Abstract: A system and method of anti-malware analysis including iterative techniques that combine static and dynamic analysis of untrusted programs or files. These techniques are used to identify malicious files by iteratively collecting new data for static analysis through dynamic run-time analysis.

Abstract: A system and method of anti-malware analysis including iterative techniques. These techniques are used to create a file attribute tree used by a machine learning analyzer to identify malicious files.

Abstract: Disclosed herein are systems and method for repurposing a machine learning model. An exemplary method includes: receiving a first training dataset; determining an input portion and an output portion in an entry of the first training dataset; comparing the first training dataset to a second training dataset used to train a machine learning model, wherein the comparing includes determining a similarity score between the input portion and the output portion of the first training dataset and an input portion and an output portion of the second training dataset; in response to determining that the similarity score is greater than a threshold similarity score, re-training the machine learning model using the first training dataset; and executing the retrained machine learning model on an input value to generate an output value corresponding to the first training dataset.

Abstract: The present disclosure relates to a system and method for rootkit detection based on a system dump sequence analysis. The system includes a security system in communication with one or more applications of a computing system. The security system includes a system event monitor to monitor events occurring at the applications, a system dump capture driver to capture differential system dumps corresponding to each event, and a rootkit detection engine to determine if a system state is infected. The rootkit detection engine is based on a machine learning model, where the machine learning model is trained on collection of clean system dumps and infectious system dumps. Based on analysis carried out by the machine learning model, the rootkit detection engine can classify the system state as suspicious, infectious, or clean state.

Abstract: Forensic analysis on consistent system footprints relates to a system and method for rootkit detection based on forensic analysis performed on consistent system footprints, such as application events, application network communications and application files. The system includes a security system periodically monitoring one or more applications of a computing system. The security system includes a threat detection unit for collecting and storing system memory dumps, a machine learning module trained on clean and infectious memory dump, a similarity scanner to identify similarity between suspicious memory block and consistent system footprints, and a forensic analyzer to perform forensic analysis and detect infection, if any, based on the similarity found. The suspicious memory block is identified by the threat detection unit based on the analysis performed by the machine learning model. Upon rootkit detection an alert and forensic analysis report are generated.

Abstract: The present disclosure relates to a system and method for creating a backup and restoring the exact clean system state prior to malware detection. The system includes a security system, in communication with one or more applications of a computing system, and a backup unit. The security system detects malware during execution of the applications or events based on a memory dump analysis. The backup unit creates a backup copy of the system state corresponding to each event, labels each copy and creates an index. When the security system detects presence of the malware at a particular event, the backup system parses the index, and with use of the labels, retrieves the exact backup copy that belongs to the event preceding the other event that caused the malware attack.

Abstract: Disclosed herein are systems and method for provisioning artificial intelligence resources. A method may receive an input training dataset and an indication of a task to perform using the input training dataset and may determine a size of the input dataset and a content type of an entry in the input training dataset. The method may identify, from a plurality of computing resources, at least one computing resource to accommodate the size and the content type associated with the input training dataset and may identify attributes of the input training dataset. The method may select, from a plurality of artificial intelligence models, and train and execute, on the at least one computing device, an artificial intelligence model that is configured to perform the task.

Abstract: A rootkit detection system and method analyzes memory dumps to determine connections between intercepted system driver operations requested by unknown files and changes in system memory before and after those operations. Memory dump differences and I/O buffers are analyzed with machine learning models to identify clustered features associated with rootkits.

Abstract: A system and method for malware detection uses static and dynamic analysis to augment a machine learning model. At the training step, static and dynamic features are extracted from training datasets and used to train a malware classification model. The malware classification model is used to classify unknown files based on verdicts from both static and dynamic models.

Abstract: A system and method for malware classification using machine learning models trained using synthesized feature sets based on features extracted from samples of known malicious objects and known safe objects. The synthesized feature sets act as virtual samples for training a machine learning classifier to recognize new objects in the wild that are likely to be malicious.

Abstract: A system and method for malware detection uses static and dynamic analysis to train a machine learning model. At the training step, static and dynamic features are extracted from training datasets and used to train a malware classification model. The malware classification model is used to classify unknown files based on verdicts from both static and dynamic models.

