Abstract: A network device comprises one or more processors coupled to a memory, and a dynamic services module configured for execution by the one or more processors to receive, from a client device, a service request specifying a service. The dynamic service module is further configured for execution by the one or more processors to, in response to obtaining a negative indication for the service, send a representation of the service request to a honeypot to cause the honeypot to offer the service to the client device.

Abstract: A device may receive an instruction to classify software. The device may identify a group of one or more user interfaces associated with the software based on receiving the instruction to classify the software. The device may determine a group of one or more user interface signatures associated with the group of one or more user interfaces. A user interface signature may include information, associated with a user interface in the group of one or more user interfaces, that may be used to classify the software. The device may generate information that identifies a classification of the software based on the group of one or more user interface signatures and based on known signature information. The known signature information may include information that corresponds to a correct software classification. The device may output the information that identifies the classification of the software.

Abstract: A device may receive an instruction to automatically install a program using a click area prediction model. The click area prediction model may be associated with predicting a click area of a user interface that, when selected, causes a program installation procedure to proceed. The device may identify an installation user interface associated with installing the program. The device may determine a group of regions included in the installation user interface. The device may identify sets of features associated with the group of regions. The device may determine, based on the sets of features and the click area prediction model, a group of scores associated with the group of regions. The device may identify a particular region as a predicted click area based on the group of scores. The device may select the predicted click area to attempt to cause the program installation procedure to proceed.

Abstract: A device may receive a file to be analyzed in a sandbox environment, and may determine configuration information for configuring the sandbox environment. The configuration information may be determined based on at least one of: file information associated with the file to be analyzed, or client device information associated with a client device for which the file is intended. The device may configure the sandbox environment using the configuration information. The configuration information may identify a system configuration for the sandbox environment. The device may analyze the file in the sandbox environment based on configuring the sandbox environment using the configuration information.

Abstract: A security device may receive actual behavior information associated with an object. The actual behavior information may identify a first set of behaviors associated with executing the object in a live environment. The security device may determine test behavior information associated with the object. The test behavior information may identify a second set of behaviors associated with testing the object in a test environment. The security device may compare the first set of behaviors and the second set of behaviors to determine a difference between the first set of behaviors and the second set of behaviors. The security device may identify whether the object is an evasive malicious object based on the difference between the first set of behaviors and the second set of behaviors. The security device may an indication of whether the object is an evasive malicious object.

Abstract: This disclosure describes techniques for proactively identifying possible attackers based on a profile of a device. For example, a device includes one or more processors and network interface cards to receive, from a remote device, network traffic directed to one or more computing devices protected by the device, determine, based on content of the network traffic, a first set of data points for the device, send a response to the remote device to ascertain a second set of data points for the device, and receive, from the remote device, at least a portion of the second set of data points. The device also includes a security module operable by the processors to determine a maliciousness rating, and selectively manage, based on the maliciousness rating, additional network traffic directed to the one or more computing devices protected by the security device and received from the remote device.

Abstract: A network device comprises one or more processors coupled to a memory, and a dynamic services module configured for execution by the one or more processors to receive, from a client device, a service request specifying a service. The dynamic service module is further configured for execution by the one or more processors to, in response to obtaining a negative indication for the service, send a representation of the service request to a honeypot to cause the honeypot to offer the service to the client device.

Abstract: A device may detect an attack. The device may receive, from a client device, a request for a resource. The device may determine, based on detecting the attack, a computationally expensive problem to be provided to the client device, where the computationally expensive problem requires a computation by the client device to solve the computationally expensive problem. The device may instruct the client device to provide a solution to the computationally expensive problem. The device may receive, from the client device, the solution to the computationally expensive problem. The device may selectively provide the client device with access to the resource based on the solution.

Abstract: A device may receive an instruction to automatically install a program using a click area prediction model. The click area prediction model may be associated with predicting a click area of a user interface that, when selected, causes a program installation procedure to proceed. The device may identify an installation user interface associated with installing the program. The device may determine a group of regions included in the installation user interface. The device may identify sets of features associated with the group of regions. The device may determine, based on the sets of features and the click area prediction model, a group of scores associated with the group of regions. The device may identify a particular region as a predicted click area based on the group of scores. The device may select the predicted click area to attempt to cause the program installation procedure to proceed.

Abstract: A device may receive a file to be analyzed in a sandbox environment, and may determine configuration information for configuring the sandbox environment. The configuration information may be determined based on at least one of: file information associated with the file to be analyzed, or client device information associated with a client device for which the file is intended. The device may configure the sandbox environment using the configuration information. The configuration information may identify a system configuration for the sandbox environment. The device may analyze the file in the sandbox environment based on configuring the sandbox environment using the configuration information.

