Abstract: As described, a cloud-based enrollment service is configured to advertise features and capabilities of clusters performing malware analyses within a cloud-based malware detection system. Upon receiving an enrollment request message, including tenant credentials associated with a sensor having an object to be analyzed for malware, the cloud-based enrollment service is configured to use the tenant credentials to authenticate the sensor and determine a type of subscription assigned to the sensor. Thereafter, the cloud-based enrollment service is further configured to transmit an enrollment response message including a portion of the advertised features and capabilities of a selected cluster of the cloud-based malware detection system. The advertised features and capabilities includes information to enable the sensor to establish direct communications with the selected cluster.

Abstract: A system for detecting artifacts associated with a cyber-attack features a cybersecurity intelligence hub remotely located from and communicatively coupled to one or more network devices via a network. The hub includes a data store and retroactive reclassification logic. The data store includes stored meta-information associated with each prior evaluated artifact of a plurality of prior evaluated artifacts. Each meta-information associated with a prior evaluated artifact of the plurality of prior evaluated artifacts includes a verdict classifying the prior evaluated artifact as a malicious classification or a benign classification. The retroactive reclassification logic is configured to analyze the stored meta-information associated with the prior evaluated artifact and either (a) identify whether the verdict associated with the prior evaluated artifact is in conflict with trusted cybersecurity intelligence or (b) identify inconsistent verdicts for the same prior evaluated artifact.

Abstract: A network device for collecting and distributing cybersecurity intelligence, which features analytics logic and a plurality of plug-ins. The analytics logic is configured to (i) receive a request message to conduct a cybersecurity analysis and (ii) select one of a first set or second set of plug-ins to conduct the cybersecurity analysis. Responsive to selecting a first plug-in of the first set of plug-ins by the analytics logic, the system conducts and completes the cybersecurity analysis while a communication session between the first plug-in and a network device initiating the request message remains open. Responsive to selecting a second plug-in by the analytics logic, the system conducts and completes the cybersecurity analysis while allowing the cybersecurity intelligence to be provided in response to the request message during a different and subsequent communication session than the communication session during which the request message is received.

Abstract: A cyber-threat detection system that maintains consistency in local configurations of one or more computing nodes forming a cluster for cyber-threat detection is described. The system features a distributed data store for storage of at least a reference configuration and a management engine deployed within each computing node, including the first computing node and configured to obtain data associated with the reference configuration from the distributed data store, From such data, the management engine is configured to detect when the shared local configuration is non-compliant with the reference configuration, and upload information associated with the non-compliant shared local configuration into the distributed data store. Upon notification, the security administrator may initiate administrative controls to allow the non-compliant shared local configuration or modify the shared local configuration to be compliant with the reference configuration.

Abstract: According to one embodiment, a system featuring one or more processors and memory that includes monitoring logic. During operation, the monitoring logic is configured to monitor for and detect a notification message that is directed to a destination other than the monitoring logic and identify an event associated with a change in state of a data store associated with the file system to occur. The notification message, at least in part, triggers a malware analysis to be conducted on an object associated with the state change event.

Abstract: A scalable, malware detection system features at least one sensor and a cluster including at least one computing node. The computing node includes an analysis coordination system and an object analysis system. The analysis coordination system, when activated as a broker computing node, (i) receives metadata from a sensor, (ii) analyzes the metadata, and (iii) places at least a portion of the metadata into a data store for subsequent use in retrieval of the suspicious object by the object analysis system from the sensor. The object analysis system is configured to (i) retrieve the portion of the metadata, which includes at least a sensor identifier, from the data store, (ii) retrieve the suspicious object from the sensor using at least part of the portion of the metadata retrieved from the data store, and (iii) analyze the suspicious object for malware.

Abstract: A scalable, threat detection system features computing nodes including a first computing node and a second computing node operating as a cluster. Each computing node features an analysis coordinator and an object analyzer. The analysis coordinator is configured to conduct an analysis of metadata associated with a suspicious object that is to be analyzed for malware, where the metadata being received from a remotely located network device and to store a portion of the metadata within a data store. The object analyzer is configured to retrieve the portion of the metadata from the data store, monitor a duration of retention of the metadata in the data store, and determine whether a timeout event has occurred for the object associated with the metadata based on retention of the metadata within the data store that exceeds a timeout value included as part of the metadata associated with the suspicious object for malware.

