Abstract: Systems and methods are described for transmitting broadcasts by Peripherals, receiving the broadcasts by Centrals, and communicating with a Backend by Centrals. Specifically, a Peripheral may generate and transmit an encrypted broadcast packet to a Central, the Central may transmit the encrypted observation information to the Backend, which may decrypt the broadcast packet. Additionally, a Central may transmit a request for authorization to connect to a Peripheral to the Backend. If authorized by the Backend, the Central may connect to the Peripheral. Further, a Central may receive a plurality of broadcasts over a period of time. The Central may store information about the broadcasts and, at the conclusion of the period of time, transmit the information about the broadcasts and the last-received broadcast to the Backend.

Abstract: A system and a method are disclosed for verifying a suspicious electronic communication. To this end, a secure communications service may detect an electronic communication comprising an identifier of a purported originator of the electronic communication and an identifier of an intended recipient, and determine that an attribute of the electronic communication corresponds to a suspicious attribute. Responsively, the service may intercept the electronic communication and storing the electronic communication in purgatory memory, so as to prevent the electronic communication from being populated in a private repository of the intended recipient, transmit a verification message, and receive a reply to the verification message that verifies the authenticity of the electronic communication.

Abstract: Systems and methods are provided herein for scheduling a season recording. A series is provided to a user device, the series having a plurality of sequential seasons, and each season having a plurality of episodes. A request for recording the series is received from the user. In response, a last episode of the series watched by the user is identified. A relevant season of the plurality of seasons is then determined, such that the relevant season precedes another season of the plurality of seasons and includes the last episode watched by the user. Then, episodes of the relevant season that follow the last episode watched by the user are scheduled for recording, such that episodes of a season that precedes the relevant season are not scheduled for recording.

Abstract: Provided is an on-device Android malware detection method based on an adaptive model through transfer learning, including: determining whether an application is malicious or unfavorable from a list of applications installed on a device; decompiling, in the device, an Android package (APK) of the application installed on the device; transmitting the determined list and the decompiled APK file to a server in order to generate a head model in the server and use the generated head model for the transfer learning with a base model; performing malware analysis in the device using a transfer learning model received from the server for an application newly installed on the device; and providing a malware analysis result to a user through the device as a result, and since the malware analysis is performed on the device, it is possible to ensure the availability and real-time performance of enabling analysis outside of a network range.

Abstract: This disclosure describes techniques for identifying the criticality of an asset in a network. In an example method, a first security metric of a first asset in a network, as well as network data that identifies data flows associated with a second asset in the network are identified. The second asset is a nearest neighbor of the first asset in the network. The method includes determining, based on the network data, a number of hosts in the network that exchanged data traffic with the second asset during a time period and generating a second security metric of the second asset based on the first security metric and the number of hosts. A security policy of the second asset is adjusted based on the security metric.

Abstract: A method includes scanning a plurality of hosts in a network to obtain risk information of each instance of vulnerability associated with each host during a period, calculating a vulnerability risk score (VRS) for each instance of the vulnerability based on the associated risk information, determining a number of vulnerabilities associated with each of the plurality of hosts during the period, obtaining a criticality score of each of the plurality of hosts, obtaining for each host, a representative VRS based at least in part on the VRS for each instance of vulnerability associated with the host, calculating a host risk score (HRS) for each host based on the representative VRS, the number of vulnerabilities and the criticality score of the host, calculating a network risk score (NRS) for the network based on the HRSs, and facilitating a security action based on the HRS for each host and the NRS.

Abstract: Systems and methods for recent file malware scanning are provided herein. In some embodiments, a security system may include a processor programmed to download one or more files; filter, by a first driver, the one or more downloaded files using a security zone identifier; scan, by the first driver, the filtered subset of one or more files for malware; store, by a second driver, a first set of information associated with each of the scanned files to indicate that each the filtered subset of one or more files have been scanned, wherein the first set of information is stored as metadata using alternative data stream (ADS) associated with each scanned file; monitor, by the second driver, changes to existing files based on the metadata stored; send instructions to rescan any existing file that has changed for malware; and update the information associated with any rescanned file's metadata using the ADS.

