Intrusion Detection Patents (Class 726/23)

Patent number: 11620384
Abstract: A system and method (referred to as the system) detect malware by training a rule-based model, a functional-based model, and a deep learning-based model from a memory snapshot of a malware-free operating state of a monitored device. The system extracts a feature set from a second memory snapshot captured from an operating state of the monitored device and processes the feature set by the rule-based model, the functional-based model, and the deep learning-based model. The system identifies instances of malware on the monitored device without processing data identifying an operating system of the monitored device, data associated with a prior identification of the malware, data identifying a source of the malware, data identifying a location of the malware on the monitored device, or any operating system specific data contained within the monitored device.
Type: Grant
Filed: August 2, 2019
Date of Patent: April 4, 2023
Assignee: UT-BATTELLE, LLC
Inventors: Jared M. Smith, Rachel L. Petrik, Berat E. Arik

Patent number: 11620380
Abstract: A method for preventing ransomware attacks on a computing system. By controlling the access to a calling interface through which cryptographic functions, such as the random number generator, can be accessed to generate strong encryption keys, the method allows to efficiently terminate cryptographic ransomware attacks on the system before they can start doing any damage. If the access to the cryptographic functions, such as the random number generator, is not granted, the ransomware is unable to build a strong encryption key, and it is unable to deploy its intended effect.
Type: Grant
Filed: June 24, 2019
Date of Patent: April 4, 2023
Assignee: UNIVERSITÉ DU LUXEMBOURG
Inventors: Ziya Alper Genc, Gabriele Lenzini, Peter Yvain Anthony Ryan

Patent number: 11621977
Abstract: A method for extracting, correlating, consolidating and presenting metadata from transmissions is provided. The method may include receiving a TCP/IP transmission. The transmission may include a header and a body. The method may include extracting an originating IP address from a location of the transmission. The location may be in the header or in the body. The IP address may be extracted in binary form. The method may include determining an accuracy and validity metric of the transmission using an artificial intelligence module. The method may include converting the extracted IP address from binary form into hexadecimal form. The method may include embedding the hexadecimal form of the IP address into one or more unused options of the header. The method may include processing the transmission. The processing may be completed upon determination that the transmission is a valid transmission.
Type: Grant
Filed: November 11, 2021
Date of Patent: April 4, 2023
Assignee: Bank of America Corporation
Inventors: Manu Kurian, Jayachandra Varma, Gopikrishna Nemalikanti, Jason T. Findley, Sorin Cismas

Patent number: 11615338
Abstract: A system and method generating a database of tuple addresses associated with a computer program, the method comprising fetching from a repository of sample files a sample file suitable for running by the computer program, and performing dynamic learning of the sample file to obtain tuple addresses used by the computer program in loading of the sample file, the dynamic learning comprising, while loading of the sample file by the computer program, monitoring loaded processes and modules, for each loaded process, tracing process branches, upon identification of a mispredicted branch, getting an address tuple of the mispredicted branch, and identifying a module to which the tuple belongs based on the module's base address.
Type: Grant
Filed: July 24, 2017
Date of Patent: March 28, 2023
Assignee: BITDAM LTD.
Inventors: Maor Hizkiev, Liron Barak, Alex Livshiz, Ran Regenstreif

Patent number: 11616798
Abstract: An anomaly detection model is trained to detect malicious traffic sessions with a low rate of false positives. A sample feature extractor extracts tokens corresponding to human-readable substrings of incoming unstructured payloads in a traffic session. The tokens are correlated with a list of malicious traffic features, and frequent malicious traffic features across the traffic session are aggregated into a feature vector of malicious traffic feature frequencies. An anomaly detection model trained on feature vectors for unstructured malicious traffic samples predicts the traffic session as malicious or unclassified. The anomaly detection model is trained and updated based on its ongoing false positive rate, and malicious traffic features in the list of malicious traffic features that result in a high false positive rate are removed.
Type: Grant
Filed: August 21, 2020
Date of Patent: March 28, 2023
Assignee: Palo Alto Networks, Inc.
Inventors: Stefan Achleitner, Chengcheng Xu

Patent number: 11616795
Abstract: Methods, apparatus, systems, and articles of manufacture for detecting anomalous activity of an IoT device are disclosed. An example apparatus includes a communications aggregator to aggregate communications from a device communicating via a communications interface, a statistical property extractor to extract statistical properties of the aggregated communications, an image generator to generate an image based on the extracted statistical properties, a persona identifier to identify a persona associated with the device, and a machine learning model trainer to train a machine learning model using the generated image and the persona.
Type: Grant
Filed: August 23, 2019
Date of Patent: March 28, 2023
Assignee: McAfee, LLC
Inventors: Ameya Sanzgiri, Yi Zheng

