vitaly V. Butuzov, Dmitry V. Karasovsky, Dmitry A. Kirsanov
  • Patent number: 11042507
    Abstract: Disclosed herein are systems and methods for deleting files. In one aspect, an exemplary method comprises, obtaining at least initial data about a file to be deleted in accordance with an instruction to remove the file from a data storage device, analyzing the file to be deleted and the data storage device to determine at least deletion parameters of the file to be deleted, performing a dynamic formation of a deletion algorithm, wherein the formation further includes the formation of a structure for writing and a determination of a location for the writing during the deletion of the file in accordance with the determined deletion parameters and rules of formation, and deleting the file by applying the deletion algorithm.
    Type: Grant
    Filed: March 25, 2019
    Date of Patent: June 22, 2021
    Assignee: AO Kaspersky Lab
    Inventor: Oleg V. Zaitsev
  • Patent number: 11042659
    Abstract: Disclosed are systems and methods for preventing data loss of confidential data in a computer system. The described technique includes searching text data for one or more keywords, and then calculating a density of keywords in the text data based on the one or more keywords that match the text data. The technique classifies the text data as containing confidential data based on whether the density of keywords exceeds a threshold value. If so, the described systems may block the use of the text data containing confidential data in a variety of ways.
    Type: Grant
    Filed: July 6, 2017
    Date of Patent: June 22, 2021
    Assignee: AO Kaspersky Lab
    Inventor: Dmitry S. Dorogoy
  • Patent number: 11038917
    Abstract: Disclosed are a system and method for building statistical models of malicious elements of web pages. One exemplary method comprises: obtaining, by a control server, data about malicious elements of web pages; transforming, by the control server, the obtained data into at least one N-dimensional vector; creating, by the control server, at least one cluster based on elements of the at least one N-dimensional vector; and building, by the control server, the statistical model of the malicious elements of the web page based on the created at least one cluster.
    Type: Grant
    Filed: November 1, 2019
    Date of Patent: June 15, 2021
    Assignee: AO Kaspersky Lab
    Inventors: Oleg V. Kupreev, Anton B. Galchenko, Mikhail V. Ustinov, Vitaly V. Kondratov, Vladimir A. Kuskov
  • Patent number: 11036858
    Abstract: Methods and systems are described in the present disclosure for training a model for detecting malicious objects on a computer system. In an exemplary aspect, a method includes: selecting files from a database used for training a detection model, the selection is performed based on learning rules, performing an analysis on the files by classifying them in a hierarchy of maliciousness, forming behavior patterns based on execution of the files and parameters of the execution, training the detection model according to the analysis of the files and the behavior patterns, verifying the trained detection model using a test selection of files to test determinations of harmfulness of the test selection of files, and when the verification fails, retraining the detection model using a different set of files from the database, otherwise applying the detection model to a new set of files to determine maliciousness.
    Type: Grant
    Filed: July 2, 2019
    Date of Patent: June 15, 2021
    Assignee: AO Kaspersky Lab
    Inventors: Alexander S. Chistyakov, Alexey M. Romanenko, Alexander S. Shevelev
  • Patent number: 11030319
    Abstract: Disclosed herein are methods and systems for automated testing of hardware and software systems. An exemplary method comprises receiving a formalized architecture description describing an architecture of a system being designed, receiving a formalized threat description describing threats to systems similar to the system being designed, building, by a processor, a use model based on the formalized description, building, by a processor, a threat model based on the formalized threat description, determining, by a processor, kinds of use of the system by comparing the threat model to the use model and determining, by a processor, components of the system based on the kinds of use.
    Type: Grant
    Filed: September 6, 2018
    Date of Patent: June 8, 2021
    Assignee: AO Kaspersky Lab
    Inventors: Andrey P. Doukhvalov, Ekaterina A. Rudina, Semen S. Kort, Viacheslav N. Zolotnikov
  • Patent number: 11029662
    Abstract: Disclosed are systems and methods for enabling data to be transmitted between program modules based on compliance with rules, the method comprising: monitoring, by a security module executable by a processor, an interaction between a first program module and a second program module to determine whether the interaction complies with at least one rule, wherein the first program module is a source of data being exchanged with the second program module which is a recipient of the data, when the interaction does not comply with the at least one rule, modifying the data being exchanged between the source and the recipient of the data, and when the interaction complies with the at least one rule, allowing the data to be transmitted to the recipient.