Abstract: A system and method for securing an application through an application-aware runtime agent can include: acquiring a code profile, instrumenting the application with a runtime agent according to the code profile, enforcing the runtime agent on the execution of the application, and responding to the runtime agent. Enforcing the runtime agent on the execution of the application can include monitoring the execution flow, which comprises of monitoring the utilization of the controls through the execution of the application; detecting a threat, which comprises identifying a section of the execution flow as a potential security threat; and regulating the execution flow to prevent or ameliorate the security threat. Responding to the runtime agent can include responding to the security threat and providing a user interface that may output runtime agent diagnostics and trigger alerts.

Abstract: A notification message is received indicating an upload of a file to a cloud service. An analysis engine (which can execute one or more machine learning models or other analysis operations) can generate information that characterizes the file which can be indicative of a level of trustworthiness for the file. In response to the generated information, each of a plurality of judges are notified to commence or revisit a judging process. In response to the notifications, the judges (which can execute one or more machine learning models or other analysis operations) retrieve the generated information and determine a respective trustworthiness score for the file. These scores can be stored in a corresponding judge database and/or data can be provided which characterizes the determined trustworthiness scores to a consuming application or process. Related apparatus, systems, techniques and articles are also described.

Abstract: Methods and systems for detecting malware by monitoring client-side memory stacks are described. A request for a payment process is received and a client-side memory stack is populated with a series of functions corresponding to the requested payment process. The execution of each function is monitored to determine whether the series of functions and an order of execution of the functions from the client-side memory stack are the same as an expected series of functions and in an expected order corresponding to the payment process. The monitoring also determines whether the number and types of parameters called by the functions are the same as the expected number and types of parameters. The monitoring further determines whether the timing of the execution of the functions is the same as an expected timing. Remedial action is performed when the any of these factors is determined to be different than what is expected.

Abstract: A method and system for detecting and analyzing internet traffic from Internet of Things (IoT) devices is presented. A network telescope is employed to collect unsolicited data packets. The data packets are analyzed to determine whether they arise from a misconfigured device or from a malicious device (darknet sanitization) or from some other source. Traffic from misconfigured devices is filtered out. The data packets from malicious devices are analyzed and a classification model is trained to classify the data packets into originating from an IoT or from a non-IoT device. The classifier is then validated on a separate set of data. The data packets originating from malicious IoT devices are further analyzed by such techniques a clustering (e.g. agglomerative hierarchical clustering), geo-location analysis, methods of attack, and coordination of attacks.

Abstract: Techniques are described for assessing container images for vulnerabilities without actually scanning the container images. A vulnerability assessment system (VAS) is described that is configured to perform vulnerabilities assessment for container images. The VAS is configured to perform the vulnerability assessment without scanning the container images. In certain embodiments, the VAS calculates a vulnerability score for the container image where the vulnerability score is indicative of a probability that the container image contains a vulnerability.

Abstract: A threat intelligence gateway (TIG) may protect TCP/IP networks from network (e.g., Internet) threats by enforcing certain policies on in-transit packets that are crossing network boundaries. The policies may be composed of packet filtering rules with packet-matching criteria derived from cyber threat intelligence (CTI) associated with Internet threats. These CTI-derived packet-filtering rules may be created offline by policy creation and management servers, which may distribute the policies to subscribing TIGs that subsequently enforce the policies on in-transit packets. Each packet filtering rule may specify a disposition that may be applied to a matching in-transit packet, such as deny/block/drop the in-transit packet or pass/allow/forward the in-transit packet, and also may specify directives that may be applied to a matching in-transit packet, such as log, capture, spoof-tcp-rst, etc.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for pathogen detection. One of the methods includes providing, to a classifier, sensor data for a physical area, at a property, to cause the classifier to generate output data using the sensor data; receiving, from the classifier, the output data that indicates whether a pathogen was likely detected; detecting, using the output data, a likely pathogen in the physical area; determining whether to provide an alert given the detection of the likely pathogen; and in response to determining whether to provide the alert given the detection of the likely pathogen, selectively providing, to a device, the alert to cause the device to present the alert or determining to skip providing the alert.

Abstract: Examples of file analytics systems are described that may obtain metadata data and events data from a virtualized file server. The file analytics systems may detect one or more events from the events data matching a criteria indicating malicious activity. The file analytics systems may validate the detection of malicious activity. The validation may be performed by comparing the file type, such as the MIME type, of sample files before and after the suspected malicious activity. The systems may recover a share of the distributed file server including the one or more affected files by replacing the one or more affected files with stored versions of the one or more affected files from a snapshot of the share taken prior to the detected malicious activity.

