Patents by Inventor Yichong Lin

Yichong Lin has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10769001
    Abstract: Process states of computing devices may be obtained and processed. Process event information of a computing device may be obtained. The process event information may characterize states of processes of the computing device. The process event information may be stored within a queue. Graph information may be determined based on the process event information within the queue. The graph information may characterize states of processes of the computing device using nodes and edges. The graph information may be stored within a graph database.
    Type: Grant
    Filed: March 21, 2018
    Date of Patent: September 8, 2020
    Assignee: DiDi Research America, LLC
    Inventors: Dong Li, Huaiyu Zhu, Jing Chen, Michael Lin, Shray Kapoor, Yichong Lin
  • Patent number: 10747591
    Abstract: Process states of computing devices may be collected for processing. Process event information of a first computing device may be determined based on an observation of process creation events and process termination events, a garbage collection, and a process scan. The process event information may be provided to a second computing device.
    Type: Grant
    Filed: March 21, 2018
    Date of Patent: August 18, 2020
    Assignee: DiDi Research America, LLC
    Inventors: Dong Li, Huaiyu Zhu, Jing Chen, Michael Lin, Shray Kapoor, Yichong Lin
  • Publication number: 20190294482
    Abstract: Process states of computing devices may be obtained and processed. Process event information of a computing device may be obtained. The process event information may characterize states of processes of the computing device. The process event information may be stored within a queue. Graph information may be determined based on the process event information within the queue. The graph information may characterize states of processes of the computing device using nodes and edges. The graph information may be stored within a graph database.
    Type: Application
    Filed: March 21, 2018
    Publication date: September 26, 2019
    Inventors: Dong LI, Huaiyu ZHU, Jing CHEN, Michael LIN, Shray KAPOOR, Yichong LIN
  • Publication number: 20190294481
    Abstract: Process states of computing devices may be collected for processing. Process event information of a first computing device may be determined based on an observation of process creation events and process termination events, a garbage collection, and a process scan. The process event information may be provided to a second computing device.
    Type: Application
    Filed: March 21, 2018
    Publication date: September 26, 2019
    Inventors: Dong LI, Huaiyu ZHU, Jing CHEN, Michael LIN, Shray KAPOOR, Yichong LIN
  • Patent number: 10192052
    Abstract: According to one embodiment, a computerized method comprises conducting a first static scan on content within a file. Thereafter, if the first static scan did not result in the file being classified as malicious, the file is deconstructed to gain access to one or more objects within the file. A second static scan associated with the one or more objects is performed to determine whether the one or more objects are suspected of including malware. The file may then be classified as malicious based on results of the second static scan.
    Type: Grant
    Filed: September 30, 2013
    Date of Patent: January 29, 2019
    Assignee: FireEye, Inc.
    Inventors: Abhishek Singh, Yichong Lin, Angshuman Mukherjee, Zheng Bu
  • Patent number: 10140451
    Abstract: A method is provided in one example embodiment and includes initiating an execution of a compiled script, evaluating a function called in the compiled script, detecting an execution event based on at least a first criterion, and storing information associated with the execution event in an execution event queue. The method also includes verifying a correlation signature based on information associated with at least one execution event in the execution event queue. In specific embodiments, the method includes evaluating an assignment statement of a script during compilation of the script by a compiler, detecting a compilation event based on at least a second criterion, and storing information associated with the compilation event in a compilation event queue. In yet additional embodiments, the verification of the correlation signature is based in part on information associated with one or more compilation events in the compilation event queue.
    Type: Grant
    Filed: January 16, 2014
    Date of Patent: November 27, 2018
    Assignee: McAfee, LLC.
    Inventors: Chong Xu, Bing Sun, Navtej Singh, Yichong Lin, Zheng Bu
  • Patent number: 10133863
    Abstract: A method for determining a zero-day attack by an electronic device is described. According to one embodiment, the method comprises instantiating, by the electronic device, at least one virtual machine, the at least one virtual machine being based on a fortified software profile. The method further comprises executing content capable of behaving as an exploit on the at least one virtual machine, and determining that the exploit is associated with a zero-day exploit when the exploit, upon execution of the content on the at least one virtual machine, performs an undesired behavior.
    Type: Grant
    Filed: June 24, 2013
    Date of Patent: November 20, 2018
    Assignee: FireEye, Inc.
    Inventors: Zheng Bu, Yichong Lin
  • Patent number: 9594912
    Abstract: According to one embodiment, a threat detection system is integrated with at least a dynamic analysis engine. The dynamic analysis engine is configured to automatically detect a function call by an application, responsive to detecting the function call, analyze contents located at one or more addresses located within a portion of memory allocated for the application, and, based on the analysis, determine whether one or more objects included in received network traffic is associated with a return-oriented programming (ROP) exploit.
    Type: Grant
    Filed: June 20, 2014
    Date of Patent: March 14, 2017
    Assignee: FireEye, Inc.
    Inventors: Emmanuel Thioux, Yichong Lin
  • Publication number: 20150363598
    Abstract: A method is provided in one example embodiment and includes initiating an execution of a compiled script, evaluating a function called in the compiled script, detecting an execution event based on at least a first criterion, and storing information associated with the execution event in an execution event queue. The method also includes verifying a correlation signature based on information associated with at least one execution event in the execution event queue. In specific embodiments, the method includes evaluating an assignment statement of a script during compilation of the script by a compiler, detecting a compilation event based on at least a second criterion, and storing information associated with the compilation event in a compilation event queue. In yet additional embodiments, the verification of the correlation signature is based in part on information associated with one or more compilation events in the compilation event queue.
    Type: Application
    Filed: January 16, 2014
    Publication date: December 17, 2015
    Applicant: MCAFEE, INC.
    Inventors: Chong XU, Bing SUN, Navtej SINGH, Yichong LIN, Zheng BU
  • Publication number: 20140380473
    Abstract: A method for determining a zero-day attack by an electronic device is described. According to one embodiment, the method comprises instantiating, by the electronic device, at least one virtual machine, the at least one virtual machine being based on a fortified software profile. The method further comprises executing content capable of behaving as an exploit on the at least one virtual machine, and determining that the exploit is associated with a zero-day exploit when the exploit, upon execution of the content on the at least one virtual machine, performs an undesired behavior.
    Type: Application
    Filed: June 24, 2013
    Publication date: December 25, 2014
    Inventors: Zheng Bu, Yichong Lin
  • Publication number: 20130074143
    Abstract: A method is provided in one example embodiment that includes receiving event information associated with reports from sensors distributed throughout a network environment and correlating the event information to identify a threat. A customized security policy based on the threat may be sent to the sensors.
    Type: Application
    Filed: September 15, 2011
    Publication date: March 21, 2013
    Inventors: Zheng Bu, Rahul Chander Kashyap, Yichong Lin, Denys Lok Hang Ma