Patents Assigned to Sophos Limited
  • Patent number: 12381893
    Abstract: Methods and systems are described for developing a malicious content detector to identify new malicious text content, such as phishing messages, malicious documents, and/or malicious web content. A computing device is used to generate input data which contains an instruction, examples of content, and content to be analyzed. The examples include malicious and benign content samples, designed to recognize similar malicious content. The computing device feeds this input into a generative language model, which produces text labels that indicate the maliciousness of the content to be analyzed. The methods and systems enable rapid development of security protection by leveraging a small number of malicious samples, instead of training with a large dataset of new training samples.
    Type: Grant
    Filed: July 25, 2023
    Date of Patent: August 5, 2025
    Assignee: Sophos Limited
    Inventors: Younghoo Lee, Joshua Daniel Saxe
  • Patent number: 12375520
    Abstract: In example embodiments, techniques are provided to detect LOLBin attacks using a trained machine learning model that classifies command lines as benign or malicious. The machine learning model may be trained using a dataset of command line data that describes executed binary executable files, sourced from the log of events of compute instances. The dataset may be sampled using an approximate content-based logarithmic sampling algorithm (e.g., an algorithm that employs logarithmic sampling based on a locality sensitive hash, for example, a MinHash). The dataset may be labeled and featurized. The featurized labeled dataset may be used to train the machine learning model, which is then deployed to detect LOLBin attacks on a compute instance. In response to detection of a LOLBin attack, a remedial action may be performed on the compute instance.
    Type: Grant
    Filed: May 8, 2023
    Date of Patent: July 29, 2025
    Assignee: Sophos Limited
    Inventors: Adarsh Dinesh Kyadige, Ben Uri Gelman, Konstantin Berlin
  • Patent number: 12373605
    Abstract: Secure hashing of large files to verify file identity. In some implementations, a method includes determining a size of a particular file received by an endpoint device, and searching for a record indexed in a data structure based on the size. In response to finding the record, a sequence of multiple records is accessed in the data structure. For each record of the sequence, a particular data portion is hashed that has a location in the particular file that corresponds to a location in the record to obtain a particular hash result. In response to the particular hash result matching a corresponding previous hash result stored in the record based on an associated data portion in an associated file, the particular file is determined to be the same as the associated file, and characteristics of the particular file are determined using file information for the associated file.
    Type: Grant
    Filed: September 30, 2022
    Date of Patent: July 29, 2025
    Assignee: Sophos Limited
    Inventor: James Christopher Carpenter
  • Patent number: 12373730
    Abstract: A compute instance stores a programmable feature extractor associated with a machine learning model maintained by a server-based computing system configured to communicate with the compute instance by way of a network. The machine learning model is based on a feature set that includes a plurality of features. The compute instance executes the programmable feature extractor to generate a feature vector corresponding to a data instance accessed by the compute instance, where the feature vector includes a feature value specific to the data instance for each feature included in the feature set. The compute instance transmits the feature vector corresponding to the data instance to the server-based computing system for use as a training input to the machine learning model.
    Type: Grant
    Filed: March 30, 2021
    Date of Patent: July 29, 2025
    Assignee: Sophos Limited
    Inventors: Joseph H. Levy, Kenneth D. Ray, Joshua Daniel Saxe
  • Patent number: 12373599
    Abstract: A data set can be analyzed for the presence of sensitive data using type-specific validation mechanisms to test data within the data set that superficially matches a corresponding data type format. In general, a type-specific validation mechanism may be applied to data segments within the data set when they match the data type format, and used to cumulatively build a statistical inference about whether the data set contains the corresponding data type. This technique may usefully be applied in a range of security contexts, such as characterizing data at rest or detecting leakage of sensitive data during a data transmission.
    Type: Grant
    Filed: July 26, 2023
    Date of Patent: July 29, 2025
    Assignee: Sophos Limited
    Inventors: John Brian Bryan, Xing Zhang
  • Patent number: 12363167
    Abstract: A threat management facility for an enterprise provides security services to a number of virtual compute instances executing on a remote cloud computing platform. In order to prevent or reduce an accumulation of records for abandoned compute instances, each new virtual compute instance is explicitly identified by a user (and optionally a template), and then compared to existing records to identify possible redundancies, which can be deleted or otherwise managed.
    Type: Grant
    Filed: May 18, 2022
    Date of Patent: July 15, 2025
    Assignee: Sophos Limited
    Inventors: Neil Robert Tyndale Watkiss, Jonathan Francis Caine, Timothy Rayment
  • Patent number: 12363170
    Abstract: Systems and methods for configuring a network security device. The methods include deploying a network security device on a network, wherein the network security device includes a network security device interface; accessing, via the network security device interface, a first cloud-based computing platform configured to request from a first library metadata associated with a first network resource on the first cloud-based computing platform; receiving at the network security device interface the metadata associated with the first network resource; and configuring the network security device in accord with the metadata associated with the first network resource.
