Abstract: A device for classifying malware including a processor, and a storage device storing a plurality of previously classified symfunc hash values and malware detection logic which attempts to classify malicious code by utilizing binary disassembler logic processed by the processor. Binary disassembler logic can be configured to receive a suspicious binary object and disassemble the binary object into disassembled code data, while symbolic analyzer logic can be configured to receive the disassembled code data and generate symbolic representation data. Generation logic can be configured to receive the symbolic representation data and generate at least one symfunc hash value based on the symbolic representation data. Finally, classification logic can be configured to receive at least one symfunc hash value, compare the symfunc hash value against previously classified symfunc hash values, and determine if the binary object comprises malicious code based on the associated symfunc hash value.

Abstract: Malicious network content is identified based on the behavior of one or more virtual environment components which process network content in a virtual environment. Network content can be monitored and analyzed using a set of heuristics. The heuristics identify suspicious network content communicated over a network. The suspicious network content can further be analyzed in a virtual environment that includes one or more virtual environment components. Each virtual environment component is configured to mimic live environment components, for example a browser application component or an operating system component. The suspicious network content is replayed in the virtual environment using one or more of the virtual environment components. The virtual environment component behavior is analyzed in view of an expected behavior to identify malicious network content. The malicious network content is then identified and processed.

Abstract: The disclosure is directed towards systems and methods for improving security in a computer network. The system can include a planner and a plurality of controllers. The controllers can be deployed within each zone of the production network. Each controller can be configured to assume the role of an attacker or a target for malicious network traffic. Simulations of malicious behavior can be performed by the controllers within the production network, and can therefore account for the complexities of the production network, such as stateful connections through switches, routers, and other intermediary devices. In some implementations, the planner can analyze data received from the controllers to provide a holistic analysis of the overall security posture of the production network.

Abstract: According to one embodiment, a computing device comprises one or more hardware processor and a memory coupled to the one or more processors. The memory comprises software that supports a virtualization software architecture including a first virtual machine operating under control of a first operating system. Responsive to determining that the first operating system has been compromised, a second operating system, which is stored in the memory in an inactive (dormant) state, is now active and controlling the first virtual machine or a second virtual machine different from the first virtual machine that now provides external network connectivity.

Abstract: A system for detecting whether a file including content s associated with a cyber-attack is described. The content may include an executable file for example. The system includes an intelligence-driven analysis subsystem and a computation analysis subsystem. The intelligence-driven analysis subsystem is configured to (i) receive the file, (ii) inspect and compute features of the file for indicators associated with a cyber-attack, and (iii) produce a first output representing the detected indicators. The computational analysis subsystem includes an artificial neural network to (i) receive a network input being a first representation of at least one section of binary code from the file as input, and (ii) process the first representation of the section to produce a second output. The first output and the second output are used in determination a classification assigned to the file.

Abstract: According to one embodiment, a threat detection system comprising an intrusion protection system (IPS) logic, a virtual execution logic and a reporting logic is shown. The IPS logic is configured to receive a first plurality of objects and analyze the first plurality of objects to identify a second plurality of objects as potential exploits, the second plurality of objects being a subset of the first plurality of objects and being lesser or equal in number to the first plurality of objects. The virtual execution logic including at least one virtual machine configured to process content within each of the second plurality of objects and monitor for anomalous behaviors during the processing that are indicative of exploits to classify that a first subset of the second plurality of objects includes one or more verified exploits. The reporting logic configured to provide a display of exploit information associated with the one or more verified exploits.

Abstract: Exemplary systems and methods for malware attack detection and identification are provided. A malware detection and identification system a controller that features an analysis environment including a virtual machine. The analysis environment to (1) receive data by the virtual machine of the analysis environment and identify a portion of the data that have been received from one or more untrusted, (2) monitor state information associated with the identified portion of the data during execution by the virtual machine, (3) identify an outcome of the state information by tracking the state information during execution of the identified portion of the data by the virtual machine, and (4) determine whether the identified outcome comprises a redirection in control flow during execution by the virtual machine of the portion of the data, the redirection in the control flow constituting an unauthorized activity.

Abstract: According to one embodiment, a system features a network security device and a cloud computing service. The network security device is configured to determine whether an object includes one or more characteristics associated with a malicious attack. The cloud computing service, communicatively coupled to and remotely located from the network security device, includes virtual execution logic that, upon execution by a processing unit deployed as part of the cloud computing service and after the network security device determining that the object includes the one or more characteristics associated with the malicious attack, processes the object and monitors for behaviors of at least the object suggesting the object is associated with a malicious attack.

Abstract: According to one embodiment, a computerized method operates by configuring a virtual machine operating within an electronic device with a first instrumentation for processing of a suspicious object. In response to detecting a type of event during processing of the suspicious object within the virtual machine, the virtual machine is automatically reconfigured with a second instrumentation that is different from the first instrumentation in efforts to achieve reduced configuration time and/or increased effectiveness in exploit detection.

Abstract: According to one embodiment, a system for detecting an email campaign includes feature extraction logic, pre-processing logic, campaign analysis logic and a reporting engine. The feature extraction logic obtains features from each of a plurality of malicious email messages received for analysis while the pre-processing logic generates a plurality of email representations that are arranged in an ordered sequence and correspond to the plurality of malicious email message. The campaign analysis logic determines the presence of an email campaign in response to a prescribed number of successive email representations being correlated to each other, where the results of the email campaign detection are provided to a security administrator via the reporting engine.

