Patents by Inventor Josiah Dede Hagen
Josiah Dede Hagen has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 12032705
Abstract: Proper functioning of an antivirus software running on an endpoint system is detected using a test data that is provided to the endpoint system. The test data is also provided to a backend system, which provides the endpoint system with an antivirus definition that includes information for detecting the test data. The antivirus software running on the endpoint system scans for the test data and reports detection of the test data to the backend system. The antivirus software is deemed to have failed the proper functioning test when the antivirus software fails to report detection of the test data. Proper functioning of the antivirus software is also detected by performing a challenge procedure, which involves sending a challenge message to the endpoint system. The endpoint system is expected to respond to the challenge message with a response that includes expected information.
Type: Grant
Filed: November 4, 2021
Date of Patent: July 9, 2024
Assignee: Trend Micro Incorporated
Inventors: Todd Joseph Kalauhala Manning, Muqeet Ali, Jonathan Edward Andersson, Josiah Dede Hagen, Richard Andrew Lawshae, Haoping Liu
-
Patent number: 11882148
Abstract: Systems and methods are presented for mitigating cyber threats. Cybersecurity-related data are stored in a semantic cybersecurity database. A user interface converts a user input to a command utterance. A command node that corresponds to the command utterance is identified in the cybersecurity database. The command node is resolved to one or more action nodes that are connected to the command node, and each action node is resolved to one or more parameter nodes that are connected to the action node. The command node has a command that implements actions indicated in the action nodes. Each action can have one or more required parameters indicated in the parameter nodes. The values of the required parameters are obtained from the command utterance, prompted from the user, or obtained from the cybersecurity database. Actions with their parameter values are executed to mitigate a cyber threat in accordance with the user input.
Type: Grant
Filed: April 13, 2021
Date of Patent: January 23, 2024
Assignee: Trend Micro Incorporated
Inventors: Josiah Dede Hagen, David Girard, Jonathan Edward Andersson, Vincenzo Ciancaglini, Jannis Weigend, Ahmed M. Ibrahim, Mikhail Gorbulev
-
Patent number: 11288594
Abstract: In one example in accordance with the present disclosure, a method for domain classification includes sorting a set of sample domains into leaves based on syntactical features of the domains. Each sample domain belongs to a family of domains. The method also includes identifying, for each leaf, a regular expression for each family with at least one domain in the leaf. The method also includes determining, for each leaf, at least one lobe with a set of domains in the leaf that matches the regular expression for a first family with at least one domain in the leaf, and that does not match the regular expression for the other families with at least one domain in the leaf. The method also includes creating a classifier for the domains in each lobe by using the set of domains from each family in the lobe as training classes for machine learning.
Type: Grant
Filed: February 8, 2018
Date of Patent: March 29, 2022
Assignee: Trend Micro Incorporated
Inventors: Josiah Dede Hagen, Prasad V. Rao, Miranda Jane Felicity Mowbray
-
Patent number: 11080398
Abstract: Examples relate to identifying signatures for data sets. In one example, a computing device may: for each of a plurality of first data sets, obtain a data set signature; generate a first data structure for storing each data set signature that is distinct from each other data set signature; for each of a plurality of second data sets, obtain at least one data subset; generate a second data structure for storing each data subset; remove, from the first data structure, each data set signature that matches a data subset included in the second data structure; and for each data set signature removed from the first data structure, identify each first data set from which the data set signature was obtained; and for each identified first data set, obtain a new data set signature.
Type: Grant
Filed: May 24, 2018
Date of Patent: August 3, 2021
Assignee: Trend Micro Incorporated
Inventors: Josiah Dede Hagen, Jonathan Edward Andersson
-
Patent number: 11063969
Abstract: In one embodiment, a network security device monitors network communications between a computer and another computer. A periodicity of transmissions made by one computer to the other computer is determined, with the periodicity being used to identify candidate time point pairs having intervals that match the periodicity. A graph is constructed with time points of the candidate time point pairs as nodes and with intervals of time point pairs as edges. A longest path that continuously links one time point to another time point on the graph is compared to a threshold length to verify that the transmissions are periodic, and are thus potentially indicative of malicious network communications.
Type: Grant
Filed: June 25, 2019
Date of Patent: July 13, 2021
Assignee: Trend Micro Incorporated
Inventors: Shoufu Luo, Jonathan Edward Andersson, Josiah Dede Hagen
-
Patent number: 11042815
Abstract: Examples relate to providing hierarchical classifiers. In some examples, a superclass classifier of a hierarchy of classifiers is trained with a first type of prediction threshold, where the superclass classifier classifies data into one of a number of subclasses. At this stage, a subclass classifier is trained with a second type of prediction threshold, where the subclass classifier classifies the data into one of a number of classes. The first type of prediction threshold of the superclass classifier and the second type of prediction threshold of the subclass classifier are alternatively applied to classify data segments.
