Abstract: Methods, apparatus, systems and articles of manufacture are disclosed for generic process chain entity mapping. An example apparatus includes at least one memory, instructions in the apparatus, and processor circuitry to execute the instructions to receive process chain input data, the input data including a system path, identify a match between a path alias and the input data, wherein the path alias includes an alias for one or more system path format patterns, extract at least one of (1) metadata information or (2) command line parameter information from the match, and output transformed data based on the at least one of the extracted metadata information or command line parameter information, the transformed data output in a generalized format.

Abstract: According to one embodiment, an non-transitory storage medium is configured to store a plurality of engines, which operate to conduct an analysis of a received object to determine if the object is associated with a malicious attack. The plurality of engines includes a first engine and a second engine. The first engine is configured to conduct a first analysis of the received object for anomalous behaviors including anomalous actions or omissions during virtual processing of the object that indicate the received object is malicious. The second engine is configured to conduct a second analysis corresponding to a classification of the object as being associated with a malicious attack. The analysis schemes conducted by the first engine and the second engine may be altered via configuration files, which adjusts (i) parameter value(s) or (ii) operation rules(s) to alter the analysis conducted by the first engine and/or second engine.

Abstract: One embodiment of the described invention is directed to a computerized method for improving detection of cybersecurity threats initiated by a script. Herein, the method is configured to analyze the script provided as part of a script object by at least (i) determining whether any functional code blocks forming the script include a critical code statement, (ii) determining whether any of the functional code blocks include an evasive code statement, (iii) modifying the script to control processing of a subset of the functional code blocks by avoiding an execution code path including the evasive code statement and processing functional code blocks forming a code path including the critical code statement, and (iv) executing of the modified script and monitoring behaviors of a virtual environment. Thereafter, the method is configured to determine whether the script including cybersecurity threats based on the monitored behaviors.

Abstract: Computerized techniques to determine and verify maliciousness of an object are described. A malware detection system intercepts in-bound network traffic at a periphery of a network to capture and analyze behaviors of content of network traffic monitored during execution in a virtual machine. One or more endpoint devices on the network also monitor for behaviors during normal processing. Correlation of the behaviors captured by the malware detection system and the one or more endpoint devices may verify a classification by the malware detection system of maliciousness of the content. The malware detection system may communicate with the one or more endpoint devices to influence detection and reporting of behaviors by those device(s).

Abstract: The presently disclosed subject matter includes an apparatus that receives a dataset with values associated with different digital resources captured from a group of compute devices. The apparatus includes a feature extractor, to generate a set of feature vectors, each feature vector from the set of feature vectors associated with a set of data included in the received dataset. The apparatus uses the set of feature vectors to validate multiple machine learning models trained to determine whether a digital resource is associated with a cyberattack. The apparatus selects at least one active machine learning model and sets the remaining trained machine learning models to operate in an inactive mode. The active machine learning model generates a signal to alert a security administrator, blocks a digital resource from loading at a compute device, or executes other remedial action, upon a determination that the digital resource is associated with a cyberattack.

Abstract: Example methods disclosed herein to determine whether a first monitored device is compromised include determining a first entropy value for the first monitored device based on a first number of unique event identifiers included in log entries obtained for the first monitored device, the log entries associated with a first time window. Disclosed example methods also include determining a second entropy value for the first monitored device based on numbers of unique event identifiers included in corresponding groups of log entries obtained for respective ones of a plurality of monitored devices including the first monitored device, the groups of log entries associated with the first time window. Disclosed example methods further include determining whether the first monitored device is compromised based on the first entropy value and the second entropy value, and performing an action in response to a determination that the first monitored device is compromised.

Abstract: Technologies for privacy-safe security policy evaluation are disclosed herein. An example apparatus includes at least one memory, and at least one processor to execute instructions to at least identify one or more non-sensitive parameters of a plurality of policy parameters and one or more sensitive parameters of the plurality of the policy parameters, the plurality of the policy parameters obtained from a computing device in response to a request from a cloud analytics server for the plurality of the policy parameters, encrypt the one or more sensitive parameters to generate encrypted parameter data in response to the identification of the one or more sensitive parameters, and transmit the encrypted parameter data to the cloud analytics server, the cloud analytics server to curry a security policy function based on one or more of the plurality of the policy parameters.

Abstract: In an example, there is disclosed a system and method for providing a service-oriented architecture, including request/response, over a publish/subscribe framework. In one embodiment, a system is disclosed for adding layers upon a publish/subscribe messaging framework for sophisticated messaging such as point-to-point (request/response) and the ability to query for available services, in a reliable, scalable manner.

Abstract: One embodiment of the described invention is directed to a key management module and a consumption quota monitoring module deployed within a cybersecurity system. The key management module is configured to assign a first key to a subscriber and generate one or more virtual keys, based at least in part on the first key, for distribution to the subscriber. A virtual key is included as part of a submission received from the subscriber to authenticate the subscriber and verify that the subscriber is authorized to perform a task associated with the submission. The consumption quota monitoring module is configured to monitor a number of submissions received from the subscriber.

Abstract: A computing system including a processor and a memory, which includes a first memory region operating as a kernel space and a second memory region operating as a user space. Maintained within the kernel space, a first logic unit receives a notification identifying a newly created thread and extracts at least meta-information associated with the newly created thread. Maintained within the user space, a second logic unit receives at least the meta-information associated with the newly created thread and conducts analytics on at least the meta-information to attempt to classify the newly created thread. An alert is generated by the second logic unit upon classifying the newly created thread as a cyberattack associated with a malicious position independent code execution based at least on results of the analytics associated with the meta-information associated with the newly created thread.

