Patents by Inventor Yasir Khalid

Yasir Khalid has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11552986
    Abstract: A non-transitory storage medium having stored thereon logic wherein the logic is executable by one or more processors to perform operations is disclosed. The operations may include parsing an object, detecting one or more features of a predefined feature set, evaluating each feature-condition pairing of a virtual feature using the one or more values observed of each of the one or more detected features, determining whether results of the evaluation of one or more feature-condition pairings satisfies terms of the virtual feature, and responsive to determining the results of the evaluation satisfy the virtual feature, performing one or more of a static analysis to determine whether the object is associated with anomalous characteristics or a dynamic analysis on the object to determine whether the object is associated with anomalous behaviors.
    Type: Grant
    Filed: June 29, 2016
    Date of Patent: January 10, 2023
    Assignee: FireEye Security Holdings US LLC
    Inventors: Gregory Templeman, Yasir Khalid
  • Patent number: 11210390
    Abstract: Techniques for efficient malicious content detection in plural versions of a software application are described. According to one embodiment, the computerized method includes installing a plurality of different versions of a software application concurrently within a virtual machine and selecting a subset of the plurality of versions of the software application that are concurrently installed within the virtual machine. Next, one or more software application versions of the subset of the plurality of versions of the software application are processed to access a potentially malicious content suspect within the virtual machine, without switching to another virtual machine. The behaviors of the potentially malicious content suspect during processing by the one or more software application versions are monitored to detect behaviors associated with a malicious attack.
    Type: Grant
    Filed: July 16, 2018
    Date of Patent: December 28, 2021
    Assignee: FireEye Security Holdings US LLC
    Inventors: Yasir Khalid, Muhammad Amin, Emily Jing, Muhammad Rizwan
  • Publication number: 20210266341
    Abstract: Systems and methods for providing automated actions in handling security threats are disclosed. The method includes receiving input data comprising one or more entities and one or more intents. The method further includes extracting the entities and the intents from the input data. In response to determining that there exists at least one actionable entity from the extracted entities, the method further includes presenting a plurality of available security actions to a user to resolve one or more security threats associated with the input data, the available security actions being respectively selectable by the user.
    Type: Application
    Filed: August 10, 2020
    Publication date: August 26, 2021
    Inventors: Anurag GURTU, Yasir KHALID
  • Patent number: 10893068
    Abstract: A computerized system and method to detect ransomware cyber-attacks is described. The approach entails analyzing the features associated with a file access event by a process operating on a computing device, to ascertain whether the process is associated with a ransomware cyber-attack.
    Type: Grant
    Filed: June 29, 2018
    Date of Patent: January 12, 2021
    Assignee: FireEye, Inc.
    Inventors: Yasir Khalid, Nadeem Shahbaz, Raghunath Konda
  • Patent number: 10834107
    Abstract: A system and method for automatically analyzing an object for malware is described. Operating one or more virtual machines, the system and method provide an analysis environment variation framework to provide a more robust analysis of an object for malware. The multi-application, multi-plugin processing framework is configured within a virtual machine, where the framework for configuring a plurality of processes for analyzing the object for malware and each of plurality of processes is configured with a different application and plug-in combination selected based in part on a type of object being analyzed and operating concurrently with each other.
    Type: Grant
    Filed: May 6, 2019
    Date of Patent: November 10, 2020
    Assignee: FireEye, Inc.
    Inventors: Sushant Paithane, Sai Omkar Vashisht, Yasir Khalid, Alexandre Pilipenko
  • Patent number: 10798121
    Abstract: According to one embodiment, a malware detection system is integrated with at least a static analysis engine and a dynamic analysis engine. The static analysis engine is configured to automatically determine an object type of a received object. The dynamic analysis engine is configured to automatically launch the object after selecting an action profile based on the object type. The dynamic analysis engine is further configured to provide simulated user interaction to the object based on the selected action profile either in response to detecting a request for human interaction or as a result of a lapse of time since a previous simulated human interaction was provided.
    Type: Grant
    Filed: December 4, 2017
    Date of Patent: October 6, 2020
    Assignee: FireEye, Inc.
    Inventors: Yasir Khalid, Sushant Paithane, Sai Vashisht
  • Patent number: 10587647
    Abstract: A testing technique tests and compares malware detection capabilities of network security devices, such as those commercially available from a variety of cyber-security vendors. Testing is conducted on test samples in a “blind” fashion, where the security devices do not know beforehand whether the test samples are “live” malware or benign network traffic. The test samples are received from a remote server and potentially represent malicious attacks against a testing network. Notably, for truly blind testing, embodiments of the testing technique employ a mixture of malware and benign test samples, as well as addressing subterfuge, to prevent the security devices from being able to reliably determine maliciousness of the test samples based on a source of any of the samples.
    Type: Grant
    Filed: November 22, 2016
    Date of Patent: March 10, 2020
    Assignee: FireEye, Inc.
