Virus Detection Patents (Class 726/24)
- Patent number: 10726128
  Abstract: Example techniques herein determine that a trial data stream is associated with malware (“dirty”) using a local computational model (CM). The data stream can be represented by a feature vector. A control unit can receive a first, dirty feature vector (e.g., a false miss) and determine the local CM based on the first feature vector. The control unit can receive a trial feature vector representing the trial data stream. The control unit can determine that the trial data stream is dirty if a broad CM or the local CM determines that the trial feature vector is dirty. In some examples, the local CM can define a dirty region in a feature space. The control unit can determine the local CM based on the first feature vector and other clean or dirty feature vectors, e.g., a clean feature vector nearest to the first feature vector.
  Type: Grant
  Filed: July 24, 2017
  Date of Patent: July 28, 2020
  Assignee: CrowdStrike, Inc.
  Inventors: Sven Krasser, David Elkind, Patrick Crenshaw, Kirby James Koster
- Patent number: 10728271
  Abstract: In one embodiment, a computing device provides a feature vector as input to a random decision forest comprising a plurality of decision trees trained using a training dataset, each decision tree being configured to output a classification label prediction for the input feature vector. For each of the decision trees, the computing device determines a conditional probability of the decision tree based on a true classification label and the classification label prediction from the decision tree for the input feature vector. The computing device generates weightings for the classification label predictions from the decision trees based on the determined conditional probabilities. The computing device applies a final classification label to the feature vector based on the weightings for the classification label predictions from the decision trees.
  Type: Grant
  Filed: June 11, 2019
  Date of Patent: July 28, 2020
  Assignee: Cisco Technology, Inc.
  Inventors: Jan Brabec, Lukas Machlica
- Patent number: 10726129
  Abstract: A technique for detecting malware looks at startup hooks that may be created by malware to assist in ensuring that the malware is started upon a reboot of a programmable device. After enumerating startup hooks in the system, startup hooks associated with untrusted executables are deleted. If the startup hook is restored, that is an indication that the untrusted executable may be malware. An indication may then be passed to an anti-malware software to analyze the executable further.
  Type: Grant
  Filed: April 18, 2019
  Date of Patent: July 28, 2020
  Assignee: McAfee, LLC
  Inventors: Craig Schmugar, John Teddy, Cedric Cochin
- Patent number: 10719413
  Abstract: A unified backup workflow process for different hypervisor configurations of virtual machines on different storage of a cluster leverages RCT-based backup functionality so that backup operations can be performed by a single host of the cluster. The process enables backing up together virtual machines that are local, as well as part of CSV or SMB storage using virtual machine level snapshots as checkpoints rather than volume level snapshots that were traditionally used. Backup data is sent to a backup server as a data stream rather than a file, which avoids the necessity of maintaining chains or structures that identify parent-child disks on the server.
  Type: Grant
  Filed: April 17, 2018
  Date of Patent: July 21, 2020
  Assignee: EMC IP Holding Company, LLC
  Inventors: Sunil Yadav, Aaditya R. Bansal, Soumen Acharya, Suman C. Tokuri, Sudha V. Hebsur
- Patent number: 10719610
  Abstract: Systems, methods, and software can be used to generate security manifests for software components using binary static analysis. In some aspects, one computer-implemented method includes performing a binary static analysis of a binary software component to determine one or more security characteristics of the binary software component; generating a security manifest for the binary software component including the determined one or more security characteristics of the binary software component; and providing the security manifest to a software management system configured to determine whether to deploy the binary software component based on the security manifest.
  Type: Grant
  Filed: August 14, 2017
  Date of Patent: July 21, 2020
  Assignee: BlackBerry Limited
  Inventor: Adam John Boulton
- Patent number: 10713586
  Abstract: This document discloses a system and method for consolidating threat intelligence data for a computer and its related networks. Massive volumes of raw threat intelligence data are collected from a plurality of sources and are partitioned into a common format for cluster analysis whereby the clustering of the data is done using unsupervised machine learning algorithms. The resulting organized threat intelligence data subsequently undergoes a weighted asset based threat severity level correlation process. All the intermediary network vulnerabilities of a particular computer network are utilized as the critical consolidation parameters of this process. The final processed intelligence data gathered through this high speed automated process is then formatted into predefined formats prior to transmission to third parties.
