Abstract: Methods, storage systems and computer program products implement embodiments of the present invention that include identifying multiple host computers executing respective instances of a specific software application, each given instance on each given host computer including a set of program instructions loaded, by the host computer, from a respective storage device. Information on actions performed by the executing instances is collected from the host computers, and features are computed based on the information collected from the multiple host computers. The collected information for a given instance are compared to the features so as to classify the given instance as benign or suspicious, and an alert s generated for the given instance only upon classifying the given instance as suspicious.

Abstract: A method, including accessing a corpus or infrastructure as code modules including respective resource definitions for provisioning and deploying a plurality of computing resources configured to execute one or more software applications. A repository of validation rules are accessed that define respective acceptable configuration parameters for the resource definitions, and the validation rules are applied to the resource definitions so as to identify a first set of the resource definitions not in compliance with the validation rules and a second set of the resource definitions in compliance with the validation rules. A first resource definition not in compliance with a given validation rule is selected from the first set, and one or more second resource definitions are identified in the second set that are compliant with the given validation rule. Finally, the first and the second resource definitions are output together to invoke a revision of the first resource definition.

Abstract: Methods, apparatus and computer software products implement embodiments of the present invention that include protecting a computer system, by collecting information from data traffic transmitted between multiple local nodes on a private data network and public IP addresses corresponding to multiple remote nodes on a public data network. DNS resolutions are detected in the collected information, each DNS resolution identifying a local node requesting the resolution with respect to a URI and a public IP address corresponding to the URI. Transmissions from the local nodes to the public IP addresses are detected in the collected information at respective times, and the detected DNS resolutions are compared to the detected transmissions so as to identify the transmissions from the local notes to the public IP addresses that were not resolved by the DNS resolutions. Finally, a protective action is initiated with respect to at least some of the identified transmissions.

Abstract: A method, including receiving, from multiple sources, respective sets of incidents, and respective suspiciousness labels for the incidents. A set of rules are applied so as to assign training labels to respective incidents in a subset of the incidents in the received sets. For each given incident in the subset, the respective training label is compared to the respective suspiciousness label so as to compute a respective quality score for each given source. Any sources having respective label quality scores meeting a predefined criterion are identified, and a model for computing predicted labels is fit to the incidents received from the identified sources and the respective suspiciousness labels of the incidents. The model is applied to an additional incident received from one of the sources to compute a predicted label for the additional incident, and a notification of the additional incident is prioritized in response to the predicted label.

Abstract: Methods, apparatus and computer program products implement embodiments of the present invention that include collecting data packets transmitted between multiple entities over a network, and grouping the packets at least according to their source and destination entities and their times, into connections to which the packets belong. Pairs of the connections are identified having identical source and destination entities and times that are together within a specified time window, and sets of features are generated for the identified pairs of the connections. The features in the pairs are evaluated in order to detect a given pair of connections indicating malicious activity, and an alert is generated for the malicious activity.

Abstract: A method, including identifying, in network data traffic, a set of pairs of source and destination nodes, each pair having a given source node, a given destination node, and one or more ports accessed in the traffic between the nodes in each pair, and computing, for each pair, a respective baseline that indicates a first number of the ports that source nodes other than the given source node in the pair accessed on the given destination node during a first period. For each pair, a respective test score is computed that indicates a difference between a second number of the ports that the given source node in the pair accessed on the given destination node during a second period and the baseline, and a preventive action is initiated with respect to the given source node in any of the pairs for which the test score is greater than a threshold.

Abstract: A method, including identifying, in network traffic during multiple periods, scans, each scan including an access of multiple ports on a given destination node by a given source node, and computing, for each given source in the scans, an average of destinations whose ports were accessed by the given source during any scan by the given source, and a fraction of periods when the given source accessed at least one of the destinations in at least one scan performed by the given source node. A whitelist is assembled sources for which one or more of the following conditions applies: the average of destinations accessed in the scans was greater than a first threshold, and the fraction of periods during which at least one destination was accessed in at least one scan was greater than a second threshold. Upon detecting a scan by any non-whitelisted node, a preventive action is initiated.

