Abstract: According to an example, a method of analyzing an output of a sequencer is provided comprising identifying genetic targets, obtaining target signature snippets responsive thereto, each target signature snippet derived from a genetic sequence of the genetic targets, receiving portions of a test sequence output by a sequencer sequencing a sample in real time, determining, in real time or near-real time with the sequencer sequencing the sample, whether a target signature snippet of the target signature snippets is in at least one portion of the test sequence, determining, for each genetic target, a probability the genetic target is in the sample based on the determination of whether the target signature snippet is present in the at least one portion of the test sequence, and outputting an analysis of the sample indicating the respective probability that each genetic target is present in the sample.

Abstract: According to at least one example, a method of filtering signature snippets is provided comprising identifying a group of genetic targets, obtaining a plurality of sets of one or more target signature snippets responsive to identifying the group of genetic targets, each set of one or more target signature snippets corresponding to a respective genetic target of the group of genetic targets and being derived from a genetic sequence of the respective genetic target, filtering the plurality of sets of one or more target signature snippets to identify a set of one or more universal target signature snippets, and outputting the set of one or more universal target signature snippets.

Abstract: A method of identifying regions of malicious organic sequences includes identifying a plurality of benign snippets derived from a first sequence obtained from at least one benign organism; extracting a plurality of candidate signature snippets from a second sequence obtained from a malicious organism; determining, for each of the plurality of candidate signature snippets, whether the candidate signature snippet matches at least one of the plurality of benign snippets; and responsive to the candidate signature snippet not matching the at least one of the plurality of benign snippets, identifying the candidate signature snippet as a malicious signature snippet.

Abstract: Disclosed techniques include generating a first set of sequence snippets from a set of nucleic acid sequences having a first trait; generating a second set of second sequence snippets from a set of nucleic acid sequences having a second trait; identifying a third set of sequence snippets categorized as being of a particular type; and filtering the first set of sequence snippets and the second set of sequence snippets to remove at least one sequence snippet in the third set of sequence snippets.

Abstract: A method of identifying regions of malicious organic sequences includes identifying a plurality of benign snippets derived from a first sequence obtained from at least one benign organism; extracting a plurality of candidate signature snippets from a second sequence obtained from a malicious organism; determining, for each of the plurality of candidate signature snippets, whether the candidate signature snippet matches at least one of the plurality of benign snippets; and responsive to the candidate signature snippet not matching the at least one of the plurality of benign snippets, identifying the candidate signature snippet as a malicious signature snippet.

Abstract: A system for determining the start of a match of a regular expression has a special state table which contains start state entries and terminal state entries; a plurality of start state registers for storing offset information indicative of the start of a match of the regular expression; a deterministic finite state automaton (DFA) next state table which, given the current state and an input character, returns the next state. The DFA next state table includes a settable indicator for any next state table entry which indicates whether to perform a lookup into the special state table. A compiler loads values into the special state table based on the regular expression.

Abstract: Systems and methods are disclosed for detecting covert DNS tunnels using n-grams. The majority of legitimate DNS requests originate from network content itself, for example, through hyperlinks in websites. So, comparing data from incoming network communications to a hostname included in a DNS request can give an indication on whether the DNS request is a legitimate request or associated with a covert DNS tunnel. This process can be made computationally efficient by extracting n-grams from incoming network content and storing the n-grams in an efficient data structure, such as a Bloom filter. The stored n-grams are compared with n-grams extracted from outgoing DNS requests. If n-grams from an outgoing DNS request are not found in the data structure, the domain associated with the DNS request is determined to be associated with a suspected covert DNS tunnel.

Abstract: Embodiments of a system and method for computer inspection of information objects, for example, executable software applications for common components that may include elements of computer viruses, items from hacker exploit libraries, or other malware components. Information objects may contain identified sequences of instructions, each of which may be identified and hierarchically grouped based on their structural relationship(s). In the software context, programming languages may include multiple components that include functional code; these components are often shared between programmers. In some embodiments, an inspection of the hierarchical relationship of components (e.g., constituent functions) in the information objects may allow for identification of common components shared between programs. In some embodiments, authorship of objects or components in the objects may be identified by comparisons between component samples.

Abstract: Embodiments of a system and method for computer inspection of information objects, for example, executable software applications for common components that may include elements of computer viruses, items from hacker exploit libraries, or other malware components. Information objects may contain identified sequences of instructions, each of which may be identified and hierarchically grouped based on their structural relationship(s). In the software context, programming languages may include multiple components that include functional code; these components are often shared between programmers. In some embodiments, an inspection of the hierarchical relationship of components (e.g., constituent functions) in the information objects may allow for identification of common components shared between programs. In some embodiments, authorship of objects or components in the objects may be identified by comparisons between component samples.

Abstract: Systems and methods are disclosed for detecting covert DNS tunnels using n-grams. The majority of legitimate DNS requests originate from network content itself, for example, through hyperlinks in websites. So, comparing data from incoming network communications to a hostname included in a DNS request can give an indication on whether the DNS request is a legitimate request or associated with a covert DNS tunnel. This process can be made computationally efficient by extracting n-grams from incoming network content and storing the n-grams in an efficient data structure, such as a Bloom filter. The stored n-grams are compared with n-grams extracted from outgoing DNS requests. If n-grams from an outgoing DNS request are not found in the data structure, the domain associated with the DNS request is determined to be associated with a suspected covert DNS tunnel.

