Patents Assigned to CROWDSTRIKE, INC.
  • Patent number: 11709811
    Abstract: Techniques for searching an inverted index associating byte sequences of a fixed length and files that contain those byte sequences are described herein. Byte sequences comprising a search query are determined and searched in the inverted index. In some examples, training data for training machine learning model(s) may be created using pre-featured data from the inverted index. In various examples, training data may be used to retrain an ML model until the ML model meets a criterion. In some examples, the trained ML model may be used to perform searches on the inverted index and classify files.
    Type: Grant
    Filed: May 14, 2019
    Date of Patent: July 25, 2023
    Assignee: CrowdStrike, Inc.
    Inventors: Horea Coroiu, Daniel Radu, Marian Radu
  • Patent number: 11711379
    Abstract: A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally-defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices and can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.
    Type: Grant
    Filed: April 15, 2020
    Date of Patent: July 25, 2023
    Assignee: CrowdStrike, Inc.
    Inventors: David F. Diehl, Thomas Johann Essebier
  • Patent number: 11687649
    Abstract: A security agent executing in kernel mode may receive a request from the anti-malware component executing with low privileges in user mode, and, in response, the security agent may perform a security action with respect to a malicious file detected on the computing device. The security agent may then assist the anti-malware component in providing a user notification about the security action by obtaining, on behalf of the anti-malware component, a user token associated with the user session in which the malicious file was detected. The anti-malware component can use the obtained user token to request a pointer to a Component Object Model (COM) interface for outputting the notification in context of the appropriate user session, which allows for securely and efficiently providing the user notification.
    Type: Grant
    Filed: August 31, 2020
    Date of Patent: June 27, 2023
    Assignee: CrowdStrike, Inc.
    Inventor: Ion-Alexandru Ionescu
  • Patent number: 11625484
    Abstract: Techniques for searching an inverted index associating byte sequences of a fixed length and files that contain those byte sequences are described herein. Byte sequences comprising a search query are determined and searched in the inverted index, and an intersection of the results is determined and returned as a response to the search query. Further, search queries in the form of expressions including search terms and logical operators are searched in the inverted index and evaluated using a syntax tree constructed based on the logical operators. Also, byte sequences comprising a file are searched in the inverted index and results of the search are used to generate signatures and fuzzy hashes.
    Type: Grant
    Filed: January 24, 2020
    Date of Patent: April 11, 2023
    Assignee: CrowdStrike, Inc.
    Inventors: Horea Coroiu, Daniel Radu
  • Patent number: 11616790
    Abstract: A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally-defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices and can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.
    Type: Grant
    Filed: April 15, 2020
    Date of Patent: March 28, 2023
    Assignee: CrowdStrike, Inc.
    Inventors: David F. Diehl, Michael Edward Lusignan, Thomas Johann Essebier
  • Patent number: 11604688
    Abstract: A computer-processor executable container application operates within an operating system, such as an Android operating system. The application is itself configured to execute applications contained within the container application. The container application may create a secure computing environment in which business applications on a computing device can be protected and monitored without affecting or interacting with other applications or data on the computing device. Such a secure computing environment may enable businesses to protect their data residing on a personal computing device and to have visibility into how the data is accessed, used, and shared, while not interfering with personal use of the personal computing device.
    Type: Grant
    Filed: April 19, 2021
    Date of Patent: March 14, 2023
    Assignee: CrowdStrike, Inc.
    Inventors: Vincenzo Iozzo, Giovanni Gola
  • Patent number: 11599641
    Abstract: A bus filter driver and security agent components configured to retrieve and analyze firmware images are described herein. The bus filter driver may attach to a bus device associated with a memory component and retrieve a firmware image of firmware stored on the memory component. The bus filter driver may also retrieve hardware metadata. A kernel-mode component of the security agent may then retrieve the firmware image and hardware metadata from the bus filter driver and provide the firmware image and hardware metadata to a user-mode component of the security agent for security analysis. The security agent components may then provide results of the analysis and/or the firmware image and hardware metadata to a remote security service to determine a security status for the firmware.
    Type: Grant
    Filed: April 22, 2020
    Date of Patent: March 7, 2023
    Assignee: CrowdStrike, Inc.
    Inventors: Timo Kreuzer, Ion-Alexandru Ionescu, Aaron LeMasters
  • Patent number: 11588832
    Abstract: Techniques to provide visualizations of possible malicious incidents associated with an event on a host device may include causing presentation of graphics of a process or thread in a user interface. Information about detected events may be transmitted to a computing device that generates the visualizations for presentation to an analyst to verify the malicious incidents. Based on patterns and information conveyed in the visualizations, the computer device or host device may take action to protect operation of the host device caused by the event.
    Type: Grant
    Filed: July 30, 2020
    Date of Patent: February 21, 2023
    Assignee: CrowdStrike, Inc.
