Abstract: Methods and systems for fingerprinting a malicious behavior. In a first stage of training, a coarse machine learning one-class classifier is trained to detect a first dataset of events, the first dataset of events including a dataset of events representing a malicious behavior and a dataset of events representing non-malicious behavior and a benign machine learning one-class classifier is trained to detect a second dataset of events, the second dataset of events excluding the dataset of events representing malicious activity. An ensemble of models including the benign and coarse machine learning one-class classifiers is applied to the first dataset of events to create a third training set representing the malicious behavior for a second stage of training. A final machine learning one-class classifier is trained in the second stage of training using the third training set. The final machine learning one-class classifier represents a fingerprint of the malicious behavior.

Abstract: In one respect, there is provided a system for training a neural network adapted for classifying one or more scripts. The system may include at least one processor and at least one memory. The memory may include program code which when executed by the at least one memory provides operations including: receiving a disassembled binary file that includes a plurality of instructions; processing the disassembled binary file with a convolutional neural network configured to detect a presence of one or more sequences of instructions amongst the plurality of instructions and determine a classification for the disassembled binary file based at least in part on the presence of the one or more sequences of instructions; and providing, as an output, the classification of the disassembled binary file. Related computer-implemented methods are also disclosed.

Abstract: Systems and methods are described herein for computer user authentication using machine learning. Authentication for a user is initiated based on an identification confidence score of the user. The identification confidence score is based on one or more characteristics of the user. Using a machine learning model for the user, user activity of the user is monitored for anomalous activity to generate first data. Based on the monitoring, differences between the first data and historical utilization data for the user determine whether the user's utilization of the one or more resources is anomalous. When the user's utilization of the one or more resource is anomalous, the user's access to the one or more resource is removed.

Abstract: Systems, methods, and software can be used to cluster software codes in a scalable manner. In some aspects, a computer-implemented method comprises: obtaining a plurality of software samples; computing one or more first hash results for each of the plurality of software samples; computing one or more second hash results for each of the plurality of software samples based on the one or more first hash results, wherein an amount of the one or more second hash results is less than an amount of the one or more first hash results; determining a similarity output based on the one or more second hash results of two of the plurality of software samples; and clustering the plurality of software samples based on the similarity output to generate one or more software sample clusters.

Abstract: A system is provided for classifying an instruction sequence with a machine learning model. The system may include at least one processor and at least one memory. The memory may include program code that provides operations when executed by the at least one processor. The operations may include: processing an instruction sequence with a trained machine learning model configured to detect one or more interdependencies amongst a plurality of tokens in the instruction sequence and determine a classification for the instruction sequence based on the one or more interdependencies amongst the plurality of tokens; and providing, as an output, the classification of the instruction sequence. Related methods and articles of manufacture, including computer program products, are also provided.

Abstract: Data is received as part of an authentication procedure to identify a user. Such data characterizes a user-generated biometric sequence that is generated by the user interacting with at least one input device according to a desired biometric sequence. Thereafter, using the received data and at least one machine learning model trained using empirically derived historical data generated by a plurality of user-generated biometric sequences (e.g., historical user-generated biometric sequences according to the desired biometric sequence, etc.), the user is authenticated if an output of the at least one machine learning model is above a threshold. Data can be provided that characterizes the authenticating. Related apparatus, systems, techniques and articles are also described.

Abstract: Under one aspect, a computer-implemented method includes receiving a query at a query interface about whether a computer file comprises malicious code. It is determined, using at least one machine learning sub model corresponding to a type of the computer file, whether the computer file comprises malicious code. Data characterizing the determination are provided to the query interface. Generating the sub model includes receiving computer files at a collection interface. Multiple sub populations of the computer files are generated based on respective types of the computer files, and random training and testing sets are generated from each of the sub populations. At least one sub model for each random training set is generated.

Abstract: Features are extracted from an artifact so that a vector can be populated. The vector is then inputted into an anomaly detection model comprising a deep generative model to generate a first score. The first score can characterize the artifact as being malicious or benign to access, execute, or continue to execute. In addition, the vector is inputted into a machine learning-based classification model to generate a second score. The second score can also characterize the artifact as being malicious or benign to access, execute, or continue to execute. The second score is then modified based on the first score to result in a final score. The final score can then be provided to a consuming application or process. Related apparatus, systems, techniques and articles are also described.

Abstract: An artifact is received from which features are extracted and used to populate a vector. The features in the vector are then reduced using a feature reduction operation to result in a modified vector having a plurality of buckets. Features within the buckets of the modified vector above a pre-determined projected bucket clipping threshold are then identified. Using the identified features, and overflow vector is then generated. The modified vector is then input into a classification model to generate a score. This score is adjusted based on the overflow vector and can then be provided to a consuming application or process. Related apparatus, systems, techniques and articles are also described.