Patent number: 11616805
Abstract: A computer-implemented method at a data management system comprises receiving, at the system, a write made to a virtual machine from a virtual machine host; computing, at the system, a fingerprint of the transmitted write; comparing, at the system, the computed fingerprint to malware fingerprints in a malware catalog; repeating the computing and comparing; and disabling the virtual machine if a number of matches from the comparing breaches a predetermined threshold over a predetermined amount of time.
Type: Grant
Filed: January 28, 2020
Date of Patent: March 28, 2023
Assignee: Rubrik, Inc.
Inventors: Abhay Mitra, Vijay Karthik, Vivek Sanjay Jain, Avishek Ganguli, Arohi Kumar, Kushaagra Goyal, Christopher Wong

Patent number: 11611586
Abstract: A system and method is provided for detecting a suspicious process in an operating system environment. In an exemplary aspect, a method comprises generating, by a hardware processor, a file honeypot in a directory in a file system and receiving a directory enumeration request from a process executing in the operating system environment. The method comprises determining whether the process is identified in a list of trusted processes and, in response to determining that the process is not in the list of trusted processes, providing, to the process by the file system, a file list including the file honeypot responsive to the directory enumeration request. The method further comprises intercepting, by a file system filter driver, a file modification request for the file honeypot from the process, and identifying the process as a suspicious object responsive to intercepting the file modification request from the process.
Type: Grant
Filed: February 2, 2021
Date of Patent: March 21, 2023
Assignee: Acronis International GmbH
Inventors: Vladimir Strogov, Alexey Dod, Alexey Kostyushko, Valeriy Chernyakovsky, Serguei Beloussov, Sergey Ulasen, Stanislav Protasov

Patent number: 11609987
Abstract: Examples of the present disclosure describe systems and methods for providing advanced file modification heuristics. In aspects, software content is selected for monitoring. The monitoring comprises determining when the software content performs file accesses that are followed by read and/or write operations. The read/write operations are analyzed in real time to determine whether the software content is modifying file content. If the monitoring indicates the software content is modifying accessed files, mathematical calculations are applied to the read/write operations to determine the nature of the modifications. Based on the determined nature of the file modifications, the actions of the software content may be categorized and halted prior to completion, thereby mitigating malicious cyberattacks and/or unauthorized accesses.
Type: Grant
Filed: December 11, 2020
Date of Patent: March 21, 2023
Assignee: Webroot, Inc.
Inventors: Eric Klonowski, Sesha Sailendra Chetlur

Systems and methods for detecting and filtering function calls within processes for malware behavior
Patent number: 11604674
Abstract: Systems and methods for monitoring a process are provided. An example method commences with providing a management platform. The management platform is configured to receive user rules for processing at least one function call within the process. A high-level script can be used based on the user rules to develop and install at least one library to execute synchronously within the process. The at least one library can be configured to monitor the process for at least one function call and capture argument values of the function call before the argument values are passed to a function. The at least one library can filter the function call based at least in part on the argument values. The method can continue with selectively creating an API event for execution by a dedicated worker thread. The execution of the API event is performed asynchronously with regard to the process.
Type: Grant
Filed: September 4, 2020
Date of Patent: March 14, 2023
Assignee: Elasticsearch B.V.
Inventors: Gabriel D. Landau, Joseph W. Desimone

Patent number: 11606270
Abstract: Techniques for enabling secure access to data using data blocks are described. Computing device(s) can provide instruction(s) to a component associated with an entity, wherein the instruction(s) are associated with an identifier corresponding to a data block of a plurality of data blocks. The computing device(s) can receive, from the component, data associated with the component, wherein the data is associated with the identifier and is indicative of a state of the component. The computing device(s) can store the data in the data block and monitor, using rule(s), changes to the state of the component based at least partly on the data in the data block. As a result, techniques described herein enable near real-time—and in some examples, automatic—reporting and/or remediation for correcting changes to the state of the component using data that is securely accessed by use of data blocks.
Type: Grant
Filed: April 19, 2021
Date of Patent: March 14, 2023
Assignee: CloudFit Software, LLC
Inventors: Chad Campbell, Carroll Wayne Moon, Christopher James Carlson, Jeremy David Sublett, Paul O'Hara, David Ray Garza, David James Weatherford, Jason Aaron Graham, Jon Matthew Loflin, Kyle Wagner

Patent number: 11606373
Abstract: A cyber defense system using models that are trained on a normal behavior of email activity and user activity associated with an email system. A cyber-threat module may reference the models that are trained on the normal behavior of email activity and user activity. A determination is made of a threat risk parameter that factors in the likelihood that a chain of one or more unusual behaviors of the email activity and user activity under analysis fall outside of a derived normal benign behavior. An autonomous response module can be used, rather than a human taking an action, to cause one or more autonomous rapid actions to be taken to contain the cyber-threat when the threat risk parameter from the cyber-threat module is equal to or above an actionable threshold.
Type: Grant
Filed: February 19, 2019
Date of Patent: March 14, 2023
Assignee: Darktrace Holdings Limited
Inventors: Matthew Dunn, Matthew Ferguson, Matthew Sherwin

