Patents Assigned to FireEye Security Holdings US LLC
  • Patent number: 11368475
    Abstract: A system and method for retrieval and analysis of stored objects for malware is described. The method involves receiving a scan request message from a customer to conduct analytics on one or more objects stored within a third-party controlled service. In response to receipt of the scan request message, the system generates a redirect message. The redirect message redirects the customer to an authentication portal of the third-party controlled service operating as a logon page and configures receipt by the system of access credentials for the third-party controlled service upon verification of the customer. Using the access credentials, the system is able to retrieve the one or more objects using the access credentials and performing analytics on each object of the one or more objects to classify each object as malicious or benign.
    Type: Grant
    Filed: December 21, 2018
    Date of Patent: June 21, 2022
    Assignee: FireEye Security Holdings US LLC
    Inventor: Sai Vashisht
  • Patent number: 11294705
    Abstract: Selective virtualization of resources is provided, where the resources may be intercepted and services or the resources may be intercepted and redirected. Virtualization logic monitors for one or more activities that are performed in connection with one or more resources and conducted during processing of an object within the virtual machine. The first virtualization logic further selectively virtualizes resources associated with the one or more activities that are initiated during the processing of the object within the virtual machine by at least redirecting a first request of a plurality of requests to a different resource than requesting by a monitored activity of the one or more activities.
    Type: Grant
    Filed: September 16, 2019
    Date of Patent: April 5, 2022
    Assignee: FireEye Security Holdings US LLC
    Inventors: Sushant Paithane, Michael Vincent
  • Patent number: 11271955
    Abstract: A system for detecting artifacts associated with a cyber-attack features a cybersecurity intelligence hub remotely located from and communicatively coupled to one or more network devices via a network. The hub includes a data store and retroactive reclassification logic. The data store includes stored meta-information associated with each prior evaluated artifact of a plurality of prior evaluated artifacts. Each meta-information associated with a prior evaluated artifact of the plurality of prior evaluated artifacts includes a verdict classifying the prior evaluated artifact as a malicious classification or a benign classification. The retroactive reclassification logic is configured to analyze the stored meta-information associated with the prior evaluated artifact and either (a) identify whether the verdict associated with the prior evaluated artifact is in conflict with trusted cybersecurity intelligence or (b) identify inconsistent verdicts for the same prior evaluated artifact.
    Type: Grant
    Filed: December 17, 2018
    Date of Patent: March 8, 2022
    Assignee: FireEye Security Holdings US LLC
    Inventors: Sai Vashisht, Alexander Otvagin
  • Patent number: 11244044
    Abstract: According to one embodiment, a malware detection software being loaded into non-transitory computer readable medium for execution by a processor. The malware detection software comprises exploit detection logic, rule-matching logic, reporting logic and user interface logic. The exploit detection logic is configured to execute certain event logic with respect to a loaded module. The rule-matching logic includes detection logic that is configured to determine whether an access source is attempting to access a protected region and determine whether the access source is from a dynamically allocated memory. The reporting logic includes alert generating logic that is configured to generate an alert while the user interface logic is configured to notify a user or a network administrator of a potential cybersecurity attack.
    Type: Grant
    Filed: February 15, 2019
    Date of Patent: February 8, 2022
    Assignee: FireEye Security Holdings US LLC
    Inventors: Amit Malik, Raghav Pande, Aakash Jain
  • Patent number: 11244056
    Abstract: A trusted threat-aware microvisor may be deployed as a module of a trusted computing base (TCB). The microvisor is illustratively configured to enforce a security policy of the TCB, which may be implemented as a security property of the microvisor. The microvisor may manifest (i.e., demonstrate) the security property in a manner that enforces the security policy. Trustedness denotes a predetermined level of confidence that the security property is demonstrated by the microvisor. The predetermined level of confidence is based on an assurance (i.e., grounds) that the microvisor demonstrates the security property. Trustedness of the microvisor may be verified by subjecting the TCB to enhanced verification analysis configured to ensure that the TCB conforms to an operational model with an appropriate level of confidence over an appropriate range of activity. The operational model may then be configured to analyze conformance of the microvisor to the security property.
    Type: Grant
    Filed: June 18, 2018
    Date of Patent: February 8, 2022
    Assignee: FireEye Security Holdings US LLC
    Inventors: Osman Abdoul Ismael, Hendrik Tews
  • Patent number: 11240275
    Abstract: A network device for collecting and distributing cybersecurity intelligence, which features analytics logic and a plurality of plug-ins. The analytics logic is configured to (i) receive a request message to conduct a cybersecurity analysis and (ii) select one of a first set or second set of plug-ins to conduct the cybersecurity analysis. Responsive to selecting a first plug-in of the first set of plug-ins by the analytics logic, the system conducts and completes the cybersecurity analysis while a communication session between the first plug-in and a network device initiating the request message remains open. Responsive to selecting a second plug-in by the analytics logic, the system conducts and completes the cybersecurity analysis while allowing the cybersecurity intelligence to be provided in response to the request message during a different and subsequent communication session than the communication session during which the request message is received.
