Patents by Inventor William Redington Hewlett, II

William Redington Hewlett, II has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20250141894
    Abstract: Techniques for machine learning for prioritizing traffic in multi-purpose inline cloud analysis (MICA) to enhance malware detection are disclosed. In some embodiments, a system, a process, and/or a computer program product for machine learning for prioritizing traffic in multi-purpose inline cloud analysis (MICA) to enhance malware detection includes processing a set of data for network security analysis to extract a file; determining that the file is to be offloaded to a cloud security entity for security processing based at least in part on a prefilter model that is implemented as a machine learning model; forwarding the file to the cloud security entity using a multi-purpose inline cloud analysis (MICA) channel; and performing an action in response to receiving a verdict from the cloud security entity.
    Type: Application
    Filed: October 31, 2023
    Publication date: May 1, 2025
    Inventors: Sheng Yang, Curtis Leland Carmony, Ali Islam, Kashyap Tavarekere Ananthapadmanabha, William Redington Hewlett, II
  • Patent number: 12261853
    Abstract: Techniques for providing innocent until proven guilty (IUPG) solutions for building and using adversary resistant and false positive resistant deep learning models are disclosed. In some embodiments, a system, process, and/or computer program product includes storing a set comprising one or more innocent until proven guilty (IUPG) models for static analysis of a sample; performing a static analysis of content associated with the sample, wherein performing the static analysis includes using at least one stored IUPG model; and determining that the sample is malicious based at least in part on the static analysis of the content associated with the sample, and in response to determining that the sample is malicious, performing an action based on a security policy.
    Type: Grant
    Filed: November 3, 2023
    Date of Patent: March 25, 2025
    Assignee: Palo Alto Networks, Inc.
    Inventors: Brody James Kutt, Oleksii Starov, Yuchen Zhou, William Redington Hewlett, II
  • Patent number: 12261876
    Abstract: Malware signature generation through combination rule mining is disclosed. A set of properties associated, collectively, with a plurality of data samples is received. A first data sample has a first set of properties and a second data sample has a second set of properties. A combination signature comprising at least a first property included in the first set of properties and a second property included in the second set of properties is generated.
    Type: Grant
    Filed: June 30, 2023
    Date of Patent: March 25, 2025
    Assignee: Palo Alto Networks, Inc.
    Inventors: Min Du, Wenjun Hu, William Redington Hewlett, II
  • Publication number: 20250047694
    Abstract: Detection of malicious files is disclosed. A firewall uses an external network to communicate with a security platform that stores a first set of signatures. A second set of signatures that is a subset of the first set of signatures is stored. At the firewall, a plurality of sample classification models is received and stored. At the firewall, a file transmitted by a remote resource to a client device is received. In response to determining that the file is malicious, propagation of the received file is prevented.
    Type: Application
    Filed: October 21, 2024
    Publication date: February 6, 2025
    Inventors: William Redington Hewlett, II, Suiqiang Deng, Sheng Yang, Ho Yu Lam
  • Publication number: 20250045393
    Abstract: A machine learning ensemble receives input data from static analysis and dynamic analysis of binary files to output malicious/benign verdicts for the binary files. The machine learning ensemble comprises a structure aware dynamic compressor (“compressor”). The compressor receives a tree data structure generated based on Application Programming Interface calls of the binary files in various sandbox environments as input. The compressor performs various compression, tokenization, embedding, and reshaping operations to the tree data structure to generate a compressed tensor that preserves structural context from the tree data structure. The machine learning ensemble uses the compressed tensor to generate malicious/benign verdicts for the binary files.
    Type: Application
    Filed: October 6, 2023
    Publication date: February 6, 2025
    Inventors: Sujit Rokka Chhetri, William Redington Hewlett, II
  • Publication number: 20250023912
    Abstract: Techniques for recognizing phishing URLs on Software as a Service (SaaS) platforms are disclosed. A candidate URL is received. A determination is made that the candidate URL is a SaaS hosted URL. In response to the determination, the URL is evaluated using a model trained on SaaS hosted content. A remedial action is performed in response to determining that the received URL is a phishing URL.
    Type: Application
    Filed: July 14, 2023
    Publication date: January 16, 2025
    Inventors: Lucas Hu, Jingwei Fan, Wei Wang, William Redington Hewlett, II, Fangyu Deng
  • Publication number: 20240430279
    Abstract: A multi-perspective user and entity behavior analytics (UEBA) system (“system”) builds and maintains interchangeable modules for predicting likelihoods of anomalous user behavior at the scope of an actor (i.e., a user or entity) of an organization within time periods. Each module comprises probability models and/or machine learning models as sub-modules that model actor behavior at various levels of granularity with respect to usage of Software-as-a-Service applications. The system generates anomalousness scores by decorrelating likelihoods output by each sub-module and uses the anomalousness scores to monitor and perform corrective action based on anomalous actor behavior to maintain security posture across the organization.
