Patents by Inventor Mircea Ciubotariu

Mircea Ciubotariu has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11868471
    Abstract: A method of particle-based threat scanning may include obtaining a sample from a sample source, generating a plurality of particles from the sample, wherein each particle from the plurality of particles is an array of unique bytes generated based on one or more particle properties, and determining whether the sample is associated with a known threat by comparing the plurality of particles to particle threat signatures in a threat database.
    Type: Grant
    Filed: January 27, 2021
    Date of Patent: January 9, 2024
    Assignee: Amazon Technologies, Inc.
    Inventor: Mircea Ciubotariu
  • Patent number: 11861007
    Abstract: Techniques for detecting container threats are described. A method of detecting container threats includes receiving, by a scanning agent on a scanner container on a host in a provider network, event data from a plurality of collection agents corresponding to a plurality of customer containers on the host, determining, by the scanning agent, the event data matches at least one known threat, and generating, by the scanning agent, event findings associated with the event data.
    Type: Grant
    Filed: March 26, 2021
    Date of Patent: January 2, 2024
    Assignee: Amazon Technologies, Inc.
    Inventors: Mircea Ciubotariu, Shlomo Yehezkel, Peter Ferrie
  • Patent number: 11803642
    Abstract: Techniques for particle-based threat scanning are described. A method of extracting particles from high entropy data may include obtaining a sample from a sample source, identifying an anchor particle in the sample, generating a plurality of particles following the anchor particle based on a particle limit, wherein each particle from the plurality of particles is an array of unique bytes generated based on one or more particle properties, and storing the plurality of particles following the anchor particle in a particle database.
    Type: Grant
    Filed: March 31, 2021
    Date of Patent: October 31, 2023
    Assignee: Amazon Technologies, Inc.
    Inventor: Mircea Ciubotariu
  • Patent number: 11768937
    Abstract: Techniques for hash based flexible scanning are described. A method of hash based flexible scanning may include obtaining a sample from a sample source, determining a size of the sample, generating one or more hashes of one or more blocks of the sample based on the size of the sample, and determining whether the sample is associated with a known threat by comparing the one or more hashes of the one or more blocks to hashes in a threat database.
    Type: Grant
    Filed: November 30, 2020
    Date of Patent: September 26, 2023
    Assignee: Amazon Technologies, Inc.
    Inventor: Mircea Ciubotariu
  • Patent number: 11704408
    Abstract: Techniques for threat scanning transplanted containers are described. A method of threat scanning transplanted containers may include generating a container map of running containers on a block storage volume mounted to a scanning instance of a threat scanning service, scanning the block storage volume by a scanning engine of the scanning instance, identifying at least one threat on the block storage volume, and identifying at least one container associated with the at least one threat using the container map.
    Type: Grant
    Filed: June 30, 2021
    Date of Patent: July 18, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Mircea Ciubotariu, Muhammad Wasiq, Shane Anil Pereira
  • Publication number: 20220335013
    Abstract: Method and apparatus for compressing raw event logs into smaller readable formats are described. An example includes receiving an uncompressed log file including traces of events executed on a computing system. In the uncompressed log file, a number of consecutive events are identified referencing an action performed with different parameters, and the uncompressed log file is modified by replacing the identified consecutive events with a record indicating that an event has been repeated the number of times. In the modified log file, repeated sequences of events are identified, a compressed log file is generated by replacing, in the modified log file, repeated sequences of events with a record referencing an initial repetition of events and a difference between parameters included in the initial repetition of events and a respective repeated sequence, and the generated compressed log file is output.
    Type: Application
    Filed: July 1, 2022
    Publication date: October 20, 2022
    Inventor: Mircea CIUBOTARIU
  • Patent number: 11403016
    Abstract: Techniques for optimizing snapshot changed blocks metadata querying are described. A method of optimizing snapshot changed blocks metadata querying comprises receiving a request to identify one or more changed blocks of a block storage volume in a storage service of a provider network, identifying at least one changed cluster of blocks of the storage volume, the at least one cluster of blocks comprising a plurality of blocks of the storage volume, and identifying at least one changed block from the plurality of blocks associated with the at least one changed cluster.
    Type: Grant
    Filed: May 15, 2020
    Date of Patent: August 2, 2022
    Assignee: Amazon Technologies, Inc.
    Inventor: Mircea Ciubotariu
  • Patent number: 11379421
    Abstract: Method and apparatus for compressing raw event logs into smaller readable formats are described. An example includes receiving an uncompressed log file including traces of events executed on a computing system. In the uncompressed log file, a number of consecutive events are identified referencing an action performed with different parameters, and the uncompressed log file is modified by replacing the identified consecutive events with a record indicating that an event has been repeated the number of times. In the modified log file, repeated sequences of events are identified, a compressed log file is generated by replacing, in the modified log file, repeated sequences of events with a record referencing an initial repetition of events and a difference between parameters included in the initial repetition of events and a respective repeated sequence, and the generated compressed log file is output.
    Type: Grant
    Filed: June 25, 2019
    Date of Patent: July 5, 2022
    Assignee: Amazon Technologies, Inc.
