Abstract: Synthetic training sets for machine learning are created by identifying and modifying functional features of code in an existing malware training set. By filtering the resulting synthetic code to measure malware impact and novelty, training sets can be created that predict novel malware and to seek to preemptively exhaust the space of new malware. These synthesized training sets can be used in turn to improve training of machine learning models. Furthermore, by repeating the process of new code generation, filtering and training, an iterative machine learning process may be created that continuously narrows the window of vulnerabilities to new malicious actions.

Abstract: An automated system attempts to characterize code as safe or unsafe. For intermediate code samples not placed with sufficient confidence in either category, human-readable analysis is automatically generated to assist a human reviewer in reaching a final disposition. For example, a random forest over human-interpretable features may be created and used to identify suspicious features in a manner that is understandable to, and actionable by, a human reviewer. Similarly, a k-nearest neighbor algorithm may be used to identify similar samples of known safe and unsafe code based on a model for, e.g., a file path, a URL, an executable, and so forth. Similar code may then be displayed (with other information) to a user for evaluation in a user interface. This comparative information can improve the speed and accuracy of human interventions by providing richer context for human review of potential threats.

Abstract: An enterprise security system is improved by instrumenting endpoints to explicitly label network flows with cryptographically secure labels that identify an application or other source of each network flow. Cryptographic techniques may be used, for example, to protect the encoded information in the label from interception by third parties or to support cryptographic authentication of a source of each label. A label may provide health, status, or other heartbeat information for the endpoint, and may be used to identify compromised endpoints, to make routing decisions for network traffic (e.g., allowing, blocking, rerouting, etc.), to more generally evaluate the health of an endpoint that is sourcing network traffic, or for any other useful purpose.

Abstract: An enterprise security system is improved by instrumenting endpoints to explicitly label network flows with cryptographically secure labels that identify an application or other source of each network flow. Cryptographic techniques may be used, for example, to protect the encoded information in the label from interception by third parties or to support cryptographic authentication of a source of each label. A label may provide health, status, or other heartbeat information for the endpoint, and may be used to identify compromised endpoints, to make routing decisions for network traffic (e.g., allowing, blocking, rerouting, etc.), to more generally evaluate the health of an endpoint that is sourcing network traffic, or for any other useful purpose.

Abstract: Synthetic training sets for machine learning are created by identifying and modifying functional features of code in an existing malware training set. By filtering the resulting synthetic code to measure malware impact and novelty, training sets can be created that predict novel malware and to seek to preemptively exhaust the space of new malware. These synthesized training sets can be used in turn to improve training of machine learning models. Furthermore, by repeating the process of new code generation, filtering and training, an iterative machine learning process may be created that continuously narrows the window of vulnerabilities to new malicious actions.

Abstract: An enterprise security system is improved by instrumenting endpoints to explicitly label network flows with cryptographically secure labels that identify an application or other source of each network flow. Cryptographic techniques may be used, for example, to protect the encoded information in the label from interception by third parties or to support cryptographic authentication of a source of each label. A label may provide health, status, or other heartbeat information for the endpoint, and may be used to identify compromised endpoints, to make routing decisions for network traffic (e.g., allowing, blocking, rerouting, etc.), to more generally evaluate the health of an endpoint that is sourcing network traffic, or for any other useful purpose.

Abstract: An ensemble of detection techniques are used to identify code that presents intermediate levels of threat. For example, an ensemble of machine learning techniques may be used to evaluate suspiciousness based on binaries, file paths, behaviors, reputations, and so forth, and code may be sorted into safe, unsafe, intermediate, or any similar categories. By filtering and prioritizing intermediate threats with these tools, human threat intervention can advantageously be directed toward code samples and associated contexts most appropriate for non-automated responses.

Abstract: An automated system attempts to characterize code as safe or unsafe. For intermediate code samples not placed with sufficient confidence in either category, human-readable analysis is automatically generated to assist a human reviewer in reaching a final disposition. For example, a random forest over human-interpretable features may be created and used to identify suspicious features in a manner that is understandable to, and actionable by, a human reviewer. Similarly, a k-nearest neighbor algorithm may be used to identify similar samples of known safe and unsafe code based on a model for, e.g., a file path, a URL, an executable, and so forth. Similar code may then be displayed (with other information) to a user for evaluation in a user interface. This comparative information can improve the speed and accuracy of human interventions by providing richer context for human review of potential threats.

