Abstract: A computer-implemented method for using event-correlation graphs to detect attacks on computing systems may include (1) detecting a suspicious event involving a first actor within a computing system, (2) constructing an event-correlation graph that includes a first node that represents the first actor, a second node that represents a second actor, and an edge that interconnects the first node and the second node and represents a suspicious event involving the first actor and the second actor, (3) calculating, based at least in part on the additional suspicious event, an attack score for the event-correlation graph, (4) determining that the attack score is greater than a predetermined threshold, and (5) determining, based at least in part on the attack score being greater than the predetermined threshold, that the suspicious event may be part of an attack on the computing system. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for neutralizing file-format-specific exploits contained within electronic communications may include (1) identifying an electronic communication, (2) identifying at least one file contained within the electronic communication, and then (3) neutralizing any file-format-specific exploits contained within the file. In one example, neutralizing any file-format-specific exploits contained within the file may include applying at least one file-format-conversion operation to the file. Additionally or alternatively, neutralizing any file-format-specific exploits contained within the file may include constructing a sterile version of the file that selectively omits at least a portion of any exploitable content contained within the file. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for using event-correlation graphs to detect attacks on computing systems may include (1) detecting a suspicious event involving a first actor within a computing system, (2) constructing an event-correlation graph that includes a first node that represents the first actor, a second node that represents a second actor, and an edge that interconnects the first node and the second node and represents a suspicious event involving the first actor and the second actor, (3) calculating, based at least in part on the additional suspicious event, an attack score for the event-correlation graph, (4) determining that the attack score is greater than a predetermined threshold, and (5) determining, based at least in part on the attack score being greater than the predetermined threshold, that the suspicious event may be part of an attack on the computing system. Various other methods, systems, and computer-readable media are also disclosed.