Abstract: A machine learning ensemble receives input data from static analysis and dynamic analysis of binary files to output malicious/benign verdicts for the binary files. The machine learning ensemble comprises a structure aware dynamic compressor (“compressor”). The compressor receives a tree data structure generated based on Application Programming Interface calls of the binary files in various sandbox environments as input. The compressor performs various compression, tokenization, embedding, and reshaping operations to the tree data structure to generate a compressed tensor that preserves structural context from the tree data structure. The machine learning ensemble uses the compressed tensor to generate malicious/benign verdicts for the binary files.

Abstract: A multi-perspective user and entity behavior analytics (UEBA) system (“system”) builds and maintains interchangeable modules for predicting likelihoods of anomalous user behavior at the scope of an actor (i.e., a user or entity) of an organization within time periods. Each module comprises probability models and/or machine learning models as sub-modules that model actor behavior at various levels of granularity with respect to usage of Software-as-a-Service applications. The system generates anomalousness scores by decorrelating likelihoods output by each sub-module and uses the anomalousness scores to monitor and perform corrective action based on anomalous actor behavior to maintain security posture across the organization.

Abstract: A trained one-dimensional convolutional neural network (1D CNN) efficiently detects credentials that allow access to sensitive data across an organization. The 1D CNN has a lightweight architecture with one or more one-dimensional convolutional layers that capture semantic context of text data and a one-hot encoding embedding layer that takes unprocessed characters from documents as input. Lightweight architecture of the 1D CNN allows for high volume, fast detection of credentials for data loss prevention. The 1D CNN is trained on documents augmented with natural language processing techniques including token replacement, machine translation, token rearrangement, and text summarization.

Abstract: A malware detector has been designed that uses a combination of NLP techniques on dynamic malware analysis reports for malware classification of files. The malware detector aggregates text-based features identified in different pre-processing pipelines that correspond to different types of properties of a dynamic malware analysis report. From a dynamic malware analysis report, the pre-processing pipelines of the malware detector generate a first feature set based on individual text tokens and a second feature set based on n-grams. The malware detector inputs the first feature set into a trained neural network having an embedding layer. The malware detector then extracts a dense layer from the trained neural network and aggregates the extracted layer with the second feature set to form an input for a trained boosting model. The malware detector inputs the cross-pipeline feature values into the trained boosting model to generate a malware detection output.

Abstract: The present application discloses a method, system, and computer system for detecting malicious files. The method includes (a) receiving a sample for malware analysis, (b) applying a machine learning model to obtain a classification for the sample based at least in part on (i) memory artifact data associated with the sample, and (ii) at least one of dynamic execution log data for the sample and static file structures associated with the sample, and (c) determining whether the sample is malicious based at least in part on the classification.

Abstract: The present application discloses a method, system, and computer system for classifying stream data at an edge device. The method includes obtaining a stream of a file at the edge device, aligning a predetermined amount of data in chunks associated with the stream of the file, processing a plurality of aligned chunks associated with the stream of the file using a machine learning model, and classifying, at the edge device, the file based at least in part on a classification of the plurality of aligned chunks.

Abstract: The present application discloses a method, system, and computer system for classifying stream data at an edge device. The method includes obtaining a stream of a file at the edge device, processing a set of chunks associated with the stream of the file using a machine learning model, and classifying, at the edge device, the file before processing an entirety of the file.

Abstract: The present application discloses a method, system, and computer system for detecting malicious files. The method includes executing a sample in a virtual environment, and determining whether the sample is malware based at least in part on memory-use artifacts obtained in connection with execution of the sample in the virtual environment.

Abstract: Methods and systems for dynamic network link prediction include generating a dynamic graph embedding model for capturing temporal patterns of dynamic graphs, each of the graphs being an evolved representation of the dynamic network over time. The dynamic graph embedding model is configured as a neural network including nonlinear layers that learn structural patterns in the dynamic network. A dynamic graph embedding learning by the embedding model is achieved by optimizing a loss function that includes a weighting matrix for weighting reconstruction of observed edges higher than unobserved links. Graph edges representing network links at a future time step are predicted based on parameters of the neural network tuned by optimizing the loss function.

Abstract: A malware detector has been designed that uses a combination of NLP techniques on dynamic malware analysis reports for malware classification of files. The malware detector aggregates text-based features identified in different pre-processing pipelines that correspond to different types of properties of a dynamic malware analysis report. From a dynamic malware analysis report, the pre-processing pipelines of the malware detector generate a first feature set based on individual text tokens and a second feature set based on n-grams. The malware detector inputs the first feature set into a trained neural network having an embedding layer. The malware detector then extracts a dense layer from the trained neural network and aggregates the extracted layer with the second feature set to form an input for a trained boosting model. The malware detector inputs the cross-pipeline feature values into the trained boosting model to generate a malware detection output.

Abstract: A methodology as described herein allows cyber-domain tools such as computer aided-manufacturing (CAM) to be aware of the existing information leakage. Then, either machine process or product design parameters in the cyber-domain are changed to minimize the information leakage. This methodology aids the existing cyber-domain and physical-domain security solution by utilizing the cross-domain relationship.

Abstract: Methods and systems for dynamic network link prediction include generating a dynamic graph embedding model for capturing temporal patterns of dynamic graphs, each of the graphs being an evolved representation of the dynamic network over time. The dynamic graph embedding model is configured as a neural network including nonlinear layers that learn structural patterns in the dynamic network. A dynamic graph embedding learning by the embedding model is achieved by optimizing a loss function that includes a weighting matrix for weighting reconstruction of observed edges higher than unobserved links. Graph edges representing network links at a future time step are predicted based on parameters of the neural network tuned by optimizing the loss function. dynamic graph representation learning that includes receiving, by a processing device, graphs, each of the graphs having a known graph link between two vertices, each of the graphs being associated with one of a plurality of previous time steps.

Abstract: A novel methodology for providing security to maintain the confidentiality of additive manufacturing systems during the cyber-physical manufacturing process is featured. This solution is incorporated within the computer aided manufacturing tools such as slicing algorithms and the tool-path generation, which are in the cyber-domain. This effectively mitigates the cross domain physical-to-cyber domain attacks which can breach the confidentiality of the manufacturing system to leak valuable intellectual properties.

Abstract: A methodology as described herein allows cyber-domain tools such as computer aided-manufacturing (CAM) to be aware of the existing information leakage. Then, either machine process or product design parameters in the cyber-domain are changed to minimize the information leakage. This methodology aids the existing cyber-domain and physical-domain security solution by utilizing the cross-domain relationship.

Abstract: A novel methodology for providing security to maintain the confidentiality of additive manufacturing systems during the cyber-physical manufacturing process is featured. This solution is incorporated within the computer aided manufacturing tools such as slicing algorithms and the tool-path generation, which are in the cyber-domain. This effectively mitigates the cross domain physical-to-cyber domain attacks which can breach the confidentiality of the manufacturing system to leak valuable intellectual properties.

Abstract: A novel methodology for providing security to maintain the confidentiality of additive manufacturing systems during the cyber-physical manufacturing process is featured. This solution is incorporated within the computer aided manufacturing tools such as slicing algorithms and the tool-path generation, which are in the cyber-domain. This effectively mitigates the cross domain physical-to-cyber domain attacks which can breach the confidentiality of the manufacturing system to leak valuable intellectual properties.