Abstract: According to one embodiment, a system for detecting an email campaign includes feature extraction logic, pre-processing logic, campaign analysis logic and a reporting engine. The feature extraction logic obtains features from each of a plurality of malicious email messages received for analysis while the pre-processing logic generates a plurality of email representations that are arranged in an ordered sequence and correspond to the plurality of malicious email message. The campaign analysis logic determines the presence of an email campaign in response to a prescribed number of successive email representations being correlated to each other, where the results of the email campaign detection are provided to a security administrator via the reporting engine.

Abstract: A system and computerized method for generating an improved cyber-security rule ordering for cyber-security threat detection or post-processing activities conducted by a rules-based cyber-security engine deployed within a network device is described. Herein, historical metadata associated with analytics conducted on incoming data by a rule-based cyber-security engine and in accordance with a plurality of rules is described. These rules are arranged in a first ordered rule sequence. The historical metadata is analyzed to determine one or more salient rules from the plurality of rules. The plurality of rules are reprioritized by at least rearranging an order to a second ordered rule sequence with the one or more salient rules being positioned toward a start of the second ordered rule sequence. Thereafter, the rule-based cyber-security engine operates in accordance with the reprioritized rule set that is arranged in the second ordered rule sequence to achieve improved performance.

Abstract: Selective virtualization of resources is provided, where the resources may be intercepted and services or the resources may be intercepted and redirected. Virtualization logic monitors for one or more activities that are performed in connection with one or more resources and conducted during processing of an object within the virtual machine. The first virtualization logic further selectively virtualizes resources associated with the one or more activities that are initiated during the processing of the object within the virtual machine by at least redirecting a first request of a plurality of requests to a different resource than requesting by a monitored activity of the one or more activities.

Abstract: An apparatus includes a network interface and a processing unit. The network interface transmits a security payload. The processing unit determines a first partition of a queuing service for the security payload at a first time, at least in part based on a determination that an initial attempt to transmit the security payload failed. The processing unit also instructs a retrieval of the security payload from the first partition to perform a first retry attempt to transmit the security payload, at least in part based on a determination that a first retry interval since the first time has elapsed.

Abstract: A computerized method is described for authenticating access to a subscription-based service to detect an attempted cyber-attack. More specifically, service policy level information is received by a cloud broker. The service policy level information includes an identifier of a sensor operating as a source of one or more objects for analysis and an identifier assigned to a customer associated with the sensor. Thereafter, a cluster of a plurality of clusters is selected by the cloud broker. The cloud broker is configured to (i) analyze whether one or more objects are associated with an attempted cyber-attack by at least analyzing the sensor identifier to select the cluster based on at least a geographical location of the sensor determined by the sensor identifier and (ii) establish a communication session between the sensor and the cluster via the cloud broker until termination of the communication session.

Abstract: A computerized method for analyzing an object is disclosed. The computerized method includes obtaining, by a cybersecurity system, an object and context information generated during a first malware analysis of the object conducted prior to obtaining the object. Thereafter, the cybersecurity system performs a second malware analysis of the object to determine a verdict indicating maliciousness of the object. The scrutiny of the second malware analysis is adjusted based, at least in part, the context information, which may include (i) activating additional or different monitors, (ii) adjusting thresholds for determining maliciousness, or (iii) applying a modified rule set during the second malware analysis based on the context information.

Abstract: A system for conducting cyberthreat analytics on a submitted object to determine whether the object is malicious is described. The system features a cybersecurity system operating with a cloud platform, which is configured to host resources including cloud processing resources and cloud storage resources. The cybersecurity system is configured to analyze one or more received objects included as part of a submission received from a subscriber after authentication of the subscriber and verification that the subscriber is authorized to perform one or more tasks associated with the submission. The cybersecurity system is configured to operate as a multi-tenant Security-as-a-Service (SaaS) that relies upon the cloud processing resources and the cloud storage resources provided by the cloud platform in performing the cybersecurity operations.

Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed to securely audit communications. An example apparatus includes a participant list generator to, responsive to a command to provision a secured group of devices in a network to prevent malicious activity, generate a participant device list including one or more endpoint devices and a control plane server; a privilege controller to, based on a policy indicated in the command, set read and write privileges for the one or more endpoint devices and the control plane server; a command controller to, based on the command, determine whether to generate a shared communication key using a shared system key; and a communication processor to encrypt communications between the one or more endpoint devices and the control plane server using the shared communication key.

Abstract: There is disclosed a system and method of detecting security threats for an enterprise, including: filtering a first set of endpoint metadata records to identify a subset of metadata records, wherein filtering includes identifying endpoint security metadata records that are uncommon in context of the enterprise; and designating the subset of metadata records as indicating a potential security threat including designating the subset of metadata records for human analysis.

Abstract: There is disclosed in one example a method of a work node synchronously load balancing to a multi-node service having an expected maximum of n work nodes, including: provisioning a flow table having m bucket groups, m?1, the bucket groups including n slots each; enumerating a static integer self-identification id0; initializing the flow table with id0 in each slot; performing a discovery iteration, including: discovering a peer device; enumerating a static integer identification idx for the peer device; assigning idx to each slot corresponding to a home position for the peer device; and load balancing slots not assigned to a home position according to a deterministic algorithm; and discovering additional nodes and performing discovery iteration for the additional nodes.