  Type: Grant
  Filed: July 24, 2015
  Date of Patent: July 14, 2020
  Assignee: Certis CISCO Security Pte Ltd
  Inventor: Keng Leng Albert Lim
- Patent number: 10713359
  Abstract: Disclosed are systems and methods for detection of malicious intermediate language files. In one exemplary aspect, the system comprises a database comprising hashes of known malicious files, a resource allocation module configured to select a set of resources from a file being analyzed, a hash calculation module, coupled to the resource allocation module, configured to calculate a perceptive hash of the set of resources; and an analysis module, coupled to the other modules, configured to identify a degree of similarity between the set of resources and a set of resources from known malicious files by comparing the perceptive hash with perceptive hashes of the set of resources from known malicious files, determine a harmfulness of the file being analyzed based on the degree of similarity and remove or quarantine the file being analyzed when the harmfulness exceeds a predetermined threshold.
  Type: Grant
  Filed: March 29, 2018
  Date of Patent: July 14, 2020
  Assignee: AO Kaspersky Lab
  Inventors: Vladimir V. Krylov, Alexander V. Liskin, Alexey E. Antonov
- Patent number: 10708308
  Abstract: An example embodiment may include a security enforcement point device disposed within a managed network and a security decision point device disposed within a computational instance of a remote network management platform. The security decision point device may be configured to: receive a message by way of the managed network; parse the message to identify observable indicators of one or more of the security threats, where the observable indicators include at least one of a network address, a hyperlink, or a representation of an attached file; remotely query a security threat database for the observable indicators; receive, from the security threat database, an indication that the observable indicators are associated with a particular security threat, and transmit, to the security enforcement point device, a command to update its associated security policy such that the particular security threat is mitigated.
  Type: Grant
  Filed: October 2, 2017
  Date of Patent: July 7, 2020
  Assignee: ServiceNow, Inc.
  Inventors: Phillip DiCorpo, Jose Bernal, Eun-Sook Watson
- Patent number: 10706151
  Abstract: Described systems and methods allow protecting a computer system from malicious software. In some embodiments, a security application organizes a set of monitored executable entities (e.g., processes) into a plurality of groups, wherein members of a group are related by filiation and/or code injection. The security application may further associate a malice-indicative entity score with each monitored entity, and a malice-indicative group score with each entity group. Group scores may be incremented when a member of the respective group performs certain actions. Thus, even though actions performed by individual members may not be malware-indicative per se, the respective group score may capture collective malicious behavior and trigger malware detection.
  Type: Grant
  Filed: October 1, 2018
  Date of Patent: July 7, 2020
  Assignee: Bitdefender IPR Management Ltd.
  Inventors: Gheorghe F. Hajmasan, Radu M. Portase
- Patent number: 10706368
  Abstract: The disclosed computer-implemented method for efficiently classifying data objects may include (1) receiving a data object to be classified according to a group of rules, where each rule includes one or more clauses, (2) creating, for each rule, a rule evaluation job that directs a rule evaluation processor to evaluate the data object according to the clauses within the rule, where the rule evaluation processor evaluates the clauses in increasing order of estimated processing time, (3) submitting the rule evaluation jobs created for the rules to rule evaluation queues for processing by the rule evaluation processor, where the rule evaluation jobs are submitted in decreasing order of estimated processing time, (4) receiving an evaluation result for each rule evaluation job, and (5) in response to receiving the evaluation results, classifying the data object according to the evaluation results. Various other methods, systems, and computer-readable media are also disclosed.
  Type: Grant
  Filed: December 30, 2015
  Date of Patent: July 7, 2020
  Assignee: Veritas Technologies LLC
  Inventor: Huw Thomas
- Patent number: 10701031
  Abstract: Examples relate to identifying algorithmically generated domains. In one example, a computing device may: receive a query domain name; split the query domain name into an ordered plurality of portions of the query domain name, the ordered plurality of portions beginning with a first portion and ending with a last portion, the last portion including a top level domain of the query domain name; provide, in reverse order beginning with the last portion, the portions of the query domain name as input to a predictive model that has been trained to determine whether the query domain name is an algorithmically generated domain name, the determination being based on syntactic features of the query domain name; and receive, as output from the predictive model, data indicating whether the query domain name is algorithmically generated.
  Type: Grant
  Filed: November 16, 2017
  Date of Patent: June 30, 2020
  Assignee: Trend Micro Incorporated
  Inventors: Josiah Dede Hagen, Richard Lawshae, Brandon Niemczyk
- Patent number: 10693891
  Abstract: A method includes, in response to receiving an email message, detecting one or more artifacts within an email message, wherein each of the artifacts is associated with a payload; for each artifact, generating a descriptor object representing the artifact that does not include the payload, so that the processor is prevented from accessing the payload via the descriptor object; and at least one payload button based on the payload associated with the artifact for causing the payload to be transmitted to an external system for analysis of the payload; and presenting an artifact dashboard in a graphical user interface (GUI) rendered on a display of the email security system, the artifact dashboard displaying, for each artifact, the descriptor object representing the artifact and the at least one payload button based on the payload associated with the artifact.
