Abstract: Systems and methods for detecting fraudulent activity in user transactions. An exemplary method includes, by a hardware processor, receiving user behavior data provided by an input device specifying a user interaction with graphical user interface (GUI) elements of a first application on a computing device for a transaction with a remote server, training a behavior classification algorithm using known behavior of the user, calculating an anomalous user behavior coefficient based on the user behavior data and the behavior classification algorithm, wherein the anomalous user behavior coefficient represents a likelihood that the user's interaction with the plurality of groups of elements of the graphical interface was fraudulent, detecting whether the user interaction is a software-imitated user interaction based on the anomalous user behavior coefficient, and responsive to detecting a software-imitated user interaction, blocking the transaction with the remote server.

Abstract: Disclosed are systems and method for trusted presentation of information on an untrusted user device. An exemplary system includes a secure portable device which can be connected to the untrusted user device and configured to: receive data from the untrusted user device; analyze the received data to identify therein information intended for display to the user via the untrusted user device; generate a video stream containing at least part of the information intended for display to the user; generate and insert into the video stream one or more protection elements that serve to authenticate the information being outputted in the video stream; and transmit the generated video stream to the user device.

Abstract: Disclosed are systems and methods for detection of malicious files using machine learning. An example method comprises: selecting one or more data blocks in an object being analyzed based on rules; performing a static analysis on the one or more data blocks to determine a set of features of the one or more data blocks; determining a degree of harmfulness of the object based on the set of features and a model for detection of malicious objects, wherein the model has been trained by a method for machine learning on at least one safe object and one malicious object; recognizing the object is safe when the degree of harmfulness does not exceed a predetermined threshold of harmfulness; and recognizing the object is malicious when the degree of harmfulness of the one or more data blocks exceeds the predetermined threshold of harmfulness.

Abstract: Disclosed herein are systems and methods of identifying malicious files using a learning model trained on a malicious file. In one aspect, an exemplary method comprises selecting, using a hardware processor, the malicious file from a plurality of malicious files that are known to be harmful, selecting, using the hardware processor, a plurality of safe files from a set of safe files that are known to be safe, generating, using the hardware processor, a learning model by training a neural network with the malicious file and the plurality of safe files, generating, using the hardware processor, rules for detection of malicious files from the learning model, determining, using the hardware processor, whether attributes of an unknown file fulfill the rules for detection of malicious files using the learning model and responsive to determining that the rules for detection are fulfilled, identifying, using the hardware processor, the unknown file as malicious.

Abstract: The present disclosure provides systems and methods of selecting candidates for comparison of fingerprints of devices. An exemplary method comprises calculating a digital fingerprint of a device, determining a group of digital fingerprints where the digital fingerprint occurs, calculating vectors of changed features of each digital fingerprint, calculating a probability that the digital fingerprint and each digital fingerprint within the group belong to the same chain, identifying a set of candidates from the group whose probability of belonging to the same chain of fingerprints crosses a value, comparing the calculated digital fingerprint of the device with the fingerprints in the set of candidates, determine that the device correspond to a device in the set of candidates when the comparison results in a match higher than a specified threshold and permitting the user actions, otherwise tracking the user actions with the online service as fraudulent activity.

Abstract: Disclosed are systems and methods generating a convolution function for training a malware detection model. An example method comprises selecting, by a processor, one or more commands from a log according to a set of predetermined rules, forming, by the processor, one or more behavior patterns from the one or more selected commands, determining, by the processor, a feature vector according to the one or more behavior patterns, generating, by the processor, a convolution function according to the feature vector, wherein a size of a result of the convolution function of the feature vector is less than the size of the feature vector, and computing, by the processor, one or more parameters for training a malware detection model using the convolution function on the one or more behavior patterns.

Abstract: Systems and methods for countering a cyber attack on computing devices used by users gather data about services with which users are interacting, as well as data about devices used by users for such interactions. The collected data is analyzed to detect when a cyber-attack on the devices is occurring as a result of a data breach of personal data on users from at least one service. Actions are selected for countering the cyber-attack and are sent to the devices of all users of the corresponding cluster in the event that a match is found in the characteristics of the attack vector for at least one device of another user whose devices belong to the corresponding cluster.

Abstract: Disclosed are systems and methods for training and retraining a model for detection of malicious activity from container files, which contain at least two or more objects constituting logically separate data regions. Parameters of each object chosen from at least one safe container and one malicious container are determined which uniquely characterize the functional relation of the mentioned object to at least one selected object. Convolutions are formed separately for each container on the basis of the determined parameters of the objects, which are used to train a machine learning model for detecting malicious container files.

Abstract: Systems and methods for ensuring data security. A MAC is computed sequentially for each selected message from a data log that contains at least two messages. To build a data block, a preset encryption key is used for a first message and an encryption key for the previous message is used for subsequent messages. A determination that the data log is compromised can be made based on MAC data block data and an independent calculation of a MAC.

Abstract: Disclosed herein are methods and systems for detecting malicious files using two stage file classification. An exemplary method comprises selecting, by a hardware processor, a set of attributes of a file under analysis, calculating, by the hardware processor, a hash of the file based on the selected set of attributes, selecting, by the hardware processor, a classifier for the file from a set of classifiers based on the calculated hash of the file, assigning, by the hardware processor, the file under analysis to the one or more categories based on the selected classifier, determining whether the file has been assigned to a category of malicious files and concluding that the file is malicious based on the determination.

