Abstract: A method of malware detection includes performing, by a second device of a plurality of devices on a network, a fuzzy matching between a second sequence of events occurring at the second device and a first sequence of captured events that occurred at a first device of the plurality of devices on the network; determining, by the second device, that a result of the fuzzy matching reaches a first threshold; and in response to determining that the result of the fuzzy matching reaches the first threshold, initiating a detailed instrumentation at the second device. The method can further include determining, by the second device, that a first condition is satisfied; and in response to determining that the first condition is satisfied: generating a second malware behavior package including information from the detailed instrumentation; and communicating the second malware behavior package over the network.

Abstract: This disclosure describes a computer-readable medium storing instructions for detecting malicious activity by monitoring the execution of intentionally weak code paths embedded within executable code. A monitoring system receives a mapping that associates each injected weak path with a unique identifier, then observes the executable during runtime to determine whether any such abnormal path is taken. Because these paths are designed not to execute during normal operation (implemented through inhibited or dead code reachable only under adversarial manipulation) their activation serves as a signal of potential attack behavior. When the monitoring system detects execution of a mapped intentionally weak code path, it generates a notification within a secure environment, enabling rapid identification of suspicious or unauthorized activity. This technique enhances software security by providing a lightweight, observable mechanism for detecting deviations from expected execution flows.

Abstract: A computer implemented method is provided. The computer implemented method includes receiving, for execution by a processing element, a relocatable instrumented code block, the relocatable instrumented code block being code that has undergone instrumentation for a monitoring system, duplicating at least one function of the relocatable instrumented code block to produce a plurality of duplicate relocatable code blocks, allocating the instrumented code block and each duplicate relocatable code block of the plurality of duplicate relocatable code blocks to different locations in a memory on a computing device, creating a relocated mapping of the instrumented code block and each duplicate relocatable code block to their corresponding locations in the memory, and transmitting a copy of the mapping of the instrumented code block and each duplicate relocatable code block to their corresponding locations in memory to the monitoring system.

Abstract: The present disclosure relates generally to systems, devices and/or processes for scheduling machine learning models within a computing environment.

Abstract: The present disclosure relates generally to systems, devices and/or processes for scheduling machine learning models within a computing environment.

Abstract: A computer implemented method is provided. The computer implemented method includes receiving an intermediate representation of a source code, intentionally injecting a weak code path at a point within the intermediate representation to create a modified intermediate representation, performing a path profiling on the modified intermediate representation to generate a particular path identifier for each path within the modified intermediate representation, and identifying the particular path identifier of the weak code path for use by a monitoring system. A monitoring system is also provided. The monitoring system monitors an executable code during runtime for execution of a path having a particular path identifier corresponding to the injected intentionally weak code path.

Abstract: A method is provided that includes receiving a source code block of a source code and a sensor configuration associated with the source code block, performing instrumentation on the source code block at least two times to generate corresponding at least two differently instrumented code blocks from the source code block, creating a corresponding model of the sensor configuration for each differently instrumented code block, and receiving a request for an instrumented variant of the source code block for execution by a processing element and deploying the instrumented variant of the source code block to the processing element. The instrumented variant of the source code block comprises one of the at least two differently instrumented code blocks from the source code block.

Abstract: A data processing apparatus is provided that includes storage circuitry for storing a data value derived from a plurality of memory addresses associated with a stream of instructions. Membership query circuitry performs an approximate set membership query against the data value of a memory address associated with a current one of the instructions and in response to the approximate set membership query being positive, issues the memory address to confirmation circuitry. Halt circuitry halts execution of the stream of instructions by processing circuitry in response to at least one condition being met, the at least one condition including a positive indication from the confirmation circuitry that the memory address is one of the plurality of memory addresses.

Abstract: A method and apparatus to classify processor events is provided. The apparatus includes a reference generator, a warping unit, a correlation unit and a detector. The reference generator provides a self-reference for an event vector stream based on a history of the event vector stream and the warping unit dynamically aligns the event vector stream with the self-reference to generate a warped event vector stream. The correlation unit determines a window-by-window correlation of event vectors of the warped event vector stream, and the detector passes a window of event vectors of the warped event vector stream to a behavioral classifier when the window-by-window correlation achieves a threshold value. The behavioral classifier may use machine learning. A sample reservoir may be used to store dynamically selected event vectors of the event vector stream that are used, at least in part, to generate the self-reference.

Abstract: A live attack shadow replay can be performed at a shadow replay box that receives a snapshot of a computer program executed by an operating system of a device; mirrors an execution environment of the snapshot; determines a typical execution of the computer program comprising a first set of variables; performs a static analysis on the snapshot of the computer program to determine a second set of variables; determines a divergence between the first set of variables and the second set of variables; marks variables of the second set of variables that are associated with the divergence; replays a portion of the computer program corresponding to at least the snapshot; and monitors the marked variables of the second set of variables during the replaying of the portion of the computer program.

Abstract: Various implementations described herein are directed to a device having a write circuit that provides data for storage. The device may include a memory circuit that stores the data in leaky bitcells with capacitive elements that gradually discharge over a pre-determined period of time. The device may include a read circuit that enables the leaky bitcells to operate as one or more memory storage elements. The device may include a query circuit that identifies matches between a query data and output data provided by the read circuit.

