Abstract: The technology disclosed relates to detecting a ransomware attack on a cloud-based file storage system. The detecting includes collecting metadata on files at they are manipulated, storing the collected metadata as historical metadata, detecting multiple artifacts of the ransomware attack resulting from ransomware manipulation of the files by (i) comparing at least one of the extension, the magic number and the size included in the historical metadata to at least one of the extension, the magic number and the size included in current metadata of the files to identify a volume of changes in the files, and (ii) detecting that the identified volume of changes exceeds a change volume to determine that the ransomware attack is in progress, and identifying a user/machine that manipulated the files and responding to the determination that the ransomware attack is in progress by restricting further manipulation of other files by the identified user/machine.

Abstract: A system and method for inspecting different types of cloud workloads for cybersecurity threats, all deployed in a cloud computing environment, includes a unifying extractor to expose different compute types to agnostic inspectors. The method includes accessing a first cloud workload of a first type from a plurality of deployed cloud workloads; accessing a second cloud workload of a second type from the plurality of deployed cloud workloads; extracting data from each of the first cloud workload and the second cloud workload into a storage layer having a data schema, based on a predefined data structure; and inspecting the extracted data to detect a first target object, the target object indicating a cybersecurity threat, wherein extraction for each of the first cloud workload and the second cloud workload is based on the workload type.

Abstract: A system for conducting a security recognition task, the system comprising a memory configured to store a model and training data including auxiliary information that will not be available as input to the model when the model is used as a security recognition task model for the security recognition task. The system further comprising one or more processors communicably linked to the memory and comprising a training unit and a prediction unit. The training unit is configured to receive the training data and the model from the memory and subsequently provide the training data to the model, and train the model, as the security recognition task model, using the training data to predict the auxiliary information as well as to perform the security recognition task, thereby improving performance of the security recognition task. The prediction unit is configured to use the security recognition task model output to perform the security recognition task while ignoring the auxiliary attributes in the model output.

Abstract: The technology disclosed relates to detecting a data attack on a file system stored on an independent data store. The detecting includes scanning a list to identify files of the independent data store that have been updated within a timeframe, assembling current metadata for files identified by the scanning, obtaining historical metadata of the files, determining that a malicious activity is in process by analyzing the current metadata of the files and the historical metadata to identify a pattern of changes that exceeds a predetermined change velocity. Further, the detecting includes determining that the malicious activity is in process by analyzing the current metadata of the files and known patterns of malicious metadata to identify a match between the current metadata and the known patterns of malicious metadata, determining a machine/user that initiated the malicious activity, and implementing a response mechanism that restricts file modifications by the determined machine/user.

Abstract: An application executing on an endpoint accesses remote resources using a gateway. In response to a requested remote access, the application may be marked with a descriptor that specifies a target action and a pattern of occurrences of the target action. When a second observable action on the endpoint includes the pattern of events following the first observable action, a reportable event may be generated indicating a compromised state of the endpoint. The gateway can then regulate usage of the remote resource based on the reportable event.

Abstract: A method and a computer system are disclosed for determining a threat score of an electronic document comprising the steps of: loading and rendering the electronic document in a document sandbox, controlling the document sandbox to simulate user interaction with the electronic document, while loading and rendering the electronic document and while controlling the document sandbox to simulate user interaction with the electronic document, monitoring the document sandbox for events triggered by the electronic document and belonging to one of at least two predefined event classes, recording each observed event together with a respective event class to which each observed event belongs, and determining a threat score of the electronic document based on predefined numerical weights associated with each of the predefined event classes to which the recorded events belong.

Abstract: In some embodiments, a method includes processing at least a portion of a received file into a first set of fragments and analyzing each fragment from the first set of fragments using a machine learning model to identify within each fragment first information potentially relevant to whether the file is malicious. The method includes forming a second set of fragments by combining adjacent fragments from the first set of fragments and analyzing each fragment from the second set of fragments using the machine learning model to identify second information potentially relevant to whether the file is malicious. The method includes identifying the file as malicious based on the first information within at least one fragment from the first set of fragments and the second information within at least one fragment from the second set of fragments. The method includes performing a remedial action based on identifying the file as malicious.

