Abstract: Methods, systems, and computer program products for insider threat detection are provided. Embodiments detect insiders who act on documents and/or files to which they have access but whose activity is inappropriate or uncharacteristic of them based on their identity, past activity, and/or organizational context. Embodiments work by monitoring the network to detect network activity associated with a set of network protocols; processing the detected activity to generate information-use events; generating contextual information associated with users of the network; and processing the information-use events based on the generated contextual information to generate alerts and threat scores for users of the network. Embodiments provide several information-misuse detectors that are used to examine generated information-use events in view of collected contextual information to detect volumetric anomalies, suspicious and/or evasive behavior.

Abstract: Methods and systems are provided for a proactive approach for computer forensic investigations. The invention allows organizations anticipating the need for forensic analysis to prepare in advance. Forensic signatures are created including a digital fingerprint and other information associated with a file. In one aspect, informational signatures are created, which may assist in determining what information is included in a file. In another aspect, the digital fingerprint may represent contents of the file and is resistant to minor modification of the file. In another aspect, fingerprints can be compared in parallel on different computers.

Abstract: Methods and systems are provided for a proactive approach for computer forensic investigations. The invention allows organizations anticipating the need for forensic analysis to prepare in advance. Digital representations are generated proactively for a specified target. A digital representation is a digest of the content of the target. Digital representations of a collection of targets indexed and organized in a data structure, such as an inverted index. The searching and comparison of digital representations of a collection of targets allows quick and accurate identification of targets having identical or similar content. Computational and storage costs are expended in advance, which allows more efficient computer forensic investigations. The present invention can be applied to numerous applications, such as computer forensic evidence gathering, misuse detection, network intrusion detection, and unauthorized network traffic detection and prevention.

Abstract: Methods and systems are provided for a proactive approach for computer forensic investigations. The invention allows organizations anticipating the need for forensic analysis to prepare in advance. Digital signatures are generated proactively for a specified target. The digital signature represents a digest of the content of the target, and can be readily stored. Searching and comparing digital signatures allows quick and accurate identification of targets having identical or similar content. Computational and storage costs are expended in advance, which allow more efficient computer forensic investigations. The present invention can be applied to numerous applications, such as computer forensic evidence gathering, misuse detection, network intrusion detection, and unauthorized network traffic detection and prevention.

Abstract: A system and method for detecting malicious executable software code. Benign and malicious executables are gathered; and each are encoded as a training example using n-grams of byte codes as features. After selecting the most relevant n-grams for prediction, a plurality of inductive methods, including naive Bayes, decision trees, support vector machines, and boosting, are evaluated.

Abstract: Methods and systems are provided for a proactive approach for computer forensic investigations. The invention allows organizations anticipating the need for forensic analysis to prepare in advance. Forensic signatures are created including a digital fingerprint and other information associated with a file. In one aspect, informational signatures are created, which may assist in determining what information is included in a file. In another aspect, the digital fingerprint may represent contents of the file and is resistant to minor modification of the file. In another aspect, fingerprints can be compared in parallel on different computers.

Abstract: Methods and systems are provided for a proactive approach for computer forensic investigations. The invention allows organizations anticipating the need for forensic analysis to prepare in advance. Digital signatures are generated proactively for a specified target. The digital signature represents a digest of the content of the target, and can be readily stored. Searching and comparing digital signatures allows quick and accurate identification of targets having identical or similar content. Computational and storage costs are expended in advance, which allow more efficient computer forensic investigations. The present invention can be applied to numerous applications, such as computer forensic evidence gathering, misuse detection, network intrusion detection, and unauthorized network traffic detection and prevention.

Abstract: Methods and systems are provided for a proactive approach for computer forensic investigations. The invention allows organizations anticipating the need for forensic analysis to prepare in advance. Digital representations are generated proactively for a specified target. A digital representation is a digest of the content of the target. Digital representations of a collection of targets indexed and organized in a data structure, such as an inverted index. The searching and comparison of digital representations of a collection of targets allows quick and accurate identification of targets having identical or similar content. Computational and storage costs are expended in advance, which allows more efficient computer forensic investigations. The present invention can be applied to numerous applications, such as computer forensic evidence gathering, misuse detection, network intrusion detection, and unauthorized network traffic detection and prevention.

Abstract: Methods, systems, and computer program products for insider threat detection are provided. Embodiments detect insiders who act on documents and/or files to which they have access but whose activity is inappropriate or uncharacteristic of them based on their identity, past activity, and/or organizational context. Embodiments work by monitoring the network to detect network activity associated with a set of network protocols; processing the detected activity to generate information-use events; generating contextual information associated with users of the network; and processing the information-use events based on the generated contextual information to generate alerts and threat scores for users of the network. Embodiments provide several information-misuse detectors that are used to examine generated information-use events in view of collected contextual information to detect volumetric anomalies, suspicious and/or evasive behavior.

Abstract: A system and method for detecting malicious executable software code. Benign and malicious executables are gathered; and each are encoded as a training example using n-grams of byte codes as features. After selecting the most relevant n-grams for prediction, a plurality of inductive methods, including naive Bayes, decision trees, support vector machines, and boosting, are evaluated.