Abstract: The present disclosure provides for systems and methods for detecting a modification of a web resource. An exemplary method comprises generating a script for verifying the integrity of the web resource, wherein the script is a description of the process of calculating characteristics of objects of that web resource, embedding the script in the web resource, receiving a convolution of the web resource after execution, generating an image of the web resource on the basis of the at least one calculated convolution, the image of the web resource being a vector representation of the content of the web resource and making, by a processor, a decision as to the modification of the web resource on the basis of the determined characteristics of modification of the web resource.

Abstract: Disclosed herein are methods and systems of identifying vulnerabilities of an application. An exemplary method comprises identifying at least one function in executable code of the application according to at least one rule for modification of functions, adding an interception code to the executable code of the application upon launching of the application, executing the application with the added interception code, collecting, by the interception code, data relating to function calls performed by the application during execution, analyzing the collected data based on criteria for safe execution of applications, wherein the criteria comprises a range of permissible values of arguments of intercepted function calls and identifying inconsistencies between the analyzed data and the criteria for safe execution of applications, wherein the inconsistencies indicate vulnerabilities in the application.

Abstract: The present disclosure is directed to a system and method of detecting malicious files by using a trained machine learning model. The system may comprise a hardware processor configured to form at least one behavior pattern, calculate the convolution of all behavior patterns, select from a database of detection models at least two models for detection of malicious files on the basis of the behavior patterns, calculate the degree of harmfulness of a file being executed on the basis of an analysis of the convolution and the at least two models for detection of malicious files, form, on the basis of the degrees of harmfulness, a decision-making pattern, recognize the file being executed as malicious if the degree of similarity between the formulated decision-making pattern and at least one of a predetermined decision-making patterns from a database of decision-making patterns previously formulated on the basis of an analysis of malicious files, exceeds a predetermined threshold value.

Abstract: Disclosed are systems and methods for cloud detection, investigation and elimination of targeted attacks. In one exemplary aspect, the system comprises a computer protection module configured to: gather information on an object in a computer in a network; and save a security notification with the object in an object database in the network; and a module for protection against targeted attacks configured to: search for the object in a threat database in the network; add one or more tags to the object when the object is found in the threat database and adding a correspondence between a record in the object database and the threat database; and determine that a computer attack has occurred when the one or more tags correspond to signatures in a database of computer attacks.

Abstract: Systems and methods for controlling access to a cyber-physical system (CPS). A security tool can perform access authorization by analyzing messages sent through the CPS, creating a plurality of fictitious messages, sending the plurality of fictitious messages though the CPS, and checking whether correct authorization data is included in the analyzed messages to determine authorized or unauthorized access to the CPS. An access monitoring tool can detect a change in a functional CPS module related to unauthorized access to the CPS, and responsive to the detection of a change in a functional CPS module related to unauthorized access to the CPS, change a state of a functional CPS module using a monitoring rule.

Abstract: Disclosed herein are methods and systems of detecting malicious files. According to one aspect, a method comprises receiving one or more call logs from respectively one or more computers, each call log comprising function calls made from a file executing on a respective computer, combining the one or more call logs into a combined call log, searching the combined call log to find a match for one or more behavioral rules stored in a threat database, determining, when the behavioral rules are found in the call log, a verdict about the file being investigated and transmitting information regarding the verdict to the one or more computers.

Abstract: Techniques are provided for downloading of filtering rules from a remote server onto a mobile device. A priority list is determined from lists of filtering rules, the priority list having a highest indicator of frequency of actuation of the filtering rules from the lists. The filtering rules are designated for use by a first application on the mobile device. The priority list is transmitted to the mobile device with the aid of a second application, the second application on the mobile device being a provider of the filtering rules for the first application. Each of the remaining lists of filtering rules are divided into parts. Groups of filtering rules are generated based on frequency of actuation within each of the remaining lists of filtering rules, each group having not more than one part of each remaining list of filtering rules.

Abstract: The present disclosure is directed to methods and systems for automated design of a system of hardware and software. In an exemplary embodiment, such a method comprises constructing, by a hardware processor, a model of use based on an architecture description of the system, constructing, by the hardware processor, threat model based on a threat description indicating known threats to the system, determining use of the system based on a comparison between the model of use and the threat model and selecting a configuration for realizing the system based on a result of the comparison.

Abstract: Disclosed herein are systems and methods for identifying images containing a personal identifying document. In one aspect, an exemplary method comprises obtaining a first set of images by selecting images from a stream of images in an arbitrary sequence, determining images in the first set of images that contain documents, generating a second set of images by excluding from the first set of images those images that do not contain documents, determining images in the second set of images that contain basic structural elements of an identification document, generating a third set of images by excluding from the second set of images those images which do not contain basic structural elements of an identification document and identifying from the generated third set of images, at least one image containing at least one identification document based on rules of determination.

Abstract: Disclosed herein are systems and methods for generating a request for information on a file to perform an antivirus scan. In one aspect, an exemplary method comprises, intercepting the file, synchronously calculating a first hash of a portion of the file, searching in a verdict cache, when the hash is found, determining whether the hash belongs to a list of malicious files, when it belongs to the list of malicious files, synchronously calculating a second hash, searching for the second hash in the verdict cache, and pronouncing a final decision as to harmfulness of the file, when the first hash does not belong to the list of malicious files, granting access to the file, asynchronously generating a request for information about the file, calculating a second hash, searching for the information in a verdict cache, and pronouncing a decision as to harmfulness of the file.