Patents by Inventor Wenjun Hu

Wenjun Hu has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230342461
    Abstract: The detection of malicious documents using knowledge distillation assisted learning is disclosed. A document is received for maliciousness determination. A likelihood that the received document represents a threat is determined. The determination is made, at least in part, using a raw bytes model that was trained, at least in part, using image model prediction probabilities. A verdict for the document is provided as output based at least in part on the determined likelihood.
    Type: Application
    Filed: June 29, 2022
    Publication date: October 26, 2023
    Inventors: Min Du, Curtis Leland Carmony, Wenjun Hu
  • Publication number: 20230342460
    Abstract: The detection of malicious documents using deep mutual learning is disclosed. A document is received for maliciousness determination. A likelihood that the received document represents a threat is determined. The determination is made, at least in part, using a raw bytes model that was trained, at least in part, using a mutual learning process in conjunction with training an image based model. A verdict for the document is provided as output based at least in part on the determined likelihood.
    Type: Application
    Filed: June 29, 2022
    Publication date: October 26, 2023
    Inventors: Min Du, Curtis Leland Carmony, Wenjun Hu
  • Publication number: 20230344861
    Abstract: Malware signature generation through combination rule mining is disclosed. A set of properties associated, collectively, with a plurality of data samples is received. A first data sample has a first set of properties and a second data sample has a second set of properties. A combination signature comprising at least a first property included in the first set of properties and a second property included in the second set of properties is generated.
    Type: Application
    Filed: June 30, 2023
    Publication date: October 26, 2023
    Inventors: Min Du, Wenjun Hu, William Redington Hewlett, II
  • Publication number: 20230342452
    Abstract: Execution of an application in an application-level sandbox is disclosed. A request to launch an application is received by an operating system executing on a device. A determination is made that a stored copy of the application should be executed within an application-level sandbox. The stored copy of the application is executed in the application-level sandbox.
    Type: Application
    Filed: May 12, 2023
    Publication date: October 26, 2023
    Inventors: Zhi Xu, Cong Zheng, Tongbo Luo, Wenjun Hu
  • Publication number: 20230306114
    Abstract: Automatic generation of a malware signature is disclosed. Code of a sample including packages and function names is parsed. Standard type packages and vendor type packages are filtered from the code of the sample to obtain main type packages. A signature using a fuzzy hash for the sample is generated based on the main type packages. A determination of whether the sample is malware is performed using the signature and a similarity score threshold.
    Type: Application
    Filed: February 7, 2022
    Publication date: September 28, 2023
    Inventors: Yang Ji, Tyler Pals Halfpop, Zihang Xiao, Wenjun Hu
  • Patent number: 11743286
    Abstract: Malware signature generation through combination rule mining is disclosed. A set of properties associated, collectively, with a plurality of data samples is received. A first data sample has a first set of properties and a second data sample has a second set of properties. A combination signature comprising at least a first property included in the first set of properties and a second property included in the second set of properties is generated.
    Type: Grant
    Filed: June 30, 2021
    Date of Patent: August 29, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Min Du, Wenjun Hu, William Redington Hewlett, II
  • Publication number: 20230269259
    Abstract: A set of metadata associated with a plurality of samples is received. The samples are clustered. For members of a first cluster, a set of similarities shared among at least a portion of the members of the first cluster is determined. A cluster member is identified within the first cluster, and in response, additional analysis is caused to be performed on the outlier cluster member.
    Type: Application
    Filed: May 1, 2023
    Publication date: August 24, 2023
    Inventors: Zhi Xu, Jiajie Wang, Xiao Zhang, Wenjun Hu
  • Patent number: 11720666
    Abstract: Execution of an application in an application-level sandbox is disclosed. A request to launch an application is received by an operating system executing on a device. A determination is made that a stored copy of the application should be executed within an application-level sandbox. The stored copy of the application is executed in the application-level sandbox.
    Type: Grant
    Filed: October 21, 2021
    Date of Patent: August 8, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Zhi Xu, Cong Zheng, Tongbo Luo, Wenjun Hu
  • Publication number: 20230185915
    Abstract: The present application discloses a method, system, and computer system for detecting malicious files. The method includes receiving a sample, extracting an embedded script from the sample, applying a malicious script detector in connection with determining whether the sample is malicious, and, in response to determining that the sample is malicious, sending, to a security entity, an indication that the sample is malicious.
