Abstract: Methods, apparatuses and systems for automatic binary file segmentation include receiving binary content, applying a first machine learning process to the binary content to determine data segments in the binary content by identifying at least one of a respective starting point or end point of different data types in the binary content, examining the determined data segments of the binary content to identify data segments that are resistant to analysis, and applying respective techniques to the identified, analysis-resistant data segments to render the content of the identified, analysis-resistant data segments. In some embodiments, the rendering of the content of the identified, analysis-resistant data segments enables the identified, analysis-resistant segments to be analyzed, for example, to determine if the identified, analysis-resistant segments contain malicious content.

Abstract: A method and apparatus for generating a content detection dataset using file creation dates. The method accesses a database comprising data files. The files are analyzed by a machine learning model to determine file creation dates. The creation dates are used to identify relevant content files. The most relevant files are included into a content detection dataset as content samples. The dataset may be used for training machine learning based content detectors.

Abstract: A method and apparatus for generating a dataset for training a content detection machine learning model. The method applies one or more transforms to a content containing bitstream that produce feature tensors representing the content, labels the feature tensors by type of content, stores feature tensors and labels in a dataset. The dataset my be used to train a content detection machine learning model. The model may be exported to content detectors to identify and classify bitstream content contained in other bitstreams.

Abstract: Systems and methods for optimal load distribution and data processing of a plurality of files in anti-malware solutions are provided herein. In some embodiments, the system includes: a plurality of node processors; a control processor programmed to: receiving a plurality of files used for malware analysis and training of anti-malware ML models; separating the plurality of files into a plurality of subsets of files based on byte size of each of the files, such that processing of each subset of files produces similar workloads amongst all available node processors; distributing the plurality of subsets of files amongst all available node processors such that each node processor processes its respective subset of files in parallel and within a similar timeframe as the other node processors; and receiving, by the control processor, a report of performance and/or anti-malware processing results of the subset of files performed from each node processor.

Abstract: A method and apparatus for testing a malware detection machine learning model. The method trains a malware detection model using a first dataset containing malware samples from a particular time period. The trained model is then tested using a second dataset that is a time shifted version of the first dataset.

Abstract: Systems and methods for malware filtering are provided herein. In some embodiments, a system having one or more processors is configured to: retrieve a file downloaded to a user device; break the downloaded file into a plurality of chunks; scan the plurality of chunks to identify potentially malicious chunks; predict whether the downloaded file is malicious based on the scan of the plurality of chunks; and determine whether the downloaded file is malicious based on the prediction.

Abstract: In an embodiment, systems and methods for detecting malware are provided. A server trains a static malware model and a dynamic malware model to detect malware in files. The models are distributed to a plurality of user devices for use by antimalware software executing on the user devices. When a user device receives a file, the static malware model is used to determine whether the file contains malware. If the static malware model is unable to make the determination, when the file is later executed, the dynamic malware model is used to determine whether the file contains malware. The file along with the determination made by the dynamic malware model are then provided to the server. The server then retrains the static malware model using the received files and the received determinations. The server then distributes the updated static malware model to each of the devices.

Abstract: In an embodiment, systems and methods for detecting malware are provided. A server trains a static malware model and a dynamic malware model to detect malware in files. The models are distributed to a plurality of user devices for use by antimalware software executing on the user devices. When a user device receives a file, the static malware model is used to determine whether the file contains malware. If the static malware model is unable to make the determination, when the file is later executed, the dynamic malware model is used to determine whether the file contains malware. The file along with the determination made by the dynamic malware model are then provided to the server. The server then retrains the static malware model using the received files and the received determinations. The server then distributes the updated static malware model to each of the devices.

Abstract: In an embodiment, systems and methods for detecting malware are provided. A server trains a static malware model and a dynamic malware model to detect malware in files. The models are distributed to a plurality of user devices for use by antimalware software executing on the user devices. When a user device receives a file, the static malware model is used to determine whether the file contains malware. If the static malware model is unable to make the determination, when the file is later executed, the dynamic malware model is used to determine whether the file contains malware. The file along with the determination made by the dynamic malware model are then provided to the server. The server then retrains the static malware model using the received files and the received determinations. The server then distributes the updated static malware model to each of the devices.

Abstract: In an embodiment, systems and methods for detecting malware are provided. A server trains a static malware model and a dynamic malware model to detect malware in files. The models are distributed to a plurality of user devices for use by antimalware software executing on the user devices. When a user device receives a file, the static malware model is used to determine whether the file contains malware. If the static malware model is unable to make the determination, when the file is later executed, the dynamic malware model is used to determine whether the file contains malware. The file along with the determination made by the dynamic malware model are then provided to the server. The server then retrains the static malware model using the received files and the received determinations. The server then distributes the updated static malware model to each of the devices.

