Patents by Inventor Candid Wuest

Candid Wuest has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 12375526
    Abstract: Systems and methods for detecting a phishing attack in an email message. The method includes intercepting and evaluating an email, and generating a reputation score based on the evaluation of the email message. If the malicious component is detected, the email is blocked; if not, a trust score is generated. A determination is made whether the email is generated by AI, based on LLM. A certainty score is generated which is indicative of intentions and context of the email message being malicious. When the certainty score is higher than a threshold, a combined score is generated by combining the reputation score, the trust score, and the certainty score. When the combined reputation score is higher than a threshold, the email is blocked, and if lower, a summary is generated by a summary AI engine. Based on a comparison with known malware summaries, the email is flagged or blocked.
    Type: Grant
    Filed: June 30, 2023
    Date of Patent: July 29, 2025
    Assignee: Acronis International GmbH
    Inventors: Candid Wuest, Serg Bell, Stanislav Protasov
  • Publication number: 20250217477
    Abstract: Systems and methods implement artificial intelligence to automatically generate malware detection rules. In a first phase, an AI model is trained on large amounts of data, so the AI model can learn to distinguish between benign applications and different malware families.
    Type: Application
    Filed: December 28, 2023
    Publication date: July 3, 2025
    Inventors: Philipp Gysel, Candid Wuest, Dinil Mon Divakaran, Kenneth Nwafor, Serg Bell, Stanislav Protasov
  • Publication number: 20250200175
    Abstract: Disclosed herein are systems and methods for detecting malicious activity using a tuned machine learning model. In one aspect, a method includes receiving a plurality of logs indicative of software behavior from a plurality of endpoint devices and generating a plurality of event sequences from the plurality of logs. The method includes training a global machine learning model using the plurality of event sequences to predict resultant events for a sequence of lead up events and classify whether the resultant events indicate malicious activity. The method includes, for each respective endpoint device of the plurality of endpoint devices, generating a testing dataset comprising a plurality of benign event sequences that occurred on the respective endpoint device. The method includes generating a tuned machine learning model for the respective endpoint device by retraining the global machine learning model using the testing dataset. The method includes executing the tuned machine learning model.
    Type: Application
    Filed: December 17, 2023
    Publication date: June 19, 2025
    Inventors: Candid Wüest, Philipp Gysel, Dinil Divakaran, Andrey Ustyuzhanin, Kenneth Nwafor, Serg Bell, Stanislav Protasov
  • Publication number: 20250173431
    Abstract: Disclosed herein are systems and methods for detecting malicious activity. A method may receive a plurality of logs indicative of software behavior from an endpoint device and generate, based on the plurality of logs, a provenance graph that represents relationships between different types of data objects on the endpoint device. The method may detect a plurality of trigger actions in the provenance graph and generate, for each respective trigger action of the plurality of trigger actions, a sequence of events that contributed to an occurrence of the respective trigger action. The method may train, using sequences of events generated for the plurality of trigger actions, a foundational language model to predict resultant events for a sequence of lead up events and classify whether the resultant events indicate malicious activity. The method may detect the malicious activity by applying the foundational language model on an input sequence of events.
    Type: Application
    Filed: November 29, 2023
    Publication date: May 29, 2025
    Inventors: Dinil Mon Divakaran, Philipp Gysel, Candid Wüest, Serg Bell, Stanislav Protasov
  • Publication number: 20250141887
    Abstract: Disclosed herein are systems and methods for detecting malicious activity on a web server. A method may include: retrieving a first backup and a second backup of a web server from a backup archive that stores a plurality of backups of the web server, wherein the first backup was generated at a first time and the second backup was generated at a second time; detecting at least one change between the first backup and the second backup; determining whether the at least one change is associated with malicious activity based on a plurality of security rules and a plurality of machine learning models and a severity of the malicious activity; and in response to determining that the severity is greater than a threshold severity, executing a rollback function of the web server to a backup that does not include the malicious activity.
    Type: Application
    Filed: October 25, 2023
    Publication date: May 1, 2025
    Inventors: Dinil Mon Divakaran, Candid Wüest, Serg Bell, Stanislav Protasov
  • Publication number: 20250119452
    Abstract: Disclosed herein are systems and methods for reference-based detection of phishing webpages. In one aspect, a method includes inputting, for a webpage with a first domain, (1) textual data into a machine learning model (MLM) that outputs a first vector with probabilities of the textual data being associated with known brands, (2) HTML data into an MLM that outputs a second vector with probabilities of the HTML data being associated with the known brands, (3) at least one image into an MLM that outputs a third vector with probabilities of the at least one image being associated with the known brands. The model may input the first, second, and third vectors into an MLM that outputs a brand of the webpage. The method may block the webpage in response to determining that the first domain of the webpage does not match at least one domain corresponding to the brand.
