Abstract: Systems and methods include performing inline monitoring of production traffic between users, the Internet, and cloud services via a cloud-based system; utilizing a trained machine learning model to inspect static properties of files in the production traffic; and classifying the traffic as one of malicious or benign based on the trained machine learning model.

Abstract: Systems and methods include receiving a trained machine learning model that has been processed with training information removed therefrom, wherein the training information is utilized in training of the trained machine learning model; monitoring traffic, inline at the node, including processing the traffic with the trained machine learning model; obtaining a verdict on the traffic based on the trained machine learning model; and performing an action on the traffic based on the verdict.

Abstract: Systems and methods of sandboxing a file include responsive to receiving a file associated with a user, obtaining policy for the user; analyzing the file with a machine learning model; and based on a combination of the policy for the user and a verdict of the machine learning model, one of quarantining the file for analysis in a sandbox and allowing the file to the user. The present disclosure presents a smart quarantine with a goal of minimizing the number of files quarantined, the number of malicious files passed through to an end user, and a number of files scanned by a sandbox.

Abstract: Systems and methods include receiving network transaction data for a plurality of users monitored by a cloud-based system; creating a relationship graph based on the plurality of user's recent network transactions for a time period, wherein the relationship graph includes vertices for domains and edges for transactions by users between the domains having some number of transaction in the time period; and analyzing the relationship graph to detect previously undetected suspicious anomalies. The weights on each edge are based on a relationship between two domains where the relationship includes any of malware, Internet Protocol (IP) addresses, Autonomous System Number (ASN), registration, and redirects.

Abstract: Systems and methods include determining a plurality of features associated with executable files, wherein the plurality of features are each based on static properties in predefined structure of the executable files; obtaining training data that includes samples of benign executable files and malicious executable files; extracting the plurality of features from the training data; and utilizing the extracted plurality of features to train a machine learning model to detect malicious executable files.

Abstract: Systems and methods include obtaining a file associated with a user for processing; utilizing a combination of policy for the user and machine learning to determine whether to i) quarantine the file and scan the file in a sandbox, ii) allow the file to the user and scan the file in the sandbox, and iii) allow the file to the user without the scan; responsive to the quarantine of the file and the sandbox determining the file is malicious, blocking the file; and, responsive to the quarantine of the file and the sandbox determining the file is benign, allowing the file.

Abstract: Systems and methods include receiving a trained machine learning model that has been processed with training information removed therefrom, wherein the training information is utilized in training of the trained machine learning model; monitoring traffic, inline at the node, including processing the traffic with the trained machine learning model; obtaining a verdict on the traffic based on the trained machine learning model; and performing an action on the traffic based on the verdict.

Abstract: Systems and methods include training a machine learning model with data for identifying features in monitored traffic in a network; analyzing the trained machine learning model to identify information overhead therein, wherein the information overhead is utilized in part for the training; removing the information overhead in the machine learning model; and providing the machine learning model for runtime use for identifying the features in the monitored traffic, with the removed information overhead from the machine learning model.

Abstract: Systems and methods include determining a plurality of features associated with executable files, wherein the plurality of features are each based on static properties in predefined structure of the executable files; obtaining training data that includes samples of benign executable files and malicious executable files; extracting the plurality of features from the training data; and utilizing the extracted plurality of features to train a machine learning model to detect malicious executable files.

Abstract: Systems and methods include, based on monitoring of content including Office documents, determining distribution of malicious Office documents between documents having malicious macros and documents having malicious embedded objects; determining features for the documents having malicious macros and for the documents having malicious embedded objects; selecting training data for a machine learning model based on the distribution and the features; and training the machine learning model with the selected training data.

Abstract: Systems and methods include receiving a domain for a determination of a likelihood the domain is a command and control site; analyzing the domain with an ensemble of a plurality of trained machine learning models including a Uniform Resource Locator (URL) model that analyzes lexical features of a hostname of the domain and an artifact model that analyzes content features of a webpage associated with the domain; and combining results of the ensemble to predict the likelihood the domain is a command and control site.

Abstract: Systems and methods include training a machine learning model with data for identifying features in monitored traffic in a network; analyzing the trained machine learning model to identify information overhead therein, wherein the information overhead is utilized in part for the training; removing the information overhead in the machine learning model; and providing the machine learning model for runtime use for identifying the features in the monitored traffic, with the removed information overhead from the machine learning model.

Abstract: Systems and methods include obtaining a file associated with a user for processing; utilizing a combination of policy for the user and machine learning to determine whether to i) quarantine the file and scan the file in a sandbox, ii) allow the file to the user and scan the file in the sandbox, and iii) allow the file to the user without the scan; responsive to the quarantine of the file and the sandbox determining the file is malicious, blocking the file; and, responsive to the quarantine of the file and the sandbox determining the file is benign, allowing the file.