Abstract: A device may receive an instruction to classify software. The device may identify a group of one or more user interfaces associated with the software based on receiving the instruction to classify the software. The device may determine a group of one or more user interface signatures associated with the group of one or more user interfaces. A user interface signature may include information, associated with a user interface in the group of one or more user interfaces, that may be used to classify the software. The device may generate information that identifies a classification of the software based on the group of one or more user interface signatures and based on known signature information. The known signature information may include information that corresponds to a correct software classification. The device may output the information that identifies the classification of the software.

Abstract: A device may identify a plurality of files for a multi-file malware analysis. The device may execute the plurality of files in a malware testing environment. The device may monitor the malware testing environment for behavior indicative of malware. The device may detect the behavior indicative of malware. The device may perform a first multi-file malware analysis or a second multi-file malware analysis based on detecting the behavior indicative of malware. The first multi-file malware analysis may include a partitioning technique that partitions the plurality of files into two or more segments of files to identify a file, included in the plurality of files, that includes malware. The second multi-file malware analysis may include a scoring technique that modifies a plurality of malware scores, corresponding to the plurality of files, to identify the file, included in the plurality of files, that includes malware.

Abstract: A device may receive an instruction to automatically install a program using a click area prediction model. The click area prediction model may be associated with predicting a click area of a user interface that, when selected, causes a program installation procedure to proceed. The device may identify an installation user interface associated with installing the program. The device may determine a group of regions included in the installation user interface. The device may identify sets of features associated with the group of regions. The device may determine, based on the sets of features and the click area prediction model, a group of scores associated with the group of regions. The device may identify a particular region as a predicted click area based on the group of scores. The device may select the predicted click area to attempt to cause the program installation procedure to proceed.

Abstract: A security platform may determine, during receipt of a file, metadata associated with the file. The file may be intended for a client device. The security platform may compute, based on the metadata and during the receipt of the file, a hash associated with the file. The security platform may identify, during the receipt of the file, a stored hash that matches the hash associated with the file. The security platform may determine a security classification of the file based on information associated with a security classification corresponding to the stored hash. The security classification of the file may be determined before the receipt of the file is complete. The security platform may selectively permit, based on the security classification of the file, the client device to complete a receipt of the file.

Abstract: A security platform may determine mapped attribute information associated with a plurality of host identifiers. The mapped attribute information may include information that identifies a set of related attributes. The security platform may determine, based on the mapped attribute information, that a host device is associated with at least two host identifiers of the plurality of host identifiers. The security platform may aggregate, based on the at two least host identifiers, threat information as aggregated threat information associated with the host device. The security platform may classify the host device as an infected device or a suspicious device based on the aggregated threat information.

Abstract: A device may determine that a file of a client device is a malicious file. The device may obtain remote access to the client device using a connection tool. The connection tool may provide access and control of the client device. The remote access may include access to a file location of the malicious file. The device may determine file information associated with the malicious file using the remote access to the client device. The device may select one or more remediation actions based on the file information. The device may cause the one or more remediation actions to be executed using the remote access to the client device.

Abstract: A device may receive an instruction to classify software. The device may identify a group of one or more user interfaces associated with the software based on receiving the instruction to classify the software. The device may determine a group of one or more user interface signatures associated with the group of one or more user interfaces. A user interface signature may include information, associated with a user interface in the group of one or more user interfaces, that may be used to classify the software. The device may generate information that identifies a classification of the software based on the group of one or more user interface signatures and based on known signature information. The known signature information may include information that corresponds to a correct software classification. The device may output the information that identifies the classification of the software.

Abstract: A device may identify a set of features associated with the unknown object. The device may determine, based on inputting the set of features into a threat prediction model associated with a set of security functions, a set of predicted threat scores. The device may determine, based on the set of predicted threat scores, a set of predicted utility values. The device may determine a set of costs corresponding to the set of security functions. The device may determine a set of predicted efficiencies, associated with the set of security functions, based on the set of predicted utility values and the set of costs. The device may identify, based on the set of predicted efficiencies, a particular security function, and may cause the particular security function to be executed on the unknown object. The device may determine whether another security function is to be executed on the unknown object.

Abstract: A device may receive an instruction to classify software. The device may identify a group of one or more user interfaces associated with the software based on receiving the instruction to classify the software. The device may determine a group of one or more user interface signatures associated with the group of one or more user interfaces. A user interface signature may include information, associated with a user interface in the group of one or more user interfaces, that may be used to classify the software. The device may generate information that identifies a classification of the software based on the group of one or more user interface signatures and based on known signature information. The known signature information may include information that corresponds to a correct software classification. The device may output the information that identifies the classification of the software.

Abstract: A security device may receive an object destined for a user device. The object may be of an object type that does not describe a web page. The security device may determine that the user device is to be warned regarding the object. The security device may determine a warning object based on determining that the user device is to be warned. The warning object may include information associated with a reason for determining that the user device is to be warned regarding the object, and may include information that allows the user device to receive the object. The security device may provide the warning object. The security device may receive, after providing the warning object, an indication associated with the user device obtaining the object. The security device may allow the user device to obtain the object based on receiving the indication.