  Type: Grant
  Filed: December 6, 2017
  Date of Patent: June 23, 2020
  Assignee: Chicago Mercantile Exchange Inc.
  Inventors: Thomas Anthony Kemp, Metin Carlo DePaolis, William Robert Gemza, Jr., Ryan Jerome Whalen
- Patent number: 10684876
  Abstract: Exemplary embodiments described herein relate to a destination path for use with multiple different types of VMs, and techniques for using the destination path to convert, copy, or move data objects stored in one type of VM to another type of VM. The destination path represents a standardized (canonical) way to refer to VM objects from a proprietary VM. A destination location may be specified using the canonical destination path, and the location may be converted into a hypervisor-specific destination location. A source data object may be copied or moved to the destination location using a hypervisor-agnostic path.
  Type: Grant
  Filed: September 30, 2015
  Date of Patent: June 16, 2020
  Assignee: NETAPP, INC.
  Inventors: Sung Ryu, Shweta Behere, Jeffrey Teehan
- Patent number: 10686817
  Abstract: Examples determine a number of hosts, within an enterprise, which are resolving a particular domain. Based on the number of hosts within the enterprise resolving the particular domain, the examples identify whether the particular domain is benign.
  Type: Grant
  Filed: September 21, 2015
  Date of Patent: June 16, 2020
  Assignee: Hewlett Packard Enterprise Development LP
  Inventors: Prasad V. Rao, Sandeep N. Bhatt, William G. Horne, Pratyusa K. Manadhata, Miranda Jane Felicity Mowbray
- Patent number: 10685293
  Abstract: To analyze cybersecurity threats, an analysis module of a processor may receive log data from at least one network node. The analysis module may identify at least one statistical outlier within the log data. The analysis module may determine that the at least one statistical outlier represents a cybersecurity threat by applying at least one machine learning algorithm to the at least one statistical outlier.
  Type: Grant
  Filed: January 20, 2017
  Date of Patent: June 16, 2020
  Assignee: CYBRAICS, INC.
  Inventors: Richard Edwin Heimann, Jonathan Lee Ticknor, Amanda Lynn Traud, Marshall Thomas Vandergrift, Kaska Adoteye, Jesse Pruitt Jeter, Michael Toru Czerny
- Patent number: 10686820
  Abstract: A method for evaluating a scope of cyber-attack incidents, the method may include detecting original compromised assets and malicious external machines that are related to each of the cyber-attack incidents; classifying potentially compromised assets to different classes based on (a) similarities between the potentially compromised assets and the original compromised assets, (b) a level of accessibility from the original compromised assets and malicious external machines to the potentially compromised assets, and (c) volumes of traffic between the potentially compromised assets and each one of the malicious external machines and the original compromised assets; wherein the different classes comprise compromised and non-compromised; and generating an alert that is indicative of the compromised assets and of potentially compromised assets that were classified as compromised.
  Type: Grant
  Filed: June 28, 2017
  Date of Patent: June 16, 2020
  Assignee: SKYBOX SECURITY Ltd
  Inventors: Tal Sheffer, Ravid Circus, Moshe Raab, Lior Ben Naon, Gideon David Cohen
- Patent number: 10686596
  Abstract: An interface, through which functionality of a cloud computing infrastructure can be accessed, can create defined endpoints through which such an interface is accessed, with such defined endpoints limiting the functionality accessible through the interface to only allowed functions. An elevate function can, through a secure key exchange protocol, receive appropriate assurances and can, in response, remove the functionality limitations of the endpoint, thereby enabling unfettered access to the cloud computing infrastructure. Such unrestricted access can be limited in duration, which duration can be established in advance, or agreed-upon through the key exchange mechanism.
  Type: Grant
  Filed: March 2, 2018
  Date of Patent: June 16, 2020
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Armando Moran Saavedra, Daniel Pravat, Filippo Seracini, Lee Holmes, Alexandru Naparu
- Patent number: 10678922
  Abstract: The subject matter described herein provides protection against zero-day attacks by detecting, via a hypervisor maintaining an extended page table, an attempt to execute arbitrary code associated with malware in a guest operating system (OS) running within a virtual machine (VM). Further, the subject matter provides detection of lateral movement of the malware. The hypervisor uses hidden breakpoints to detect a request for thread creation, and then determines whether the request is to download and execute arbitrary code.
  Type: Grant
  Filed: February 16, 2018
  Date of Patent: June 9, 2020
  Assignee: NICIRA, INC.
