Abstract: Disclosed herein are systems and method for automated malicious code replacement. In one exemplary aspect, a method may comprise scanning for malicious content in a file comprising a script written in an interpretable programming language, wherein the malicious content triggers malicious activity on a computing device that stores the file. The method may comprise detecting a malware injection in the file based on the scanning, wherein the malware injection comprises at least one operator that enables the malicious activity. The method may comprise identifying a benign operator that can replace the at least one operator to prevent execution of the malicious activity without causing a syntax error. The method may comprise updating the file by replacing the at least one operator with the benign operator.

Abstract: Aspects of the disclosure describe methods and systems for detecting malicious entities using weak passwords for unauthorized access. In one exemplary aspect, a method may comprise intercepting, using a WAF, a password input during a login attempt to a web application by an entity. In response to determining that the password is in a database of weak passwords, the method may comprise generating for display, using the WAF, a web page prompting for a password reset for the web application, storing, in a database, an IP address of the entity and information about the login attempt, retrieving information about a first plurality of login attempts made by the entity in the web application for different user profiles. In response to determining that at least a first threshold number of login attempts have been performed by the entity, the method may comprise storing the IP address in a black list.

Abstract: Disclosed herein are a system and method for caching shortcodes and database queries, a method including: detecting a request to load a webpage from a web browsing application on a first computing device, wherein the webpage includes a shortcode; determining a first amount of time spent executing the shortcode to load the webpage; determining whether the first amount of time is greater than a threshold amount of time; in response to determining that the first amount of time is greater than the threshold amount of time, identifying the shortcode as a cache candidate; determining a time-to-live (TTL) value for the shortcode; and storing content of the shortcode in a cache of a server hosting the webpage until the TTL value expires.

Abstract: Disclosed herein are systems and methods for rapid password evaluation. A method may include: configuring a web application firewall (WAF) to monitor login credentials for one or more web applications; intercepting, using the WAF, a password input during a login attempt to a web application by an entity; calculating a hash value of the password input; transmitting the hash value to a dedicated server configured to: determine whether the hash value is in a database of hashes corresponding to weak passwords; and in response to determining that the hash value is in the database of hashes, transmit a message to the WAF indicating that the password input corresponds to a weak password; and generating for display, using the WAF, a web page prompting for a password reset for the web application.

Abstract: Disclosed herein are systems and methods for automated conversion and management of web server configuration files using a conversion application. In one aspect, an exemplary method comprises receiving an input configuration file for conversion from an Apache configuration file to an NGINX configuration file, parsing the input configuration file into tokens for processing to construct an Apache configuration tree in memory, building a structured Apache configuration tree from the tokens and storing in memory, traversing the Apache configuration tree examining each element of the Apache configuration tree, and for each Apache directive or block that is encountered during the examination, invoking a directive conversion plugin for handling requirements of the respective Apache directive or block, building an NGINX configuration tree corresponding to the Apache configuration tree, and writing the NGINX configuration depicted in the NGINX configuration tree to an NGINX configuration file.

Abstract: Disclosed herein are systems and method for detecting malware signatures in databases. In one exemplary aspect, a method may comprise identifying a plurality of entries of the database, wherein each entry represents a record stored on a computing device and selecting at least one suspicious entry in the plurality of entries. The method may comprise retrieving a record associated with the suspicious entry and applying a transformation to original contents of the record. The method may comprise scanning the transformed contents of the record for a malware signature. In response to detecting a portion of the transformed contents that matches the malware signature, the method may comprise executing a remediation action that removes a corresponding portion from the original contents of the record and updating the database by replacing the at least one suspicious entry with an entry of the record on which the remediation action was executed.

Abstract: Disclosed herein are systems and method for preventing zero-day attacks. A method may include receiving a first report including information about an execution of a first script of an application that modifies a file on a first computing device, and receiving a second report including an indication that the file includes malicious code. In response to determining that an identifier of the file is present in both the first report and the second report, the method may include generating and transmitting, to the first computing device, a first rule that prevents execution of any script that shares at least one operation of the first script. The method may include, in response to determining that a vulnerability detected by the first rule is not present in a vulnerability database, generating an entry in the vulnerability database for the vulnerability as a zero-day vulnerability and transmitting an alert to the application developer.

Abstract: Disclosed herein are systems and method for blocking novel attack vectors. In one aspect, a detected security incident and a consequential event are correlated such that the combination of the security incident and the consequential event are identified as an attack vector. A method may comprise generating and executing a rule that blocks the consequential event in response to detecting the security incident.

