Abstract: A method for creating a collection with optimized family-specific signatures for protecting from malware includes collecting statistics of potential signatures for chosen sample attribute vectors, the statistics of potential signatures being collected for clean files and malware files, estimating a probability to find a potential signature in the clean files, grouping malware files with the same signature in clusters (families), choosing the most optimal signature for the malware family files based on a predefined target function, and exporting a collection with optimized family-specific signatures configured to be implemented by scan engines.

Abstract: The present disclosure relates to a system and method for creating a backup and restoring the exact clean system state prior to malware detection. The system includes a security system, in communication with one or more applications of a computing system, and a backup unit. The security system detects malware during execution of the applications or events based on a memory dump analysis. The backup unit creates a backup copy of the system state corresponding to each event, labels each copy and creates an index. When the security system detects presence of the malware at a particular event, the backup system parses the index, and with use of the labels, retrieves the exact backup copy that belongs to the event preceding the other event that caused the malware attack.

Abstract: Disclosed herein are systems and methods for updating select files in an image backup. In an exemplary aspect, a method comprises performing an image backup of a storage device comprising a plurality of files. The method comprises selecting a file of the plurality of files based on file selection rules and subsequent to the image backup, detecting that the file has exited a full consistency state. The method comprises monitoring the file to detect a return to the full consistency state. In response to detecting that the file has returned to the full consistency state, the method comprises identifying a physical address of at least one sector comprising the file on the storage device, and updating a version of the file previously captured in the image backup with a version of the file after returning to the full consistency state.

Abstract: A rootkit detection system and method analyzes memory dumps to determine connections between intercepted system driver operations requested by unknown files and changes in system memory before and after those operations. Memory dump differences and I/O buffers are analyzed with machine learning models to identify clustered features associated with rootkits.

Abstract: Disclosed herein are systems and method for forming and executing a backup strategy. In one aspect, an exemplary method comprises forming a respective backup strategy for each respective file of a plurality of files stored in a data source based on a frequency of occurrence, a desired recovery time, and a criticality of data loss for the respective file. The method further comprises executing the respective backup strategy for the respective file.

Abstract: In a multi-tenant hierarchical data storage system, tenant nodes are organized into trees and subtrees including virtual shards and with tenant data on single shards. The system is configured to allow scalable parallel access by a plurality of tenant-users.

Abstract: A multi-layer path-planning system and method calculates trajectories for autonomous vehicles using a global planner, a fast local planner, and an optimizing local planner. The calculated trajectories are used to guide the autonomous vehicle along a bounded path between a starting point and a destination.

Abstract: A system and method for firewall policy control in a system comprising endpoints, including functionality for isolating network elements on endpoints under management. An endpoint management agent cooperates with a remote management service to carry out policy management and synchronization, implement isolation mode when required, and perform related supporting tasks.

Abstract: Disclosed herein are systems and method for securely providing access to data. In one exemplary aspect, a method may comprise receiving a request to access data on a computing device of a user and identifying a location of the computing device. The method may comprise determining whether access to the data is allowed in the location based on a location-based rule of a plurality of location-based rule. The method may comprise, in response to determining that access to the data is allowed in the location, detecting, via sensors of the computing device, (1) at least one other person different from the user or (2) a surveillance device in the location, and determining whether the at least one other person or the surveillance device can view the data without direct access to the computing device. If not, the method may comprise providing access to the data on the computing device.

Abstract: A rootkit detection system and method analyzes memory dumps to determine connections between intercepted system driver operations requested by unknown files and changes in system memory before and after those operations. Memory dump differences and I/O buffers are analyzed with machine learning models to identify clustered features associated with rootkits.

Abstract: The invention relates to data recovery technology. An archive connection driver creates a virtual storage medium that is readable by an operating system, with the operating system running antivirus scanning algorithms on the connected virtual storage medium. Corrupted data and malware are deleted and the relevant data blocks repaired in a connected backup. Corrupted data and infected files are restored in marked invalid data in the backup.