Abstract: A method, including identifying, in network data traffic, multiple scans, each of the scans including an access, in the traffic, of multiple ports on a given destination node by a given source node during a time period. A group of high-traffic ports are identified in the traffic that include one or more ports that receive respective volumes of the traffic that exceed a threshold, and respective signatures are generated for the identified port scans that indicate the ports other than the high-traffic ports that were accessed in each of the port scans. A respective frequency of occurrence of each of the signatures over the set of the port scans is computed, and a whitelist of the signatures for which the respective frequency of occurrence is greater than a threshold is assembled. Upon detecting a port scan for which the respective signature is not whitelisted, a preventive action is initiated.

Abstract: Methods, apparatus and computer software products for protecting a computing system implement embodiments of the present invention that include extracting, from data traffic transmitted over a data network connecting a plurality of computing devices to multiple Internet hosting services, respective sets of transmissions from the computing devices to the Internet hosting services, and identifying, in a given set of the transmissions from a given computing device, multiple domain name system (DNS) requests for an identical second-level domain (2LD) and for different respective sub-domains within the 2LD. A number of the different sub-domains within the 2LD and a data size of the multiple DNS requests are computed, and when the number of the different sub-domains and the data size of the multiple DNS requests exceed a predefined criterion, a preventive action is initiated to inhibit DNS tunneling from at least the given computing device.

Abstract: Methods, apparatuses and computer program products implement embodiments of the present invention that include protecting a computer system coupled to a storage device by storing, to the storage device, a set of protected files and one or more decoy files, wherein any modification to the decoy file indicates a cyber-attack on the computer system. Upon receiving a request from a process executing on the computing device to enumerate files stored on the storage device, the process is analyzed so as to classify the process as benign or suspicious. The protected files are enumerated to the process whether the process was classified as benign or suspicious. However, the one or more decoy files are enumerated to the process only upon process being classified as suspicious.

Abstract: Methods, apparatuses and computer program products that implement embodiments of the present invention for protecting a computer network, include receiving, in a security server, alerts of multiple different types, indicative of potentially malicious activity in the network, that are detected by multiple different protection appliances deployed in the network. The alerts in the security server are correlated so as to identify a first alert of a first type from a first protection appliance in the network and a second alert of a second type, different from the first type from a second protection appliance in the network that are together indicative of a single attack on the network. Finally, a consolidated alert is issued responsively to the attack.

Abstract: A method, including collecting communication sessions, and generating samples from the sessions. Classifiers are applied to the samples, thereby computing a classifier prediction for each sample, and based on the classifier predictions, respective aggregated predictions are determined for the samples. Based on the classifier and the aggregated predictions, a precision and a hit rate for each classifier and a positive rate are computed, and based on the aggregated predictions, a subset of the samples are selected. Using the selected subset, a model including the classifiers is computed based on the precisions, the hit rates and the positive rate, and the model is applied to the samples, thereby updating the classifier and the aggregate predictions. The steps of computing the precision and the hit rate, selecting the subset, computing the model and applying the model are repeated until meeting a halting condition, and using the model, additional communication sessions are scanned.

Abstract: Methods, apparatuses and computer program products implement embodiments of the present invention that include protecting a computing device by specifying one or more Internet sites that are accessible by one or more computing devices that communicate over a data network and identifying process binaries that executed on the computing devices accessed and retrieved data from any of the specified one more Internet sites. The identified process binaries are classified into a plurality of classes of matching process binaries, and for a given class, a count of the computing devices that that executed one of the process binaries of the given class is computed. When determining that the count of the computing devices is less than a predefined threshold, a preventive action is initiated to inhibit command and control (C2) channel transmissions from any of the computing devices that executed any of the process binaries of the given class.

