Patents by Inventor Wenjun Hu

Wenjun Hu has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 12197574
    Abstract: The present application discloses a method, system, and computer system for detecting malicious files. The method includes receiving a sample, extracting an embedded script from the sample, applying a malicious script detector in connection with determining whether the sample is malicious, and in response to determining that the sample is malicious, sending, to a security entity, an indication that the sample is malicious.
    Type: Grant
    Filed: December 14, 2021
    Date of Patent: January 14, 2025
    Assignee: Palo Alto Networks, Inc.
    Inventors: Akshata Krishnamoorthy Rao, Yaron Samuel, Lauren Che, Wenjun Hu
  • Patent number: 12174959
    Abstract: Automatic generation of a malware signature is disclosed. Code of a sample including packages and function names is parsed. Standard type packages and vendor type packages are filtered from the code of the sample to obtain main type packages. A signature using a fuzzy hash for the sample is generated based on the main type packages. A determination of whether the sample is malware is performed using the signature and a similarity score threshold.
    Type: Grant
    Filed: February 7, 2022
    Date of Patent: December 24, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Yang Ji, Tyler Pals Halfpop, Zihang Xiao, Wenjun Hu
  • Patent number: 12174940
    Abstract: Execution of an application in an application-level sandbox is disclosed. A request to launch an application is received by an operating system executing on a device. A determination is made that a stored copy of the application should be executed within an application-level sandbox. The stored copy of the application is executed in the application-level sandbox.
    Type: Grant
    Filed: May 12, 2023
    Date of Patent: December 24, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Zhi Xu, Cong Zheng, Tongbo Luo, Wenjun Hu
  • Patent number: 12170679
    Abstract: A set of metadata associated with a plurality of samples is received. The samples are clustered. For members of a first cluster, a set of similarities shared among at least a portion of the members of the first cluster is determined. A cluster member is identified within the first cluster, and in response, additional analysis is caused to be performed on the outlier cluster member.
    Type: Grant
    Filed: May 1, 2023
    Date of Patent: December 17, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Zhi Xu, Jiajie Wang, Xiao Zhang, Wenjun Hu
  • Publication number: 20240414129
    Abstract: Automated fuzzy hash based signature collection is disclosed. A set of candidate fuzzy hashes corresponding to a set of false negative samples is received. A false positive reduction analysis is performed on the received set of candidate fuzzy hashes to generate a reduced set of fuzzy hashes. At least a portion of the reduced set of fuzzy hashes is clustered into a fuzzy hash cluster. A signature for a family of malware is generated based at least in part on the fuzzy hash cluster.
    Type: Application
    Filed: August 16, 2024
    Publication date: December 12, 2024
    Inventors: Yang Ji, Wenjun Hu, Xiao Zhang
  • Patent number: 12164632
    Abstract: Techniques for automatically detecting unknown packers are disclosed. In some embodiments, a system/process/computer program product for automatically detecting unknown packers includes receiving a plurality of samples for malware packer detection analysis; performing a packer filter to determine whether each of the plurality of samples is packed; emulating each of the packed samples to extract a plurality of features; and clustering the packed samples based on the extracted features.
    Type: Grant
    Filed: May 25, 2022
    Date of Patent: December 10, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Chienhua Lu, Wenjun Hu
  • Publication number: 20240388600
    Abstract: Techniques for using deep learning to identify malicious image files are disclosed. A plurality of sections of a first image are received. The received sections are used to determine a likelihood that the first image is malicious. The determination is made, at least in part, using a model trained using a set of sections extracted from a set of sample images. A verdict is provided for the first image.
    Type: Application
    Filed: May 18, 2023
    Publication date: November 21, 2024
    Inventors: Min Du, Yijie Sui, William Redington Hewlett, II, Wenjun Hu
  • Patent number: 12107831
    Abstract: Automated fuzzy hash based signature collection is disclosed. A set of candidate fuzzy hashes corresponding to a set of false negative samples is received. A false positive reduction analysis is performed on the received set of candidate fuzzy hashes to generate a reduced set of fuzzy hashes. At least a portion of the reduced set of fuzzy hashes is clustered into a fuzzy hash cluster. A signature for a family of malware is generated based at least in part on the fuzzy hash cluster.