    Type: Grant
    Filed: August 23, 2023
    Date of Patent: July 15, 2025
    Assignee: Sophos Limited
    Inventors: Ashish Aswal, Alan Charles Toews, Laxmikant Agarwal
  • Patent number: 12354043
    Abstract: An automated system attempts to characterize code as safe or unsafe. For intermediate code samples not placed with sufficient confidence in either category, human-readable analysis is automatically generated to assist a human reviewer in reaching a final disposition. For example, a random forest over human-interpretable features may be created and used to identify suspicious features in a manner that is understandable to, and actionable by, a human reviewer. Similarly, a k-nearest neighbor algorithm may be used to identify similar samples of known safe and unsafe code based on a model for, e.g., a file path, a URL, an executable, and so forth. Similar code may then be displayed (with other information) to a user for evaluation in a user interface. This comparative information can improve the speed and accuracy of human interventions by providing richer context for human review of potential threats.
    Type: Grant
    Filed: September 7, 2023
    Date of Patent: July 8, 2025
    Assignee: Sophos Limited
    Inventors: Joshua Daniel Saxe, Andrew J. Thomas, Russell Humphries, Simon Neil Reed, Kenneth D. Ray, Joseph H. Levy
  • Patent number: 12348538
    Abstract: Possible Denial of Service (DoS) activity is detected and remediated based on an initial heartbeat failure from a network asset, followed by externally directed network traffic from the network asset. In general, an interruption of the heartbeat can signal the possible presence of malware on the network asset, and the externally directed network traffic, and particularly certain patterns of traffic such as a high volume of traffic toward an address with a known, good reputation, can signal the possible presence of a DoS bot on the network asset that is sourcing the network traffic.
    Type: Grant
    Filed: May 23, 2024
    Date of Patent: July 1, 2025
    Assignee: Sophos Limited
    Inventor: Kenneth D. Ray
  • Patent number: 12339962
    Abstract: An apparatus for detecting malicious files includes a memory and a processor communicatively coupled to the memory. The processor receives multiple potentially malicious files. A first potentially malicious file has a first file format, and a second potentially malicious file has a second file format different than the first file format. The processor extracts a first set of strings from the first potentially malicious file, and extracts a second set of strings from the second potentially malicious file. First and second feature vectors are defined based on lengths of each string from the associated set of strings. The processor provides the first feature vector as an input to a machine learning model to produce a maliciousness classification of the first potentially malicious file, and provides the second feature vector as an input to the machine learning model to produce a maliciousness classification of the second potentially malicious file.
    Type: Grant
    Filed: October 10, 2023
    Date of Patent: June 24, 2025
    Assignee: Sophos Limited
    Inventors: Joshua Daniel Saxe, Ethan M. Rudd, Richard Harang
  • Patent number: 12341672
    Abstract: Systems and methods for monitoring network activity. The methods include receiving at an interface a first logging parameter for a first network device, wherein the first logging parameter specifies how the first network device is to record data associated with the first network device; communicating the first logging parameter to the first network device; and indicating to the first network device a first network-accessible location to where the first network device is to transmit its recorded data, wherein the first network device is configured to record data in accord with the first logging parameter and transmit the recorded data to the first network-accessible location.
    Type: Grant
    Filed: December 17, 2022
    Date of Patent: June 24, 2025
    Assignee: Sophos Limited
    Inventors: Avni Bhupendrakumar Wala, Yogesh Kumar Bansal, Bhaskar Sen, Sowri Raju Bathineni, Sumit Jindal
  • Patent number: 12321771
    Abstract: In a cluster of network devices using a consensus protocol for cluster synchronization, a full software rollback is performed by backing up a cluster state on a primary instance for the cluster, and then restarting all devices at the same time from a prior partition. The primary instance can then start a cluster management service and other devices can join the cluster using the consensus state stored by the primary instance.
    Type: Grant
    Filed: March 9, 2022
    Date of Patent: June 3, 2025
    Assignee: Sophos Limited
    Inventors: Nikhil Bhandari, Venkata Suresh Reddy Obulareddy, Amit Katyal
  • Publication number: 20250173439
    Abstract: Embodiments disclosed herein include an apparatus with a processor configured to receive an indication of a function call to an identified shared library and configured to perform an identified function. The processor is configured to insert a function hook in the shared library. The function hook is configured to pause the execution of the shared library when called. In response to the function hook, the processor is configured to identify a source location in one or more memories associated with an origin of the function call to the shared library. The processor is configured to scan a range of memory addresses associated with the source location in the one or more memories, and identify, based on the scanning, a potentially malicious process within the range of memory addresses.