    Type: Application
    Filed: October 10, 2023
    Publication date: April 10, 2025
    Inventors: Dinil Mon Divakaran, Candid Wüest, Serg Bell, Stanislav Protasov
  • Patent number: 12271275
    Abstract: Systems and methods for simplified software backup. Generative artificial intelligence (AI) based on a large language model (LLM) is utilized to determine a backup restore operation for a backup request for a target system using metadata tracked during a previous backup of the target system, and execute the backup restore operation to satisfy the backup request.
    Type: Grant
    Filed: June 29, 2023
    Date of Patent: April 8, 2025
    Assignee: Acronis International GmbH
    Inventors: Candid Wuest, Serg Bell, Stanislav Protasov
  • Publication number: 20250106039
    Abstract: Systems and methods for safeguarding the authenticity and integrity of a real-time video feed generated by a webcam. A video frame includes a sequence of frame images and key frames within the sequence. A method includes generating the video feed by the webcam at a first computing device, identifying a key frame [kf] in the video feed, digitally signing the key frame [kf] using a private key of a private key-public key pair, embedding the digitally signed key frame [kf] in the video feed, transmitting the video feed to a second computing device, identifying the next key frame [kf+1] in the video feed, and determining a similarity value of the next key frame [kf+1] and the key frame [kf] to determine whether to digitally sign and embed the digitally signed key frame [kf+1] in the video feed.
    Type: Application
    Filed: September 25, 2023
    Publication date: March 27, 2025
    Inventors: Candid Wuest, Serg Bell, Stanislav Protasov
  • Publication number: 20250094572
    Abstract: Systems and methods for mitigating potential security incidents. A system includes a data ingestion module, a graphical user interface (GUI), a generative AI model, an enrichment module, and a mitigation module. The generative AI model is pretrained on a large language model (LLM) using a dataset of known security incidents and the computer system's infrastructure, and analyses potential security incidents and generates incident overviews, leveraging its understanding of attack frameworks and previous incident data. The enrichment module incorporates user interactions, enhancing the incident overviews with accurate information. The mitigation module proposes mitigation actions based on the generative AI model's insights gained from prior incidents. The system enables natural language interaction through the GUI and provides graphical representations of the incidents.
    Type: Application
    Filed: September 15, 2023
    Publication date: March 20, 2025
    Inventors: Candid Wuest, Serg Bell, Stanislav Protasov
  • Publication number: 20250094585
    Abstract: Systems and methods for detecting malicious activity on an endpoint, the endpoint having executing processes, including tracking behavior of executing processes, generating a provenance graph to group the behavior events, transforming the provenance graph into a sequence of behavior events, training a sequence classification machine learning model based on the sequence of behavior events, processing a sequence of test behavior events using the sequence classification machine learning model to generate a probability of maliciousness, and alerting for malicious activity when the probability of maliciousness for the sequence of test behavior events is greater than a threshold.
    Type: Application
    Filed: September 19, 2023
    Publication date: March 20, 2025
    Inventors: Candid Wuest, Philipp Gysel, Dinil Mon Divakaran, Andrey Ustyuzhanin, Kenneth Nwafor, Serg Bell, Stanislav Protasov
  • Publication number: 20250094325
    Abstract: Systems and methods for generating synthetic test data for testing a software solution. Systems and methods include receiving a testing task from a user, identifying test properties of the testing task, gathering initial information based on the test properties of the testing task, forming a training dataset based on the initial information and the test properties, pretraining a generative AI model based on a large language model (LLM) using the training dataset, configuring synthetic test data based on the test properties, and generating synthetic test data according to the testing task using the generative AI model.
    Type: Application
    Filed: September 19, 2023
    Publication date: March 20, 2025
    Inventors: Candid Wuest, Serg Bell, Stanislav Protasov
  • Patent number: 12242597
    Abstract: The present disclosure relates to a system and method of automatically updating the set of security controls in the production environment using AI based on historical data generated in the test management system (TMS) during the system's testing in the testing environment, including information about its elements, their properties, testing environment, its characteristics, and security controls with their settings. Once the AI has sufficient historical data from a testing environment, every time a change is detected to the system in the production environment, its elements, their properties, or at least one characteristic of the production environment, the AI system makes a recommendation to update the set of security controls in the production environment.
    Type: Grant
    Filed: December 22, 2022
    Date of Patent: March 4, 2025
    Assignee: Acronis International GmbH
    Inventors: Candid Wuest, Igor Milosevic, Serg Bell, Stanislav Protasov
  • Publication number: 20250004886
    Abstract: Systems and methods for simplified software backup. Generative artificial intelligence (AI) based on a large language model (LLM) is utilized to determine a backup restore operation for a backup request for a target system using metadata tracked during a previous backup of the target system, and execute the backup restore operation to satisfy the backup request.
    Type: Application
    Filed: June 29, 2023
    Publication date: January 2, 2025
    Inventors: Candid Wuest, Serg Bell, Stanislav Protasov
  • Publication number: 20250005489
    Abstract: Systems and methods for the protection of information systems utilize business impact analysis (BIA) data to assess the risk of security mitigation operations. A detected security incident is enriched using BIA data. A proposed mitigation action and a risk of implementing the proposed mitigation action are determined using the enriched data so that an administrator user can understand the impact or risk to the business for the proposed mitigation action.
