Abstract: Some embodiments help protect an organization against ransomware attacks by combining incrimination logics. An organizational-level incrimination logic helps detect alert spikes across many machines, which collectively indicate an attack. Graph-based incrimination logics help detect infestations of even a few machines, and local incrimination logics focus on protecting respective individual machines. Graph-based incrimination logics may compare monitored system graphs to known ransomware attack graphs. Graphs may have devices as nodes and device network connectivity, repeated files, repeated processes or actions, or other connections as edges. Statistical analyses and machine learning models may be employed as incrimination logics. Search logics may find additional incrimination candidates that would otherwise evade detection, based on files, processes, IP addresses, devices, accounts, or other computational entities previously incriminated.

Abstract: Embodiments of the present disclosure provide systems, methods, and non-transitory computer storage media for identifying malicious behavior using a trained deep learning model. At a high level, embodiments of the present disclosure utilize a trained deep learning model that takes a sequence of ordered signals as input to generate a score that indicates whether the sequence is malicious or benign. Initially, process data is collected from a client. After the data is collected, a virtual process tree is generated based on parent and child relationships associated with the process data. Subsequently, embodiments of the present disclosure aggregate signal data with the process data such that each signal is associated with a corresponding process in a chronologically ordered sequence of events. The ordered sequence of events is vectorized and fed into the trained deep learning model to generate a score indicating the level of maliciousness of the sequence of events.

Abstract: Embodiments of the present disclosure provide systems, methods, and non-transitory computer storage media for detecting abnormal behavior of device in an enterprise network based on an analysis of behavioral information of the device's neighbors in network. At a high level, embodiments of the present disclosure employ a hive-mind approach to determine anomalous behavior of a device in a network based on analyzing behavior information reported by neighboring devices within the network. Embodiments identify that a device is alive and connected within the network based on multiple neighboring devices reporting behavioral information about the device; however, the device may be dysfunctional and failing to report its own information. By aggregating and analyzing behavioral information of a device based on the reporting information of its neighboring devices, embodiments of the present disclosure are able to determine whether a device is healthy even when the device is unable to report its own information.

Abstract: Embodiments of the present disclosure provide systems, methods, and non-transitory computer storage media for detecting abnormal behavior of device in an enterprise network based on an analysis of behavioral information of the device's neighbors in network. At a high level, embodiments of the present disclosure employ a hive-mind approach to determine anomalous behavior of a device in a network based on analyzing behavior information reported by neighboring devices within the network. Embodiments identify that a device is alive and connected within the network based on multiple neighboring devices reporting behavioral information about the device; however, the device may be dysfunctional and failing to report its own information. By aggregating and analyzing behavioral information of a device based on the reporting information of its neighboring devices, embodiments of the present disclosure are able to determine whether a device is healthy even when the device is unable to report its own information.

Abstract: Disclosed herein is a system and method for automatically identifying potential malware files or benign files in files that are not known to be malware. Vector distances for select features of the files are compared to vectors both known malware files and benign files. Based on the distance measures a malware score is obtained for the unknown file. If the malware score exceeds a threshold a researcher may be notified of the potential malware, or the file may be automatically classified as malware if the score is significantly high.

Abstract: Disclosed herein is a system and method for automatically identifying potential malware files or benign files in files that are not known to be malware. Vector distances for select features of the files are compared to vectors both known malware files and benign files. Based on the distance measures a malware score is obtained for the unknown file. If the malware score exceeds a threshold a researcher may be notified of the potential malware, or the file may be automatically classified as malware if the score is significantly high.