Abstract: Methods, systems, and storage media for generating polls in an end-to-end encrypted messaging platform are disclosed. Exemplary implementations may: initiate, by an initiator, a poll comprising a poll name, an ending time, and response choices; generate a message to a group of users regarding the poll; for each user of the group of users, generate a key pair comprising a chain key and a signature key; receive, from a user of the group of users, a selection comprising at least one of the response choices; and cause display of the selection through the poll.

Abstract: A method for characterizing application layer denial-of-service (DDoS) attacks comprises generating a plurality of dynamic applicative signatures by analyzing at the application layer application layer requests received during an on-going DDoS attack, a dynamic applicative signature characterizing each received request based on frequent application layer attributes appearing in the received requests, wherein the requests are represented as a set of paraphrases, each paraphrase representing a specific aspect of a request's structure, the frequent application layer attributes being determined based on frequency of paraphrases in the set; characterizing each of the received requests based on one of the dynamic applicative signatures, the characterization providing an indication for each request whether a request is generated by an attack tool executing the on-going DDoS attack; and causing a mitigation action on the received request generated by the attack tool based on the generated dynamic applicative signatur

Abstract: The present invention provides an information security incident diagnosis system for assisting in detecting whether a target network system has been hacked. First, a plurality of activities records of one or more computing devices in a target network system are collected. Then, a discrete space metric tree is generated according to the plurality of activities records, and a clustering operation is performed on the discrete space metric tree to generate one or more event clusters associated with one or more suspicious event categories. Each event cluster may form a guide tree corresponding to the event cluster through single linkage clustering analysis to indicate a merging order from high to low similarity. The merging order is used for recursively performing a graph generating operation to convert a plurality of activities records corresponding to the one or more event clusters into a hierarchical directed acyclic graph (HDAG).

Abstract: The disclosed embodiments relate to a cyber threat information processing apparatus, a cyber threat information processing method, and a storage medium storing a cyber threat information processing program. A disclosed embodiment provides a cyber threat information processing method including: a step to classify at least one executable file into a set of code blocks corresponding to at least one malware by performing conversion of such executable file and provide the classified set of block codes; a step to select one or more code blocks included in the classified set of code blocks and generate a new set of code blocks by combining such selected code blocks; and a step to predict new malware based on the set of code blocks generated as above and provide information about the new malware predicted.

Abstract: Systems and methods for detecting malicious behavior in a network by analyzing process interaction ratios (PIRs) are provided. According to one embodiment, information regarding historical process activity is maintained. The historical process activity includes information regarding various processes hosted by computing devices of a private network. Information regarding process activity within the private network is received for a current observation period. For each process, for each testing time period of a number of testing time periods within the current observation period, a PIR is determined based on (i) a number of unique computing devices that hosted the process and (ii) a number of unique users that executed the process. A particular process is identified as potentially malicious when a measure of deviation of the PIR of the particular process from a historical PIR mean of the particular process exceeds a pre-defined or configurable threshold during a testing time period.

Abstract: A computerized method and system for mobile application clip detection and capturing on a mobile computing device includes receiving a user consent for capturing screen content by a content capture executable. The method and system includes executing the content capture executable in a background and monitoring processing operations in a foreground of the mobile computing device. Upon detecting capturable content from a application executable executing in the foreground, buffering screen content in a first memory device for a first period of time. The method and system includes executing the content capture executable in the foreground, including receiving a clip generation command from the user and generating a content clip from at least a portion of the screen content in the first memory device. Therein, in response to a clip distribution command, the clip is distributed across a networked connection.

Abstract: Programmable devices, hierarchical parallel machines and methods for providing state information are described. In one such programmable device, programmable elements are provided. The programmable elements are configured to implement one or more finite state machines. The programmable elements are configured to receive an N-digit input and provide a M-digit output as a function of the N-digit input. The M-digit output includes state information from less than all of the programmable elements. Other programmable devices, hierarchical parallel machines and methods are also disclosed.

Abstract: A trusted component is suggested to be added to off the shelf computing systems such as PCs or smartphone providing secure functions for access management and credential protection—safe authentication, maintaining session integrity and validation of content modification. An additional advantage of the solution that it detects malware/hacking attempts on first try allowing of taking action while oblivious to the malware/hacker to avoid retaliation. The trusted component may be any type of computing system that could be regarded trusted.

