Patents by Inventor Alexey M. Romanenko

Alexey M. Romanenko has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20200004956
    Abstract: Disclosed herein are methods and systems for detecting malicious files using two stage file classification. An exemplary method comprises selecting, by a hardware processor, a set of attributes of a file under analysis, calculating, by the hardware processor, a hash of the file based on the selected set of attributes, selecting, by the hardware processor, a classifier for the file from a set of classifiers based on the calculated hash of the file, assigning, by the hardware processor, the file under analysis to the one or more categories based on the selected classifier, determining whether the file has been assigned to a category of malicious files and concluding that the file is malicious based on the determination.
    Type: Application
    Filed: November 8, 2018
    Publication date: January 2, 2020
    Inventors: Alexey M. Romanenko, Alexander V. Liskin, Sergey V. Prokudin
  • Publication number: 20200004961
    Abstract: Disclosed herein are systems and methods of identifying malicious files using a learning model trained on a malicious file. In one aspect, an exemplary method comprises selecting, using a hardware processor, the malicious file from a plurality of malicious files that are known to be harmful, selecting, using the hardware processor, a plurality of safe files from a set of safe files that are known to be safe, generating, using the hardware processor, a learning model by training a neural network with the malicious file and the plurality of safe files, generating, using the hardware processor, rules for detection of malicious files from the learning model, determining, using the hardware processor, whether attributes of an unknown file fulfill the rules for detection of malicious files using the learning model and responsive to determining that the rules for detection are fulfilled, identifying, using the hardware processor, the unknown file as malicious.
    Type: Application
    Filed: November 9, 2018
    Publication date: January 2, 2020
    Inventors: Sergey V. Prokudin, Alexey M. Romanenko
  • Publication number: 20190387017
    Abstract: Disclosed are systems and methods for countering a cyber-attack on computing devices by means of which users are interacting with services, which store personal data on the users. Data is gathered about the services with which the users are interacting by means of the devices, as well as data about the devices themselves. The collected data is analyzed to detect when a cyber-attack on the devices is occurring as a result of a data breach of personal data on users from at least one service. Actions are selected for countering the cyber-attack and are sent to the devices of all users of the corresponding cluster in the event that a match is found in the characteristics of the attack vector for at least one device of another user whose devices belong to the corresponding cluster.
    Type: Application
    Filed: June 19, 2018
    Publication date: December 19, 2019
    Inventors: Vladislav V. MARTYNENKO, Alexey M. ROMANENKO
  • Patent number: 10489586
    Abstract: A system and method is provided for detecting anomalous events occurring in an operating system of a computing device. An exemplary method includes detecting an event that occurs in the operating system of the computing device during execution of a software process. Moreover, the method includes determining a context of the detected event and forming a convolution of the detected event based on selected features of the determined context of the detected event. Further, the method includes determining a popularity of the formed convolution by polling a database containing data relating to a frequency of detected events occurring in client devices in a network, where the detected events of the client devices correspond to the detected event in the computing device. If the determined popularity is below a threshold value, the method determines that the detected event is an anomalous event.
    Type: Grant
    Filed: September 29, 2017
    Date of Patent: November 26, 2019
    Assignee: AO Kaspersky Lab
    Inventors: Alexey V. Monastyrsky, Mikhail A. Pavlyushchik, Alexey M. Romanenko, Maxim Y. Golovkin
  • Patent number: 10372907
    Abstract: Disclosed are systems and method for detecting a malicious computer system. An exemplary method comprises: collecting, via a processor, characteristics of a computer system; determining relations between collected characteristics of the computer system; determining a time dependency of at least one state of the computer system based on determined relations; determining the at least one state of the computer system based at least on determined time dependency; and analyzing the at least one state of the computer system in connection with selected patterns representing a legal or malicious computer system to determine a degree of harmfulness of the computer system.
