Abstract: Disclosed systems and methods for monitoring an execution system of a programming logic controller (PLC), the method comprising: accessing, by a security module, the PLC execution system and dividing the code and data of the PLC execution system into a plurality of program modules; modifying, by the security module, data exchange interfaces of the program modules used for the interaction between the program modules and the resources of the operating system such that said interaction occurs through the security module, while a format of the data being exchanged complies with a format specified by the security module; and monitoring, by the security module, the execution of the PLC execution system, including monitoring the interaction of the program modules of the PLC execution system with each other and with the resources of the operating system.

Abstract: Disclosed are systems and method for controlling access to objects of an operating system using Access Control Lists (ACLs). An exemplary method comprises: generating, by a processor, one or more ACLs for objects of the operating system based on at least one access rule specifying the access mode to the object of the operating system to one or more users based on the one or more categories to which the objects belongs; intercepting a request from a user to access an object of the operating system; determining, by the processor, one or more ACLs associated with the requested object; and applying, by the processor, the determined one or more ACLs to decide whether to allow or deny access of the user to the requested object, wherein if one of the applied ACLs denies access to the object, the access will be blocked, otherwise the access will be allowed.

Abstract: Disclosed are systems and methods for limiting access of a user profile to dangerous content in a social network service. The described system produces a social graph for a given user profile in the social network service, and identifies clusters of objects (e.g., other user profiles, contents) within the social graph. The described system analyzes whether certain objects in the social graph should be characterized as suspicious based on their clustering and on a database of known forbidden objects. The described system may further learn and add unknown objects to the database of forbidden objects.

Abstract: Disclosed are systems and methods for execution of program code by an interpreter. One exemplary method comprises: generating intermediate instructions based on a unified grammar from instructions of the program code, beginning execution of the intermediate instructions in an emulated computer environment, in response to detecting an instruction of the program code associated with an object for which a rule of interpretation is not found, halting further execution of the intermediate instructions, obtaining an auxiliary code corresponding to the object, wherein a result of execution of the auxiliary code corresponds to the result of the execution of the object, and wherein the auxiliary code contains objects for which the interpreter has a rule of interpretation, executing the instructions of the auxiliary code; and after completion of the execution of the auxiliary code, resuming the execution of the intermediate instructions.

Abstract: Disclosed are systems and methods of identifying a new device during a user's interaction with online services, such as banking services. In one aspect, a method is provided comprising collecting fingerprint for a device associated with a user, isolating, from the fingerprint, one or more key characteristics of the device which affect device security, performing clustering of previously known devices used by the user based on the one or more key characteristics, computing a difference between the one or more key characteristics of the device and one or more key characteristics of one or more devices which the user previously used to access an online service, wherein the one or more devices are from among the clustering of previously known devices and determining that the device is a new device used by the user when the difference exceeds a threshold value.

Abstract: A system and method is provided for detecting anomalous events occurring in an operating system of a computing device. An exemplary method includes detecting an event that occurs in the operating system of the computing device during execution of a software process. Moreover, the method includes determining a context of the detected event and forming a convolution of the detected event based on selected features of the determined context of the detected event. Further, the method includes determining a popularity of the formed convolution by polling a database containing data relating to a frequency of detected events occurring in client devices in a network, where the detected events of the client devices correspond to the detected event in the computing device. If the determined popularity is below a threshold value, the method determines that the detected event is an anomalous event.

Abstract: Disclosed are systems and methods for selecting a data entry mechanism for an application based on security requirements. An example method comprises: determining a plurality of activity states of an application during a creation of the application, determining, for each activity state of a subset of activity states of the plurality of activity states, whether a data entry mechanism of the application is dependent on the activity state, for each activity state of the subset of activity states for which the data entry mechanism is determined as being dependent on the activity state, determining security requirements corresponding to the activity state during the creation of the application and selecting a data entry mechanism for each of the determined security requirements corresponding to the activity state, during an activation of an activity corresponding to an activity state of the subset, activating a corresponding selected data entry mechanism.

Abstract: Disclosed are systems and methods for securely controlling a vehicle using a mobile device. An exemplary method comprises authenticating, by a mobile device, a user attempting to perform commands controlling one or more vehicle systems of a coupled vehicle, retrieving profile information related to the user's preference associated with the coupled vehicle, establishing a connection between the mobile device and a security device of the coupled vehicle, authenticating the mobile device with the security device, forming, by the mobile device, commands to control the one or more vehicle systems based on command forming algorithms, the one or more vehicle systems comprising actuating devices of the vehicle and electronic systems of the vehicle, modifying the formed commands based on the profile information and safety information related to a location of the vehicle and transmitting the formed commands to the one or more vehicle systems via the security device to securely control the vehicle.

Abstract: Disclosed are systems and methods for generating a log for conducting an antivirus scan of a file. The described technique includes opening a file in a virtual machine, which causes execution of a guest process and a thread in a (virtual) processor of the virtual machine. The technique includes identifying, during execution of the first thread, events that involve alteration of guest physical memory pages of the virtual machine. The technique determines altered guest physical memory page based on analysis of the log and identifies when a transfer of control to altered guest physical memory pages has occurred. The resultant log for analysis by a security application includes information indicating the events occurring during execution of the thread in the altered guest physical memory page, and context data of the virtual processor on which the thread is being executed.

Abstract: A system and method is provided for detecting anomalous events occurring in an operating system of a computing device. An exemplary method includes detecting an event that occurs in the operating system of the computing device during execution of a software process. Moreover, the method includes determining a context of the detected event and forming a convolution of the detected event based on selected features of the determined context of the detected event. Further, the method includes determining a popularity of the formed convolution by polling a database containing data relating to a frequency of detected events occurring in client devices in a network, where the detected events of the client devices correspond to the detected event in the computing device. If the determined popularity is below a threshold value, the method determines that the detected event is an anomalous event.