Patent number: 11606369
Abstract: Systems, methods, and computer-readable media for performing threat remediation through a switch fabric of a virtualized network environment. Data traffic passing into a virtualized network environment including a plurality of virtual machines running on a switch fabric is monitored. A network threat introduced through at least a portion of the data traffic is identified at the switch fabric. One or more remedial measures are performed in the network environment based on the identification of the network threat in the virtualized network environment.
Type: Grant
Filed: March 20, 2020
Date of Patent: March 14, 2023
Assignee: Cisco Technology, Inc.
Inventors: Balaji Sundararajan, Gaurang Rajeev Mokashi, Preety Mordani, Vivek Agarwal

Patent number: 11606300
Abstract: A network address assigned to a virtual network interface of a packet transformation node of a flow management service is identified. A packet of a particular network flow associated with an application implemented at an isolated virtual network is sent to the network address. Using a rewrite directive generated at a rewriting decisions node of the service and cached at the packet transformation node, a transformed packet corresponding to a packet received at the packet transformation node is generated and transmitted to a destination.
Type: Grant
Filed: April 9, 2020
Date of Patent: March 14, 2023
Assignee: Amazon Technologies, Inc.
Inventor: Colm MacCarthaigh

Patent number: 11606368
Abstract: A method including: establishing an internal swarm intelligence network including security agent modules of a plurality of interconnected network nodes of a local computer network, collecting data related to the respective network nodes, sharing information based on the collected data in the established internal swarm intelligence network, and using the collected data and information received from the internal swarm intelligence network for generating and adapting models related to the respective network nodes. In case a new threat is identified, the threat is verified and contained, a new threat model is generated and the generated new threat model is shared. The security alert and/or the generated new threat model is transmitted to a security service network for enabling the security service network to share the received security alert and/or the new threat model.
Type: Grant
Filed: November 11, 2019
Date of Patent: March 14, 2023
Assignee: Withsecure Corporation
Inventors: Matti Aksela, Mika Stahlberg

Patent number: 11601444
Abstract: A device for verifying previous determinations from cybersecurity devices comprising a processor and a storage device communicatively coupled to the processor. The storage device comprises submission analysis logic including object parsing logic to receive submission message data and then parse the submission message data into object data, along with workflow selector logic to receive the object data and process the object data to select at least one analyzer within analyzer logic. The analyzer logic can generate at least one analyzer based on the selected analyzer within the workflow selector logic, analyze the object data for potential threats and embedded object data, generate results data based on that analysis, and pass the embedded object data back to the workflow selector for further analysis. Finally, the submission analysis logic comprises triage ticket generation logic to generate triage tickets for analyst review and alert logic to generate automatic alerts.
Type: Grant
Filed: December 24, 2019
Date of Patent: March 7, 2023
Assignee: FireEye Security Holdings US LLC
Inventors: Sai Vashisht, Rahul Khul

Patent number: 11599638
Abstract: A game engine sensor of a computing device executing an operating system receives first data from the operating system that represents occurrence of a monitored event. The game engine sensor sends second data corresponding to the monitored event to a game engine logic controller. A first logic block of the game engine logic controller determines, based on the second data and third data representing a system state of the computing device, that a first predicate condition is satisfied. A second logic block of the game engine logic controller determines, based on the second data and the third data, that a second predicate condition is satisfied. A computer security threat is detected based on the first and second predicate conditions being satisfied, and at least one game engine actuator is instructed to perform at least one action responsive to the computer security threat.
Type: Grant
Filed: August 6, 2019
Date of Patent: March 7, 2023
Assignee: JAMF Software, LLC
Inventors: Jonathan Allan Malm, Joshua Howard Stein, Patrick Nathaniel Wardle

Patent number: 11601466
Abstract: Various examples described herein are directed to identifying a particular computing device, such as a computing device having malware. A DNS query may be received with a token identifying an originating computing device. The DNS query may be compared to a list of domain names associated with particular characteristics, such as having malware. The token may be used to identify the originating computing device and perform further actions.
Type: Grant
Filed: September 13, 2017
Date of Patent: March 7, 2023
Assignee: Comcast Cable Communications, LLC
Inventor: Yiu Leung Lee

Patent number: 11601453
Abstract: Systems and methods are provided for utilizing natural language processing (NLP), namely semantic learning approaches, in network security. Techniques include analyzing network transaction records to form a corpus related to a semantics of network activity. The corpus includes formulated network sentences, representing sequences of network entities that are accessed in the network. A corpus of network sentences can include sequences of servers accessed by each user. A network sentence embeddings model can be trained on the corpus. The network sentence embeddings model includes an embedding space of text that captures the semantic meanings of the network sentences. In sentence embeddings, network sentences with equivalent semantic meanings are co-located in the embeddings space. Further, proximity measures in the embedding space can be used to identify whether network sentences (e.g., access sequences) are semantically equivalent.
Type: Grant
Filed: October 31, 2019
Date of Patent: March 7, 2023
Assignee: Hewlett Packard Enterprise Development LP
Inventor: Ramsundar Janakiraman