  Inventor: Prasad Dabak
- Patent number: 10673892
  Abstract: Intrusion features of a landing page associated with sponsored content are identified. A feature score for the landing page based on the identified intrusion features is generated, and if the feature score for the landing page exceeds a feature threshold, the landing page is classified as a candidate landing page. A sponsor account associated with the candidate landing page can be suspended, or sponsored content associated with the candidate landing page can be suspended.
  Type: Grant
  Filed: December 28, 2016
  Date of Patent: June 2, 2020
  Assignee: Google LLC
  Inventors: Niels Provos, Yunkai Zhou, Clayton W. Bavor, Jr., Eric L. Davis, Mark Palatucci, Kamal P. Nigam, Christopher K. Monson, Panayiotis Mavrommatis, Rachel Nakauchi
- Patent number: 10673872
  Abstract: A threat level is evaluated for an ongoing attack detected for a set of resources based on received notifications having low weight in the evaluation of the threat level. If the threat level is smaller than an entrapment threshold, sensors associated with resources of an information system infrastructure that are potential subsequent targets of the ongoing attack are activated, the weight of the notifications sent from the activated sensors is set as average weight in the evaluation of the threat level, and the threat level is further evaluated for the ongoing attack. If the threat level is greater than the entrapment threshold, traps are deployed in the information system infrastructure, the weight of the notifications sent from the deployed traps is set as high weight in the evaluation of the threat level, and the threat level is further evaluated for the ongoing attack.
  Type: Grant
  Filed: November 7, 2016
  Date of Patent: June 2, 2020
  Assignee: ALCATEL LUCENT
  Inventors: Serge Papillon, Haithem El Abed, Antony Martin
- Patent number: 10673902
  Abstract: Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth.
  Type: Grant
  Filed: April 26, 2018
  Date of Patent: June 2, 2020
  Assignee: Sophos Limited
  Inventors: Andrew J. Thomas, Mark D. Harris, Simon Neil Reed, Neil Robert Tyndale Watkiss, Kenneth D. Ray
- Patent number: 10666668
  Abstract: A security platform employs a variety of techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
  Type: Grant
  Filed: January 28, 2019
  Date of Patent: May 26, 2020
  Assignee: Splunk Inc.
  Inventors: Sudhakar Muddu, Christos Tryfonas
- Patent number: 10657252
  Abstract: A method for analyzing a document may include obtaining a runtime model for an application used to process the document, extracting, from the document, code blocks each including statements, and generating, using the runtime model, a result including a series of abstract states for each statement of a code block. Each abstract state may include a series of abstract values each corresponding to concrete values. The method may further include determining, using the result and the runtime model, whether the document includes potentially malicious code.
  Type: Grant
  Filed: November 28, 2017
  Date of Patent: May 19, 2020
  Assignee: Oracle International Corporation
  Inventors: Alexander W. Jordan, Francois Gauthier
- Patent number: 10657251
  Abstract: A malware detection system configured to detect suspiciousness in obfuscated content. A multi-stage static detection logic is utilized to detect obfuscation, make the obfuscated content accessible, identify suspiciousness in the accessible content and filter non-suspicious non-obfuscated content from further analysis. The multi-stage static detection logic includes a controller, a de-constructor, and a post-processor. The controller is configured to receive content while the de-constructor is configured to receive content from the controller and deconstruct the content using the analysis technique selected by the controller. The post-processor is configured to receive the de-constructed content from the de-constructor, determine whether a specimen within the de-constructed content is suspicious, and remove non-suspicious content from further analysis.
  Type: Grant
  Filed: June 26, 2017
  Date of Patent: May 19, 2020
  Assignee: FireEye, Inc.
  Inventors: Amit Malik, Shivani Deshpande, Abhishek Singh, Wei Zheng
- Patent number: 10659432
  Abstract: A computing device can install and execute a kernel-level security agent that interacts with a remote security system as part of a detection loop aimed at defeating malware attacks. The kernel-level security agent can be installed with a firewall policy that can be remotely enabled by the remote security system in order to “contain” the computing device. Accordingly, when the computing device is being used, and a malware attack is detected on the computing device, the remote security system can send an instruction to contain the computing device, which causes the implementation, by an operating system (e.g., a Mac™ operating system) of the computing device, of the firewall policy accessible to the kernel-level security agent. Upon implementation and enforcement of the firewall policy, outgoing data packets from, and incoming data packets to, the computing device that would have been allowed prior to the implementation of the firewall policy are denied.
  Type: Grant
  Filed: July 6, 2017
  Date of Patent: May 19, 2020
  Assignee: CrowdStrike, Inc.