Abstract: A device may receive a trigger to determine whether a malicious file is operating on a client device. The device may determine a network activity profile associated with the malicious file based on receiving the trigger to determine whether the malicious file is operating on the client device. The network activity profile may include information regarding network activity associated with the malicious file when the malicious file is executed in a testing environment. The device may monitor network activity associated with the client device. The device may determine that the network activity associated with the client device matches the network activity profile associated with the malicious file based on monitoring the network activity associated with the client device. The device may provide information indicating that the network activity associated with the client device matches the network activity profile associated with the malicious file.

Abstract: A system may determine to perform an internal and an external malware detection operation to detect a malware infection associated with a client device. The system may perform the internal operation by modifying an environment, executing on a particular device, to form a modified environment. The system may perform the external operation by performing a communication from the particular device. The system may monitor the modified environment for a first behavior indicative of the malware infection, and may monitor a result of performing the communication for a second behavior indicative of the malware infection. The system may detect that the first or second behavior has occurred. The system may provide a notification that the client device is infected with malware based on detecting that the first or second behavior has occurred. The notification may cause one or more network devices to block network traffic to or from the client device.

Abstract: A device may receive a file to be analyzed in a sandbox environment, and may determine configuration information for configuring the sandbox environment. The configuration information may be determined based on at least one of: file information associated with the file to be analyzed, or client device information associated with a client device for which the file is intended. The device may configure the sandbox environment using the configuration information. The configuration information may identify a system configuration for the sandbox environment. The device may analyze the file in the sandbox environment based on configuring the sandbox environment using the configuration information.

Abstract: A security device may receive actual behavior information associated with an object. The actual behavior information may identify a first set of behaviors associated with executing the object in a live environment. The security device may determine test behavior information associated with the object. The test behavior information may identify a second set of behaviors associated with testing the object in a test environment. The security device may compare the first set of behaviors and the second set of behaviors to determine a difference between the first set of behaviors and the second set of behaviors. The security device may identify whether the object is an evasive malicious object based on the difference between the first set of behaviors and the second set of behaviors. The security device may provide an indication of whether the object is an evasive malicious object.

Abstract: A device may identify exfiltration information to be used to detect data exfiltration. The exfiltration information may be associated with a file being tested to determine whether the file exfiltrates data. The exfiltration information may include a resource identifier that identifies a resource to be used to detect the data exfiltration. The device may determine that the resource, to be used to detect the data exfiltration, has been accessed. The device may identify, based on determining that the resource has been accessed, the file associated with the exfiltration information. The device may perform an action, associated with the file, to counteract the data exfiltration based on determining that the resource has been accessed and based on identifying the file.

Abstract: A security platform may determine, during receipt of a file, metadata associated with the file. The file may be intended for a client device. The security platform may compute, based on the metadata and during the receipt of the file, a hash associated with the file. The security platform may identify, during the receipt of the file, a stored hash that matches the hash associated with the file. The security platform may determine a security classification of the file based on information associated with a security classification corresponding to the stored hash. The security classification of the file may be determined before the receipt of the file is complete. The security platform may selectively permit, based on the security classification of the file, the client device to complete a receipt of the file.

Abstract: A device may receive or generate a message for routing to a destination on a communication channel. The communication channel may have been established between a source and the destination. The device may perform a first determination of policy information related to at least one of the message, the destination, or the source of the message. The policy information may describe an action for a network device to perform. The device may associate a policy token with the message. The policy token may describe or identify the policy information. The device may provide the message with the associated policy token to the network device on the communication channel to cause the network device to perform a second determination of the policy information based on the policy token, to perform the action described by the policy information, and to provide the message on the communication channel.

Abstract: A device may receive an object. The device may determine object information for the object. The device may cause an internet search, based on the object information, to be performed to determine Internet search results. The object information may be provided as one or more Internet search queries for the Internet search. The device may receive the Internet search results based on causing the Internet search to be performed. The Internet search results may be related to the object information. The device may analyze the Internet search results to determine Internet-based object information. The device may store or provide the Internet-based object information to permit a determination as to whether the object is malicious.

Abstract: A security platform may determine mapped attribute information associated with a plurality of host identifiers. The mapped attribute information may include information that identifies a set of related attributes. The security platform may determine, based on the mapped attribute information, that a host device is associated with at least two host identifiers of the plurality of host identifiers. The security platform may aggregate, based on the at two least host identifiers, threat information as aggregated threat information associated with the host device. The security platform may classify the host device as an infected device or a suspicious device based on the aggregated threat information.

Abstract: A device may identify exfiltration information to be used to detect data exfiltration. The exfiltration information may be associated with a file being tested to determine whether the file exfiltrates data. The exfiltration information may include a resource identifier that identifies a resource to be used to detect the data exfiltration. The device may determine that the resource, to be used to detect the data exfiltration, has been accessed. The device may identify, based on determining that the resource has been accessed, the file associated with the exfiltration information. The device may perform an action, associated with the file, to counteract the data exfiltration based on determining that the resource has been accessed and based on identifying the file.