Abstract: A method for identifying a malicious connection between a client device and a server includes obtaining handshake parameters for the client device and the server responsive to the client device initiating a connection with the server, generating a feature set by extracting features from the handshake parameters, predicting a maliciousness of the connection using a machine learning model, where the extracted features are provided as inputs to the machine learning model, and automatically initiating a corrective action if the connection is predicted to be malicious.

Abstract: A method for identifying a malicious connection between a client device and a server includes obtaining handshake parameters for the client device and the server responsive to the client device initiating a connection with the server, generating a feature set by extracting features from the handshake parameters, predicting a maliciousness of the connection using a machine learning model, where the extracted features are provided as inputs to the machine learning model, and automatically initiating a corrective action if the connection is predicted to be malicious.

Abstract: A method of generating a machine learning model for detecting malicious connections between two or more computing devices includes executing, within a secure operating environment, a plurality of known malicious software applications and a plurality of known non-malicious software applications, generating a dataset of known handshake parameters by monitoring connections between the plurality of known malicious software applications and one or more target servers, and the plurality of known non-malicious software applications and the one or more target servers, training a machine learning model using the dataset of known handshake parameters to predict a maliciousness of a connection between two or more computing devices based on handshake parameters between the two or more computing devices, and distributing the machine learning model to one or more client devices.

Abstract: A method including analyzing affected data known to include harmful content, and clean data known to be free of the harmful content; determining, based on analyzing the affected data and the clean data, harmful traits that appear in the affected data with a frequency that satisfies a threshold frequency, and clean traits that appear in the clean data with the frequency that satisfies the threshold frequency; mixing the harmful traits and the clean traits to determine a mixed set; analyzing the affected data based on utilizing the mixed set to determine a harmful pattern that indicates characteristics associated with the harmful traits and the clean traits; and transmitting pattern information indicating the harmful pattern to enable the user device to determine whether given data includes the harmful content is disclosed. Various other aspects are contemplated.

Abstract: Systems and methods for malware detection are provided herein. In some embodiments, a system having one or more processors is configured to: perform, on a plurality of user devices, at least one of a static analysis or a behavioral analysis of a file downloaded to a user device; receive a plurality of features extracted from the downloaded file; train at least one machine learning model, on a central server in communication with the plurality of user device, based on the plurality of features; distribute the at least one trained machine learning model to the plurality of user devices; and update at least one of a machine learning model used for the static analysis or behavioral analysis with the distributed at least one trained machine learning model.

Abstract: Systems and method for URL filtering are provided herein. In some embodiments, a system includes a processor programmed to receive a URL request to access a resource associated with the URL; perform a first layer of URL filtering by comparing the URL to a blocklist of malicious URLs; determine that the URL does not match a URL on the blocklist; perform a second layer of filtering by applying a machine learning algorithm to analyze the URL to predict whether the URL is malicious; and generate and transmit a URL filter determination that the URL is malicious and update the blocklist to include the URL.

Abstract: Systems and methods to intelligently optimize data collection requests are disclosed. In one embodiment, systems are configured to identify and select a complete set of suitable parameters to execute the data collection requests. In another embodiment, systems are configured to identify and select a partial set of suitable parameters to execute the data collection requests. The present embodiments can implement machine learning algorithms to identify and select the suitable parameters according to the nature of the data collection requests and the targets. Moreover, the embodiments provide systems and methods to generate feedback data based upon the effectiveness of the data collection parameters. Furthermore, the embodiments provide systems and methods to score the set of suitable parameters based on the feedback data and the overall cost, which are then stored in an internal database.

Abstract: Systems and methods for malware filtering are provided herein. In some embodiments, a system having one or more processors is configured to: retrieve a file downloaded to a user device; break the downloaded file into a plurality of chunks; scan the plurality of chunks to identify potentially malicious chunks; predict whether the downloaded file is malicious based on the scan of the plurality of chunks; and determine whether the downloaded file is malicious based on the prediction.

Abstract: A method including configuring, by an infrastructure device, a user device to receive harmful patterns indicating characteristics of harmful traits included in affected data known to include malicious content and clean patterns indicating characteristics of clean traits included in clean data known to be free of the malicious content; configuring the user device to receive a first portion of given data; configuring the user device to determine a pattern associated with traits included in the first portion of the given data; configuring the user device to determine whether the first portion of the given data includes the malicious content based on comparing the determined pattern with the harmful patterns and the clean patterns; and configuring the user device to selectively receive a second portion of the given data based determining whether the first portion of the given data includes the malicious content is disclosed. Various other aspects are contemplated.

Abstract: A method including receiving, by a user device, harmful patterns indicating characteristics of harmful traits included in affected data known to include malicious content and clean patterns indicating characteristics of clean traits included in clean data known to be free of the malicious content; determining, by the user device, a pattern associated with traits included in given data; and determining, by the user device, whether the given data includes the malicious content based at least in part on comparing the determined pattern with the harmful patterns and the clean patterns. Various other aspects are contemplated.