    Type: Grant
    Filed: July 20, 2016
    Date of Patent: August 6, 2019
    Assignee: AO Kaspersky Lab
    Inventors: Alexey E. Antonov, Alexey M. Romanenko
  • Publication number: 20190114420
    Abstract: The present disclosure is directed to a system and method of detecting malicious files by using a trained machine learning model. The system may comprise a hardware processor configured to form at least one behavior pattern, calculate the convolution of all behavior patterns, select from a database of detection models at least two models for detection of malicious files on the basis of the behavior patterns, calculate the degree of harmfulness of a file being executed on the basis of an analysis of the convolution and the at least two models for detection of malicious files, form, on the basis of the degrees of harmfulness, a decision-making pattern, recognize the file being executed as malicious if the degree of similarity between the formulated decision-making pattern and at least one of a predetermined decision-making patterns from a database of decision-making patterns previously formulated on the basis of an analysis of malicious files, exceeds a predetermined threshold value.
    Type: Application
    Filed: October 2, 2018
    Publication date: April 18, 2019
    Inventors: Alexander S. CHISTYAKOV, Ekaterina M. LOBACHEVA, Alexey M. ROMANENKO
  • Publication number: 20190114419
    Abstract: Disclosed are systems and methods for detection of malicious files using machine learning. An example method comprises: selecting one or more data blocks in an object being analyzed based on rules; performing a static analysis on the one or more data blocks to determine a set of features of the one or more data blocks; determining a degree of harmfulness of the object based on the set of features and a model for detection of malicious objects, wherein the model has been trained by a method for machine learning on at least one safe object and one malicious object; recognizing the object is safe when the degree of harmfulness does not exceed a predetermined threshold of harmfulness; and recognizing the object is malicious when the degree of harmfulness of the one or more data blocks exceeds the predetermined threshold of harmfulness.
    Type: Application
    Filed: June 14, 2018
    Publication date: April 18, 2019
    Inventors: Alexander S. CHISTYAKOV, Ekaterina M. LOBACHEVA, Alexey M. ROMANENKO
  • Publication number: 20190114423
    Abstract: Disclosed are systems and methods generating a convolution function for training a malware detection model. An example method comprises selecting, by a processor, one or more commands from a log according to a set of predetermined rules, forming, by the processor, one or more behavior patterns from the one or more selected commands, determining, by the processor, a feature vector according to the one or more behavior patterns, generating, by the processor, a convolution function according to the feature vector, wherein a size of a result of the convolution function of the feature vector is less than the size of the feature vector, and computing, by the processor, one or more parameters for training a malware detection model using the convolution function on the one or more behavior patterns.
    Type: Application
    Filed: June 15, 2018
    Publication date: April 18, 2019
    Inventors: Alexander S. CHISTYAKOV, Ekaterina M. LOBACHEVA, Alexey M. ROMANENKO
  • Publication number: 20190114539
    Abstract: Disclosed are systems and methods generating a convolution function for training a malware detection model. An example method comprises generating, by a processor, a plurality of behavior patterns based on one or more logs of commands executed on a computing device, calculating, by the processor, an effectiveness of each of a plurality of methods for machine learning based on the plurality of behavior patterns, determining, by the processor, a preferred method for machine learning from the plurality of methods for machine learning by selecting the preferred method as a method with the greatest effectiveness from the plurality of methods for machine learning, obtaining, by the processor, parameters of the malware detection model by applying convolution functions to the plurality of behavior patterns, training, by the processor, the malware detection model to detect malicious files using the preferred method for machine learning.
    Type: Application
    Filed: June 12, 2018
    Publication date: April 18, 2019
    Inventors: Alexander S. CHISTYAKOV, Ekaterina M. LOBACHEVA, Alexey M. ROMANENKO
  • Publication number: 20190050567
    Abstract: The present disclosure provides a system for managing computer resources for detection of malicious files based on machine learning model. In one aspect, the system may comprise: a hardware processor configured to: form at least one behavior pattern on the basis of commands and parameters, calculate the convolution of the formed behavior pattern, calculate the degree of harmfulness the convolution and a model for detection of malicious files, manage the computing resources used to ensure the security of that computing device, based on the degree of harmfulness, wherein the degree of harmfulness is within a predetermined range of values and if the obtained degree of harmfulness of applications exceeds the predetermined threshold value, send a request to allocate additional resources of the computing device, otherwise send a request to free up previously allocated resources of the computing device.
