Patents Assigned to Bitdefender IPR Management Ltd.
  • Patent number: 8875295
    Abstract: Described systems and methods allow protecting a computer system from malware, such as viruses and rootkits. In some embodiments, a hypervisor configures a hardware virtualization platform hosting a set of operating systems (OS). A memory introspection engine executing at the processor privilege level of the hypervisor dynamically identifies each OS, and uses a protection priming module to change the way memory is allocated to a target software object by the memory allocation function native to the respective OS. In some embodiments, the change affects only target objects requiring malware protection, and comprises enforcing that memory pages containing data of the target object are reserved exclusively for the respective object. The memory introspection engine then write-protects the respective memory pages.
    Type: Grant
    Filed: February 22, 2013
    Date of Patent: October 28, 2014
    Assignee: Bitdefender IPR Management Ltd.
    Inventors: Andrei V. Lutas, Sandor Lukacs, Dan H. Lutas
  • Publication number: 20140259157
    Abstract: Described systems and methods allow a classification of electronic documents such as email messages and HTML documents, according to a document-specific text fingerprint. The text fingerprint is calculated for a text block of each target document, and comprises a sequence of characters determined according to a plurality of text tokens of the respective text block. In some embodiments, the length of the text fingerprint is forced within a pre-determined range of lengths (e.g. between 129 and 256 characters) irrespective of the length of the text block, by zooming in for short text blocks, and zooming out for long ones. Classification may include, for instance, determining whether an electronic document represents unsolicited communication (spam) or online fraud such as phishing.
    Type: Application
    Filed: March 8, 2013
    Publication date: September 11, 2014
    Applicant: BITDEFENDER IPR MANAGEMENT LTD.
    Inventors: Adrian Toma, Marius N. Tibeica
  • Publication number: 20140245444
    Abstract: Described systems and methods allow protecting a computer system from malware, such as viruses and rootkits. In some embodiments, a hypervisor configures a hardware virtualization platform hosting a set of operating systems (OS). A memory introspection engine executing at the processor privilege level of the hypervisor dynamically identifies each OS, and uses a protection priming module to change the way memory is allocated to a target software object by the memory allocation function native to the respective OS. In some embodiments, the change affects only target objects requiring malware protection, and comprises enforcing that memory pages containing data of the target object are reserved exclusively for the respective object. The memory introspection engine then write-protects the respective memory pages.
    Type: Application
    Filed: February 22, 2013
    Publication date: August 28, 2014
    Applicant: BITDEFENDER IPR MANAGEMENT LTD.
    Inventors: Andrei V. LUTAS, Sandor LUKACS, Dan H. LUTAS
  • Patent number: 8813222
    Abstract: In some embodiments, a malware detecting system is configured to conduct an iterative, collaborative scan of a target object (computer file or process), comprising a server-side scan and a client-side scan, and to assess the malware status of the target object according to the results of the client-side and server-side scans. The client-side scan comprises computationally-intensive operations such as virtual-environment emulation, decryption and data compression methods, while the server-side scan comprises database-intensive operations such as hash lookups. The information exchanged between client and server systems may be limited to relatively-compact data, such as hashes, which may amount to a few bytes per target object.
    Type: Grant
    Filed: January 21, 2009
    Date of Patent: August 19, 2014
    Assignee: Bitdefender IPR Management Ltd.
    Inventors: Dumitru Codreanu, Mihai Neagu, Mihai Chiriac
  • Patent number: 8813239
    Abstract: In some embodiments, an online fraud prevention system combines the output of several distinct fraud filters, to produce an aggregate score indicative of the likelihood that a surveyed target document (e.g. webpage, email) is fraudulent. Newly implemented fraud filters can be incorporated and ageing fraud filters can be phased out without the need to recalculate individual scores or to renormalize the aggregate fraud score. Every time the output of an individual filter is calculated, the aggregate score is updated in a manner which ensures the aggregate score remains within predetermined bounds defined by a minimum allowable score and a maximum allowable score (e.g., 0 to 100).
    Type: Grant
    Filed: January 17, 2012
    Date of Patent: August 19, 2014
    Assignee: Bitdefender IPR Management Ltd.