Abstract: A method provides a set of computer data statistical profiles derived from a corresponding set of samples of computer data to a ransomware detection system and obtains a prediction of the likelihood of a ransomware attack in the set of samples of computer data. The system utilizes a machine learning system trained to achieve data models, with each model trained initially on a corresponding cluster of curated computer data statistics profiles, each cluster including statistics characterizing a corresponding cluster of curated samples resulting from exposing a selection of raw data samples to processing by actual ransomware. Each model is subject to iterations against initial validation data until performance convergences, with sample sources from the same backups not being present in both training and validation models. The models have been subject to final validation against actual customer data to address data drift that would otherwise result in excessive false predictions.

Abstract: A gateway device between a first and second communication network outside the gateway device handles communication between a first device in the first network and a second device in the second network. When the gateway receives a communication request from the first device, directed to the second device, for performing a first cryptographic data communication protocol, the gateway determines whether the first cryptographic data communication protocol is registered as unsafe in the gateway device, and/or registered as safe, in particular whether it is safe against key reconstruction by a quantum computer. When the first cryptographic data communication protocol is not registered as unsafe in the gateway device, and/or registered as safe, the gateway device forwards messages exchanged as part of execution of the first cryptographic data communication protocol between the first and second device.

Abstract: A method and a system for detecting malicious files in non-isolated environment are provided. The method comprises, during a training phase: acquiring a plurality of executable files, analyzing a given executable file to obtain: (i) data associated with the given executable file; (ii) a control-flow graph associated with the given executable file, and (iii) a data-flow graph associated with the given executable file; determining, based on the data, parameters of the given executable file; generating, by the processor, based on the parameters, at least a first feature vector and a second feature vector; generating, by the processor, based on the control-flow graph, a third feature vector; generating, by the processor, based on the data-flow graph, a fourth feature vector; and training the each one of ensemble of classifiers based on a respective feature vector to determine if a given in-use executable file is one of malicious and non-malicious.

Abstract: According to aspect of the disclosure, there are provided methods and apparatus for connecting a peripheral device to a computer system, including an apparatus for interfacing with a peripheral device, the apparatus comprising a port configured to couple to the peripheral device, a processor, a memory coupled to the processor and comprising a software module comprising instructions that when executed on the processor protect the device from a peripheral device coupled to the port, and a hardware security controller coupled to the port, the hardware security controller configured to monitor execution of the software module by the processor and to disable the port in response to determining that the software module is not executing.

Abstract: Embodiments of a method and non-transitory computer readable mediums for displaying remote browser isolation (RBI) protected browsing are disclosed. In an embodiment, a method for RBI protected browsing, the method comprising initiating, by a device, RBI protected browsing via an RBI server, and displaying, by the device, an RBI protected browser, a border at least partially around the RBI protected browser, and a security feature within the border, where the border and the security feature indicate the RBI protected browsing to a user.

Abstract: Methods, computer-readable media, software, and apparatuses may assist a consumer in keeping track of a consumer's accounts in order to prevent unauthorized access or use of the consumer's identified subscriptions and financial accounts. The identified subscriptions and financial accounts may be displayed to the consumer along with recommendations and assistance for closing unused or unwanted financial accounts and subscriptions to prevent unauthorized access or use.

Abstract: Embodiments of non-transitory computer readable mediums for displaying a remote browser isolation (RBI) protected browser are disclosed. In an embodiment, a non-transitory computer readable medium includes instructions to be executed in a computer system, where the instructions when executed in the computer system perform a method including displaying an RBI protected browser, displaying a border at least partially around the RBI protected browser, and displaying a security feature within the border, where the border and the security feature indicate to a user that the RBI protected browser is RBI protected.

Abstract: A plurality of computing devices are communicatively coupled to each other via a network, and each of the plurality of computing devices is operably coupled to one or more of a plurality of storage devices. A plurality of failure resilient address spaces are distributed across the plurality of storage devices such that each of the plurality of failure resilient address spaces spans a plurality of the storage devices. The plurality of computing devices maintains metadata that maps each failure resilient address space to one of the plurality of computing devices. The metadata is grouped into buckets. Each bucket is stored in a group of computing devices. However, only the leader of the group is able to directly access a particular bucket at any given time.

