Abstract: An endpoint protection system is provided. The system comprises: an endpoint agent deployed to an endpoint device, wherein the endpoint agent is built-into one or more existing applications running on the endpoint device and is configured to capture network session activity between the endpoint device and one or more internet servers to detect a phishing attack using a set of machine learning algorithm trained classifiers, and block the phishing attack; and an endpoint management system in remote communication with the endpoint agent, wherein the endpoint management system is configured to train and develop the set of classifiers, and receive information about the detected phishing attack and an incident report from the endpoint agent, the endpoint agent provides a graphical user interface running on the endpoint device allowing an end user to configure one or more protections provided by the endpoint agent.

Abstract: An Active Intelligence method and system are provided for detecting malicious servers using an automated machine-learning active intelligence manager. The Active Intelligence method and system automatically and covertly extract forensic data and intelligence related to a selected server in real time to determine whether the server is part of a cybercrime infrastructure. An automated machine-learning active intelligence manager is provided that collects or gathers one or more types of forensic intelligence related to the operation of the server under investigation. The active intelligence manager combines the collected one or more types of forensic intelligence, extracts features from the combined forensic intelligence, and classifies the server as malicious or benign based on the extracted features.

Abstract: An Active Vision detection method and system for detecting credential stealing attacks using an automated machine-learning page examination engine is provided that may be used to detect both brand-based and custom credential stealing attacks. The approach employs similarity analysis in a two stage process that may be achieved through supervised or self learning machine learning techniques and is comparable to human analysis. The Active Vision System is capable of self-learning; every new attack detected by the system becomes part of system's long term memory making it incrementally more accurate in future predictions using its past experience.

Abstract: An Active Vision detection method and system for detecting credential stealing attacks using an automated machine-learning page examination engine is provided that may be used to detect both brand-based and custom credential stealing attacks. The approach employs similarity analysis in a two-stage process that may be achieved through supervised or self-learning machine learning techniques and is comparable to human analysis. The Active Vision System is capable of self-learning; every new attack detected by the system becomes part of system's long-term memory making it incrementally more accurate in future predictions using its past experience.

Abstract: An Active Cyber Defense method and system is provided for detecting and stopping malicious cyber activity including for example Drive-By Exploits, Malicious Binaries, Data Exfiltration, Social Engineering and Credential Stealing Attacks. The system disclosed herein can be configured to detect and block multi protocol network-based cyber attacks targeting different platforms or operating systems. The system can also be configured to be scalable. The system as disclosed herein can conduct real time inspection of network traffic and can self-learn and adapt as needed to a changing cyber threat landscape.

Abstract: An Active Intelligence method and system are provided for detecting malicious servers using an automated machine-learning active intelligence manager. The Active Intelligence method and system automatically and covertly extract forensic data and intelligence related to a selected server in real time to determine whether the server is part of a cybercrime infrastructure. An automated machine-learning active intelligence manager is provided that collects or gathers one or more types of forensic intelligence related to the operation of the server under investigation. The active intelligence manager combines the collected one or more types of forensic intelligence, extracts features from the combined forensic intelligence, and classifies the server as malicious or benign based on the extracted features.

Abstract: An Active Vision detection method and system for detecting credential stealing attacks using an automated machine-learning page examination engine is provided that may be used to detect both brand-based and custom credential stealing attacks. The approach employs similarity analysis in a two stage process that may be achieved through supervised or self learning machine learning techniques and is comparable to human analysis. The Active Vision System is capable of self-learning; every new attack detected by the system becomes part of system's long term memory making it incrementally more accurate in future predictions using its past experience.

Abstract: An Active Vision detection method and system for detecting credential stealing attacks using an automated machine-learning page examination engine is provided that may be used to detect both brand-based and custom credential stealing attacks. The approach employs similarity analysis in a two stage process that may be achieved through supervised or self learning machine learning techniques and is comparable to human analysis. The Active Vision System is capable of self-learning; every new attack detected by the system becomes part of system's long term memory making it incrementally more accurate in future predictions using its past experience.

Abstract: A system and method for detecting malicious activity through one or more local analyzers and a central analyzer. The local analyzer captures packets that are part of communications over a network, generates a signature from information obtained from one or more of the captured packets, and determines whether the signature matches any signature of a first plurality of signatures stored in a first storage device that is accessible to the first local analyzer. The central analyzer remotely receives a portion of the information and the signature from the first local analyzer in response to the signature failing to match any of the signatures stored in the first storage device. The central analyzer determines whether the signature matches any global signature stored within a second storage device that is accessible to the central analyzer.

Abstract: Techniques may automatically detect bots or botnets running in a computer or other digital device by detecting command and control communications, called “call-backs,” from malicious code that has previously gained entry into the digital device. Callbacks are detected using a distributed approach employing one or more local analyzers and a central analyzer. The local analyzers capture packets of outbound communications, generate header signatures, and analyze the captured packets using various techniques. The techniques may include packet header signature matching against verified callback signatures, deep packet inspection. The central analyzer receives the header signatures and related header information from the local analyzers, may perform further analysis (for example, on-line host reputation analysis); determines using a heuristics analysis whether the signatures correspond to callbacks; and generally coordinates among the local analyzers.