Abstract: Disclosed are systems and methods for identifying potentially dangerous devices during the interaction of a user with banking services. When there are interactions between a user's device(s) and banking services, the described technique acquires a digital fingerprint of the user device. That digital fingerprint indicates at least one characteristic of the user device. Clusters associated with the user device are created based on the at least one characteristic of the user device. Each cluster is associated with a corresponding threat degree. In response to determining that the user device is a threat risk based on the one or more generated clusters, transactions being carried out between the user device and the banking services may be blocked.

Abstract: Disclosed are system and method for detecting anomalous or malicious elements of a web page. One exemplary method comprises: obtaining data about elements of a tested web page; generating at least one N-dimensional vector characterizing elements of the tested web page; retrieving a statistical model of known malicious web page elements; comparing the at least one N-dimensional vector with clusters of the statistical model of known malicious web page elements, by measuring the distance of the N-dimensional vector of the element and centers of all clusters of the statistical model; and identifying at least one malicious element of the tested web page based on results of the comparison.

Abstract: A method and system is provided for detecting malicious files in a distributed network having a plurality of virtual machines. An example method includes: determining and obtaining, by a virtual machine, at least one file for performing an antivirus scan; collecting data relating to characteristics of computing resources of each virtual machine and parameters relating to the antivirus scan; determining an approximation time function of the characteristics of the computing resources and an approximation function of the one or more parameters for determining an approximation time function of effectiveness of the antivirus scan; and beased at least on the approximation time function of effectiveness of the antivirus scan, selecting one virtual machine to perform the antivirus scan in order to determine whether the at least one file is malicious.

Abstract: A system and method is provided for detecting anomalous events occurring in an operating system of a computing device. An exemplary method includes detecting an event that occurs in the operating system of the computing device during execution of a software process. Moreover, the method includes determining a context of the detected event and forming a convolution of the detected event based on selected features of the determined context of the detected event. Further, the method includes determining a popularity of the formed convolution by polling a database containing data relating to a frequency of detected events occurring in client devices in a network, where the detected events of the client devices correspond to the detected event in the computing device. If the determined popularity is below a threshold value, the method determines that the detected event is an anomalous event.

Abstract: Disclosed are systems and methods for activating a data entry mechanism for an application based on security requirements. An example method comprises detecting, by a hardware processor, an activity state of the application during an execution of the application on a user device, determining the security requirements associated with the detected activity state, wherein the determined security requirements comprise properties for the data entry mechanism, activating the data entry mechanism for receiving user input for the application, wherein the data entry mechanism is based on the determined security requirements, and receiving the user input in accordance with the activated data entry mechanism.

Abstract: Disclosed are systems and methods for receiving user input using a data entry mechanism activated for an application. An example method comprises detecting, by a hardware processor, an activity state of the application during an execution of the application on a user device, determining security requirements associated with the activity state, wherein the security requirements comprise properties for the data entry mechanism, selecting a data entry mechanism corresponding to the determined security requirements associated with the activity state, activating the selected data entry mechanism for receiving user input for the application, wherein the selected data entry mechanism is governed according to the properties of the security requirements associated with the activity state, receiving the user input in accordance with the activated data entry mechanism, and displaying a modified version of the user input according to the properties of the security requirements.

Abstract: Disclosed are systems and methods for repairing vulnerabilities of objects connected to a data network. An example method includes transmitting a request throughout the data network, obtaining responses from a plurality of accessible objects in the data network, attempting to obtain access to the plurality of accessible objects using a plurality of access methods, when access to an object is obtained, obtaining a list of resources of the accessed object, comparing the list of resources with a database of vulnerabilities to determine to identify one or more resources from the list of resources that have a similar vulnerable status as a vulnerable resource in the database of vulnerabilities and repairing vulnerabilities associated with the accessed object by applying repairs associated with the vulnerable resource to the accessed object.

Abstract: Disclosed are a system and method for secure execution of script files. An example method includes providing a security container associated with a script interpreter, wherein the security container includes at least action limiting policies for the interpreter; detecting an attempt by the script interpreter to execute a script file; determining using the security container whether the script file is a trusted script file; allowing the script interpreter to execute a trusted script file; intercepting actions of the interpreter during execution of the script file; determining using the security container whether an intercepted action is permitted; when the intercepted action is permitted, determining using the security container whether any limitations are associated with the intercepted action; and when a limitation is associated with the intercepted action, applying the limitation to the intercepted action during the execution of the script file.

Abstract: Disclosed are systems and methods for protection of a technological system (TS) from cyber attacks. An exemplary method comprises: obtaining a real state of the TS; initializing a cybernetic control system (CCS) by synchronizing the CCS with the TS; comparing, by the CCS, the real state of the TS with an ideal state of the TS; based on the comparison, identifying a deviation of the real state of the TS from the ideal state of the TS; when the deviation is identified, checking an integrity of at least functional interconnections of the states of one or more elements of the TS; determining whether the ideal state of the TS is a modeling error based on one or more confirmed sustained functional interconnections between elements of the TS; and identifying anomalies in the TS based on one or more disturbed functional interconnections between elements of the TS.

Abstract: Disclosed are system and method for detecting malicious code in files. One exemplary method comprises: intercepting, by a processor, one or more application program interface (API) calls during an execution of a process launched from a file of a computing device; determining and detecting, by the processor, a presence of an exit condition of the process; in response to detecting the exit condition, identifying one or more signatures of a first type and transferring one or more saved memory dumps of the computing device to an emulator for execution; and determining and identifying a malicious code in the file in response to detecting one or more signatures of a second type based at least upon execution results of the transferred memory dumps of the computing device.