Patents by Inventor Ci-Hao Wu
Ci-Hao Wu has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 12147537
Abstract: A malware family identification engine constructs a graph data structure of direct relationships between malware instances and malware families, direct relationships between malware instances and detected tags, and indirect relationships between detected tags and malware families. The engine builds a dictionary data structure comprising detected tag entries linking each detected tag to one or more malware family nodes based on the graph data structure. The engine identifies significant indirect entities (SIEs) within the detected tag entries of the dictionary data structure and selects a SIE with a highest number of out-going links (OGLs) as a root node in a family tree data structure, recursively connects SIEs with a number of OGLs less than the highest number of OGLs to the root node in the family tree data structure, and converts each SIE name in the family tree data structure to a chained family entity name in the family tree data structure.
Type: Grant
Filed: December 12, 2023
Date of Patent: November 19, 2024
Assignee: Business Machines Corporation
Inventors: Yu-Siang Chen, Ci-Hao Wu, Ying-Chen Yu, Pao-Chuan Liao, June-Ray Lin
-
Publication number: 20240176880
Abstract: A malware family identification engine constructs a graph data structure of direct relationships between malware instances and malware families, direct relationships between malware instances and detected tags, and indirect relationships between detected tags and malware families. The engine builds a dictionary data structure comprising detected tag entries linking each detected tag to one or more malware family nodes based on the graph data structure. The engine identifies significant indirect entities (SIEs) within the detected tag entries of the dictionary data structure and selects a SIE with a highest number of out-going links (OGLs) as a root node in a family tree data structure, recursively connects SIEs with a number of OGLs less than the highest number of OGLs to the root node in the family tree data structure, and converts each SIE name in the family tree data structure to a chained family entity name in the family tree data structure.
Type: Application
Filed: December 12, 2023
Publication date: May 30, 2024
Inventors: Yu-Siang Chen, Ci-Hao Wu, Ying-Chen Yu, Pao-Chuan Liao, June-Ray Lin
-
Patent number: 11899791
Abstract: A malware family identification engine constructs a graph data structure of direct relationships between malware instances and malware families, direct relationships between malware instances and detected tags, and indirect relationships between detected tags and malware families. The engine builds a dictionary data structure comprising detected tag entries linking each detected tag to one or more malware family nodes based on the graph data structure. The engine identifies significant indirect entities (SIEs) within the detected tag entries of the dictionary data structure and selects a SIE with a highest number of out-going links (OGLs) as a root node in a family tree data structure, recursively connects SIEs with a number of OGLs less than the highest number of OGLs to the root node in the family tree data structure, and converts each SIE name in the family tree data structure to a chained family entity name in the family tree data structure.
Type: Grant
Filed: September 29, 2021
Date of Patent: February 13, 2024
Assignee: International Business Machines Corporation
Inventors: Yu-Siang Chen, Ci-Hao Wu, Ying-Chen Yu, Pao-Chuan Liao, June-Ray Lin
-
Patent number: 11790082
Abstract: An approach to workflow management in response to a detected security incident in a computer system. The approach may include an inference driven response based on prior artifacts. The inference driven response may predict the condition of the system and the outcomes of actions in response to the security incident. The predictions made by the inference drive response may be based on a machine learning model. The inference driven response may pause or prevent scheduled actions of the system based on the predictions. The inference driven response may continue to monitor the system and dynamically update its predictions for the condition of the system. In response to the updated predictions, the inference driven response may cancel or execute the previously scheduled actions of the system.
Type: Grant
Filed: May 25, 2021
Date of Patent: October 17, 2023
Assignee: International Business Machines Corporation
Inventors: Ying-Chen Yu, June-Ray Lin, Ci-Hao Wu, Pao-Chuan Liao
-
Patent number: 11663402
Abstract: An approach for a fast and accurate word embedding model, “desc2vec,” for out-of-dictionary (OOD) words with a model learning from the dictionary descriptions of the word is disclosed. The approach includes determining that a target text element is not in a set of reference text elements, information describing the target text element is obtained. The information comprises a set of descriptive text elements. A set of vectorized representations for the set of descriptive text elements is determined. A target vectorized representation for the target text element is determined based on the set of vectorized representations using a machine learning model. The machine learning model is trained to represent a predetermined association between the set of vectorized representations for the set of descriptive text elements describing the target text element and the target vectorized representation.