Abstract: A method, a system, and a computer program product for performing analysis of data to detect presence of malicious code are disclosed. Reduced dimensionality vectors are generated from a plurality of original dimensionality vectors representing features in a plurality of samples. The reduced dimensionality vectors have a lower dimensionality than an original dimensionality of the plurality of original dimensionality vectors. A first plurality of clusters is determined by applying a first clustering algorithm to the reduced dimensionality vectors. A second plurality of clusters is determined by applying a second clustering algorithm to one or more clusters in the first plurality of clusters using the original dimensionality. An exemplar for a cluster in the second plurality of clusters is added to a training set, which is used to train a machine learning model for identifying a file containing malicious code.

Abstract: An artifact is received from which features are extracted so as to populate a vector. The features in the vector can be reduced using a feature reduction operations to result in a modified vector having a plurality of buckets. A presence of predetermined types of features are identified within buckets of the modified vector influencing a score above a pre-determined threshold. A contribution of the identified features within the high influence buckets of the modified vector is then attenuated. The modified vector is input into a classification model to generate a score which can be provided to a consuming application or process. Related apparatus, systems, techniques and articles are also described.

Abstract: An artefact is received. Thereafter, features are extracted from the artefact and a vector is populated. Later, one of a plurality of available classification models is selected. The classification models use different scoring paradigms while providing the same or substantially similar classifications. The vector is input into the selected classification model to generate a score. The score is later provided to a consuming application or process. The classification model can characterize the artefact as being malicious or benign to access, execute, or continue to execute so that appropriate remedial action can be taken or initiated by the consuming application or process. Related apparatus, systems, techniques and articles are also described.

Abstract: An artefact is received. Features are later extracted from the artefact and are used to populate a vector. The vector is input into a classification model to generate a score. This score is then modified using a time-based oscillation function and is provided to a consuming application or process. Related apparatus, systems, techniques and articles are also described.

Abstract: Centroids are used for improving machine learning classification and information retrieval. A plurality of files are classified as malicious or not malicious based on a function dividing a coordinate space into at least a first portion and a second portion such that the first portion includes a first subset of the plurality of files classified as malicious. One or more first centroids are defined in the first portion that classify files from the first subset as not malicious. A file is determined to be malicious based on whether the file is located within the one or more first centroids.

Abstract: An artefact is received. Features are extracted from this artefact which are, in turn, used to populate a vector. The vector is then input into a classification model to generate a score. The score is then modified to result in a modified score by interleaving the generated score or a mapping thereof into digits of a pseudo-score. Thereafter, the modified score can be provided to a consuming application or process. Related apparatus, systems, techniques and articles are also described.

Abstract: In some implementations there may be provided a system. The system may include a processor and a memory. The memory may include program code which causes operations when executed by the processor. The operations may include analyzing a series of events contained in received data. The series of events may include events that occur during the execution of a data object. The series of events may be analyzed to at least extract, from the series of events, subsequences of events. A machine learning model may determine a classification for the received data. The machine learning model may classify the received data based at least on whether the subsequences of events are malicious. The classification indicative of whether the received data is malicious may be provided. Related methods and articles of manufacture, including computer program products, are also disclosed.

Abstract: Bayesian continuous user authentication can be obtained by receiving observed behavior data that collectively characterizes interaction of an active user with at least one computing device or software application. A sequence of events within the observed behavior data can be identified and scored using a universal background model that generates first scores that characterize an extent to which each event or history of events is anomalous for a particular population of users. Further, the events are scored using a user model that generates second scores that characterizes an extent to which each event or history of events is anomalous for the particular user who owns the account. The first scores and the second scores are smoothed using a smoothing function. A probability that the active user is the account owner associated with the user model is determined based on the smoothed first scores and the smoothed second scores.

Abstract: Each of a plurality of endpoint computer systems monitors data relating to a plurality of events occurring within an operating environment of the corresponding endpoint computer system. The monitoring can include receiving and/or inferring the data using one or more sensors executing on the endpoint computer systems Thereafter, for each endpoint computer system, artifacts used in connection with the events are stored in a vault maintained on such endpoint computer system. A query is later received by at least a subset of the plurality of endpoint computer systems from a server. Such endpoint computer systems, in response, identify and retrieve artifacts within the corresponding vaults response to the query. Results responsive to the query including or characterizing the identified artifacts is then provided by the endpoint computer systems receiving the query to the server.

Abstract: An artifact is received and features are extracted therefrom to form a feature vector. Thereafter, a determination is made to alter a malware processing workflow based on a distance of one or more features in the feature vector relative to one or more indicator centroids. Each indicator centroid specifying a threshold distance to trigger an action. Based on such a determination, the malware processing workflow is altered.

Abstract: A plurality of events associated with each of a plurality of computing nodes that form part of a network topology are monitored. The network topology includes antivirus tools to detect malicious software prior to it accessing one of the computing nodes. Thereafter, it is determined that, using at least one machine learning model, at least one of the events is indicative of malicious activity that has circumvented or bypassed the antivirus tools. Data is then provided that characterizes the determination. Related apparatus, systems, techniques and articles are also described.