Abstract: A device may identify a set of features associated with the unknown object. The device may determine, based on inputting the set of features into a threat prediction model associated with a set of security functions, a set of predicted threat scores. The device may determine, based on the set of predicted threat scores, a set of predicted utility values. The device may determine a set of costs corresponding to the set of security functions. The device may determine a set of predicted efficiencies, associated with the set of security functions, based on the set of predicted utility values and the set of costs. The device may identify, based on the set of predicted efficiencies, a particular security function, and may cause the particular security function to be executed on the unknown object. The device may determine whether another security function is to be executed on the unknown object.

Abstract: A device may receive an object. The device may determine object information for the object. The device may cause an internet search, based on the object information, to be performed to determine Internet search results. The object information may be provided as one or more Internet search queries for the Internet search. The device may receive the Internet search results based on causing the Internet search to be performed. The Internet search results may be related to the object information. The device may analyze the Internet search results to determine Internet-based object information. The device may store or provide the Internet-based object information to permit a determination as to whether the object is malicious.

Abstract: A device may detect or emulate a sequence of keystrokes to be used to detect a keystroke logger application. The device may determine a sequence of characters associated with the sequence of keystrokes. The sequence of characters may correspond to the sequence of keystrokes or a portion of the sequence of keystrokes. The device may search a memory for the sequence of characters. The device may determine that the sequence of characters is stored in the memory based on searching the memory for the sequence of characters. The device may perform an action to counteract the keystroke logger application based on determining that the sequence of characters is stored in the memory.

Abstract: A device may receive a file to be analyzed in a sandbox environment, and may determine configuration information for configuring the sandbox environment. The configuration information may be determined based on at least one of: file information associated with the file to be analyzed, or client device information associated with a client device for which the file is intended. The device may configure the sandbox environment using the configuration information. The configuration information may identify a system configuration for the sandbox environment. The device may analyze the file in the sandbox environment based on configuring the sandbox environment using the configuration information.

Abstract: A device may determine a first set of hash values corresponding to a first set of files stored by a plurality of client devices. The device may analyze information associated with the first set of hash values to determine a second set of hash values corresponding to a second set of files to be analyzed. The second set of hash values may be different from the first set of hash values. The device may prioritize the second set of hash values to form a prioritized set of hash values corresponding to a prioritized set of files, of the second set of files, to be analyzed. The device may request the prioritized set of files from one or more client devices of the plurality of client devices. The device may receive the prioritized set of files, and may cause the prioritized set of files to be analyzed.

Abstract: A device may receive a trigger to determine whether a malicious file is operating on a client device. The device may determine a network activity profile associated with the malicious file based on receiving the trigger to determine whether the malicious file is operating on the client device. The network activity profile may include information regarding network activity associated with the malicious file when the malicious file is executed in a testing environment. The device may monitor network activity associated with the client device. The device may determine that the network activity associated with the client device matches the network activity profile associated with the malicious file based on monitoring the network activity associated with the client device. The device may provide information indicating that the network activity associated with the client device matches the network activity profile associated with the malicious file.

Abstract: A device may identify a plurality of files for a multi-file malware analysis. The device may execute the plurality of files in a malware testing environment. The device may monitor the malware testing environment for behavior indicative of malware. The device may detect the behavior indicative of malware. The device may perform a first multi-file malware analysis or a second multi-file malware analysis based on detecting the behavior indicative of malware. The first multi-file malware analysis may include a partitioning technique that partitions the plurality of files into two or more segments of files to identify a file, included in the plurality of files, that includes malware. The second multi-file malware analysis may include a scoring technique that modifies a plurality of malware scores, corresponding to the plurality of files, to identify the file, included in the plurality of files, that includes malware.

Abstract: A device may receive a password-protected file to be accessed for analysis. The device may identify a contextual term, associated with the password-protected file, to be used as a password to attempt to access the password-protected file. The contextual term may be identified based on at least one of: metadata associated with the password-protected file, metadata associated with a source from which the password-protected file is received, or text associated with the source from which the password-protected file is received. The device may apply the contextual term as the password to attempt to access the password-protected file.

Abstract: A device may receive or generate a message for routing to a destination on a communication channel. The communication channel may have been established between a source and the destination. The device may perform a first determination of policy information related to at least one of the message, the destination, or the source of the message. The policy information may describe an action for a network device to perform. The device may associate a policy token with the message. The policy token may describe or identify the policy information. The device may provide the message with the associated policy token to the network device on the communication channel to cause the network device to perform a second determination of the policy information based on the policy token, to perform the action described by the policy information, and to provide the message on the communication channel.

Abstract: A system may determine to perform an internal malware detection operation to detect malware executing on a client device. The system may perform the internal malware detection operation. The internal malware detection operation may be performed locally on a particular device without requiring communication with another device. The system may modify an environment executing on the particular device, to form a modified environment, based on performing the internal malware detection operation. The system may monitor the modified environment for a particular behavior indicative of a malware infection. The system may detect that the particular behavior has occurred. The system may provide a notification that the client device is infected with malware based on detecting that the particular behavior has occurred. The notification may cause one or more network devices to block network traffic to or from the client device.