Abstract: A submission process for a malware detection system including one or more sensors and a cluster including one or more computing nodes is described. The process includes the sensor that determines whether a prior malware analysis has been conducted on any previously submitted object matching the object under analysis. If not, the process determines whether the object is suspicious, namely a first probability of the first object being associated with malware. If suspicious, metadata associated with the suspicious object is sent to an analysis coordinator of a first computing node of the cluster. The metadata is used in determining whether a prior malware analysis has been previously conducted within the cluster on any object that matches the suspicious object. The metadata is also used in fetching, by an object analyzer of the same or a different computing node of the cluster, the suspicious object from the sensor for malware analysis.

Abstract: A computerized method for detecting malware associated with an object. The method includes operations of analyzing an object to obtain a first set of attributes, where the first set of attributes include one or more characteristics associated with the object. Furthermore, the object is processed with a virtual machine to obtain a second set of attributes. The second set of attributes corresponds to one or more monitored behaviors of the virtual machine during processing of the object. Thereafter, a threat index is determined based, at least in part, on a combination of at least one attribute of the first set of attributes and at least one attribute of the second set of attributes. The threat index represents a probability of maliciousness associated with the object.

Abstract: A computerized method for enforcing compliance to a subscription for object evaluation service by a malware detection system is described. Enforcement logic receives operational metadata from the malware detection system. The operational metadata includes metadata associated with operations performed on objects submitted to the malware detection system by the one or more customers. For each customer, the operational metadata associated with operations performed on data submitted by the customer is analyzed for comparison with a plurality of service attributes associated with the subscription for the customer.

Abstract: A system for detecting artifacts associated with a cyber-attack features a cybersecurity intelligence hub that includes a data store with stored meta-information associated with each artifact of a plurality of artifacts and each stored meta-information includes a verdict classifying an artifact corresponding to the stored meta-information as a malicious classification or a benign classification. The hub is configured to (i) receive meta-information associated with a first artifact from a cybersecurity sensor, and (ii) determine a verdict for the first artifact based on an analysis of meta-information associated with the first artifact stored meta-information associated with each of the plurality of artifacts. A verdict for the first artifact is returned to the cybersecurity sensor in response to a detected match between a portion of stored meta-information and a portion of the meta-information associated with the first artifact.

Abstract: A system for detecting artifacts associated with a cyber-attack features a cybersecurity intelligence hub remotely located from and communicatively coupled to one or more network devices via a network. The hub includes a data store and retroactive reclassification logic. The data store includes stored meta-information associated with each prior evaluated artifact of a plurality of prior evaluated artifacts. Each meta-information associated with a prior evaluated artifact of the plurality of prior evaluated artifacts includes a verdict classifying the prior evaluated artifact as a malicious classification or a benign classification. The retroactive reclassification logic is configured to analyze the stored meta-information associated with the prior evaluated artifact and either (a) identify whether the verdict associated with the prior evaluated artifact is in conflict with trusted cybersecurity intelligence or (b) identify inconsistent verdicts for the same prior evaluated artifact.

Abstract: According to one embodiment, a system featuring one or more processors and memory that includes monitoring logic. In operation, the monitoring logic monitors for a notification message that identifies a state change event that represents an activity has caused a change in state of a data store associated with a storage system. The notification message triggers a malware analysis to be conducted on an object associated with the state change event.

Abstract: A modularized architecture using vertical partitioning of a database is configured to store object metadata and processing results of one or more objects analyzed by a state machine, such as an analysis engine of a malware detection system. The database may include data structures, such as one or more master blocks, state sub-blocks, and state co-tables, as well as state transition queues. The modularized architecture may organize the database as one or more stages of the state machine, such that each stage corresponds to a module of the state machine, wherein the module generates results that are stored in its associated state co-table, which then provides information for a next stage. Each next stage may have a dependency on the one or more prior stages that provide input for execution of the next stage module.

Abstract: A malware detection system may be configured to enhance analysis of an object when determining whether results for a previously analyzed object may be applied to the object. The enhanced analysis may employ context factors pertaining to an environment within which the objects operate. If an object identifier (ID) of the object matches the object ID of the previously analyzed object, but one or more of the context factors differ, then the results from the previously analyzed object may not be applied to the object and the object is subjected to further analysis, e.g., behavioral analysis. Yet if the context factors do not differ, then the object may be deemed a duplicate of the previously analyzed object, such that a result (such as an alert or “no action”) of the previously analyzed object may be applied to the object.

Abstract: A modularized architecture using vertical partitioning of a database is configured to store object metadata and processing results of one or more objects analyzed by a state machine, such as an analysis engine of a malware detection system. The database may include a plurality of data structures, such as one or more master blocks, state sub-blocks, and state co-tables, as well as state transition queues. The modularized architecture may organize the database as one or more stages of a state machine, wherein each stage includes a state sub-block, a state co-table and a state transition queue. The modularized architecture may further organize the database such that each stage corresponds to an action, i.e., module, of the state machine on the object.