Abstract: Systems and methods are provided for a device to obtain a query, such as from a user. The query is vectorized to obtain a numerical representation of the query and provided to a vector database to find the nearest vectors corresponding to most relevant context, such as for a particular domain or subject matter. The query, query vector, and context vectors, and optionally past query history and past query responses, are provided to an artificial intelligence, such as a large language model (LLM), to receive a response to the query without providing the context to the LLM.

Abstract: Embodiments provide systems and methods for logging events. A computer-implemented method comprises receiving input for selecting one or more event types to receive from an event collector, receiving, based on the one or more event types, a plurality of security events from the event collector, transforming each of the plurality of security events to a standard format to generate a plurality of formatted security events and transmitting the plurality of formatted security events to a security information and event management (SIEM) server.

Abstract: Examples of the present disclosure describe systems and methods for identifying anomalous network behavior. In aspects, a network event may be observed network sensors. One or more characteristics may be extracted from the network event and used to construct an evidence vector. The evidence vector may be compared to a mapping of previously-identified events and/or event characteristics. The mapping may be represented as one or more clusters of expected behaviors and anomalous behaviors. The mapping may be modeled using analytic models for direction detection and magnitude detection. One or more centroids may be identified for each of the clusters. A “best fit” may be determined and scored for each of the analytic models. The scores may be fused into single binocular score and used to determine whether the evidence vector is likely to represent an anomaly.

Abstract: Examples of the present disclosure describe systems and methods for malicious software detection based on API trust. In an example, a set of software instructions executed by a computing device may call an API. A hook may be generated on the API, such that a threat processor may receive an indication when the API is called. Accordingly, the threat processor may generate a trust metric based on the execution of the set of software instructions, which may be used to determine whether the set of software instructions poses a potential threat. For example, one or more call stack frames may be evaluated to determine whether a return address is preceded by a call instruction, whether the return address is associated with a set of software instructions or memory associated with a set of software instructions, and/or whether the set of software instructions satisfies a variety of security criteria.

Abstract: The present disclosure describes systems and methods for detection and mitigation of malicious encryption. A security agent on an infected computing device may monitor data writes to disk, memory, or network transmission buffers for strings that may represent encryption keys or moduli. The security agent may apply one or more techniques to decode and parse the string to either identify or extract the keys, or rule out the string as containing an encryption key or modulus. If a key is identified, or its presence cannot be excluded, then the security agent may generate an alert and take mitigation actions.

Abstract: The present disclosure relates to systems and methods for identifying highly sensitive modules and taking a remediation or preventative action if such modules are accessed by malicious software. For example, the likelihood that a module is used for an exploit, and is thus sensitive, is categorized as high, medium, or low. The likelihood that a module can be used for an exploit can dictate whether, and to what degree, an application accessing the module is “suspicious.” However, in some instances, a sensitive module may have legitimate reasons to load when used in certain non-malicious ways. The system may also consider a trust level when determining what actions to take, such that an application and/or user having a higher trust level may be less suspicious when accessing a sensitive module as compared to an application or user having a lower trust level.

Abstract: Systems and methods are provided for a device to obtain a query, such as from a user. The query is vectorized to obtain a numerical representation of the query and provided to a vector database to find the nearest vectors corresponding to most relevant context, such as for a particular domain or subject matter. The query, query vector, and context vectors, and optionally past query history and past query responses, are provided to an artificial intelligence, such as a large language model (LLM), to receive a response to the query without providing the context to the LLM.

Abstract: A firewall monitors network activity and stores information about that network activity in a network activity log. The network activity is analyzed to identify a potential threat. The potential threat is further analyzed to identify other potential threats that are related to the potential threat, and are likely to pose a future risk to a protected network. A block list is updated to include the potential threat and the other potential threats to protect the protected network from the potential threat and the other potential threats.

Abstract: Examples of the present disclosure describe systems and methods for behavioral threat detection definition. In an example, a behavior rule comprising a set of rule instructions is used to define one or more events indicative of a behavior. For example, a set of events from which one event must be matched may be defined or a set of events from which all events must be matched may be defined. In some examples, events are matched based on an event name or type, or may be matched based on one or more parameters. Exact and/or inexact matching may be used. The set of rule instructions ultimately specifies one or more halt instructions, thereby indicating that a determination as to the presence of the behavior has been made. Example determinations include, but are not limited to, a match determination, a non-match determination, or an indication that additional monitoring should be performed.

Abstract: In one aspect, a method of classifying a computer object as malware includes receiving at a base computer data about a computer object from each of plural remote computers on which the object or similar objects are stored. The data about the computer object received from the plural computers is compared in the base computer. The computer object is classified as malware on the basis of said comparison. In one embodiment, the data about the computer object includes one or more of: executable instructions contained within or constituted by the object; the size of the object; the name of the object; the logical storage location or path of the object on the respective remote computers; the vendor of the object; the software product and version associated with the object; and, events initiated by or involving the object when the object is created, configured or runs on the respective remote computers.