    Type: Grant
    Filed: September 10, 2021
    Date of Patent: October 1, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Yang Ji, Wenjun Hu, Xiao Zhang
  • Publication number: 20240221873
    Abstract: Systems and computer-implemented methods for evaluating programs are disclosed. A computer-implemented method includes determining a propensity score, using a propensity score model, for each patient among multiple patients. The multiple patients include treatment patients and control patients, and the propensity score represents a probability of assignment to a treatment group. The method includes assigning a random value to each patient in an assignment group. The assignment group includes at least one of the treatment patients or the control patients. The method includes sorting the patients based on the assigned random values and matching, based on the sorted patients and the determined propensity scores, each treatment patient to a control patient to create multiple matches. Each match includes one treatment patient and at least one control patient. The method includes performing, based on the multiple matches, one or more actions related to the multiple patients.
    Type: Application
    Filed: January 3, 2023
    Publication date: July 4, 2024
    Applicant: UnitedHealth Group Incorporated
    Inventors: Changchun Alan WANG, Andrea MATHIS, Wenjun HU
  • Publication number: 20240143753
    Abstract: A system has been created that represents a binary file with a combination of signatures that account for both structure as expressed by control flow and an abstraction of functionality as expressed by import behavior. The system analyses intra-subroutine control flow and calls to import code units. The system generates structure signatures for the subroutines based on the intra-subroutine control flows. The system also generates an import behavior signature based on calls to import code units and caller-callee relationships between the subroutines and the import code units. The system uses the structure signatures to identify the caller subroutines in generating the import behavior signature. The combination of structure signatures and import behavior signature allows for accurate determination of code similarity without the noise of superficial variations in code organization and other mutations or alterations that facilitate avoiding malware detection.
    Type: Application
    Filed: October 28, 2022
    Publication date: May 2, 2024
    Inventors: Dongrui Zeng, Yang Ji, Wenjun Hu
  • Patent number: 11960605
    Abstract: A sample is analyzed to determine a set of events that should be selected for performing by a dynamic analyzer executing the sample in an instrumented, emulated environment. The set of selected events is performed. In some cases, at least one emulator detection resistance action is performed. A maliciousness verdict is determined for the sample based at least in part on one or more responses taken by the sample in response to the set of selected events being performed by the dynamic analyzer.
    Type: Grant
    Filed: November 21, 2022
    Date of Patent: April 16, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Cong Zheng, Wenjun Hu, Zhi Xu
  • Publication number: 20240104900
    Abstract: A fish school detection method and a system thereof, an electronic device and a storage medium are provided. The method includes inputting a to-be-detected fish school image into a fish school detection model; the fish school detection model including a feature extraction layer, a feature fusion layer and a feature recognition layer; extracting feature information of the to-be-detected fish school image based on the feature extraction layer, and determining a fish school feature map and an attention feature map based on an attention mechanism; fusing the fish school feature map and the attention feature map based on the feature fusion layer to determine a target fusion feature map; and determining a target fish school detection result based on the feature recognition layer and the target fusion feature map. Interference from environmental factors on detection results is eliminated, so as to effectively improve accuracy of the fish detection.
    Type: Application
    Filed: August 24, 2023
    Publication date: March 28, 2024
    Inventors: Wei Long, Linhua Jiang, Yawen Wang, Yunliang Jiang, Wenjun Hu, Fei Yin
  • Publication number: 20230385412
    Abstract: Techniques for automatically detecting unknown packers are disclosed. In some embodiments, a system/process/computer program product for automatically detecting unknown packers includes receiving a plurality of samples for malware packer detection analysis; performing a packer filter to determine whether each of the plurality of samples is packed; emulating each of the packed samples to extract a plurality of features; and clustering the packed samples based on the extracted features.