Abstract: A system for processing regular expressions containing one or more sub-expressions. Information regarding one or more regular expressions, each containing one or more sub-expressions, is stored. Data is compared to the stored information regarding expressions in only a single pass through the data. From the comparison, for any stored expression, the location within the data of the beginning and end of each sub-expression, and the end of the regular expression, are determined. From such determination, the presence within the data of any one or more stored regular expressions containing one or more sub-expressions is identified.

Abstract: A system for determining the start of a match of a regular expression has a special state table which contains start state entries and terminal state entries; a plurality of start state registers for storing offset information indicative of the start of a match of the regular expression; a deterministic finite state automaton (DFA) next state table which, given the current state and an input character, returns the next state. The DFA next state table includes a settable indicator for any next state table entry which indicates whether to perform a lookup into the special state table. A compiler loads values into the special state table based on the regular expression.

Abstract: A method for determining the start of a match of a regular expression using the special state table, the set of start state registers and the DFA next state table, includes the step of determining from the regular expression each start-of-match start state and each end-of-match terminal state. For each start state, a start state entry is loaded into the special state table. For each terminal state, a terminal state entry is loaded into each special state table. The next state table is used to return the next state from the current state and an input character. When a start state is encountered, the current offset from the beginning of the input character string is loaded into the start state register. When a terminal state is encountered, the terminal state entry is retrieved from the special state table, and the value of the start state register corresponding to the rule number of the terminal entry in the special state table is further retrieved.

Abstract: A method for generating look-up tables for a high speed multi-bit Real-time Deterministic Finite state Automaton (hereinafter RDFA). The method begins with a DFA generated in accordance with the prior art. For each state in the DFA, and for each of the bytes recognized in parallel the following occurs. First an n-closure list is generated. An n-closure list is a list of states reachable in n-transitions from the current state. Next an alphabet transition list is generated for each state. An “alphabet transition list” is a list of the transitions out of a particular state for each of the characters in an alphabet. Finally, the transitions are grouped into classes. That is, the transitions that go to the same state are grouped into the same class. Each class is used to identify the next state. The result is a state machine that has less states than the original DFA.

Abstract: A system and method in accordance with the present invention determines in real-time the portions of a set of characters from a data or character stream which satisfies one or more predetermined regular expressions. A Real-time Deterministic Finite state Automaton (RDFA) ensures that the set of characters is processed at high speeds with relatively small memory requirements. An optimized state machine models the regular expression(s) and state related alphabet lookup and next state tables are generated. Characters from the data stream are processed in parallel using the alphabet lookup and next state tables, to determine whether to transition to a next state or a terminal state, until the regular expression is satisfied or processing is terminated. Additional means may be implemented to determine a next action from satisfaction of the regular expression.

Abstract: A system for determining the start of a match of a regular expression includes a special state table that contains start entries and terminal entries, and a set of start state registers for holding offset information. The system further includes a DFA next state table that, given the current state and an input character, returns the next state. A settable indicator is included in the DFA next state table corresponding to each next state table entry which indicates whether to perform a lookup in the special state table. A compiler loads values into the special state table based on the regular expression. A method for determining the start of a match of a regular expression using the special state table, the set of start state registers and the DFA next state table, includes the step of determining from the regular expression each start-of-match start state and each end-of-match terminal state. For each start state, a start state entry is loaded into the special state table.

Abstract: A system for processing regular expressions containing one or more sub-expressions. Information regarding one or more regular expressions, each containing one or more sub-expressions, is stored. Data is compared to the stored information regarding expressions in only a single pass through the data. From the comparison, for any stored expression, the location within the data of the beginning and end of each sub-expression, and the end of the regular expression, are determined. From such determination, the presence within the data of any one or more stored regular expressions containing one or more sub-expressions is identified.

Abstract: Data that spans multiple packets is processes. A finite state machine is used to process the data in each packet and the “state” of a finite state machine is saved after processing a packet. The saved state is stored with information that identifies the particular data stream from which the packet originated. This means that a state machine engine (hardware implementation of the finite state machine) is not tied to a particular data stream. The present invention makes it possible to utilize state machine co-processors very efficiently in a multiple engine/multiple data stream system.

Abstract: A method for generating look-up tables for a high speed multi-bit Real-time Deterministic Finite state Automaton (hereinafter RDFA). The method begins with a DFA generated in accordance with the prior art. For each state in the DFA, and for each of the bytes recognized in parallel the following occurs. First an n-closure list is generated. An n-closure list is a list of states reachable in n-transitions from the current state. Next an alphabet transition list is generated for each state. An “alphabet transition list” is a list of the transitions out of a particular state for each of the characters in an alphabet. Finally, the transitions are grouped into classes. That is, the transitions that go to the same state are grouped into the same class. Each class is used to identify the next state. The result is a state machine that has less states than the original DFA.

Abstract: A system and method in accordance with the present invention determines in real-time the portions of a set of characters from a data or character stream which satisfies one or more predetermined regular expressions. A Real-time Deterministic Einite state Automaton (RDFA) ensures that the set of characters is processed at high speeds with relatively small memory requirements. An optimized state machine models the regular expression(s) and state related alphabet lookup and next state tables are generated. Characters from the data stream are processed in parallel using the alphabet lookup and next state tables, to determine whether to transition to a next state or a terminal state, until the regular expression is satisfied or processing is terminated. Additional means may be implemented to determine a next action from satisfaction of the regular expression.