    Type: Application
    Filed: July 19, 2018
    Publication date: February 14, 2019
    Inventors: Alexander S. Chistyakov, Ekaterina M. Lobacheva, Alexey M. Romanenko
  • Publication number: 20190018960
    Abstract: Disclosed are systems and methods for machine learning of a model for detecting malicious files. The described system samples files from a database of files and trains a detection model for detecting malicious files on the basis of an analysis of the sampled files. The described system forms behavior logs based on executable commands intercepted during execution of the sampled files, and generates behavior patterns based on the behavior log. The described system determines a convolution function based on the behavior patterns, and trains a detection model for detecting malicious files by calculating parameters of the detection model using the convolution function on the behavior patterns. The trained detection model may be used to detect malicious files by utilizing the detection model on a system behavior log generated during execution of suspicious files.
    Type: Application
    Filed: February 28, 2018
    Publication date: January 17, 2019
    Inventors: Alexander S. Chistyakov, Ekaterina M. Lobacheva, Alexey M. Romanenko
  • Publication number: 20180365415
    Abstract: A system and method is provided for detecting anomalous events occurring in an operating system of a computing device. An exemplary method includes detecting an event that occurs in the operating system of the computing device during execution of a software process. Moreover, the method includes determining a context of the detected event and forming a convolution of the detected event based on selected features of the determined context of the detected event. Further, the method includes determining a popularity of the formed convolution by polling a database containing data relating to a frequency of detected events occurring in client devices in a network, where the detected events of the client devices correspond to the detected event in the computing device.
    Type: Application
    Filed: September 29, 2017
    Publication date: December 20, 2018
    Inventors: Alexey V. Monastyrsky, Mikhail A. Pavlyushchik, Alexey M. Romanenko, Maxim Y. Golovkin
  • Publication number: 20180365416
    Abstract: A system and method is provided for detecting anomalous events occurring in an operating system of a computing device. An exemplary method includes detecting an event that occurs in the operating system of the computing device during execution of a software process. Moreover, the method includes determining a context of the detected event and forming a convolution of the detected event based on selected features of the determined context of the detected event. Further, the method includes determining a popularity of the formed convolution by polling a database containing data relating to a frequency of detected events occurring in client devices in a network, where the detected events of the client devices correspond to the detected event in the computing device.
    Type: Application
    Filed: June 22, 2018
    Publication date: December 20, 2018
    Inventors: Alexey V. MONASTYRSKY, Mikhail A. PAVLYUSHCHIK, Alexey M. ROMANENKO, Maxim Y. GOLOVKIN
  • Publication number: 20180365419
    Abstract: A system and method is provided for detecting anomalous events occurring in an operating system of a computing device. An exemplary method includes detecting an event that occurs in the operating system of the computing device during execution of a software process. Moreover, the method includes determining a context of the detected event and forming a convolution of the detected event based on selected features of the determined context of the detected event. Further, the method includes determining a popularity of the formed convolution by polling a database containing data relating to a frequency of detected events occurring in client devices in a network, where the detected events of the client devices correspond to the detected event in the computing device.
    Type: Application
    Filed: October 5, 2017
    Publication date: December 20, 2018
    Inventors: Alexey V. Monastyrsky, Mikhail A. Pavlyushchik, Alexey M. Romanenko, Maxim Y. Golovkin
  • Patent number: 10095865
    Abstract: Disclosed are a system and method for protecting computers from unauthorized remote administration. One exemplary method includes: intercepting events occurring in the computer system including a first event and a second event associated with data transfer with an application executing in the computer system; determining that the first intercepted event is dependent on the second intercepted event based on parameters of the first intercepted event and the second intercepted event; generating a rule defining a dependency of at least one parameter of the first intercepted event on at least one parameter of the second intercepted event; responsive to determining a degree of similarity of the generated rule and a previously created rule exceeds a threshold value, identifying at least one application as a remote administration application that created the first and second identified intercepted events; and blocking the identified remote administration application from exchanging data with the computer system.
