Abstract: Techniques are disclosed relating to malware clustering based on function call graph similarity. In some embodiments, a computer system may access information corresponding to a plurality of malware samples and, based on the information, generate a function call graph for each of the malware samples. In some embodiments, generating the function call graph for a given malware sample includes identifying a plurality of function calls included in the information, assigning a label to each of the function calls, identifying relationships between the function calls, and generating the function call graph based on the relationships and the labels. Based on the function call graphs, the computer system may assign each of the plurality of malware samples into one of a plurality of clusters of related malware samples.

Abstract: Techniques are disclosed relating to malware clustering based on execution-behavior reports. In some embodiments, a computer system may access malware information that includes a plurality of reports corresponding to a plurality of malware samples. In some embodiments, each of the malware reports specifies a set of features relating to execution behavior of a corresponding malware sample. The computer system may, in various embodiments, process the plurality of reports to generate a plurality of vectors that includes, for each of the malware samples, a corresponding vector indicative of the execution behavior of the corresponding malware sample. Based on the plurality of vectors, the computer system may generate similarity values indicative of a similarity between ones of the plurality of vectors. Further, based on the similarity values, the computer system may assign each of the plurality of malware samples to one of a plurality of clusters of related malware samples.

Abstract: Techniques are disclosed relating to storage of network event information for multiple tenants. In some embodiments, one or more host computer systems are configured to maintain a plurality of containers operable to isolate network event information of a plurality of tenants from others of the plurality of tenants. The plurality of containers includes a first container that includes a first database executable to store network event information for a first of the plurality of tenants, and a second container that includes a second database executable to store network event information for a second of the plurality of tenants. In some embodiments, a management computer system is configured to receive, from the first tenant, a request to access network event information of the first tenant and route the request to a host computer system maintaining the first container to cause the first database to service the request.

Abstract: Techniques are disclosed relating to storage of network event information for multiple tenants. In some embodiments, one or more host computer systems are configured to maintain a plurality of containers operable to isolate network event information of a plurality of tenants from others of the plurality of tenants. The plurality of containers includes a first container that includes a first database executable to store network event information for a first of the plurality of tenants, and a second container that includes a second database executable to store network event information for a second of the plurality of tenants. In some embodiments, a management computer system is configured to receive, from the first tenant, a request to access network event information of the first tenant and route the request to a host computer system maintaining the first container to cause the first database to service the request.

Abstract: Techniques are disclosed relating to malware clustering based on function call graph similarity. In some embodiments, a computer system may access information corresponding to a plurality of malware samples and, based on the information, generate a function call graph for each of the malware samples. In some embodiments, generating the function call graph for a given malware sample includes identifying a plurality of function calls included in the information, assigning a label to each of the function calls, identifying relationships between the function calls, and generating the function call graph based on the relationships and the labels. Based on the function call graphs, the computer system may assign each of the plurality of malware samples into one of a plurality of clusters of related malware samples.

Abstract: Techniques are disclosed relating to malware clustering based on execution-behavior reports. In some embodiments, a computer system may access malware information that includes a plurality of reports corresponding to a plurality of malware samples. In some embodiments, each of the malware reports specifies a set of features relating to execution behavior of a corresponding malware sample. The computer system may, in various embodiments, process the plurality of reports to generate a plurality of vectors that includes, for each of the malware samples, a corresponding vector indicative of the execution behavior of the corresponding malware sample. Based on the plurality of vectors, the computer system may generate similarity values indicative of a similarity between ones of the plurality of vectors. Further, based on the similarity values, the computer system may assign each of the plurality of malware samples to one of a plurality of clusters of related malware samples.

Abstract: Techniques are disclosed relating to storage of network event information for multiple tenants. In some embodiments, one or more host computer systems are configured to maintain a plurality of containers operable to isolate network event information of a plurality of tenants from others of the plurality of tenants. The plurality of containers includes a first container that includes a first database executable to store network event information for a first of the plurality of tenants, and a second container that includes a second database executable to store network event information for a second of the plurality of tenants. In some embodiments, a management computer system is configured to receive, from the first tenant, a request to access network event information of the first tenant and route the request to a host computer system maintaining the first container to cause the first database to service the request.

Abstract: Techniques are disclosed relating to malware clustering based on function call graph similarity. In some embodiments, a computer system may access information corresponding to a plurality of malware samples and, based on the information, generate a function call graph for each of the malware samples. In some embodiments, generating the function call graph for a given malware sample includes identifying a plurality of function calls included in the information, assigning a label to each of the function calls, identifying relationships between the function calls, and generating the function call graph based on the relationships and the labels. Based on the function call graphs, the computer system may assign each of the plurality of malware samples into one of a plurality of clusters of related malware samples.