Abstract: According to one embodiment, a computerized method comprises three operations. First, an exploit is determined to have been activated on a client device to transition a state of the client device from a non-infected state to an infected state. Second, a software image is determined prior to the client device receiving the object including the exploit. Lastly, an operating state of the client device is restored by at least reinstalling the software image on the client device so that the client device reverts to an operating state of the client device prior to activation of the exploit.

Abstract: A graphical user interface provides network security administrators a tool to quickly and easily create one or more courses of action for automatic response to a network threat. The courses of action are hardware and system agnostic, which allows a common response task to be implemented by an underlying response engine for any or multiple similar-function devices regardless of brand or version. The course of action builder allows the administrator to use a simple, graphic-based, business modeling concept to craft and design security response processes rather than having to hard code response routines specific to each piece of hardware on the network. The graphic interface model allows the user of the threat response software incorporating the course of action builder to easily understand the overall flow and paths the response may take, as well as understand the data requirements and dependencies that will be evaluated.

Abstract: According to one embodiment, an electronic device features processing circuitry and memory that includes a first logic and a second logic. When executed by the processing circuitry, the first logic organizes (i) a first plurality of indicators of compromise (IOCs) received from a first source, where the first plurality of IOCs being caused by a known origin of a malicious attack, and (ii) one or more IOCs received from a second source that is different from the first source and an origin of the one or more IOCs is unknown. The second logic conducts a predictive analysis that evaluates whether the one or more IOCs have at least a degree of correlation with the first plurality of IOCs, and determines a threat level. The threat level signifies a degree of confidence that IOCs received from the second source are caused by the known origin of the first plurality of IOCs.

Abstract: A comprehensive cybersecurity platform includes a cybersecurity intelligence hub, a cybersecurity sensor and one or more endpoints communicatively coupled to the cybersecurity sensor, where the platform allows for efficient scaling, analysis, and detection of malware and/or malicious activity. An endpoint includes a local data store and an agent that monitors for one or more types of events being performed on the endpoint, and performs deduplication within the local data store to identify “distinct” events. The agent provides the collected metadata of distinct events to the cybersecurity sensor which also performs deduplication within a local data store. The cybersecurity sensor sends all distinct events and/or file objects to a cybersecurity intelligence hub for analysis. The cybersecurity intelligence hub is coupled to a data management and analytics engine (DMAE) that analyzes the event and/or object using multiple services to render a verdict (e.g., benign or malicious) and issues an alert.

Abstract: A method for generating rule recommendation utilized in a creation of malware detection rules is described. Meta-information associated with a plurality of events collected during a malware detection analysis of an object by a cybersecurity system is received and a first plurality of features is selected from the received meta-information. Machine learning (ML) models are applied to each of the first plurality of features to generate a score that represents a level of maliciousness for the feature and thereby a degree of usefulness of the feature in classifying the object as malicious or benign. Thereafter, a second plurality of features is selected as the salient features, which are used in creation of the malware detection rules in controlling subsequent operations of the cybersecurity system. The second plurality of features being lesser in number that the first plurality of features.

Abstract: A graphical user interface provides network security administrators a tool to quickly and easily create one or more courses of action for automatic response to a network threat. The courses of action are hardware and system agnostic, which allows a common response task to be implemented by an underlying response engine for any or multiple similar-function devices regardless of brand or version. The course of action builder allows the administrator to use a simple, graphic-based, business modeling concept to craft and design security response processes rather than having to hard code response routines specific to each piece of hardware on the network. The graphic interface model allows the user of the threat response software incorporating the course of action builder to easily understand the overall flow and paths the response may take, as well as understand the data requirements and dependencies that will be evaluated.

Abstract: A method for detecting a cyberattack on a network device is described. The method features receiving script text and performing a normalization operation on the script text to produce a normalized script text. The normalized script text includes a plurality of analytic tokens each being an instance of a sequence of characters grouped together as a useful semantic unit for natural language processing (NLP). Thereafter, a NLP model is applied to the normalized script text to classify a script associated with the script text as malicious or benign. Responsive to the script being classified as malicious, generating an alert message provided to an administrator to identify the malicious script.

Abstract: The disclosure is directed towards systems and methods for improving security in a computer network. The system can include a planner and a plurality of controllers. The controllers can be deployed within each zone of the production network. Each controller can be configured to assume the role of an attacker or a target for malicious network traffic. Simulations of malicious behavior can be performed by the controllers within the production network, and can therefore account for the complexities of the production network, such as stateful connections through switches, routers, and other intermediary devices. In some implementations, the planner can analyze data received from the controllers to provide a holistic analysis of the overall security posture of the production network.

Abstract: In one embodiment, a method for detecting one or more behaviors by software under test that indicate a presence of malware is described. First, an analysis of operations conducted by the software being processed by a virtual machine is performed. The analysis includes monitoring one or more behaviors conducted by the software during processing within the virtual machine. Next, a video corresponding to at least the one or more monitored behaviors, which are conducted by the software during processing of the software within the virtual machine, is generated. Also, text information associated with each of the one or more monitored behaviors is generated, where the text information being displayed on an electronic device contemporaneously with the video corresponding to the one or more monitored behaviors.

Abstract: According to one embodiment, a computerized method features monitoring behaviors of an object during processing within a guest system of a virtual machine. Within a guest system, a rule-based analysis of data associated with the monitored behaviors is conducted. The rule-based analysis includes prioritizing data associated with the monitored behaviors that correspond to an exception, and thereafter, storing the data associated with the monitored behaviors that correspond to the exception into a prescribed area of a virtual image file. The prescribed area is accessible by (i) logic within the guest system and (ii) logic within a host system of the virtual machine.