    Type: Application
    Filed: June 29, 2023
    Publication date: January 2, 2025
    Inventors: Candid Wuest, Philipp Gysel, Irina Lukasheva, Serg Bell, Stanislav Protasov
  • Publication number: 20250007950
    Abstract: Systems and methods for detecting a phishing attack in an email message. The method includes intercepting and evaluating an email, and generating a reputation score based on the evaluation of the email message. If the malicious component is detected, the email is blocked; if not, a trust score is generated. A determination is made whether the email is generated by AI, based on LLM. A certainty score is generated which is indicative of intentions and context of the email message being malicious. When the certainty score is higher than a threshold, a combined score is generated by combining the reputation score, the trust score, and the certainty score. When the combined reputation score is higher than a threshold, the email is blocked, and if lower, a summary is generated by a summary AI engine. Based on a comparison with known malware summaries, the email is flagged or blocked.
    Type: Application
    Filed: June 30, 2023
    Publication date: January 2, 2025
    Inventors: Candid Wuest, Serg Bell, Stanislav Protasov
  • Publication number: 20240330477
    Abstract: Systems and methods for verifying a production system automatically by testing a mirror copy of the production system on a testing computer. The system includes a mirror update transporter to deliver a mirror update from the production system to the mirror system, a mounting module to apply the mirror update to the mirror system, a testing computer on which the mirror system is running, a testing module to automatically execute a set of tests on the mirror system, and a communication module to communicate the results of the tests.
    Type: Application
    Filed: March 30, 2023
    Publication date: October 3, 2024
    Inventors: Candid Wuest, Philipp Gysel, Serg Bell, Stanislav Protasov
  • Publication number: 20240330123
    Abstract: Systems and methods for verifying a production system automatically by testing a backup copy of the production system. The system comprises a backup transporter configured to copy or move a set of backup files from the backup generated of the production system and replicate the set of files on a testing computer, a mounting module configured to instantiate a copy of the production system on the testing computer, and a testing module configured to apply a set of automatic pre-defined tests to the application on the testing computer to analyze the application for vulnerabilities and defects, and generate a list of results of execution of each of the pre-defined tests on the testing computer, the list of results indicative of the vulnerabilities and defects.
    Type: Application
    Filed: March 30, 2023
    Publication date: October 3, 2024
    Inventors: Candid Wuest, Philipp Gysel, Serg Bell, Stanislav Protasov
  • Publication number: 20240323208
    Abstract: Disclosed herein are systems and methods for detecting anomalous behavior (e.g., attacks) in devices within a network. In an exemplary aspect, a method includes intercepting a first plurality of packets being transmitted in a network with a plurality of devices; identifying, from the first plurality of packets, a subset of packets corresponding to a device of the network; extracting a plurality of deterministic features from the subset of packets; calculating, based on the subset of packets, a risk score associated with the device based on a deviation of the features from a deterministic profile of the device, a first probability of the subset of packets exhibiting anomalous behavior based on a per-device model, and a second probability of the plurality of packets exhibiting anomalous behavior based on a network model; classifying anomalies into attack categories, and executing a remediation action to resolve anomalous behavior in the device.
    Type: Application
    Filed: March 20, 2023
    Publication date: September 26, 2024
    Inventors: Dinil Mon Divakaran, Philipp Gysel, Candid Wüest, Serg Bell, Stanislav Protasov
  • Patent number: 12086243
    Abstract: Disclosed herein are systems and methods for detecting usage anomalies based on environmental sensor data. A method may include: receiving a physical user input at a computing device located in an environment; determining whether the physical user input was received from an authorized user of the computing device by: retrieving environmental sensor data from at least one sensor located in the environment; identifying a window of time during which the physical user input was received; and verifying a presence of the authorized user at the environment during the window of time based on the environmental sensor data; and in response to determining that the authorized user was not present in the environment during the window of time, detecting a usage anomaly and not executing the physical user input.
    Type: Grant
    Filed: December 1, 2021
    Date of Patent: September 10, 2024
    Assignee: Acronis International GmbH
    Inventors: Nikolay Grebennikov, Candid Wüest, Serguei Beloussov, Stanislav Protasov
  • Publication number: 20240220619
    Abstract: Disclosed herein are systems and methods for selecting files for malware analysis. In one aspect, a method may include identifying, in a cloud network, a backup of a client machine; extracting, from the backup, at least one file of a given file type; determining whether to include the at least one file in a sandbox of the cloud network by performing a static analysis of the at least one file; selecting the at least one file for inclusion in the sandbox based on the static analysis; monitoring, for a period of time, a behavior of the at least one file in the sandbox by performing a dynamic analysis of the at least one file; and in response to determining that the at least one file is malicious based on the dynamic analysis, performing a remediation action on the at least one file.
    Type: Application
    Filed: December 29, 2022
    Publication date: July 4, 2024
    Inventors: Dinil Mon Divakaran, Candid Wüest, Serg Bell, Stanislaw Protasov