Abstract: A computer-implemented method, computer program product and computing system for: obtaining one or more artifacts concerning a detected security event; obtaining artifact information concerning the one or more artifacts; and generating a conclusion concerning the detected security event based, at least in part, upon the detected security event, the one or more artifacts, and the artifact information.

Abstract: A virus scanning router may manages a local network, including routing network traffic between devices on the network and routing network traffic being sent to and from such devices via an external communication system. The virus scanning router remotely scans for viruses the files stored on one or more such devices on the network. The virus scanning router may be a device trusted by the other devices on local network to facilitate the virus scanning router reading and scanning one or more files stored on such devices for viruses. The virus scanning router also takes corrective actions such as isolating the infected device or isolating an affected network zone to which the remote device belongs.

Abstract: Automatic generation of a malware signature is disclosed. Code of a sample including packages and function names is parsed. Standard type packages and vendor type packages are filtered from the code of the sample to obtain main type packages. A signature using a fuzzy hash for the sample is generated based on the main type packages. A determination of whether the sample is malware is performed using the signature and a similarity score threshold.

Abstract: A method for processing, by a device in a network, an alert message received by user equipment connected to the network. The alert message indicates detection of an anomaly by the user equipment in traffic transmitted via the network. The processing method includes: obtaining from the alert message at least one piece of information which is representative of at least one user equipment constraint; processing, by means of an algorithm for detecting cyber attacks, traffic characteristics provided by the user equipment and associated with the detected anomaly, the algorithm for detecting cyber attacks being chosen and/or configured according to the at least one piece of information; and determining from the at least one piece of information, according to an outcome of the processing, and if a cyber attack is detected, a response to the user equipment regarding the detected anomaly.

Abstract: A system, method and storage medium for operating a stealth mode of an emergency vehicle includes receiving input data including at least one of an input from an operator or one or more program input parameters; determining a data operation mode based on the received input data, wherein the data operation mode is one of a normal mode and one or more stealth modes; and generating a control signal based on the determined operation mode. When the data operation mode is one of the one or more stealth modes, the control signal is adapted to control a first device to suspend a transmission of at least one data group among candidate suspended data to at least one second device in communication with the first device.

Abstract: A method of re-establishing a connection between a LWM2M client and an LWM2M server following a reconnection of the LWM2M client to the LWM2M server includes determining, at the LWM2M client, a state of the LWM2M client device prior to reconnection of the LWM2M client, transmitting, to the LWM2M server, an indication of the state of the LWM2M client prior to reconnection of the LWM2M client, and receiving a response from the LWM2M server indicating whether the indicated state of the LWM2M client is an expected state or an unexpected state of the LWM2M client.

Abstract: In one embodiment, a computing platform features a controller in communication with one or more virtual private cloud networks, including a first virtual private cloud network (VPC). The virtual private cloud network includes at least a first egress filtering gateway configured to filter egress traffic data received from a first gateway and route the filtered egress traffic data to a public network in accordance with a first set of filter rules. The first set of filter rules are included as part of a first security policy provided by the controller.

Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed that augment classification for low prevalence samples. An example non-transitory computer readable medium comprises instructions that, when executed, causes a machine to at least classify a data sample using a first classifier, classify the data sample using a second classifier different from the first classifier, the second classifier using a plurality of sensitive hashing (LSH) forests to analyze a sorted plurality of neighbor samples, determine whether a first classification result of the first classifier meets or exceeds a confidence threshold, in response to the first classification result of the first classifier meeting or exceeding the confidence threshold, output the first classification result, and in response to the first classification result of the first classifier not meeting or exceeding the confidence threshold, output a second classification result of the second classifier.

Abstract: A rootkit detection system and method analyzes memory dumps to determine connections between intercepted system driver operations requested by unknown files and changes in system memory before and after those operations. Memory dump differences and I/O buffers are analyzed with machine learning models to identify clustered features associated with rootkits.

Abstract: A computer-implemented method for detecting a security status of a computer system may include: in response to satisfaction of a predetermined trigger condition associated with an electronic application installed on a memory of the computer system, performing a security check process on the computer system; in response to the security check process determining that a security status of the computer system is currently compromised, performing a first security action; and in response to the security check process determining that the security status is formerly compromised, performing a second security action.