Abstract: A non-transitory computer readable storage medium, comprising executable instructions to collect network traffic data, produce a Fourier signature from the network traffic data, associate the Fourier signature with a known pattern, collect new network traffic data, produce a new Fourier signature from the new network traffic data, compare the new Fourier signature with the Fourier signature to selectively identify a match and associate the new network traffic data with the known pattern upon a match.

Abstract: An interface for a threat management facility of an enterprise network supports the use of third-party security products within the enterprise network by providing access to relevant internal instrumentation and/or a programmatic interface for direct or indirect access to local security agents on compute instances within the enterprise network.

Abstract: A threat management facility stores a number of entity models that characterize reportable events from one or more entities. A stream of events from compute instances within an enterprise network can then be analyzed using these entity models to detect behavior that is inconsistent or anomalous for one or more of the entities that are currently active within the enterprise network.

Abstract: An authentication model dynamically adjusts authentication factors required for access to a remote resource based on changes to a risk score for a user, a device, or some combination of these. For example, the authentication model may conditionally specify the number and type of authentication factors required by a user/device pair, and may dynamically alter authentication requirements based on changes to a current risk assessment for the user/device while the remote resource is in use.

Abstract: A security platform uses a sensor-event-analysis-response methodology to iteratively adapt to a changing security environment by continuously creating and updating entity models based on observed activities and detecting patterns of events that deviate from these entity models.

Abstract: Entity models are used to evaluate potential risk of entities, either individually or in groups, in order to evaluate suspiciousness within an enterprise network. These individual or aggregated risk assessments can be used to adjust the security policy for compute instances within the enterprise network. A security policy may specify security settings such as network speed, filtering levels, network isolation, levels of privilege, and the like.

Abstract: A method and apparatus for resource locator identifier rewrite have been presented. A security device receives from a resource host over a non-secure hypertext transfer protocol (HTTP) session a response to a request received from a client over a secure HTTP session. The response includes a uniform resource locator (URL) that is supposed to be for a resource host, but the URL does not designate a secure resource access protocol and the resource host requires the secure resource access protocol. The URL is located in the response and modified to designate the secure resource access protocol. After modification, the response is transmitted via the secure resource access protocol session to the client.

Abstract: An enterprise security system is improved by instrumenting endpoints to explicitly label network flows with cryptographically secure labels that identify an application or other source of each network flow. Cryptographic techniques may be used, for example, to protect the encoded information in the label from interception by third parties or to support cryptographic authentication of a source of each label. A label may provide health, status, or other heartbeat information for the endpoint, and may be used to identify compromised endpoints, to make routing decisions for network traffic (e.g., allowing, blocking, rerouting, etc.), to more generally evaluate the health of an endpoint that is sourcing network traffic, or for any other useful purpose.

Abstract: Synthetic training sets for machine learning are created by identifying and modifying functional features of code in an existing malware training set. By filtering the resulting synthetic code to measure malware impact and novelty, training sets can be created that predict novel malware and to seek to preemptively exhaust the space of new malware. These synthesized training sets can be used in turn to improve training of machine learning models. Furthermore, by repeating the process of new code generation, filtering and training, an iterative machine learning process may be created that continuously narrows the window of vulnerabilities to new malicious actions.

Abstract: A non-transitory computer readable storage medium includes executable instructions to identify specified network interactions initiated by a client machine. The specified network interactions are compared to normative values to produce a promiscuity score indicative of the risk of the client machine contracting malicious software. Depending upon the promiscuity score, prophylactic actions are optionally applied to the client machine.

Abstract: An apparatus includes a processor and a memory storing instructions executed by the processor to receive a first communication session using a first key, where the first communication session is between a client and a server. A second communication session is initiated using a second key, where the second communication session is between the apparatus and the server. An active communication session is negotiated between the client and the server using the first key and the second key. The active communication session is decrypted using the first key and the second key. The active communication session is re-encrypted using a third key to form re-encrypted data.

Abstract: An enterprise security system is improved by instrumenting endpoints to explicitly label network flows with cryptographically secure labels that identify an application or other source of each network flow. Cryptographic techniques may be used, for example, to protect the encoded information in the label from interception by third parties or to support cryptographic authentication of a source of each label. A label may provide health, status, or other heartbeat information for the endpoint, and may be used to identify compromised endpoints, to make routing decisions for network traffic (e.g., allowing, blocking, rerouting, etc.), to more generally evaluate the health of an endpoint that is sourcing network traffic, or for any other useful purpose.