Abstract: A system and method is provided for detecting a suspicious process in an operating system environment. In an exemplary aspect, a method comprises generating, by a hardware processor, a file honeypot in a directory in a file system and receiving a directory enumeration request from a process executing in the operating system environment. The method comprises determining whether the process is identified in a list of trusted processes and in response to determining that the process is not in the list of trusted processes, providing, to the process by the file system, a file list including the file honeypot responsive to the directory enumeration request. The method further comprises intercepting, by a file system filter driver, a file modification request for the file honeypot from the process, and identifying the process as a suspicious object responsive to intercepting the file modification request from the process.

Abstract: Disclosed herein are systems and method for malicious behavior detection in processing chains comprising identifying and monitoring events generated by a first process executing on a computing device; storing snapshots of data modified by any of the events; determining a level of suspicion for the first process, wherein the level of suspicion is a likelihood of the first process being attributed to malware based on the data modified by any of the events; in response to determining that the first process is not trusted based on the determined level of suspicion, identifying at least one sub-process of the first process; and restoring, from the snapshots, objects affected by the first process and the at least one sub-process.

Abstract: Disclosed are systems and methods for detecting malicious applications. An exemplary method may comprise detecting that a first process has been launched on a computing device. The method may comprise receiving, from the first process, an execution stack associated with one or more control points of the first process. The method may comprise applying a machine learning classifier on the execution stack, wherein the machine learning classifier is configured to classify whether a process is malicious based on activity on control points captured on a given execution stack, and wherein a feature of a malicious process is detection of a system call to create a remote thread that runs in a virtual address space of a shared-service process configured to import third-party processes to be embedded as separate threads. The method may comprise generating an indication that the execution of the first process is malicious/non-malicious.

Abstract: Methods for file archiving using machine learning are disclosed herein. An exemplary method comprises archiving a first file of a plurality of files from a storage server to a tiered storage system, training a machine learning module based on file access operations for the plurality of files, determining one or more rules for predicting access to the archived files using the machine learning module, determining a prediction of access of the archived file based on the one or more rules and retrieving the archived file from the tiered storage system into a file cache in the storage server based on the prediction of access.

Abstract: Disclosed herein are methods and systems for providing data recovery recommendations. In an exemplary aspect, a method may comprise identifying a plurality of storage devices. For each respective device of the plurality of storage devices, the method may comprise extracting a respective input parameter indicative of a technical attribute of the respective device, inputting the respective input parameter into a machine learning algorithm configured to output both a first likelihood of the respective device needing a data recovery and a second likelihood that the data recovery will fail, and determining a respective priority level of the respective device based on the first likelihood and the second likelihood. The method may comprise normalizing each respective priority level, and recommending a device of the plurality of storage devices for a test data recovery procedure based on each normalized priority level.

Abstract: A system and method of anti-malware analysis including iterative techniques that combine static and dynamic analysis of untrusted programs or files. These techniques are used to identify malicious files by iteratively collecting new data for static analysis through dynamic run-time analysis.

Abstract: A system and method of anti-malware analysis including iterative techniques. These techniques are used to create a file attribute tree used by a machine learning analyzer to identify malicious files.

Abstract: Disclosed herein are systems and method for classifying objects in an image using a color-based neural network. A method may include: training a neural network to classify an object in a given image into a color class from a set of color classes; determining, from the set of color classes, a subset of color classes that are anticipated to be in a received input image based on image metadata; generating a matched mask input indicating the subset; inputting both the input image and the matched mask input into the neural network, wherein the neural network is configured to: determine a first semantic embedding of the input image and the matched mask input; outputting a color class associated with a second semantic embedding with a least amount of distance to the first semantic embedding from a plurality of semantic embeddings.

Abstract: Disclosed herein are systems and method for determining environment dimensions based on environment pose. In one aspect, the method may include training, with a dataset including a plurality of images featuring an environment and labelled landmarks in the environment, a neural network to identify a pose of an environment. The method may comprise receiving an input image depicting the environment, generating an input tensor based on the input image, and inputting the input tensor into the neural network, which may be configured to generate an output tensor including a position of each identified landmark, a confidence level associated with each position, and a pose confidence score. The method may include calculating a homography matrix between each position in the output tensor along a camera plane and a corresponding position in an environment plane in order to output an image that visually connects each landmark along the environment plane.