    Type: Grant
    Filed: December 17, 2018
    Date of Patent: February 1, 2022
    Assignee: FireEye Security Holdings US LLC
    Inventors: Sai Vashisht, Alexander Otvagin
  • Patent number: 11240262
    Abstract: Computerized techniques to determine and verify maliciousness of an object by a security logic engine are described. A method features receiving information pertaining to a first set of events associated with a first object (first information) from an endpoint and information pertaining to a second set of events associated with a second object (second information) from an analysis system. Thereafter, the likelihood of the cyber-attack being conducted on the network is determined by at least correlating the first information and the second information with at least events associated with known malicious objects. Any endpoints vulnerable to the cyber-attack are identified based on a configuration of each of the plurality of endpoints and requesting the analysis system to conduct one or more further analyses in accordance with at least a software profile identified in a configuration of the first endpoint of the plurality of endpoints identified as vulnerable.
    Type: Grant
    Filed: October 28, 2019
    Date of Patent: February 1, 2022
    Assignee: FireEye Security Holdings US LLC
    Inventors: Ashar Aziz, Osman Abdoul Ismael
  • Patent number: 11227047
    Abstract: The presently disclosed subject matter includes an apparatus that receives a dataset with values associated with different digital resources captured from a group of compute devices. The apparatus includes a feature extractor, to generate a set of feature vectors, each feature vector from the set of feature vectors associated with a set of data included in the received dataset. The apparatus uses the set of feature vectors to validate multiple machine learning models trained to determine whether a digital resource is associated with a cyberattack. The apparatus selects at least one active machine learning model and sets the remaining trained machine learning models to operate in an inactive mode. The active machine learning model generates a signal to alert a security administrator, blocks a digital resource from loading at a compute device, or executes other remedial action, upon a determination that the digital resource is associated with a cyberattack.
    Type: Grant
    Filed: July 30, 2018
    Date of Patent: January 18, 2022
    Assignee: FireEye Security Holdings US LLC
    Inventors: Sai Omkar Vashisht, Rahul Khul, Chunsheng Fang
  • Patent number: 11228491
    Abstract: A cyber-threat detection system that maintains consistency in local configurations of one or more computing nodes forming a cluster for cyber-threat detection is described. The system features a distributed data store for storage of at least a reference configuration and a management engine deployed within each computing node, including the first computing node and configured to obtain data associated with the reference configuration from the distributed data store. From such data, the management engine is configured to detect when the shared local configuration is non-compliant with the reference configuration, and upload information associated with the non-compliant shared local configuration into the distributed data store. Upon notification, the security administrator may initiate administrative controls to allow the non-compliant shared local configuration or modify the shared local configuration to be compliant with the reference configuration.
    Type: Grant
    Filed: June 28, 2018
    Date of Patent: January 18, 2022
    Assignee: FireEye Security Holdings US LLC
    Inventors: Alexey Yakymovych, Alexander Otvagin
  • Patent number: 11210390
    Abstract: Techniques for efficient malicious content detection in plural versions of a software application are described. According to one embodiment, the computerized method includes installing a plurality of different versions of a software application concurrently within a virtual machine and selecting a subset of the plurality of versions of the software application that are concurrently installed within the virtual machine. Next, one or more software application versions of the subset of the plurality of versions of the software application are processed to access a potentially malicious content suspect within the virtual machine, without switching to another virtual machine. The behaviors of the potentially malicious content suspect during processing by the one or more software application versions are monitored to detect behaviors associated with a malicious attack.
    Type: Grant
    Filed: July 16, 2018
    Date of Patent: December 28, 2021
    Assignee: FireEye Security Holdings US LLC
    Inventors: Yasir Khalid, Muhammad Amin, Emily Jing, Muhammad Rizwan
  • Patent number: 11200080
    Abstract: A technique that deploys a virtualization layer underneath an operating system executing on a node of a network environment to enable the virtualization layer to control the operating system is described. One or more executables (binaries) for the virtualization layer may be included in a kernel module loaded in memory of the node with a first privilege level (e.g., highest privilege level) needed to control the guest operating system. The kernel module may be configured to suspend the guest operating system and one or more hardware resources to a quiescent state. Furthermore, the kernel module is configured to (i) capture and save states of the hardware resource(s) and (ii) bootstrap the virtualization layer to create a virtual machine with an initial state that corresponds to a state of the system prior to deployment of the virtualization layer.
    Type: Grant
    Filed: October 15, 2018
    Date of Patent: December 14, 2021
    Assignee: FireEye Security Holdings US LLC
    Inventors: Udo Steinberg, Neeraj Sanjeev Kulkarni
  • Patent number: 11182473
    Abstract: According to one embodiment of the disclosure, a method for reassigning execution of certain instructions directed to a speculative execution task or a reserved instruction, attempted by a guest process, to be handled by a host process is described herein. The method involves detecting whether a software component, operating within a virtual machine deployed within a guest environment of the network device, is attempting to execute an instruction associated with a speculative execution task. If so, the speculative execution task is prevented from being performed by the software component without the virtual machine detecting that speculative execution by the software component has been reassigned.
    Type: Grant
    Filed: September 13, 2018
    Date of Patent: November 23, 2021
    Assignee: FireEye Security Holdings US LLC
    Inventors: Phung-Te Ha, Min Li