  Inventors: Paul Meyer, Cameron Gutman, John R. Kooker
- Patent number: 10650146
  Abstract: An amount of data change associated with a version of a content file with respect to one or more previous versions of the content file is determined. The amount of change associated with the version of the content file is determined using a tree data structure associated with the content file that is stored on a storage cluster. One or more statistics associated with a backup snapshot are provided to a server. The server is configured to determine that the amount of data change associated with the version of the content file is anomalous based in part on the one or more statistics associated with the backup snapshot. A notification that data associated with the backup snapshot is potentially infected by malicious software is received from the server. The version of the content file is indicated as being potentially infected by malicious software.
  Type: Grant
  Filed: April 1, 2019
  Date of Patent: May 12, 2020
  Assignee: Cohesity, Inc.
  Inventors: Prashant Gaurav, Sidharth Mishra, Karandeep Singh Chawla, Anubhav Gupta, Sudhir Srinivas, Nagapramod Mandagere, Apurv Gupta
- Patent number: 10645124
  Abstract: A system for collection and analysis of forensic and event data comprising a server and an endpoint agent operating on a remote system. The server is configured to receive event data including process creation data, persistent process data, thread injection data, network connection data, memory pattern data, or any combination thereof, and analyze the event data to detect compromises of a remote system. The endpoint agent is configured to acquire event data, and communicate the event data to the server.
  Type: Grant
  Filed: February 17, 2017
  Date of Patent: May 5, 2020
  Assignee: SecureWorks Corp.
  Inventors: Ross R. Kinder, Aaron Hackworth, Matthew K. Geiger, Kevin R. Moore, Timothy M. Vidas, Oliver J. Palmer, Jon Ramsey, Matt J. McCormack
- Patent number: 10645107
  Abstract: A network device may include a memory and one or more processors configured to analyze execution of suspicious data; detect one or more states of execution of the suspicious data; determine that the one or more states of execution are to be assigned a priority level; and extract at least a portion of the suspicious data from one or more locations based on determining that the one or more states of execution are to be assigned a priority level.
  Type: Grant
  Filed: January 16, 2018
  Date of Patent: May 5, 2020
  Assignee: Cyphort Inc.
  Inventors: Abhijit Mohanta, Anoop Wilbur Saldanha
- Patent number: 10642977
  Abstract: Exception lists may be generated by combining a standard list and a client list. Standard benign file information identifying a set of standard benign files may be obtained. A set of standard signatures for the set of standard benign files may be obtained. Client benign file information identifying a set of client benign files for a client may be obtained. A set of client signatures for the set of client benign files for the client may be obtained. A client exception list for the client may be generated based on the set of standard signatures and the set of client signatures.
  Type: Grant
  Filed: December 17, 2018
  Date of Patent: May 5, 2020
  Assignee: DiDi Research America, LLC
  Inventors: Liwei Ren, Qiaoyue Wang
- Patent number: 10637877
  Abstract: At an electronic computing device, a first memory footprint is obtained for a protected computer. The protected computer is monitored with the electronic computing device. At the electronic computing device, a second memory footprint is obtained for the protected computer. The first memory footprint is compared with the second memory footprint. When the first memory footprint does not match the second memory footprint, a security alert is initiated for the protected computer.
  Type: Grant
  Filed: March 8, 2016
  Date of Patent: April 28, 2020
  Assignee: Wells Fargo Bank, N.A.
  Inventors: Ramanathan Ramanathan, Rama Rao Yadlapalli, Ajay Kumar Rentala, Vamsi Krishna Geda
- Patent number: 10635815
  Abstract: Disclosed are an apparatus and method of verifying an application installation procedure. One example method of operation may include receiving an application at a computer device and initiating the installation of the application on the computer device. The method may also provide executing the application during the installation procedure and creating a hash value corresponding to the executed application data. The method may further provide storing the hash value in memory and comparing the hash value to a pre-stored hash value to determine whether to continue the installation of the application.
  Type: Grant
  Filed: March 26, 2019
  Date of Patent: April 28, 2020
  Assignee: OPEN INVENTION NETWORK LLC
  Inventor: William Charles Easttom
- Patent number: 10635813
  Abstract: In some embodiments, a method includes processing at least a portion of a received file into a first set of fragments and analyzing each fragment from the first set of fragments using a machine learning model to identify within each fragment first information potentially relevant to whether the file is malicious. The method includes forming a second set of fragments by combining adjacent fragments from the first set of fragments and analyzing each fragment from the second set of fragments using the machine learning model to identify second information potentially relevant to whether the file is malicious. The method includes identifying the file as malicious based on the first information within at least one fragment from the first set of fragments and the second information within at least one fragment from the second set of fragments. The method includes performing a remedial action based on identifying the file as malicious.