Abstract: An inspection device supports work related to ensuring security by including: a conversion unit that converts a regular expression of a first signature into a first representation by a nondeterministic finite automaton and converts a regular expression of a second signature into a second representation by a nondeterministic finite automaton; a determination unit that determines the presence or absence of an inclusive relationship between the first representation and the second representation; and an output unit that when a result of determination by the determination unit indicates that the first representation and the second representation have an inclusive relationship, outputs information indicating that the first signature and the second signature have the inclusive relationship.

Abstract: The present disclosure is directed to monitoring internal process memory of a computer at a time with program code executes. Methods and apparatus consistent with the present disclosure monitor the operation of program code with the intent of detecting whether received program inputs may exploit vulnerabilities that may exist in the program code at runtime. By detecting suspicious activity or malicious code that may affect internal process memory at run-time, methods and apparatus described herein identify suspected malware based on suspicious actions performed as program code executes. Runtime exploit detection may detect certain anomalous activities or chain of events in a potentially vulnerable application during execution. These events may be detected using instrumentation code when a regular code execution path of an application is deviated from.

Abstract: Malware prevention and remediation is provided by monitoring actions performed by processes and maintaining indications of which processes are trusted; selectively presenting canary files to these processes, which includes presenting the canary files to processes not indicated as being trusted and hiding the canary files from processes indicated as being trusted, and where the monitoring includes monitoring for access of canary files with change privileges; scoring each of the processes based on the actions performed, including any access of canary files with change privileges, which scoring produces a malice score for each process; and automatically terminating any process for which its malice score indicates at least a threshold level of malice in the execution of the process.

Abstract: A system and method for malware classification using machine learning models trained using synthesized feature sets based on features extracted from samples of known malicious objects and known safe objects. The synthesized feature sets act as virtual samples for training a machine learning classifier to recognize new objects in the wild that are likely to be malicious.

Abstract: File risk and malware detection and classification can be enhanced using machine learning analysis of content disarm and reconstruction (CDR) output. Correlations can be discovered or analyzed between individual elements of such outputs, which can include an XML report. Such correlations can provide useful information on threat intelligence and help validate content disarm and reconstruction. A method can include training machine learning algorithms with a dataset derived from CDR results from test files labelled as malicious or not malicious; instructing algorithms to predict probabilities; and determining correlation between the report items and malware (for example, using the function feature importances and the SHAP value method).

Abstract: Artificial Intelligence (“AI”) apparatus and method are provided that correlate and consolidate operation of discrete vendor tools for detecting cyberthreats on a network. An AI engine may filter false positives and eliminate duplicates within cyberthreats detected by multiple vendor tools. The AI engine provides machine learning solutions to complexities associated with translating vendor-specific cyberthreats to known cyberthreats. The AI engine may ingest data generated by the multiple vendor tools. The AI engine may classify hardware devices or software applications scanned by each vendor tool. The AI engine may decommission vendor tools that provide redundant cyberthreat detection. The AI engine may display operational results on a dashboard directing cyberthreat defense teams to corroborated cyberthreats and away from false positives.

Abstract: A file format identification system can predict file formats associated with binary data. The file format identification system can extract n-grams, such as byte 4-grams, from the binary data. A trained neural network with at least one embedding layer can generate embedding arrays that correspond to the extracted n-grams. A trained file format classifier can compare values in the embedding arrays with patterns of values associated with known file formats. The trained file format classifier can accordingly determine which of the known file formats are most likely to be associated with the binary data.

Abstract: Detection of command and control malware is disclosed. A network traffic session is monitored. Automatic feature identification for real-time malicious command and control traffic detection based on a request header of the monitored network traffic session using a deep learning model is performed.

Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed. In one example, an apparatus includes at least one memory, instructions, and processor circuitry. The processor circuitry at least executes or instantiates the instructions to receive a group of indicators from a campaign attack, then query an indicator database with an indicator from the group of indicators, and then predict an identification of the campaign attack in response to the indicator having a current deterministic indicator and confidence scoring (DISC) score in the indicator database, wherein the DISC score represents at least one of a lethality component, a determinism component, or a confidence component of the indicator.