Patent number: 11601463
Abstract: A computing system is provided implementing a text miner configured to mine unstructured data from unstructured text sources and extract features of a target computer system, and a data flow diagram editor configured to process the extracted features to identify system elements of the target computer system and interrelationships between the identified system elements, and to identify system-related candidate properties of the system elements, and to populate a system element template for each identified system element with the system-related candidate properties for that element. The data flow diagram editor is configured to generate a data flow diagram for the target computer system comprising each identified system element having the candidate properties adopted according to the system property adoption user input, and is configured to display the generated data flow diagram in the graphical user interface.
Type: Grant
Filed: July 27, 2021
Date of Patent: March 7, 2023
Assignee: The Boeing Company
Inventors: Bhanu Pratap Singh Thakur, Ameya Deepak Kamat, Surya Sundar Raj Durairaj, Tim W. Anstey, Sangeeta Suresh Patro

Patent number: 11601447
Abstract: A method for monitoring and identifying changes in one or more parameters of an OS is disclosed. The method includes performing a measurement by a measurement application of a first computer system of the one or more parameters of a first OS executing on the first computer system, receiving the measurement of the one or more parameters of the first OS by an appraisal application, and storing the measurement of the one or more parameters of the first OS in a data store. The method also includes comparing the measurement with one or more first OS parameter norms associated with the first network slice, and identifying a change in the one or more parameters of the first OS by the appraisal application in response to comparing the measurement of the one or more parameters of the first OS with the one or more first OS parameter norms.
Type: Grant
Filed: November 5, 2020
Date of Patent: March 7, 2023
Assignee: T-MOBILE INNOVATIONS LLC
Inventors: Tracy L. Nelson, Lyle W. Paczkowski

Patent number: 11591906
Abstract: A cutting tool with a cutting region and a connecting support region, where the support region is designed to connect to an external motor assembly. The cutting tool also has a porous region that is integrated within a portion of the tool such that, as the tool cuts material, the porous region can allow samples of the cut material to permeate into an internal chamber of the tool. Once in the internal chamber, material samples can be analyzed in situ for direct composition analysis.
Type: Grant
Filed: March 9, 2020
Date of Patent: February 28, 2023
Assignee: California Institute of Technology
Inventors: Christopher R. Yahnker, Mark S. Anderson, Douglas C. Hofmann, Morgan Hendry, Samad A. Firdosy, Andre M. Pate, Luis Phillipe C.F. Tosi

Patent number: 11588830
Abstract: A method for training a machine learning model using information pertaining to characteristics of upload activity performed at one or more client devices includes generating first training input including (i) information identifying first amounts of data uploaded during a specified time interval for one or more of multiple application categories, and (ii) information identifying first locations external to a client device to which the first amounts of data are uploaded. The method includes generating a first target output that indicates whether the first amounts of data uploaded to the first locations correspond to malicious or non-malicious upload activity. The method includes providing the training data to train the machine learning model on (i) a set of training inputs including the first training input, and (ii) a set of target outputs including the first target output.
Type: Grant
Filed: June 30, 2020
Date of Patent: February 21, 2023
Assignee: Sequoia Benefits and Insurance Services, LLC
Inventor: Syed Ali Bilgrami

Patent number: 11588838
Abstract: A computer-implemented method, computer program product and computing system for: obtaining hardware performance information concerning hardware deployed within a computing platform; obtaining platform performance information concerning the operation of the computing platform; obtaining application performance information concerning one or more applications deployed within the computing platform; and generating a holistic platform report concerning the computing platform based, at least in part, upon the hardware performance information, the platform performance information and the application performance information.
Type: Grant
Filed: June 5, 2019
Date of Patent: February 21, 2023
Assignee: ReliaQuest Holdings, LLC
Inventors: Brian P. Murphy, Joe Partlow, Colin O'Connor, Jason Pfeiffer

Patent number: 11588835
Abstract: A device configured to identify a first set of clusters based on the group information and to determine a first cluster quantity that identifies a number of clusters within the first set of clusters. The device is further configured to obtain user interaction data for user devices, to input the user interaction data into a machine learning model, to receive a second set of clusters from the machine learning model based on the user interaction data, and to determine a second cluster quantity that identifies a number of clusters within the second set of clusters. The device is further configured to determine the second cluster quantity is greater than the first cluster quantity, to identify a cluster that is not present in the first set of clusters, and to modify settings on a user device from within the cluster.
Type: Grant
Filed: May 18, 2021
Date of Patent: February 21, 2023
Assignee: Bank of America Corporation
Inventors: Shailendra Singh, Satyajeet Priyadarshi