    Inventors: Marius N Tibeica, Alin O Damian, Razvan Visan
  • Publication number: 20140137115
    Abstract: A client system, such as a computer or a smartphone, securely exchanges sensitive information with a remote service provider computer system such as a bank or an online retailer. The client system executes a commercially available operating system in an untrusted virtual machine (VM), which may be affected by malware. A hypervisor is configured to launch a trusted, malware-free VM from an authenticated image stored on computer-readable media used by the untrusted VM. The trusted VM executes a thin operating system with minimal functionality, to manage a secure communication channel with the remote server system, wherein sensitive communication is encrypted. Data from the trusted VM is forwarded via the hypervisor to a network interface driver of the untrusted VM for transmission to the remote service provider. The service provider may perform a remote attestation of the client system to determine whether it operates a trusted VM.
    Type: Application
    Filed: January 17, 2014
    Publication date: May 15, 2014
    Applicant: Bitdefender IPR Management Ltd.
    Inventors: Raul V. TOSA, Sandor LUKACS, Dan H. LUTAS
  • Publication number: 20140137180
    Abstract: Described systems and methods allow the detection and prevention of malware and/or malicious activity within a network comprising multiple client computer systems, such as an enterprise network with multiple endpoints. Each endpoint operates a hardware virtualization platform, including a hypervisor exposing a client virtual machine (VM) and a security VM. The security VM is configured to have exclusive use of the network adapter(s) of the respective endpoint, and to detect whether data traffic to/from the client VM comprises malware or is indicative of malicious behavior. Upon detecting malware/malicious behavior, the security VM may block access of the client VM to the network, thus preventing the spread of malware to other endpoints. The client system may further comprise a memory introspection engine configured to perform malware scanning of the client VM from the level of the hypervisor.
    Type: Application
    Filed: November 13, 2012
    Publication date: May 15, 2014
    Applicant: BITDEFENDER IPR MANAGEMENT LTD.
    Inventors: Sandor LUKACS, Dan H. LUTAS, Raul V. TOSA
  • Patent number: 8695100
    Abstract: In some embodiments, a phishing detection method includes computing a first phishing indicator of a target webpage; when the target webpage is considered suspicious of phishing according to the first phishing indicator, computing a second phishing indicator of the target webpage, and deciding whether the webpage is a phishing site according to the first and second phishing indicators. Computing the second phishing indicator comprises comparing a word content (semantic content) of the target webpage to a word content of each of a plurality of reference webpages. Comparing the word contents may include counting the number of visible words which are common to the target and reference webpages, and/or computing a ratio of a number of words which are common to the target and reference webpages to the total number of words in both the target and reference webpages.
    Type: Grant
    Filed: December 31, 2007
    Date of Patent: April 8, 2014
    Assignee: Bitdefender IPR Management Ltd.
    Inventor: Catalin A. Cosoi
  • Publication number: 20140068772
    Abstract: In some embodiments, an anti-malware system accounts for benign differences between non-malicious data objects, such as differences introduced by compilers and other polymorphisms. A target object is separated into a multitude of code blocks, and a hash is calculated for each code block. The obtained set of target hashes is then compared against a database of hashes corresponding to code blocks extracted from whitelisted objects. A target object may be labeled as whitelisted (trusted, non-malicious) if it has a substantial number of hashes in common with a whitelisted object. Objects which are slightly different from known whitelisted objects may still receive whitelisting status. By allowing a certain degree of mismatch between the sets of hashes of distinct objects, some embodiments of the present invention increase the efficiency of whitelisting without an unacceptable decrease in safety.
    Type: Application
    Filed: November 11, 2013
    Publication date: March 6, 2014
    Applicant: BitDefender IPR Management Ltd.
    Inventors: Vlad I. TOPAN, Sorin V. DUDEA, Viorel D. CANJA
  • Patent number: 8656482
    Abstract: A client system, such as a computer or a smartphone, securely exchanges sensitive information with a remote service provider computer system such as a bank or an online retailer. The client system executes a commercially available operating system in an untrusted virtual machine (VM), which may be affected by malware. A hypervisor is configured to launch a trusted, malware-free VM from an authenticated image stored on computer-readable media used by the untrusted VM. The trusted VM executes a thin operating system with minimal functionality, to manage a secure communication channel with the remote server system, wherein sensitive communication is encrypted. Data from the trusted VM is forwarded via the hypervisor to a network interface driver of the untrusted VM for transmission to the remote service provider. The service provider may perform a remote attestation of the client system to determine whether it operates a trusted VM.