Abstract: A detection system for determining whether an update of at least one application installed on at least one whitelisted host is legitimate is provided. The system includes an update management server and update detectors installed with the application(s). During a process that software automatic update occurs in each update detector and a corresponding update installation package is executed, the executed update installation package generates at least one updater corresponding to each application. Each update detector transmits report information which includes the information of the at least one updater and sampled executable files to the update management server. The update management server obtains a number of update detectors, having performed the update operation of each application, according to the report information of each update detector. If the number is greater than or equal to a threshold value, it is determined that the update is legitimate.

Abstract: Techniques for early exit dynamic analysis of a virtual machine are disclosed. In some embodiments, a system/process/computer program product for early exit dynamic analysis of a virtual machine includes initiating a dynamic analysis of a malware sample by executing the malware sample in a virtual computing environment; monitoring activities of the malware sample during execution of the malware sample in the virtual computing environment; and determining when to exit the dynamic analysis before a predetermined period of time.

Abstract: Techniques are described for monitoring and analyzing input/output (I/O) messages for patterns indicative of ransomware attacks affecting computer systems of a cloud provider, and for performing various remediation actions to mitigate data loss once a potential ransomware attack is detected. The monitoring of I/O activity for such patterns is performed at least in part by I/O proxy devices coupled to computer systems of a cloud provider network, where an I/O proxy device is interposed in the I/O path between guest operating systems running on a computer system and storage devices to which I/O messages are destined. An I/O proxy device can analyze I/O messages for patterns indicative of potential ransomware attacks by monitoring for anomalous I/O patterns which may, e.g., be indicative of a malicious process attempting to encrypt or otherwise render in accessible a significant portion of one or more storage volumes as part of a ransomware attack.

Abstract: A device property control system determines whether a current user of a device is an owner of the device, a trusted secondary user of the device, or an untrusted secondary user of the device. The system maintains device property values for the owner as well as each trusted secondary user of the device. When the current user of the device changes, the system determines whether the current user is the owner or a trusted secondary user and if so changes the device property values to those previously used by the owner or one of the trusted secondary users (whichever is the current user of the device). However, if the current user is an untrusted secondary user, the device property control system changes the device property values to demonstration mode device property values that are expected to best demonstrate the capabilities of the device.

Abstract: Methods and apparatus consistent with the present disclosure may be performed by a Cloud computing device may use instrumentation code that remains transparent to an application program that the instrumentation code has been injected into, may perform deep packet inspection (DPI) on computer data, or identify a content rating associated with computer data. In certain instances, data sets that include executable code may be received via packetized communications or be received via other means, such as, receiving a file from a data store. The present technique allows one or more processors executing instrumentation code to monitor actions performed by the program code included in a received data set. Malware can be detected using exception handling to track memory allocations of the program code included in the received data set. Furthermore, access to content associated with malware, potential malware, or with inappropriate content ratings may be blocked.

Abstract: A server kernel processing system receives an input/output (I/O) request from a user mode computing environment. The I/O request is analyzed to determine whether it is a file open request. If so, target analysis logic determines whether the file open request is for a driver file or for a file within a protected volume that stores a driven whitelist file. If the file open request is for a file stored in a protected volume, the request is blocked. If the file open request is for a driver file, then the driver whitelist file is examined to determine whether the target driver is on the whitelist. If not, the file open request is also blocked.

Abstract: The disclosure herein describes the processing of malware scan requests from VCIs by an anti-malware scanner (AMS) on a host device. A malware scan request is received by the AMS from a VCI, the malware scan request including script data of a script from a memory buffer of the VCI. The AMS scans the script data of the malware scan request, outside of the VCI, and determines that the script includes malware. The AMS notifies the VCI that the script includes malware, whereby the VCI is configured to prevent execution of the script or take other mitigating action. The AMS provides scanning for fileless malware to VCIs on a host device without consuming or otherwise affecting resources of the VCIs.

Abstract: A system for detection of files not matching a known malware file in a computing environment that includes a processor coupled to a memory storing instructions to permit the processor to function as an analyzer. The analyzer is configured to receive, as input, an unknown file and the known malware file, compare the unknown file to the known malware file by comparing N (where N is greater of equal to 1) blocks B1, . . . , BN of lengths L1, . . . , LN located at offsets O1, . . . , ON such that the number of blocks, lengths and offsets are calculated according to pre-defined algorithm, and output a value indicating that the unknown file is different from the known malware file if exists at least one j that a Bj block of the unknown file is different from a Bj block of the known malware file.