Type: Grant
Filed: July 21, 2020
Date of Patent: May 30, 2023
Assignee: International Business Machines Corporation
Inventors: Chao-Min Chang, Kuei-Ching Lee, Ci-Hao Wu, Chia-Heng Lin
-
Publication number: 20230100947
Abstract: A malware family identification engine constructs a graph data structure of direct relationships between malware instances and malware families, direct relationships between malware instances and detected tags, and indirect relationships between detected tags and malware families. The engine builds a dictionary data structure comprising detected tag entries linking each detected tag to one or more malware family nodes based on the graph data structure. The engine identifies significant indirect entities (SIEs) within the detected tag entries of the dictionary data structure and selects a SIE with a highest number of out-going links (OGLs) as a root node in a family tree data structure, recursively connects SIEs with a number of OGLs less than the highest number of OGLs to the root node in the family tree data structure, and converts each SIE name in the family tree data structure to a chained family entity name in the family tree data structure.
Type: Application
Filed: September 29, 2021
Publication date: March 30, 2023
Inventors: Yu-Siang Chen, Ci-Hao Wu, Ying-Chen Yu, Pao-Chuan Liao, June-Ray Lin
-
Publication number: 20230012202
Abstract: Graph computing over micro and macro views includes expanding, with a processor at run-time, a set of nodes to include a node generated in response to received data corresponding to an event query. A first inference of an inference ensemble is determined by traversing a base graph whose nodes are associated with a discriminant power that exceeds a predetermined entity threshold. A second inference of the inference ensemble is determined by traversing a micro-view graph whose nodes are selected based on a number of references that exceeds a predetermined reference threshold. A third inference of the inference ensemble is determined by traversing a macro-view graph having one or more committee nodes and computing for each committee node a macro-node vote and generating a response to the event query based on the inference ensemble.
Type: Application
Filed: July 6, 2021
Publication date: January 12, 2023
Inventors: Ci-Hao Wu, June-Ray Lin, Cheng-Ta Lee
-
Publication number: 20220382859
Abstract: An approach to workflow management in response to a detected security incident in a computer system. The approach may include an inference driven response based on prior artifacts. The inference driven response may predict the condition of the system and the outcomes of actions in response to the security incident. The predictions made by the inference drive response may be based on a machine learning model. The inference driven response may pause or prevent scheduled actions of the system based on the predictions. The inference driven response may continue to monitor the system and dynamically update its predictions for the condition of the system. In response to the updated predictions, the inference driven response may cancel or execute the previously scheduled actions of the system.
Type: Application
Filed: May 25, 2021
Publication date: December 1, 2022
Inventors: Ying-Chen Yu, June-Ray Lin, Ci-Hao Wu, Pao-Chuan Liao
-
Publication number: 20220027557
Abstract: An approach for a fast and accurate word embedding model, “desc2vec,” for out-of-dictionary (OOD) words with a model learning from the dictionary descriptions of the word is disclosed. The approach includes determining that a target text element is not in a set of reference text elements, information describing the target text element is obtained. The information comprises a set of descriptive text elements. A set of vectorized representations for the set of descriptive text elements is determined. A target vectorized representation for the target text element is determined based on the set of vectorized representations using a machine learning model. The machine learning model is trained to represent a predetermined association between the set of vectorized representations for the set of descriptive text elements describing the target text element and the target vectorized representation.
Type: Application
Filed: July 21, 2020
Publication date: January 27, 2022
Inventors: Chao-Min Chang, Kuei-Ching Lee, Ci-Hao Wu, Chia-Heng Lin
-
Patent number: 11017083
Abstract: Provided are systems, methods, and media for multiphase graph partitioning for malware entity detection. An example method includes receiving an input string associated with the malware entity. A determination is made as to whether the input string includes a symbolic word, a non-symbolic word, a symbolic phrase, or a non-symbolic phrase. A branching graph is formed based on a combination of the input string and a plurality of stored strings that are each associated with the malware entity to determine whether the input string is a valid detection name of the malware entity, in which the branching graph is formed by at least performing a first graph partitioning stage and a second graph partitioning stage. The input string is then labeled based on the formed branching graph and then outputted to a malware detection engine.
