Patents Assigned to Sophos Limited
-
Publication number: 20250119451
Abstract: Embodiments disclosed include methods and apparatus for visualization of data and models (e.g., machine learning models) used to monitor and/or detect malware to ensure data integrity and/or to prevent or detect potential attacks. Embodiments disclosed include receiving information associated with artifacts scored by one or more sources of classification (e.g., models, databases, repositories). The method includes receiving inputs indicating threshold values or criteria associated with a classification of maliciousness of an artifact and for selecting sample artifacts. The method further includes classifying and selecting the artifacts, based on the criteria, to define a sample set, and based on the sample set, generating a ground truth indication of classification of maliciousness for each sample artifact in the sample set.
Type: Application
Filed: October 17, 2024
Publication date: April 10, 2025
Applicant: Sophos Limited
Inventors: Konstantin BERLIN, Awalin Nabila SOPAN
-
Patent number: 12273382
Abstract: Security is improved by adding a security heartbeat for an endpoint as a factor in a multi-factor authentication system. The security heartbeat may be used directly as an authentication factor, e.g., where the heartbeat provides a reliable and verifiable indication of identity, or the security heartbeat may be used as a gating input for some other verification method, e.g., where a text message with a temporary security code can only be transmitted to a user when the user's endpoint is providing a secure heartbeat.
Type: Grant
Filed: December 18, 2018
Date of Patent: April 8, 2025
Assignee: Sophos Limited
Inventors: Karl Ackerman, John Edward Tyrone Shaw, Craig Paradis, Andrew J. Thomas, Kenneth D. Ray
-
Patent number: 12271474
Abstract: A system for conducting a security recognition task, the system comprising a memory configured to store a model and training data including auxiliary information that will not be available as input to the model when the model is used as a security recognition task model for the security recognition task. The system further comprising one or more processors communicably linked to the memory and comprising a training unit and a prediction unit. The training unit is configured to receive the training data and the model from the memory and subsequently provide the training data to the model, and train the model, as the security recognition task model, using the training data to predict the auxiliary information as well as to perform the security recognition task, thereby improving performance of the security recognition task. The prediction unit is configured to use the security recognition task model output to perform the security recognition task while ignoring the auxiliary attributes in the model output.
Type: Grant
Filed: May 25, 2023
Date of Patent: April 8, 2025
Assignee: Sophos Limited
Inventors: Richard Edward Harang, Ethan McAvoy Rudd, Konstantin Berlin, Cody Marie Wild, Felipe Nicolás Ducau
-
Patent number: 12265526
Abstract: In some embodiments, a processor receives, via an interface, natural language data associated with a user request for performing an identified computational task associated with a cybersecurity management system. The processor is configured to provide the natural language data as input to a machine learning (ML) model. The ML model is configured to automatically infer a template query based on the natural language data. The processor is further configured to cause the template query to be displayed, via the interface. The processor is further configured to receive, via the interface, user input indicating a finalized query associated with the identified computational task, and to provide the finalized query as input to a system configured to perform the identified computational task. The processor is further configured to modify a security setting in the cybersecurity management system based on the performance of the identified computational task.
Type: Grant
Filed: March 31, 2022
Date of Patent: April 1, 2025
Assignee: Sophos Limited
Inventors: Joshua Daniel Saxe, Younghoo Lee
-
Patent number: 12260208
Abstract: Adapting automatic software update behavior for virtual desktop infrastructure deployed endpoints includes detecting a request for services of a threat management facility for an enterprise network that originates from a compute instance embodied as a virtual machine instantiated from a versioned software template, and updating software on the compute instance based on a determination of availability of updated software for the compute instance and an update pause parameter indicating that updating software for virtual machines instantiated from the versioned software template is permitted for the compute instance.
Type: Grant
Filed: October 4, 2022
Date of Patent: March 25, 2025
Assignee: Sophos Limited
Inventors: Jonathan Francis Caine, Neil Robert Tyndale Watkiss, Timothy Rayment
-
Patent number: 12261824
Abstract: An application executing on an endpoint accesses remote resources using a gateway. In response to a requested remote access, the application may be marked with a descriptor that specifies a target action and a pattern of occurrences of the target action. When a second observable action on the endpoint includes the pattern of events following the first observable action, a reportable event may be generated indicating a compromised state of the endpoint. The gateway can then regulate usage of the remote resource based on the reportable event.