Patent number: 11586751
Abstract: A computer implemented method for access control for a restricted resource in a computer system, the method including receiving a first set of records for the computer system, each record detailing an occurrence in the computer system during a training time period when the resource is accessed in an approved manner; generating a sparse distributed representation of the set of records to form a training set for a hierarchical temporal memory (HTM); training the HTM based on the training set in order that the trained HTM provides a model of the operation of the computer system during the training time period; receiving a second set of records for the computer system, each record detailing an occurrence in the computer system during an operating time period for the computer system in use by a consumer of the resource; generating a sparse distributed representation of the second set of records to form an input set for the trained HTM; executing the trained HTM based on the input set to determine a degree of recog
Type: Grant
Filed: March 26, 2018
Date of Patent: February 21, 2023
Assignee: British Telecommunications Public Limited Company
Inventors: Joshua Daniel, Xiaofeng Du

Patent number: 11580261
Abstract: Systems and methods for managing Application Programming Interfaces (APIs) are disclosed. Systems may involve automatically generating a honeypot. For example, the system may include one or more memory units storing instructions and one or more processors configured to execute the instructions to perform operations. The operations may include receiving, from a client device, a call to an API node and classifying the call as unauthorized. The operations may include sending the call to a node-imitating model associated with the API node and receiving, from the node-imitating model, synthetic node output data. The operations may include sending a notification based on the synthetic node output data to the client device.
Type: Grant
Filed: December 16, 2021
Date of Patent: February 14, 2023
Assignee: Capital One Services, LLC
Inventors: Austin Walters, Jeremy Goodsitt, Vincent Pham, Kate Key

Patent number: 11579592
Abstract: A component security device may be disposed at an interface between a component and a cyber-physical system. The disclosed component security device may be physically and/or electrically coupled between the component and infrastructure of the cyber-physical system, such as a backplane, bus, and/or the like. The component security device may be configured to monitor the component, and selectively isolate the component from the cyber-physical system. Since the component security device is interposed at the interface of the component, the component security device may be capable of isolating the component regardless of whether the component has been compromised (e.g., regardless of whether the component is capable of complying with system commands).
Type: Grant
Filed: August 11, 2020
Date of Patent: February 14, 2023
Assignee: BATTELLE ENERGY ALLIANCE, LLC
Inventors: Craig G. Rieger, Edward E. Springer, Michael V. McCarty, Timothy R. McJunkin

Patent number: 11580216
Abstract: An example computer-implemented method of providing security for a software container includes discovering credentials that a software container is expected to use at runtime. The discovering is performed prior to instantiation of the software container from a container image, and is based on one or more of credentials stored in the container image, credentials stored in runtime configuration data for the software container, and credentials from a secrets management service. An unsafe credential set is determined that includes one or more of the discovered credentials that do not meet predefined credential safety criteria. A runtime request is intercepted from the software container. A credential violation is detected based on the intercepted runtime request attempting to use a credential from the unsafe discovered credential set. A corrective action is performed for the software container based on the detected credential violation.
Type: Grant
Filed: March 26, 2021
Date of Patent: February 14, 2023
Assignee: Aqua Security Software, Ltd.
Inventors: Michael Cherny, Sagie Dulce

Patent number: 11579864
Abstract: Accelerated behavior change for upgrades in a distributed system is described herein. A method as described herein can include facilitating a file system upgrade of a first computing node of a computing cluster from a first file system version to a second file system version that is newer than the first file system version, wherein the file system upgrade comprises pre-restart operations and a system restart performed subsequent to the pre-restart operations; activating a supervisor system of the first computing node in response to the first computing node completing the file system upgrade; and causing, in response to the activating, the supervisor system of the first computing node to initiate concurrent performance of the pre-restart operations of the file system upgrade at second computing nodes of the computing cluster, distinct from the first computing node.
Type: Grant
Filed: September 20, 2021
Date of Patent: February 14, 2023
Assignee: EMC IP HOLDING COMPANY LLC
Inventors: Mark Ranger, Gene W. Lee

Patent number: 11582193
Abstract: A system, a method, and a computer program are provided for securely connecting a main network to one or more subnetworks in an enterprise network through a group of enterprise routers that has all data traffic routed between the main network and the subnetwork through an encrypted virtual private network (VPN) tunnel. The data traffic is monitored for a cyberthreat indication in the enterprise network, and any cyberthreat indication has the cyberthreat remediated by modifying a policy in a firewall or one of the group of enterprise routers to stop routing exchange or cease encryption or transmission of data between the main network and the one or more subnetworks. In part, a key server and each router in the group of enterprise routers is configured with an Internet Protocol address, a group security association value, and a group profile, which are employed by the technological solution for secure enterprise connectivity.
Type: Grant
Filed: September 16, 2019
Date of Patent: February 14, 2023
Assignee: SAUDI ARABIAN OIL COMPANY
Inventors: Ahmad A. Alharbi, Mohammed I. Alghannam

