Abstract: The present disclosure is directed to a method of detecting anomalous behaviors based on a temporal profile. The method can include collecting, by a control system comprising a processor and memory, a set of network data communicated by a plurality of network nodes over a network during a time duration. The method can include identifying, by the control system, one or more seasonalities from the set of network data. The method can include generating, by the control system, a temporal profile based on the one or more identified seasonalities. The method can include detecting, by the control system and based on the temporal profile, an anomalous behavior performed by one of the plurality of network nodes. The method can include identifying, by the control system and based on the temporal profile, a root cause for the anomalous behavior.

Abstract: The present disclosure is directed to a method of identifying an infected network node. The method includes identifying a first network node as infected. The method includes collecting a first set of network data from the first network node including anomalous activities performed by the first network node. The method includes generating an anomalous behavior model using the first set of network data. The method includes collecting a second set of network data from a second network node including anomalous activities performed by the second network node. The method includes comparing the second set of data to the generated anomalous behavior model. The method includes determining, from the comparison, that a similarity between first characteristics and second characteristics exceeds a predefined threshold. The method includes ascertaining, based on the determination, the second network node as an infected network node.

Abstract: A shadow sandbox is maintained for malware detection. The shadow sandbox is a virtual machine replica of a target computing environment from a protected computing system. The shadow sandbox is maintained through all change events that occur to the target computing environment. The described systems and methods of detecting or preventing malware execution include maintaining a virtual machine replica of a target computing system by monitoring the target computing system for a plurality of possible events, the plurality of possible events including change events and risk events, detecting a change event on the target computing system, and updating the virtual machine based on the detected change event. The described systems and methods detect a risk event on the target computing system, execute the risk event on the virtual machine, and determine whether the risk event is malicious based on observation of execution of the risk event on the virtual machine.

Abstract: The present disclosure is directed to methods and systems for malware detection based on environment-dependent behavior. Generally, an analysis environment is used to determine how input collected from an execution environment is used by suspicious software. The methods and systems described identify use of environmental information to decide between execution paths leading to malicious behavior or benign activity. In one aspect, one embodiment of the invention relates to a method comprising monitoring execution of suspect computer instructions; recognizing access by the instructions of an item of environmental information; identifying a plurality of execution paths in the instructions dependant on a branch in the instructions based on a value of the accessed item of environmental information; and determining that a first execution path results in benign behavior and that a second execution path results in malicious behavior.

Abstract: The present disclosure is directed to methods and systems for reciprocal generation of watch-lists and traffic models characteristic of malicious network activity. In some aspects, the described methods and systems relate to maintaining data for recognition of malicious network activity. In general, the methods include monitoring network traffic; comparing endpoint data from monitored data packets to endpoints in a watch-list of network endpoints and comparing packet data from monitored data packets to traffic models in a catalog of traffic models characterizing malicious network activity; and determining, based on the comparisons, that a set of data packets comprise suspect network activity. The methods include adding a network endpoint to the watch-list when the determination is based on comparing packet data to a traffic model or adding a traffic model to the catalog when the determination is based on comparing endpoint data.

Abstract: The present disclosure is directed to methods and systems for reciprocal generation of watch-lists and traffic models characteristic of malicious network activity. In some aspects, the described methods and systems relate to maintaining data for recognition of malicious network activity. In general, the methods include monitoring network traffic; comparing endpoint data from monitored data packets to endpoints in a watch-list of network endpoints and comparing packet data from monitored data packets to traffic models in a catalog of traffic models characterizing malicious network activity; and determining, based on the comparisons, that a set of data packets comprise suspect network activity. The methods include adding a network endpoint to the watch-list when the determination is based on comparing packet data to a traffic model or adding a traffic model to the catalog when the determination is based on comparing endpoint data.

Abstract: The present disclosure is directed to methods and systems for malware detection based on environment-dependent behavior. Generally, an analysis environment is used to determine how input collected from an execution environment is used by suspicious software. The methods and systems described identify use of environmental information to decide between execution paths leading to malicious behavior or benign activity. In one aspect, one embodiment of the invention relates to a method comprising monitoring execution of suspect computer instructions; recognizing access by the instructions of an item of environmental information; identifying a plurality of execution paths in the instructions dependant on a branch in the instructions based on a value of the accessed item of environmental information; and determining that a first execution path results in benign behavior and that a second execution path results in malicious behavior.