Abstract: A method is provided that includes receiving a computer program comprising regions of code, each region of code including at least one function, pruning a search space of the received computer program by applying a high-level model recognizing potential software vulnerabilities to the computer program to determine a region of the code of the regions of code that includes a potential software vulnerability, performing a localized static analysis on the region of the code that include the potential software vulnerability to determine a local condition that causes the potential software vulnerability to be expressed in the computer program, and generating a report that includes the region of the code that includes the potential software vulnerability including a location of the region of the code within the computer program and the local condition that causes the potential software vulnerability to be expressed in the computer program.

Abstract: A method includes receiving precursor alerts from a precursor detector that detects events from a processing unit, wherein each precursor alert comprises information of an event from the processing unit, the information of an event from the processing unit, detecting a first event in the precursor alerts indicating undesirable behavior and including a first score that is above a first value, setting a first timer for a first period of time, accumulating a score update with the first score of the first event. Upon the score update reaching or exceeding a first threshold value within the first period of time, generating a refined alert.

Abstract: A method is provided that includes receiving a source code block of a source code and a sensor configuration associated with the source code block, performing instrumentation on the source code block at least two times to generate corresponding at least two differently instrumented code blocks from the source code block, creating a corresponding model of the sensor configuration for each differently instrumented code block, and receiving a request for an instrumented variant of the source code block for execution by a processing element and deploying the instrumented variant of the source code block to the processing element. The instrumented variant of the source code block comprises one of the at least two differently instrumented code blocks from the source code block.

Abstract: A computer implemented method is provided. The computer implemented method includes receiving, for execution by a processing element, a relocatable instrumented code block, the relocatable instrumented code block being code that has undergone instrumentation for a monitoring system, duplicating at least one function of the relocatable instrumented code block to produce a plurality of duplicate relocatable code blocks, allocating the instrumented code block and each duplicate relocatable code block of the plurality of duplicate relocatable code blocks to different locations in a memory on a computing device, creating a relocated mapping of the instrumented code block and each duplicate relocatable code block to their corresponding locations in the memory, and transmitting a copy of the mapping of the instrumented code block and each duplicate relocatable code block to their corresponding locations in memory to the monitoring system.

Abstract: A behavioral sensor for creating consumable events can include: a feature extractor coupled to receive an event stream of events performed by a circuit, wherein the feature extractor identifies features of a particular event of the event stream and associates the particular event with a time; and a classifier coupled to receive the features of the particular event from the feature extractor, wherein the classifier classifies the particular event into a classified event associated with the time using predefined categories based on the received features of the particular event; whereby the classified event and subsequent classified events extracted from the event stream within a time frame are appended in a time series forming the consumable events.

Abstract: There is provided an apparatus and method, the apparatus comprising storage circuitry to store event information associated with instructions occurring between instrumentation points. The event information indicates a plurality of different types of events expected to occur during execution of the instructions. The event information comprises, for each event, type information indicating a type of that event and an expected number of occurrences of that event. The apparatus is also provided with monitoring circuitry comprising a plurality of programmable counters. The monitoring circuitry is responsive to a start instrumentation point, to assign at least a subset of the plurality of programmable counters to measure, during execution of the program instructions, occurrences of the plurality of different types of events identified in the event information.

Abstract: A method to mitigate an attack initiated by a malicious actor by migration of the attacked process is provided. The method includes monitoring a process being executed from a first computing location on a computing device for a trigger indicating a potential attack and detecting the trigger indicating the potential attack. Responsive to detecting the trigger indicating the potential attack, initiating an attack countermeasure by migrating the process to execute in a second computing location isolated from the first computing location, thereby breaking access to information at the first computing location. A computing device is also provided that includes a processor, a memory, and instructions stored on the memory that when executed by the processor direct the computing device to monitor a process being executed from a first computing location on the computing device for a trigger indicating a potential attack and detect the trigger indicating the potential attack.

Abstract: A method of malware detection includes performing, by a second device of a plurality of devices on a network, a fuzzy matching between a second sequence of events occurring at the second device and a first sequence of captured events that occurred at a first device of the plurality of devices on the network; determining, by the second device, that a result of the fuzzy matching reaches a first threshold; and in response to determining that the result of the fuzzy matching reaches the first threshold, initiating a detailed instrumentation at the second device. The method can further include determining, by the second device, that a first condition is satisfied; and in response to determining that the first condition is satisfied: generating a second malware behavior package including information from the detailed instrumentation; and communicating the second malware behavior package over the network.

Abstract: A live attack shadow replay can be performed at a shadow replay box that receives a snapshot of a computer program executed by an operating system of a device; mirrors an execution environment of the snapshot; determines a typical execution of the computer program comprising a first set of variables; performs a static analysis on the snapshot of the computer program to determine a second set of variables; determines a divergence between the first set of variables and the second set of variables; marks variables of the second set of variables that are associated with the divergence; replays a portion of the computer program corresponding to at least the snapshot; and monitors the marked variables of the second set of variables during the replaying of the portion of the computer program.