Abstract: A method and system for generating anomaly-detection rules for communication protocols are provided. The method includes receiving communication data; constructing at least one N-gram from the received communication data; analyzing the at least one N-gram by comparing the constructed at least one N-gram with a repository of N-gram analyses to identify conditional probabilities of certain characteristics; and generating anomaly-detection rules based on the N-gram analysis.

Abstract: Systems and methods for formatting data are disclosed. For example, a system may include at least one memory storing instructions and one or more processors configured to execute the instructions to perform operations. The operations may include receiving data comprising a plurality of sequences of data values and training a recurrent neural network model to output conditional probabilities of subsequent data values based on preceding data values in the data value sequences. The operations may include generating conditional probabilities using the trained recurrent neural network model and the received data. The operations may include determining a data format of a subset of the data value sequences, based on the generated conditional probabilities, and reformatting at least one of the data value sequences according to the determined data format.

Abstract: In an approach for smart test data workload generation, a processor receives a plurality of expected image frames for a user interface application to be tested. The plurality of expected image frames is pre-defined and represents a series of workflows and operations of the user interface application to be expected based on a design requirement. A processor calculates a first set of hash-values for each corresponding expected image frame. A processor samples the user interface application with a frequency to a plurality of testing image frames during a test run on the user interface application. A processor calculates a second set of hash-values for each sampled testing image frame. A processor compares the first set of hash-values to the second set of hash-values. A processor verifies that the second set of hash-values matches the first set of hash-values.

Abstract: Provided is a gateway device capable of reducing influence on intra-vehicle network communication from a cyber security attack that infringes availability represented by a DoS attack from an extra-vehicle network.

Abstract: The communication control apparatus (10) performs a receiving process, a counting process, and a determination process. The receiving process is a process for receiving a request packet to query a predetermined server. The counting process is a process for counting, based on a source address of the request packet, in multiple stages corresponding to different ranges of address areas that include the source address. The determination process is a process for determining an address area corresponding to a stage, from the multiple stage, in which a count value by the counting process exceeds a predetermined threshold value as an unauthorized access address area.

Abstract: A behavioral monitor executing in user space generates a plurality of filters corresponding to a plurality of processes executing in the user space. A first process transmits a system call to a corresponding filter of the plurality of filters in kernel space. The first process receives a signal from the corresponding filter. The first process analyzes the arguments submitted in the system call. The first process determines that the arguments may be associated with malicious activity. The first process generates an event and transmitting the event to the behavioral monitor. The behavioral monitor analyzes the event to determine whether the event is associated with malicious activity. The behavioral monitor causes a process group associated with the first process to cease executing and restores a previous version of the at least one file modified by the process group.

Abstract: A computer-implemented method of managing computer vulnerabilities is disclosed. The method comprises detecting one or more processes running on a particular computing system during a particular period of time including now; and determining a set of active vulnerabilities that are associated with the one or more processes from a plurality of vulnerabilities. The method also comprises determining, for each vulnerability of the set of active vulnerabilities, context metadata related to a process or an application associated with the vulnerability, including how often the application has been executed, for how long the process has run, or when in the particular period of time the process was, is, or will be running. The method further comprises ranking the set of active vulnerabilities based on the context metadata for each active vulnerability to obtain a ranked order; and transmitting information related to the ranking to a device.

Abstract: An embodiment includes a method of application vulnerability assessment and prioritization. The method includes ingesting modelling data from data sources for application vulnerabilities. The method includes transforming at least a portion of the modelling data to covariate vectors. The method includes extracting keywords and phrases from the modelling data and statistically measuring relevance of files of the modelling data based on the extracted keywords and phrases. The method includes generating threat levels of the application vulnerabilities based on the covariate vectors and the measured relevance. The method includes outputting the threat levels to a network management system. The method includes implementing, at a first endpoint device of the network, a first patch to address one of the application vulnerabilities.

Abstract: The technology disclosed prevents phishing attacks where a malicious attacker creates a malicious file in a cloud-based store and shares it with endpoint users. A user, opening the shared document, is redirected to a malicious website where a corporation's critical data may be compromised. The cloud-based method applies a set of rules and policies to allow the shared document or block the shared document from the network, based on identifying the ownership or originator of the shared document. Documents from blacklisted websites are blocked. Documents from trusted sources are allowed access to the network. Unknown documents are blocked and threat-scanned to determine if they contain malicious content. If analysis proves a blocked document to be safe, it may be released into the network along with subsequent documents having the same ownership or originator.

