Abstract: Malicious redirects in a redirect chain as a result of loading a web address are detected and blocked. A suspicion score is determined for a subject redirection domain based at least in part on the subject redirection domain's web address, and a rate of occurrence of the subject redirection domain in redirect chains leading to a malicious landing domain is calculated. Loading the subject redirection domain is blocked if the suspicion score exceeds a suspicion threshold or the rate of occurrence of the subject redirection domain exceeds a rate of occurrence threshold.

Abstract: Redundancy in a malware signature list is reduced by processing a plurality of pairs of records in a known malware signature list, where each pair of records comprises a file identifier and an associated malware detection. At least one of the file identifiers and the associated malware detections are mapped to symbols representing the file identifiers and the associated malware detections, the symbols taking less memory than the file identifiers and the associated malware detections. The mapped symbols representing the file identifiers and the associated malware detections are processed to remove at least some malware detections that are not needed to provide a desired degree of representation of each file identifier in the processed known malware signature list, and a processed known malware signature list is stored.

Abstract: Systems and methods use negative feedback to create generic rules for a high dimensional sparse feature space. A system receives a set of fingerprints, where a fingerprint can be a set of features of a file. The fingerprints can be clustered according to similarity. For each cluster, a proto-rule is created that has a condition for each feature. The proto-rule is simplified using negative feedback to create a well-formed rule having a comparatively small subset of the conditions in the proto-rule that are useful in determining malware. The well-formed rule can be added to a set of rules used in a malware detection system.

Abstract: A method of generating a similarity hash for an executable includes extracting a plurality of characteristics for one or more classes in the executable, and transforming the plurality of characteristics into a set of one or more class fingerprint strings corresponding to the one or more classes. The set of class fingerprint strings is transformed into a hash string using minwise hashing, such that a difference between hash strings for different executables is representative of the degree of difference between the executables. The hash of a target executable is compared with hashes of known malicious executables to determine whether the target executable is likely malicious.

Abstract: A method of generating a similarity hash for an executable includes extracting a plurality of characteristics for one or more classes in the executable, and transforming the plurality of characteristics into a set of one or more class fingerprint strings corresponding to the one or more classes. The set of class fingerprint strings is transformed into a hash string using minwise hashing, such that a difference between hash strings for different executables is representative of the degree of difference between the executables. The hash of a target executable is compared with hashes of known malicious executables to determine whether the target executable is likely malicious.

Abstract: Systems and methods use negative feedback to create generic rules for a high dimensional sparse feature space. A system receives a set of fingerprints, where a fingerprint can be a set of features of a file. The fingerprints can be clustered according to similarity. For each cluster, a proto-rule is created that has a condition for each feature. The proto-rule is simplified using negative feedback to create a well-formed rule having a comparatively small subset of the conditions in the proto-rule that are useful in determining malware. The well-formed rule can be added to a set of rules used in a malware detection system.

Abstract: Analyzing a large number of files to identify malicious software including evaluating a multigraph including determining a graph having a plurality of nodes, including a source node and target nodes from a data set and merging the graph into a multigraph in response to a node score above a threshold level, for each target node; determining one or more specificity indexes for target node and determining a node score for the target node based, at least in part, on a specificity index

Abstract: Systems and methods automatically determine rules for detecting malware. A fingerprint representing a file is received. A set of nearest neighbor fingerprints from at least a set of malware fingerprints that are nearest neighbors are determined. The set of malware fingerprints are analyzed to determine a representative fingerprint. A malicious file detection rule is generated based, at least in part, on the representative fingerprint.