Patent number: 11580218
Abstract: Disclosed herein are systems and methods for enabling the automatic detection of executable code from a stream of bytes. In some embodiments, the stream of bytes can be sourced from the hidden areas of files that traditional malware detection solutions ignore. In some embodiments, a machine learning model is trained to detect whether a particular stream of bytes is executable code. Other embodiments described herein disclose systems and methods for automatic feature extraction using a neural network. Given a new file, the systems and methods may preprocess the code to be inputted into a trained neural network. The neural network may be used as a "feature generator" for a malware detection model. Other embodiments herein are directed to systems and methods for identifying, flagging, and/or detecting threat actors which attempt to obtain access to library functions independently.
Type: Grant
Filed: September 21, 2021
Date of Patent: February 14, 2023
Assignee: Sentinel Labs Israel Ltd.
Inventors: Shlomi Salem, Roy Ronen, Assaf Nativ, Amit Zohar, Gal Braun, Pavel Ferencz, Eitan Shterenbaum, Tal Maimon
-
Patent number: 11574056
Abstract: Providing an isolation system that allows analysts to analyze suspicious information in a way that aids in preventing harmful information from spreading to other applications and systems on a network. A plurality of virtual containers may be used by analysts to analyze suspicious information. The suspicious information may first be checked for signatures or patterns before being analyzed by the analyst or the isolation system. The identified signatures or patterns are then compared with the stored signatures or patterns to determine whether the suspicious information comprises harmful information or not. When the identified signatures or patterns match stored signatures or patterns, the system may determine that the suspicious information comprises harmful information and perform one or more mitigation actions.
Type: Grant
Filed: June 26, 2020
Date of Patent: February 7, 2023
Assignee: BANK OF AMERICA CORPORATION
Inventors: George Albero, Jinna Zevulun Kim, Dustin Paul Stocks
-
Patent number: 11575692
Abstract: To detect identity spray attacks, a machine learning model classifies account access attempts as authorized or unauthorized, based on dozens of different pieces of information (machine learning model features). Boosted tree, neural net, and other machine learning model technologies may be employed. Model training data may include user agent reputation data, IP address reputation data, device or agent or location familiarity indications, protocol identifications, aggregate values, and other data. Account credential hash sets or hash lists may serve as model inputs. Hashes may be truncated to further protect user privacy. Classifying an access attempt as unauthorized may trigger application of multifactor authentication, password change requirements, account suspension, or other security enhancements. Statistical or heuristic detections may supplement the model.
Type: Grant
Filed: December 4, 2020
Date of Patent: February 7, 2023
Assignee: Microsoft Technology Licensing, LLC
Inventors: Sergio Romero Zambrano, Andrew Numainville, Maria Puertas Calvo, Abbinayaa Subramanian, Pui Yin Winfred Wong, Dana S. Kaufman, Eliza Kuzmenko
-
Patent number: 11574052
Abstract: In some embodiments, an apparatus includes a memory and a processor. The processor can be configured to extract a set of scripts from a potentially malicious file. The processor can further be configured to concatenate a representation of each script from the set of scripts with a representation of the remaining scripts from the set of scripts to define a script string. The processor can further be configured to define a feature vector based on a set of n-gram representations of the script string, and to input the feature vector to a neural network to produce an output. The processor can further be configured to identify, based on the output from the neural network, a maliciousness classification of the file.
Type: Grant
Filed: January 31, 2019
Date of Patent: February 7, 2023
Assignee: Sophos Limited
Inventor: Richard Harang
-
Patent number: 11575701
Abstract: An internal network can include a plurality of linked internal nodes, each internal node being configured to communicate with other internal nodes or with one or more external servers over an external network. The internal network can analyze the configuration of the internal nodes and the network traffic between internal nodes of the internal network and external servers. Based on the analysis, a network vulnerability score measuring the vulnerability of the internal network to attack can be determined. If the vulnerability score is below a threshold, the internal network can be isolated from the external network, for example by preventing internal nodes from communicating with or over the external network.
Type: Grant
Filed: June 21, 2021
Date of Patent: February 7, 2023
Assignee: Upguard, Inc.
Inventors: Michael Franz Baukes, Alan James Sharp-Paul
-
Patent number: 11574059
Abstract: A method including determining a combined data set including query data files that are to be classified, clean data files that are known to be free of malware, and malicious data files that are known to include malware; calculating respective compression functions for each of the query data files, each of the clean data files, and each of the malicious data files; individually comparing each respective compression function with each other respective compression function to determine degrees of similarity between contents included in the data files; determining a plurality of clusters based on the degrees of similarity between contents included in the data files; and classifying each query data file as a file that is likely free of malware or as a file that likely includes malware based on analyzing the combination of the query data files, the clean data files, and the malicious data files in each cluster.
Type: Grant
Filed: June 20, 2022
Date of Patent: February 7, 2023
Assignee: UAB 360 IT
Inventor: Mantas Briliauskas
-