    Inventor: Mircea Ciubotariu
  • Patent number: 11372811
    Abstract: Techniques for optimizing disk volume scanning using snapshot metadata are described. A method of optimizing disk volume scanning using snapshot metadata may include determining, by a scanning service of a provider network, a plurality of changed blocks between a current snapshot of a storage volume in a storage service of the provider network and a reference snapshot of the storage volume, determining one or more files that overlap at least one of the plurality of changed blocks, and scanning the one or more files for threats.
    Type: Grant
    Filed: March 31, 2020
    Date of Patent: June 28, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Mircea Ciubotariu, Sandeep Kumar, Shlomo Yehezkel, Chakravarthi Kalyana Valicherla, Tal Eidelman, Shane Pereira
  • Patent number: 10977368
    Abstract: A method for threat detection by identifying patterns of used memory blocks is described. In one embodiment, the method includes identifying a pattern of memory allocations from a known malware threat; tracking memory allocations of memory; identifying a plurality of memory allocations that match at least a portion of the pattern of memory allocations based at least in part on the tracking of the memory allocations; and performing a security action upon determining a quantity of the plurality of memory allocations satisfies a predetermined threshold. In some examples, the method includes determining that a sequence of wiped data strings satisfies a confidence threshold, and identifying the plurality of memory allocations is based at least in part on the confidence threshold. In some cases, the security action includes flagging the identified pattern of memory allocations, quarantining an associated application or process, or generating a notification.
    Type: Grant
    Filed: December 27, 2017
    Date of Patent: April 13, 2021
    Assignee: CA TECHNOLOGIES, INC.
    Inventor: Mircea Ciubotariu
  • Patent number: 10846405
    Abstract: The disclosed computer-implemented method for detecting and protecting against malicious software may include loading an untrusted application having a defined entry point into an emulated computing environment, executing a first instance of the untrusted application in the emulated computing environment beginning at the defined entry point, executing a second instance of the untrusted application beginning at a second entry point downstream from the defined entry point so as to bypass at least a portion of the untrusted application executed in the first instance, identifying the untrusted application as a potential threat based on information extracted from the second instance of the untrusted application, and performing a security action to protect against the untrusted application identified as a threat. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: June 19, 2018
    Date of Patent: November 24, 2020
    Assignee: NORTONLIFELOCK INC.
    Inventors: Mircea Ciubotariu, Dumitru Stama
  • Patent number: 10645099
    Abstract: API calls made by a code sample executing in an emulator are analyzed. Specific ones of the analyzed API calls are classified as meeting a threshold level of suspicion of being made by malware. In response to a specific API call being classified as meeting the threshold, a range of memory before and after the return address of the classified API call is copied to a buffer that is not accessible to the code sample. The copied range of memory in the buffer that is not accessible to the code sample is scanned, and a signature corresponding to the code sample is generated. The generated signature can be used for signature based malware detection, in order to detect one or more instances of malware. In response to detecting malware, one or more security actions can be performed.
    Type: Grant
    Filed: September 1, 2017
    Date of Patent: May 5, 2020
    Assignee: CA, Inc.
    Inventor: Mircea Ciubotariu
  • Patent number: 10621348
    Abstract: Detecting a malicious application executing in an emulator based on a check made by the malicious application after making an API call. In one embodiment, a method may include executing an application in an emulator that emulates a real-world computing environment. The method may also include detecting, in the application, an API call configured to accept a parameter and return a variable return value to a return address in the application. The method may further include detecting, at the return address, a check to be performed on the variable return value returned by the API call. The method may also include, in response to the detecting of the check, determining that the application is malicious. The method may further include performing a security action on the malicious application to prevent the malicious application from executing in the real-world computing environment.
    Type: Grant
    Filed: August 15, 2017
    Date of Patent: April 14, 2020
    Assignee: CA, Inc.
    Inventors: Mircea Ciubotariu, Priti Nachiket More
  • Patent number: 10338943
    Abstract: Computer-implemented systems, methods, and media are provided for emulating microprocessor instructions. The computer-implemented systems, methods, and media may, for example, identify an instruction of a first software application using a second software application that emulates instructions of a type of microprocessor, add an additional bit to a length of an operation code of the instruction to create an extended operation code, wherein the extended operation code is represented in an operation code table of the second software application, and emulate execution of the instruction using the second software application and the extended operation code.
    Type: Grant
    Filed: September 17, 2015
    Date of Patent: July 2, 2019
    Assignee: SYMANTEC CORPORATION
    Inventors: Mircea Ciubotariu, Costin Ionescu
  • Patent number: 9170791
    Abstract: An input dataset comprising a plurality of input items is transformed into a smaller output dataset comprising a plurality of corresponding output items. For each input item, a corresponding output item is created, wherein each input item contains some content that is not present in the corresponding output item. Creating an output item can comprise right shifting the bits of the input item by a shifting value, and performing an exclusive or operation on the input item and the results of the right shifting. The content contained in each input item that is not present in the corresponding output item is encoded in the storage address of the corresponding output item, such that the content of each input item is contained in a combination of the corresponding output item and its storage address. The output dataset comprises multiple levels.
    Type: Grant
    Filed: November 30, 2010
    Date of Patent: October 27, 2015
    Assignee: Symantec Corporation
    Inventor: Mircea Ciubotariu