Patents by Inventor Oleksii Starov
Oleksii Starov has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Patent number: 12058173
  Abstract: Web sites are crawled using multiple browser profiles to avoid malicious cloaking. Based on web page content returned from HTTP requests using the multiple browser profiles, web sites returning substantively different content to HTTP requests for different browser profiles are identified. Web sites are further filtered by common cloaking behavior, and redirect scripts are extracted from web page content that performed cloaking. Signatures comprising tokenized versions of the redirect scripts are generated and compared to a database of known cloaking signatures. URLs corresponding to signatures having approximate matches with signatures in the database are flagged for recrawling. Recrawled URLs are verified for malicious cloaking again using HTTP requests from multiple browser profiles.
  Type: Grant
  Filed: July 12, 2022
  Date of Patent: August 6, 2024
  Assignee: Palo Alto Networks, Inc.
  Inventors: Oleksii Starov, Zhanhao Chen, Yuchen Zhou, Fang Liu
- Publication number: 20240259412
  Abstract: Techniques for deobfuscating and decloaking web-based malware with abstract execution are disclosed. In some embodiments, a system/process/computer program product for deobfuscating and decloaking web-based malware with abstract execution includes receiving a sample; performing an abstract execution of a script included in the sample; identifying the sample as malware based on the abstract execution of the script included in the sample; and generating a log of results from the abstract execution of the script included in the sample.
  Type: Application
  Filed: March 19, 2024
  Publication date: August 1, 2024
  Inventors: William Russell Melicher, Oleksii Starov
- Publication number: 20240250968
  Abstract: Techniques for detecting scanning and attacking uniform resource locators in network traffic are disclosed. A system, process, and/or computer program product for detecting scanning and attacking uniform resource locators in network traffic includes monitoring egress traffic from an enterprise network, determining whether a uniform resource locator (URL) request is associated with scanning and attacking egress traffic based on one or more features, and performing an action in response to a determination that the URL request is associated with the scanning and attacking egress traffic from the enterprise network.
  Type: Application
  Filed: January 19, 2023
  Publication date: July 25, 2024
  Inventors: Beliz Kaleli, Fang Liu, Oleksii Starov
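The abstract above names only "one or more features". As an added illustration, not Palo Alto Networks' implementation and not the patent's feature set, the Python below runs a heuristic scorer over constructed egress log lines: per-request features (well-known probe paths, attack-looking payloads in the decoded URL, an IP-literal destination host) plus a per-source host-spray feature, with a score threshold that selects the action. Every probe path, regex, weight, window and log line is an assumption made for the example.

```python
"""Flagging scanning/attacking URL requests in enterprise egress logs (added
example; the features and weights are constructed heuristics, not the patent's).
Per-request features: well-known probe path, attack-looking payload in the decoded
URL, IP-literal destination host. Per-source feature: many distinct destination
hosts within a short window. Requests at or above the score threshold get an
action. The log lines are constructed."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List
from urllib.parse import unquote, urlsplit

PROBE_PATHS = {"/wp-login.php", "/xmlrpc.php", "/.env", "/.git/config", "/phpmyadmin/",
               "/admin/", "/cgi-bin/", "/actuator/env", "/server-status"}
PAYLOAD_RE = re.compile(r"\.\./|union\s+select|<script|\$\{jndi:|/etc/passwd|'\s*or\s+1\s*=\s*1", re.I)
WINDOW = timedelta(seconds=60)   # spray detection window (assumption)
SPRAY_HOSTS = 4                   # distinct hosts per source per window (assumption)
WEIGHTS = {"probe_path": 2, "attack_payload": 3, "ip_literal_host": 1, "host_spray": 2}
THRESHOLD = 3


@dataclass
class Request:
    ts: datetime
    src: str
    method: str
    url: str
    status: int


def parse_line(line: str) -> Request:
    """Constructed line format: <iso-ts> <src-ip> <method> <url> <status>."""
    ts, src, method, url, status = line.split()
    return Request(datetime.fromisoformat(ts.replace("Z", "+00:00")), src, method, url, int(status))


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def request_features(req: Request) -> List[str]:
    """Features computable from the single request."""
    parts = urlsplit(req.url)
    path = parts.path.lower()
    feats = []
    if path in PROBE_PATHS or path.rstrip("/") + "/" in PROBE_PATHS:
        feats.append("probe_path")
    if PAYLOAD_RE.search(unquote(parts.path + "?" + parts.query)):
        feats.append("attack_payload")
    if is_ip_literal(parts.hostname or ""):
        feats.append("ip_literal_host")
    return feats


def host_spray(req: Request, same_src: List[Request]) -> bool:
    """Did this source touch >= SPRAY_HOSTS distinct hosts within WINDOW of this request?"""
    hosts = {urlsplit(r.url).hostname for r in same_src if abs(r.ts - req.ts) <= WINDOW}
    return len(hosts) >= SPRAY_HOSTS


def detect(lines: List[str], threshold: int = THRESHOLD) -> List[dict]:
    """Score every egress request; return those classified as scanning/attacking."""
    reqs = [parse_line(l) for l in lines if l.strip()]
    by_src: Dict[str, List[Request]] = defaultdict(list)
    for r in reqs:
        by_src[r.src].append(r)
    hits = []
    for r in reqs:
        feats = request_features(r)
        if host_spray(r, by_src[r.src]):
            feats.append("host_spray")
        score = sum(WEIGHTS[f] for f in feats)
        if score >= threshold:
            hits.append({"src": r.src, "url": r.url, "score": score, "features": feats,
                         "action": "block" if score >= 2 * threshold else "alert"})
    return hits


LOG = """\
2024-07-01T10:00:01Z 10.1.2.3 GET http://intranet.example/ 200
2024-07-01T10:00:02Z 10.1.2.3 GET http://news.example/article/42 200
2024-07-01T10:05:00Z 10.1.9.9 GET http://203.0.113.10/wp-login.php 404
2024-07-01T10:05:01Z 10.1.9.9 GET http://203.0.113.11/.env 404
2024-07-01T10:05:02Z 10.1.9.9 GET http://203.0.113.12/phpmyadmin/ 404
2024-07-01T10:05:03Z 10.1.9.9 GET http://203.0.113.13/.git/config 404
2024-07-01T10:05:04Z 10.1.9.9 GET http://203.0.113.14/index.php?id=1%27%20UNION%20SELECT%201,2,3-- 500
2024-07-01T10:06:00Z 10.1.2.3 GET http://shop.example/search?q=shoes 200
"""  # constructed egress log

if __name__ == "__main__":
    for hit in detect(LOG.splitlines()):
        print(hit["action"], hit["src"], hit["url"], hit["features"])
```

The per-source spray feature is what separates an internal host probing the Internet from a single odd URL: the five requests from 10.1.9.9 hit five different IP-literal hosts in four seconds and are all flagged, while the SQL-injection-looking request alone scores high enough to be blocked rather than just alerted. Ordinary browsing from 10.1.2.3 produces no features at all.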
- Patent number: 11973780
  Abstract: Techniques for deobfuscating and decloaking web-based malware with abstract execution are disclosed. In some embodiments, a system/process/computer program product for deobfuscating and decloaking web-based malware with abstract execution includes receiving a sample; performing an abstract execution of a script included in the sample; identifying the sample as malware based on the abstract execution of the script included in the sample; and generating a log of results from the abstract execution of the script included in the sample.
  Type: Grant
  Filed: October 13, 2021
  Date of Patent: April 30, 2024
  Assignee: Palo Alto Networks, Inc.
  Inventors: William Russell Melicher, Oleksii Starov
- Publication number: 20240121267
  Abstract: A hierarchical structure constructor constructs a hierarchical structure that comprises nodes associated with feature set patterns of URLs. Nodes at each depth are labelled as malicious, benign, or mixed according to whether the URLs that match the corresponding patterns are malicious, benign, or both malicious and benign. Malicious feature set patterns are extracted from malicious nodes in the hierarchical structure. A URL analyzer operates inline by logging traffic sessions, extracting URLs from the logs, and matching the extracted URLs with the malicious feature set patterns extracted from the hierarchical structure. The hierarchical structure is periodically updated with known malicious/benign URLs to improve quality of malicious URL detection.
  Type: Application
  Filed: October 6, 2022
  Publication date: April 11, 2024
  Inventors: Yubao Zhang, Fang Liu, Peng Peng, Oleksii Starov
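As an added example, not the patented code, here is a minimal version of the hierarchy described above in Python: a trie over URL features whose nodes are labelled malicious, benign or mixed from their counts, pattern extraction from the shallowest purely malicious nodes, and an inline matcher fed from constructed session-log lines. The feature decomposition (host, digit-generalised path segments, sorted query keys) and every URL and log line are assumptions made for the example.

```python
"""URL feature-set hierarchy for inline malicious-URL matching (added example; not
the patented implementation). A URL becomes an ordered feature list (host,
generalised path segments, query keys) inserted into a trie whose nodes count the
malicious and benign URLs passing through them. The shallowest purely malicious
nodes become patterns; an inline matcher extracts URLs from session logs and
checks their feature prefixes against those patterns. URLs and logs are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

Pattern = Tuple[str, ...]


def features(url: str) -> List[str]:
    """host, then path segments with digit runs generalised to <N>, then sorted query keys."""
    parts = urlsplit(url)
    feats = ["host=" + parts.netloc.lower()]
    feats += ["path=" + re.sub(r"\d+", "<N>", seg) for seg in parts.path.split("/") if seg]
    feats += ["q=" + k for k in sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})]
    return feats


@dataclass
class Node:
    children: Dict[str, "Node"] = field(default_factory=dict)
    malicious: int = 0
    benign: int = 0

    @property
    def label(self) -> str:
        if self.malicious and self.benign:
            return "mixed"
        return "malicious" if self.malicious else "benign"


class UrlHierarchy:
    def __init__(self) -> None:
        self.root = Node()

    def add(self, url: str, malicious: bool) -> None:
        """Insert a labelled URL; every node on its path receives the label count."""
        node = self.root
        for f in features(url):
            node = node.children.setdefault(f, Node())
            if malicious:
                node.malicious += 1
            else:
                node.benign += 1

    def malicious_patterns(self) -> List[Pattern]:
        """Shallowest purely malicious nodes; mixed nodes are descended, benign subtrees pruned."""
        out: List[Pattern] = []

        def walk(node: Node, prefix: Pattern) -> None:
            for f, child in node.children.items():
                if child.label == "malicious":
                    out.append(prefix + (f,))
                elif child.label == "mixed":
                    walk(child, prefix + (f,))

        walk(self.root, ())
        return out


def match(url: str, patterns: Iterable[Pattern]) -> Optional[Pattern]:
    """Inline check: return the malicious pattern equal to some feature prefix of the URL."""
    pattern_set = set(patterns)
    feats = features(url)
    for n in range(1, len(feats) + 1):
        if tuple(feats[:n]) in pattern_set:
            return tuple(feats[:n])
    return None


URL_RE = re.compile(r"https?://[^\s\"']+")


def urls_from_log(lines: Iterable[str]) -> List[str]:
    """Pull URLs out of logged sessions (constructed one-line-per-session format)."""
    return [m.group(0) for line in lines for m in URL_RE.finditer(line)]


def build_sample_hierarchy() -> UrlHierarchy:
    """Constructed labelled URLs standing in for a known malicious/benign feed."""
    h = UrlHierarchy()
    for url in ("http://cdn.example/wp-content/plugins/x/load.php?id=1",
                "http://cdn.example/wp-content/plugins/x/load.php?id=7",
                "http://bad.example/anything"):
        h.add(url, malicious=True)
    for url in ("http://cdn.example/", "http://cdn.example/wp-content/themes/clean/style.css",
                "http://good.example/login"):
        h.add(url, malicious=False)
    return h


SESSION_LOG = [  # constructed
    "2024-07-01T10:00:01Z src=10.1.2.3 url=http://good.example/login status=200",
    "2024-07-01T10:00:02Z src=10.1.2.4 url=http://cdn.example/wp-content/plugins/other/go.php status=200",
    "2024-07-01T10:00:03Z src=10.1.2.5 url=http://bad.example/x/y status=302",
]

if __name__ == "__main__":
    patterns = build_sample_hierarchy().malicious_patterns()
    for url in urls_from_log(SESSION_LOG):
        print(url, "->", match(url, patterns))
```

Taking the shallowest purely malicious node gives the most general pattern the labelled data supports, which is also why the abstract's periodic update matters: with the constructed feed, everything under cdn.example/wp-content/plugins/ matches, and adding one benign plugin URL (for instance http://cdn.example/wp-content/plugins/seo/seo.js with malicious=False) turns that node mixed and pushes the extracted pattern one level deeper, so unrelated plugins stop matching.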
- Publication number: 20240095361
  Abstract: An execution environment has been designed that detects likely data exfiltration by using taint tracking and abstract execution. The execution environment is instrumented to monitor for use of functions identified as having functionality for transferring data out of an execution environment. In addition, heuristics-based rules are defined to mark or “taint” objects (e.g., variables) that are likely targets for exfiltration. With taint tracking and control flow analysis, the execution environment tracks the tainted objects through multiple execution paths of a code sample. After comprehensive code coverage, logged use of the monitored functions is examined to determine whether any tainted objects were passed to the monitored functions. If so, the logged use will indicate a destination or sink for the tainted source. Each tainted source-sink association can be examined to verify whether the exfiltration was malicious.
  Type: Application
  Filed: November 20, 2023
  Publication date: March 21, 2024
  Inventors: William Russell Melicher, Mohamed Yoosuf Mohamed Nabeel, Oleksii Starov
- Publication number: 20240064156
  Abstract: Techniques for providing innocent until proven guilty (IUPG) solutions for building and using adversary resistant and false positive resistant deep learning models are disclosed. In some embodiments, a system, process, and/or computer program product includes storing a set comprising one or more innocent until proven guilty (IUPG) models for static analysis of a sample; performing a static analysis of content associated with the sample, wherein performing the static analysis includes using at least one stored IUPG model; and determining that the sample is malicious based at least in part on the static analysis of the content associated with the sample, and in response to determining that the sample is malicious, performing an action based on a security policy.
  Type: Application
  Filed: November 3, 2023
  Publication date: February 22, 2024
  Inventors: Brody James Kutt, Oleksii Starov, Yuchen Zhou, William Redington Hewlett, II
- Patent number: 11856003
  Abstract: Techniques for providing innocent until proven guilty (IUPG) solutions for building and using adversary resistant and false positive resistant deep learning models are disclosed. In some embodiments, a system, process, and/or computer program product includes storing a set comprising one or more innocent until proven guilty (IUPG) models for static analysis of a sample; performing a static analysis of content associated with the sample, wherein performing the static analysis includes using at least one stored IUPG model; and determining that the sample is malicious based at least in part on the static analysis of the content associated with the sample, and in response to determining that the sample is malicious, performing an action based on a security policy.
  Type: Grant
  Filed: May 26, 2021
  Date of Patent: December 26, 2023
  Assignee: Palo Alto Networks, Inc.
  Inventors: Brody James Kutt, Oleksii Starov, Yuchen Zhou, William Redington Hewlett, II
- Patent number: 11816214
  Abstract: A system/process/computer program product for building multi-representational learning models for static analysis of source code includes receiving training data, wherein the training data includes a set of source code files for training a multi-representational learning (MRL) model for classifying malicious source code and benign source code based on a static analysis; generating a first feature vector based on a set of characters extracted from the set of source code files; generating a second feature vector based on a set of tokens extracted from the set of source code files; and performing an ensemble of the first feature vector and the second feature vector to form a target feature vector for classifying malicious source code and benign source code based on the static analysis.
  Type: Grant
  Filed: February 2, 2023
  Date of Patent: November 14, 2023
  Assignee: Palo Alto Networks, Inc.
  Inventors: Brody James Kutt, William Redington Hewlett, Oleksii Starov, Yuchen Zhou, Fang Liu
- Patent number: 11783035
  Abstract: Techniques for multi-representational learning models for static analysis of source code are disclosed. In some embodiments, a system/process/computer program product for multi-representational learning models for static analysis of source code includes receiving at a networked device a set comprising one or more multi-representation learning (MRL) models for static analysis of source code; performing a static analysis of source code associated with a sample received at the network device, wherein performing the static analysis includes using at least one MRL model; and determining that the sample is malicious based at least in part on the static analysis of the source code associated with the sample and without performing dynamic analysis of the sample, and in response to determining that the sample is malicious, performing an action based on a security policy.
  Type: Grant
  Filed: November 15, 2022
  Date of Patent: October 10, 2023
  Assignee: Palo Alto Networks, Inc.
  Inventors: Brody James Kutt, William Redington Hewlett, II, Oleksii Starov, Yuchen Zhou, Fang Liu
- Publication number: 20230254338
  Abstract: Techniques for automated generation of behavioral signatures for malicious web campaigns are disclosed. In some embodiments, a system/process/computer program product for automated generation of behavioral signatures for malicious web campaigns includes crawling a plurality of web sites associated with a malware campaign; determining discriminating repeating attributes (e.g., behavior related attributes, which can be determined using dynamic analysis, and static related attributes, which can be determined using static analysis) as malware campaign related footprint patterns, wherein the discriminating repeating attributes are not associated with benign web sites; and automatically generating a human-interpretable malware campaign signature based on the malware campaign related footprint patterns.
  Type: Application
  Filed: January 31, 2023
  Publication date: August 10, 2023
  Inventors: William Russell Melicher, Oleksii Starov, Shresta Bellary Seetharam, Shaown Sarker
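Added example, not the patented generator: one way to turn per-site static and dynamic crawl observations into a human-readable campaign signature in Python. Attributes are abstracted to hosts and API names, kept when they repeat on at least a min_support fraction of the campaign's sites and never appear on benign sites, and rendered as an AND list. The observation format, attribute naming, support threshold and all sites are constructed for the example.

```python
"""Automated behavioural signature for a web campaign (added example; not the
patented generator). Each crawled site yields a set of abstracted attributes:
static ones from the page (script hosts, form target host) and dynamic ones from
execution (redirect hosts, DOM/JS APIs touched). Attributes that repeat across the
campaign's sites above a support threshold and never appear on benign sites become
a human-readable AND-signature. All observations below are constructed."""
from collections import Counter
from typing import Dict, List, Set
from urllib.parse import urlsplit

Observation = Dict[str, List[str]]


def attributes(obs: Observation) -> Set[str]:
    """Abstract raw observations to host- and API-level attributes."""
    host = lambda u: urlsplit(u).netloc.lower()
    attrs = {"script-host:" + host(u) for u in obs.get("scripts", [])}
    attrs |= {"form-host:" + host(u) for u in obs.get("form_actions", [])}
    attrs |= {"redirect-host:" + host(u) for u in obs.get("redirects", [])}
    attrs |= {"api:" + a for a in obs.get("apis", [])}
    return attrs


def generate_signature(campaign: Dict[str, Observation], benign: Dict[str, Observation],
                       min_support: float = 0.8) -> List[str]:
    """Attributes present on >= min_support of campaign sites and on no benign site, sorted."""
    counts = Counter(a for obs in campaign.values() for a in attributes(obs))
    benign_attrs = set().union(*(attributes(o) for o in benign.values()))
    needed = min_support * len(campaign)
    return sorted(a for a, c in counts.items() if c >= needed and a not in benign_attrs)


def render(name: str, signature: List[str]) -> str:
    """Human-interpretable form: one attribute per line, all required."""
    return f"campaign {name}:\n" + "\n".join("  AND " + a for a in signature)


def matches(obs: Observation, signature: List[str]) -> bool:
    """A site matches when it exhibits every attribute of the signature."""
    return bool(signature) and set(signature) <= attributes(obs)


# Constructed crawl observations: three campaign landing pages, two benign sites.
CAMPAIGN: Dict[str, Observation] = {
    "http://prize-a.example/": {
        "scripts": ["https://cdn-track.example/p.js", "https://ajax.googleapis.com/jquery.js"],
        "form_actions": ["https://collect.example/submit"],
        "redirects": ["http://prize-a.example/", "http://win-now.example/claim?u=1"],
        "apis": ["navigator.userAgent", "document.cookie", "setTimeout"],
    },
    "http://prize-b.example/": {
        "scripts": ["https://cdn-track.example/p.js"],
        "form_actions": ["https://collect.example/submit"],
        "redirects": ["http://prize-b.example/", "http://win-now.example/claim?u=2"],
        "apis": ["navigator.userAgent", "document.cookie"],
    },
    "http://prize-c.example/": {
        "scripts": ["https://cdn-track.example/p.js"],
        "form_actions": ["https://collect.example/submit"],
        "redirects": ["http://prize-c.example/"],
        "apis": ["navigator.userAgent", "document.cookie", "localStorage.setItem"],
    },
}
BENIGN: Dict[str, Observation] = {
    "http://news.example/": {
        "scripts": ["https://ajax.googleapis.com/jquery.js"],
        "form_actions": ["https://news.example/search"],
        "redirects": ["http://news.example/"],
        "apis": ["navigator.userAgent", "setTimeout"],
    },
    "http://shop.example/": {
        "scripts": ["https://shop.example/app.js"],
        "form_actions": ["https://shop.example/cart"],
        "redirects": ["http://shop.example/"],
        "apis": ["document.cookie", "localStorage.setItem"],
    },
}

if __name__ == "__main__":
    sig = generate_signature(CAMPAIGN, BENIGN)
    print(render("prize-scam", sig))
    for url, obs in {**CAMPAIGN, **BENIGN}.items():
        print(url, "matches" if matches(obs, sig) else "no match")
```

Two things the data is arranged to show: navigator.userAgent and document.cookie repeat on every campaign site but are dropped because benign sites use them too (the "not associated with benign web sites" condition), and the win-now.example redirect host, seen on two of three sites, is dropped at min_support=0.8 and kept at 0.6, which is the knob between a tight signature and one that also catches campaign pages whose redirect chain was not fully observed.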
- Publication number: 20230185913
  Abstract: A system/process/computer program product for building multi-representational learning models for static analysis of source code includes receiving training data, wherein the training data includes a set of source code files for training a multi-representational learning (MRL) model for classifying malicious source code and benign source code based on a static analysis; generating a first feature vector based on a set of characters extracted from the set of source code files; generating a second feature vector based on a set of tokens extracted from the set of source code files; and performing an ensemble of the first feature vector and the second feature vector to form a target feature vector for classifying malicious source code and benign source code based on the static analysis.
  Type: Application
  Filed: February 2, 2023
  Publication date: June 15, 2023
  Inventors: Brody James Kutt, William Redington Hewlett, II, Oleksii Starov, Yuchen Zhou, Fang Liu
- Patent number: 11615184
  Abstract: A system/process/computer program product for building multi-representational learning models for static analysis of source code includes receiving training data, wherein the training data includes a set of source code files for training a multi-representational learning (MRL) model for classifying malicious source code and benign source code based on a static analysis; generating a first feature vector based on a set of characters extracted from the set of source code files; generating a second feature vector based on a set of tokens extracted from the set of source code files; and performing an ensemble of the first feature vector and the second feature vector to form a target feature vector for classifying malicious source code and benign source code based on the static analysis.
  Type: Grant
  Filed: January 31, 2020
  Date of Patent: March 28, 2023
  Assignee: Palo Alto Networks, Inc.
  Inventors: Brody James Kutt, William Redington Hewlett, II, Oleksii Starov, Yuchen Zhou, Fang Liu
- Publication number: 20230074151
  Abstract: Techniques for multi-representational learning models for static analysis of source code are disclosed. In some embodiments, a system/process/computer program product for multi-representational learning models for static analysis of source code includes receiving at a networked device a set comprising one or more multi-representation learning (MRL) models for static analysis of source code; performing a static analysis of source code associated with a sample received at the network device, wherein performing the static analysis includes using at least one MRL model; and determining that the sample is malicious based at least in part on the static analysis of the source code associated with the sample and without performing dynamic analysis of the sample, and in response to determining that the sample is malicious, performing an action based on a security policy.
  Type: Application
  Filed: November 15, 2022
  Publication date: March 9, 2023
  Inventors: Brody James Kutt, William Redington Hewlett, II, Oleksii Starov, Yuchen Zhou, Fang Liu
- Patent number: 11582226
  Abstract: An author of a malicious websites campaign (scam or phishing) likely uses a legitimate third-party service to facilitate the malicious campaign. An example includes legitimate CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) services to conceal the malicious campaign from automated security scanners. A security service/platform can employ a detection pipeline that leverages use of CAPTCHA keys across websites of a malicious websites campaign. Websites that use CAPTCHA keys found in known malicious websites can at least be identified as suspect and communicated to firewalls.
  Type: Grant
  Filed: February 22, 2021
  Date of Patent: February 14, 2023
  Assignee: Palo Alto Networks, Inc.
  Inventors: Oleksii Starov, Yuchen Zhou, Xiao Zhang, Fang Liu
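Added example (not the patented detection pipeline): pivoting on CAPTCHA site keys in Python. Site keys are public and embedded in the page, so a scam kit copied across domains tends to carry the same key. The code extracts keys from common embedding forms, indexes sites by key, and marks a site suspect when it shares a key with a known malicious site, unless the key also appears on a known benign site. The output is "suspect", not "malicious": shared keys are normal within one organisation, and a scammer can also paste a legitimate site's public key. The regexes, keys, pages and labels are all constructed for the example.

```python
"""Pivoting on shared CAPTCHA site keys across a website campaign (added example;
not the patented pipeline). Keys are extracted from page HTML, sites are indexed
by key, and any site sharing a key with a known malicious site is marked suspect
unless that key is also seen on a known benign site. Pages, keys and labels are
constructed."""
import re
from collections import defaultdict
from typing import Dict, Set

# Common embedding forms (constructed regexes): <div data-sitekey="...">,
# api.js?render=... for score-based widgets, and {sitekey: '...'} in render() calls.
KEY_PATTERNS = [
    re.compile(r"""data-sitekey\s*=\s*["']([A-Za-z0-9_-]{20,})["']""", re.I),
    re.compile(r"""recaptcha/api\.js\?render=([A-Za-z0-9_-]{20,})""", re.I),
    re.compile(r"""sitekey\s*:\s*["']([A-Za-z0-9_-]{20,})["']""", re.I),
]

KEY_A = "6LcExampleKeyA00000000000000000000000001"  # constructed
KEY_B = "6LcExampleKeyB00000000000000000000000002"  # constructed
KEY_C = "6LcExampleKeyC00000000000000000000000003"  # constructed

PAGES: Dict[str, str] = {  # constructed crawl results: url -> HTML
    "http://gift-card-win.example/": f'<div class="g-recaptcha" data-sitekey="{KEY_A}"></div>',
    "http://prize-claim.example/": f"<script>grecaptcha.render('c', {{sitekey: '{KEY_A}'}});</script>",
    "http://bank-login.example/": f'<script src="https://www.google.com/recaptcha/api.js?render={KEY_B}"></script>',
    "http://shop.example/": f'<div data-sitekey="{KEY_C}"></div>',
    "http://shop-outlet.example/": f'<div data-sitekey="{KEY_C}"></div>',
    "http://blog.example/": "<p>No captcha here.</p>",
}
KNOWN_MALICIOUS = {"http://gift-card-win.example/"}
KNOWN_BENIGN = {"http://shop.example/"}


def extract_captcha_keys(html: str) -> Set[str]:
    """All site keys embedded in one page, whatever the embedding form."""
    keys: Set[str] = set()
    for pat in KEY_PATTERNS:
        keys.update(pat.findall(html))
    return keys


def build_key_index(pages: Dict[str, str]) -> Dict[str, Set[str]]:
    """key -> set of sites embedding it."""
    index: Dict[str, Set[str]] = defaultdict(set)
    for url, html in pages.items():
        for key in extract_captcha_keys(html):
            index[key].add(url)
    return index


def pivot(pages: Dict[str, str], known_malicious: Set[str],
          known_benign: Set[str]) -> Dict[str, Set[str]]:
    """Suspect sites (not already known malicious) with the pivot keys that implicate them."""
    index = build_key_index(pages)

    def keys_of(sites: Set[str]) -> Set[str]:
        return {k for u in sites if u in pages for k in extract_captcha_keys(pages[u])}

    # A key that also appears on a known benign site is not a usable pivot.
    pivot_keys = keys_of(known_malicious) - keys_of(known_benign)
    suspects: Dict[str, Set[str]] = defaultdict(set)
    for key in pivot_keys:
        for url in index[key] - known_malicious:
            suspects[url].add(key)
    return dict(suspects)


if __name__ == "__main__":
    for url, keys in pivot(PAGES, KNOWN_MALICIOUS, KNOWN_BENIGN).items():
        print("suspect:", url, "shares key(s)", sorted(keys))
```

The benign subtraction is the false-positive guard: shop-outlet.example shares KEY_C with shop.example, which would make it a suspect if shop.example were ever labelled malicious, but as long as the key is also seen on a known benign site it is never used as a pivot.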
- Patent number: 11550911
  Abstract: Techniques for multi-representational learning models for static analysis of source code are disclosed. In some embodiments, a system/process/computer program product for multi-representational learning models for static analysis of source code includes storing on a networked device a set comprising one or more multi-representation learning (MRL) models for static analysis of source code; performing a static analysis of source code associated with a sample received at the network device, wherein performing the static analysis includes using at least one stored MRL model; and determining that the sample is malicious based at least in part on the static analysis of the source code associated with the received sample, and in response to determining that the sample is malicious, performing an action based on a security policy.
  Type: Grant
  Filed: January 31, 2020
  Date of Patent: January 10, 2023
  Assignee: Palo Alto Networks, Inc.
  Inventors: Brody James Kutt, William Redington Hewlett, II, Oleksii Starov, Yuchen Zhou, Fang Liu
- Publication number: 20220345487
  Abstract: Web sites are crawled using multiple browser profiles to avoid malicious cloaking. Based on web page content returned from HTTP requests using the multiple browser profiles, web sites returning substantively different content to HTTP requests for different browser profiles are identified. Web sites are further filtered by common cloaking behavior, and redirect scripts are extracted from web page content that performed cloaking. Signatures comprising tokenized versions of the redirect scripts are generated and compared to a database of known cloaking signatures. URLs corresponding to signatures having approximate matches with signatures in the database are flagged for recrawling. Recrawled URLs are verified for malicious cloaking again using HTTP requests from multiple browser profiles.
  Type: Application
  Filed: July 12, 2022
  Publication date: October 27, 2022
  Inventors: Oleksii Starov, Zhanhao Chen, Yuchen Zhou, Fang Liu
- Patent number: 11444977
  Abstract: Web sites are crawled using multiple browser profiles to avoid malicious cloaking. Based on web page content returned from HTTP requests using the multiple browser profiles, web sites returning substantively different content to HTTP requests for different browser profiles are identified. Web sites are further filtered by common cloaking behavior, and redirect scripts are extracted from web page content that performed cloaking. Signatures comprising tokenized versions of the redirect scripts are generated and compared to a database of known cloaking signatures. URLs corresponding to signatures having approximate matches with signatures in the database are flagged for recrawling. Recrawled URLs are verified for malicious cloaking again using HTTP requests from multiple browser profiles.
  Type: Grant
  Filed: October 22, 2019
  Date of Patent: September 13, 2022
  Assignee: Palo Alto Networks, Inc.
  Inventors: Oleksii Starov, Zhanhao Chen, Yuchen Zhou, Fang Liu
- Publication number: 20220116411
  Abstract: Techniques for deobfuscating and decloaking web-based malware with abstract execution are disclosed. In some embodiments, a system/process/computer program product for deobfuscating and decloaking web-based malware with abstract execution includes receiving a sample; performing an abstract execution of a script included in the sample; identifying the sample as malware based on the abstract execution of the script included in the sample; and generating a log of results from the abstract execution of the script included in the sample.
  Type: Application
  Filed: October 13, 2021
  Publication date: April 14, 2022
  Inventors: William Russell Melicher, Oleksii Starov
- Publication number: 20210385232
  Abstract: Techniques for providing innocent until proven guilty (IUPG) solutions for building and using adversary resistant and false positive resistant deep learning models are disclosed. In some embodiments, a system, process, and/or computer program product includes storing a set comprising one or more innocent until proven guilty (IUPG) models for static analysis of a sample; performing a static analysis of content associated with the sample, wherein performing the static analysis includes using at least one stored IUPG model; and determining that the sample is malicious based at least in part on the static analysis of the content associated with the sample, and in response to determining that the sample is malicious, performing an action based on a security policy.
  Type: Application
  Filed: May 26, 2021
  Publication date: December 9, 2021
  Inventors: Brody James Kutt, Oleksii Starov, Yuchen Zhou, William Redington Hewlett, II