    Type: Grant
    Filed: October 16, 2017
    Date of Patent: October 9, 2018
    Assignee: AO KASPERSKY LAB
    Inventors: Maxim Y. Golovkin, Alexey M. Romanenko, Alexey V. Monastyrsky
  • Publication number: 20180052996
    Abstract: Disclosed are a system and method for protecting computers from unauthorized remote administration. One exemplary method includes: intercepting events occurring in the computer system including a first event and a second event associated with data transfer with an application executing in the computer system; determining that the first intercepted event is dependent on the second intercepted event based on parameters of the first intercepted event and the second intercepted event; generating a rule defining a dependency of at least one parameter of the first intercepted event on at least one parameter of the second intercepted event; responsive to determining a degree of similarity of the generated rule and a previously created rule exceeds a threshold value, identifying at least one application as a remote administration application that created the first and second identified intercepted events; and blocking the identified remote administration application from exchanging data with the computer system.
    Type: Application
    Filed: October 16, 2017
    Publication date: February 22, 2018
    Inventors: Maxim Y. Golovkin, Alexey M. Romanenko, Alexey V. Monastyrsky
  • Publication number: 20170351859
    Abstract: Disclosed are systems and method for detecting a malicious computer system. An exemplary method comprises: collecting, via a processor, characteristics of a computer system; determining relations between collected characteristics of the computer system; determining a time dependency of at least one state of the computer system based on determined relations; determining the at least one state of the computer system based at least on determined time dependency; and analyzing the at least one state of the computer system in connection with selected patterns representing a legal or malicious computer system to determine a degree of harmfulness of the computer system.
    Type: Application
    Filed: July 20, 2016
    Publication date: December 7, 2017
    Inventors: Alexey E. Antonov, Alexey M. Romanenko
  • Patent number: 9838420
    Abstract: Disclosed are system and method for distributing most effective antivirus records to user devices. An exemplary method includes: collecting, by a server, statistics on the use of a plurality of antivirus records deployed on a plurality of user devices; calculating, by the server, a coefficient of effectiveness of each antivirus record based on the collected statistics on the use of the plurality of antivirus records by the plurality of user devices; identifying, by the server, a group of the plurality of antivirus records having the largest coefficients of effectiveness, wherein the group is a number of the plurality of antivirus records not exceeding a threshold value; and transmitting, by the server, the group of antivirus records to at least one of the plurality of user devices for storage in an antivirus database for use by an antivirus application of the at least one user device.
    Type: Grant
    Filed: January 11, 2017
    Date of Patent: December 5, 2017
    Assignee: AO Kaspersky Lab
    Inventors: Sergey V. Prokudin, Alexey M. Romanenko
  • Patent number: 9811661
    Abstract: Disclosed are system and method for protecting computers from unauthorized remote administration. One exemplary method comprises: intercepting events occurred in a computer system; determining parameters of each intercepted event for identifying each intercepted event as being relating to a first data transfer by an application in a computer network or a second data transfer to an application from a peripheral data input device of the computer system; determining two intercepted events as being dependent on each other; determining a rule defining a dependency of the parameters of the two intercepted events; determining a degree of similarity of the rule and a previously created rule; if the degree of similarity exceeding a selected threshold value, identifying at least one application based at least on the rule and the previously created rule; and analyzing the at least one application for detecting a remote administration application.
    Type: Grant
    Filed: December 21, 2016
    Date of Patent: November 7, 2017
    Assignee: AO Kaspersky Lab
    Inventors: Maxim Y. Golovkin, Alexey M. Romanenko, Alexey V. Monastyrsky
  • Publication number: 20170126707
    Abstract: Disclosed are system and method for distributing most effective antivirus records to user devices. An exemplary method includes: collecting, by a server, statistics on the use of a plurality of antivirus records deployed on a plurality of user devices; calculating, by the server, a coefficient of effectiveness of each antivirus record based on the collected statistics on the use of the plurality of antivirus records by the plurality of user devices; identifying, by the server, a group of the plurality of antivirus records having the largest coefficients of effectiveness, wherein the group is a number of the plurality of antivirus records not exceeding a threshold value; and transmitting, by the server, the group of antivirus records to at least one of the plurality of user devices for storage in an antivirus database for use by an antivirus application of the at least one user device.
    Type: Application
    Filed: January 11, 2017
    Publication date: May 4, 2017
    Inventors: Sergey V. Prokudin, Alexey M. Romanenko