Abstract: An ML (machine learning) training logs are parsed for generating a set of heterogenous graphs having embedded nodes connected with edges determined with link prediction and denoting a hierarchical relationship between nodes. Each graph represents benign behavior from executing one of the files of a training database in the sandbox, wherein the nodes are embedded in the graph using GCN (graph convolution network) to calculate a real-valued vector with fixed dimension. A runtime module to receive an untagged file in real-time for analysis from a network component, and generates a graph of runtime behavior from sandbox of the suspicious file for comparison against the training graphs.

Abstract: A file copy is executed in a virtual runtime environment that tracks behavior using RNN taking runtime behavior of at least a first time into account with current runtime behavior at a second time. This is responsive to not finding a known signature for suspicious activity during virus scanning. A behavior sequence is identified on-the-fly during file copy execution that is indicative of malware, prior to completing the execution, the behavior sequence involving at least two actions taken at different times during file copy execution. Responsive to the identification, the execution is terminated and the virtual runtime environment is returned to the pool of available virtual runtime environments.

Abstract: An ML (machine learning) training logs are parsed for generating a set of heterogenous graphs having embedded nodes connected with edges determined with link prediction and denoting a hierarchical relationship between nodes. Each graph represents benign behavior from executing one of the files of a training database in the sandbox, wherein the nodes are embedded in the graph using GCN (graph convolution network) to calculate a real-valued vector with fixed dimension. A runtime module to receive an untagged file in real-time for analysis from a network component, and generates a graph of runtime behavior from sandbox of the suspicious file for comparison against the training graphs.

Abstract: A file copy is executed in a virtual runtime environment that tracks behavior using RNN taking runtime behavior of at least a first time into account with current runtime behavior at a second time. This is responsive to not finding a known signature for suspicious activity during virus scanning. A behavior sequence is identified on-the-fly during file copy execution that is indicative of malware, prior to completing the execution, the behavior sequence involving at least two actions taken at different times during file copy execution. Responsive to the identification, the execution is terminated and the virtual runtime environment is returned to the pool of available virtual runtime environments.

Abstract: Systems and methods for adaptive filtering of malware using a machine-learning model and sandboxing are provided. According to one embodiment, a processing resource of a sandbox appliance receives a file. A feature vector associated with the file is generated by extracting multiple static features from the file. The file is classified based on the feature vector by applying a machine-learning model. When the classification of the file is unknown, representing insufficient information is available to identify the file as malicious or benign, sandbox processing is caused to be performed on the file.