Type: Grant
Filed: October 10, 2017
Date of Patent: June 22, 2021
Assignee: Trend Micro Incorporated
Inventors: Josiah Dede Hagen, Brandon Niemczyk
-
Patent number: 11044265
Abstract: In one embodiment, local begin and end tags are detected by a network security device to determine a local context of a network traffic flow, and a local feature vector is obtained for that local context. At least one triggering machine learning model is applied by the network security device to the local feature vector, and the result determines whether or not deeper analysis is warranted. In most cases, very substantial resources are not required because deeper analysis is not indicated. If deeper analysis is indicated, one or more deeper machine learning models may then be applied to global and local feature vectors, and regular expressions may be applied to packet data, which may include the triggering data packet and one or more subsequent data packets. Other embodiments, aspects and features are also disclosed.
Type: Grant
Filed: June 11, 2020
Date of Patent: June 22, 2021
Assignee: Trend Micro Incorporated
Inventors: Josiah Dede Hagen, Jonathan Edward Andersson, Shoufu Luo, Brandon Niemczyk, Leslie Zsohar, Craig Botkin, Peter Andriukaitis
-
Patent number: 11017079
Abstract: Examples relate to identifying malicious activity using data complexity anomalies. In one example, a computing device may: receive a byte stream that includes a plurality of bytes; determine, for at least one subset of the byte stream, a measure of complexity of the subset; determine that the measure of complexity meets a predetermined threshold measure of complexity for a context associated with the byte stream; and in response to determining that the measure of complexity meets the threshold, provide an indication that the byte stream complexity is anomalous.
Type: Grant
Filed: May 24, 2018
Date of Patent: May 25, 2021
Assignee: Trend Micro Incorporated
Inventors: Jonathan Edward Andersson, Josiah Dede Hagen
-
Patent number: 10878088
Abstract: Examples relate to identifying randomly generated character strings. In one example, a computing device may: receive a character string that includes two or more characters; identify a number of character transitions included in the character string, each character transition being a change in character type within an n-gram of the character string, where n is a positive integer; and determine, based on the number of character transitions, whether the character string was randomly generated.
Type: Grant
Filed: February 7, 2018
Date of Patent: December 29, 2020
Assignee: Trend Micro Incorporated
Inventors: Richard Andrew Lawshae, Josiah Dede Hagen, Mathew Robert Powell, Elvis Collado, Jonathan Edward Andersson, Stephen David Povolny
-
Patent number: 10757029
Abstract: According to an example, network traffic pattern based identification may include analyzing each packet of a plurality of packets that are outgoing from and/or incoming to an entity to respectively determine features within a sequence of outgoing packets and/or a sequence of incoming packets of the plurality of packets. Network traffic pattern based identification may further include analyzing the determined features by respectively using an outgoing packet classification model and/or an incoming packet classification model, and classifying, based on the analysis of the features.
Type: Grant
Filed: January 12, 2018
Date of Patent: August 25, 2020
Assignee: Trend Micro Incorporated
Inventors: Vaibhav Chhabra, Josiah Dede Hagen, Brandon Niemczyk
-
Patent number: 10728268
Abstract: In one embodiment, local begin and end tags are detected by a network security device to determine a local context of a network traffic flow, and a local feature vector is obtained for that local context. At least one triggering machine learning model is applied by the network security device to the local feature vector, and the result determines whether or not deeper analysis is warranted. In most cases, very substantial resources are not required because deeper analysis is not indicated. If deeper analysis is indicated, one or more deeper machine learning models may then be applied to global and local feature vectors, and regular expressions may be applied to packet data, which may include the triggering data packet and one or more subsequent data packets. Other embodiments, aspects and features are also disclosed.
Type: Grant
Filed: April 10, 2018
Date of Patent: July 28, 2020
Assignee: Trend Micro Incorporated
Inventors: Josiah Dede Hagen, Jonathan Edward Andersson, Shoufu Luo, Brandon Niemczyk, Leslie Zsohar, Craig Botkin, Peter Andriukaitis
-
Patent number: 10701031
Abstract: Examples relate to identifying algorithmically generated domains. In one example, a computing device may: receive a query domain name; split the query domain name into an ordered plurality of portions of the query domain name, the ordered plurality of portions beginning with a first portion and ending with a last portion, the last portion including a top level domain of the query domain name; provide, in reverse order beginning with the last portion, the portions of the query domain name as input to a predictive model that has been trained to determine whether the query domain name is an algorithmically generated domain name, the determination being based on syntactic features of the query domain name; and receive, as output from the predictive model, data indicating whether the query domain name is algorithmically generated.
Type: Grant
Filed: November 16, 2017
Date of Patent: June 30, 2020
Assignee: Trend Micro Incorporated
Inventors: Josiah Dede Hagen, Richard Lawshae, Brandon Niemczyk
-
Patent number: 10528732
Abstract: Examples relate to identifying a signature for a data set. In one example, a computing device may: receive a data set that includes a plurality of data units; iteratively determine a measure of complexity for windows of data units included in the data set, each window including a distinct portion of the plurality of data units; identify, based on the iterative determinations, a most complex window of data units for the data set; and identify the most complex window as a data unit signature for the data set.
