Abstract: Methods and systems for safeguarding against malware such as ransomware are described. In part, the disclosure relates to systems and methods for restoring user data and other data encrypted by malware or otherwise rendered inaccessible thereby. In one embodiment, the disclosure relates to a method of safeguarding user data. The method includes monitoring a plurality of processes executing on a computing device; detecting when a first process of the plurality of processes attempts to modify one or more parameters of a user data file; determining if first process is a trusted process or an untrusted process using one or more heuristics; and if the first process is determined to be an untrusted process, create a backup version of the user data file, wherein the backup version of the user data file is created with regard to an unchanged version the user data file.

Abstract: Disclosed herein are systems and method for determining a backup schedule on a computer system. In one exemplary aspect, a method may comprise collecting user behavior data on the computer system. The method may comprise analyzing the user behavior data to determine an optimal time of a backup session to create backup copies of modified data stored on a volume of the computer system and determining an optimal duration of the backup session based on the analyzed user behavior. The method may comprise determining a portion of the modified data that can be saved during the backup session within the optimal duration at the optimal time of backup, and performing the backup session comprising the portion.

Abstract: Disclosed are systems and methods for detecting malicious applications. The described techniques detect a first process has been launched on a computing device, and monitor at least one thread associated with the first process using one or more control points of the first process. An execution stack associated with the one or more control points of the first process is received from the first process. In response to detecting activity on the one or more control points of the first process, an indication that the execution of the first process is malicious is generated by applying a machine learning classifier to the received execution stack associated with the one or more control points of the first process.

Abstract: Disclosed herein are systems and method for detecting unauthorized access to computing resources for cryptomining. In one exemplary aspect, a method may detect that at least one process has been launched on a computer system. In response to the detecting, the method may collect data related to the launch of the at least one process. The method may compare the collected data with behavioral rules specifying compliant behavior on the computer system. The method may identify suspicious behavior associated with the at least one process in response to determining that the collected data does not meet the behavioral rules. The method may generate an alert indicative of the suspicious behavior. In response to identifying the suspicious behavior, the method may obtain telemetry data of the computer system, and may update the behavioral rules based on the telemetry data to improve accuracy of identifying further suspicious behavior.

Abstract: Disclosed herein are system and method for driving organization and subsequent analysis of an autonomous vehicle. In an exemplary aspect, the system and method comprise dividing a path of a vehicle into a plurality of segments based on predetermined conditions; monitoring both behavior of the vehicle and driving conditions during each of the plurality of segments; storing the behavior and the driving conditions in a plurality of records of an immutable storage; determining whether an accident has occurred involving the vehicle; in response to determining that the accident has occurred, retrieving for the plurality of segments the behavior and the driving conditions from the immutable storage; reconstructing the path using the retrieved behavior and the driving conditions and the plurality of segments; and analyzing the reconstructed path to determine a cause of the accident.

Abstract: Disclosed herein are systems and method for inspecting archived slices for malware. In one exemplary aspect, the method comprises identifying a first slice in a plurality of slices in a backup archive, wherein the first slice is an image of user data at a first time. The method comprises scanning the first slice of the plurality of slices in the backup archive and detecting at least one infected file in the first slice. The method comprises identifying a block of the first slice that corresponds to the at least one infected file. The method comprises mounting, to a disk, a second slice of the plurality of slices. The method comprises tracking the block and determining that the at least one infected file exists on the second slice and removing the infected file from the second slice by generating a respective cured slice of the second slice.

Abstract: Systems and methods for remediating vulnerabilities on a plurality of computing devices is disclosed herein. In one exemplary aspect, a method comprises classifying monitored data into a plurality of categories using a machine learning algorithm. For each respective data file of the monitored data, the method comprises retrieving one or more policies associated with a classified category of the respective data file and determining whether respective data file complies with the one or more policies. The method further comprises generating a compliance map based on compliance with policies for each respective data file of the monitored data, wherein the compliance map indicates vulnerabilities in the plurality of computing devices, determining whether the vulnerabilities are actionable, and in response to determining the vulnerabilities are actionable, requesting actions to be performed on the plurality of devices to remediate the vulnerabilities and non-compliance.