Abstract: Methods, apparatus and computer software products implement embodiments of the present invention that include defining, for a given software category, respective, disjoint sets of communication ports that are used by each of a plurality of software systems in the given software category, including at least first and second disjoint sets. A set of port scans are identified in data traffic transmitted between multiple nodes that communicate over a network, each of the port scans including an access, in the data traffic, of a plurality of the communication ports on a given destination node by a given source node during a predefined time period. Upon detecting a port scan by one of the nodes including accesses of at least one of the communication ports in the first set and at least one of the communication ports in the second set, a preventive action is initiated.

Abstract: A method, including identifying, in network traffic during multiple periods, scans, each scan including an access of multiple ports on a given destination node by a given source node, and computing, for each given source in the scans, an average of destinations whose ports were accessed by the given source during any scan by the given source, and a fraction of periods when the given source accessed at least one of the destinations in at least one scan performed by the given source node. A whitelist is assembled sources for which one or more of the following conditions applies: the average of destinations accessed in the scans was greater than a first threshold, and the fraction of periods during which at least one destination was accessed in at least one scan was greater than a second threshold. Upon detecting a scan by any non-whitelisted node, a preventive action is initiated.

Abstract: A method, including identifying, in network data traffic, multiple scans, each of the scans including an access, in the traffic, of multiple ports on a given destination node by a given source node during a time period. A group of high-traffic ports are identified in the traffic that include one or more ports that receive respective volumes of the traffic that exceed a threshold, and respective signatures are generated for the identified port scans that indicate the ports other than the high-traffic ports that were accessed in each of the port scans. A respective frequency of occurrence of each of the signatures over the set of the port scans is computed, and a whitelist of the signatures for which the respective frequency of occurrence is greater than a threshold is assembled. Upon detecting a port scan for which the respective signature is not whitelisted, a preventive action is initiated.

Abstract: A method, including identifying, in network data traffic, a set of pairs of source and destination nodes, each pair having a given source node, a given destination node, and one or more ports accessed in the traffic between the nodes in each pair, and computing, for each pair, a respective baseline that indicates a first number of the ports that source nodes other than the given source node in the pair accessed on the given destination node during a first period. For each pair, a respective test score is computed that indicates a difference between a second number of the ports that the given source node in the pair accessed on the given destination node during a second period and the baseline, and a preventive action is initiated with respect to the given source node in any of the pairs for which the test score is greater than a threshold.

Abstract: A method, including identifying, in network data traffic, multiple scans, each of the scans including an access, in the traffic, of a plurality of ports on a given destination node by a given source node during a predefined period. Respective first probabilities of being accessed during any given scan computed for the communication ports that were accessed in the identified scans, and a respective second probability that both of the ports in the pair were accessed during any given scan are computed for each pair of the ports in the identified scans. Upon detecting a scan by one of the nodes including accesses of first and second ports on a given destination node for which the respective second probability for the pair of the first and second ports is lower than a threshold dependent upon the respective first probabilities of the first and second ports, a preventive action is initiated.

Abstract: Methods, apparatus and computer software products implement embodiments of the present invention that include protecting a computing system by defining a list of network access messages that are indicative of human use of computing devices, and extracting, from data traffic transmitted over a data network connecting a plurality of the computing devices to multiple Internet sites, respective transmissions from the computing devices to the Internet sites. A given transmission including one of the network access messages in the list is detected in the transmissions from a given computing device, and the given computing device is classified as being operated by a human in response to detecting the given transmission. Upon identifying suspicious content in the transmissions from a subset of the computing devices that includes the given computing device, any suspicious transmissions from the given computing device are ignored in response to the classification.

Abstract: Methods, apparatus and computer program products implement embodiments of the present invention that include collecting data packets transmitted between multiple entities over a network, and grouping the packets at least according to their source and destination entities and their times, into connections to which the packets belong. Pairs of the connections are identified having identical source and destination entities and times that are together within a specified time window, and sets of features are generated for the identified pairs of the connections. The features in the pairs are evaluated in order to detect a given pair of connections indicating malicious activity, and an alert is generated for the malicious activity.