Patent number: 11575538
Abstract: An anomaly detection device is located between a network and a first ECU in a plurality of ECUs, and includes: a communication circuit; a processor; and a memory including a set of instructions that, when executed, causes the processor to perform operations including: receiving a message from the first ECU and transmitting the message to the network, and receiving a message from the network and transmitting the message to the first ECU, using the communication circuit; holding, in the memory, a received ID list; when an ID of the message received by the communication circuit from the network is not included in the received ID list, adding the ID to the received ID list; and when an ID of the message received by the communication circuit from the first ECU is included in the received ID list, causing the communication circuit not to transmit the message to the network.
Type: Grant
Filed: March 4, 2020
Date of Patent: February 7, 2023
Assignee: PANASONIC INTELLECTUAL PROPERTY CORPORATION OF AMERICA
Inventors: Ryota Takahashi, Takamitsu Sasaki
-
Patent number: 11574047
Abstract: A cyber threat intelligence (CTI) gateway device may receive rules for filtering TCP/IP packet communications events that are configured to cause the CTI gateway device to identify communications corresponding to indicators, signatures, and behavioral patterns of network threats. The CTI gateway device may receive packets that compose endpoint-to-endpoint communication events and, for each event, may determine that the event corresponds to criteria specified by a filtering rule. The criteria may correspond to one or more of the network threat indicators, signatures, and behavioral patterns. The CTI gateway may create a log of the threat event and forward the threat event log to a task queue managed by a cyberanalysis workflow application. Human cyberanalysts use the cyberanalysis workflow application to service the task queue by removing the task at the front of the queue, investigating the threat event, and deciding whether the event is a reportable finding that should be reported to the proper authorities.
Type: Grant
Filed: September 26, 2019
Date of Patent: February 7, 2023
Assignee: Centripetal Networks, Inc.
Inventors: Sean Moore, Jonathan R. Rogers, Jess Parnell, Zachary Ehnerd
-
Patent number: 11568277
Abstract: A method and system for detecting anomalies in mission-critical environments using word representation learning are provided. The method includes parsing at least one received data set into a text structure; isolating a protocol language of the at least one received data set, wherein the protocol language is a standardized pattern for communication over at least one communication protocol; generating at least one document from the contents of the received at least one data set, wherein the at least one document includes at least one parsed text structure referencing a unique identifier; detecting insights in the at least one generated document, wherein insights are detected in at least one representation having at least one dimension, wherein the representation is mapped to at least one learned hyperspace; extracting rules from the detected insights; and detecting anomalies by applying the extracted rules on patterns for communication over at least one communication protocol.
Type: Grant
Filed: December 16, 2019
Date of Patent: January 31, 2023
Assignee: Intuit Inc.
Inventors: Liora Braunstein, Keren Cohavi, Yoav Spector
-
Patent number: 11570061
Abstract: The present invention discloses a method and apparatus for topology discovery enabled intrusion detection. In information and communications technology (ICT) systems, end devices are organized into subnets that communicate with the system center through multi-service gateways. Any intrusion can cause variations in the communications environment and the subnet topologies. Potential external intruding devices are detected from the varied communications environment and identified by the difference between the original and new subnet topologies constructed by the topology discovery method. The information on potential external intruding devices is sent to the system center for device authentication. If authentication passes, the device is kept associated and the system topology is updated with the newly discovered subnet topology. If authentication fails, the device is forced to disassociate, and an enhanced secure mode is triggered in which the messages communicated over the intruded subnet are encrypted.
Type: Grant
Filed: December 28, 2019
Date of Patent: January 31, 2023
Assignee: Picovista Innovation Corp.
Inventors: Tianqi Yu, Xianbin Wang
-
Patent number: 11570212
Abstract: This application discloses a method and an apparatus for defending against a network attack, to address the problem of relatively high network defense costs. The method includes: a network security device receives a first packet sent by an external device, and matches a destination IP address of the first packet against configuration information of a fake network. If an IP address of a node in the configuration information of the fake network has the same subnet prefix as the destination IP address, the network security device processes the first packet based on a fake network policy; if no IP address of a node in the configuration information of the fake network has the same subnet prefix as the destination IP address, the network security device processes the first packet based on a firewall policy.
Type: Grant
Filed: September 19, 2020
Date of Patent: January 31, 2023
Assignee: HUAWEI TECHNOLOGIES CO., LTD.
Inventor: Yuchen Wang
-
Patent number: 11570192
Abstract: Techniques for detecting over-the-top piracy are described. In some embodiments, a piracy detection method is performed at a server by a piracy detector. The piracy detector obtains records associated with requests for access from a plurality of client devices. The piracy detector further distributes the records to a plurality of nodes according to distribution keys extracted from the records, where each of the plurality of nodes receives a respective set of records associated with a respective distribution key and generates a set of respective watch session records based on the respective set of records. The piracy detector also generates watch session records associated with the distribution keys by aggregating the respective watch session records from the plurality of nodes. The piracy detector additionally identifies one or more pirated client devices among the plurality of client devices based on clusters established from the watch session records.
