Patents by Inventor Nikolay PRUDKOVSKIY

Nikolay PRUDKOVSKIY has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11960597
    Abstract: A method and a system for analysis of executable files are provided. The method comprises: obtaining a plurality of training executable files including at least one malicious executable file and at least one benign executable file; analyzing the plurality of training executable files to extract therefrom data including a plurality of features; transforming the data organizing the plurality of features in sets of features, a given one of which includes features of a respective predetermined type; identifying, in the given set of features, informative features indicative of a given training executable file being one of malicious and benign; combining, over the plurality of training executable files, for the respective predetermined data type, the informative features to generate at least one feature vector; and training, based on the at least one feature vector, at least one classifier to determine if an in-use executable file is one of malicious and benign.
    Type: Grant
    Filed: August 31, 2021
    Date of Patent: April 16, 2024
    Assignee: F.A.C.C.T. NETWORK SECURITY LLC
    Inventor: Nikolay Prudkovskiy
  • Patent number: 11936673
    Abstract: A method and a system for detecting harmful content on a network are provided. The method comprises: receiving a URL; obtaining, from the URL, an HTML document associated therewith; converting the HTML document into a text; normalizing the text associated with the HTML document, thereby generating a plurality of tokens associated therewith; aggregating each one of the plurality of tokens into a token vector associated with the HTML document; and applying one or more classifiers to the token vector associated with the HTML document to determine a likelihood parameter indicative of the URL being associated with the harmful content; in response to the likelihood parameter being equal to or greater than a predetermined likelihood parameter threshold: identifying the URL as being associated with the harmful content; and storing the URL in a database of harmful URLs.
    Type: Grant
    Filed: December 10, 2020
    Date of Patent: March 19, 2024
    Assignee: GROUP IB, LTD
    Inventor: Nikolay Prudkovskiy
  • Publication number: 20220407875
    Abstract: A method and system for detection of malicious network resources in a distributed computer system are provided. The method comprises: receiving, by a first computing device, disposed inside the distributed computer system, outbound traffic, detecting, by the first computing device, a suspicious external IP address in the outbound traffic, scanning, by the first computing device, a suspicious device located at the suspicious IP address to obtain a list of services running thereon, transmitting, by the first computing device, the suspicious IP address and the list of services to a second computing device disposed outside the distributed computer system, comparing, by the second computing device, the list of services with known malicious services, and in response to a match between at least one service from the list of services and a respective one of the known malicious services: determining the suspicious device, at the suspicious IP address, as being malicious.
    Type: Application
    Filed: May 31, 2022
    Publication date: December 22, 2022
    Inventors: Nikolay PRUDKOVSKIY, Dmitry VOLKOV
  • Publication number: 20220385694
    Abstract: A method and a computing device for clustering phishing web resources based on images of visual content thereof are provided. The method comprises: receiving references to a plurality of phishing web resources; generating, for a given phishing web resource of the plurality of phishing web resources, at least one image of a visual content of the given phishing web resource; analyzing the at least one image associated with the given phishing web resource, the analyzing comprising identifying contours of elements of the visual content of the given phishing web resource within the at least one image; conducting pairwise comparison between the contours associated with the given phishing web resource and contours of stored clusters of visual content images; and storing, in a database, data indicative of an association between the given phishing web resource and a respective cluster of the at least one image.
    Type: Application
    Filed: July 11, 2022
    Publication date: December 1, 2022
    Inventors: Boris ZVERKOV, Nikolay PRUDKOVSKIY
  • Publication number: 20220377108
    Abstract: A method for clustering phishing web resources based on visual content image, executed on a computer device comprising at least a processor and memory, and the method comprises the following steps: receiving references to a set of phishing web resources; retrieving at least one image of the visual content of each web resource of the set; processing the content of each visual content image associated with one of the set web resources, while contouring the elements on each image of the phishing web resource visual content; filtering the identified contours in each visual content image by removing the identical contours; combining the web resource associated with the compared contours and the cluster based on pairwise comparison of the identified contours and cluster contours, wherein, if the similarity value overrides the threshold value, otherwise, creating a new cluster for the web resource; storing references to web resources associated with corresponding contours of the content from a set of specified clust
    Type: Application
    Filed: May 20, 2022
    Publication date: November 24, 2022
    Inventors: Boris ZVERKOV, Nikolay PRUDKOVSKIY
  • Publication number: 20220179948
    Abstract: A method and a system for analysis of executable files are provided. The method comprises: obtaining a plurality of training executable files including at least one malicious executable file and at least one benign executable file; analyzing the plurality of training executable files to extract therefrom data including a plurality of features; transforming the data organizing the plurality of features in sets of features, a given one of which includes features of a respective predetermined type; identifying, in the given set of features, informative features indicative of a given training executable file being one of malicious and benign; combining, over the plurality of training executable files, for the respective predetermined data type, the informative features to generate at least one feature vector; and training, based on the at least one feature vector, at least one classifier to determine if an in-use executable file is one of malicious and benign.
    Type: Application
    Filed: August 31, 2021
    Publication date: June 9, 2022
    Inventor: Nikolay PRUDKOVSKIY
  • Publication number: 20210360012
    Abstract: A method and a system for detecting harmful content on a network are provided. The method comprises: receiving a URL; obtaining, from the URL, an HTML document associated therewith; converting the HTML document into a text; normalizing the text associated with the HTML document, thereby generating a plurality of tokens associated therewith; aggregating each one of the plurality of tokens into a token vector associated with the HTML document; and applying one or more classifiers to the token vector associated with the HTML document to determine a likelihood parameter indicative of the URL being associated with the harmful content; in response to the likelihood parameter being equal to or greater than a predetermined likelihood parameter threshold: identifying the URL as being associated with the harmful content; and storing the URL in a database of harmful URLs.
    Type: Application
    Filed: December 10, 2020
    Publication date: November 18, 2021
    Inventor: Nikolay PRUDKOVSKIY