Abstract: Disclosed herein are systems and methods for selective patching processes. In one exemplary aspect, the method includes: identifying, via a user space patching service, a patch that modifies at least one function included in a process, wherein the process is executed on a computing device; generating a list of target pages in virtual memory of the computing device, wherein the list of target pages includes code associated with the at least one function; marking the target pages as non-executable based on file identification; intercepting, using an amended page-fault event handler, an attempt to execute the code associated with the at least one function by the process; and applying the patch to modify the at least one function.

Abstract: Disclosed herein are systems and method for adjusting storage volume size of an application instance. A method may include: identifying a first application instance running on a computing device, wherein the first application instance has an assigned first storage volume on a device storage of the computing device; collecting, over a period of time, usage data of the device storage; determining, based on the collected usage data, whether a usage capacity of the first storage volume of the first application instance is reaching a maximum capacity of the first storage volume; in response to determining that the usage capacity of the first storage volume is reaching the maximum capacity of the first storage volume, adjusting a size of the first storage volume by a first amount to accommodate usage of the first application instance.

Abstract: Disclosed herein are systems and method for protecting core files in a content management system (CMS). In one aspect, a method includes detecting execution of a script on a computing device. In response to determining that the script is located in the core folder and is not included in an exclude list that includes paths of scripts and files that are marked as not malicious, the method includes blocking the execution of the script. If the script is not in the core folder, the method includes determining whether the script will upload, to the core folder, a file that is not in the exclude list. In response to determining that the script will upload the file to the core folder, the method includes blocking write functions in the script during the execution.

Abstract: Systems and methods are provided for data randomization using live patching. A method may comprise generating a plurality of randomization live patches, wherein each randomization live patch comprises a respective technique for swapping data values within a data structure. The method may comprise identifying software comprising at least one of: an operating system and an application, identifying a first data structure associated with the software, and selecting a first randomization live patch from the plurality of randomization live patches. The method may comprise modifying, during runtime and without restarting the software, the software using the first randomization live patch such that data values within the first data structure are swapped or shifted in accordance with a first technique.

Abstract: Disclosed herein are systems and method for detecting coroutines. A method may include: identifying an application running on a computing device, wherein the application includes a plurality of coroutines; determining an address of a common entry point for coroutines, wherein the common entry point is found in a memory of the application; identifying, using an injected code, at least one stack trace entry for the common entry point; detecting coroutine context data based on the at least one stack trace entry; adding an identifier of a coroutine associated with the coroutine context data to a list of detected coroutines; and storing the list of detected coroutines in target process memory associated with the application.

Abstract: Disclosed herein are systems and method for blocking malicious script execution. In one exemplary aspect, the method may comprise detecting an execution of a script that creates or modifies a file on a computing device and recording a first report comprising a list of operations involved in the execution of the script, an identifier of the script, and an identifier of the file. The method may comprise determining that the file includes malicious code using a malware scanner and recording a second report comprising an indication that the file includes malicious code and an identifier of the file. In response to determining that identifier of the file is present in both the first report and the second report, the method may comprise generating and storing a first rule that prevents complete execution of any script that shares at least one operation in the list of operations with the script.

Abstract: Systems and methods are provided for reducing attack surface of a software environment by removing code of an unused functionality. A security hardening module may identify a portion of code of a software, the software comprising at least one of: an operating system and an application. The security hardening module may determine whether the portion is being utilized, and in response to determining that the process is not being utilized, the security hardening module may generate a live patch that removes the portion from the code and may modify, during runtime, the software using the live patch without restarting the software.

Abstract: A variety of methods are provided for an application or operating system (OS) kernel intrusion detection and prevention, based on verification of security invariants and legitimacy of security state transitions from the past historical state. Methods are provided for an application or OS kernel intrusion detection and prevention for unknown attack vectors and vulnerabilities based on additional security checks added to the software by means of live patching.

Abstract: A variety of methods are provided for an application or operating system (OS) kernel intrusion detection and prevention, based on usage of existing vulnerability fixes and their transformation into honeypot detectors. A honeypot patch may be generated for a computing system associated with a software vulnerability in software installed on the computing system. The honeypot patch, when used to modify the installed software, can convert the computing system into a honeypot system configured to detect attempts to exploit the software vulnerability of the software, and in response, generate a security event associated with the software vulnerability.