    Type: Application
    Filed: December 14, 2021
    Publication date: June 15, 2023
    Inventors: Akshata Krishnamoorthy Rao, Yaron Samuel, Lauren Che, Wenjun Hu
  • Patent number: 11677764
    Abstract: The automatic generation of malware family signatures is disclosed. A set of metadata associated with a plurality of samples is received. The samples are clustered. For members of a first cluster, a set of similarities shared among at least a portion of the members of the first cluster is determined. The similarities are evaluated for suitability as a malware family signature. Suitability is evaluated based on how well the similarities uniquely identify the members of the first cluster. In the event the similarities are determined to be suitable as a malware family signature, a signature is generated.
    Type: Grant
    Filed: June 1, 2021
    Date of Patent: June 13, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Zhi Xu, Jiajie Wang, Xiao Zhang, Wenjun Hu
  • Patent number: 11620383
    Abstract: A sample is analyzed to determine a set of events that should be selected for performing by a dynamic analyzer executing the sample in an instrumented, emulated environment. In some cases, analyzing the sample includes extracting the sample's user interface layout into a tree hierarchy of user interface elements. The set of selected events is performed. In some cases, at least one emulator detection resistance action is performed. A maliciousness verdict is determined for the sample based at least in part on one or more responses taken by the sample in response to the set of selected events being performed by the dynamic analyzer.
    Type: Grant
    Filed: February 4, 2021
    Date of Patent: April 4, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Cong Zheng, Wenjun Hu, Zhi Xu
  • Publication number: 20230078962
    Abstract: A sample is analyzed to determine a set of events that should be selected for performing by a dynamic analyzer executing the sample in an instrumented, emulated environment. The set of selected events is performed. In some cases, at least one emulator detection resistance action is performed. A maliciousness verdict is determined for the sample based at least in part on one or more responses taken by the sample in response to the set of selected events being performed by the dynamic analyzer.
    Type: Application
    Filed: November 21, 2022
    Publication date: March 16, 2023
    Inventors: Cong Zheng, Wenjun Hu, Zhi Xu
  • Publication number: 20230082289
    Abstract: Automated fuzzy hash based signature collection is disclosed. A set of candidate fuzzy hashes corresponding to a set of false negative samples is received. A false positive reduction analysis is performed on the received set of candidate fuzzy hashes to generate a reduced set of fuzzy hashes. At least a portion of the reduced set of fuzzy hashes is clustered into a fuzzy hash cluster. A signature for a family of malware is generated based at least in part on the fuzzy hash cluster.
    Type: Application
    Filed: September 10, 2021
    Publication date: March 16, 2023
    Inventors: Yang Ji, Wenjun Hu, Xiao Zhang
  • Patent number: 11604878
    Abstract: A virtualized storage for use in performing dynamic analysis on a sample is configured, at least in part by copying the sample to the virtualized storage. A virtual machine emulator is launched using a snapshot of a virtualized platform. The virtualized platform is previously configured to use the virtualized storage, and the snapshot is configured to use a placeholder file to occupy space for later use when installing the sample. A location of the copied sample in an image corresponding to the virtualized storage is determined. The copied sample is installed and dynamic analysis is performed on the sample.
    Type: Grant
    Filed: February 3, 2021
    Date of Patent: March 14, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Wenjun Hu, Cong Zheng, Zhi Xu
  • Publication number: 20230075632
    Abstract: Provided is a method for preparing isavuconazonium sulfate. Specifically, the preparation method involved comprises: reacting a compound of formula V in the presence of a provided compound having a bisulfate ion so as to obtain isavuconazonium sulfate as shown in formula VI. The preparation method has the advantages of stable intermediate, easy separation and purification, simple operation, high reaction yield, and easy industrial production.