    Inventors: Daniel W. Brown, Thomas R. Hobson, Hyacinth D. Diehl, Alexander J. Graul
  • Patent number: 11563756
    Abstract: A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally-defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices and can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.
    Type: Grant
    Filed: April 15, 2020
    Date of Patent: January 24, 2023
    Assignee: CrowdStrike, Inc.
    Inventors: David F. Diehl, Nora Lillian Sandler, Matthew Edward Noonan, Christopher Robert Gwinn, Thomas Johann Essebier
  • Patent number: 11516237
    Abstract: Methods and systems for visualization of data associated with events detected on a monitored server host, and control of the host, are provided. A system may detect an incident on a remote server host. The system may present scores and activity graphs on a user interface for a human operator to review. The user interface may include animated activity graphs to show the progress of a past malicious event. The user interface may emphasize, de-emphasize, and/or hide subgraphs. The user interface may include quick-action buttons and wizards to permit users to immediately kill processes or isolate a computer from the network. The user interface may include controls to bulk-tag detected events associated with a subgraph. The user interface may present notifications/dashboards of significant malicious events in progress and update same when a new event rises in incident score into the top 10.
    Type: Grant
    Filed: July 30, 2020
    Date of Patent: November 29, 2022
    Assignee: CrowdStrike, Inc.
    Inventor: Alexander J. Graul
  • Patent number: 11503043
    Abstract: The instant disclosure is directed to an attack/unwanted activity detecting firewall for use in protecting authentication-based network resources. The instant system is adapted for installation inline or in sniffer mode. In various embodiments, defined rules are applied to network traffic to determine whether certain types of attacks are occurring on the network resources. If one such attack is detected, the system provides for several potential responses, including for example disconnecting the attacking remote machine, requiring the user at that machine to re-authenticate, and/or requiring a second factor of authentication from the user at that machine. In some example embodiments, regardless of any activity required of a user at the remote machine suspected of malicious behavior, the disclosed system generates an alarm or other alert for presentation as appropriate, such as via a graphical user interface or a third-party system using an API.
    Type: Grant
    Filed: December 5, 2018
    Date of Patent: November 15, 2022
    Assignee: CrowdStrike, Inc.
    Inventors: Ajit Sancheti, Roman Blachman, Amir Jakoby, Eyal Karni
  • Patent number: 11423186
    Abstract: Some example computing systems herein include two modules, e.g., drivers. A first can instantiate an interface associated with a service routine, receive, by the service routine, a verification message; and send, in response, a confirmation message via the interface. A second can locate the interface; open a handle to the interface; send the verification message via the handle, the verification message identifying at least an interface type or a version; and receive, via the handle, the confirmation message associated with the verification message. In some examples, the first driver is a Plug and Play driver. In some examples, the first module can receive, by the service routine, a command associated with the interface; determine that the command is a valid command based at least in part on stored command data; and send, via the interface, a response to the command.
    Type: Grant
    Filed: January 15, 2019
    Date of Patent: August 23, 2022
    Assignee: CrowdStrike, Inc.
    Inventors: Aaron LeMasters, Ion-Alexandru Ionescu
  • Patent number: 11392689
    Abstract: Event vectors can be determined for respective events based on respective command-line records and a trained representation mapping. Respective coordinate vectors can be determined, each having fewer elements than the respective event vector. Respective representations of at least some of the events can be presented via an electronic display at the respective coordinate vectors. A selection of a first representation can be received via a user interface. The events can be clustered based on the event vectors. A first cluster can be selected based on the selection. An indication of a tag can be received via the user interface. Each event of the first cluster can be associated with the tag. Some examples include transmitting a security command to cause a monitored computing device associated with an event in the first cluster to perform a mitigation action.
    Type: Grant
    Filed: March 28, 2019
    Date of Patent: July 19, 2022
    Assignee: CrowdStrike, Inc.
    Inventors: Cory-Khoi Quang Nguyen, Jaron Michael Bradley, John Lee, Brody Nisbet
  • Patent number: 11340890
    Abstract: Techniques are described herein for, without rebooting a computing device, unloading at least a component of a kernel-mode component of the computing device and loading an updated version of the component of the kernel-mode component. The techniques may be performed by an integrity manager associated with the kernel-mode component. The integrity manager may also determine integrity of the kernel-mode component by causing the kernel-mode component to perform an action associated with a known reaction, determining whether the known reaction occurred, and in response, performing a remediation action or notifying a remote security service. Further, the integrity manager may determine whether any computing device lists include representations of components or connections associated with the kernel-mode component. The integrity manager may then remove the representations from the lists or remove the representations from responses to requests for contents of the computing device lists.
    Type: Grant
    Filed: May 9, 2019
    Date of Patent: May 24, 2022
    Assignee: CrowdStrike, Inc.
