Abstract: In one embodiment, a device obtains execution records regarding executions of a plurality of binaries. The execution records comprise command line arguments used during the execution. The device determines measures of similarity between the executions of the binaries based on their command line arguments. The device clusters the executions into clusters based on the determined measures of similarity. The device flags the command line arguments for a particular one of the clusters as an indicator of compromise for malware, based on at least one of the binaries associated with the particular cluster being malware.

Abstract: In one embodiment, a service receives a plurality of process hashes for processes executed by a plurality of devices. The service receives traffic data indicative of traffic between the plurality of devices and a plurality of remote server domains. The service forms a bipartite graph based on the processes hashes and the traffic data. A node of the graph represents a particular process hash or server domain and an edge between nodes in the graph represents network traffic between a process and a server domain. The service identifies, based on the bipartite graph, a subset of the plurality of processes as exhibiting polymorphic malware behavior. The service causes performance of a mitigation action in the network based on the identified subset of processes identified as exhibiting polymorphic malware behavior.

Abstract: In one embodiment, a device obtains execution records regarding executions of a plurality of binaries. The execution records comprise command line arguments used during the execution. The device determines measures of similarity between the executions of the binaries based on their command line arguments. The device clusters the executions into clusters based on the determined measures of similarity. The device flags the command line arguments for a particular one of the clusters as an indicator of compromise for malware, based on at least one of the binaries associated with the particular cluster being malware.

Abstract: In one embodiment, a service receives a plurality of process hashes for processes executed by a plurality of devices. The service receives traffic data indicative of traffic between the plurality of devices and a plurality of remote server domains. The service forms a bipartite graph based on the processes hashes and the traffic data. A node of the graph represents a particular process hash or server domain and an edge between nodes in the graph represents network traffic between a process and a server domain. The service identifies, based on the bipartite graph, a subset of the plurality of processes as exhibiting polymorphic malware behavior. The service causes performance of a mitigation action in the network based on the identified subset of processes identified as exhibiting polymorphic malware behavior.