Type: Grant
Filed: May 24, 2018
Date of Patent: January 7, 2020
Assignee: Trend Micro Incorporated
Inventors: Josiah Dede Hagen, Jonathan Edward Andersson
-
Publication number: 20180268137
Abstract: Examples relate to identifying malicious activity using data complexity anomalies. In one example, a computing device may: receive a byte stream that includes a plurality of bytes; determine, for at least one subset of the byte stream, a measure of complexity of the subset; determine that the measure of complexity meets a predetermined threshold measure of complexity for a context associated with the byte stream; and in response to determining that the measure of complexity meets the threshold, provide an indication that the byte stream complexity is anomalous.
Type: Application
Filed: May 24, 2018
Publication date: September 20, 2018
Inventors: Jonathan Edward ANDERSSON, Josiah Dede HAGEN
-
Publication number: 20180268141
Abstract: Examples relate to identifying signatures for data sets. In one example, a computing device may: for each of a plurality of first data sets, obtain a data set signature; generate a first data structure for storing each data set signature that is distinct from each other data set signature; for each of a plurality of second data sets, obtain at least one data subset; generate a second data structure for storing each data subset; remove, from the first data structure, each data set signature that matches a data subset included in the second data structure; and for each data set signature removed from the first data structure, identify each first data set from which the data set signature was obtained; and for each identified first data set, obtain a new data set signature.
Type: Application
Filed: May 24, 2018
Publication date: September 20, 2018
Applicant: Trend Micro Incorporated
Inventors: Josiah Dede HAGEN, Jonathan Edward ANDERSSON
-
Publication number: 20180268140
Abstract: Examples relate to identifying a signature for a data set. In one example, a computing device may: receive a data set that includes a plurality of data units; iteratively determine a measure of complexity for windows of data units included in the data set, each window including a distinct portion of the plurality of data units; identify, based on the iterative determinations, a most complex window of data units for the data set; and identify the most complex window as a data unit signature for the data set.
Type: Application
Filed: May 24, 2018
Publication date: September 20, 2018
Applicant: Trend Micro Incorporated
Inventors: Josiah Dede HAGEN, Jonathan Edward ANDERSSON
-
Publication number: 20180198827
Abstract: Examples disclosed herein relate to confidence levels in reputable entities. Some of the examples enable identifying a particular reputable entity that is originated from a plurality of sources including a first source and a second source; determining a first level of confidence associated with the first source; determining a second level of confidence associated with the second source; determining an aggregate level of confidence associated with the plurality of sources based on the first and second levels of confidence, wherein the aggregate level of confidence is higher than the first and second levels of confidence; and determining an entity score for the particular reputable entity based on the aggregate level of confidence.
Type: Application
Filed: March 6, 2018
Publication date: July 12, 2018
Applicant: Trend Micro Incorporated
Inventors: Vaughn Kristopher EIFLER, Jonathan Edward ANDERSSON, Josiah Dede HAGEN
-
Publication number: 20180173875
Abstract: Examples relate to identifying randomly generated character strings. In one example, a computing device may: receive a character string that includes two or more characters; identify a number of character transitions included in the character string, each character transition being a change in character type within an n-gram of the character string, where n is a positive integer; and determine, based on the number of character transitions, whether the character string was randomly generated.
Type: Application
Filed: February 7, 2018
Publication date: June 21, 2018
Applicant: Trend Micro Incorporated
Inventors: Richard Andrew LAWSHAE, Josiah Dede HAGEN, Matthew Rob POWELL, Elvis COLLADO, Jonathan Edward ANDERSSON, Stephen David POVOLNY
-
Publication number: 20180165607
Abstract: In one example in accordance with the present disclosure, a method for domain classification includes sorting a set of sample domains into leaves based on syntactical features of the domains. Each sample domain belongs to a family of domains. The method also includes identifying, for each leaf, a regular expression for each family with at least one domain in the leaf. The method also includes determining, for each leaf, at least one lobe with a set of domains in the leaf that matches the regular expression for a first family with at least one domain in the leaf, and that does not match the regular expression for the other families with at least one domain in the leaf. The method also includes creating a classifier for the domains in each lobe by using the set of domains from each family in the lobe as training classes for machine learning.
Type: Application
Filed: February 8, 2018
Publication date: June 14, 2018
Inventors: Josiah Dede HAGEN, Prasad V. RAO, Miranda Jane Felicity MOWBRAY
-
Publication number: 20180139142
Abstract: According to an example, network traffic pattern based identification may include analyzing each packet of a plurality of packets that are outgoing from and/or incoming to an entity to respectively determine features within a sequence of outgoing packets and/or a sequence of incoming packets of the plurality of packets. Network traffic pattern based identification may further include analyzing the determined features by respectively using an outgoing packet classification model and/or an incoming packet classification model, and classifying, based on the analysis of the features.
Type: Application
Filed: January 12, 2018
Publication date: May 17, 2018
Applicant: Trend Micro Incorporated
Inventors: Vaibhav CHHABRA, Josiah Dede HAGEN, Brandon NIEMCZYK