    Type: Application
    Filed: May 25, 2022
    Publication date: November 30, 2023
    Inventors: ChienHua Lu, Wenjun Hu
  • Patent number: 11822658
    Abstract: A sample is analyzed to determine a set of events that should be selected for performing by a dynamic analyzer executing the sample in an instrumented, emulated environment. The set of selected events is performed. In some cases, at least one emulator detection resistance action is performed. A maliciousness verdict is determined for the sample based at least in part on one or more responses taken by the sample in response to the set of selected events being performed by the dynamic analyzer.
    Type: Grant
    Filed: November 21, 2022
    Date of Patent: November 21, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Cong Zheng, Wenjun Hu, Zhi Xu
  • Publication number: 20230342461
    Abstract: The detection of malicious documents using knowledge distillation assisted learning is disclosed. A document is received for maliciousness determination. A likelihood that the received document represents a threat is determined. The determination is made, at least in part, using a raw bytes model that was trained, at least in part, using image model prediction probabilities. A verdict for the document is provided as output based at least in part on the determined likelihood.
    Type: Application
    Filed: June 29, 2022
    Publication date: October 26, 2023
    Inventors: Min Du, Curtis Leland Carmony, Wenjun Hu
  • Publication number: 20230342460
    Abstract: The detection of malicious documents using deep mutual learning is disclosed. A document is received for maliciousness determination. A likelihood that the received document represents a threat is determined. The determination is made, at least in part, using a raw bytes model that was trained, at least in part, using a mutual learning process in conjunction with training an image based model. A verdict for the document is provided as output based at least in part on the determined likelihood.
    Type: Application
    Filed: June 29, 2022
    Publication date: October 26, 2023
    Inventors: Min Du, Curtis Leland Carmony, Wenjun Hu
  • Publication number: 20230342452
    Abstract: Execution of an application in an application-level sandbox is disclosed. A request to launch an application is received by an operating system executing on a device. A determination is made that a stored copy of the application should be executed within an application-level sandbox. The stored copy of the application is executed in the application-level sandbox.
    Type: Application
    Filed: May 12, 2023
    Publication date: October 26, 2023
    Inventors: Zhi Xu, Cong Zheng, Tongbo Luo, Wenjun Hu
  • Publication number: 20230344867
    Abstract: The detection of phishing Portable Document Format (PDF) files using an image-based deep learning approach is disclosed. A PDF document that includes a Universal Resource Locator is received. A likelihood that the received PDF document represents a phishing threat is determined, at least in part, by using an image based model. A verdict for the PDF document is provided as output based at least in part on the determined likelihood.
    Type: Application
    Filed: May 2, 2022
    Publication date: October 26, 2023
    Inventors: Min Du, Hao Huang, Curtis Leland Carmony, Wenjun Hu, Daniel Raygoza, Tyler Pals Halfpop, Jeff White, Esmid Idrizovic
  • Publication number: 20230344861
    Abstract: Malware signature generation through combination rule mining is disclosed. A set of properties associated, collectively, with a plurality of data samples is received. A first data sample has a first set of properties and a second data sample has a second set of properties. A combination signature comprising at least a first property included in the first set of properties and a second property included in the second set of properties is generated.
    Type: Application
    Filed: June 30, 2023
    Publication date: October 26, 2023
    Inventors: Min Du, Wenjun Hu, William Redington Hewlett, II
  • Publication number: 20230306114
    Abstract: Automatic generation of a malware signature is disclosed. Code of a sample including packages and function names is parsed. Standard type packages and vendor type packages are filtered from the code of the sample to obtain main type packages. A signature using a fuzzy hash for the sample is generated based on the main type packages. A determination of whether the sample is malware is performed using the signature and a similarity score threshold.
    Type: Application
    Filed: February 7, 2022
    Publication date: September 28, 2023
    Inventors: Yang Ji, Tyler Pals Halfpop, Zihang Xiao, Wenjun Hu