  Type: Grant
  Filed: October 6, 2017
  Date of Patent: April 28, 2020
  Assignee: Sophos Limited
  Inventors: Joshua Daniel Saxe, Richard Harang
- Patent number: 10628585
  Abstract: A system for protecting a database against a ransomware attack includes a database backup handler configured to selectively output database backup data associated with a database to a storage device. A ransomware detector is configured to monitor changes to the database and to detect data changes to the database resulting from a ransomware attack. A ransomware remediator communicates with the ransomware detector and the database backup handler and is configured to restore data in the database to a point prior to the ransomware attack based upon the backup data in the storage device.
  Type: Grant
  Filed: April 19, 2017
  Date of Patent: April 21, 2020
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Gal Tamir, Elad Iwanir, Avi Ben-Menahem
- Patent number: 10630574
  Abstract: Network link processing method, apparatus, and system are disclosed. For example, the method includes: generating an interface-invocation request carrying a target link, a number of bytes of the target link being greater than a preset threshold; sending the interface-invocation request to an open platform server; receiving a unique identifier string sent by the open platform server, a number of bytes of the unique identifier string being less than the preset threshold; and providing the unique identifier string to a client.
  Type: Grant
  Filed: June 12, 2017
  Date of Patent: April 21, 2020
  Assignee: Tencent Technology (Shenzhen) Company Limited
  Inventor: Hao Chen
- Patent number: 10628602
  Abstract: Embodiments of the present disclosure include systems and methods for controlling modification of a data file that is accessed by multiple components of an application platform. The method for controlling modification of a data file includes: preparing a link constraint data that includes information of a data file and a component of an application platform, the component being associated with the data file; preparing an alert data that includes information of the data file and a person having a permission to modify the data file; responsive to an attempt of a user to modify the data file, retrieving the information of the component from the link constraint data and the information of the person from the alert data; and sending a notice of the attempt to at least one of the person and the user.
  Type: Grant
  Filed: December 28, 2015
  Date of Patent: April 21, 2020
  Assignee: QUEST SOFTWARE INC.
  Inventors: Lin Jun Qian, Ah Kioon Mary Cindy, Guoxiong Wu
- Patent number: 10628589
  Abstract: Methods, systems, and computer readable media for preventing code reuse attacks are disclosed. According to one method, the method includes executing, on a processor, code in a memory page related to an application, wherein the memory page is protected. The method also includes detecting a read request associated with the code. The method further includes after detecting the read request, modifying, without using a hypervisor, at least one memory permission associated with the memory page such that the code is no longer executable after the code is read.
  Type: Grant
  Filed: January 23, 2017
  Date of Patent: April 21, 2020
  Assignees: THE UNIVERSITY OF NORTH CAROLINA AT CHAPEL HILL, THE RESEARCH FOUNDATION FOR THE STATE UNIVERSITY OF NEW YORK
  Inventors: Jan Jakub Werner, Kevin Zachary Snow, Nathan Michael Otterness, Robert John Dallara, Georgios Baltas, Fabian Newman Monrose, Michalis Polychronakis
-
Patent number: 10623418
Abstract: A method for implementing an Internet of Things security appliance is presented. The method may include intercepting a data packet sent from a server to a client computing device. The method may include performing a security check on the data packet using security modules. The method may include determining the data packet is not malicious based on the security check. The method may include determining a shadow tester to test the data packet based on a type associated with the client computing device. The method may include creating a virtualization environment of the client computing device using the shadow tester. The method may include analyzing behaviors associated with the data packet within the virtualization environment using detection modules. The method may include determining the behaviors do not violate a behavior policy associated with the client computing device. The method may include transmitting the data packet to the client computing device.
Type: Grant
Filed: September 12, 2018
Date of Patent: April 14, 2020
Assignee: International Business Machines Corporation
Inventors: KuoChun Chen, Sheng-Tung Hsu, Jia-Sian Jhang, Chun-Shuo Lin
-
Patent number: 10621360
Abstract: Mechanisms are provided for correlating security vulnerability detection across multiple applications. The mechanisms perform a security vulnerability analysis of first source code of a first application, and identify, based on results of the security vulnerability analysis, a security vulnerability in a first portion of the first source code. The mechanisms associate characteristics of the security vulnerability with the first portion, and correlate the characteristics of the security vulnerability with second source code of a second application based on the association of the characteristics of the security vulnerability with the first portion. In addition, the mechanisms generate an output to a computing device of a consumer or contributor associated with the second source code identifying a presence of the security vulnerability in the second source code based on the correlation.
