Abstract: An execution environment has been designed that detects likely data exfiltration by using taint tracking and abstract execution. The execution environment is instrumented to monitor for use of functions identified as having functionality for transferring data out of an execution environment. In addition, heuristics-based rules are defined to mark or “taint” objects (e.g., variables) that are likely targets for exfiltration. With taint tracking and control flow analysis, the execution environment tracks the tainted objects through multiple execution paths of a code sample. After comprehensive code coverage, logged use of the monitored functions are examined to determine whether any tainted objects were passed to the monitored functions. If so, the logged use will indicate a destination or sink for the tainted source. Each tainted source-sink association can be examined to verify whether the exfiltration was malicious.

Abstract: The present disclosure provides new and innovative systems and methods for filtering encrypted messages. In an example, a computer-implemented method includes obtaining a message, determining sender profiling features of the message, determining enterprise graph features of the message, determining header features of the message, determining a message flag based on the sender profiling features, the enterprise graph features, and the header features, and processing the message based on the message flag.

Abstract: Generating high-quality threat intelligence from aggregated threat reports is provided via developing a generative model that identifies relationships between a plurality of threat assessment scanners; pre-training a plurality of individual encoders based on a corresponding plurality of pretext tasks and the generative model; combining the individual encoders into a pre-trained encoder; fine-tuning the pre-trained encoder using threat data; and marking a candidate threat, as evaluated via the pre-trained encoder as fine-tuned, as one of benign or malicious.

Abstract: The present disclosure provides new and innovative systems and methods for filtering encrypted messages. In an example, a computer-implemented method includes obtaining a message, determining sender profiling features of the message, determining enterprise graph features of the message, determining header features of the message, determining a message flag based on the sender profiling features, the enterprise graph features, and the header features, and processing the message based on the message flag.

Abstract: The present disclosure provides new and innovative systems and methods for filtering encrypted messages. In an example, a computer-implemented method includes obtaining a message, determining sender profiling features of the message, determining enterprise graph features of the message, determining header features of the message, determining a message flag based on the sender profiling features, the enterprise graph features, and the header features, and processing the message based on the message flag.

Abstract: The main objective of Certificate Transparency (CT) is to detect mis-issued certificates or rouge certificate authorities. It has been observed that phishing sites have been increasingly acquiring certificates to look more legitimate and reach more victims, thus providing an opportunity to predict phishing domains early. The present disclosure provides systems and methods for early detection of phishing and benign domain traces in CT logs. The provided system may predict phishing domains early even before content is available via time-, issuer-, and certificate-based characteristics that are used to identify sets of CT-based inexpensive and novel features. The CT-features are augmented with other features including passive DNS (pDNS) and domain-based lexical features.

Abstract: The present application provides a system for detecting brand squatting domains with a three-stage detection pipeline having three different classifiers. The provided system helps predict whether an unknown domain will be malicious. The first classifier detects abusive brand squatting domains, such as those that impersonate exact popular brand names, as soon as the domains are registered. The second classifier detects abusive brand squatting domains when hosting information becomes available, in combination with the information available for the first classifier. The third classifier detects abusive brand squatting domains when certificate information associated with domains is available, in combination with the information available for the first and second classifiers. The performance of each classifier improves from the first to the second to the third with the first classifier making determinations with the least information and the third classifier making determinations with the most information.

Abstract: A system is provided for identifying compromised mobile devices from a network administrator's point of view. The provided system utilizes a graph-based inference approach that leverages an assumed correlation that devices sharing a similar set of installed applications will have a similar probability of being compromised. Stated differently, the provided system determines whether a given unknown device is compromised or not by analyzing its connections to known devices. Such connections are generated from a small set of known compromised mobile devices and the network traffic data of mobile devices collected by a service provider or network administrator. The proposed system is accordingly able to reliably detect unknown compromised devices without relying on device-specific features.

