Abstract: A method of generating a baseline of expected behavior on a single machine or endpoint to accurately fingerprint the native behavior of the NTLM protocol on that particular endpoint in a network. By limiting the scope of a baseline to a single endpoint, the scope of the baseline can consist of expected behavior (including supported hash functions, version strings and various feature flags). Deviations from these behaviors are considered evidence of a redundant implementation of NTLM utilized by an attacker and thus as evidence of an attempted PTH attack. Using this method it is possible to accurately detect PTH attacks originating from all publicly known non-standard implementations of NTLM existing in tools such as Impacket, Metasploit, and Invoke-TheHash.

Abstract: A method, computer program product, system and apparatus for the prevention of RGA and DGA malware over an existing internet service is disclosed. The invention exploits the fact that when malware rapidly attempts to access many contact points, a malware is likely to need several attempts to find a current server. Software is installed on the individual endpoints in a network of internet services. The software monitors the websites or services and collects information about access attempts. The invention detects a series of failed attempts by the malware to access the service/website. These attempts can be accrued by being temporally linked (e.g., many attempts in a short time, many attempts consecutively), conceptually linked (e.g., similar addresses, similar attempts across multiple machines or time scales), higher than normal prevalence or other methods. The invention provides an indication of a malware attempt if enough failed attempts have accrued.

Abstract: A method, computer program product, and apparatus for performing baseline calculations for firewalling in a computer network is disclosed. The method involves defining a reference group for an executed software program, measuring signals in the reference group, measuring signals of the program, computing a distance between the signals of the program and the signals of the reference group, and taking an action if the computed distance deviates from a norm mode. The distance can be computed using a similarity matrix or other method. Measuring the program comprises observing behaviors of the program, collecting and analyzing data, comparing the data to baselines of the reference group, and comparing the behaviors of the program across a previous execution of the program. In cases where a program is known to be malicious, a reference group is not needed and a sandbox can be tailored just by copying the environment of the actual system.

Abstract: A method, computer program product, and apparatus for implementing a distributed sandbox is disclosed. The method comprises discovering a machine with sufficient resources to run a virtual machine for a process, starting the process in a virtual machine on the discovered machine, if the virtual machine terminates, discovering another machine with sufficient resources to run a virtual machine for a process, and deciding if the process is benign when the virtual machine is finished. Control of the distributed sandbox is done by utilizing a broadcast network.

Abstract: A method and apparatus for classifying and combining computer attack information identifying as malicious events, events in a network that cause organizationally or functionally distant entities to become closer to each other, the method comprising identifying as malicious events, events in a network that cause organizationally or functionally distant entities to become closer to each other.

Abstract: A method and apparatus for intrusion detection, the method comprising: receiving a description of a computerized system, the description comprising two or more entities, one or more attribute for each entity and one or more statistical rule related to relationship between the entities; receiving data related to activity of the computerized system, the data comprising two or more events; grouping the events into two or more groups associated with the entities; comparing the groups in accordance with the statistical rule, to identify a group not complying with any of the statistical rules.

Abstract: A computer-implemented method and apparatus for identifying attacks, comprising: receiving information related to a computerized network, the information comprising description of the network and events occurring within the network; processing the events, comprising determining whether additional data is required; responsive to determining that additional information is required, collecting the additional information and processing the additional information; and providing attack information based on the information and on the additional information, wherein the additional information is more resource consuming to obtain or process than the information.

Abstract: A method and apparatus for classifying and combining computer attack information identifying as malicious events, events in a network that cause organizationally or functionally distant entities to become closer to each other, the method comprising identifying as malicious events, events in a network that cause organizationally or functionally distant entities to become closer to each other.

Abstract: A method and apparatus for classifying and combining computer attack information identifying as malicious events, events in a network that cause organizationally or functionally distant entities to become closer to each other, the method comprising identifying as malicious events, events in a network that cause organizationally or functionally distant entities to become closer to each other.

Abstract: A computer-implemented method and apparatus for identifying attacks, comprising: receiving information related to a computerized network, the information comprising description of the network and events occurring within the network; processing the events, comprising determining whether additional data is required; responsive to determining that additional information is required, collecting the additional information and processing the additional information; and providing attack information based on the information and on the additional information, wherein the additional information is more resource consuming to obtain or process than the information.

Abstract: A method and apparatus for intrusion detection, the method comprising: receiving a description of a computerized system, the description comprising two or more entities, one or more attribute for each entity and one or more statistical rule related to relationship between the entities; receiving data related to activity of the computerized system, the data comprising two or more events; grouping the events into two or more groups associated with the entities; comparing the groups in accordance with the statistical rule, to identify a group not complying with any of the statistical rules.