Type: Grant
Filed: October 4, 2021
Date of Patent: March 25, 2025
Assignee: Sophos Limited
Inventors: Andrew J. Thomas, Neil Robert Tyndale Watkiss, Daniel Salvatore Schiappa, Kenneth D. Ray
-
Patent number: 12255887
Abstract: A Transport Layer Security (TLS) handshake can be terminated early—i.e., before certificate validation—to reduce server-side demand, which can be particularly advantageous in counteracting Denial-of-Service (DOS) attacks and the like. To this end, an endpoint may provide a one-time password (OTP) in the client hello message during the initial steps of a TLS handshake or similar connection protocol. A gateway, upon receiving the client hello message, may generate its own OTP for comparison with the OTP in the client hello message. The endpoint and gateway may advantageously generate the OTP based on a secret provided by a threat management facility with a preexisting secure connection to the two entities. If the OTP provided in the client hello message and the OTP generated on the gateway are the same, then the TLS handshake may continue; otherwise, the Transmission Control Protocol (TCP) connection will be terminated by the gateway.
Type: Grant
Filed: March 25, 2022
Date of Patent: March 18, 2025
Assignee: Sophos Limited
Inventors: Amit Katyal, Venkata Suresh Reddy Obulareddy
-
Patent number: 12248572
Abstract: In some embodiments, a method includes processing at least a portion of a received file into a first set of fragments and analyzing each fragment from the first set of fragments using a machine learning model to identify within each fragment first information potentially relevant to whether the file is malicious. The method includes forming a second set of fragments by combining adjacent fragments from the first set of fragments and analyzing each fragment from the second set of fragments using the machine learning model to identify second information potentially relevant to whether the file is malicious. The method includes identifying the file as malicious based on the first information within at least one fragment from the first set of fragments and the second information within at least one fragment from the second set of fragments. The method includes performing a remedial action based on identifying the file as malicious.
Type: Grant
Filed: March 20, 2023
Date of Patent: March 11, 2025
Assignee: Sophos Limited
Inventors: Joshua Daniel Saxe, Richard Harang
-
Patent number: 12244630
Abstract: A method for prioritizing security events comprises receiving a security event that includes security event data having been generated by an endpoint agent based on a detected activity, wherein the security event data includes one or more features; applying a first computing model to the security event data to automatically determine which of the one or more features are one or more input features to a machine learning system; applying a second computing model to historical data related to the security event data to determine time pattern information of the security event data as an input to the machine learning system; combining the one or more input features from the first computing model and the input from the second computing model to generate a computed feature result; and generating an updated security level value of the security event from the computed feature result.
Type: Grant
Filed: September 30, 2022
Date of Patent: March 4, 2025
Assignee: Sophos Limited
Inventors: Ben Uri Gelman, Salma Taoufiq, Konstantin Berlin, Tamás Vörös
-
Patent number: 12244641
Abstract: A firewall uses information about an application that originates a network request to determine whether and how to forward the request over a network. The firewall may more generally rely on the identity of the originating application, the security state of the originating application, the security state of the endpoint, and any other information that might provide an indication of malicious activity, to make routing and forwarding decisions for endpoint-originated network traffic.
Type: Grant
Filed: August 3, 2023
Date of Patent: March 4, 2025
Assignee: Sophos Limited
Inventors: Andrew J. Thomas, Karl Ackerman, James Douglas Bean, Kenneth D. Ray, Daniel Stutz
-
Patent number: 12242608
Abstract: Embodiments disclosed herein include an apparatus with a processor configured to receive an indication of a function call to an identified shared library and configured to perform an identified function. The processor is configured to insert a function hook in the shared library. The function hook is configured to pause the execution of the shared library when called. In response to the function hook, the processor is configured to identify a source location in one or more memories associated with an origin of the function call to the shared library. The processor is configured to scan a range of memory addresses associated with the source location in the one or more memories, and identify, based on the scanning, a potentially malicious process within the range of memory addresses.
Type: Grant
Filed: December 27, 2022
Date of Patent: March 4, 2025
Assignee: Sophos Limited
Inventors: Mark Willem Loman, Lute Edwin Engels, Ronny Henk Gert Tijink, Alexander Vermaning
-
Patent number: 12238121
Abstract: A computer-implemented method includes generating behavior patterns based on historical behavior of a plurality of emails. The method further includes receiving an email message from a sender, wherein the email message is withheld from delivery to a recipient. The method further includes extracting a plurality of features from the email message. The method further includes determining whether content of the email message matches at least one criterion for suspicious content. The method further includes determining a reputation score associated with the sender based on a comparison of the extracted features with the behavior patterns, wherein the extracted features include an identity of the sender. The method further includes responsive to the content of the email message not matching the at least one criterion for suspicious content and the reputation score meeting a reputation threshold, delivering the email message to the recipient.
Type: Grant
Filed: March 30, 2022
Date of Patent: February 25, 2025
Assignee: Sophos Limited
Inventor: John Mears
-
Patent number: 12218977
Abstract: A threat management facility detects a device on an enterprise network and determines whether the device is one of a set of managed devices for the enterprise network. When the device is not one of the set of managed devices, the threat management facility may selectively direct the device to a portal that provides support to the user of the device while the device awaits admission to the enterprise network. As the user interacts with the portal, the portal may manage admission of unrecognized devices onto the enterprise network while making efficient use of network administrator resources.