Type: Grant
Filed: October 17, 2018
Date of Patent: May 25, 2021
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Ci-Hao Wu, Ying-Chen Yu, June-Ray Lin, Hsieh-Lung Yang, Chen-Yu Huang, Chia-Heng Lin, Kuei-Ching Lee
-
Patent number: 10922366
Abstract: A method, computer system, and a computer program product for crawling and extracting main content from a web page is provided. The present invention may include retrieving a HTML document associated with a web page. The present invention may then include identifying at least one entry point located in the retrieved HTML document by utilizing a self-adaptive entry point locator. The present invention may also include extracting a main content article associated with the retrieved HTML document based on the identified at least one entry point. The present invention may further include presenting the extracted main content associated with the retrieved HTML document to the user.
Type: Grant
Filed: March 27, 2018
Date of Patent: February 16, 2021
Assignee: International Business Machines Corporation
Inventors: Chen-Yu Huang, Sheng-Wei Lee, June-Ray Lin, Ci-Hao Wu, Hsieh-Lung Yang, Ying-Chen Yu
-
Patent number: 10762155
Abstract: A method, computer program product, and computing system device for receiving, on a computing device, a plurality of webpages. At least one webpage may be filtered from the plurality of webpages into at least one set of webpages using a decision tree algorithm. At least one remaining webpage may be filtered from the plurality of webpages into the at least one set of webpages using a supported vector machine (SVM) algorithm.
Type: Grant
Filed: October 23, 2018
Date of Patent: September 1, 2020
Assignee: International Business Machines Corporation
Inventors: June-Ray Lin, Curtis CH Wei, Hsieh-Lung Yang, Ying-Chen Yu, Chia-Heng Lin, Ci-Hao Wu, Chen-Yu Huang, Kuei-Ching Lee
-
Publication number: 20200125727
Abstract: Provided are systems, methods, and media for multiphase graph partitioning for malware entity detection. An example method includes receiving an input string associated with the malware entity. A determination is made as to whether the input string includes a symbolic word, a non-symbolic word, a symbolic phrase, or a non-symbolic phrase. A branching graph is formed based on a combination of the input string and a plurality of stored strings that are each associated with the malware entity to determine whether the input string is a valid detection name of the malware entity, in which the branching graph is formed by at least performing a first graph partitioning stage and a second graph partitioning stage. The input string is then labeled based on the formed branching graph and then outputted to a malware detection engine.
Type: Application
Filed: October 17, 2018
Publication date: April 23, 2020
Inventors: Ci-Hao Wu, Ying-Chen Yu, June-Ray Lin, Hsieh-Lung Yang, Chen-Yu Huang, Chia-Heng Lin, Kuei-Ching Lee
-
Publication number: 20200125681
Abstract: A method, computer program product, and computing system device for receiving, on a computing device, a plurality of webpages. At least one webpage may be filtered from the plurality of webpages into at least one set of webpages using a decision tree algorithm. At least one remaining webpage may be filtered from the plurality of webpages into the at least one set of webpages using a supported vector machine (SVM) algorithm.
Type: Application
Filed: October 23, 2018
Publication date: April 23, 2020
Inventors: June-Ray Lin, Curtis CH Wei, Hsieh-Lung Yang, Ying-Chen Yu, Chia-Heng Lin, Ci-Hao Wu, Chen-Yu Huang, Kuei-Ching Lee
-
Publication number: 20190303501
Abstract: A method, computer system, and a computer program product for crawling and extracting main content from a web page is provided. The present invention may include retrieving a HTML document associated with a web page. The present invention may then include identifying at least one entry point located in the retrieved HTML document by utilizing a self-adaptive entry point locator. The present invention may also include extracting a main content article associated with the retrieved HTML document based on the identified at least one entry point. The present invention may further include presenting the extracted main content associated with the retrieved HTML document to the user.
Type: Application
Filed: March 27, 2018
Publication date: October 3, 2019
Inventors: Chen-Yu Huang, Sheng-Wei Lee, June-Ray Lin, Ci-Hao Wu, Hsieh-Lung Yang, Ying-Chen Yu