Patents by Inventor Tomer Teller
Tomer Teller has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Patent number: 10911478
  Abstract: Methods are provided for building and tuning a correlation data structure. The correlation data structure includes relationship correlations with relationship scores that reflect the level of correlation between alert conditions and feature set events that occurred in a machine. Each relationship correlation further includes a time of influence associated with the times of occurrence for each alert condition and corresponding feature set event. The correlation data structure is built and tuned using sourcing to leverage the alert conditions and feature set events on each machine for all machines in the network. Methods are also provided to use the correlation data structure to monitor the machines in a network, detect feature set events, and detect if alert conditions correlated with those feature set events are likely to occur. The methods further provide for mitigating those alert conditions.
  Type: Grant
  Filed: June 29, 2017
  Date of Patent: February 2, 2021
  Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
  Inventors: Dotan Patrich, Vlad Korsunsky, Maya Maimon, Moshe Israel, Oran Brill, Tomer Teller
- Patent number: 10534925
  Abstract: Controlling device security includes obtaining a set of device activity data indicating current device activity on a device and a set of user activity data indicating a current activity state of one or more legitimate users of the device. It is determined whether the indicated current activity state of the users indicates that a legitimate user is in an active state on the device, or that none of the legitimate users is in an active state on the device. A statistical fit of the indicated current device activity on the device, with the indicated current activity state of the one or more legitimate users, is determined, by a comparison with at least one of the models that are generated via supervised learning. A security alert action may be initiated, based on a result of the determination of the statistical fit indicating a compromised state of the device.
  Type: Grant
  Filed: October 5, 2016
  Date of Patent: January 14, 2020
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Moshe Israel, Royi Ronen, Daniel Alon, Tomer Teller, Hanan Shteingart
- Patent number: 10460101
  Abstract: In one example, a system includes a processor, memory, and a botnet detection application stored in memory and executed by the processor and configured to: obtain (i) Netflow data indicating one or more IP addresses accessed by a computer and (ii) passive Domain Name System (DNS) data indicating respective one or more domains associated with each of the one or more IP addresses; generate features associated with the computer based on the Netflow data and passive DNS data; generate probability data based on the Netflow data and passive DNS data, wherein the probability data indicates a probability that the computer accessed the one or more domains; assign weights to the features based on the probability data to provide weighted features; and determine whether the computer is likely to be part of a botnet based on the weighted features.
  Type: Grant
  Filed: June 6, 2017
  Date of Patent: October 29, 2019
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Tomer Teller, Roy Levin
- Patent number: 10425443
  Abstract: Detecting a volumetric attack on a computer network with fewer false positives and while also requiring fewer processing resources is provided. The systems and methods described herein use observations taken at the network level to observe network traffic to form a predictive model for future traffic. When the network's future traffic sufficiently exceeds the predictive model, the monitoring systems and methods will indicate to the network to take security measures. The traffic to the network may be observed in subsets, corresponding to various groupings of sources, destinations, and protocols so that security measures may be targeted to that subset without affecting other machines in the network.
  Type: Grant
  Filed: June 14, 2016
  Date of Patent: September 24, 2019
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Royi Ronen, Hani Neuvirth-Telem, Shai Baruch Nahum, Yuri Gabaev, Oleg Yanovsky, Vlad Korsunsky, Tomer Teller, Hanan Shteingart
- Patent number: 10404738
  Abstract: One embodiment illustrated herein includes a computer implemented method. The method includes acts for training an amplification attack detection system. The method includes obtaining a plurality of samples of IPFIX data. The method further includes using the IPFIX data to create a plurality of time-based, server samples on a per server basis such that each sample corresponds to a server and a period of time over which IPFIX data in the sample corresponds. The method further includes identifying a plurality of the server samples that are labeled positive for amplification attacks. The method further includes identifying a plurality of server samples that are labeled negative for amplification attacks. The method further includes automatically labeling at least some of the remaining server samples as positive or negative based on the previously identified labeled samples. The method further includes using the automatically labeled samples to train an amplification attack detection system.