    Inventor: Ion-Alexandru Ionescu
  • Patent number: 11310248
    Abstract: Example techniques herein filter and classify security-relevant events from monitored computing devices. A control unit can receive event records of various types, each event record associated with a monitored device. The control unit can provide, for each event record matching a corresponding pattern of a pattern set associated with the respective event type, a respective match record. Each match record can include an identifier of the corresponding pattern and data of the respective event record. The control unit can provide, for each match record satisfying a corresponding condition of a condition set, a respective candidate record including a tag associated with the corresponding condition. The control unit can provide, for each candidate record satisfying a tag criterion, a result record. Some examples can receive a modification record and use it to provide an updated condition set used for determining candidate records.
    Type: Grant
    Filed: February 21, 2019
    Date of Patent: April 19, 2022
    Assignee: CrowdStrike, Inc.
    Inventors: David Blewett, Brian Concannon, John Lee, Kris Merritt, Andrew Roden
  • Patent number: 11277423
    Abstract: Example techniques detect incidents based on events from or at monitored computing devices. A control unit can detect events of various types within a time interval and aggregate the detected events into an incident. The control unit can detect patterns within the events based at least in part on a predetermined criterion. In examples, the control unit can determine pattern scores for the patterns based on the probability of occurrence for the patterns and determine a composite score based on the pattern scores. The control unit can determine that an incident indicating malicious activity has been detected based in part on determining that the composite score is above a predetermined threshold score. In some examples, the control unit can classify and rank the incidents. The control unit can determine if an incident indicates malicious activity including malware or a targeted attack.
    Type: Grant
    Filed: February 22, 2019
    Date of Patent: March 15, 2022
    Assignee: CrowdStrike, Inc.
    Inventor: Daniel W. Brown
  • Patent number: 11271959
    Abstract: Methods and systems for detecting and preventing malicious software activity are presented. In one embodiment, a method is presented that includes monitoring network communications on a network. The method may also include detecting a suspect network communication associated with a suspect network activity and, in response, determining an originating machine based on the suspect network activity. The method may further suspend network communications for the originating machine. A forensics software agent may then be selected based on the suspect network activity. Then, the forensics software agent may be deployed on the originating machine. After deployment, the forensics software agent may fetch computer forensics data from the originating machine. Once the computer forensics data is fetched, a response action may be selected and executed based on said computer forensics data.
    Type: Grant
    Filed: November 20, 2019
    Date of Patent: March 8, 2022
    Assignee: CrowdStrike, Inc.
    Inventors: Karni Eyal, Sagi Sheinfeld, Zinar Yaron
  • Patent number: 11258805
    Abstract: An event can be associated with a monitored computing device and a command-line record. An event vector can be determined for each of a plurality of events based at least in part on at least a portion of the respective command-line record and on a trained representation mapping. A respective reduced event vector can be determined having fewer elements. The reduced event vectors can be clustered to determine cluster identifiers. A first event can be determined to be associated with a security violation based on a corresponding cluster identifier matching a cluster identifier of a second event that is associated with a security violation. In some examples, a cluster can include a relatively larger first group of events and a relatively smaller second group of events. That cluster can be determined to satisfy a criterion based on the numbers of events in at least one of the groups.
    Type: Grant
    Filed: March 28, 2019
    Date of Patent: February 22, 2022
    Assignee: CrowdStrike, Inc.
    Inventors: Cory-Khoi Quang Nguyen, Jaron Michael Bradley, John Lee, Brody Nisbet
  • Patent number: 11188651
    Abstract: A security agent configured to initiate a security agent component as a hypervisor for a computing device is described herein. The security agent is further configured to determine a subset of memory locations in memory of the computing device to be intercepted. The security agent component may then set intercepts for the determined memory locations. Setting such intercepts may include setting privilege attributes for pages which include the determined memory locations so as to prevent specific operations in association with those memory locations. In response to one of those specific operations, the security agent component may return a false indication of success or allow the operation to enable monitoring of the actor associated with the operation. When an operation affects another memory location associated with one of the pages, the security agent component may temporarily reset the privilege attribute for that page to allow the operation.
    Type: Grant
    Filed: March 7, 2016
    Date of Patent: November 30, 2021
    Assignee: CrowdStrike, Inc.
    Inventor: Ion-Alexandru Ionescu
  • Patent number: 11163880
    Abstract: A security agent for a host computing device may be implemented with multiple levels of indirection from an operating system (OS) kernel of the computing device in order to facilitate software upgrades for the security agent. An unserviceable kernel-mode component of the security agent may directly interface with the OS kernel and hook into a function (e.g., a security callback function) of the OS kernel in a first level of indirection, while a serviceable kernel-mode component of the security agent, which is upgradable, may indirectly interface with the OS kernel via the unserviceable kernel-mode component in a second level of indirection. The serviceable kernel-mode component may be configured to process events, and/or data related thereto, received from the OS kernel via the unserviceable kernel-mode component in order to monitor activity on the computing device for malware attacks.
    Type: Grant
    Filed: September 29, 2017
    Date of Patent: November 2, 2021
    Assignee: CrowdStrike, Inc.
    Inventors: Cat S. Zimmermann, Steven King