Abstract: Systems and methods for generic and static detection of malware using machine learning are provided. According to one embodiment, a computing device receives an executable application or a part thereof. A package name associated with the received application is extracted. The received executable application is classified as being malicious or non-malicious based on evaluation of the package name using a language model. When the received executable application is classified as being non-malicious by the language model, then a further classification process is performed on the received executable application by extracting one or more icons associated with the received executable application. A set of icons of the one or more icons is evaluated using a deep neural network (DNN) model.

Abstract: Systems and methods for file encrypting malware detection are provided. According to one embodiment, a monitoring module is installed within active processes running on a computer system by a kernel mode driver. Performance of a directory traversal operation on a directory of the computer system is detected by a monitoring module of a first process of the multiple active processes in which a parameter of the traversal operation includes a wildcard character. When a number of wildcard-based directory traversal operations performed by the first process exceeds a threshold, a decoy file is deployed by the monitoring module within the directory and the driver is notified. The driver monitors for and detects an attempt by the first process to tamper with the decoy file by intercepting and evaluating file system operations. Responsive to detection of the attempt, the first process is confirmed to be a malware process and is terminated.

Abstract: Systems and methods for file encrypting malware detection are provided. According to one embodiment, a monitoring module is installed within active processes running on a computer system by a kernel mode driver. Performance of a directory traversal operation on a directory of the computer system is detected by a monitoring module of a first process of the multiple active processes in which a parameter of the traversal operation includes a wildcard character. When a number of wildcard-based directory traversal operations performed by the first process exceeds a threshold, a decoy file is deployed by the monitoring module within the directory and the driver is notified. The driver monitors for and detects an attempt by the first process to tamper with the decoy file by intercepting and evaluating file system operations. Responsive to detection of the attempt, the first process is confirmed to be a malware process and is terminated.

Abstract: The invention relates to a method for monitoring at least one message, each message being associated with an action generated by at least one element or user of an information system (1000), said message(s) being collected by at least one message collecting device of the IS. According to the invention, the method comprises the step of defining a plurality of reference event categories each associated with at least one reference action from an ontology based on an intention class that characterizes the purpose of each reference action, an activity type class that qualifies the nature of each reference action, a movement class that characterizes the means for implementing each reference action, a target class that characterizes the object of each reference action, and a gain class that characterizes the result of each reference action.

Abstract: The invention relates to a method for monitoring at least one message, each message being associated with an action generated by at least one element or user of an information system (1000), said message(s) being collected by at least one message collecting device of the IS. According to the invention, the method comprises the step of defining a plurality of reference event categories each associated with at least one reference action from an ontology based on an intention class that characterises the purpose of each reference action, an activity type class that qualifies the nature of each reference action, a movement class that characterises the means for implementing each reference action, a target class that characterises the object of each reference action, and a gain class that characterises the result of each reference action.