Patents Assigned to F.A.C.C.T. NETWORK SECURITY LLC
-
Patent number: 12229259
Abstract: A method and a system for detecting malicious files in a non-isolated environment are provided. The method comprises, during a training phase: acquiring a plurality of executable files; analyzing a given executable file to obtain (i) data associated with the given executable file, (ii) a control-flow graph associated with the given executable file, and (iii) a data-flow graph associated with the given executable file; determining, based on the data, parameters of the given executable file; generating, by the processor, based on the parameters, at least a first feature vector and a second feature vector; generating, by the processor, based on the control-flow graph, a third feature vector; generating, by the processor, based on the data-flow graph, a fourth feature vector; and training each classifier of an ensemble of classifiers on a respective one of the feature vectors to determine whether a given in-use executable file is malicious or non-malicious.
Type: Grant
Filed: January 27, 2022
Date of Patent: February 18, 2025
Assignee: F.A.C.C.T. NETWORK SECURITY LLC
Inventor: Nikolay Sergeevich Prudkovskij
-
Patent number: 12189771
Abstract: A method and a system for detecting a malicious activity are provided. The method comprises: receiving, from a given host of a plurality of hosts, an event flow including data representative of events that occurred at the given host; analyzing a given event sequence of the event flow to generate, for a given event thereof, a respective internal event; applying to the respective internal event a plurality of signature-based rules to determine at least one internal state marker of the given host associated with the given event; feeding the respective internal state markers to a trained machine-learning algorithm (MLA) to determine a prediction outcome of whether the given event sequence is associated with the malicious activity; in response to the prediction outcome exceeding a predetermined threshold, determining the given event sequence as being associated with the malicious activity; and generating a report including the prediction outcome.
Type: Grant
Filed: January 27, 2022
Date of Patent: January 7, 2025
Assignee: F.A.C.C.T. NETWORK SECURITY LLC
Inventors: Sergei Sergeevich Perfilev, Nikolay Nikolaevich Andreev
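The following is an added illustration of the pipeline in the 12189771 abstract (raw events normalised to internal events, signature-based rules producing host state markers, a score over the markers, a threshold, a report). It is not code from the patent or from F.A.C.C.T.: the rule set, marker names, model weights, threshold and sample event flows are all constructed for this example, and the trained MLA of the abstract is replaced by a hand-weighted logistic scorer that merely stands in for a learned model.

```python
"""Signature rules over a host event flow, then a score over the resulting state markers.
Constructed example; rules, weights, threshold and events are assumptions, not the patent's."""
import math
import ntpath
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}


def to_internal(event):
    """Normalise one raw agent event into the internal event the rules consume."""
    e = {"type": event["type"], "image": ntpath.basename(event.get("image", "")).lower()}
    if event["type"] == "process":
        e["parent"] = ntpath.basename(event.get("parent", "")).lower()
        e["cmdline"] = event.get("cmdline", "").lower()
    elif event["type"] == "network":
        e["dst"], e["port"] = event["dst"], event["port"]
    elif event["type"] == "file":
        e["path"], e["op"] = event["path"].lower(), event["op"]
    elif event["type"] == "registry":
        e["key"], e["op"] = event["key"].lower(), event["op"]
    return e


# Signature-based rules: each maps an internal event to a state marker when it fires.
RULES = {
    "office_spawned_shell": lambda e: e["type"] == "process"
        and e["parent"] in OFFICE_APPS and e["image"] in SHELLS,
    "encoded_powershell": lambda e: e["type"] == "process" and e["image"] == "powershell.exe"
        and re.search(r"(^|\s)-e(nc|ncodedcommand)?(\s|$)", e["cmdline"]) is not None,
    "uncommon_outbound_port": lambda e: e["type"] == "network" and e["port"] not in {53, 80, 443},
    "exe_dropped_in_appdata": lambda e: e["type"] == "file" and e["op"] == "create"
        and "\\appdata\\" in e["path"] and e["path"].endswith(".exe"),
    "run_key_persistence": lambda e: e["type"] == "registry" and e["op"] == "set"
        and "\\currentversion\\run\\" in e["key"],
}

# Stand-in for the trained model: a logistic scorer with hand-set weights (assumed, not learned).
WEIGHTS = {"office_spawned_shell": 1.5, "encoded_powershell": 1.5, "uncommon_outbound_port": 1.0,
           "exe_dropped_in_appdata": 1.0, "run_key_persistence": 1.5}
BIAS = -3.0


def state_markers(event_flow):
    """Run every rule over every internal event; return distinct markers in first-seen order."""
    seen = []
    for raw in event_flow:
        e = to_internal(raw)
        for name, rule in RULES.items():
            if rule(e) and name not in seen:
                seen.append(name)
    return seen


def analyze_sequence(event_flow, threshold=0.8):
    """Markers -> score -> verdict, mirroring the abstract's prediction-threshold step."""
    markers = state_markers(event_flow)
    z = BIAS + sum(WEIGHTS[m] for m in markers)
    score = 1.0 / (1.0 + math.exp(-z))
    return {"markers": markers, "score": round(score, 4), "malicious": score > threshold}


# Constructed sample event flows (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MALICIOUS_FLOW = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "cmd.exe /c powershell -enc SQBFAFgA"},
    {"type": "process", "image": PS, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell -enc SQBFAFgA"},
    {"type": "network", "image": PS, "dst": "203.0.113.7", "port": 4444},
    {"type": "file", "image": PS, "path": r"C:\Users\alice\AppData\Roaming\update.exe", "op": "create"},
    {"type": "registry", "image": PS,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\update", "op": "set"},
]
BENIGN_FLOW = [
    {"type": "process", "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe notes.txt"},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst": "93.184.216.34", "port": 443},
    {"type": "file", "image": r"C:\Windows\System32\notepad.exe",
     "path": r"C:\Users\alice\Documents\notes.txt", "op": "write"},
]

if __name__ == "__main__":
    for name, flow in (("malicious", MALICIOUS_FLOW), ("benign", BENIGN_FLOW)):
        print(name, analyze_sequence(flow))
```

The point to notice is the division of labour: the rules carry the domain knowledge and emit a small, stable vocabulary of markers, so the learned part only has to score combinations of markers rather than raw strings, and a new rule can be added without retraining the scorer's input format.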
-
Patent number: 12135786
Abstract: A method and a system for identifying malware are provided. The method comprises, during a training phase: receiving a given sample of a plurality of samples of training malware; analyzing the given sample in an isolated environment; generating a respective behavioral report including indications of the actions the sample executed in the isolated environment; determining, by analyzing the actions, for each one of the plurality of samples of training malware, a respective malware family; identifying, within the respective behavioral reports associated with the plurality of samples, a report group of behavioral reports associated with the samples of a given malware family; generating, for the given malware family, sets of training feature vectors; and training a given classifier of an ensemble of classifiers on a respective set of training feature vectors to determine whether a given in-use sample of malware belongs to the given malware family.
Type: Grant
Filed: March 3, 2022
Date of Patent: November 5, 2024
Assignee: F.A.C.C.T. NETWORK SECURITY LLC
Inventors: Nikolay Sergeevich Prudkovskij, Dmitry Aleksandrovich Volkov
-
Patent number: 12088606
Abstract: A method and system for detection of malicious network resources in a distributed computer system are provided. The method comprises: receiving, by a first computing device disposed inside the distributed computer system, outbound traffic; detecting, by the first computing device, a suspicious external IP address in the outbound traffic; scanning, by the first computing device, a suspicious device located at the suspicious IP address to obtain a list of services running thereon; transmitting, by the first computing device, the suspicious IP address and the list of services to a second computing device disposed outside the distributed computer system; comparing, by the second computing device, the list of services with known malicious services; and, in response to a match between at least one service from the list of services and a respective one of the known malicious services, determining the suspicious device at the suspicious IP address as being malicious.
Type: Grant
Filed: May 31, 2022
Date of Patent: September 10, 2024
Assignee: F.A.C.C.T. NETWORK SECURITY LLC
Inventors: Nikolay Prudkovskiy, Dmitry Volkov
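An added example of the two-stage check in the 12088606 abstract, written for this page and not taken from the patent or from F.A.C.C.T.: an inside sensor flags external destinations in outbound traffic and inventories the services on them; an outside component matches that inventory against known malicious services and only then issues the verdict. The connection records, the allowlist, the "scan" results and the known-malicious fingerprints are all constructed; a real sensor would run an actual port scan and the outside component would consult live threat-intelligence data rather than a literal list.

```python
"""Outbound traffic -> suspicious external IP -> service inventory -> comparison with known
malicious services. Constructed example; data and fingerprints are assumptions."""
import ipaddress
from collections import Counter

# Constructed outbound connection records, one per flow, as a NetFlow-style export might give them.
OUTBOUND = [
    {"src": "10.1.2.3", "dst": "93.184.216.34", "dport": 443, "bytes": 18000},
    {"src": "10.1.2.3", "dst": "198.51.100.23", "dport": 8443, "bytes": 512},
    {"src": "10.1.2.3", "dst": "198.51.100.23", "dport": 8443, "bytes": 512},
    {"src": "10.1.2.3", "dst": "198.51.100.23", "dport": 8443, "bytes": 520},
    {"src": "10.1.2.9", "dst": "203.0.113.7", "dport": 4444, "bytes": 2048},
    {"src": "10.1.2.9", "dst": "10.1.5.5", "dport": 445, "bytes": 4096},
    {"src": "10.1.2.3", "dst": "192.0.2.10", "dport": 80, "bytes": 9000},
]

# Explicit internal ranges: ipaddress.is_private would also treat the TEST-NET
# documentation ranges used in the sample as private, which is not what "inside" means here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWLIST = {"93.184.216.34"}   # constructed: known-good external services
COMMON_PORTS = {53, 80, 443}
MIN_REPEATS = 3                 # assumed threshold for "contacted repeatedly" (beacon-like)


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def suspicious_destinations(records):
    """Stage 1 (inside sensor): external, non-allowlisted destinations that either use an
    uncommon port or are contacted repeatedly on the same port by the same source."""
    repeats = Counter((r["src"], r["dst"], r["dport"]) for r in records)
    flagged = []
    for (src, dst, dport), n in repeats.items():
        if not is_external(dst) or dst in ALLOWLIST:
            continue
        if (dport not in COMMON_PORTS or n >= MIN_REPEATS) and dst not in flagged:
            flagged.append(dst)
    return flagged


# Constructed stand-in for the port scan the sensor would run against the suspicious host.
SCAN_FIXTURE = {
    "198.51.100.23": [{"port": 8443, "banner": "HTTP/1.1 200 OK Server: nginx"},
                      {"port": 22, "banner": "SSH-2.0-OpenSSH_8.9"}],
    "203.0.113.7": [{"port": 4444, "banner": "HTTP/1.1 200 OK Server: demo-c2-panel/1.0"},
                    {"port": 8080, "banner": "HTTP/1.1 404 Not Found Server: demo-c2-panel/1.0"}],
}


def scan_services(ip):
    """Stage 1 continued: list of services on the suspicious device (fixture instead of a scan)."""
    return SCAN_FIXTURE.get(ip, [])


# Constructed fingerprints held by the outside component (names are made up for the example).
KNOWN_MALICIOUS_SERVICES = [
    {"name": "demo-c2-panel", "ports": {4444, 8080}, "banner_contains": "demo-c2-panel"},
    {"name": "demo-exfil-drop", "ports": None, "banner_contains": "x-drop-service"},
]


def match_known_malicious(services):
    """Stage 2 (outside component): compare the service list with known malicious services."""
    hits = []
    for svc in services:
        for known in KNOWN_MALICIOUS_SERVICES:
            port_ok = known["ports"] is None or svc["port"] in known["ports"]
            if port_ok and known["banner_contains"] in svc["banner"] and known["name"] not in hits:
                hits.append(known["name"])
    return hits


def classify_outbound(records):
    """Full pipeline: a device is malicious only when a scanned service matches a known one."""
    verdicts = {}
    for ip in suspicious_destinations(records):
        services = scan_services(ip)
        hits = match_known_malicious(services)
        verdicts[ip] = {"ports": [s["port"] for s in services], "matches": hits, "malicious": bool(hits)}
    return verdicts


if __name__ == "__main__":
    for ip, v in classify_outbound(OUTBOUND).items():
        print(ip, v)
```

Note the outcome for 198.51.100.23: it is suspicious on traffic grounds alone (repeated contact on an uncommon port) but nothing in its service list matches, so it is reported as suspicious rather than malicious. That separation is the substance of the abstract's two-device design: the verdict depends on the comparison step, not on the traffic heuristic.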
-
Patent number: 11960597
Abstract: A method and a system for analysis of executable files are provided. The method comprises: obtaining a plurality of training executable files including at least one malicious executable file and at least one benign executable file; analyzing the plurality of training executable files to extract therefrom data including a plurality of features; transforming the data by organizing the plurality of features into sets of features, a given one of which includes features of a respective predetermined type; identifying, in the given set of features, informative features indicative of a given training executable file being one of malicious and benign; combining, over the plurality of training executable files, for the respective predetermined type, the informative features to generate at least one feature vector; and training, based on the at least one feature vector, at least one classifier to determine whether an in-use executable file is malicious or benign.
Type: Grant
Filed: August 31, 2021
Date of Patent: April 16, 2024
Assignee: F.A.C.C.T. NETWORK SECURITY LLC
Inventor: Nikolay Prudkovskiy
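An added example serving both executable-file abstracts above, 12229259 (feature vectors from file data and from a control-flow graph, one classifier per vector, an ensemble) and 11960597 (features organised into per-type sets, informative features selected within each set, a classifier trained on the result). It is written for this page and is not the patents' or F.A.C.C.T.'s code: the patents do not disclose their specific features, selection criterion or classifier family, so the feature names, the separability filter, the nearest-centroid classifier, the majority vote and every training sample are constructed for illustration. The control-flow graphs are given directly as adjacency lists; the back-edge count assumes block ids follow address order.

```python
"""Per-type feature sets -> informative-feature filter -> one classifier per type -> vote.
Constructed example; features, samples, thresholds and classifier choice are assumptions."""
import math


def cfg_features(adj):
    """Graph-level features from a control-flow graph given as {block_id: [successor ids]}.
    Assumes block ids follow address order, so an edge to an id <= its source is a back edge."""
    edges = [(u, v) for u, succs in adj.items() for v in succs]
    return {
        "n_blocks": len(adj),
        "n_edges": len(edges),
        "n_back_edges": sum(1 for u, v in edges if v <= u),
        "max_out_degree": max(len(s) for s in adj.values()),
    }


def feature_sets(sample):
    """Organise one sample's data into sets of features, one set per predetermined type."""
    return {"header": dict(sample["header"]), "imports": dict(sample["imports"]),
            "cfg": cfg_features(sample["cfg"])}


def _mean_std(values):
    m = sum(values) / len(values)
    return m, math.sqrt(sum((v - m) ** 2 for v in values) / len(values))


def informative_features(rows, labels, min_score=1.0):
    """Keep features whose class means are far apart relative to the within-class spread.
    The score and its threshold are a simple stand-in for whatever criterion the patents use."""
    keep = []
    for f in rows[0]:
        m1, s1 = _mean_std([r[f] for r, y in zip(rows, labels) if y == 1])
        m0, s0 = _mean_std([r[f] for r, y in zip(rows, labels) if y == 0])
        if abs(m1 - m0) / (s1 + s0 + 1e-9) >= min_score:
            keep.append(f)
    return keep


class CentroidClassifier:
    """Nearest-centroid classifier over z-scored selected features; one instance per feature type."""

    def __init__(self, rows, labels, features):
        self.features = features
        self.scale = {f: _mean_std([r[f] for r in rows]) for f in features}
        by_class = {y: [self._z(r) for r, l in zip(rows, labels) if l == y] for y in (0, 1)}
        self.centroids = {y: [sum(col) / len(col) for col in zip(*vs)] for y, vs in by_class.items()}

    def _z(self, row):
        return [(row[f] - m) / (s or 1.0) for f, (m, s) in self.scale.items()]

    def predict(self, row):
        z = self._z(row)
        return min((sum((a - b) ** 2 for a, b in zip(z, c)), y) for y, c in self.centroids.items())[1]


def train_ensemble(samples):
    """One classifier per feature type, each trained only on that type's informative features."""
    labels = [s["label"] for s in samples]
    per_type = [feature_sets(s) for s in samples]
    ensemble = {}
    for t in per_type[0]:
        rows = [p[t] for p in per_type]
        feats = informative_features(rows, labels) or list(rows[0])  # fall back if nothing passes
        ensemble[t] = CentroidClassifier(rows, labels, feats)
    return ensemble


def classify(ensemble, sample):
    """Each classifier votes on its own feature set; the majority decides (1 = malicious)."""
    fs = feature_sets(sample)
    votes = {t: clf.predict(fs[t]) for t, clf in ensemble.items()}
    return {"votes": votes, "malicious": sum(votes.values()) * 2 > len(votes)}


def sample(label, sections, entropy, ts_zero, net, crypto, ui, cfg):
    return {"label": label, "header": {"sections": sections, "entropy": entropy, "timestamp_zero": ts_zero},
            "imports": {"net": net, "crypto": crypto, "ui": ui}, "cfg": cfg}


TRAINING = [  # constructed values, not measurements of real files
    sample(1, 4, 7.6, 1, 6, 4, 2, {0: [1, 2], 1: [3], 2: [3], 3: [1, 4], 4: []}),
    sample(1, 4, 7.4, 1, 5, 5, 1, {0: [1], 1: [2], 2: [1, 3], 3: [0, 4], 4: []}),
    sample(1, 5, 7.8, 1, 7, 3, 3, {0: [1, 2], 1: [2], 2: [0, 3], 3: []}),
    sample(1, 4, 7.2, 0, 4, 4, 2, {0: [1], 1: [2], 2: [3], 3: [1, 4], 4: []}),
    sample(0, 4, 5.1, 0, 1, 0, 2, {0: [1, 2], 1: [3], 2: [3], 3: []}),
    sample(0, 5, 5.6, 0, 0, 1, 3, {0: [1], 1: [2, 3], 2: [4], 3: [4], 4: []}),
    sample(0, 4, 4.9, 0, 2, 0, 1, {0: [1, 2], 1: [3], 2: [3], 3: [4], 4: []}),
    sample(0, 4, 5.4, 0, 1, 1, 2, {0: [1], 1: [2], 2: [3], 3: []}),
]
UNKNOWN_MAL = sample(None, 4, 7.5, 1, 5, 4, 2, {0: [1], 1: [2], 2: [0, 3], 3: []})
UNKNOWN_BEN = sample(None, 4, 5.2, 0, 1, 0, 3, {0: [1, 2], 1: [3], 2: [3], 3: []})

if __name__ == "__main__":
    ens = train_ensemble(TRAINING)
    print({t: c.features for t, c in ens.items()})
    print(classify(ens, UNKNOWN_MAL), classify(ens, UNKNOWN_BEN))
```

On this constructed data the filter drops "sections", "ui", "n_blocks", "n_edges" and "max_out_degree" because their class means barely differ, and each type's classifier is trained only on what remains; that is the practical effect of the "informative features" step, and it is also why the per-type split matters, since a feature that is noise in one set would otherwise dilute a clean signal in another.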