    Type: Application
    Filed: June 23, 2023
    Publication date: December 26, 2024
    Inventors: Shan Huang, William Redington Hewlett, II, Manish Mradul, Sujit Rokka Chhetri
  • Publication number: 20240388600
    Abstract: Techniques for using deep learning to identify malicious image files are disclosed. A plurality of sections of a first image are received. The received sections are used to determine a likelihood that the first image is malicious. The determination is made, at least in part, using a model trained using a set of sections extracted from a set of sample images. A verdict is provided for the first image.
    Type: Application
    Filed: May 18, 2023
    Publication date: November 21, 2024
    Inventors: Min Du, Yijie Sui, William Redington Hewlett, II, Wenjun Hu
  • Publication number: 20240362277
    Abstract: An automated software-as-a-service (SaaS) security posture management (SSPM) system disclosed herein detects and maintains security posture for SaaS applications according to correct implementation of configuration settings. Based on detecting a previously unseen SaaS application with unknown implementation of configuration settings, the SSPM system scrapes the Internet for web content for the SaaS application and preprocesses/inputs the web content into a machine learning model to obtain predictions of correct/incorrect implementation of configuration settings as output. Based on the predictions not having sufficiently high confidence, the SSPM system obtains additional application content by logging into the SaaS application and scraping locally rendered pages therein. The application content is preprocessed/input to the machine learning model to obtain additional high confidence predictions.
    Type: Application
    Filed: April 28, 2023
    Publication date: October 31, 2024
    Inventors: Nandini Ramanan, William Redington Hewlett, II, Mrunmayi Bharat Nandgaonkar, Anurag Mukund Phadke, Sreejith Rajkumar
  • Publication number: 20240364738
    Abstract: Techniques for providing deep learning for malicious URL classification (URLC) using the innocent until proven guilty (IUPG) learning framework are disclosed. In some embodiments, a system, process, and/or computer program product includes storing a set comprising one or more innocent until proven guilty (IUPG) models for static analysis of a sample; performing a static analysis of one or more URLs associated with the sample, wherein performing the static analysis includes using at least one stored IUPG model; and determining that the sample is malicious based at least in part on the static analysis of the one or more URLs associated with the sample, and in response to determining that the sample is malicious, performing an action based on a security policy.
    Type: Application
    Filed: June 26, 2024
    Publication date: October 31, 2024
    Inventors: Brody James Kutt, Peng Peng, Fang Liu, William Redington Hewlett, II
  • Publication number: 20240346313
    Abstract: A malware detector has been designed that uses a combination of NLP techniques on dynamic malware analysis reports for malware classification of files. The malware detector aggregates text-based features identified in different pre-processing pipelines that correspond to different types of properties of a dynamic malware analysis report. From a dynamic malware analysis report, the pre-processing pipelines of the malware detector generate a first feature set based on individual text tokens and a second feature set based on n-grams. The malware detector inputs the first feature set into a trained neural network having an embedding layer. The malware detector then extracts a dense layer from the trained neural network and aggregates the extracted layer with the second feature set to form an input for a trained boosting model. The malware detector inputs the cross-pipeline feature values into the trained boosting model to generate a malware detection output.
    Type: Application
    Filed: June 24, 2024
    Publication date: October 17, 2024
    Inventors: Sujit Rokka Chhetri, William Redington Hewlett, II
  • Publication number: 20240331815
    Abstract: A named-entity recognition (NER) model detects named entities with types that correspond to protected health information (PHI) in potentially sensitive documents. The NER model is trained to detect named entities corresponding to both personally identifiable information (PII) and medical terms. Output of the NER model is preprocessed as input to a random forest classifier that outputs a verdict that documents comprise sensitive data. The verdict is interpretable via high confidence named entities detected by the NER model that led to the verdict.
    Type: Application
    Filed: March 28, 2023
    Publication date: October 3, 2024
    Inventors: Jesse Mie Kim, Ashwin Kumar Kannan, Anirudh Mittal, William Redington Hewlett, II, Naresh Kumar Venkata Guntupalli
  • Publication number: 20240320338
    Abstract: The present application discloses a method, system, and computer system for detecting malicious files. The method includes (a) receiving a sample for malware analysis, (b) applying a machine learning model to obtain a classification for the sample based at least in part on (i) memory artifact data associated with the sample, and (ii) at least one of dynamic execution log data for the sample and static file structures associated with the sample, and (c) determining whether the sample is malicious based at least in part on the classification.