    Type: Application
    Filed: January 29, 2025
    Publication date: May 29, 2025
    Applicant: Sophos Limited
    Inventors: Mark Willem LOMAN, Lute Edwin ENGELS, Ronny Henk Gert TIJINK, Alexander VERMANING
  • Patent number: 12316608
    Abstract: A cloud-based platform for zero trust network access (ZTNA) services provides zero trust network access as a service for multiple customers in a multi-tenant architecture. In this context, the configuration for a new ZTNA application is validated with a service proxy in a sandbox or similar environment before release by the cloud-based platform for access through a public network. As a significant advantage, this approach mitigates inadvertent conflicts or instability in a service proxy that supports other applications and customers.
    Type: Grant
    Filed: December 28, 2022
    Date of Patent: May 27, 2025
    Assignee: Sophos Limited
    Inventors: Robert Paul Andrews, Amit Katyal, Thiyagu Rajendran
  • Patent number: 12299472
    Abstract: A policy created through an administrative user interface is converted into an intermediate representation that can be compiled for execution by a gateway or converted into a human-readable form for modifications by the administrator.
    Type: Grant
    Filed: March 9, 2022
    Date of Patent: May 13, 2025
    Assignee: Sophos Limited
    Inventors: Biju Ramachandra Kaimal, Avni Bhupendrakumar Wala, Nikhil Bhandari
  • Patent number: 12292971
    Abstract: Statistical properties of known malware distributions may be used to improve estimates of malware detection metrics such as a base rate of malicious events in a target environment or missed detections (also referred to as false negatives). In particular, numerous synthetic sample distributions may be generated based on the statistical properties of a base data set and/or additional observed data, and used to identify malware distributions that produce overall detection statistics corresponding to model output for live target data. The malware detection metrics for the live target data can then be characterized using the observed distributions of malware (and malware detections) for the synthetic sample distributions.
    Type: Grant
    Filed: November 12, 2021
    Date of Patent: May 6, 2025
    Assignee: Sophos Limited
    Inventor: Richard Edward Harang
  • Patent number: 12277218
    Abstract: In a system and method for processing computer system events asynchronously for software security operations, a computer memory is configured for a read operation by a computer process. The computer process loads, based on a first event occurring during the read operation, at least one file in the computer memory. At least one thread of the computer process is generated. An execution of the at least one thread of the computer process is delayed based on a second event occurring after the first event. A security operation is performed on the process contemporaneously with the loading of the file in the computer memory and the blocking of the execution of the at least one thread of the computer process. The process is either un-delayed on completion of the previous security operation or other security operations performed on that process.
    Type: Grant
    Filed: November 17, 2022
    Date of Patent: April 15, 2025
    Assignee: Sophos Limited
    Inventors: Steven John Braggs, James Christopher Carpenter
  • Publication number: 20250119451
    Abstract: Embodiments disclosed include methods and apparatus for visualization of data and models (e.g., machine learning models) used to monitor and/or detect malware to ensure data integrity and/or to prevent or detect potential attacks. Embodiments disclosed include receiving information associated with artifacts scored by one or more sources of classification (e.g., models, databases, repositories). The method includes receiving inputs indicating threshold values or criteria associated with a classification of maliciousness of an artifact and for selecting sample artifacts. The method further includes classifying and selecting the artifacts, based on the criteria, to define a sample set, and based on the sample set, generating a ground truth indication of classification of maliciousness for each sample artifact in the sample set.
    Type: Application
    Filed: October 17, 2024
    Publication date: April 10, 2025
    Applicant: Sophos Limited
    Inventors: Konstantin BERLIN, Awalin Nabila SOPAN
  • Patent number: 12273382
    Abstract: Security is improved by adding a security heartbeat for an endpoint as a factor in a multi-factor authentication system. The security heartbeat may be used directly as an authentication factor, e.g., where the heartbeat provides a reliable and verifiable indication of identity, or the security heartbeat may be used as a gating input for some other verification method, e.g., where a text message with a temporary security code can only be transmitted to a user when the user's endpoint is providing a secure heartbeat.
    Type: Grant
    Filed: December 18, 2018
    Date of Patent: April 8, 2025
    Assignee: Sophos Limited
    Inventors: Karl Ackerman, John Edward Tyrone Shaw, Craig Paradis, Andrew J. Thomas, Kenneth D. Ray
  • Patent number: 12271474
    Abstract: A system for conducting a security recognition task, the system comprising a memory configured to store a model and training data including auxiliary information that will not be available as input to the model when the model is used as a security recognition task model for the security recognition task. The system further comprising one or more processors communicably linked to the memory and comprising a training unit and a prediction unit. The training unit is configured to receive the training data and the model from the memory and subsequently provide the training data to the model, and train the model, as the security recognition task model, using the training data to predict the auxiliary information as well as to perform the security recognition task, thereby improving performance of the security recognition task. The prediction unit is configured to use the security recognition task model output to perform the security recognition task while ignoring the auxiliary attributes in the model output.
    Type: Grant
    Filed: May 25, 2023
    Date of Patent: April 8, 2025
    Assignee: Sophos Limited
    Inventors: Richard Edward Harang, Ethan McAvoy Rudd, Konstantin Berlin, Cody Marie Wild, Felipe Nicolás Ducau