    Inventors: Yasir Khalid, Nadeem Shahbaz
  • Patent number: 10581874
    Abstract: A computerized method for detecting malware associated with an object. The method includes operations of analyzing an object to obtain a first set of attributes, where the first set of attributes include one or more characteristics associated with the object. Furthermore, the object is processed with a virtual machine to obtain a second set of attributes. The second set of attributes corresponds to one or more monitored behaviors of the virtual machine during processing of the object. Thereafter, a threat index is determined based, at least in part, on a combination of at least one attribute of the first set of attributes and at least one attribute of the second set of attributes. The threat index represents a probability of maliciousness associated with the object.
    Type: Grant
    Filed: December 31, 2015
    Date of Patent: March 3, 2020
    Assignee: FireEye, Inc.
    Inventors: Yasir Khalid, Sai Omkar Vashisht, Alexander Otvagin
  • Patent number: 10445502
    Abstract: A computerized method for detecting malware is described. The method includes conducting a preliminary analysis of characteristics of an object to determine whether the object is suspicious. Responsive to determining the object is suspicious, context information from a plurality of information sources is received. The context information includes information gathered from prior analyses of the suspicious object. One or more software profiles are generated based on the context information, where the one or more software profiles are used to provision one or more virtual machines. Thereafter, the object is analyzed where the object is processed by the one or more virtual machines and results from the processing are obtained. The results identify a susceptible software environment including a susceptible software profile and one or more anomalous behaviors of the object detected during processing. The object is classified as malware and an alert is generated.
    Type: Grant
    Filed: November 17, 2017
    Date of Patent: October 15, 2019
    Assignee: FireEye, Inc.
    Inventors: Shivani Desphande, Yasir Khalid
  • Patent number: 10284575
    Abstract: A system and method for automatically analyzing an object for malware is described. Operating one or more virtual machines, the system and method provide an analysis environment variation framework to provide a more robust analysis of an object for malware. The multi-application, multi-plugin processing framework is configured within a virtual machine, where the framework generates a plurality of processes for analyzing the object for malware and each of plurality of processes is configured with a different application and plug-in combination selected based in part on a type of object being analyzed.
    Type: Grant
    Filed: November 10, 2015
    Date of Patent: May 7, 2019
    Assignee: FireEye, Inc.
    Inventors: Sushant Paithane, Sai Vashisht, Yasir Khalid, Alexandre Pilipenko, Muhammad Rizwan
  • Patent number: 10025927
    Abstract: Techniques for efficient malicious content detection in plural versions of a software application are described. According to one embodiment, the computerized method includes installing a plurality of different versions of a software application concurrently within a virtual machine and selecting a subset of the plurality of versions of the software application that are concurrently installed within the virtual machine. Next, one or more software application versions of the subset of the plurality of versions of the software application are processed to access a potentially malicious content suspect within the virtual machine, without switching to another virtual machine. The behaviors of the potentially malicious content suspect during processing by the one or more software application versions are monitored to detect behaviors associated with a malicious attack.
    Type: Grant
    Filed: April 17, 2017
    Date of Patent: July 17, 2018
    Assignee: FireEye, Inc.
    Inventors: Yasir Khalid, Muhammad Amin, Emily Jing, Muhammad Rizwan
  • Publication number: 20180048660
    Abstract: A system and method for automatically analyzing an object for malware is described. Operating one or more virtual machines, the system and method provide an analysis environment variation framework to provide a more robust analysis of an object for malware. The multi-application, multi-plugin processing framework is configured within a virtual machine, where the framework generates a plurality of processes for analyzing the object for malware and each of plurality of processes is configured with a different application and plug-in combination selected based in part on a type of object being analyzed.
    Type: Application
    Filed: November 10, 2015
    Publication date: February 15, 2018
    Inventors: Sushant Paithane, Sai Omkar Vashisht, Yasir Khalid, Alexandre Pilipenko
  • Patent number: 9846776
    Abstract: According to one embodiment, a computerized method for detecting malware is described. The method includes receiving configuration information that identifies (i) at least one type of lure data and (ii) one or more locations of a system operating within a virtual machine for placement of the lure data into the system. The lure data is configured to entice interaction of the lure data by malware associated with an object under analysis. Thereafter, the lure data is placed within the system according to the configuration information and lure data information is selectively modified. The information may include a name or content within a directory including the lure data. During processing of an object within the virtual machine, a determination is made whether the object exhibits file altering behavior based on a comparison of actions performed that are associated with the lure data and one or more known file activity patterns.
    Type: Grant
    Filed: October 31, 2016
    Date of Patent: December 19, 2017
    Assignee: FireEye, Inc.
    Inventors: Sushant Paithane, Sai Vashist, Raymond Yang, Yasir Khalid
  • Patent number: 9838417
    Abstract: According to one embodiment, a malware detection system is integrated with at least a static analysis engine and a dynamic analysis engine. The static analysis engine is configured to automatically determine an object type of a received object. The dynamic analysis engine is configured to automatically launch the object after selecting an action profile based on the object type. The dynamic analysis engine is further configured to provide simulated user interaction to the object based on the selected action profile either in response to detecting a request for human interaction or as a result of a lapse of time since a previous simulated human interaction was provided.