    Type: Grant
    Filed: August 20, 2012
    Date of Patent: February 18, 2014
    Assignee: Bitdefender IPR Management Ltd.
    Inventors: Raul V. Tosa, Sandor Lukacs, Dan H. Lutas
  • Patent number: 8631330
    Abstract: In some embodiments, a graphical user interface (GUI) of a computer security application is automatically configured according to a user profile of the user. Upon installation of the computer security application, a desired GUI complexity questionnaire is displayed to the user. The application then matches the user to a user profile out of a set of predefined user profiles, according to the user's answers to the questionnaire. User profiles reflect a user's desired complexity of display and control (e.g. Novice/Intermediate/Expert, Basic/Intermediate/Advanced). The information displayed and application controls provided by the GUI window vary in detail according to the user profile. Selecting a user profile propagates multiple individually-user-configurable display and control settings of the GUI, as well as under-the-hood (non-GUI) settings of the anti-malware application.
    Type: Grant
    Filed: August 16, 2010
    Date of Patent: January 14, 2014
    Assignee: Bitdefender IPR Management Ltd.
    Inventors: Vincent Hwang, Dianne Pilon, Michael B. Roberts, Iosefa M. C. Maierean
  • Patent number: 8584235
    Abstract: In some embodiments, an anti-malware system accounts for benign differences between non-malicious data objects, such as differences introduced by compilers and other polymorphisms. A target object is separated into a multitude of code blocks, and a hash is calculated for each code block. The obtained set of target hashes is then compared against a database of hashes corresponding to code blocks extracted from whitelisted objects. A target object may be labeled as whitelisted (trusted, non-malicious) if it has a substantial number of hashes in common with a whitelisted object. Objects which are slightly different from known whitelisted objects may still receive whitelisting status. By allowing a certain degree of mismatch between the sets of hashes of distinct objects, some embodiments of the present invention increase the efficiency of whitelisting without an unacceptable decrease in safety.
    Type: Grant
    Filed: December 6, 2011
    Date of Patent: November 12, 2013
    Assignee: Bitdefender IPR Management Ltd.
    Inventors: Vlad I. Topan, Sorin V. Dudea, Viorel D. Canja
  • Patent number: 8572184
    Abstract: In some embodiments, a spam filtering method includes computing the relevance of each of a plurality of anti-spam filters according to a relevance parameter set, and deciding whether an electronic message is spam or non-spam according to the relevancies and individual classification scores generated by the anti-spam filters. The relevance of an anti-spam filter indicates the degree to which a classification score produced by that particular filter determines the final classification of a given message. The relevance parameter set of each anti-spam filter may include, among others, a training maturity indicative of the degree of training of the filter, a filter update age indicative of the time elapsed since the latest update of the filter, a false-positive classification indicator, and a false-negative classification indicator of the anti-spam filter.
    Type: Grant
    Filed: October 4, 2007
    Date of Patent: October 29, 2013
    Assignee: BITDEFENDER IPR Management Ltd.
    Inventor: Catalin A. Cosoi
  • Publication number: 20130097704
    Abstract: Described systems and methods allow the reduction of noise found in a corpus used for training automatic classifiers for anti-malware applications. Some embodiments target pairs of records, which have opposing labels, e.g. one record labeled as clean/benign, while the other labeled as malware. When two such records are found to be similar, they are identified as noise and are either discarded from the corpus, or relabeled. Two records may be deemed similar when, in a simple case, they share a majority of features, or, in a more sophisticated case, they are sufficiently close in a feature space according to some distance measure.
    Type: Application
    Filed: October 13, 2012
    Publication date: April 18, 2013
    Applicant: BITDEFENDER IPR MANAGEMENT LTD.
    Inventor: Bitdefender IPR Management Ltd.