    Type: Grant
    Filed: February 24, 2020
    Date of Patent: June 8, 2021
    Assignee: AO Kaspersky Lab
    Inventors: Pavel V. Dyakin, Dmitry A. Kulagin
  • Patent number: 11025667
    Abstract: Disclosed are a system, method, and computer readable storage medium having instructions for applying a plurality of interconnected filters to protect a computing device from a DDoS attack. The method includes, responsive to detecting the computing device is subject to the DDoS attack, intercepting data from a network node to the computing device, determining data transmission parameters, assigning an initial danger rating to the network node, identifying a subset of the plurality of the interconnected filters which are concurrently triggered, changing the danger rating of the network node based on an application of the subset of the plurality of interconnected filters that are triggered and the data transmission parameters, and responsive to determining that the danger rating of the network node exceeds a threshold value, limiting a transmittal of data from the network node to the computing device by limiting channel capacity between the network node and the computing device.
    Type: Grant
    Filed: May 22, 2020
    Date of Patent: June 1, 2021
    Assignee: AO Kaspersky Lab
    Inventors: Nikolay V. Gudov, Alexander A. Khalimonenko, Denis E. Koreshkov
  • Patent number: 11019494
    Abstract: Disclosed are systems and methods for determining dangerousness of devices for a banking service. In one aspect, the method comprises detecting an interaction between a user device and the banking service, acquiring characteristics of the user device including one or more of: an operating system under whose control the user device is running, a location of the user device, a regional characteristic of a firmware of the user device, an account identifier associated with the user device, acquiring data related to a threat risk state of the user device, and determining a dangerousness of the user device based on the acquired characteristics and the acquired data related to the threat risk of the user device.
    Type: Grant
    Filed: November 14, 2019
    Date of Patent: May 25, 2021
    Assignee: AO Kaspersky Lab
    Inventors: Vladimir A. Skvortsov, Evgeny B. Kolotinsky
  • Patent number: 11003772
    Abstract: Disclosed are systems and methods for adapting a pattern of dangerous behavior of programs. A teaching module may load into an activity monitor the pattern and establish a first usage mode for it, during which the activity monitor detects threats that correspond to that pattern, but does not perform actions for their removal. Later, in the course of a teaching period, the activity monitor detects threats based on the detection of events from the mentioned pattern. If the events have occurred as a result of user actions, and the events have a recurring nature or are regular in nature, the teaching module adds parameters to the pattern which exclude from subsequent detection those events or similar events. Upon expiration of the teaching period, the teaching module converts the pattern of dangerous behavior of programs to the second usage mode, during which threats are detected using the modified pattern and removed.
    Type: Grant
    Filed: June 18, 2018
    Date of Patent: May 11, 2021
    Assignee: AO Kaspersky Lab
    Inventors: Mikhail A. Pavlyushchik, Yuri G. Slobodyanuk, Alexey V. Monastyrsky, Vladislav V. Martynenko
  • Patent number: 11003525
    Abstract: Systems and methods are presented for identifying and addressing anomalies in a system. An exemplary method comprises collecting parameters of one or more components of the system, assessing conformity of a state of the system by comparing the collected parameters to one or more state models, wherein the one or more state models describe normal and anomalous states, identifying one or more anomalies based on the assessment of conformity, obtaining a database of third party information for the one or more components, replacing the collected parameters with the third party information and interrogating the one or more state models using the third party information, responsive to identifying no further anomalies in the interrogation, identifying one or more components that are compatible with the system from the obtained database, and selecting a single component from the one or more components to address the identified anomalies, based on one or more criteria.
