Patents Assigned to FireEye, Inc.
  • Patent number: 9781144
    Abstract: A malware detection system may be configured to enhance analysis of an object when determining whether results for a previously analyzed object may be applied to the object. The enhanced analysis may employ context factors pertaining to an environment within which the objects operate. If an object identifier (ID) of the object matches the object ID of the previously analyzed object, but one or more of the context factors differ, then the results from the previously analyzed object may not be applied to the object and the object is subjected to further analysis, e.g., behavioral analysis. Yet if the context factors do not differ, then the object may be deemed a duplicate of the previously analyzed object, such that a result (such as an alert or “no action”) of the previously analyzed object may be applied to the object.
    Type: Grant
    Filed: September 30, 2014
    Date of Patent: October 3, 2017
    Assignee: FireEye, Inc.
    Inventors: Alexander Otvagin, Vineet Kumar, Arsen Movsesyan
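Illustration of the reuse rule in the abstract above, added here by the editor; it is not code from the patent or from FireEye. A cached result is applied to a later sighting only when the object ID and every context factor match; if the ID matches but any factor differs, the object goes back to behavioral analysis. The factor set (OS, OS version, opening application and its version), the object IDs and the stand-in behavioral analysis are assumptions for the demo.

```python
"""Verdict reuse gated on context factors (illustrative, not FireEye's code)."""
from dataclasses import dataclass, fields
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Context:
    """Environment the object would run in (assumed set of context factors)."""
    os_name: str
    os_version: str
    app: str            # application that opens the object, e.g. a PDF reader
    app_version: str


def differing_factors(a: Context, b: Context) -> List[str]:
    """Names of the context factors that differ between two sightings."""
    return [f.name for f in fields(Context) if getattr(a, f.name) != getattr(b, f.name)]


class VerdictCache:
    def __init__(self, behavioral_analysis: Callable[[str, Context], str]):
        self._analyze = behavioral_analysis
        # (object_id, context) -> result; one ID may carry several results
        self._verdicts: Dict[Tuple[str, Context], str] = {}
        self.analyses_run = 0

    def verdict(self, object_id: str, ctx: Context) -> Tuple[str, bool, List[str]]:
        """Return (result, reused, factors that differed from earlier sightings).

        reused is True when the object is a duplicate of an earlier sighting
        (same ID, identical context) and that earlier result was applied.
        """
        key = (object_id, ctx)
        if key in self._verdicts:
            return self._verdicts[key], True, []
        # Same ID seen before but at least one context factor differs: no reuse
        differing = sorted({
            f for (oid, prior_ctx) in self._verdicts
            if oid == object_id
            for f in differing_factors(prior_ctx, ctx)
        })
        self.analyses_run += 1
        result = self._analyze(object_id, ctx)
        self._verdicts[key] = result
        return result, False, differing


# Constructed stand-in for behavioral analysis: the sample document only
# triggers in reader version 11.0 (assumption made for the demo).
def demo_behavioral_analysis(object_id: str, ctx: Context) -> str:
    if object_id == "sha256:doc-1" and ctx.app == "reader" and ctx.app_version == "11.0":
        return "alert"
    return "no action"


WIN7_R12 = Context("windows", "7", "reader", "12.0")
WIN7_R11 = Context("windows", "7", "reader", "11.0")


def run_demo() -> List[Tuple[str, bool, List[str]]]:
    cache = VerdictCache(demo_behavioral_analysis)
    return [
        cache.verdict("sha256:doc-1", WIN7_R12),   # first sighting: analyzed
        cache.verdict("sha256:doc-1", WIN7_R12),   # duplicate: result reused
        cache.verdict("sha256:doc-1", WIN7_R11),   # app_version differs: re-analyzed
        cache.verdict("sha256:doc-1", WIN7_R11),   # duplicate of the third sighting
    ]


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

The third sighting is the case the abstract is about: the same document hash was already seen and judged harmless, but the reader version differs, so the earlier "no action" is not applied and the re-run produces an alert.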
  • Patent number: 9773112
    Abstract: According to one embodiment, a computerized method is provided that comprises: accessing information associated with one or more observed events, wherein one or more of the observed events constitutes an anomalous behavior; accessing a reference model based on a first plurality of events, the reference model comprising a first event of the first plurality of events, a second event of the first plurality of events and a relationship that identifies that the second event is based on the first event, wherein at least one of the first event and the second event constitutes an anomalous behavior; and comparing the information associated with the one or more observed events with the reference model to determine whether at least one observed event matches at least one of the first event or the second event that constitutes the anomalous behavior.
    Type: Grant
    Filed: September 29, 2014
    Date of Patent: September 26, 2017
    Assignee: FireEye, Inc.
    Inventors: Hirendra Rathor, Kaushal Dalal
  • Patent number: 9756074
    Abstract: A threat detection system integrating intrusion protection system (IPS) logic with virtual execution logic is described. The IPS logic is configured to receive a first plurality of objects and filter the first plurality of objects by identifying a second plurality of objects as suspicious objects. The second plurality of objects is a subset of the first plurality of objects and is lesser or equal in number to the first plurality of objects. The virtual execution logic is configured to automatically verify whether any of the suspicious objects is an exploit. The virtual execution logic comprises at least one virtual machine configured to virtually process content within the suspicious objects and monitor for anomalous behaviors during the virtual processing that are indicative of exploits.
    Type: Grant
    Filed: March 27, 2014
    Date of Patent: September 5, 2017
    Assignee: FireEye, Inc.
    Inventors: Ashar Aziz, Muhammad Amin, Osman Abdoul Ismael, Zheng Bu
  • Patent number: 9749344
    Abstract: A security system comprising a computer, a memory, a data store comprising a plurality of consensus evaluations and a plurality of cyber threat analyst ratings, and an application stored in the memory. When executed by the computer, the application generates a cyber threat report that identifies a cyber threat intent and a cyber threat technology, receives from a cyber threat analyst an input of a cyber threat frequency score, an input of a cyber threat likelihood score, and an input of a cyber threat capability score, and generates a cyber threat intensity based on the scores and based on a cyber threat analyst rating stored in the data store and associated with the cyber threat analyst inputting the scores, whereby the cyber threat report and the cyber threat intensity are used to select cyber risk mitigation actions to economically manage the cyber risk of an enterprise or organization.
    Type: Grant
    Filed: April 3, 2014
    Date of Patent: August 29, 2017
    Assignee: FireEye, Inc.
    Inventors: John P. Watters, Frederick Doyle, Henry Peltokangas, Matthew Keane
  • Patent number: 9747446
    Abstract: One embodiment of an electronic device comprises a processor and a memory accessible by the processor. The memory comprises virtual execution logic and run-time classifier logic. The virtual execution logic includes at least one virtual machine that is configured to virtually process content within an object under analysis and monitor for anomalous behaviors during the virtual processing that are indicative of malware. The run-time classifier logic performs, during run-time, a first analysis on the monitored anomalous behaviors and a pre-stored identifier to determine if the monitored anomalous behaviors indicate that the object is malware belonging to a classified malware family. The pre-stored identifier is a collection of data associated with anomalous behaviors that uniquely identify the malware family.
    Type: Grant
    Filed: March 27, 2014
    Date of Patent: August 29, 2017
    Assignee: FireEye, Inc.
    Inventors: Vinay K. Pidathala, Zheng Bu, Ashar Aziz
  • Patent number: 9749343
    Abstract: A security system comprising a computer, a memory, a data store comprising a cyber threat intent dictionary and a technology dictionary; and an application stored in the memory. When executed by the computer, the application generates a report that comprises an identification of a cyber threat intent and the identification of a cyber threat technology, wherein the cyber threat intent is selected from a plurality of cyber threat intents listed in the cyber threat intent dictionary and wherein the cyber threat technology is selected from the technology dictionary. The application also populates values in a cyber threat progression vector, where the cyber threat progression vector comprises elements that each corresponds to an action in a chain of actions associated with a cybercrime, where the values correspond to one of present or not present. The vector is used to manage the cyber risk of an enterprise or organization.
    Type: Grant
    Filed: April 3, 2014
    Date of Patent: August 29, 2017
    Assignee: FireEye, Inc.
    Inventors: John P. Watters, Frederick Doyle, Henry Peltokangas, Matthew Keane
  • Patent number: 9740857
    Abstract: A threat-aware microvisor is configured to facilitate real-time security analysis, including exploit detection and threat intelligence, of operating system processes executing on a node of a network environment. The microvisor may be embodied as a module disposed or layered beneath (underlying) an operating system kernel executing on the node to thereby control privileges (i.e., access permissions) to kernel resources, such as one or more central processing units (CPUs), network interfaces, memory, and/or devices, of the node. Illustratively, the microvisor may be configured to control access to one or more of the resources in response to a request by an operating system process to access the resource.
    Type: Grant
    Filed: March 28, 2014
    Date of Patent: August 22, 2017
    Assignee: FireEye, Inc.
    Inventors: Osman Abdoul Ismael, Ashar Aziz
  • Patent number: 9736179
    Abstract: According to one embodiment, an electronic device comprises a memory to store information and a processor. The processor is adapted to receive information associated with content such as network traffic, to process the stored information and to conduct operations on the content. These operations may comprise determining, by a virtual machine processed by the processor, an occurrence of an event during malware analysis of an object associated with the content, and dynamically altering a virtual machine instrumentation of the virtual machine based on information associated with the event.
    Type: Grant
    Filed: September 30, 2013
    Date of Patent: August 15, 2017
    Assignee: FireEye, Inc.
    Inventor: Osman Abdoul Ismael
  • Patent number: 9690933
    Abstract: According to one embodiment, an apparatus comprises a detection engine and a classification engine. The detection engine is responsible for analyzing an object to determine if the object is malicious. The classification engine is configured to (i) receive results of the analysis of the object conducted by the detection engine and (ii) analyze, based at least in part on the results from the detection engine, whether the object is malicious in accordance with a predictive model. Responsive to the detection engine and the classification engine differing in determinations as to whether the object is malicious, information associated with at least a portion of the results of the analysis of the object by at least one of the detection engine and the classification engine is uploaded for determining whether an update of the predictive model is to occur. An update of the predictive model is subsequently received by the classification engine.
    Type: Grant
    Filed: December 22, 2014
    Date of Patent: June 27, 2017
    Assignee: FireEye, Inc.
    Inventors: Abhishek Singh, Ali Mesdaq, Anirban Das, Varun Jain
  • Patent number: 9690935
    Abstract: A method to identify character strings associated with potentially malicious software items. The method includes employing a visual algorithm to translate one or more characters of a character string into corresponding characters in a visual ID for use in grouping and comparing computer items having similar visual IDs, such as a reference ID for a computer item that is known to be non-malicious. The method may, among other things, elucidate an attacker's attempt to obfuscate malicious software by using file names that are very similar to those used for harmless files.
    Type: Grant
    Filed: August 19, 2013
    Date of Patent: June 27, 2017
    Assignee: FireEye, Inc.
    Inventors: Jason Shiffer, David Ross
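A worked version of the visual-ID idea in the abstract above, added by the editor and not the patent's or FireEye's implementation. Each character of a name is translated into a representative of the glyphs it can be confused with, so that names differing only by look-alike characters collapse to the same visual ID and can be grouped or compared against a reference ID for a known-good file. The confusable table, the digraph list, the edit-distance tolerance and the sample names are assumptions; a production table would be derived from Unicode confusables data rather than hand-written.

```python
"""Visual IDs for look-alike file-name detection (illustrative, not FireEye's code)."""
import unicodedata
from typing import Dict, List, Tuple

# Assumed mapping: each glyph is replaced by a representative of its look-alike set.
CONFUSABLE = {
    "0": "o", "1": "l", "|": "l", "!": "l", "5": "s", "$": "s", "2": "z",
    "8": "b", "6": "g", "9": "g", "4": "a", "3": "e", "7": "t",
    "\u0430": "a",   # Cyrillic a
    "\u043e": "o",   # Cyrillic o
    "\u0435": "e",   # Cyrillic ie
    "\u0441": "c",   # Cyrillic es
    "\u0440": "p",   # Cyrillic er
}
# Two-glyph sequences that read as one glyph in common fonts (assumed list).
DIGRAPHS = {"rn": "m", "vv": "w"}


def visual_id(name: str) -> str:
    """Translate a character string into its visual ID."""
    s = unicodedata.normalize("NFKC", name).casefold()
    vid = "".join(CONFUSABLE.get(ch, ch) for ch in s)
    for seq, rep in DIGRAPHS.items():
        vid = vid.replace(seq, rep)
    return vid


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to compare visual IDs that are close but not equal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def group_by_visual_id(names: List[str]) -> Dict[str, List[str]]:
    """Group computer items whose names share a visual ID."""
    groups: Dict[str, List[str]] = {}
    for n in names:
        groups.setdefault(visual_id(n), []).append(n)
    return groups


def lookalikes(candidates: List[str], references: List[str],
               max_distance: int = 1) -> List[Tuple[str, str, int]]:
    """Candidates whose visual ID is within max_distance of a known-good reference ID
    but whose raw name is not that reference name."""
    ref_ids = {visual_id(r): r for r in references}
    hits = []
    for c in candidates:
        cid = visual_id(c)
        for rid, r in ref_ids.items():
            d = edit_distance(cid, rid)
            if d <= max_distance and c != r:
                hits.append((c, r, d))
    return hits


# Constructed sample: known-good names and names observed on a host.
REFERENCES = ["svchost.exe", "lsass.exe", "explorer.exe"]
CANDIDATES = ["svchost.exe", "svch0st.exe", "1sass.exe", "exp1orer.exe",
              "svchosts.exe", "scvhost.exe", "notepad.exe", "svch\u043est.exe"]

if __name__ == "__main__":
    for c, r, d in lookalikes(CANDIDATES, REFERENCES):
        print(f"{c!r} looks like {r!r} (visual distance {d})")
```

Note what the method does and does not catch: digit and homoglyph substitutions collapse to the reference ID (distance 0), a one-character insertion is within tolerance, but a transposition such as scvhost.exe has a visual distance of 2 and is left for other checks.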
  • Patent number: 9690936
    Abstract: A malware detection system configured to detect suspiciousness in obfuscated content. A multi-stage static detection logic is utilized to detect obfuscation, make the obfuscated content accessible, identify suspiciousness in the accessible content and filter non-suspicious non-obfuscated content from further analysis. The system is configured to identify obfuscated content, de-obfuscate obfuscated content, identify suspicious characteristics in the de-obfuscated content, execute a virtual machine to process the suspicious network content and detect malicious network content while removing from further analysis non-suspicious network content.
    Type: Grant
    Filed: July 1, 2014
    Date of Patent: June 27, 2017
    Assignee: FireEye, Inc.
    Inventors: Amit Malik, Shivani Deshpande, Abhishek Singh, Wei Zheng
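The multi-stage static pass described in the abstract above, as an added example written by the editor rather than code from the patent or FireEye. Stage one looks for signs of obfuscation, stage two makes the content readable by decoding each detected layer, stage three searches the readable form for suspicious characteristics, and stage four decides whether the content is worth a virtual-machine run or can be dropped from further analysis. The marker and suspicion patterns, the decoders and the four sample scripts are assumptions constructed for the demo; the abstract itself only commits to dropping content that is neither obfuscated nor suspicious.

```python
"""Multi-stage static detection over obfuscated content (illustrative, not FireEye's code)."""
import base64
import binascii
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Stage 1: signs that content has been obfuscated (assumed patterns).
OBFUSCATION_MARKERS = {
    "base64_blob": re.compile(r'''atob\(\s*['"]([A-Za-z0-9+/=]{24,})['"]\s*\)'''),
    "hex_escape_run": re.compile(r"((?:\\x[0-9a-fA-F]{2}){8,})"),
    "percent_escape": re.compile(r'''unescape\(\s*['"]((?:%[0-9a-fA-F]{2}){8,})['"]\s*\)'''),
    "charcode_array": re.compile(r"fromCharCode\(((?:\d{2,3},\s*){8,}\d{2,3})\)"),
}

# Stage 3: characteristics that are suspicious once the text is readable (assumed).
SUSPICIOUS = [
    ("activex", re.compile(r"ActiveXObject", re.I)),
    ("eval", re.compile(r"\beval\s*\(")),
    ("shell", re.compile(r"WScript\.Shell|cmd\.exe|powershell", re.I)),
    ("heap_spray", re.compile(r"%u0c0c%u0c0c|%u9090%u9090", re.I)),
    ("iframe_hidden", re.compile(r"<iframe[^>]*(width|height)=['\"]?0", re.I)),
]


def deobfuscate(content: str) -> Tuple[str, List[str]]:
    """Stage 2: decode each detected layer in place, repeating for nested layers."""
    layers: List[str] = []
    text = content
    for _ in range(5):                       # bounded so nesting cannot loop forever
        changed = False
        for name, rx in OBFUSCATION_MARKERS.items():
            m = rx.search(text)
            if not m:
                continue
            raw = m.group(1)
            try:
                if name == "base64_blob":
                    decoded = base64.b64decode(raw).decode("latin-1")
                elif name == "hex_escape_run":
                    decoded = bytes.fromhex(raw.replace("\\x", "")).decode("latin-1")
                elif name == "percent_escape":
                    decoded = unquote(raw)
                else:
                    decoded = "".join(chr(int(c)) for c in raw.split(","))
            except (binascii.Error, ValueError):
                continue                     # looked encoded but is not; leave it
            layers.append(name)
            text = text[:m.start(1)] + decoded + text[m.end(1):]
            changed = True
        if not changed:
            break
    return text, layers


def suspicious_characteristics(text: str) -> List[str]:
    """Stage 3: names of suspicious patterns present in the readable content."""
    return [name for name, rx in SUSPICIOUS if rx.search(text)]


def triage(content: str) -> Dict[str, object]:
    """Stage 4: route to the virtual machine or drop from further analysis."""
    readable, layers = deobfuscate(content)
    hits = suspicious_characteristics(readable)
    action = "virtual_machine" if (hits or layers) else "drop"
    return {"layers": layers, "hits": hits, "action": action, "readable": readable}


# Constructed samples (not real malware): three obfuscated scripts and one benign one.
HIDDEN_IFRAME = b'<iframe src="http://example.invalid/x" width="0" height="0"></iframe>'
SAMPLES = {
    "hex_shell": r'var s="\x6e\x65\x77\x20\x41\x63\x74\x69\x76\x65\x58\x4f\x62\x6a\x65\x63\x74'
                 r'\x28\x22\x57\x53\x63\x72\x69\x70\x74\x2e\x53\x68\x65\x6c\x6c\x22\x29"; eval(s);',
    "b64_iframe": "document.write(atob('" + base64.b64encode(HIDDEN_IFRAME).decode() + "'))",
    "charcode_ps": "var c=String.fromCharCode("
                   + ",".join(str(ord(ch)) for ch in "powershell -enc") + ");",
    "benign": 'document.getElementById("x").innerText = "hello";',
}

if __name__ == "__main__":
    for label, script in SAMPLES.items():
        r = triage(script)
        print(label, r["layers"], r["hits"], r["action"])
```

The benign sample is the one the abstract's filter exists for: it has no obfuscation layer and no suspicious characteristic, so it never reaches the virtual machine, while the three encoded samples are decoded statically first so the suspicious strings they hide are visible before any dynamic analysis is spent on them.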
  • Patent number: 9690606
    Abstract: According to one embodiment of the invention, a computerized method is described for improved efficiency in malware detection. The method comprises detecting a system call initiated by a virtual machine and determining a class assigned to the detected system call. In response to determining that the system call is associated with a first class of system calls, providing information associated with the system call to virtualized device hardware. In contrast, in response to determining that the system call is associated with a second class of system calls, which is different from the first class of system calls, the virtual machine resumes virtual processing of an object without providing information to the virtualized device hardware.
    Type: Grant
    Filed: March 25, 2015
    Date of Patent: June 27, 2017
    Assignee: FireEye, Inc.
    Inventors: Phung-Te Ha, Wei Xu
  • Patent number: 9680862
    Abstract: A trusted threat-aware microvisor may be deployed as a module of a trusted computing base (TCB) that also includes a root task module configured to cooperate with the microvisor to load and initialize one or more other modules executing on a node of a network environment. The root task may cooperate with the microvisor to allocate one or more kernel resources of the node to those other modules. As a trusted module of the TCB, the microvisor may be configured to enforce a security policy of the TCB that, e.g., prevents alteration of a state related to security of the microvisor by a module of or external to the TCB. The security policy of the TCB may be implemented by a plurality of security properties of the microvisor. Trusted (or trustedness) may therefore denote a predetermined level of confidence that the security property is demonstrated by the microvisor.
    Type: Grant
    Filed: January 21, 2015
    Date of Patent: June 13, 2017
    Assignee: FireEye, Inc.
    Inventors: Osman Abdoul Ismael, Ashar Aziz
  • Patent number: 9674298
    Abstract: A secondary indexing technique cooperates with primary indices of an indexing arrangement to enable efficient storage and access of metadata used to retrieve packets persistently stored in data files of a data repository. Efficient storage and access of the metadata used to retrieve the persistently stored packets may be based on a target value of the packets over a search time window. The metadata is illustratively organized as a metadata repository of primary index files that store the primary indices containing hash values of network flows of the packets, as well as offsets and paths to those packets stored in the data files. The technique includes one or more secondary indices having a plurality of present bits arranged in a binary format (i.e., a bit array) to indicate the presence of the target value in one or more packets stored in the data files over the search time window. Notably, the present bits may be used to reduce (i.e., “prune”) a relatively large search space of the stored packets (e.g.
    Type: Grant
    Filed: December 2, 2016
    Date of Patent: June 6, 2017
    Assignee: FireEye, Inc.
    Inventors: Dennis Lee Edwards, Christopher Hayes Fauerbach
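A small model of the two-level index in the abstract above, added by the editor and not the patent's or FireEye's code. The primary index keeps, per packet, a hash of the network flow plus the path and offset of the packet in a data file; the secondary index keeps, per target value (here an IP address), one present bit per time bucket. A search over a time window reads the present bits first and opens only the buckets that can hold a hit. The bucket width, the one-file-per-bucket layout, the in-memory stand-in for the data files and the sample traffic are assumptions for the demo.

```python
"""Present-bit secondary index over stored packets (illustrative, not FireEye's code)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List

BUCKET_SECONDS = 60          # assumed width of one search-time bucket


@dataclass(frozen=True)
class PrimaryEntry:
    ts: int
    flow_hash: str           # hash of the 5-tuple-style flow key
    path: str                # data file holding the packet
    offset: int              # position of the packet inside that file


class PacketStore:
    def __init__(self, base_ts: int):
        self.base_ts = base_ts
        self.files: Dict[str, List[dict]] = {}               # stand-in for on-disk data files
        self.primary: Dict[int, List[PrimaryEntry]] = {}     # bucket -> primary index entries
        self.present: Dict[str, int] = {}                    # value -> present-bit array (as int)
        self.packets_read = 0                                # cost counter for the demo

    def bucket_of(self, ts: int) -> int:
        return (ts - self.base_ts) // BUCKET_SECONDS

    def store(self, pkt: dict) -> None:
        """Persist a packet and update both indices."""
        b = self.bucket_of(pkt["ts"])
        path = f"data/{b:06d}.pcap"                          # assumed: one file per bucket
        blob = self.files.setdefault(path, [])
        offset = len(blob)
        blob.append(pkt)
        flow = f"{pkt['src']}:{pkt['sport']}->{pkt['dst']}:{pkt['dport']}"
        entry = PrimaryEntry(pkt["ts"], hashlib.sha1(flow.encode()).hexdigest(), path, offset)
        self.primary.setdefault(b, []).append(entry)
        for value in (pkt["src"], pkt["dst"]):               # target values indexed here: IPs
            self.present[value] = self.present.get(value, 0) | (1 << b)

    def candidate_buckets(self, value: str, t_start: int, t_end: int) -> List[int]:
        """Buckets inside the window whose present bit for value is set."""
        bits = self.present.get(value, 0)
        lo, hi = self.bucket_of(t_start), self.bucket_of(t_end)
        return [b for b in range(lo, hi + 1) if (bits >> b) & 1]

    def search(self, value: str, t_start: int, t_end: int) -> List[dict]:
        """Retrieve packets carrying value in the window, pruning by present bits first."""
        out = []
        for b in self.candidate_buckets(value, t_start, t_end):
            for e in self.primary.get(b, []):
                pkt = self.files[e.path][e.offset]            # the only packets actually read
                self.packets_read += 1
                if t_start <= pkt["ts"] <= t_end and value in (pkt["src"], pkt["dst"]):
                    out.append(pkt)
        return out


def build_demo_store() -> PacketStore:
    """Constructed traffic: ten minutes of chatter plus one packet to a target address."""
    base = 1_700_000_000
    store = PacketStore(base)
    for b in range(10):
        for i in range(5):
            store.store({"ts": base + b * 60 + i * 10, "src": "10.0.0.1", "dst": "10.0.0.2",
                         "sport": 40000 + i, "dport": 443})
    store.store({"ts": base + 7 * 60 + 25, "src": "10.0.0.1", "dst": "198.51.100.7",
                 "sport": 51000, "dport": 80})
    return store


if __name__ == "__main__":
    s = build_demo_store()
    hits = s.search("198.51.100.7", 1_700_000_000, 1_700_000_600)
    print(len(hits), "hit(s);", s.packets_read, "packets read of",
          sum(len(v) for v in s.files.values()))
```

Of the 51 stored packets, only the six in the single bucket whose present bit is set are read to answer the query; the bit array is what prunes the other nine buckets without touching their data files.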
  • Patent number: 9661009
    Abstract: In an embodiment, a system, device and method for detecting a malicious attack is described. Herein, the system includes a security network device that conducts an analysis on received network traffic to detect a suspicious object associated with the network traffic and determine an identifier associated with a source of the suspicious object. Both information associated with the suspicious object and ancillary data, including information that identifies a return path for analysis results to a customer, are uploaded to a detection cloud. The detection cloud includes provisioning logic and one or more virtual machines that are provisioned by the provisioning logic in accordance with at least a portion of the ancillary data. The provisioning logic customizes the functionality of the detection cloud for a specific customer.
    Type: Grant
    Filed: July 18, 2016
    Date of Patent: May 23, 2017
    Assignee: FireEye, Inc.
    Inventors: Shrikrishna Karandikar, Muhammad Amin, Shivani Deshpande, Yasir Khalid
  • Patent number: 9661018
    Abstract: A network device for detecting malware is described. The network device features a memory storage device and a controller. The controller operates in cooperation with one or more virtual machines that are based on software modules stored within the memory storage device. The controller is configured to (i) monitor behaviors of at least a first virtual machine of the one or more virtual machines processing data received over a network, (ii) identify at least one anomalous behavior that includes either a communication anomaly or an execution anomaly, and (iii) detect, based on the identified at least one anomalous behavior, a presence of malware in the first virtual machine.
    Type: Grant
    Filed: May 27, 2016
    Date of Patent: May 23, 2017
    Assignee: FireEye, Inc.
    Inventor: Ashar Aziz
  • Patent number: 9654485
    Abstract: An analytics-based security monitoring system includes instructions that may be executed by a computing system to receive data in the form of event logs from one or more network devices transferred through a computing environment, detect a plurality of behavioral characteristics from the received event logs, identify behavioral fragments composed of related behavioral characteristics, and identify an attack by correlating the behavioral fragments against patterns of known malicious attacks. The analytics-based security monitoring system may then perform a learning process to enhance further detection of attacks and perform one or more remedial actions when an attack is identified.
    Type: Grant
    Filed: April 13, 2015
    Date of Patent: May 16, 2017
    Assignee: FireEye, Inc.
    Inventor: Justin Neumann
  • Patent number: 9641546
    Abstract: In communication with security appliances, an electronic device for providing a holistic view of a malware attack is described. The electronic device features one or more processors and a storage device. The storage device includes aggregation logic, correlation logic, consolidation logic, and display logic. The aggregation logic is configured to receive input attributes and analysis attributes from each of the security appliances. The correlation logic attempts to find relationships between analysis attributes provided from each security appliance. The consolidation logic receives at least (i) a first analysis attribute from a first security appliance and (ii) a second analysis attribute from a second security appliance in response to the first analysis attribute corresponding to the second analysis attribute. The display logic generates display information including the consolidated input attributes.
    Type: Grant
    Filed: April 11, 2016
    Date of Patent: May 2, 2017
    Assignee: FireEye, Inc.
    Inventors: Jayaraman Manni, Philip Eun, Michael M. Berrow
  • Patent number: 9635039
    Abstract: Techniques may automatically detect bots or botnets running in a computer or other digital device by detecting command and control communications, called “call-backs,” from malicious code that has previously gained entry into the digital device. Callbacks are detected using an approach employing both a set of high quality indicators and a set of supplemental indicators. The high quality indicators are selected since they provide a strong correlation with callbacks, and may be sufficient for the techniques to determine that the network outbound communications actually constitute callbacks. If not, the supplemental indicators may be used in conjunction with the high quality indicators to declare the outbound communications as callbacks.
    Type: Grant
    Filed: May 15, 2013
    Date of Patent: April 25, 2017
    Assignee: FireEye, Inc.
    Inventors: Ali Islam, Zheng Bu
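The two-tier indicator logic in the abstract above, as an added example by the editor and not code from the patent or FireEye. Outbound connections are grouped per destination, each series is scored against high-quality indicators that correlate strongly with callbacks and against weaker supplemental indicators, and a callback is declared either on the high-quality score alone or, when that is insufficient but non-zero, on the high-quality and supplemental scores together. Supplemental indicators by themselves never declare a callback. The indicator set, weights, thresholds, the intelligence entry and the connection records are assumptions constructed for the demo.

```python
"""Callback detection with high-quality and supplemental indicators (illustrative, not FireEye's code)."""
import re
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

KNOWN_C2 = {"203.0.113.9"}               # assumed intelligence-feed entry
BROWSER_UA_PREFIXES = ("Mozilla/",)
HQ_ALONE_THRESHOLD = 3                   # high-quality score sufficient by itself
COMBINED_THRESHOLD = 4                   # high-quality plus supplemental otherwise
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def is_regular_beacon(timestamps: List[int]) -> bool:
    """True when at least four connections recur at a near-constant interval."""
    if len(timestamps) < 4:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg < 0.1      # low coefficient of variation


def score_series(dst: str, dport: int, uas: List[str], timestamps: List[int]) -> Dict:
    """Score one (host, destination, port) series of outbound connections."""
    hq, supp = [], []
    # High-quality indicators: strong correlation with callbacks
    if dst in KNOWN_C2:
        hq.append(("known_c2_destination", 3))
    if is_regular_beacon(timestamps):
        hq.append(("regular_beacon_interval", 2))
    # Supplemental indicators: only meaningful alongside a high-quality one
    if not any(ua.startswith(BROWSER_UA_PREFIXES) for ua in uas):
        supp.append(("non_browser_user_agent", 1))
    if dport not in (80, 443):
        supp.append(("unusual_port", 1))
    if BARE_IP.match(dst):
        supp.append(("bare_ip_destination", 1))
    hq_score = sum(w for _, w in hq)
    supp_score = sum(w for _, w in supp)
    if hq_score >= HQ_ALONE_THRESHOLD:
        verdict, basis = "callback", "high_quality"
    elif hq_score > 0 and hq_score + supp_score >= COMBINED_THRESHOLD:
        verdict, basis = "callback", "combined"
    else:
        verdict, basis = "not_callback", "none"
    return {"verdict": verdict, "basis": basis, "high_quality": hq_score,
            "supplemental": supp_score, "indicators": [n for n, _ in hq + supp]}


def detect_callbacks(connections: List[Tuple[str, str, int, int, str]]
                     ) -> Dict[Tuple[str, str, int], Dict]:
    """Group (host, dst, dport, unix_ts, user_agent) records and score each series."""
    series = defaultdict(lambda: {"uas": [], "ts": []})
    for host, dst, dport, ts, ua in connections:
        series[(host, dst, dport)]["uas"].append(ua)
        series[(host, dst, dport)]["ts"].append(ts)
    return {k: score_series(k[1], k[2], v["uas"], v["ts"]) for k, v in series.items()}


# Constructed outbound records: (host, destination, port, unix time, user agent)
T0 = 1_700_000_000
CONNECTIONS = (
    [("ws-1", "203.0.113.9", 443, T0 + 60 * i, "Mozilla/5.0") for i in range(5)]
    + [("ws-2", "198.51.100.20", 8080, T0 + t, "svc/1.0") for t in (0, 301, 599, 902, 1200)]
    + [("ws-3", "192.0.2.5", 8443, T0 + t, "curl/8.0") for t in (0, 1800)]
    + [("ws-4", "cdn.example", 443, T0 + t, "Mozilla/5.0") for t in (0, 10, 80, 380)]
)

if __name__ == "__main__":
    for key, r in detect_callbacks(CONNECTIONS).items():
        print(key, r["verdict"], r["basis"], r["indicators"])
```

ws-1 is declared on high-quality indicators alone; ws-2 has a regular beacon that is not decisive by itself and is declared only once the supplemental indicators are added; ws-3 carries three supplemental indicators and no high-quality one, so it is not declared, which is the distinction the abstract draws.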
  • Patent number: 9633134
    Abstract: A method for organizing event data by identifying a primary timeline containing event data, extracting a first timestamp from a first item of the primary timeline, setting a radius around the first timestamp, identifying a second timestamp within the radius, determining whether the second timestamp is already in a wrinkle timeline, and, if not, incorporating the second timestamp into the wrinkle timeline. Event data associated with the first item may be marked and emphasized in the wrinkle timeline. The system may also create one or more indexes of the event data.
    Type: Grant
    Filed: September 24, 2013
    Date of Patent: April 25, 2017
    Assignee: FireEye, Inc.
    Inventor: David Ross
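The wrinkle-timeline procedure in the abstract above, as an added example by the editor rather than the patent's or FireEye's code. A first timestamp is taken from an item of interest on the primary timeline, a radius is set around it, and every timestamp from any event source that falls inside the radius is incorporated into the wrinkle timeline unless it is already present; events of the item of interest are marked, and an index from timestamp to events is kept. The event sources, the radius and the sample events are assumptions constructed for the demo.

```python
"""Wrinkle timeline around an item on the primary timeline (illustrative, not FireEye's code)."""
import bisect
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str          # assumed sources: "fs", "registry", "evtlog", "net"
    detail: str


@dataclass
class WrinkleTimeline:
    timestamps: List[datetime] = field(default_factory=list)   # sorted, unique
    index: Dict[datetime, List[Event]] = field(default_factory=dict)
    marked: Set[datetime] = field(default_factory=set)         # emphasized items
    duplicates_skipped: int = 0

    def incorporate(self, event: Event, mark: bool = False) -> bool:
        """Add the event's timestamp unless already present; return True if it was new."""
        is_new = event.ts not in self.index
        if is_new:
            self.index[event.ts] = []
            bisect.insort(self.timestamps, event.ts)
        else:
            self.duplicates_skipped += 1
        if event not in self.index[event.ts]:
            self.index[event.ts].append(event)
        if mark:
            self.marked.add(event.ts)
        return is_new


def wrinkle_around(first: Event, events: List[Event], radius: timedelta,
                   wrinkle: Optional[WrinkleTimeline] = None) -> WrinkleTimeline:
    """Fold every event within radius of first.ts into the wrinkle timeline.

    first is an item of the primary timeline, which is part of events.
    """
    wrinkle = wrinkle if wrinkle is not None else WrinkleTimeline()
    lo, hi = first.ts - radius, first.ts + radius
    for ev in events:
        if lo <= ev.ts <= hi:
            wrinkle.incorporate(ev, mark=(ev == first))
    return wrinkle


def at(h: int, m: int, s: int) -> datetime:
    return datetime(2024, 1, 1, h, m, s)


# Constructed events from several sources; the file-system events are the primary timeline.
FS = [Event(at(11, 50, 0), "fs", "browser cache write"),
      Event(at(12, 0, 5), "fs", "create AppData\\update.exe"),
      Event(at(12, 0, 7), "fs", "create AppData\\helper.dll")]
OTHER = [Event(at(12, 0, 5), "evtlog", "4688 process start update.exe"),
         Event(at(12, 0, 20), "registry", "HKCU Run value added"),
         Event(at(12, 0, 31), "net", "outbound 203.0.113.9:443"),
         Event(at(13, 0, 0), "evtlog", "4624 logon")]


def demo() -> WrinkleTimeline:
    w = wrinkle_around(FS[1], FS + OTHER, timedelta(seconds=30))
    # A second item of interest widens the wrinkle; timestamps already present are not re-added.
    return wrinkle_around(OTHER[1], FS + OTHER, timedelta(seconds=30), w)


if __name__ == "__main__":
    w = demo()
    for ts in w.timestamps:
        flag = "*" if ts in w.marked else " "
        print(flag, ts.time(), [f"{e.source}: {e.detail}" for e in w.index[ts]])
```

The evtlog process-start event shares its timestamp with the file creation that seeded the wrinkle, so the timestamp is not added twice but both events hang off the same index entry; the 13:00 logon lies outside the radius of both items and never enters the wrinkle.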