Abstract: Core entities are each defined as a subset of base entities that satisfy one or more core entity connection relationships. Base stories are each defined as a subset of core entities that satisfy one or more story connection relationships. A risk score of each core entity is calculated based on previously calculated risk scores of the base entities. A risk score of each base story is calculated based on the calculated risk score of each core entity of the base story. Selected base stories are extended with external content to generate corresponding extended stories.

Abstract: Core entities are each defined as a subset of base entities that satisfy one or more core entity connection relationships. Base stories are each defined as a subset of core entities that satisfy one or more story connection relationships. A risk score of each core entity is calculated based on previously calculated risk scores of the base entities. A risk score of each base story is calculated based on the calculated risk score of each core entity of the base story. Selected base stories are extended with external content to generate corresponding extended stories.

Abstract: Domain-specific images used for training an optical character recognition (OCR) machine learning model are generated as follows. Universal resource locator (URL) addresses of web pages associated with a particular domain are retrieved. Words in the web pages associated with the particular domain are determined. Domain-relevant n-grams of the words are identified for the particular domain. Corresponding domain-specific images of each domain-relevant n gram for the particular domain are generated.

Abstract: A computer system comprising a processor and a memory storing instructions that, when executed by the processor, cause the computer system to perform a set of operations. The set of operations comprises collecting domain attribute data comprising one or more domain attribute features for a domain, collecting sampled domain profile data comprising one or more domain profile features for the domain and generating, using the domain attribute data and the sampled domain profile data, a domain reputation assignment utilizing a neural network.

Abstract: A firewall monitors network activity and stores information about that network activity in a network activity log. The network activity is analyzed to identify a potential threat. The potential threat is further analyzed to identify other potential threats that are related to the potential threat, and are likely to pose a future risk to a protected network. A block list is updated to include the potential threat and the other potential threats to protect the protected network from the potential threat and the other potential threats.

Abstract: The present disclosure describes systems and methods for aggregation and management of cloud storage among a plurality of providers via file fragmenting to provide increased reliability and security. In one implementation, fragments or blocks may be distributed among a plurality of cloud storage providers, such that no provider retains a complete copy of a file. Accordingly, even if an individual service is compromised, a malicious actor cannot access the data. In another implementation, file fragmenting may be performed in a non-standard method such that file headers and metadata are divided across separate fragments, obfuscating the original file metadata.

Abstract: Examples of the present disclosure describe systems and methods for exploit detection via induced exceptions. One embodiment of a method can include generating an inspection point, the inspection point causing an exception when a set of software instructions encounters the inspection point during an execution of the set of software instructions by a processor, registering an exception handler to handle the exception associated with by the inspection point; receiving, in response to the set of software instructions encountering the inspection point, an indication of an exception, accessing a context record associated with the execution of the set of software instructions, evaluating the context record to determine if an exploit is present using the first reputation information, and based on a determination that an exploit is present, performing a corrective action for the exploit.

Abstract: The present disclosure describes systems and methods for remote management of appliances. The appliance may be configured to periodically check in a predetermined online location for the presence of a trigger file identifying one or more appliances directed to contact a management server for maintenance. If the file is present at the predetermined location and the file includes the identifier of the appliance, the appliance may initiate a connection to the management server. If the file is not found, then the appliance may reset a call timer and attempt to retrieve the file at a later time. To avoid having to configure addresses on the appliance, link local IPv6 addresses may be configured for use over a virtual private network, allowing administration, regardless of the network configuration or local IP address of the appliance.

Abstract: Embodiments disclosed herein relate to systems and methods for providing a smart cache. In embodiments, a variable time to live (TTL) may be calculated and associated with data as it is stored in a cache. The variable TTL may be calculated based upon reputation and/or category information related to the source of the data. The reputation and/or category information may include TTL modifiers for adjusting the TTL for data from a particular data source that is stored in the cache. In further embodiments, a feedback method may be employed to update reputation and/or category information for a particular data source.

Abstract: The present disclosure describes systems and methods for aggregation and management of cloud storage among a plurality of providers via file fragmenting to provide increased reliability and security. In one implementation, fragments or blocks may be distributed among a plurality of cloud storage providers, such that no provider retains a complete copy of a file. Accordingly, even if an individual service is compromised, a malicious actor cannot access the data. In another implementation, fragments may be duplicated and distributed to multiple providers, such that loss of communications to any one provider does not result in inability to access the data. This implementation may be combined with error correction techniques to allow recovery, even with loss of multiple providers. File synchronization may also be faster in these implementations by dividing reading and writing operations among multiple providers.