    Type: Grant
    Filed: January 21, 2020
    Date of Patent: May 11, 2021
    Assignee: AO Kaspersky Lab
    Inventor: Andrey A. Efremov
  • Patent number: 11005880
    Abstract: Disclosed are systems and methods for detecting and blocking attacks on electronics systems of a means of transportation. A protection module intercepts messages being transmitted on the buses of the means of transportation and saves the intercepted messages, and also for each intercepted message at least one ECU of the means of transportation which is the recipient of that message. The protection module detects computer attacks on the electronics systems by applying one or more rules, which can be received from a security server, to the saved data in the log. The rules may depend on one or more indicators of compromise that include malicious messages used in a computer attack and information on at least one ECU that is a recipient of the malicious messages. The described system further blocks the computer attacks by blocking, modifying, or changing communications within the communications bus of the vehicle.
    Type: Grant
    Filed: September 4, 2018
    Date of Patent: May 11, 2021
    Assignee: AO Kaspersky Lab
    Inventors: Pavel V. Dyakin, Alexander V. Shadrin, Dmitry A. Kulagin
  • Patent number: 10986068
    Abstract: Disclosed are systems and methods for routing personal data when executing queries, in a client-server architecture. A data structure intended for dispatching to the server is divided at the client side into at least two substructures. These data substructures are dispatched from the client to the server by different routes. One of the routes includes a network node with anonymization module, said node being situated in a regional network different from the regional network in which the server is located and not being in the same intranet as the server or the client. The anonymization module of the node transforms each data substructure dispatched by this route. The data substructures are combined into a structure at the server after being obtained.
    Type: Grant
    Filed: August 13, 2018
    Date of Patent: April 20, 2021
    Assignee: AO KASPERSKY LAB
    Inventors: Andrey A. Efremov, Dmitry V. Shmoylov
  • Patent number: 10970156
    Abstract: Systems and methods are provided for detecting system anomalies and detecting compatible modules for replacing computing systems. The described technique includes receiving system parameters specifying functionality of a first computing system, and interrogating a state model using the received system parameters to detect an anomaly within the first computing system. Responsive to detecting an anomaly in the first computing system based on the state model, the system re-interrogates the state model based on at least one candidate module such that the system parameters of the first computing system are replaced by equivalent system parameters of the candidate module. The system then selects the at least one candidate module based on a determination that the candidate module is compatible with the first computing system, and that no anomaly was detected during the repeat interrogation of the state model using the system parameters of the candidate module.
    Type: Grant
    Filed: June 3, 2019
    Date of Patent: April 6, 2021
    Assignee: AO KASPERSKY LAB
    Inventor: Andrey A. Efremov
  • Patent number: 10949193
    Abstract: Disclosed is a system and method of updating active and passive agents in a network. The system includes a hardware processor configured to designate a unique identifier for each of a plurality of terminal nodes in a network of computing devices, broadcast the identifiers, collect criteria from the nodes, the criteria characterizing each node and a set of unique identifiers for other nodes in a same broadcast domain as the terminal node, generate a list of nodes that are active update agents and a list of nodes that are passive update agents based on the collected criteria, transmit one or more updates of a security application installed on each terminal node to each terminal node that is an active update agent, and transmit from each terminal node that is an active update agent, the one or more updates to each terminal node that is a passive update agent.
    Type: Grant
    Filed: May 17, 2019
    Date of Patent: March 16, 2021
    Assignee: AO Kaspersky Lab
    Inventor: Evgeny S. Zakharov
  • Patent number: 10943008
    Abstract: The present disclosure is directed towards systems and methods for detecting hidden behavior in browser extensions. In one aspect, a method is provided including launching a browser in a protected environment, performing one or more actions in the browser, tracking events occurring during the performing of the one or more actions, identifying extension events from the events that are initiated by a browser extension, analyzing the extension events for indications of change that correspond to behavior not previously declared by the browser extension, and determining that the browser extension is performing hidden behavior when indications of change are found.
    Type: Grant
    Filed: July 18, 2018
    Date of Patent: March 9, 2021
    Assignee: AO Kaspersky Lab
    Inventors: Dmitry V. Vinogradov, Vasily A. Davydov, Denis I. Parinov