Type: Grant
Filed: April 15, 2022
Date of Patent: February 4, 2025
Assignee: Sophos Limited
Inventors: John Edward Tyrone Shaw, Ross McKerchar, Moritz Daniel Grimm, Jan Karl Heinrich Weber, Shail R. Talati, Kenneth D. Ray, Andrew J. Thomas
-
Patent number: 12210617
Abstract: A compute instance is instrumented to detect certain kernel memory allocation functions, in particular functions that allocate heap memory and/or make allocated memory executable. Dynamic shell code exploits can then be detected when code executing from heap memory allocates additional heap memory and makes that additional heap memory executable.
Type: Grant
Filed: December 18, 2023
Date of Patent: January 28, 2025
Assignee: Sophos Limited
Inventors: Lute Edwin Engels, Mark Willem Loman, Alexander Vermaning, Erik Jan Loman, Victor Marinus Johann Simon van Hillo
-
Patent number: 12210895
Abstract: An administrator can initiate an automatic software update to a network appliance that is configured as a cluster of nodes. The update is performed sequentially on a node-by-node basis in order to maintain availability and performance of the network appliance during the update.
Type: Grant
Filed: March 9, 2022
Date of Patent: January 28, 2025
Assignee: Sophos Limited
Inventors: Biju Ramachandra Kaimal, Srisakthi Subramaniam, Nikhil Bhandari
-
Patent number: 12204870
Abstract: In one or more embodiments, a command is repeatedly input a predetermined number of times into a machine learning model to generate a plurality of different natural language (NL) descriptions. The plurality of different NL descriptions are input into the machine learning model to generate a plurality of different check commands. A plurality of similarity metrics are determined by comparing each check command from the plurality of different check commands to the command. A check command from the plurality of different check commands that is most similar to the command is identified based on the plurality of similarity metrics. An NL description from the plurality of different NL descriptions is caused to be displayed, the NL description previously input into the machine learning model to generate the check command.
Type: Grant
Filed: March 31, 2022
Date of Patent: January 21, 2025
Assignee: Sophos Limited
Inventor: Joshua Daniel Saxe
-
Patent number: 12207092
Abstract: Methods, systems and computer readable media for rogue device detection are described. The method may include automatically generating one or more dummy network identifiers associated with a wireless network, advertising the one or more dummy network identifiers, and identifying a device as a suspect device based on receiving a connection attempt to at least one of the one or more dummy network identifiers by the device. The method can also include allocating a virtual local area network within the wireless network to process traffic associated with the at least one of the one or more dummy network identifiers, and monitoring network traffic of the suspect device on the virtual local area network. The method can further include, if the monitored network traffic meets an abnormality threshold, determining that the suspect device is a rogue device, and performing an action to protect the wireless network from the rogue device.
Type: Grant
Filed: March 25, 2021
Date of Patent: January 21, 2025
Assignee: Sophos Limited
Inventors: Anil Kaushik, Shail Talati, Dirk Bolte
-
Patent number: 12199811
Abstract: A method includes monitoring a plurality of packets received by a network sensor associated with a port of a network, determining a ratio of unicast, multicast or broadcast packets to a total number of packets for the plurality of packets, determining that the ratio is outside the bounds of a threshold range, detecting that a port is misconfigured based on the determination that the ratio is outside the bounds of a threshold range, and automatically notifying a network administrator that the port is misconfigured based on the determination that the ratio is outside the bounds of a threshold range. Further disclosed is a computer system and computer program product configured to perform the method.
Type: Grant
Filed: November 29, 2022
Date of Patent: January 14, 2025
Assignee: Sophos Limited
Inventor: Neil Richard Terry
-
Patent number: 12192214
Abstract: An enterprise security system is improved by taking remedial actions responsive to detecting attempts at tampering with computing resources. When a tamper detection instrument detects an attempt at tampering, information about the attempt at tampering may be used to identify one or more candidate types of threats and/or candidate threats. One or more remedial actions associated with the threat or type of threat can be identified and applied in the enterprise network environment.
Type: Grant
Filed: May 5, 2021
Date of Patent: January 7, 2025
Assignee: Sophos Limited
Inventor: Richard Paul Cosgrove
-
Patent number: 12189769
Abstract: A system, method and computer program for a scanning service is presented. A scanning service compatible with a cloud storage system is configured to receive notifications from a cloud storage service about storage event activity and to access data in the cloud storage service. The scanning service receives a notification regarding storage activity related to a file in the data. After the completion of the storage activity, the scanning service receives the file from the cloud storage service and scans the file. When a determination is made based on the scan that at least a portion of the file should not be distributed then an action is taken with respect to the cloud storage service based on the determination that at least a portion of the file should not be distributed.
Type: Grant
Filed: March 21, 2022
Date of Patent: January 7, 2025
Assignee: Sophos Limited
Inventors: Mark Robert Burdett, Guy Alexander Davies