    Type: Application
    Filed: April 23, 2024
    Publication date: September 26, 2024
    Inventors: Sujit Rokka Chhetri, Akshata Krishnamoorthy Rao, Daniel Raygoza, Esmid Idrizovic, William Redington Hewlett, II, Robert Jung
  • Publication number: 20240296231
    Abstract: Automated attribute scraping for security feature implementation with a single trained machine model across security features improves prediction quality and efficiency of predictions. A security feature implementation prediction system (system) generates search engine queries for each security feature based on high importance tokens for the security feature. The system ranks URLs returned from each search engine query for relevance, then preprocesses and inputs content for top-ranked URLs into the trained machine learning models. The system identifies implemented security features output based on confidence values output by the trained machine learning model and identifies sentences that describe the implementations in corresponding content for top-ranked URLs.
    Type: Application
    Filed: March 2, 2023
    Publication date: September 5, 2024
    Inventors: Nandini Ramanan, William Redington Hewlett, II, Manish Mradul
  • Patent number: 12063248
    Abstract: Techniques for providing deep learning for malicious URL classification (URLC) using the innocent until proven guilty (IUPG) learning framework are disclosed. In some embodiments, a system, process, and/or computer program product includes storing a set comprising one or more innocent until proven guilty (IUPG) models for static analysis of a sample; performing a static analysis of one or more URLs associated with the sample, wherein performing the static analysis includes using at least one stored IUPG model; and determining that the sample is malicious based at least in part on the static analysis of the one or more URLs associated with the sample, and in response to determining that the sample is malicious, performing an action based on a security policy.
    Type: Grant
    Filed: August 20, 2021
    Date of Patent: August 13, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Brody James Kutt, Peng Peng, Fang Liu, William Redington Hewlett, II
  • Publication number: 20240259420
    Abstract: The present application discloses a method, system, and computer system for classifying stream data at an edge device. The method includes obtaining a stream of a file at the edge device, aligning a predetermined amount of data in chunks associated with the stream of the file, processing a plurality of aligned chunks associated with the stream of the file using a machine learning model, and classifying, at the edge device, the file based at least in part on a classification of the plurality of aligned chunks.
    Type: Application
    Filed: January 31, 2023
    Publication date: August 1, 2024
    Inventors: William Redington Hewlett, II, Sujit Rokka Chhetri, Brody James Kutt, Shan Huang, Nandini Ramanan, Sheng Yang, Min Du
  • Publication number: 20240259397
    Abstract: The present application discloses a method, system, and computer system for classifying stream data at an edge device. The method includes obtaining a stream of a file at the edge device, processing a set of chunks associated with the stream of the file using a machine learning model, and classifying, at the edge device, the file before processing an entirety of the file.
    Type: Application
    Filed: January 31, 2023
    Publication date: August 1, 2024
    Inventors: Tung-Ling Li, William Redington Hewlett, II, Sujit Rokka Chhetri, Brody James Kutt
  • Publication number: 20240202554
    Abstract: An identification of an item that was misclassified by a classification model constructed in accordance with a machine learning technique is received. One example of such a machine learning technique is a random forest. A subset of training data, previously used to construct the model, and that is associated with the item is identified. At least a portion of the identified subset is provided as output.
    Type: Application
    Filed: March 1, 2024
    Publication date: June 20, 2024
    Inventors: William Redington Hewlett, II, Seokkyung Chung, Lin Xu
  • Publication number: 20240160914
    Abstract: A contrastive credibility propagation trainer (“trainer”) trains a representation neural network to learn credibility vectors for partially labeled data samples that represent certainty of samples belonging to each of a set of classes. The representation neural network is trained according to a loss function that accounts for both the credibility vectors and similarity of representations generated by the neural network itself. Using the credibility vectors as soft labels, the trainer trains a classifier neural network to generate labels for unlabeled samples in the partially labeled samples.
    Type: Application
    Filed: November 2, 2022
    Publication date: May 16, 2024
    Inventors: Brody James Kutt, William Redington Hewlett, II
  • Patent number: 11977989
    Abstract: A copy of a model comprising a plurality of trees is received, as is a copy of training set data comprising a plurality of training set examples. For each tree included in the plurality of trees, the training set data is used to determine which training set examples are classified as a given leaf. A blame forest is generated at least in part by mapping each training set item to the respective leaves at which it arrives.
    Type: Grant
    Filed: August 6, 2022
    Date of Patent: May 7, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: William Redington Hewlett, II, Seokkyung Chung, Lin Xu