  Type: Grant
  Filed: February 27, 2017
  Date of Patent: September 3, 2019
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Mathias Scherman, Tomer Teller, Hanan Shteingart, Royi Ronen
- Publication number: 20190005225
  Abstract: Methods are provided for building and tuning a correlation data structure. The correlation data structure includes relationship correlations with relationship scores that reflect the level of correlation between alert conditions and feature set events that occurred in a machine. Each relationship correlation further includes a time of influence associated with the times of occurrence for each alert condition and corresponding feature set event. The correlation data structure is built and tuned using sourcing to leverage the alert conditions and feature set events on each machine for all machines in the network. Methods are also provided to use the correlation data structure to monitor the machines in a network, detect feature set events, and detect if alert conditions correlated with those feature set events are likely to occur. The methods further provide for mitigating those alert conditions.
  Type: Application
  Filed: June 29, 2017
  Publication date: January 3, 2019
  Inventors: Dotan Patrich, Vlad Korsunsky, Maya Maimon, Moshe Israel, Oran Brill, Tomer Teller
- Publication number: 20180349599
  Abstract: In one example, a system includes a processor, memory, and a botnet detection application stored in memory and executed by the processor and configured to: obtain (i) Netflow data indicating one or more IP addresses accessed by a computer and (ii) passive Domain Name System (DNS) data indicating respective one or more domains associated with each of the one or more IP addresses; generate features associated with the computer based on the Netflow data and passive DNS data; generate probability data based on the Netflow data and passive DNS data, wherein the probability data indicates a probability that the computer accessed the one or more domains; assign weights to the features based on the probability data to provide weighted features; and determine whether the computer is likely to be part of a botnet based on the weighted features.
  Type: Application
  Filed: June 6, 2017
  Publication date: December 6, 2018
  Inventors: Tomer TELLER, Roy Levin
- Publication number: 20180248906
  Abstract: One embodiment illustrated herein includes a computer implemented method. The method includes acts for training an amplification attack detection system. The method includes obtaining a plurality of samples of IPFIX data. The method further includes using the IPFIX data to create a plurality of time-based, server samples on a per server basis such that each sample corresponds to a server and a period of time over which IPFIX data in the sample corresponds. The method further includes identifying a plurality of the server samples that are labeled positive for amplification attacks. The method further includes identifying a plurality of server samples that are labeled negative for amplification attacks. The method further includes automatically labeling at least some of the remaining server samples as positive or negative based on the previously identified labeled samples. The method further includes using the automatically labeled samples to train an amplification attack detection system.
  Type: Application
  Filed: February 27, 2017
  Publication date: August 30, 2018
  Inventors: Mathias Scherman, Tomer Teller, Hanan Shteingart, Royi Ronen
- Patent number: 10050995
  Abstract: Client-less methods and systems destroy/break the predictive layout of, for example, a client computer memory. The methods and systems operate by injecting a library that manipulates the client computer memory during exploitation attempts.
  Type: Grant
  Filed: May 15, 2017
  Date of Patent: August 14, 2018
  Assignee: CHECK POINT SOFTWARE TECHNOLOGIES LTD.
  Inventors: Tomer Teller, Adi Hayon
- Publication number: 20180096157
  Abstract: Controlling device security includes obtaining a set of device activity data indicating current device activity on a device and a set of user activity data indicating a current activity state of one or more legitimate users of the device. It is determined whether the indicated current activity state of the users indicates that a legitimate user is in an active state on the device, or that none of the legitimate users is in an active state on the device. A statistical fit of the indicated current device activity on the device, with the indicated current activity state of the one or more legitimate users, is determined, by a comparison with at least one of the models that are generated via supervised learning. A security alert action may be initiated, based on a result of the determination of the statistical fit indicating a compromised state of the device.
  Type: Application
  Filed: October 5, 2016
  Publication date: April 5, 2018
  Applicant: Microsoft Technology Licensing, LLC
  Inventors: Moshe Israel, Royi Ronen, Daniel Alon, Tomer Teller, Hanan Shteingart
- Publication number: 20170359372
  Abstract: Detecting a volumetric attack on a computer network with fewer false positives and while also requiring fewer processing resources is provided. The systems and methods described herein use observations taken at the network level to observe network traffic to form a predictive model for future traffic. When the network's future traffic sufficiently exceeds the predictive model, the monitoring systems and methods will indicate to the network to take security measures. The traffic to the network may be observed in subsets, corresponding to various groupings of sources, destinations, and protocols so that security measures may be targeted to that subset without affecting other machines in the network.
  Type: Application
  Filed: June 14, 2016
  Publication date: December 14, 2017
  Applicant: Microsoft Technology Licensing, LLC.