Abstract: Techniques are disclosed relating to malware clustering based on execution-behavior reports. In some embodiments, a computer system may access malware information that includes a plurality of reports corresponding to a plurality of malware samples. In some embodiments, each of the malware reports specifies a set of features relating to execution behavior of a corresponding malware sample. The computer system may, in various embodiments, process the plurality of reports to generate a plurality of vectors that includes, for each of the malware samples, a corresponding vector indicative of the execution behavior of the corresponding malware sample. Based on the plurality of vectors, the computer system may generate similarity values indicative of a similarity between ones of the plurality of vectors. Further, based on the similarity values, the computer system may assign each of the plurality of malware samples to one of a plurality of clusters of related malware samples.

Abstract: Techniques are disclosed relating to detection of network security threats. In some embodiments, a computer system receives network event information from network devices in a network. The computer system stores a set of received network event information in a first data store and performs analysis to identify a subset of the network event information. The computer system uses the subset of network event information to create, in a second data store, a model of a state of the network, and runs stored threat detection routines to query the second data store to detect threats to the network. The computer system provides an indication of threats detected in response to running the plurality of stored threat detection routines and, in response to receiving an indication of a user query regarding the network, provides query results determined based on accessing information in the first data store, but not the second data store.

Abstract: Techniques are disclosed relating to malware clustering based on execution-behavior reports. In some embodiments, a computer system may access malware information that includes a plurality of reports corresponding to a plurality of malware samples. In some embodiments, each of the malware reports specifies a set of features relating to execution behavior of a corresponding malware sample. The computer system may, in various embodiments, process the plurality of reports to generate a plurality of vectors that includes, for each of the malware samples, a corresponding vector indicative of the execution behavior of the corresponding malware sample. Based on the plurality of vectors, the computer system may generate similarity values indicative of a similarity between ones of the plurality of vectors. Further, based on the similarity values, the computer system may assign each of the plurality of malware samples to one of a plurality of clusters of related malware samples.

Abstract: Techniques are disclosed relating to malware clustering based on function call graph similarity. In some embodiments, a computer system may access information corresponding to a plurality of malware samples and, based on the information, generate a function call graph for each of the malware samples. In some embodiments, generating the function call graph for a given malware sample includes identifying a plurality of function calls included in the information, assigning a label to each of the function calls, identifying relationships between the function calls, and generating the function call graph based on the relationships and the labels. Based on the function call graphs, the computer system may assign each of the plurality of malware samples into one of a plurality of clusters of related malware samples.

Abstract: Techniques are disclosed relating to malware clustering based on execution-behavior reports. In some embodiments, a computer system may access malware information that includes a plurality of reports corresponding to a plurality of malware samples. In some embodiments, each of the malware reports specifies a set of features relating to execution behavior of a corresponding malware sample. The computer system may, in various embodiments, process the plurality of reports to generate a plurality of vectors that includes, for each of the malware samples, a corresponding vector indicative of the execution behavior of the corresponding malware sample. Based on the plurality of vectors, the computer system may generate similarity values indicative of a similarity between ones of the plurality of vectors. Further, based on the similarity values, the computer system may assign each of the plurality of malware samples to one of a plurality of clusters of related malware samples.

Abstract: Techniques are disclosed relating to storage of network event information for multiple tenants. In some embodiments, one or more host computer systems are configured to maintain a plurality of containers operable to isolate network event information of a plurality of tenants from others of the plurality of tenants. The plurality of containers includes a first container that includes a first database executable to store network event information for a first of the plurality of tenants, and a second container that includes a second database executable to store network event information for a second of the plurality of tenants. In some embodiments, a management computer system is configured to receive, from the first tenant, a request to access network event information of the first tenant and route the request to a host computer system maintaining the first container to cause the first database to service the request.

Abstract: Techniques are disclosed relating to detection of network security threats. In some embodiments, a computer system receives network event information from network devices in a network. The computer system stores a set of received network event information in a first data store and performs analysis to identify a subset of the network event information. The computer system uses the subset of network event information to create, in a second data store, a model of a state of the network, and runs stored threat detection routines to query the second data store to detect threats to the network. The computer system provides an indication of threats detected in response to running the plurality of stored threat detection routines and, in response to receiving an indication of a user query regarding the network, provides query results determined based on accessing information in the first data store, but not the second data store.