Patents Assigned to CROWDSTRIKE, INC.
  • Publication number: 20240403435
    Abstract: Boot status markers record historical boot processes performed by a computer system. Each time the computer system boots, an operating system performs a boot process and interfaces with an antimalware driver. The antimalware driver determines the boot status markers that were set during previous boot processes. The antimalware driver may then classify other drivers based on the boot status markers set during the previous boot processes. The antimalware driver may then report driver classifications to the operating system. The operating system may then block, or allow, the drivers based on the driver classifications.
    Type: Application
    Filed: July 25, 2023
    Publication date: December 5, 2024
    Applicant: CrowdStrike, Inc.
    Inventors: Garrett Moore, Blair C. Foster, JR.
  • Patent number: 12154594
    Abstract: A method of placing an ad in a video in an original format may include producing a transcoded video in a proxy format which is a representation of frames of the video in the original format. The transcoded video in the proxy format is convertible to other formats for output. The method may include selecting the ad from a set of ads, selecting a location within a frame of the transcoded video where the ad is to be placed, selecting frames of the transcoded video where the ad is to be placed, placing a placeholder in the transcoded video in the selected frames at the selected location, and storing the transcoded video in the proxy format. When the transcoded video is presented to a user on a display device, the selected ad is inserted in place of the placeholder.
    Type: Grant
    Filed: March 9, 2021
    Date of Patent: November 26, 2024
    Assignee: CrowdStrike, Inc.
    Inventor: Thomas S. Gilley
  • Patent number: 12143434
    Abstract: Systems, methods, and computer program products for smart upload automation in which actions are automatically performed on a set of digital assets against a target item. In one embodiment, a system includes a network, a server machine, a client machine and a data storage device, each of which is coupled to the network. The client machine designates digital assets and a target item against which the assets will be uploaded. The digital assets are uploaded by the client machine to the data storage device via the network. The server machine automatically performs actions on the digital assets without intervention by the client machine, where the actions are associated with or in some way defined by the target item. The actions may include setting metadata values of the digital assets based upon metadata associated with the target item, or generating different renditions of the digital assets.
    Type: Grant
    Filed: June 30, 2023
    Date of Patent: November 12, 2024
    Assignee: CrowdStrike, Inc.
    Inventor: Lee Shepstone
  • Patent number: 12141281
    Abstract: A plurality of memory image data is obtained. Respective ones of the memory image data may include captured memory contents from an executing process. Training data including feature vectors and classification values are provided to a machine learning (ML) training model executing on a processing device. The feature vectors may include indications of patterns within the memory image data. The ML training model is trained based on the training data to generate an ML production model. The training may include computing a plurality of model parameters that relate the feature vectors of the training data to the classification values of the training data.
    Type: Grant
    Filed: July 12, 2022
    Date of Patent: November 12, 2024
    Assignee: CrowdStrike, Inc.
    Inventor: Felix Schwyzer
  • Publication number: 20240346111
    Abstract: Interpolant pattern matching reflects a runtime environment. Any finite automaton (such as a DFA) built from a regular expression may be modified with an interpolant string to create an interpolant finite automaton (such as an IDFA). The interpolant string incorporates a placeholder that is then modified according to the runtime environment. An environment variable or a directory path, for example, may be inserted into the placeholder at runtime. An input string may be pattern matched against the IDFA that reflects the runtime environment.
    Type: Application
    Filed: April 17, 2023
    Publication date: October 17, 2024
    Applicant: CrowdStrike, Inc.
    Inventor: Matthew Edward Noonan
  • Patent number: 12118086
    Abstract: Deception-based techniques for responding to security attacks are described herein. The techniques include transitioning a security attack to a monitored computing device posing as a computing device impacted by the security attack and enabling the adversary to obtain deceptive information from the monitored computing device. Also, the adversary may obtain a document configured to report identifying information of an entity opening the document, thereby identifying the adversary associated with the attack. Further, the techniques include determining that a domain specified in a domain name request is associated with malicious activity and responding to the request with a network address of a monitored computing device to cause the requesting process to communicate with the monitored computing device in place of an adversary server. Additionally, a service may monitor dormant domain names associated with malicious activity and, in response to a change, respond with an alert or a configuration update.
    Type: Grant
    Filed: May 27, 2020
    Date of Patent: October 15, 2024
    Assignee: CrowdStrike, Inc.
    Inventors: Adam S. Meyers, Dmitri Alperovitch, George Robert Kurtz, David F. Diehl, Sven Krasser
  • Publication number: 20240338228
    Abstract: Cloud-delivered hooks are injected as binary instrumentation into a software application. The cloud-delivered hooks are specified by a cloud computing environment. The cloud-delivered hooks may be set up, and torn down, by software updates from the cloud computing environment. The cloud-delivered hooks monitor and intercept functions, APIs, and system calls in both user space and kernel space. Moreover, the cloud-delivered hooks may utilize a polymorphic universal hooking mechanism that eliminates strict signature requirements between target functions and detour functions. Because the cloud-delivered hooks are commanded by, and received from, the cloud computing environment, the cloud-delivered hooks may be easily and nearly instantaneously distributed to clients in the field for near real time software instrumentation and reporting. The cloud-delivered hooks can thus greatly simplify and quicken software development, software debugging, malware detection, and software monitoring.