Type: Grant
Filed: January 30, 2019
Date of Patent: April 14, 2020
Assignee: International Business Machines Corporation
Inventors: Elizabeth A. Holz, Iosif V. Onut, Joni E. Saylor, Hyun Kyu Seo, Ronald B. Williams
-
Patent number: 10621339
Abstract: A monitor apparatus, method, and non-transitory computer readable storage medium thereof are provided. The monitor method is adapted for an electronic computing apparatus, wherein the electronic computing apparatus stores a smart contract and a blockchain ledger of a blockchain system. The monitor method periodically executes the following steps: (a) obtaining a piece of behavior information of a first electronic apparatus at a time point, (b) retrieving, via the smart contract, a plurality of pieces of previous behavior information within a time interval from the blockchain ledger, wherein the time interval is defined by the time point, and each piece of previous behavior information corresponds to one of a plurality of second electronic apparatuses and the first electronic apparatus, (c) determining a legality of the piece of behavior information according to the pieces of previous behavior information, and (d) writing the behavior information into the blockchain ledger.
Type: Grant
Filed: December 12, 2017
Date of Patent: April 14, 2020
Assignee: Institute For Information Industry
Inventors: Jian-Wei Liao, Chin-Wei Tien, Chia-Kang Ho
-
Patent number: 10621349
Abstract: Data is analyzed using feature hashing to detect malware. A plurality of features in a feature set is hashed. The feature set is generated from a sample. The sample includes at least a portion of a file. Based on the hashing, one or more hashed features are indexed to generate an index vector. Each hashed feature corresponds to an index in the index vector. Using the index vector, a training dataset is generated. Using the training dataset, a machine learning model for identifying at least one file having malicious code is trained.
Type: Grant
Filed: January 17, 2018
Date of Patent: April 14, 2020
Assignee: Cylance Inc.
Inventor: Andrew Davis
-
Patent number: 10621359
Abstract: Mechanisms are provided for correlating security vulnerability detection across multiple applications. The mechanisms perform a security vulnerability analysis of first source code of a first application, and identify, based on results of the security vulnerability analysis, a security vulnerability in a first portion of the first source code. The mechanisms associate characteristics of the security vulnerability with the first portion, and correlate the characteristics of the security vulnerability with second source code of a second application based on the association of the characteristics of the security vulnerability with the first portion. In addition, the mechanisms generate an output to a computing device of a consumer or contributor associated with the second source code identifying a presence of the security vulnerability in the second source code based on the correlation.
Type: Grant
Filed: January 30, 2019
Date of Patent: April 14, 2020
Assignee: International Business Machines Corporation
Inventors: Elizabeth A. Holz, Iosif V. Onut, Joni E. Saylor, Hyun Kyu Seo, Ronald B. Williams
-
Patent number: 10621361
Abstract: Mechanisms are provided for correlating security vulnerability detection across multiple applications. The mechanisms perform a security vulnerability analysis of first source code of a first application, and identify, based on results of the security vulnerability analysis, a security vulnerability in a first portion of the first source code. The mechanisms associate characteristics of the security vulnerability with the first portion, and correlate the characteristics of the security vulnerability with second source code of a second application based on the association of the characteristics of the security vulnerability with the first portion. In addition, the mechanisms generate an output to a computing device of a consumer or contributor associated with the second source code identifying a presence of the security vulnerability in the second source code based on the correlation.
Type: Grant
Filed: January 30, 2019
Date of Patent: April 14, 2020
Assignee: International Business Machines Corporation
Inventors: Elizabeth A. Holz, Iosif V. Onut, Joni E. Saylor, Hyun Kyu Seo, Ronald B. Williams
-
Patent number: 10621179
Abstract: One or more embodiments provide techniques for analyzing telemetry data. A telemetry agent collects streams of raw telemetry data from the web client. The telemetry data includes obfuscated strings. For each obfuscated string, a mapping program references a database associating the obfuscated string to attributes of a properties file of the web client. The attributes include at least the deobfuscated string corresponding to the obfuscated string. An analytics agent translates the streams of raw telemetry data to streams of modified telemetry data. The streams of modified telemetry data include the deobfuscated strings from the attributes corresponding to the properties file. The analytics agent analyzes the streams of modified telemetry data.
Type: Grant
Filed: July 18, 2017
Date of Patent: April 14, 2020
Assignee: VMWARE, INC.
Inventors: Vasil Chomakov, Stanislav Hadjiiski
-
Patent number: 10614222
Abstract: Systems, devices, and methods of an automatic attack testing framework for the security testing of an operational service are disclosed. In an example, such systems, devices, and methods may include operations that: deploy command instructions and a payload for a bot process to a computing device located within a target infrastructure, with the command instructions being selected based on criteria to test a security feature in the target infrastructure with an automated attack action in the bot process, and with the bot process being executed on the computing device and being started with use of the command instructions and the payload; communicate with the computing device to control the automated attack action within the target infrastructure, such that the automated attack action is performed within the bot process; and obtain results of the automated attack action performed within the bot process from the computing device.