  Inventors: Royi Ronen, Hani Neuvirth-Telem, Shai Baruch Nahum, Yuri Gabaev, Oleg Yanovsky, Vlad Korsunsky, Tomer Teller, Hanan Shteingart
- Publication number: 20170251017
  Abstract: Client-less methods and systems destroy/break the predictive layout of, for example, a client computer memory. The methods and systems operate by injecting a library that manipulates the client computer memory during exploitation attempts.
  Type: Application
  Filed: May 15, 2017
  Publication date: August 31, 2017
  Inventors: Tomer TELLER, Adi HAYON
- Patent number: 9686307
  Abstract: Client-less methods and systems destroy/break the predictive layout of, for example, a client computer memory. The methods and systems operate by injecting a library that manipulates the client computer memory during exploitation attempts.
  Type: Grant
  Filed: January 13, 2015
  Date of Patent: June 20, 2017
  Assignee: CHECK POINT SOFTWARE TECHNOLOGIES LTD.
  Inventors: Tomer Teller, Adi Hayon
- Patent number: 9536090
  Abstract: To defend a computer against malware, first executable code, of the computer, that includes a signature that identifies an address, in the computer's memory, of a respective data structure that is potentially vulnerable to tampering, is identified. The first executable code is copied to provide second executable code that emulates the first executable code using its own respective data structure. The first executable code is modified to jump to the second executable code before accessing the data structure, and also so that the signature identifies the address of a guard page.
  Type: Grant
  Filed: May 26, 2013
  Date of Patent: January 3, 2017
  Assignee: CHECK POINT SOFTWARE TECHNOLOGIES LTD.
  Inventors: Tomer Teller, Assaf Segal
- Publication number: 20160205130
  Abstract: Client-less methods and systems destroy/break the predictive layout of, for example, a client computer memory. The methods and systems operate by injecting a library that manipulates the client computer memory during exploitation attempts.
  Type: Application
  Filed: January 13, 2015
  Publication date: July 14, 2016
  Inventors: Tomer TELLER, Adi HAYON
- Publication number: 20140351941
  Abstract: To defend a computer against malware, first executable code, of the computer, that includes a signature that identifies an address, in the computer's memory, of a respective data structure that is potentially vulnerable to tampering, is identified. The first executable code is copied to provide second executable code that emulates the first executable code using its own respective data structure. The first executable code is modified to jump to the second executable code before accessing the data structure, and also so that the signature identifies the address of a guard page.
  Type: Application
  Filed: May 26, 2013
  Publication date: November 27, 2014
  Inventors: Tomer TELLER, Assaf SEGAL
- Patent number: 7930744
  Abstract: The present invention discloses methods and media for hooking applications to monitor and prevent execution of security-sensitive operations, the method including the steps of: reading at least one configuration parameter list from a configuration module; hooking, by a hooking engine, a hooking point in an application, wherein the hooking point is defined in the configuration module; calling, by the application, the hooking point during operation of the application; matching at least one hooking parameter in the hooking point to at least one configuration parameter in at least one configuration parameter list; and upon detecting a match between the hooking parameter and at least one configuration parameter, performing at least one configuration-defined action. Preferably, the method further includes the step of: updating a state of the hooking engine. Preferably, the hooking engine is operative to prevent malicious operations by obfuscated code.
  Type: Grant
  Filed: July 2, 2008
  Date of Patent: April 19, 2011
  Assignee: Check Point Software Technologies Ltd.
  Inventors: Tomer Teller, Idan Nahoum, Tamir Zegman
- Publication number: 20100005528
  Abstract: The present invention discloses methods and media for hooking applications to monitor and prevent execution of security-sensitive operations, the method including the steps of: reading at least one configuration parameter list from a configuration module; hooking, by a hooking engine, a hooking point in an application, wherein the hooking point is defined in the configuration module; calling, by the application, the hooking point during operation of the application; matching at least one hooking parameter in the hooking point to at least one configuration parameter in at least one configuration parameter list; and upon detecting a match between the hooking parameter and at least one configuration parameter, performing at least one configuration-defined action. Preferably, the method further includes the step of: updating a state of the hooking engine. Preferably, the hooking engine is operative to prevent malicious operations by obfuscated code.
  Type: Application
  Filed: July 2, 2008
  Publication date: January 7, 2010
  Applicant: CHECK POINT SOFTWARE TECHNOLOGIES, LTD.
  Inventors: Tomer Teller, Idan Nahoum, Tamir Zegman