Abstract: Aspects of the disclosure relate to dynamically controlling access to linked content in electronic communications. A computing platform may receive, from a user computing device, a request for a uniform resource locator associated with an email message and may evaluate the request using one or more isolation criteria. Based on evaluating the request, the computing platform may identify that the request meets at least one isolation condition associated with the one or more isolation criteria. In response to identifying that the request meets the at least one isolation condition associated with the one or more isolation criteria, the computing platform may initiate a browser mirroring session with the user computing device to provide the user computing device with limited access to a resource corresponding to the uniform resource locator associated with the email message.

Abstract: Disclosed are a message sending method and apparatus. The method includes: a front-end device receiving a message preview instruction and sending the message preview instruction to a server; the server determining, on the basis of the message preview instruction, whether a message currently corresponding to a message type satisfies a sending rule, and if so, making an electronic message correspond to the message type, and sending the electronic message to the front-end device; the front-end device outputting and displaying the electronic message for a user to view; and the user triggering a message sending instruction after confirming same, so as to complete the sending of the electronic message.

Abstract: The described technology is generally directed towards secure collaborative processing of private inputs. A secure execution engine can process encrypted data contributed by multiple parties, without revealing the encrypted data to any of the parties. The encrypted data can be processed according to any program written in a high-level programming language, while the secure execution engine handles cryptographic processing.

Abstract: In general, in one aspect, a method includes receiving software code with an invalid characteristic, repeatedly attempting to execute the software code with the invalid characteristic on a device, and in response to successful execution of the software code with the invalid characteristic, taking an action. The action may include an action to remediate the device.

Abstract: Examples of the present disclosure describe systems and methods for a behavioral threat detection virtual machine. In examples, the virtual machine executes a rule comprising rule instructions. A rule may comprise one or more wait rule instructions that causes the virtual machine to pause execution. As events are added to an event queue for the rule virtual machine, the behavioral threat detection virtual machine evaluates such events in order to identify a positive or, in some instances, a negative match. When a matching event is identified, rule execution resumes. Eventually, a determination is made as a result of processing events and wait packets, thereby indicating the presence or absence of a malicious or potentially malicious behavior, among other examples. Thus, among other things, the behavioral threat detection virtual machine maintains a state associated with rule execution and processes events to identify behaviors accordingly.

Abstract: A method and network are provided for monitoring a network during a DDoS attack. The method includes establishing a flow record for flows designated for tarpitting and a state machine, each state of multiple states of the state machine having an associated handler function. The handler function associated with a current state of a state machine associated with a flow is invoked to perform one or more actions associated with the flow or the flow record for applying at least one tarpitting technique of one or more candidate tarpitting techniques associated with the flow record, and return a next state, which is used to update the current state of the state machine. The handler function associated with the current state of the state machine is repeatedly invoked, wherein each invocation of the handler function potentially applies different tarpitting techniques.

Abstract: A method including receiving, by a security device from a network device, an initial security instruction set including a plurality of initial security instructions associated with operation of the security device; receiving, by the security device from the network device, an event signal associated with the security device carrying out a network-facing operation; transmitting, by the security device to the network device based on receiving the event signal, a security instruction associated with the security device carrying out the network-facing operation, the security instruction being from among the plurality of initial security instructions; receiving, by the security device from the network device based on transmitting the security instruction, communication information to enable the security device to carry out the network-facing operation; and carrying out, by the security device, the network-facing operation based on utilizing the communication information is disclosed.

Abstract: Method of detecting malware in a computer storage medium is described. The method involves connecting the computer storage medium to an air-gapped anti-malware device. Scanning the computer storage medium for malware.

Abstract: This application discloses a cyber threat deception method and system, and a forwarding device. The forwarding device obtains a deception target set, where the deception target set includes a deception target, and the deception target includes an unused internet protocol (IP) address or an unopened port number on a used IP address. The forwarding device receives an IP packet from a host, and determines whether a destination party that the IP packet requests to access belongs to the deception target set. If the destination party that the IP packet requests to access belongs to the deception target set, the forwarding device sends the IP packet to a honeypot management server. The forwarding device receives a response packet, returned by the honeypot management server, of the corresponding IP packet. The forwarding device sends the response packet to the host.