Abstract: Disclosed herein are systems and method for multiplexing data of an underlying index. In an exemplary aspect, an index handler may: search for a data file in a plurality of data buckets associated with an index, wherein at least one respective data bucket of a plurality of data buckets is attached to a respective slot of a plurality of slots; identify, based on the searching, a first data bucket of the plurality of data buckets that comprises the data file; in response to determining that the first data bucket is not attached to any of the plurality of slots, attach the first data bucket to a first slot of the plurality of slots; and enable access to the data file via the first data bucket attached to the first slot.

Abstract: Disclosed herein are systems and method for optimizing artificial intelligence (A.I)-based malware analysis on offline endpoints in a network. In one aspect, a method includes identifying a file that has not been executed on an endpoint system and scanning the endpoint system to detect malicious behavior using a machine learning algorithm. In response to determining that the endpoint system does not exhibit malicious behavior based on the machine learning algorithm, the method includes enabling execution of the file. Subsequent to the execution of the file, the method includes rescanning the endpoint system to detect malicious behavior using the machine learning algorithm. In response to determining that the endpoint system does exhibit malicious behavior subsequent to the execution, the method includes extracting attributes of the file and retraining the machine learning algorithm using the extracted attributes to detect malicious behavior associated with the file without having to execute the file.

Abstract: Disclosed herein are systems and method for detecting usage anomalies based on environmental sensor data. A method may include: receiving a physical user input at a computing device located in an environment; determining whether the physical user input was received from an authorized user of the computing device by: retrieving environmental sensor data from at least one sensor located in the environment; identifying a window of time during which the physical user input was received; and verifying a presence of the authorized user at the environment during the window of time based on the environmental sensor data; and in response to determining that the authorized user was not present in the environment during the window of time, detecting a usage anomaly and not executing the physical user input.

Abstract: Disclosed herein are systems and methods for securing cloud meetings using containers. In one aspect, an exemplary system comprises, a device comprising a processor, an OS operable in a user mode and a kernel mode, and a kernel driver for performing operations while in kernel mode, the kernel driver having a kernel driver interceptor configured to: register for a process notification callback for user applications used for web-based meetings, monitor to determine when a process notification callback is received, receive a process notification callback and a command line in the callback, and analyze and transmit the command line to a service that secures the meeting, wherein the securing is performed by: configuring a container for executing the user application in an isolated virtual environment, transferring, to the container, all resources needed to run the user application, and executing the user application in the container.

Abstract: Disclosed herein are systems and methods for preventing malicious injections. In one aspect, a method includes monitoring active processes that are running in suspended mode. For each active process being monitored, the method includes injecting a dynamic link library (DLL) into the active process to hook an application programming interface (API) of an application corresponding to the active process, wherein the DLL is injected for tracking commands for suspension and resumption of the active process. The method includes monitoring file inputs and outputs of the application for anomalies while the active process is in the suspended mode, and when a command for resuming the active process is detected using the DLL, determining, based on the monitoring, whether a malicious process is inserted into the active process. The method includes allowing the suspended process to resume execution in response to determining that no malicious process is inserted in the active process.

Abstract: Disclosed herein are systems and method for adjusting data protection levels based on system metadata. A method may include monitoring a computing device for a cyberattack, wherein a kernel driver of the computing device is configured to allow access to kernel control paths and hash tables in accordance with a first protection level, and detecting that the cyberattack is in progress. While the cyberattack is in progress, the method may include identifying kernel control paths and hashes of software objects that will be affected by the cyberattack, and configuring the kernel driver to disable access to the identified kernel control paths and hashes of the software objects in accordance with a second protection level, wherein the second protection level includes greater access restrictions to the computing device than the first protection level.

