Patents by Inventor Giovanni Vigna

Giovanni Vigna has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20250103716
    Abstract: A framework for detecting malware, and in particular for identifying the malware families to which detected malware samples belong, is provided. In one set of embodiments, the framework receives known malware samples, builds execution chains for the samples, and clusters the execution chains using a similarity metric, resulting in execution chain clusters that correspond to malware families. The framework then uses the clusters to detect whether an unknown sample is malicious, and more specifically whether the unknown sample is part of a malware family represented by one of the clusters.
    Type: Application
    Filed: September 21, 2023
    Publication date: March 27, 2025
    Inventors: Stefano Ortolani, Sebastiano Mariani, Oleg Boyarchuk, Giovanni Vigna
  • Publication number: 20240362329
    Abstract: Techniques that leverage symbolic execution to automatically analyze and understand malicious XL4 macros are provided. Using symbolic execution, these techniques can automatically infer the “correct” values for environmental inputs that are employed by advanced XL4 malware for obfuscating their malicious payloads, thereby allowing for a complete analysis of such malware.
    Type: Application
    Filed: April 27, 2023
    Publication date: October 31, 2024
    Inventors: Giovanni Vigna, Stefano Ortolani, Nicola Ruaro, Fabio Pagani, Christopher Kruegel
  • Publication number: 20240362330
    Abstract: A system that uses machine learning (ML) models—and in particular, deep neural networks—with features extracted from memory snapshots of malware programs to automatically recognize the presence of malicious techniques in such programs is provided. In various embodiments, this system can recognize the presence of malicious techniques that are defined by the MITRE ATT&CK framework and/or other similar frameworks/taxonomies.
    Type: Application
    Filed: April 27, 2023
    Publication date: October 31, 2024
    Inventors: Giovanni Vigna, Stefano Ortolani, Roman Vasilenko, Christopher Kruegel, Saastha Vasan, Hojjat Aghakhani
  • Patent number: 12050684
    Abstract: The disclosure herein describes the detection of malware campaigns based on analysis of attributes of telemetry data. Telemetry data associated with malware campaign detection includes multiple attributes and is associated with a first time interval. Statistics of a target statistic set are calculated based on a composite time series of the multiple attributes of the telemetry data. The target set is compared to a historical statistic set based on a second time interval and, based on the target set exceeding a statistic threshold of the historical set, peak detection analysis of the target set is performed. Based on the analysis indicating the presence of a valid peak result, a notification of detection of a malware campaign is sent, wherein the notification includes data indicative of the valid peak result and enables a receiver of the notification to take corrective action.
    Type: Grant
    Filed: April 23, 2021
    Date of Patent: July 30, 2024
    Assignee: VMware, Inc.
    Inventors: Jason Zhang, Stefano Ortolani, Giovanni Vigna
  • Publication number: 20220342990
    Abstract: The disclosure herein describes the detection of malware campaigns based on analysis of attributes of telemetry data. Telemetry data associated with malware campaign detection includes multiple attributes and is associated with a first time interval. Statistics of a target statistic set are calculated based on a composite time series of the multiple attributes of the telemetry data. The target set is compared to a historical statistic set based on a second time interval and, based on the target set exceeding a statistic threshold of the historical set, peak detection analysis of the target set is performed. Based on the analysis indicating the presence of a valid peak result, a notification of detection of a malware campaign is sent, wherein the notification includes data indicative of the valid peak result and enables a receiver of the notification to take corrective action.
    Type: Application
    Filed: April 23, 2021
    Publication date: October 27, 2022
    Inventors: Jason Zhang, Stefano Ortolani, Giovanni Vigna
  • Patent number: 9521162
    Abstract: A method for detecting a malicious network activity. The method includes extracting, based on a pre-determined criterion, a plurality of protection phase feature sequences extracted from a first plurality of network traffic sessions exchanged during a protection phase between a server device and a first plurality of client devices of a network, comparing the plurality of protection phase feature sequences and a plurality of profiling phase feature sequences to generate a comparison result, where the plurality of profiling phase feature sequences were extracted from a second plurality of network traffic sessions exchanged during a profiling phase prior to the protection phase between the server device and a second plurality of client devices of the network, and generating, in response to detecting a statistical measure of the comparison result exceeding a pre-determined threshold, an alert indicating the malicious network activity.
    Type: Grant
    Filed: November 21, 2014
    Date of Patent: December 13, 2016
    Assignee: Narus, Inc.
    Inventors: Ali Zand, Gaspar Modelo-Howard, Alok Tongaonkar, Sung-Ju Lee, Christopher Kruegel, Giovanni Vigna
  • Patent number: 8959643
    Abstract: A method for detecting a malicious activity in a network. The method includes obtaining file download flows from the network, analyzing the file download flows to generate malicious indications using a pre-determined malicious behavior detection algorithm, extracting a file download attribute from a suspicious file download flow of a malicious indication, wherein the file download attribute represents one or more of the URL, the FQDN, the top-level domain name, the URL path, the URL file name, and the payload of the suspicious file download flow, determining the file download attribute as being shared by at least two suspicious file download flows, identifying related suspicious file download flows and determining a level of association between based at least on the file download attribute, computing a malicious score of the suspicious file download flow based on the level of association, and presenting the malicious score to an analyst user of the network.
    Type: Grant
    Filed: August 9, 2013
    Date of Patent: February 17, 2015
    Assignee: Narus, Inc.
    Inventors: Luca Invernizzi, Stanislav Miskovic, Ruben Torres, Sabyasachi Saha, Christopher Kruegel, Antonio Nucci, Sung-Ju Lee, Giovanni Vigna