    Type: Application
    Filed: April 4, 2023
    Publication date: October 10, 2024
    Applicant: CrowdStrike, Inc.
    Inventors: Blair C. Foster, JR., Eric Jay Kuhl, Garrett Moore, Loren Robinson
  • Publication number: 20240330299
    Abstract: An interwoven approximate membership query (AMQ) data structure interweaves multiple AMQ data sets. The interwoven AMQ data structure collapses the AMQ data sets into a composite membership representation. The interwoven AMQ data structure still represents a computer database, but it yields far faster membership results and requires orders of magnitude fewer data reads. Memory allocation is reduced, processor cycles are reduced, input/output operations are reduced, and transitions between kernel space and user space are reduced. The interwoven AMQ data structure greatly improves computer functioning.
    Type: Application
    Filed: March 30, 2023
    Publication date: October 3, 2024
    Applicant: CrowdStrike, Inc.
    Inventor: Thomas Francis Lyons
  • Patent number: 12105751
    Abstract: A file format identification system can predict file formats associated with binary data. The file format identification system can extract n-grams, such as byte 4-grams, from the binary data. A trained neural network with at least one embedding layer can generate embedding arrays that correspond to the extracted n-grams. A trained file format classifier can compare values in the embedding arrays with patterns of values associated with known file formats. The trained file format classifier can accordingly determine which of the known file formats are most likely to be associated with the binary data.
    Type: Grant
    Filed: May 19, 2022
    Date of Patent: October 1, 2024
    Assignee: CrowdStrike, Inc.
    Inventor: Marian Radu
  • Publication number: 20240281352
    Abstract: An artificial intelligence (AI) monitoring service detects, in real time or in near real time, misbehaving AI. The AI monitoring service monitors any of inputs to the AI, incoming/outgoing communications, API calls, inter-service/inter-container activities associated with the AI, and/or an output generated by the AI. Any activity conducted by, or associated with, the AI may be compared to an AI behavior profile defining permissible/impermissible activities. If any activity fails to conform to the AI behavior profile, alerts are sent and threat procedures are implemented. Very early stages of abnormal AI behavior are detected, thus quickly exposing abnormal AI behavior before the artificial intelligence can implement undesirable, or even harmful, actions.
    Type: Application
    Filed: February 16, 2023
    Publication date: August 22, 2024
    Applicant: CrowdStrike, Inc.
    Inventor: Andrew Southgate
  • Patent number: 12067114
    Abstract: Training and use of a byte n-gram embedding model is described herein. A neural network is trained to determine a probability of occurrence associated with a byte n-gram. The neural network includes one or more embedding model layers, at least one of which is configured to output an embedding array of values. The byte n-gram embedding model may be used to generate a hash of received data, to classify the received data with no knowledge of a data structure associated with the received data, to compare the received data to files having a known classification, and/or to generate a signature for the received data.
    Type: Grant
    Filed: June 22, 2023
    Date of Patent: August 20, 2024
    Assignee: CrowdStrike, Inc.
    Inventors: Radu Cazan, Daniel Radu, Marian Radu
  • Patent number: 12063219
    Abstract: Methods and systems for detecting forged Kerberos protocol tickets are presented. In one embodiment, a method is presented that includes receiving and decrypting an authentication request including a ticket. A validity start time and a validity end time may then be extracted from the ticket and a validity period may be calculated based on the validity start time and the validity end time. The method may then include retrieving a domain validity period from a domain controller and comparing the validity period to the domain validity period. If the validity period differs from the domain validity period, the authentication request may be blocked.
    Type: Grant
    Filed: October 6, 2020
    Date of Patent: August 13, 2024
    Assignee: CrowdStrike, Inc.
    Inventors: Marina Simakov, Sagi Sheinfeld
  • Publication number: 20240256666
    Abstract: Malware is detected using an embedding-based machine learning model. The model generates embeddings using byte n-grams. A feature importance operation reveals that only a subset of the embeddings is required to detect malware. In some cases, even a single embedding is adequate and retains 99% detection capabilities. An aggressive embedding dropout operation is implemented that ignores less important embeddings. Because perhaps only one, or a few, embeddings need be determined, malware detection is greatly simplified and need not calculate full-sized embeddings. A malware detection service runs quicker, and just as capably, while consuming fewer resources.
    Type: Application
    Filed: January 27, 2023
    Publication date: August 1, 2024
    Applicant: CrowdStrike, Inc.
    Inventors: Diana Bolocan, Mihaela-Petruta Gaman, Marian Radu
  • Patent number: 12047399
    Abstract: A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally-defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices and can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.
