Abstract: Techniques for machine learning for prioritizing traffic in multi-purpose inline cloud analysis (MICA) to enhance malware detection are disclosed. In some embodiments, a system, a process, and/or a computer program product for machine learning for prioritizing traffic in multi-purpose inline cloud analysis (MICA) to enhance malware detection includes processing a set of data for network security analysis to extract a file; determining that the file is to be offloaded to a cloud security entity for security processing based at least in part on a prefilter model that is implemented as a machine learning model; forwarding the file to the cloud security entity using a multi-purpose inline cloud analysis (MICA) channel; and performing an action in response to receiving a verdict from the cloud security entity.

Abstract: Assessments of guardrails of LLMs, whether used by an application or within an AI/LM stack, must be dynamic to protect against the ongoing engineering of jailbreaking prompts. An assessment framework has been created that facilitates assessment of language model guardrails. The assessment framework includes a prompt generator and has access to sensitive data (e.g., source code, trade secret, confidential documents, etc.) that occurs in training data of a model being assessed. The framework provides the prompt generator jailbreaking strategies and categories of the sensitive data (e.g., program code, trade secret, confidential document.). With the data categories and the strategies, the prompt generator generates different prompts and submits them to the AI-powered application or LM stack being assessed. The assessment framework then analyzes the outputs/responses from the AI-powered application or LM stack to determine whether guardrails have been subverted and any of the sensitive data has been exfiltrated.

Abstract: Techniques for machine learning for prioritizing traffic in multi-purpose inline cloud analysis (MICA) to enhance malware detection are disclosed. In some embodiments, a system, a process, and/or a computer program product for machine learning for prioritizing traffic in multi-purpose inline cloud analysis (MICA) to enhance malware detection includes processing a set of data for network security analysis to extract a file; determining that the file is to be offloaded to a cloud security entity for security processing based at least in part on a prefilter model that is implemented as a machine learning model; forwarding the file to the cloud security entity using a multi-purpose inline cloud analysis (MICA) channel; and performing an action in response to receiving a verdict from the cloud security entity.

Abstract: Techniques for machine learning for prioritizing traffic in multi-purpose inline cloud analysis (MICA) to enhance malware detection are disclosed. In some embodiments, a system, a process, and/or a computer program product for machine learning for prioritizing traffic in multi-purpose inline cloud analysis (MICA) to enhance malware detection includes processing a set of data for network security analysis to extract a file; determining that the file is to be offloaded to a cloud security entity for security processing based at least in part on a prefilter model that is implemented as a machine learning model; forwarding the file to the cloud security entity using a multi-purpose inline cloud analysis (MICA) channel; and performing an action in response to receiving a verdict from the cloud security entity.

Abstract: A method for detecting a cyber-attack by performing a first analysis on content within a first portion of a communication to determine whether the content includes a first high quality indicator. The first high quality indicator identifies a correlation of the content with a malicious activity. Subsequent to the first analysis, performing a second analysis on a second portion of the communication to determine one or more supplemental indicators. Thereafter, the communication is classified as part of a cyber-attack when (i) a value associated with the first high quality indicator exceeds a first threshold without consideration of the one or more supplemental indicators, or (ii) upon failing to exceed the first threshold and being greater than a second threshold, using the values representing the one or more supplemental indicators with the first value to classify the communication as being part of the cyber-attack.

Abstract: A system and method for detecting malicious activity through one or more local analyzers and a central analyzer. The local analyzer captures packets that are part of communications over a network, generates a signature from information obtained from one or more of the captured packets, and determines whether the signature matches any signature of a first plurality of signatures stored in a first storage device that is accessible to the first local analyzer. The central analyzer remotely receives a portion of the information and the signature from the first local analyzer in response to the signature failing to match any of the signatures stored in the first storage device. The central analyzer determines whether the signature matches any global signature stored within a second storage device that is accessible to the central analyzer.

Abstract: One embodiment of a method for detecting a cyber-attack features first and second analyzes. The first analysis is conducted on content of a communication to determine at least a first high quality indicator. The first high quality indicator represents a first probative value for classification. The second analysis is conducted on metadata related to the content to determine supplemental indicator(s). Each of the supplemental indicator(s) is represented by a probative value for classification. The communication is classified as being part of the cyber-attack when the first probative value exceeds a predetermined threshold without consideration of the corresponding probative values for the supplemental indicator(s).

Abstract: Techniques may automatically detect bots or botnets running in a computer or other digital device by detecting command and control communications, called “call-backs,” from malicious code that has previously gained entry into the digital device. Callbacks are detected using an approach employing both a set of high quality indicators and a set of supplemental indicators. The high quality indicators are selected since they provide a strong correlation with callbacks, and may be sufficient for the techniques to determine that the network outbound communications actually constitute callbacks. If not, the supplemental indicators may be used in conjunction with the high quality indicators to declare the outbound communications as callbacks.

