Abstract: Disclosed herein are systems and method for blocking novel attack vectors. In one aspect, a detected security incident and a consequential event are correlated such that the combination of the security incident and the consequential event are identified as an attack vector. A method may comprise generating and executing a rule that blocks the consequential event in response to detecting the security incident.

Abstract: Disclosed herein are systems and methods for selective patching processes. In one exemplary aspect, the method includes: identifying, via a user space patching service, a patch that modifies at least one function included in a process, wherein the process is executed on a computing device; generating a list of target pages in virtual memory of the computing device, wherein the list of target pages includes code associated with the at least one function; marking the target pages as non-executable based on file identification; intercepting, using an amended page-fault event handler, an attempt to execute the code associated with the at least one function by the process; and applying the patch to modify the at least one function.

Abstract: Disclosed herein are systems and method for adjusting storage volume size of an application instance. A method may include: identifying a first application instance running on a computing device, wherein the first application instance has an assigned first storage volume on a device storage of the computing device; collecting, over a period of time, usage data of the device storage; determining, based on the collected usage data, whether a usage capacity of the first storage volume of the first application instance is reaching a maximum capacity of the first storage volume; in response to determining that the usage capacity of the first storage volume is reaching the maximum capacity of the first storage volume, adjusting a size of the first storage volume by a first amount to accommodate usage of the first application instance.

Abstract: Disclosed herein are systems and method for protecting core files in a content management system (CMS). In one aspect, a method includes detecting execution of a script on a computing device. In response to determining that the script is located in the core folder and is not included in an exclude list that includes paths of scripts and files that are marked as not malicious, the method includes blocking the execution of the script. If the script is not in the core folder, the method includes determining whether the script will upload, to the core folder, a file that is not in the exclude list. In response to determining that the script will upload the file to the core folder, the method includes blocking write functions in the script during the execution.

Abstract: Systems and methods are provided for data randomization using live patching. A method may comprise generating a plurality of randomization live patches, wherein each randomization live patch comprises a respective technique for swapping data values within a data structure. The method may comprise identifying software comprising at least one of: an operating system and an application, identifying a first data structure associated with the software, and selecting a first randomization live patch from the plurality of randomization live patches. The method may comprise modifying, during runtime and without restarting the software, the software using the first randomization live patch such that data values within the first data structure are swapped or shifted in accordance with a first technique.

Abstract: Disclosed herein are systems and method for detecting coroutines. A method may include: identifying an application running on a computing device, wherein the application includes a plurality of coroutines; determining an address of a common entry point for coroutines, wherein the common entry point is found in a memory of the application; identifying, using an injected code, at least one stack trace entry for the common entry point; detecting coroutine context data based on the at least one stack trace entry; adding an identifier of a coroutine associated with the coroutine context data to a list of detected coroutines; and storing the list of detected coroutines in target process memory associated with the application.

Abstract: Disclosed herein are systems and method for blocking malicious script execution. In one exemplary aspect, the method may comprise detecting an execution of a script that creates or modifies a file on a computing device and recording a first report comprising a list of operations involved in the execution of the script, an identifier of the script, and an identifier of the file. The method may comprise determining that the file includes malicious code using a malware scanner and recording a second report comprising an indication that the file includes malicious code and an identifier of the file. In response to determining that identifier of the file is present in both the first report and the second report, the method may comprise generating and storing a first rule that prevents complete execution of any script that shares at least one operation in the list of operations with the script.

Abstract: Systems and methods are provided for reducing attack surface of a software environment by removing code of an unused functionality. A security hardening module may identify a portion of code of a software, the software comprising at least one of: an operating system and an application. The security hardening module may determine whether the portion is being utilized, and in response to determining that the process is not being utilized, the security hardening module may generate a live patch that removes the portion from the code and may modify, during runtime, the software using the live patch without restarting the software.

Abstract: A variety of methods are provided for an application or operating system (OS) kernel intrusion detection and prevention, based on verification of security invariants and legitimacy of security state transitions from the past historical state. Methods are provided for an application or OS kernel intrusion detection and prevention for unknown attack vectors and vulnerabilities based on additional security checks added to the software by means of live patching.

Abstract: A variety of methods are provided for an application or operating system (OS) kernel intrusion detection and prevention, based on usage of existing vulnerability fixes and their transformation into honeypot detectors. A honeypot patch may be generated for a computing system associated with a software vulnerability in software installed on the computing system. The honeypot patch, when used to modify the installed software, can convert the computing system into a honeypot system configured to detect attempts to exploit the software vulnerability of the software, and in response, generate a security event associated with the software vulnerability.