    Type: Grant
    Filed: December 30, 2014
    Date of Patent: December 5, 2017
    Assignee: FireEye, Inc.
    Inventors: Yasir Khalid, Sushant Paithane, Sai Vashisht
  • Patent number: 9838408
    Abstract: In an embodiment, a system, device and method for detecting a malicious attack is described. Herein, the system includes a security network device that conducts an analysis on received network traffic to detect a suspicious object associated with the network traffic and determine an identifier associated with a source of the suspicious object. Information associated with the suspicious object and/or ancillary data, including information that identifies a return path for analysis results to a customer, are uploaded to a detection cloud. The detection cloud includes provisioning logic and one or more virtual machines that are provisioned by the provisioning logic in accordance with at least a portion of the ancillary data. The provisioning logic to customize functionality of the detection cloud for a specific customer.
    Type: Grant
    Filed: May 19, 2017
    Date of Patent: December 5, 2017
    Assignee: FireEye, Inc.
    Inventors: Shrikrishna Karandikar, Muhammad Amin, Shivani Deshpande, Yasir Khalid
  • Patent number: 9824216
    Abstract: A computerized technique wherein a received object is analyzed using a plurality of information sources to determine context information, wherein one information source comprises configuration information determined from a client device. One or more software profiles are generated based on the context information in order to provision one or more virtual machines of a dynamic analysis logic system. One or more work orders are generated based on the one or more software profiles. A priority order is assigned to the one or more software profiles. A dynamic analysis is scheduled based on the work orders and the assigned priority order to determine one or more susceptible software environments, and an alert is generated comprising information to update one or more susceptible environments in real time.
    Type: Grant
    Filed: December 31, 2015
    Date of Patent: November 21, 2017
    Assignee: FireEye, Inc.
    Inventors: Yasir Khalid, Shivani Deshpande
  • Patent number: 9661009
    Abstract: In an embodiment, a system, device and method for detecting a malicious attack is described. Herein, the system includes a security network device that conducts an analysis on received network traffic to detect a suspicious object associated with the network traffic and determine an identifier associated with a source of the suspicious object. Both information associated with the suspicious object and ancillary data, including information that identifies a return path for analysis results to a customer, are uploaded to a detection cloud. The detection cloud includes provisioning logic and one or more virtual machines that are provisioned by the provisioning logic in accordance with at least a portion of the ancillary data. The provisioning logic to customize functionality of the detection cloud for a specific customer.
    Type: Grant
    Filed: July 18, 2016
    Date of Patent: May 23, 2017
    Assignee: FireEye, Inc.
    Inventors: Shrikrishna Karandikar, Muhammad Amin, Shivani Deshpande, Yasir Khalid
  • Patent number: 9626509
    Abstract: Techniques for efficient and effective malicious content detection in plural versions of a software application are described herein. According to one embodiment, multiple versions of a software application are concurrently installed within a virtual machine (VM) executed within a data processing system. For each of the versions of the software application, a corresponding one of the versions is invoked to access a malicious content suspect within the VM without switching to another VM. The behaviors of each of the versions of the software application in response to the malicious content suspect are monitored to detect anomalous behavior indicative of malicious content in the malicious content suspect during execution of any of the versions of the software application. The detected anomalous behaviors, and, associated therewith, a version number corresponding to each of the versions of the software application whose execution resulted in the anomalous behavior are stored.
    Type: Grant
    Filed: March 13, 2013
    Date of Patent: April 18, 2017
    Assignee: FireEye, Inc.
    Inventors: Yasir Khalid, Muhammad Amin, Emily Jing, Muhammad Rizwan
  • Patent number: 9483644
    Abstract: According to one embodiment, a threat detection platform is integrated with at least one virtual machine that automatically performs a dynamic analysis of a received object and monitors the processing during the dynamic analysis for a change to a file system within the virtual machine wherein the change involves a lure file placed in the file system. The file system is configured based on a received configuration file. Upon detection of a change in the file system associated with a lure file, the changes associated with the lure file during processing are compared to known file activity patterns of changes caused by file altering malware to determine whether the object includes file altering malware.
    Type: Grant
    Filed: March 31, 2015
    Date of Patent: November 1, 2016
    Assignee: FireEye, Inc.
    Inventors: Sushant Paithane, Sai Vashisht, Raymond Yang, Yasir Khalid
  • Patent number: 9432389
    Abstract: In an embodiment, a threat detection and prevention system comprises a network-traffic static analysis logic and a classification engine. The network-traffic static analysis logic is configured to conduct an analysis of a multi-flow object by analyzing characteristics of the multi-flow object and determining if the characteristics of the multi-flow object is associated with a malicious attack such as being indicative of an exploit for example. The classification engine is configured to receive results of the analysis of the multi-flow object and, based on the results of the analysis of the multi-flow object, determine whether the multi-flow object is associated with a malicious attack.
    Type: Grant
    Filed: March 31, 2014
    Date of Patent: August 30, 2016
    Assignee: FireEye, Inc.
    Inventors: Yasir Khalid, Shivani Deshpande, Muhammad Amin