Abstract: Systems and methods are provided to determine a maliciousness level of an element using a hypergraph of neighbors. The method can include receiving the element; generating a hypergraph of neighbor target elements found in a database, the hypergraph comprising a set of nodes and a set of edges, wherein the set of nodes represents the neighbor target elements, and the set of edges represents connections between the neighbor target elements; classifying nodes and edges in the hypergraph; generating a maliciousness level profile for the element based on aggregation of nodes and edges in the hypergraph; linking information related to the element with the maliciousness level profile for the element; and performing an action based on a type of the element.

Abstract: A method and system for adaptively securing a protected entity against a potential advanced persistent threat (APT) are provided. The method includes probing a plurality of resources in a network prone to be exploited by an APT attacker; operating at least one security service configured to output signals indicative of APT related activity of each of the plurality of probed resources; generating at least one security event respective of the output signals; determining if the at least one security event satisfies at least one workflow rule; and upon determining that the at least one security event satisfies the at least one workflow rule, generating at least one action with respect to the potential APT attack.

Abstract: A method of monitoring and reporting of packets including their attribution to their origin processes from a user space application without installing proprietary drivers, rather using only infrastructures and capabilities supplied by the operating system (OS). The method relies on correlation between packets received from a packet capture library and a kernel monitoring mechanism that supplies an event with the process ID which is executed on the same time frame for transmitting or receiving of that traffic. The attribution between the event and the packet is based on the 4-tuple (or other exemplar) that exists on both the event and the packet where the “4-tuple” is a set of: source address, source port, destination address, destination port.

Abstract: A method of generating a baseline of expected behavior on a single machine or endpoint to accurately fingerprint the native behavior of the NTLM protocol on that particular endpoint in a network. By limiting the scope of a baseline to a single endpoint, the scope of the baseline can consist of expected behavior (including supported hash functions, version strings and various feature flags). Deviations from these behaviors are considered evidence of a redundant implementation of NTLM utilized by an attacker and thus as evidence of an attempted PTH attack. Using this method it is possible to accurately detect PTH attacks originating from all publicly known non-standard implementations of NTLM existing in tools such as Impacket, Metasploit, and Invoke-TheHash.

Abstract: A method, computer program product, system and apparatus for the prevention of RGA and DGA malware over an existing internet service is disclosed. The invention exploits the fact that when malware rapidly attempts to access many contact points, a malware is likely to need several attempts to find a current server. Software is installed on the individual endpoints in a network of internet services. The software monitors the websites or services and collects information about access attempts. The invention detects a series of failed attempts by the malware to access the service/website. These attempts can be accrued by being temporally linked (e.g., many attempts in a short time, many attempts consecutively), conceptually linked (e.g., similar addresses, similar attempts across multiple machines or time scales), higher than normal prevalence or other methods. The invention provides an indication of a malware attempt if enough failed attempts have accrued.

Abstract: A method, computer program product, and apparatus for performing baseline calculations for firewalling in a computer network is disclosed. The method involves defining a reference group for an executed software program, measuring signals in the reference group, measuring signals of the program, computing a distance between the signals of the program and the signals of the reference group, and taking an action if the computed distance deviates from a norm mode. The distance can be computed using a similarity matrix or other method. Measuring the program comprises observing behaviors of the program, collecting and analyzing data, comparing the data to baselines of the reference group, and comparing the behaviors of the program across a previous execution of the program. In cases where a program is known to be malicious, a reference group is not needed and a sandbox can be tailored just by copying the environment of the actual system.

Abstract: A method, computer program product, and apparatus for implementing a distributed sandbox is disclosed. The method comprises discovering a machine with sufficient resources to run a virtual machine for a process, starting the process in a virtual machine on the discovered machine, if the virtual machine terminates, discovering another machine with sufficient resources to run a virtual machine for a process, and deciding if the process is benign when the virtual machine is finished. Control of the distributed sandbox is done by utilizing a broadcast network.

Abstract: A method and apparatus for classifying and combining computer attack information identifying as malicious events, events in a network that cause organizationally or functionally distant entities to become closer to each other, the method comprising identifying as malicious events, events in a network that cause organizationally or functionally distant entities to become closer to each other.

Abstract: A method and apparatus for intrusion detection, the method comprising: receiving a description of a computerized system, the description comprising two or more entities, one or more attribute for each entity and one or more statistical rule related to relationship between the entities; receiving data related to activity of the computerized system, the data comprising two or more events; grouping the events into two or more groups associated with the entities; comparing the groups in accordance with the statistical rule, to identify a group not complying with any of the statistical rules.

Abstract: A computer-implemented method and apparatus for identifying attacks, comprising: receiving information related to a computerized network, the information comprising description of the network and events occurring within the network; processing the events, comprising determining whether additional data is required; responsive to determining that additional information is required, collecting the additional information and processing the additional information; and providing attack information based on the information and on the additional information, wherein the additional information is more resource consuming to obtain or process than the information.

Abstract: A method and apparatus for classifying and combining computer attack information identifying as malicious events, events in a network that cause organizationally or functionally distant entities to become closer to each other, the method comprising identifying as malicious events, events in a network that cause organizationally or functionally distant entities to become closer to each other.

Abstract: A method and apparatus for classifying and combining computer attack information identifying as malicious events, events in a network that cause organizationally or functionally distant entities to become closer to each other, the method comprising identifying as malicious events, events in a network that cause organizationally or functionally distant entities to become closer to each other.

Abstract: A computer-implemented method and apparatus for identifying attacks, comprising: receiving information related to a computerized network, the information comprising description of the network and events occurring within the network; processing the events, comprising determining whether additional data is required; responsive to determining that additional information is required, collecting the additional information and processing the additional information; and providing attack information based on the information and on the additional information, wherein the additional information is more resource consuming to obtain or process than the information.

Abstract: A method and apparatus for intrusion detection, the method comprising: receiving a description of a computerized system, the description comprising two or more entities, one or more attribute for each entity and one or more statistical rule related to relationship between the entities; receiving data related to activity of the computerized system, the data comprising two or more events; grouping the events into two or more groups associated with the entities; comparing the groups in accordance with the statistical rule, to identify a group not complying with any of the statistical rules.