Abstract: Disclosed herein are systems and method for performing failover during a cyberattack. In one exemplary aspect, a method comprises monitoring a computing device for the cyberattack and detecting that the cyberattack is in progress. While the cyberattack is in progress, the method comprises identifying a failover device that corresponds to the computing device, hardening the failover device to prevent the cyberattack from affecting the failover device, and performing failover by switching from the computing device to the failover device.

Abstract: Disclosed herein are systems and methods for providing network protection for web-based conferencing services. In one aspect, an exemplary system comprises, a device comprising a processor, an operating system (OS) operable in a user mode and a kernel mode, and a kernel driver for performing operations while the OS is in kernel mode, the kernel driver configured to: monitor file operations that involve objects belonging to a web conferencing service, receive a request from an application executing in a user mode, the request being for an operation to be executed in the kernel mode, when the operation involves at least one object belonging to the web conferencing service, request for an authorization from a protection service executing in the user mode, and allow the operation to be performed only when the authorization is received from the protection service.

Abstract: Aspects of the disclosure describe methods and systems for cross-referencing forensic snapshots over time. In one exemplary aspect, a method may comprise receiving a first snapshot of a computing device at a first time and a second snapshot of the computing device at a second time and applying a pre-defined filter to the first snapshot and the second snapshot, wherein the pre-defined filter includes a list of files that are to be extracted from each snapshot. The method may comprise subsequent to applying the pre-defined filter, identifying differences in the list of files extracted from the first snapshot and the second snapshot. The method may comprise creating a change map for the computing device that comprises the differences in the list of files over a period of time, wherein the period of time comprises the first time and the second time, and outputting the change map in a user interface.

Abstract: Disclosed herein are systems and method for determining a backup schedule on a computer system. In one exemplary aspect, a method may comprise collecting user behavior data on the computer system and analyzing the user behavior data to determine an optimal time of a backup session to create backup copies of modified data stored on a volume of the computer system. The method may comprise determining an optimal duration of the backup session based on the analyzed user behavior and prioritizing portions of the modified data based on priority rules. The method may comprise determining a prioritized portion of the modified data that can be saved during the backup session based on the duration, computer system hardware and network bandwidth at the optimal time of backup, and performing the backup session comprising the prioritized portion.

Abstract: Aspects of the disclosure describe methods and systems for transmitting data via a satellite to a ground node. In one exemplary aspect, a method comprises splitting, on a satellite, a data segment into a plurality of data chunks, wherein an amount of the data chunks equals a number of ground nodes that the data chunks will be transmitted to. For each respective data chunk, the method comprises determining whether the satellite has a stable connection with the respective ground node. When the satellite has the stable connection with the respective ground node, the method comprises transmitting, by the satellite, the respective data chunk to the respective ground node, and when the satellite does not have the stable connection with the respective ground node, the method comprises transmitting, by the satellite, the respective data chunk to a neighboring satellite for storage until the stable connection is established.

Abstract: Disclosed herein are systems and methods for managing access to data objects in cloud storage. In one aspect, an exemplary method comprises storing, by a processor, a data object in a storage device of a cloud storage service for a duration of time, wherein the data object is accessible to a plurality of user accounts. The method comprises extending the duration of time for retaining the data object on the storage device to a first extended duration when a degree of access of the data object by the plurality of user accounts meets a target threshold value during the duration of time. The method further comprises extending the duration of time for retaining the data object on the storage device to a second extended duration when the degree of access does not meet the target threshold value during the duration of time.

Abstract: Disclosed herein are systems and method for de-duplicating blocks of data. In one aspect, an exemplary method comprises receiving a block of data at a de-duplication engine that comprises a first block node and a first page node, wherein the first block node stores a single block descriptor for at least two identical blocks previously received and wherein the first page node stores single instances of identical pages in the at least two identical blocks. The method comprises comparing the received block with the at least two identical blocks. In response to determining that the received block partially matches the at least two identical blocks, the method comprises storing a block descriptor of the received block in a second block node and storing at least one page that matches between the received block and the at least two identical blocks in a second page node of the de-duplication engine.