    Type: Grant
    Filed: January 6, 2023
    Date of Patent: July 23, 2024
    Assignee: CrowdStrike, Inc.
    Inventors: David F. Diehl, Nora Lillian Sandler, Matthew Edward Noonan, Christopher Robert Gwinn, Thomas Johann Essebier
  • Patent number: 12045202
    Abstract: One or more identifiers respectively corresponding to one or more logical blocks in an electronic file system volume are selected. The one or more logical blocks respectively corresponding to the selected one or more identifiers are analyzed according to one or more criteria. A value is assigned to one or more indicators associated with each of the one or more logical blocks and corresponding to the one or more criteria, in response to the analyses of the corresponding one or more logical blocks. A representation of the one or more indicators, and their respective assigned values, associated with each of the one or more logical blocks that was analyzed according to the one or more criteria, is generated. In some embodiments, an action to be performed on or with an electronic file mapped to the logical blocks is controlled based on one or more of the values assigned to the one or more indicators associated with the one or more logical blocks.
    Type: Grant
    Filed: July 8, 2022
    Date of Patent: July 23, 2024
    Assignee: CrowdStrike, Inc.
    Inventors: Mark Ian Gargett, Jayasankar Divakarla, John Stringer
  • Patent number: 12021884
    Abstract: A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally-defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices and can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.
    Type: Grant
    Filed: March 2, 2023
    Date of Patent: June 25, 2024
    Assignee: CrowdStrike, Inc.
    Inventors: David F. Diehl, Michael Edward Lusignan, Thomas Johann Essebier
  • Patent number: 12019753
    Abstract: A bus filter driver and security agent components configured to retrieve and analyze firmware images are described herein. The bus filter driver may attach to a bus device associated with a memory component and retrieve a firmware image of firmware stored on the memory component. The bus filter driver may also retrieve hardware metadata. A kernel-mode component of the security agent may then retrieve the firmware image and hardware metadata from the bus filter driver and provide the firmware image and hardware metadata to a user-mode component of the security agent for security analysis. The security agent components may then provide results of the analysis and/or the firmware image and hardware metadata to a remote security service to determine a security status for the firmware.
    Type: Grant
    Filed: January 31, 2023
    Date of Patent: June 25, 2024
    Assignee: CrowdStrike, Inc.
    Inventors: Timo Kreuzer, Ion-Alexandru Ionescu, Aaron LeMasters
  • Patent number: 12013941
    Abstract: A security service can determine a synthetic context based at least in part on context data associated with a first malware sample, and detonate the first malware sample in the synthetic context to provide one or more first event records representing events performed by the first malware sample and detected during detonation. Additionally or alternatively, the security service can detonate the first malware sample and locate a second malware sample in a corpus based at least in part on the one or more first event records. Additionally or alternatively, the security service can receive event records representing events detected during a detonation of a first malware sample, the detonation based at least in part on context data, and locate a second malware sample in the corpus based at least in part on the one or more reference event records.
    Type: Grant
    Filed: June 28, 2019
    Date of Patent: June 18, 2024
    Assignee: CrowdStrike, Inc.
    Inventors: George Robert Kurtz, Dmitri Alperovitch, Amol Kulkarni, Jan Miller, Daniel Radu
  • Publication number: 20240154987
    Abstract: A cloud-service malware detection application detects, in real time or in near real time, malware infecting cloud services. The cloud-service malware detection application monitors incoming communications, outgoing communications, API calls, and other inter-service activities conducted between different cloud services in a cloud-computing environment. Because the cloud-computing environment may have many different cloud services, the cloud-service malware detection application detects a malware attack that spans multiple hosts and cloud services. The cloud-service malware detection application adaptively profiles each individual cloud service using machine learning, thus providing quicker, more accurate, and more scalable malware detection.
    Type: Application
    Filed: November 9, 2022
    Publication date: May 9, 2024
    Applicant: CrowdStrike, Inc.
    Inventor: Hirendra Rathor
  • Patent number: 11966504
    Abstract: A plug-and-play (PnP) driver associated with a security agent is described herein. The PnP driver attaches to device stacks of enumerated bus devices of a computing device as upper-device or lower-device filters based on the device classes of the enumerated bus devices. For example, the PnP driver may attach to the device stack of a hub or controller device as an upper-device filter and to device stacks of other devices as lower-device filters. Either while attaching or after attachment, the PnP driver may take action to alter, limit, or otherwise block functionality of an enumerated bus device. The PnP driver may also perform a system inventory of enumerated bus devices connected to the computing device and create fingerprints for one or more of the computing devices. Additionally, the PnP driver may create and remove control device objects (CDOs) to enable communication with user-mode processes or threads.
    Type: Grant
    Filed: September 3, 2021
    Date of Patent: April 23, 2024
    Assignee: CROWDSTRIKE, INC.
    Inventors: Aaron LeMasters, Ion-Alexandru Ionescu