  • Patent number: 8407797
    Abstract: In some embodiments, antivirus/malware behavior-based scanning (emulation) is accelerated by identifying known code sequences and executing pre-stored native-code routines (e.g. decompression, decryption, checksum routines) implementing the functionality of the known code sequences before returning to the emulation. During emulation, target machine code instructions are compared to a set of known signatures. If a known code sequence is identified, the emulator calls a native code routine and caches the current instruction address. If the emulator subsequently reaches a cached address, a native code routine may be called without scanning the data at the address for known signatures. Signature scanning may be performed selectively for instructions following code flow changes (e.g. after jump, call or interrupt instructions).
    Type: Grant
    Filed: April 2, 2012
    Date of Patent: March 26, 2013
    Assignee: Bitdefender IPR Management Ltd.
    Inventor: Mihai Novitchi
  • Patent number: 8335383
    Abstract: In some embodiments, image spam is identified by comparing color histograms of suspected spam images with color histograms of reference (known) images. The histogram comparison includes comparing a first color content in a query image with a range of similar color contents in the reference image. For example, a pixel count for a given color in the query image may be compared to pixel counts for a range of similar colors in the reference image. A histogram distance between two images may be determined according to a computed pixel count difference between the given query histogram color and a selected color in the range of similar reference histogram colors.
    Type: Grant
    Filed: July 5, 2010
    Date of Patent: December 18, 2012
    Assignee: Bitdefender IPR Management Ltd.
    Inventor: Catalin A Cosoi
  • Patent number: 8170966
    Abstract: In some embodiments, a streaming message classification method dynamically allocates a stream of messages to a variable number of clusters (e.g. message categories), each containing messages which share a set of similar features. Incoming messages are compared to a collection of known spam clusters. New spam types are identified, and new clusters are created automatically and dynamically in order to accommodate the new spam types. Message clustering is performed in a hyperspace of message feature vectors using a modified k-means algorithm. Triangle inequality distance comparisons may be used to accelerate hyperspace distance calculations.
    Type: Grant
    Filed: November 4, 2008
    Date of Patent: May 1, 2012
    Assignee: Bitdefender IPR Management Ltd.
    Inventors: Claudiu C. Musat, Ionut Grigorescu, Alexandru Trifan, Carmen A Mitrica
  • Patent number: 8131655
    Abstract: In some embodiments, a spam filtering method includes computing a pattern relevance for each of a set of message feature patterns, and using a neural network filter to classify incoming messages as spam or ham according to the pattern relevancies. Each message feature pattern is characterized by the simultaneous presence within a message of a specific set of message features (e.g., the presence of certain keywords within the message body, various message header heuristics, various message layout features, etc.). Each message feature may be spam- or ham-identifying, and may receive a tunable feature relevance weight from an external source (e.g. data file and/or human operator). The external feature relevance weights modulate the set of neuronal weights calculated through a training process of the neural network.
    Type: Grant
    Filed: May 30, 2008
    Date of Patent: March 6, 2012
    Assignee: Bitdefender IPR Management Ltd.
    Inventors: Alexandru C Cosoi, Madalin S Vlad, Valentin Sgarciu
  • Patent number: 8065379
    Abstract: In some embodiments, a layout-based electronic communication classification (e.g. spam filtering) method includes generating a layout vector characterizing a layout of a message, assigning the message to a selected cluster according to a hyperspace distance between the layout vector and a central vector of the selected cluster, and classifying the message (e.g. labeling as spam or non-spam) according to the selected cluster. The layout vector is a message representation characterizing a set of relative positions of metaword substructures of the message, as well as metaword substructure counts. Examples of metaword substructures include MIME parts and text lines. For example, a layout vector may have a first component having scalar axes defined by numerical layout feature counts (e.g. numbers of lines, blank lines, links, email addresses), and a second vector component including a line-structure list and a formatting part (e.g. MIME part) list.
    Type: Grant
    Filed: April 27, 2011
    Date of Patent: November 22, 2011
    Assignee: Bitdefender IPR Management Ltd.
    Inventor: Claudiu C. N. Musat
  • Patent number: D718716
    Type: Grant
    Filed: March 18, 2014
    Date of Patent: December 2, 2014
    Assignee: Bitdefender IPR Management Ltd.
    Inventors: Andrei Barbu, Dan R. Berte, Bogdan C. Dumitru, Alexandru V. Veja