Abstract: A network device may include a memory and one or more processors configured to analyze execution of suspicious data; detect one or more states of execution of the suspicious data; determine that the one or more states of execution are to be assigned a priority level; and extract at least a portion of the suspicious data from one or more locations based on determining that the one or more states of execution are to be assigned a priority level.

Abstract: A standalone storage product having: a first bus connector for connecting to an external processor; a second bus connector for connecting to an external network interface; a storage device accessible over the network interface; and a processing device configured to communicate, via the second bus connector, with the network interface to obtain storage access messages represented by incoming packets received at the network interface from a computer network. The processing device can: identify, from the storage access messages, first messages and second messages; provide, the first messages via the first bus connector, to the processor; and provide, the second messages, to the storage device without the second messages going through the processor. The storage device is configured to: receive, via the first bus connector, third messages from the processor; and execute commands in the second messages and the third messages to implement a network storage service.

Abstract: Embodiments seek to prevent detection of a sandbox environment by a potential malware application. To this end, execution of the application is monitored, and provide information about the execution to a reinforcement learning machine learning model. The model generates a suggested modification to make to the executing application. The model is provided with information indicating whether the application executed successfully or not, and this information is used to train the model for additional modifications. By modifying the potential malware execution during its execution, detection of a sandbox environment is prevented, and analysis of the potential malware applications features are better understood.

Abstract: A system and method of deployment of malware detection traps by at least one processor may include performing a first interrogation of a first Network Asset (NA) of a specific NA family; determining, based on the interrogation, a value of one or more first NA property data elements of the first NA; obtaining one or more second NA property data elements corresponding to the specific NA family; integrating the one or more first NA property data elements and the one or more second NA property data elements to generate a template data element, corresponding to the specific NA family; producing, from the template data element, a malware detection trap module; and deploying, on one or more computing devices of a computer network, one or more instantiations of the malware detection trap module as decoys of the first NA.

Abstract: Methods, computer-readable media, software, and apparatuses may assist a consumer in keeping track of a consumer's accounts in order to prevent unauthorized access or use of the consumer's identified accounts. To discover the various accounts, the methods, computer-readable media, software, and apparatuses can monitor at least a consumer's email accounts, web browser history, and web cache. The discovered accounts may be displayed to the consumer along with recommendations and assistance for closing unused or unwanted accounts to prevent unauthorized access or use.

Abstract: A computer includes a processor and a memory, and the memory stores instructions executable by the processor to receive a plurality of first message patterns; receive a plurality of second message patterns; determine a set of differences between the first message patterns and the second message patterns; for at least one of the differences, determine a respective resolution in favor of either the first message patterns or the second message patterns; and generate a plurality of third message patterns. The message patterns define messaging between electronic control units on board a vehicle. The message patterns include values for attributes assigned to the respective message patterns. The third message patterns include the at least one resolution and commonalities between the first message patterns and the second message patterns.

Abstract: An adaptive malware writing system includes a targeting engine that classifies malware candidates as a malicious candidate or a benign candidate through a surrogate model. The surrogate model assigns a weight to each byte of the malware candidates through a saliency vector. The sum of the weights render a malware classification score. An alteration engine alters a binary form of the malware candidates classified as malware by executing a functional analysis that traces application program interface calls and memory. The alteration engine alters the binary form of the malware candidates classified as malware to render a synthesized malware. The malware analysis determines if the synthesized malware is operational by comparing an image of the synthesized malware to an image of at least one of the plurality of malware candidates. A target classifier engine identifies the vulnerabilities of a targeted computer.

Abstract: Examples of the present disclosure describe systems and methods relating to adaptive virtual services. In an example, a user specifies a device configuration for a platform device. As a result, a service provider installs selected virtual-network functions and defines network connections as specified by the device configuration. Management software may also be installed, thereby enabling the service provider to communicate with and remotely manage the platform device. The installed virtual-network functions are activated on the platform device once it is delivered to the user. In some instances, the user changes the device configuration. For example, the user may install new virtual-network functions, reconfigure or remove existing virtual-network functions, or change defined network connections. As a result, the service provider reconfigures the platform device accordingly. Thus, the user need not purchase new specialized hardware in order to change the available functions of the computer network.