Abstract: Methods and systems for detecting malicious attacks in a network and preventing lateral movement in the network by identity control are disclosed. According to an implementation, a security appliance may receive telemetry data from an endpoint device collected during a period of time. The security appliance may determine a threat behavior based on the telemetry data. The threat behavior may be associated with a user identity or user account. The security appliance further determines one or more additional user identities based on the user identity connected to the threat behavior. The security appliance may enforce one or more security actions on the user identity and the one or more additional user identities to prevent attacks to a plurality of computing domains from the endpoint device using the one or more additional user identities. The security appliance may be implemented on any network participants including servers, cloud device, cloud-based services/platforms, etc.

Abstract: A distributed security system includes instances of a compute engine that can receive an event stream comprising event data associated with an occurrence of one or more events on one or more client computing devices and generate new event data based on the event data in the event stream. A predictions engine coupled in communication with the compute engine(s) receives the new event data and applies at least a portion of the received new event data to one or more machine learning models of the distributed security system based to the received new event data. The one or more machine learning models generate a prediction result that indicates whether the occurrence of the one or more events from which the new event data was generated represents one or more target behaviors, based on the applying of at least the portion of the received new event data to the one or more machine learning models according to the received new event data.

Abstract: Techniques and systems for a security service system configured with a sensor component including a machine learning (ML) malware classifier to perform behavioral detection on host devices. The security service system may deploy a sensor component to monitor behavioral events on a host device. The sensor component may generate events data corresponding to monitored operations targeted by malware. The system may map individual events from events data onto a behavioral activity pattern and generate process trees. The system may extract behavioral artifacts to build a feature vector used for malware classification and generate a machine learning (ML) malware classifier. The sensor component may use the ML malware classifier to perform asynchronous behavioral detection on a host device and process system events for malware detection.

Abstract: A system, method, and computer program product are provided for enabling communication between security systems. In use, a first communication protocol of a first security system and a second communication protocol of a second security system are identified, where the first communication protocol and the second communication protocol are different such that the first security system and the second security system are incapable of communicating therebetween. Further, the first security system is updated with a first security definition and/or the second security system is updated with a second security definition for enabling communication between the first security system and the second security system.

Abstract: A system, method and computer program product are provided for detecting unwanted data. A scan for unwanted data is performed to generate results of the scan. A context of the scan is then identified. Further, the presence of unwanted data is conditionally indicated based on both the results of the scan and the context of the scan.

Abstract: A security data structure, method and computer program product are provided. In use, computer code is received. Furthermore, functions in the computer code that control a behavior of the computer code when executed are statically identified.

Abstract: A system, method, and computer program product are provided for enabling communication between security systems. In use, a first communication protocol of a first security system and a second communication protocol of a second security system are identified, where the first communication protocol and the second communication protocol are different such that the first security system and the second security system are incapable of communicating therebetween. Further, the first security system is updated with a first security definition and/or the second security system is updated with a second security definition for enabling communication between the first security system and the second security system.

Abstract: A system, method, and computer program product are provided for enabling communication between security systems. In use, a first communication protocol of a first security system and a second communication protocol of a second security system are identified, where the first communication protocol and the second communication protocol are different such that the first security system and the second security system are incapable of communicating therebetween. Further, the first security system is updated with a first security definition and/or the second security system is updated with a second security definition for enabling communication between the first security system and the second security system.

Abstract: A security data structure, method and computer program product are provided. In use, computer code is received. Furthermore, functions in the computer code that control a behavior of the computer code when executed are statically identified.

Abstract: A security data structure, method and computer program product are provided. In use, computer code is received. Furthermore, functions in the computer code that control a behavior of the computer code when executed are statically identified.

Abstract: A system, method and computer program product are provided for detecting unwanted data. A scan for unwanted data is performed to generate results of the scan. A context of the scan is then identified. Further, the presence of unwanted data is conditionally indicated based on both the results of the scan and the context of the scan.

Abstract: A system, method and computer program product are provided for detecting unwanted data. A scan for unwanted data is performed to generate results of the scan. A context of the scan is then identified. Further, the presence of unwanted data is conditionally indicated based on both the results of the scan and the context of the scan.

Abstract: The present invention relates to a proxy device, computer program product and method for performing malware scanning of files stored within a file storage device of a computer network. The computer network has a plurality of client devices arranged to issue access requests using a dedicated file access protocol to the file storage device in order to access files stored on the file storage device, with the proxy device being arranged so as to intercept access requests issued to the file storage device. The proxy device comprises a first interface for receiving an access request issued by one of the client devices to the file storage device using the dedicated file access protocol, and a second interface for communicating with the file storage device to cause the file storage device to process the access request. Further, processing logic is provided for causing selected malware scanning algorithms to be executed to determine whether the file identified by the access request is to be considered as malware.

Abstract: The present invention provides a load balancing device, computer program product, and method for balancing the load across a plurality of proxy devices arranged to perform malware scanning of files stored within a file storage device of a computer network. The computer network has a plurality of client devices arranged to issue access requests using a dedicated file access protocol to the file storage device in order to access files stored on the file storage device. The load balancing device is arranged so as to intercept access requests issued to the file storage device, and comprises a client interface for receiving an access request issued to the file storage device using the dedicated file access protocol.

Abstract: The present invention relates to a proxy device, computer program product and method for performing malware scanning of files stored within a file storage device of a computer network. The computer network has a plurality of client devices arranged to issue access requests using a dedicated file access protocol to the file storage device in order to access files stored on the file storage device, with the proxy device being arranged so as to intercept access requests issued to the file storage device. The proxy device comprises a first interface for receiving an access request issued by one of the client devices to the file storage device using the dedicated file access protocol, and a second interface for communicating with the file storage device to cause the file storage device to process the access request. Further, processing logic is provided for causing selected malware scanning algorithms to be executed to determine whether the file identified by the access request is to be considered as malware.

Abstract: The present invention provides a load balancing device, computer program product, and method for balancing the load across a plurality of proxy devices arranged to perform malware scanning of files stored within a file storage device of a computer network. The computer network has a plurality of client devices arranged to issue access requests using a dedicated file access protocol to the file storage device in order to access files stored on the file storage device. The load balancing device is arranged so as to intercept access requests issued to the file storage device, and comprises a client interface for receiving an access request issued to the file storage device using the dedicated file access protocol.