Type: Grant
Filed: February 21, 2017
Date of Patent: April 7, 2020
Assignee: Microsoft Technology Licensing, LLC
Inventors: Benjamin J. Godard, Art Sadovsky, Travis W. Rhodes, David A. Marshall, Richard A. Lundeen
-
Patent number: 10614210
Abstract: Provided herein are systems and methods for protecting data from injected malware. In some embodiments, a virtual memory validator may execute in user mode memory space on a computing device. The virtual memory validator may monitor an execution stack of an executing thread of a process. The virtual memory validator may identify a memory address referenced in the execution stack, responsive to the process attempting to access a protected resource. The virtual memory validator may determine that the memory address refers to a memory region that is designated as executable. The virtual memory validator may determine that the memory address is outside memory regions identified in a memory range map. The virtual memory validator may, responsive to the determination, identify the process as a potential malware process.
Type: Grant
Filed: July 29, 2016
Date of Patent: April 7, 2020
Assignee: Digital Guardian, Inc.
Inventor: Dwayne A. Carson
-
Patent number: 10606991
Abstract: A user-centric cyber security system, comprising: a plurality of DAAs (Data Acquisition Agents) configured to collect data from a plurality of a user's OSPs (Online Service Providers) and from a plurality of user devices; and a system server communicating with said plurality of DAAs, said system server configured to receive said collected data from said plurality of DAAs, analyze said data for threats to said user, alert said user accordingly, receive feedback from said user regarding said alert, and improve said threat analysis using said user's feedback.
Type: Grant
Filed: May 29, 2017
Date of Patent: March 31, 2020
Assignee: Logdog Information Security Ltd.
Inventors: Uri Brison, Shlomi Cohen, Alon Keren, Omri Topol
-
Patent number: 10602023
Abstract: A document state management system includes circuitry configured to receive registration of a document, and a memory to store first information and second information. The first information retains identification information of the document in association with a document state relating to the document. The second information retains tracing data for tracing the document state of the document in association with the identification information of the document. The circuitry records the tracing data in a medium and outputs the medium. The circuitry acquires the tracing data from the medium. The circuitry acquires, from the second information, the identification information of the document associated with the tracing data acquired from the medium. The circuitry acquires, from the first information, the document state of the document associated with the identification information of the document acquired from the second information. The circuitry outputs the document state acquired from the first information.
Type: Grant
Filed: October 5, 2018
Date of Patent: March 24, 2020
Assignee: Ricoh Company, Ltd.
Inventor: Takao Okamura
-
Patent number: 10601857
Abstract: A method and system of identifying technical experts for an identified vulnerability is provided. One or more technical experts for each of one or more categories of the vulnerability are identified. Questions are sent to and answers are received from the one or more identified technical experts for each of the one or more categories of vulnerabilities, via a chatbot module. Answers to parameters that are missing for a Common Vulnerability Scoring System (CVSS) for the identified vulnerability are determined from the received answers to the parameters. The answers to the parameters are validated and a CVSS score is calculated based on the validated determined answers.
Type: Grant
Filed: November 28, 2017
Date of Patent: March 24, 2020
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Muhammed Fatih Bulut, Lisa Chavez, Jinho Hwang, Virginia Mayo, Maja Vukovic, Sai Zeng
-
Patent number: 10601846
Abstract: Methods and systems for neutralizing malicious locators. Threat actors may shut down their web pages or applications (i.e., resources) that serve malicious content upon receiving request(s) configured to be perceived by the resource as non-browser requests. Therefore, initiating (large-scale) non-browser requests, or requests that are at least perceived as non-browser requests, may effectively act to inhibit, or even nullify, intended attack vectors.
Type: Grant
Filed: December 31, 2018
Date of Patent: March 24, 2020
Assignee: Rapid7, Inc.
Inventors: Roy Hodgman, Aditya Kuppa, Suchin Gururangan, Andrew Reece
-
Patent number: 10594707
Abstract: The disclosure relates to detection of malicious network communications. In one embodiment, a method for identifying malicious encrypted network traffic associated with a malware software component communicating via a network is disclosed. The method includes training a neural network based on images for extracted portions of network traffic such that subsequent network traffic can be classified by the neural network to identify malicious network traffic associated with malware based on an image generated to represent a defined portion of the subsequent network traffic.
Type: Grant
Filed: March 15, 2016
Date of Patent: March 17, 2020
Assignee: British Telecommunications Public Limited Company
Inventors: Fadi El-Moussa, Ben Azvine, George Kallos