Abstract: The present disclosure provides new and innovative systems and methods for filtering encrypted messages. In an example, a computer-implemented method includes obtaining a message, determining sender profiling features of the message, determining enterprise graph features of the message, determining header features of the message, determining a message flag based on the sender profiling features, the enterprise graph features, and the header features, and processing the message based on the message flag.

Abstract: The presently disclosed method and system exploits information and traces contained in DNS data to determine the maliciousness of a domain based on the relationship it has with other domains. A method may comprise providing data to a machine learning module that was previously trained on domain and IP address attributes or classifiers. The method then may comprise classifying apex domains and IP addresses based on the IP address and domain attributes or classifiers. Additionally, the method may comprise associated each of the domains and IP addresses based on the corresponding classification. The method may further comprise building a weighted domain graph at real-time utilizing the DNS data based on the aforementioned associations among domains. The method may then comprise assessing the maliciousness of a domain based on the weighted domain graph that was built.

Abstract: The main objective of Certificate Transparency (CT) is to detect mis-issued certificates or rouge certificate authorities. It has been observed that phishing sites have been increasingly acquiring certificates to look more legitimate and reach more victims, thus providing an opportunity to predict phishing domains early. The present disclosure provides systems and methods for early detection of phishing and benign domain traces in CT logs. The provided system may predict phishing domains early even before content is available via time-, issuer-, and certificate-based characteristics that are used to identify sets of CT-based inexpensive and novel features. The CT-features are augmented with other features including passive DNS (pDNS) and domain-based lexical features.

Abstract: The presently disclosed method and system exploits information and traces contained in DNS data to determine the maliciousness of a domain based on the relationship it has with other domains. A method may comprise providing data to a machine learning module that was previously trained on domain and IP address attributes or classifiers. The method then may comprise classifying apex domains and IP addresses based on the IP address and domain attributes or classifiers. Additionally, the method may comprise associated each of the domains and IP addresses based on the corresponding classification. The method may further comprise building a weighted domain graph at real-time utilizing the DNS data based on the aforementioned associations among domains. The method may then comprise assessing the maliciousness of a domain based on the weighted domain graph that was built.

Abstract: Methods of providing policy based access to master keys, enabling keys to be distributed to groups of users in a secure manner while minimizing disruptions to the user in the event of changes to group membership or changes to user attributes. User attributes are identified. Policies are rewritten in terms of user attributes. New unique user attribute keys are generated for each attribute for each user. An access tree is constructed with user attribute keys as leaf nodes and Boolean algebra operations as internal nodes. Shamir polynomials are used for AND nodes, and broadcast polynomials are used for OR nodes. Master keys are accessible by traversing the access tree from the leaf nodes to the root node constructing the polynomials attached to all the nodes along the access path.

Abstract: Methods of providing policy based access to master keys, enabling keys to be distributed to groups of users in a secure manner while minimizing disruptions to the user in the event of changes to group membership or changes to user attributes. User attributes are identified. Policies are rewritten in terms of user attributes. New unique user attribute keys are generated for each attribute for each user. An access tree is constructed with user attribute keys as leaf nodes and Boolean algebra operations as internal nodes. Shamir polynomials are used for AND nodes, and broadcast polynomials are used for OR nodes. Master keys are accessible by traversing the access tree from the leaf nodes to the root node constructing the polynomials attached to all the nodes along the access path.

Abstract: A method and apparatus are disclosed herein for classification. In one embodiment, the method comprises performing tree-based classification of a user input by a classifier with a classification tree at a first location, including exchanging data with a second location, different from the first location, to obtain the user input and provide results of classification to a user using singly homomorphic encryption so that the user input is not revealed to the classifier, the classification tree is not revealed to the user and the classifier's output is not revealed to the classifier.

Abstract: A method and apparatus are disclosed herein for classification. In one embodiment, the method comprises performing tree-based classification of a user input by a classifier with a classification tree at a first location, including exchanging data with a second location, different from the first location, to obtain the user input and provide results of classification to a user using singly homomorphic encryption so that the user input is not revealed to the classifier, the classification tree is not revealed to the user and the classifier's output is not revealed to the classifier.