Abstract: A system and method for detecting malware using hierarchical clustering analysis. Unknown files classified by clustering and in view of known malicious and known safe files. Machine learning models and detection rules are used to enhance classification accuracy.

Abstract: An endpoint computer is protected from malicious distributed configuration profiles. The endpoint computer receives a distributed configuration profile over a computer network. Before installation of the distributed configuration profile in the endpoint computer, features of the distributed configuration profile are used to traverse a supervised decision tree. A rating score is generated based on weights of nodes of the supervised decision tree that are traversed using the features of the distributed configuration profile. The distributed configuration profile is detected to be malicious based at least on the rating score.

Abstract: Methods and apparatus consistent with the present disclosure may be used after a computer network has been successfully attacked by new malicious program code. Such methods may include collecting data from computers that have been affected by the new malicious program code and this data may be used to identify a type of damage performed by the new malicious code. The collected data may also include a copy of the new malicious program code. Methods consistent with the present disclosure may also include allowing the new malicious program code to execute at an isolated computer while actions and instructions that cause the damage are identified. Signatures may be generated from the identified instructions after which the signatures or data that describes the damaging actions are provided to computing resources such that those resources can detect the new malware program code.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for machine learning. One of the methods includes receiving a message including an attachment document; determining one or more first features from content of the attachment document; providing the first features to one or more classification models, the one or more classification models including a machine learning model, wherein the machine learning model is trained to generate a prediction of one or more classifications of attachment documents based on input features; generating one or more predicted classifications of the attachment document; and associating the one or more predicted classifications with the attachment document.

Abstract: Disclosed herein are an apparatus and method for detecting violation of control flow integrity. The apparatus includes memory for storing a program and a processor for executing the program, wherein the processor multiple branch identifier registers to which identifiers of branch targets are written, a set branch identifier instruction configured to command an identifier of a branch target to be written to a branch identifier register at a predetermined sequence number, among the multiple branch identifier registers, and a check branch identifier instruction configured to command a signal indicating detection of a control flow hijacking attack to be issued based on whether a value written to the branch identifier register at the predetermined sequence number is identical to a value of an identifier of a branch target at the predetermined sequence number, wherein the program detects whether a control flow is hijacked based on the multiple branch identifier registers.

Abstract: Methods and systems disclosed herein describe obfuscating plaintext cryptographic material stored in memory. A random location in an obfuscation buffer may be selected for each byte of the plaintext cryptographic material. The location of each byte of the plaintext cryptographic material may be stored in a position tracking buffer. To recover the scrambled plaintext cryptographic material, the location of each byte of the plaintext cryptographic material may be read from the position tracking buffer. Each byte of the plaintext cryptographic material may then be read from the obfuscation buffer and written to a temporary buffer. When each byte of the plaintext cryptographic material is recovered, the plaintext cryptographic material may be used to perform one or more cryptographic operations. The scrambling techniques described herein reduce the likelihood of a malicious user recovering plaintext cryptographic material while stored in memory.

Abstract: The present disclosure relates generally to systems and methods for providing dynamic access levels based upon permitted provision of client system data. In particular, proactive blocking of access to protected systems/services may be implemented when client system electronic data provision requirements of the protected systems/services are not met.

Abstract: A non-transitory processor-readable medium storing code representing instructions to cause a processor to perform a process includes code to cause the processor to receive a set of indications of allowed behavior associated with an application. The processor is also caused to initiate an instance of the application within a sandbox environment. The processor is further caused to receive, from a monitor module associated with the sandbox environment, a set of indications of actual behavior of the instance of the application in response to initiating the instance of the application within the sandbox environment. The processor is also caused to send an indication associated with an anomalous behavior if at least one indication from the set of indications of actual behavior does not correspond to an indication from the set of indications of allowed behavior.

Abstract: Examples of the present disclosure describe systems and methods of automatic inline detection based on static data. In aspects, a file being received by a recipient device may be analyzed using an inline parser. The inline parser may identify sections of the file and feature vectors may be created for the identified sections. The feature vectors may be used to calculate a score corresponding to the malicious status of the file as the information is being analyzed. If a score is determined to exceed a predetermined threshold, the file download process may be terminated. In aspects, the received files, file fragments, feature vectors and/or additional data may be collected and analyzed to build a probabilistic model used to identify potentially malicious files.