    Type: Application
    Filed: December 21, 2020
    Publication date: March 9, 2023
    Inventors: Xiaoxia AN, Nan ZHAO, Jiayu JIN, Jingyu HU, Wenjun HU, Junjie WEI, Menglong LI
  • Patent number: 11565832
    Abstract: A harmless low-consumption on-orbit continuous launch system includes a satellite platform, a launch apparatus and a plurality of CubeSats. The satellite platform carries the launch apparatus and dozens or hundreds of CubeSats, and is launched from a ground into an orbit for on-orbit operation. The launch apparatus is configured to store the plurality of CubeSats and provide power for on-orbit launching of each of the CubeSats. A solid working medium in the launch apparatus is activated by heating to undergo a phase change, and the activated solid working medium expands instantly and is converted into a high-pressure gaseous working medium. The high-pressure gaseous working medium does work to eject the CubeSats, such that the CubeSats obtain a speed increment. The CubeSats enter a transfer orbit towards different target spacecraft through the speed increment applied by the launch apparatus to perform a plurality of different on-orbit serving missions.
    Type: Grant
    Filed: May 26, 2022
    Date of Patent: January 31, 2023
    Assignee: NATIONAL UNIVERSITY OF DEFENSE TECHNOLOGY
    Inventors: Yueneng Yang, Wenjun Hu, Chaoyan Zhang, Shifeng Zhang, Xin Xu, Shurui Huang, Xiaotong Bu, Zhiyang Liu
  • Publication number: 20220380066
    Abstract: A harmless low-consumption on-orbit continuous launch system includes a satellite platform, a launch apparatus and a plurality of CubeSats. The satellite platform carries the launch apparatus and dozens or hundreds of CubeSats, and is launched from a ground into an orbit for on-orbit operation. The launch apparatus is configured to store the plurality of CubeSats and provide power for on-orbit launching of each of the CubeSats. A solid working medium in the launch apparatus is activated by heating to undergo a phase change, and the activated solid working medium expands instantly and is converted into a high-pressure gaseous working medium. The high-pressure gaseous working medium does work to eject the CubeSats, such that the CubeSats obtain a speed increment. The CubeSats enter a transfer orbit towards different target spacecraft through the speed increment applied by the launch apparatus to perform a plurality of different on-orbit serving missions.
    Type: Application
    Filed: May 26, 2022
    Publication date: December 1, 2022
    Applicant: NATIONAL UNIVERSITY OF DEFENSE TECHNOLOGY
    Inventors: Yueneng YANG, Wenjun HU, Chaoyan ZHANG, Shifeng ZHANG, Xin XU, Shurui HUANG, Xiaotong BU, Zhiyang LIU
  • Publication number: 20220247758
    Abstract: Malware signature generation through combination rule mining is disclosed. A set of properties associated, collectively, with a plurality of data samples is received. A first data sample has a first set of properties and a second data sample has a second set of properties. A combination signature comprising at least a first property included in the first set of properties and a second property included in the second set of properties is generated.
    Type: Application
    Filed: June 30, 2021
    Publication date: August 4, 2022
    Inventors: Min Du, Wenjun Hu, William Redington Hewlett, II
  • Publication number: 20220043906
    Abstract: Execution of an application in an application-level sandbox is disclosed. A request to launch an application is received by an operating system executing on a device. A determination is made that a stored copy of the application should be executed within an application-level sandbox. The stored copy of the application is executed in the application-level sandbox.
    Type: Application
    Filed: October 21, 2021
    Publication date: February 10, 2022
    Inventors: Zhi Xu, Cong Zheng, Tongbo Luo, Wenjun Hu
  • Publication number: 20220036208
    Abstract: To leverage the higher detection rate of a supplemental model and manage the higher false positive rate of that model, an activation range is tuned for the candidate model to operate in conjunction with an incumbent model. The activation range is a range of output values for the incumbent model that activates the supplemental model. Inputs having benign output values from the incumbent model that are within the activation range are fed into the supplemental model. Thus, the lower threshold of the activation range corresponds to the malware detection threshold of the incumbent model and the upper threshold determines how many benign classified outputs from the incumbent model activate the supplemental model. This conjoining of models with a tuned activation range manages overall false positive rate of the conjoined detection models while the malware detection rate increases over the incumbent detection model alone.
    Type: Application
    Filed: July 28, 2020
    Publication date: February 3, 2022
    Inventors: Akshata Krishnamoorthy Rao, Danny Tsechansky, Wenjun Hu