Type: Grant
Filed: April 26, 2021
Date of Patent: January 31, 2023
Assignee: Synamedia Limited
Inventors: Itai Ephraim Zilbershtein, Assaf Yosef Tamir, Imri Paran, Itzchak Bak, Vered Anikster
-
Patent number: 11568451
Abstract: Branded content, or a target asset, may be included in a set of ordered assets based on the category of an anchor asset. Fill rates, total views of the target asset, or a combination may be used in selecting an optimization strategy. A dual optimization may be used to reduce the burden of presentation based on historical yield rates and follow-on rates observed from category transition data. Serendipity may be incorporated in the process through use of a reserve pool of transitions.
Type: Grant
Filed: March 4, 2020
Date of Patent: January 31, 2023
Assignee: IRIS.TV INC.
Inventor: Thomas J. Sullivan
-
Patent number: 11570202
Abstract: A method for automatically sensing attack behaviors, the method including: distributing a service request from a network switch to a response module, where the response module includes a main controller configured for data interaction processing and an auxiliary controller configured for interactive data processing; generating, by the main controller and the auxiliary controller in the response module, respective response data according to the service request; and comparing the response data of the main controller with the response data of the auxiliary controller. If the comparison result is inconsistent, indicating that the network switch is abnormal, an administrator is informed and the response data generated by the auxiliary controller is fed back to the network switch; if the comparison result is consistent, the response data generated by the main controller is fed back to the network switch.
Type: Grant
Filed: October 29, 2020
Date of Patent: January 31, 2023
Assignee: THE PLA INFORMATION ENGINEERING UNIVERSITY
Inventors: Qinrang Liu, Ke Song, Bo Zhao, Jianliang Shen, Xia Zhang, Ting Chen, Peijie Li, Dongpei Liu, Wenjian Zhang, Li Zhang
-
Patent number: 11570187
Abstract: There may be provided a method for detecting a cyberattack or an operational issue, the method including: generating, by an IOT device or by an intermediate device located upstream of the IOT device and downstream of a computerized system, a first core-set, wherein the core-set comprises weighted records that are an approximation of a first data set related to a behavior of the IOT device; sending the first core-set to the computerized system; and finding, by the computerized system, outliers in the first core-set, and labeling the outliers as cyber attacks or operational events based on the relations between the outliers and a second dataset of cluster centroids indicative of cyber attacks or operational events.
Type: Grant
Filed: July 7, 2020
Date of Patent: January 31, 2023
Assignee: SHIELDIOT LTD.
Inventors: Ohad Levin, Dan Feldman
-
Patent number: 11562072
Abstract: The present disclosure provides a data processing method for coping with ransomware, which encrypts data with a malicious intent and blocks access to the data, in order to protect the data, and a program for executing the data processing method. In a computer apparatus that loads an application program stored in a memory onto a processor and carries out a predetermined processing according to the application program, on an operating system (OS) kernel which controls the access of the application program to hardware components of the computer apparatus, the processor reads the data stored in the memory, performs the predetermined processing at the request of the application program, determines whether a ransomware attack occurred for the data before storing the processed data back to the memory, and stores the processed data to the memory according to the determination result, thereby preventing the damage caused by the ransomware attack.
Type: Grant
Filed: January 28, 2019
Date of Patent: January 24, 2023
Assignee: SECUVE CO., LTD.
Inventor: Ki Yoong Hong
-
Patent number: 11563770
Abstract: System, device, and method of determining cyber-attack vectors and mitigating cyber-attacks.
Type: Grant
Filed: April 14, 2021
Date of Patent: January 24, 2023
Assignee: TENABLE, INC.
Inventors: Itamar Yaakov Mizrahi, Matan Hart, Yona Hollander
-
Patent number: 11563634
Abstract: Systems and methods are disclosed herein that relate to partially reconfiguring a Field Programmable Gate Array (FPGA) of a wireless communication device to provide time-slicing of modem and application functionality. In this manner, a low-cost, small size, and low power consumption implementation of the FPGA, and thus of the wireless communication device, is provided.
Type: Grant
Filed: December 14, 2021
Date of Patent: January 24, 2023
Assignee: Telefonaktiebolaget LM Ericsson (publ)
Inventor: Gang Zou
-
Patent number: 11558417
Abstract: A method, computer program product, and computer system for receiving, by a computing device, a plurality of file segments of a file, the plurality of file segments being received individually by the computing device. A first file segment of the file may be scanned to identify the presence of malware within the file segment. The first file segment of the file may be encrypted to create an encrypted file segment in response to identification by the scan of the first file segment that malware is absent from the first file segment. The encrypted file segment of the file may be sent to another computing device before a second file segment of the file is received by the computing device.
Type: Grant
Filed: April 30, 2019
Date of Patent: January 17, 2023
Inventors: Praveen Raja Dhanabalan, Anudeep Narasimhaprasad Athlur