Abstract: Disclosed herein are systems and method for seamlessly migrating from an existing software to a new software. In one exemplary aspect, a method may comprise retrieving usage activity information of the existing software from the at least one computing device and identifying settings from the existing software to migrate. The method may further comprise converting, based on an internal database with metadata information about the new software, the settings in the existing software to corresponding settings in the new software, and determining, based on the usage activity information, a migration plan indicative of a sequence of tasks for installing the new software and removing the existing software such that a quality of service associated with accessing the plurality of features on the at least one computing device does not decrease to less than a threshold quality of service. The method may further comprise executing the migration plan.

Abstract: Disclosed herein are systems and method for verifying user identity. In one exemplary aspect, a method comprises receiving sensor data from at least one sensor and parsing the sensor data to determine a plurality of identifiers of a user authorized to access data via a computing device. The method comprises generating, for each identifier, an event including the user. The method comprises intercepting, on the computing device, a data access request including an identifier of the user. The method comprises verifying whether the data access request is from the user authorized to access data by generating a chain of events including the user for a period of time preceding the data access request, determining a deviation of the chain of events from a target chain of events, and in response to determining the deviation is less than a threshold deviation value, granting the data access request.

Abstract: A system and method for malware classification using machine learning models trained using synthesized feature sets based on features extracted from samples of known malicious objects and known safe objects. The synthesized feature sets act as virtual samples for training a machine learning classifier to recognize new objects in the wild that are likely to be malicious.

Abstract: The invention relates to data recovery technology. Each created backup is checked for the integrity of the placed files, while calculating the checksums of each block of data that can be restored from the backup. The computer system is restored from a backup copy by connecting it using the archive copy connection driver, which creates a virtual disk that is readable by standard means of the operating system of the computer system being restored. The booting of the operating system is performed from the virtual disk and, after restoring the functioning of the computer system, the system volume that has been damaged is restored from the backup copy to the local storage medium.

Abstract: Disclosed herein are systems and method efficiently executing a program operation on a cloud-based service. In an exemplary aspect, a method comprises receiving a request to perform a program operation on a cloud-based service and at least one user constraint for performing the program operation, and determining a plurality of sub-operations that are comprised in the program operation. The method comprises identifying a plurality of service component combinations offered by the service provider that can execute the program operation, and identifying at least one processing constraint of each service component. The method comprises determining a service component combination from the plurality of service component combinations for executing the program operation based on the at least one user constraint and processing constraints. The method comprises executing the program operation by the determined service component combination.

Abstract: In a multi-tenant hierarchical data storage system, tenant nodes are organized into trees and subtrees including virtual shards and with tenant data on single shards. The system is configured to allow scalable parallel access by a plurality of tenant-users.

Abstract: Disclosed herein are systems and method efficiently executing a program operation on a cloud-based service. In an exemplary aspect, a method comprises receiving a request to perform a program operation on a cloud-based service and at least one user constraint for performing the program operation, and determining a plurality of sub-operations that are comprised in the program operation. The method comprises identifying a plurality of service component combinations offered by the service provider that can execute the program operation, and identifying at least one processing constraint of each service component. The method comprises determining a service component combination from the plurality of service component combinations for executing the program operation based on the at least one user constraint and processing constraints. The method comprises executing the program operation by the determined service component combination.

Abstract: Disclosed herein are systems and methods for providing network protection for web-based conferencing services. In one aspect, an exemplary system comprises, a device comprising a processor, an operating system (OS) operable in a user mode and a kernel mode, and a kernel driver for performing operations while the OS is in kernel mode, the kernel driver configured to: monitor file operations that involve objects belonging to a web conferencing service, receive a request from an application executing in a user mode, the request being for an operation to be executed in the kernel mode, when the operation involves at least one object belonging to the web conferencing service, request for an authorization from a protection service executing in the user mode, and allow the operation to be performed only when the authorization is received from the protection service.

Abstract: Disclosed herein are systems and method for detecting usage anomalies based on environmental sensor data. A method may include: receiving a physical user input at a computing device located in an environment; determining whether the physical user input was received from an authorized user of the computing device by: retrieving environmental sensor data from at least one sensor located in the environment; identifying a window of time during which the physical user input was received; and verifying a presence of the authorized user at the environment during the window of time based on the environmental sensor data; and in response to determining that the authorized user was not present in the environment during the window of time, detecting a usage anomaly and not executing the physical user input.