Abstract: A decryption scheme for recover of a decrypted object without a cryptographic key is described. First, logical operation(s) are conducted on data associated with a first data string expected at a first location within an object having the predetermined format and data within the encrypted object at the first location to recover data associated with a portion of a cryptographic key from the encrypted object. Thereafter, logical operation(s) are conducted on that data and a first portion of the encrypted object at a second location to produce a result. Responsive to the result including data associated with the plaintext version of the second data string, logical operation(s) are conducted on a second portion of the encrypted object and the data associated with the plaintext version of the second data string to recover data associated with the cryptographic key. Thereafter, the encrypted object may be decrypted using the cryptographic key.

Abstract: Techniques may automatically detect bots or botnets running in a computer or other digital device by detecting command and control communications, called “call-backs,” from malicious code that has previously gained entry into the digital device. Callbacks are detected using a distributed approach employing one or more local analyzers and a central analyzer. The local analyzers capture packets of outbound communications, generate header signatures, and analyze the captured packets using various techniques. The techniques may include packet header signature matching against verified callback signatures, deep packet inspection. The central analyzer receives the header signatures and related header information from the local analyzers, may perform further analysis (for example, on-line host reputation analysis); determines using a heuristics analysis whether the signatures correspond to callbacks; and generally coordinates among the local analyzers.

Abstract: Methods and apparatus to estimate ventricular volumes are disclosed. An example computer-implemented method includes preparing a sample set using a prior probability model for a left ventricle and a right ventricle and using a likelihood function to assign a weight to each sample within the sample set. The example method also includes, based on the weighted sample set, determining an area of the right ventricle and the left ventricle.

Abstract: According to one embodiment, a computerized method comprises receiving an encrypted object and conducting a first static scanning operation on the encrypted object to decrypt the encrypted object in real-time. Thereafter, a second static scanning operation is conducted on the decrypted object to determine whether the decrypted object is suspected of including malware. Based on the results of the second static scanning operation, the decrypted object may be classified to identify a suspected presence of malware.

Abstract: Methods and apparatus to estimate ventricular volumes are disclosed. An example computer-implemented method includes preparing a sample set using a prior probability model for a left ventricle and a right ventricle and using a likelihood function to assign a weight to each sample within the sample set. The example method also includes, based on the weighted sample set, determining an area of the right ventricle and the left ventricle.

Abstract: Example methods, apparatus and articles of manufacture to process cardiac images to detect heart motion abnormalities are disclosed. A disclosed example method includes using a filter coefficient based on a plurality of cardiac images to characterize motion of a heart; computing an information-theoretic metric from the filter coefficient; and comparing the information-theoretic metric to a threshold to determine whether the motion of the heart is abnormal.

Abstract: Example methods, apparatus and articles of manufacture to track endocardial motion are disclosed. A disclosed example method includes segmenting a plurality of cardiac images of a left ventricle to form respective ones of a plurality of segmented images, updating a plurality of models based on the plurality of segmented images to form respective ones of a plurality of motion estimates for the left ventricle, computing a plurality of probabilities for respective ones of the plurality of models, and computing a weighted sum of the plurality of motion estimates based on the plurality of probabilities, the weighted sum representing a predicted motion of the left ventricle.

Abstract: Example methods, apparatus and articles of manufacture to process cardiac images to detect heart motion abnormalities are disclosed. A disclosed example method includes using a filter coefficient based on a plurality of cardiac images to characterize motion of a heart; computing an information-theoretic metric from the filter coefficient; and comparing the information-theoretic metric to a threshold to determine whether the motion of the heart is abnormal.

Abstract: Example methods, apparatus and articles of manufacture to process cardiac images to detect heart motion abnormalities are disclosed. A disclosed example method includes adapting a state of a state-space model based on a plurality of cardiac images to characterize motion of a heart, computing an information-theoretic metric from the state of the state-space model, and comparing the information-theoretic metric to a threshold to determine whether the motion of the heart is abnormal.

Abstract: Example methods, apparatus and articles of manufacture to track endocardial motion are disclosed. A disclosed example method includes segmenting a plurality of cardiac images of a left ventricle to form respective ones of a plurality of segmented images, updating a plurality of models based on the plurality of segmented images to form respective ones of a plurality of motion estimates for the left ventricle, computing a plurality of probabilities for respective ones of the plurality of models, and computing a weighted sum of the plurality of motion estimates based on the plurality of probabilities, the weighted sum representing a predicted motion of the left ventricle.

Abstract: Example methods, apparatus and articles of manufacture to process cardiac images to detect heart motion abnormalities are disclosed. A disclosed example method includes adapting a state of a state-space model based on a plurality of cardiac images to characterize motion of a heart, computing an information-theoretic metric from the state of the state-space model, and comparing the information-theoretic metric to a threshold to determine whether the motion of the heart is abnormal.