Virus Detection Patents (Class 726/24)
  • Patent number: 10218726
    Abstract: In one embodiment, a networking device in a network causes formation of device clusters of devices in the network. The devices in a particular cluster exhibit similar characteristics. The networking device receives feedback from a device identity service regarding the device clusters. The feedback is based in part on the device identity service probing the devices. The networking device adjusts the device clusters based on the feedback from the device identity service. The networking device performs anomaly detection in the network using the adjusted device clusters.
    Type: Grant
    Filed: June 13, 2016
    Date of Patent: February 26, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Jean-Philippe Vasseur, Grégory Mermoud, Pierre-André Savalle, Andrea Di Pietro, Sukrit Dasgupta
  • Patent number: 10216718
    Abstract: A method for maintaining conversational cadence may include determining, by a processor, a conversational cadence associated with a user in a social network. The conversational cadence may be determined based on a plurality of messages previously transmitted by the user. The method may also include detecting, by the processor, a reduction in the conversational cadence of the user. The method may further include providing, by the processor, a set of fill-in messages that create an appearance to another user in the social network that there is no reduction in the conversational cadence.
    Type: Grant
    Filed: January 25, 2017
    Date of Patent: February 26, 2019
    Assignee: International Business Machines Corporation
    Inventors: Paul R. Bastide, Matthew E. Broomhall, Robert E. Loredo
  • Patent number: 10218741
Abstract: Provided are systems, methods, and computer program products for a cyber-vaccination technique. In various implementations, the cyber-vaccination technique includes using a network device that is infected by a malware program to determine a marker generated by the malware program. The marker may indicate to the malware program that the network device has been infected by the malware program. Determining the marker can include identifying a placement of the marker on the network device. The technique further includes identifying one or more other network devices that have not previously been infected by the malware program. The technique further includes automatically distributing copies of the marker. When a copy of the marker is received at one of the previously identified, uninfected network devices, the identified network device can place the marker on the identified network device according to the identified placement.
    Type: Grant
    Filed: March 23, 2017
    Date of Patent: February 26, 2019
    Assignee: ACALVIO TECHNOLOGIES, INC.
    Inventor: Rajendra A. Gopalakrishna
  • Patent number: 10212186
    Abstract: The disclosure is directed towards systems and methods for improving security in a computer network. The system can include a planner and a plurality of controllers. The controllers can be deployed within each zone of the production network. Each controller can be configured to assume the role of an attacker or a target for malicious network traffic. Simulations of malicious behavior can be performed by the controllers within the production network, and can therefore account for the complexities of the production network, such as stateful connections through switches, routers, and other intermediary devices. In some implementations, the planner can analyze data received from the controllers to provide a holistic analysis of the overall security posture of the production network.
    Type: Grant
    Filed: February 24, 2017
    Date of Patent: February 19, 2019
    Assignee: VERODIN, INC.
    Inventors: Christopher B. Key, Paul E. Holzberger, Jr.
  • Patent number: 10210332
    Abstract: A security device may receive actual behavior information associated with an object. The actual behavior information may identify a first set of behaviors associated with executing the object in a live environment. The security device may determine test behavior information associated with the object. The test behavior information may identify a second set of behaviors associated with testing the object in a test environment. The security device may compare the first set of behaviors and the second set of behaviors to determine a difference between the first set of behaviors and the second set of behaviors. The security device may identify whether the object is an evasive malicious object based on the difference between the first set of behaviors and the second set of behaviors. The security device may provide an indication of whether the object is an evasive malicious object.
    Type: Grant
    Filed: March 15, 2018
    Date of Patent: February 19, 2019
    Assignee: Juniper Networks, Inc.
    Inventors: Kyle Adams, Daniel J. Quinlan
  • Patent number: 10204226
    Abstract: According to some embodiments, a threat detection model creation computer may receive a series of normal monitoring node values (representing normal operation of the industrial asset control system) and generate a set of normal feature vectors. The threat detection model creation computer may also receive a series of threatened monitoring node values (representing a threatened operation of the industrial asset control system) and generate a set of threatened feature vectors. At least one potential decision boundary for a threat detection model may be calculated based on the set of normal feature vectors, the set of threatened feature vectors, and an initial algorithm parameter. A performance of the at least one potential decision boundary may be evaluated based on a performance metric. The initial algorithm parameter may then be tuned based on a result of the evaluation, and the at least one potential decision boundary may be re-calculated.
    Type: Grant
    Filed: December 7, 2016
    Date of Patent: February 12, 2019
    Assignee: GENERAL ELECTRIC COMPANY
    Inventors: Cody Joe Bushey, Lalit Keshav Mestha, Justin Varkey John, Daniel Francis Holzhauer
  • Patent number: 10200383
    Abstract: Methods and systems for neutralizing malicious locators. Threat actors may shut down their web pages or applications (i.e., resources) that serve malicious content upon receiving request(s) configured to be perceived by the resource as non-browser requests. Therefore, initiating (large-scale) non-browser requests, or requests that are at least perceived as non-browser requests, may effectively act to inhibit, or even nullify, intended attack vectors.
    Type: Grant
    Filed: June 29, 2016
    Date of Patent: February 5, 2019
    Assignee: Rapid7, Inc.
    Inventors: Roy Hodgman, Aditya Kuppa, Suchin Gururangan, Andrew Reece
  • Patent number: 10198576
Abstract: Systems and methods identify potentially mislabeled file samples. A graph is created from a plurality of sample files. The graph includes nodes associated with the sample files and behavior nodes associated with behavior signatures. Phantom nodes are created in the graph for those sample files having a known label. During a label propagation operation, a node receives data indicating a label distribution of a neighbor node in the graph. In response to determining that the current label for the node is known, a neighborhood opinion is determined for the associated phantom node, based at least in part on the label distribution of the neighboring nodes. After the label propagation operation has completed, differences between the neighborhood opinion and the current label distribution for nodes are determined. If the difference exceeds a threshold, then the current label may be incorrect.
    Type: Grant
    Filed: December 9, 2016
    Date of Patent: February 5, 2019
    Assignees: AVAST SOFTWARE S.R.O., USTAV INFORMATIKY AV CR, V.V.I.
    Inventor: Martin Vejmelka
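The propagation step of the preceding abstract, as an added example by the editor rather than code from the patent or from Avast: sample nodes connect to the behaviour signatures they triggered, labelled samples stay clamped to their known label while a phantom node records what their neighbourhood thinks, and after propagation the phantom opinion is compared with the clamped label. The sample set, behaviour names, labels, the total-variation distance and the 0.7 threshold are all constructed assumptions; the self-exclusion when computing a node's neighbourhood opinion is the editor's choice, not something the abstract specifies.

```python
"""Label-propagation check for mislabelled malware samples (editor's example)."""
from collections import defaultdict

LABELS = ("clean", "malware")

# Constructed toy data (assumption): each sample file and the behaviour
# signatures it triggered in a sandbox. s6 is deliberately labelled "clean"
# although it shares every behaviour with the known-malicious sample s1.
SAMPLE_BEHAVIOURS = {
    "s1": {"drops_exe_in_temp", "modifies_run_key", "contacts_c2"},
    "s2": {"modifies_run_key", "contacts_c2", "disables_av"},
    "s3": {"reads_config", "writes_log"},
    "s4": {"reads_config", "writes_log", "opens_listen_port"},
    "s5": {"contacts_c2", "disables_av"},                           # unlabelled
    "s6": {"drops_exe_in_temp", "modifies_run_key", "contacts_c2"},  # mislabelled
}
KNOWN_LABELS = {"s1": "malware", "s2": "malware",
                "s3": "clean", "s4": "clean", "s6": "clean"}


def _one_hot(label):
    return {l: (1.0 if l == label else 0.0) for l in LABELS}


def _mean(dists):
    n = len(dists)
    return {l: sum(d[l] for d in dists) / n for l in LABELS}


def propagate(sample_behaviours, known_labels, iterations=20):
    """Return (label distribution per sample, neighbourhood opinion per phantom node)."""
    behaviour_samples = defaultdict(set)
    for s, behaviours in sample_behaviours.items():
        for b in behaviours:
            behaviour_samples[b].add(s)

    uniform = {l: 1.0 / len(LABELS) for l in LABELS}
    # Labelled samples are clamped to their known label; the rest start uniform.
    dist = {s: (_one_hot(known_labels[s]) if s in known_labels else dict(uniform))
            for s in sample_behaviours}
    # One phantom node per labelled sample holds what its neighbourhood thinks.
    phantom = {s: dict(uniform) for s in known_labels}

    for _ in range(iterations):
        new_dist = dict(dist)
        for s, behaviours in sample_behaviours.items():
            per_behaviour = []
            for b in behaviours:
                others = behaviour_samples[b] - {s}   # leave the node's own label out
                if others:
                    per_behaviour.append(_mean([dist[o] for o in others]))
            if not per_behaviour:
                continue
            opinion = _mean(per_behaviour)
            if s in known_labels:
                phantom[s] = opinion      # clamped label is untouched
            else:
                new_dist[s] = opinion     # unlabelled node adopts the opinion
        dist = new_dist
    return dist, phantom


def suspect_mislabelled(sample_behaviours, known_labels, threshold=0.7):
    """Labelled samples whose clamped label disagrees with the neighbourhood opinion."""
    dist, phantom = propagate(sample_behaviours, known_labels)
    flagged = {}
    for s, opinion in phantom.items():
        # total variation distance between the clamped label and the opinion
        tv = 0.5 * sum(abs(opinion[l] - dist[s][l]) for l in LABELS)
        if tv > threshold:
            flagged[s] = round(tv, 3)
    return flagged


if __name__ == "__main__":
    print(suspect_mislabelled(SAMPLE_BEHAVIOURS, KNOWN_LABELS))
```

With this data only s6 crosses the threshold: its neighbourhood opinion is about 0.98 malware against a clamped "clean" label, whereas s1, whose neighbourhood is dragged down by the mislabelled s6, stays under 0.7. The threshold therefore matters: a lower one would also question s1, which is the kind of collateral doubt a review queue has to absorb.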
  • Patent number: 10198734
    Abstract: A computer-implemented method includes generating an emulated view of an advertisement; determining, based on the emulated view, one or more elements associated with the advertisement; comparing the one or more elements to one or more criteria associated with an advertisement marketplace; and determining, based on comparing, whether the advertisement complies with the one or more criteria.
    Type: Grant
    Filed: September 1, 2010
    Date of Patent: February 5, 2019
    Assignee: Google LLC
    Inventors: Eyal Manor, Ola Abiri
  • Patent number: 10192052
    Abstract: According to one embodiment, a computerized method comprises conducting a first static scan on content within a file. Thereafter, if the first static scan did not result in the file being classified as malicious, the file is deconstructed to gain access to one or more objects within the file. A second static scan associated with the one or more objects is performed to determine whether the one or more objects are suspected of including malware. The file may then be classified as malicious based on results of the second static scan.
    Type: Grant
    Filed: September 30, 2013
    Date of Patent: January 29, 2019
    Assignee: FireEye, Inc.
    Inventors: Abhishek Singh, Yichong Lin, Angshuman Mukherjee, Zheng Bu
  • Patent number: 10193918
    Abstract: An anti-malware application analyzes behavior of an executing process to identify ransomware. The anti-malware application detects an untrusted process requesting enumeration of a directory of user files and causes the untrusted process to initially operate on a decoy file that mimics the user files. If the behavior of the untrusted process with respect to the decoy file is indicative of ransomware, the process can be terminated without loss of the user files. The decoy file may be deployed in a way that is undetectable to the user.
    Type: Grant
    Filed: March 28, 2018
    Date of Patent: January 29, 2019
    Assignee: Malwarebytes Inc.
    Inventors: Mark William Patton, Nathan Scott, Ramon Royo Gutierrez, Sherab Giovannini
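The decoy idea in the preceding abstract, as an added example by the editor rather than code from the patent or from Malwarebytes: a low-entropy decoy document is planted, an untrusted process is run over it, and the decoy is then inspected. Overwriting it with ciphertext-like data, or renaming or deleting it, is treated as ransomware-like; merely reading it is not. The decoy name, the entropy threshold of 7.0 bits per byte, the stand-in "processes" and the use of a directory that holds only the decoy (in place of the interception step that would serve the decoy before the real user files) are all constructed assumptions.

```python
"""Decoy-file check for ransomware-like behaviour (editor's example)."""
import hashlib
import math
import os
import tempfile
from collections import Counter

# Assumption: a name that sorts first in a directory listing, so an enumerating
# process meets the decoy before any real user file.
DECOY_NAME = "!budget_2019.docx"


def shannon_entropy(data):
    """Bits per byte: roughly 4 for English text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def plant_decoy(directory):
    """Write a low-entropy decoy that mimics a user document; return path and digest."""
    body = ("Quarterly budget draft: revenue, expenses, headcount.\n" * 60).encode()
    path = os.path.join(directory, DECOY_NAME)
    with open(path, "wb") as fh:
        fh.write(body)
    return path, hashlib.sha256(body).hexdigest()


def inspect_decoy(path, expected_digest, entropy_threshold=7.0):
    """Classify what the untrusted process did to the decoy."""
    if not os.path.exists(path):
        return "renamed_or_deleted"     # e.g. renamed to a new extension
    with open(path, "rb") as fh:
        data = fh.read()
    if hashlib.sha256(data).hexdigest() == expected_digest:
        return "untouched"
    if shannon_entropy(data) >= entropy_threshold:
        return "encrypted"              # overwritten with ciphertext-like bytes
    return "modified"


def simulated_ransomware(directory):
    """Constructed stand-in for an untrusted process: encrypts every file it enumerates."""
    key = b"constructed-demo-key"
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        with open(path, "rb") as fh:
            plain = fh.read()
        blocks = (len(plain) + 31) // 32
        # SHA-256 in counter mode as a keystream, purely for the demonstration
        stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                          for i in range(blocks))
        with open(path, "wb") as fh:
            fh.write(bytes(a ^ b for a, b in zip(plain, stream)))


def simulated_benign(directory):
    """Constructed benign process: reads files and leaves them alone."""
    for name in os.listdir(directory):
        with open(os.path.join(directory, name), "rb") as fh:
            fh.read()


def run_trial(process):
    """Plant a decoy, let the process run over it, report the verdict."""
    with tempfile.TemporaryDirectory() as directory:
        path, digest = plant_decoy(directory)
        process(directory)
        verdict = inspect_decoy(path, digest)
    return verdict


if __name__ == "__main__":
    print("ransomware:", run_trial(simulated_ransomware))
    print("benign:", run_trial(simulated_benign))
```

The entropy test is the weak point of any such check: a ransomware family that writes compressible or partially encrypted output, or that only encrypts file headers, will land in "modified" rather than "encrypted", so a real deployment combines the decoy verdict with the rename and delete signals and with the order in which files were opened.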
  • Patent number: 10193915
    Abstract: Disclosed are systems and methods for improving interactions with and between computers in content searching, generating, hosting and/or providing systems supported by or configured with personal computing devices, servers and/or platforms. The systems interact to identify and retrieve data within or across platforms, which can be used to improve the quality of data used in processing interactions between or among processors in such systems. The disclosed systems and methods provide a novel clustering framework applied on datasets of network interactions to automatically identify IP clusters carrying out a specific task(s) based on an IP blacklist. The disclosed systems and methods can analyze network activity of devices associated with the IP addresses, and/or the IP addresses themselves, and perform an automatic, on-the-spot analysis that results in a determination whether the activity is permitted on or over a network.
    Type: Grant
    Filed: September 30, 2016
    Date of Patent: January 29, 2019
    Assignee: OATH INC.
    Inventor: Baris Coskun
  • Patent number: 10193921
Abstract: Aspects of the present disclosure involve systems and methods for computing devices to access a public network posing as a user to the network to detect one or more malware programs available for downloading through the network. More particularly, a malware detection control system utilizes a browser executed on a computing device to access a public network, such as the Internet. Through the browser, sites or nodes of the public network are accessed by the control system with the interactions with the sites of the public network designed to mimic or approximate a human user of the browser. More particularly, the control system may apply the one or more personality profiles to the browser of the computing device to access and interact with the nodes of the public network. Further, the control system may monitor the information retrieved from the network sites to detect the presence of malware within the nodes.
    Type: Grant
    Filed: February 9, 2017
    Date of Patent: January 29, 2019
    Assignee: Level 3 Communications, LLC
    Inventor: Skyler J. Bingham
  • Patent number: 10185761
Abstract: Techniques are provided herein for classifying domains based on DNS traffic so that domains that are malicious or associated with malicious activity can be identified. Traffic between one or more domain name system (DNS) resolvers and one or more authoritative name servers hosted on the Internet is analyzed at a server having network connectivity. A mismatch between a hostname and Internet Protocol (IP) information for the hostname is detected in the traffic and domains included in the traffic are classified based on the detecting.
    Type: Grant
    Filed: August 2, 2016
    Date of Patent: January 22, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Dhia Mahjoub, Thomas M. Mathew
  • Patent number: 10185826
    Abstract: Client devices detect malware based on a ruleset received from a security server. To evaluate a current ruleset, an administrative client device initiates a ruleset evaluation of the malware detection ruleset. A security server partitions stored malware samples into a group of evaluation lists based on an evaluation policy. The security server then creates scanning nodes on an evaluation server according to the evaluation policy. The scanning nodes scan the malware samples of the evaluation lists using the rulesets and associate each malware sample with a rule of the ruleset based on the detections, if any. The security server analyzes the associations and optimizes the ruleset and stored malware samples. The security server sends the optimized ruleset to client devices such that they more efficiently detect malware samples.
    Type: Grant
    Filed: March 20, 2018
    Date of Patent: January 22, 2019
    Assignee: MALWAREBYTES INC.
    Inventors: Sunil Mathew Thomas, Michael Graham Malone
  • Patent number: 10185823
    Abstract: Technologies are described herein for examining memory data of execution environments to identify potential anomalies. An execution environment is identified as having a potential anomaly. The memory data associated with the execution environment is identified as having a potential anomaly. Checksums may be generated for the identified memory and for memory associated with other execution environments. Execution environments may be identified as having potential anomalies based, at least in part, on a commonality of the memory data of the execution environment that is identified as a having a potential anomaly with the memory data of another execution environment. Different actions may be performed on the execution environments that are identified as having a potential anomaly.
    Type: Grant
    Filed: November 18, 2014
    Date of Patent: January 22, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Eden Grail Adogla, Brijesh Singh
  • Patent number: 10187401
    Abstract: In one embodiment, a method includes receiving packet flow data at a feature extraction hierarchy comprising a plurality of levels, each of the levels comprising a set of feature extraction functions, computing a first set of feature vectors for the packet flow data at a first level of the feature extraction hierarchy, inputting the first set of feature vectors from the first level of the feature extraction hierarchy into a second level of the feature extraction hierarchy to compute a second set of feature vectors, and transmitting a final feature vector to a classifier to identify malicious traffic. An apparatus and logic are also disclosed herein.
    Type: Grant
    Filed: November 6, 2015
    Date of Patent: January 22, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Lukas Machlica, Michal Sofka
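The two-level hierarchy of the preceding abstract, as an added example by the editor rather than code from the patent or from Cisco: level one computes per-flow features, level two consumes those vectors grouped by source and destination host and computes aggregates, and the final vector goes to a classifier. The flow records, the particular feature functions, the beaconing-style rule used as the classifier and its parameters are constructed assumptions chosen to make the hierarchy visible; the abstract does not name any of them.

```python
"""Hierarchical feature extraction over flow records (editor's example)."""
import statistics
from collections import defaultdict

# Constructed flow records (assumption):
# (timestamp in s, src host, dst host, dst port, bytes sent, bytes received)
FLOWS = [
    # beacon-like: same destination every ~60 s with near-identical sizes
    (0,   "10.0.0.5", "203.0.113.9", 443, 310, 120),
    (60,  "10.0.0.5", "203.0.113.9", 443, 310, 118),
    (121, "10.0.0.5", "203.0.113.9", 443, 312, 120),
    (180, "10.0.0.5", "203.0.113.9", 443, 309, 121),
    (241, "10.0.0.5", "203.0.113.9", 443, 310, 120),
    (300, "10.0.0.5", "203.0.113.9", 443, 311, 119),
    # ordinary browsing: irregular timing and sizes
    (5,   "10.0.0.7", "198.51.100.20", 443, 1200, 48000),
    (9,   "10.0.0.7", "198.51.100.20", 443, 400, 2300),
    (70,  "10.0.0.7", "198.51.100.20", 443, 2500, 150000),
    (400, "10.0.0.7", "198.51.100.20", 443, 900, 12000),
    (401, "10.0.0.7", "198.51.100.20", 443, 300, 900),
]


# Level 1: feature functions applied to a single flow record.
def f_bytes_out(flow):
    return float(flow[4])


def f_bytes_ratio(flow):
    return flow[4] / max(flow[5], 1)


def f_timestamp(flow):
    return float(flow[0])


LEVEL1 = {"bytes_out": f_bytes_out, "ratio": f_bytes_ratio, "ts": f_timestamp}


# Level 2: aggregate functions applied to the level-1 vectors of one (src, dst) pair.
def _cv(values):
    """Coefficient of variation; 0 when there is nothing to spread."""
    if len(values) < 2:
        return 0.0
    m = statistics.mean(values)
    return statistics.pstdev(values) / m if m else 0.0


def a_count(vecs):
    return float(len(vecs))


def a_size_cv(vecs):
    return _cv([v["bytes_out"] for v in vecs])


def a_interval_cv(vecs):
    ts = sorted(v["ts"] for v in vecs)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return _cv(gaps) if gaps else 0.0


LEVEL2 = {"count": a_count, "size_cv": a_size_cv, "interval_cv": a_interval_cv}


def extract(flows):
    """Run the hierarchy; return the final feature vector for every (src, dst) pair."""
    level1 = [{name: fn(flow) for name, fn in LEVEL1.items()} for flow in flows]
    groups = defaultdict(list)
    for flow, vec in zip(flows, level1):
        groups[(flow[1], flow[2])].append(vec)
    return {pair: {name: fn(vecs) for name, fn in LEVEL2.items()}
            for pair, vecs in groups.items()}


def classify(vector, min_flows=5, max_cv=0.15):
    """Toy classifier (assumption): periodic, uniform-size traffic is flagged."""
    return (vector["count"] >= min_flows
            and vector["size_cv"] <= max_cv
            and vector["interval_cv"] <= max_cv)


def suspicious_pairs(flows):
    return sorted(pair for pair, vec in extract(flows).items() if classify(vec))


if __name__ == "__main__":
    for pair, vec in extract(FLOWS).items():
        print(pair, {k: round(v, 3) for k, v in vec.items()}, classify(vec))
```

Adding a level is a matter of adding another dict of functions that consumes the previous level's vectors, which is the point of keeping each level as a set of independent feature functions rather than one monolithic extractor.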
  • Patent number: 10187410
    Abstract: Various embodiments described herein are directed to optimizing cloud computing infrastructures functionality based on an abuse prevention and remediation platform. A tenant profile may have a tenant confidence score for a tenant, the tenant confidence score being an indicator of the reputation of the tenant usage of cloud computing resources. Based on the confidence score of the tenant, one or more policies for the tenant may be identified limiting access to cloud computing resources. If the virtual internet protocol address (VIP) of the tenant is determined to be tainted, the VIP may be quarantined in a tainted VIP pool, the quarantining excluding the VIP from being selected for use until the VIP is clean. A cleanup routine may be executed, the cleanup routine communicating remedial actions for the tainted VIP. Upon completion of the cleanup routine, the VIP may be restored to a clean VIP pool.
    Type: Grant
    Filed: June 30, 2015
    Date of Patent: January 22, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Albert Greenberg, Deepak Bansal
  • Patent number: 10187417
Abstract: Processor(s) for detecting malicious software. A hardware virtual machine monitor (HVMM) operates under a host OS. Container(s) initialized with network application template(s) operate under a guest OS VM. A detection module operating under the guest OS VM includes a trigger detection module, a logging module and a container command module. The trigger detection module monitors activity on container(s) for a trigger event. The logging module writes activity report(s) in response to trigger event(s). The container command module issues command(s) in response to trigger event(s). The command(s) include container start, stop and revert commands. A virtual machine control console operates under the host OS and starts/stops the HVMM. A container control module operates under the guest OS VM and controls container(s) in response to the command(s). The server communication module sends activity report(s) to a central collection network appliance that maintains a repository of activities for infected devices.
    Type: Grant
    Filed: December 14, 2017
    Date of Patent: January 22, 2019
    Assignee: George Mason Research Foundation, Inc.
    Inventors: Anup Ghosh, Yih Huang, Jiang Wang, Angelos Stavrou
  • Patent number: 10181035
    Abstract: A system and method for .Net PE files malware detection is provided. The method may include accessing two or more portable executable (PE) files and detecting at least one identical global user identifier (GUID) attribute. In response to finding identical GUID attributes, the method may include clustering a group of files into family clusters each having the same GUID attribute. The method may generate and release a signature for the family cluster. An exoneration criteria level may be set in accordance with matching characteristics associated with an acceptable software standard for the computing system or network, such that when the exoneration criteria level is reached, the PE file is exonerated from being associated with PUA or malware. Until this criterion is met, the PE file will be identified as PUA or malware. Additional GUID attributes may be identified as further proof that the PE file is polymorphic.
    Type: Grant
    Filed: June 16, 2016
    Date of Patent: January 15, 2019
    Assignee: SYMANTEC CORPORATION
    Inventors: Nitin Shekokar, Kishor Kumar
  • Patent number: 10181034
    Abstract: A virtual machine transmits local files to a secure virtual machine hosted by a hypervisor for malware detection. When malware is detected, the secure virtual machine can responsively provide remediation code to the virtual machine on a temporary basis so that the virtual machine can perform suitable remediation without a permanent increase in size of the virtual machine.
    Type: Grant
    Filed: February 12, 2016
    Date of Patent: January 15, 2019
    Assignee: Sophos Limited
    Inventors: Richard Barlow Harrison, Andrew Colin Piper, Mark Bond, Robert Allsworth, Kenneth D. Ray
  • Patent number: 10178107
    Abstract: In one embodiment, a security device identifies, from monitored network traffic of one or more users, one or more suspicious domain names as candidate domains, the one or more suspicious domain names identified based on an occurrence of linguistic units used in discovered domain names within the monitored network traffic. The security device may then determine one or more features of the candidate domains, and confirms certain domains of the candidate domains as malicious domains using a parameterized classifier against the one or more features.
    Type: Grant
    Filed: April 6, 2016
    Date of Patent: January 8, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Jiří Havelka, Michal Sofka, Martin Rehák
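The two-stage pipeline of the preceding abstract, as an added example by the editor rather than code from the patent or from Cisco: linguistic units are taken to be character trigrams (with boundary markers) counted over every non-TLD label seen in the traffic; a registered domain whose units are unusually rare in that traffic becomes a candidate; candidates are then run through a parameterized classifier over a few lexical features. The domain list, the use of trigrams, the "below corpus mean" candidate cutoff, the features, the treatment of "y" as a vowel, the hand-set weights and the absence of a public-suffix list are all constructed assumptions.

```python
"""Candidate domains from linguistic units, then a parameterized classifier (editor's example)."""
import math
from collections import Counter

# Constructed domains from monitored traffic (assumption). The last two are
# DGA-style names planted so the pipeline has something to pick out.
OBSERVED = [
    "www.google.com", "mail.google.com", "update.microsoft.com",
    "cdn.cloudflare.com", "static.example.org", "login.example.org",
    "cdn.example.org", "api.github.com", "docs.python.org",
    "xk3qzv9wbtq.info", "hqbzrtlwp.net",
]
VOWELS = set("aeiouy")   # assumption: 'y' counts as a vowel


def registered_domain(fqdn):
    # Assumption: no public-suffix list; the last two labels form the registered domain.
    return ".".join(fqdn.lower().split(".")[-2:])


def units(label, n=3):
    """Linguistic units: character n-grams with start/end markers."""
    s = "^" + label + "$"
    return [s[i:i + n] for i in range(len(s) - n + 1)]


def build_unit_model(domains):
    """Unit frequencies over every non-TLD label discovered in the traffic."""
    counts = Counter()
    for d in domains:
        for label in d.lower().split(".")[:-1]:
            counts.update(units(label))
    return counts


def unit_score(label, counts):
    """Mean add-one log-probability of the label's units; lower means rarer units."""
    total, vocab = sum(counts.values()), len(counts)
    us = units(label)
    return sum(math.log((counts[u] + 1) / (total + vocab)) for u in us) / len(us)


def candidates(domains):
    """Registered domains whose unit score falls below the corpus mean (assumption)."""
    counts = build_unit_model(domains)
    regs = sorted({registered_domain(d) for d in domains})
    scores = {r: unit_score(r.split(".")[0], counts) for r in regs}
    cutoff = sum(scores.values()) / len(scores)
    return [r for r in regs if scores[r] < cutoff]


def features(domain):
    """Lexical features of the registered label: digit ratio and longest consonant run."""
    label = domain.split(".")[0]
    run = longest = 0
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        longest = max(longest, run)
    return {"digit_ratio": sum(c.isdigit() for c in label) / len(label),
            "consonant_run": float(longest)}


# Assumption: hand-set linear weights standing in for a trained classifier.
DEFAULT_PARAMS = {"digit_ratio": 6.0, "consonant_run": 1.0, "bias": -4.0}


def classify(feat, params=DEFAULT_PARAMS):
    return sum(params[k] * v for k, v in feat.items()) + params["bias"] > 0


def confirm_malicious(domains, params=DEFAULT_PARAMS):
    return [d for d in candidates(domains) if classify(features(d), params)]


if __name__ == "__main__":
    print("candidates:", candidates(OBSERVED))
    print("confirmed:", confirm_malicious(OBSERVED))
```

The candidate stage deliberately over-selects: names such as github.com and microsoft.com, seen once, have units as rare as the planted DGA names and pass through to the classifier, which is what separates them. Because the unit model is built from the same traffic it scores, domains that appear often (google.com, example.org here) score well simply by repetition, so a popular malicious domain would need the classifier, not the candidate filter, to catch it.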
  • Patent number: 10162659
    Abstract: A method includes assigning unique guest identifications to different guests, specifying an address region and permissions for the different guests and controlling a guest jump from one physical memory segment to a second physical memory segment through operational permissions defined in a root memory management unit that supports guest isolation and protection.
    Type: Grant
    Filed: November 30, 2015
    Date of Patent: December 25, 2018
    Assignee: ARM Finance Overseas Limited
    Inventors: Sanjay Patel, Ranjit Joseph Rozario
  • Patent number: 10165001
Abstract: Techniques of scanning a set of files by a plurality of virus scanning modes are provided. The disclosed techniques include operating a first scan on a set of files according to a first virus scanning mode to identify a first target file and obtain a first scanning result; operating a second scan on files of the set of files other than the first target file according to a second virus scanning mode to identify a second target file and obtain a second scanning result; wherein the first scan according to the first virus scanning mode uses less system resources than the second scan according to the second virus scanning mode.
    Type: Grant
    Filed: September 21, 2015
    Date of Patent: December 25, 2018
    Assignee: Beijing Qihoo Technology Company Limited
    Inventors: Chongyang Xie, Min FU, Guiqiang Zou
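The two-mode arrangement of the preceding abstract, as an added example by the editor rather than code from the patent or from Qihoo: a cheap first mode (hash lookup against known-good and known-bad sets) settles what it can, and only the files it leaves undecided are handed to the expensive second mode (byte-signature search plus an entropy heuristic). The sample files, the hash sets derived from them, the marker string EVIL_SIG_42 and the 7.5-bit entropy threshold are all constructed assumptions; the byte count returned alongside the verdicts makes the resource saving concrete.

```python
"""Two-mode scan: cheap hash lookup first, content inspection only on the remainder (editor's example)."""
import hashlib
import math
from collections import Counter

# Constructed sample files (assumption): file name -> content bytes.
FILES = {
    "notepad.exe": b"MZ" + b"\x00" * 32 + b"benign editor body " * 8,
    "worm.exe":    b"MZ" + b"\x00" * 32 + b"self-replicating body " * 8,
    "invoice.pdf": b"%PDF-1.4 quarterly invoice, plain text body " * 6,
    "dropper.exe": b"MZ" + b"\x00" * 32 + b"loader " * 4 + b"EVIL_SIG_42" + b"\x00" * 16,
    "packed.bin":  bytes((i * 73 + 11) % 256 for i in range(4096)),  # every byte value equally often
}

# Mode 1 (cheap): hash lookups. The sets are constructed from the samples above;
# a real scanner would load them from a signature feed.
KNOWN_GOOD = {hashlib.sha256(FILES["notepad.exe"]).hexdigest()}
KNOWN_BAD = {hashlib.sha256(FILES["worm.exe"]).hexdigest()}

# Mode 2 (expensive): byte signatures plus an entropy heuristic for packed or
# encrypted payloads. "EVIL_SIG_42" is a constructed marker, not a real signature.
SIGNATURES = {b"EVIL_SIG_42": "Constructed.Dropper"}
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data):
    """Bits per byte of the content (8.0 means perfectly uniform)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_mode1(content):
    """Hash lookup only: 'clean', 'malicious' or None when undecided."""
    digest = hashlib.sha256(content).hexdigest()
    if digest in KNOWN_BAD:
        return "malicious"
    if digest in KNOWN_GOOD:
        return "clean"
    return None


def scan_mode2(content):
    """Full content inspection: signature match first, then entropy heuristic."""
    for pattern, name in SIGNATURES.items():
        if pattern in content:
            return "malicious:" + name
    if shannon_entropy(content) >= ENTROPY_THRESHOLD:
        return "suspicious:high-entropy"
    return "clean"


def scan_files(files):
    """Mode 1 over everything, mode 2 only over what mode 1 left undecided.

    Returns (verdicts, bytes inspected by mode 2) so the saving is visible."""
    verdicts = {}
    undecided = []
    for name, content in files.items():
        verdict = scan_mode1(content)
        if verdict is None:
            undecided.append(name)
        else:
            verdicts[name] = (verdict, "mode1")
    mode2_bytes = 0
    for name in undecided:
        content = files[name]
        mode2_bytes += len(content)
        verdicts[name] = (scan_mode2(content), "mode2")
    return verdicts, mode2_bytes


if __name__ == "__main__":
    verdicts, inspected = scan_files(FILES)
    for name, (verdict, mode) in verdicts.items():
        print(f"{name:12s} {verdict:26s} decided by {mode}")
    print("bytes read by mode 2:", inspected)
```

The ordering only pays off if mode 1 is both cheap and trustworthy: a hash hit in the known-good set short-circuits all further inspection, so that set has to come from a source an attacker cannot poison, and a file that is merely unknown must fall through to mode 2 rather than being treated as clean.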
  • Patent number: 10158665
Abstract: An anti-malware system including at least one database, remote from a plurality of computers to be protected, which stores identification of computer applications resident on the computers to be protected and an application-specific communications footprint for the computer applications, and at least one server, remote from the plurality of computers to be protected, and being operative to calculate a reference computer-specific communications composite pattern based on multiple application-specific communications footprints for applications installed on the computer to be protected, calculate a current computer-specific communications composite pattern based on actual communications of at least one of the plurality of computers to be protected, and provide an alert when the current computer-specific communications composite pattern of the at least one of the plurality of computers to be protected differs from the reference computer-specific communications composite pattern of the at least one of the plurality o
    Type: Grant
    Filed: March 31, 2016
    Date of Patent: December 18, 2018
    Assignee: CHECKPOINT MOBILE SECURITY LTD
    Inventors: Michael Shaulov, Ohad Bobrov
  • Patent number: 10142373
    Abstract: In an example, a security-connected platform is provided on a data exchange layer (DXL), which provides messaging on a publish-subscribe model. The DXL provides a plurality of DXL endpoints connected via DXL brokers. In one case, DXL endpoints designated as producers are authorized to produce certain types of messages, including security-related messages such as object reputations. Other DXL endpoints are designated as consumers of those messages. A domain master may also be provided, and may be configured to provide physical and logical location services via an asset management engine.
    Type: Grant
    Filed: September 28, 2014
    Date of Patent: November 27, 2018
    Assignee: McAfee, LLC
    Inventor: Ofir Arkin
  • Patent number: 10135853
Abstract: Disclosed are a system and method for detecting anomalous activity. The method includes collecting data from a plurality of data sources, wherein each data source generates a data stream; harmonizing each data stream using a computer processor so that the harmonized data is in a common format; generating behavior models based on the harmonized data using the computer processor; analyzing the harmonized data at a first level using the behavior models and the computer processor to generate meta-events, wherein the meta-events represent anomalous behavior; analyzing the meta-events at a second level using the computer processor to determine if an alert should be issued; and, when an alert should be issued, displaying the alert.
    Type: Grant
    Filed: September 20, 2016
    Date of Patent: November 20, 2018
    Assignee: Northrop Grumman Systems Corporation
    Inventors: Brock D. Bose, Bhargav R. Avasarala, Donald D. Steiner
  • Patent number: 10133863
    Abstract: A method for determining a zero-day attack by an electronic device is described. According to one embodiment, the method comprises instantiating, by the electronic device, at least one virtual machine, the at least one virtual machine being based on a fortified software profile. The method further comprises executing content capable of behaving as an exploit on the at least one virtual machine, and determining that the exploit is associated with zero-day exploit when the exploit, upon execution of the content on the at least one virtual machine, performs an undesired behavior.
    Type: Grant
    Filed: June 24, 2013
    Date of Patent: November 20, 2018
    Assignee: FireEye, Inc.
    Inventors: Zheng Bu, Yichong Lin
  • Patent number: 10133497
    Abstract: A method in a memory system having a security device and a serial external electrically erasable read-only memory (EEPROM) is disclosed. The method includes accepting N bits of a command prefix and matching the bits to command filtering rules. Upon matching the prefix to a command filtering rule, the method may perform a filter action associated with the matched rule. When the command prefix is for a destructive command prefix that can modify data in the EEPROM, the filter action may convert the command into a non-destructive command and inspect it for authentication. The converted command may be output to the external EEPROM without security processing in the security device and the external EEPROM may return read data without outputting. When the command prefix is for a non-destructive command prefix, the command may be allowed to pass through the external EEPROM unchanged without performing security processing in the security device.
    Type: Grant
    Filed: August 25, 2016
    Date of Patent: November 20, 2018
    Assignee: Google LLC
    Inventors: Benjamin Charles Serebrin, Timothy Chen, Scott Johnson
  • Patent number: 10135845
    Abstract: In an example, a context-aware network is disclosed, including threat intelligence services provided over a data exchange layer (DXL). The data exchange layer may be provided on an enterprise service bus, and may include services for classifying objects as malware or not malware. One or more DXL brokers may provide messaging services including, for example, publish-subscribe messaging and request-response messaging. Advantageously, DXL endpoint devices must make very few assumptions about other DXL endpoint devices.
    Type: Grant
    Filed: December 19, 2013
    Date of Patent: November 20, 2018
    Assignee: McAfee, LLC
    Inventors: Hemang Nadkarni, Sudeep Das
  • Patent number: 10127379
    Abstract: Technologies for securing an electronic device may include determining a plurality of rules, monitoring execution of the electronic device, generating a notification that one of the operations has occurred based upon the rules, and, based on the notification and the pattern of the operations, determining whether the operations are indicative of malware. The rules may include an identification of a plurality of entities of the electronic device to be monitored, an identification of one or more operations between the entities to be monitored, and an identification of a pattern of the operations to be monitored.
    Type: Grant
    Filed: March 13, 2013
    Date of Patent: November 13, 2018
    Assignee: McAfee, LLC
    Inventor: Igor Muttik
  • Patent number: 10122759
    Abstract: A novel security framework that is part of an operating system of a device is provided. The framework includes a security assessor that performs security policy assessments for different operations that need to be performed with respect to an application executing on the device. Examples of such operations include the installation of the application, execution of the application, and the opening of content files (e.g., opening of documents) by the application.
    Type: Grant
    Filed: August 14, 2015
    Date of Patent: November 6, 2018
    Assignee: APPLE INC.
    Inventors: Peter Kiehtreiber, Jacques A. Vidrine, Christopher S. Linn, Randy D. Saldinger, Braden J. Thomas
  • Patent number: 10122696
    Abstract: The technology described in this document can be embodied in a computer implemented method that includes receiving, at a processing device, information about one or more assets associated with a network of devices. The method also includes generating, for at least one of the assets, a security token that is based at least on a portion of the received information about the corresponding asset. The security token can be configured to identify a home network defined for the asset, and to restrict access to the corresponding asset upon detecting an occurrence of an unauthorized activity involving the asset. The method further includes storing, in a storage device, information about the security token and information linking the security token to the corresponding asset, and initiating integration of the security token with the corresponding asset.
    Type: Grant
    Filed: March 6, 2017
    Date of Patent: November 6, 2018
    Assignee: Document Dynamics, LLC
    Inventor: Robert G. Caffary, Jr.
  • Patent number: 10110618
    Abstract: The present disclosure relates to systems and methods for detecting malware. In some embodiments, a method may include detecting, via a processor, a user login event at an application; dynamically comparing, via the processor, the user login event with one or more expected behaviors associated with the application; and determining, via the processor, whether the application is potential malware based at least in part on a result of the comparing.
    Type: Grant
    Filed: January 28, 2016
    Date of Patent: October 23, 2018
    Assignee: Symantec Corporation
    Inventors: Jun Mao, Jinghao Li
  • Patent number: 10110589
    Abstract: A method for task access behavior based site security includes recording file accesses by an application and user during operation; automatically generating a permissions record indicating allowable access to files by the application and user based on the recorded file accesses; intercepting a file access request; comparing the file access request to a permissions record; and blocking access to the file when the file access is not included in the permissions record.
    Type: Grant
    Filed: July 7, 2016
    Date of Patent: October 23, 2018
    Assignee: SECUREWORKS CORP.
    Inventor: Steven Douglas Maurer
  • Patent number: 10110616
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for detecting suspicious users. One of the methods includes obtaining a collection of event logs or event feeds associated with a plurality of users to generate a collection of user properties; using the user properties to generate a plurality of groups of events; determining whether one or more groups are suspicious groups; and in response to a determination that one or more groups are suspicious, determining whether there are malicious accounts or events associated with each suspicious group.
    Type: Grant
    Filed: February 11, 2015
    Date of Patent: October 23, 2018
    Assignee: DataVisor Inc.
    Inventors: Yinglian Xie, Fang Yu
  • Patent number: 10103890
    Abstract: Disclosed is a method of evaluating membership in a membership set. The membership query system receives data to determine membership. A representative pattern is extracted from the data that may be of a predetermined length or of an arbitrary length. A learning mode of the membership query system defines the membership set as a membership signature. The membership query system then determines whether the representative pattern is a member of the membership signature by applying a membership function. In the context of cybersecurity, if the data is a member of a set of known good executable files, then the executable file may be allowed or installed. If the data is not a member of a set of known good executable files, then the file is flagged for further investigation.
    Type: Grant
    Filed: August 10, 2015
    Date of Patent: October 16, 2018
    Inventor: Haw-minn Lu
  • Patent number: 10095512
    Abstract: A program development support device for supporting development of a safety program to be executed in a safety controller includes: a development module that develops the safety program in response to user operation; a calculation module that calculates an identification value according to data of the developed safety program, in accordance with a function for calculating a random value with respect to an input; and an output module that outputs a document related to the safety program. The output module provides the identification value calculated by the calculation module to all pages of the document which are related to the safety program.
    Type: Grant
    Filed: January 17, 2017
    Date of Patent: October 9, 2018
    Assignee: OMRON CORPORATION
    Inventor: Nobuyuki Takuma
  • Patent number: 10095865
    Abstract: Disclosed are a system and method for protecting computers from unauthorized remote administration. One exemplary method includes: intercepting events occurring in the computer system including a first event and a second event associated with data transfer with an application executing in the computer system; determining that the first intercepted event is dependent on the second intercepted event based on parameters of the first intercepted event and the second intercepted event; generating a rule defining a dependency of at least one parameter of the first intercepted event on at least one parameter of the second intercepted event; responsive to determining a degree of similarity of the generated rule and a previously created rule exceeds a threshold value, identifying at least one application as a remote administration application that created the first and second identified intercepted events; and blocking the identified remote administration application from exchanging data with the computer system.
    Type: Grant
    Filed: October 16, 2017
    Date of Patent: October 9, 2018
    Assignee: AO KASPERSKY LAB
    Inventors: Maxim Y. Golovkin, Alexey M. Romanenko, Alexey V. Monastyrsky
  • Patent number: 10097569
    Abstract: An attack tracking system includes multiple hosts in which first event data concerning object behavior are collected and pieces of host-based event information are created therefrom; a tracking information database server storing the pieces of host-based event information; a tracking information analysis server creating behavior events by defining malware behavior from the pieces of host-based event information, retrieving targets to be analyzed from the pieces of host-based event information and the behavior events based on a preset input value, creating first tracking contexts for identifying the malware behavior by analyzing the relationship between the pieces of host-based event information and the relationship between a set of the pieces of host-based event information and a set of the behavior events, and creating second tracking contexts tracking malware routes and behavior events between the multiple hosts by analyzing the correlation between the first tracking contexts.
    Type: Grant
    Filed: September 23, 2016
    Date of Patent: October 9, 2018
    Assignee: AGENCY FOR DEFENSE DEVELOPMENT
    Inventors: Il-Hoon Jeong, Hwa-Seong Lee, Chang-Hee Choi, Ho-Sang Yun
  • Patent number: 10091223
    Abstract: The invention concerns a method for detecting anomalies in network traffic, said traffic being transmitted by a server (10) in response to requests from at least one client device (11), the method comprising: —a step (E10) of receiving a request, said request being of a given type, —a step (E11) of receiving a response to the request, —a step (E13) of constructing a current bit vector (VN), representative of the response, —a step (E17) of calculating a similarity index representative of a distance between the current bit vector and a model bit vector (Vmod) associated with the request type, —a step of checking (E18) that the similarity index (Isc) does not belong to a compliance interval (IC) calculated for the request type, an anomaly being detected when the similarity index does not belong to the compliance interval.
    Type: Grant
    Filed: September 25, 2014
    Date of Patent: October 2, 2018
    Assignee: Orange
    Inventors: Karel Mittig, Fabien Bignon
  • Patent number: 10089465
    Abstract: Described systems and methods allow protecting a computer system from malicious software. In some embodiments, a security application divides a set of monitored executable entities (e.g., processes) into a plurality of groups, wherein all members of a group are related by filiation or code injection. The security application may further associate a set of scores with each entity group. Such group scores may be incremented when a member of the respective group performs certain actions. Thus, even though actions performed by individual members may not be malware-indicative per se, the group score may capture collective malicious behavior and trigger malware detection. In some embodiments, group membership rules vary according to whether an entity is part of a selected subset of entities including certain OS processes, browsers and file managers. When an entity is determined to be malicious, anti-malware measures may be taken against a whole group of related entities.
    Type: Grant
    Filed: July 24, 2015
    Date of Patent: October 2, 2018
    Assignee: Bitdefender IPR Management Ltd.
    Inventors: Gheorghe F. Hajmasan, Radu M. Portase
  • Patent number: 10089261
    Abstract: An enterprise-wide data processing system includes at least one watchdog unit and/or software service that is configured to automatically detect an attempt to connect a dynamically connectable and disconnectable peripheral (DCP) such as a USB stick to a watchdog-watched Dynamic Connection-Making Mechanism (DCMM) of the system. The watchdog unit and/or software service is further configured to automatically determine if a type of the attempted connection is in accordance with at least one of a local list of connection permissions and connection rules, and, if not, to prevent an operatively effective connection from actually being made by way of the watchdog-watched DCMM. The system further includes a remotely modifiable storage storing the at least one of the local list of connection permissions and connection rules.
    Type: Grant
    Filed: March 11, 2016
    Date of Patent: October 2, 2018
    Assignee: CA, INC.
    Inventor: Serguei Mankovskii
  • Patent number: 10089458
    Abstract: Methods and systems are disclosed for opening unverified content in a separate, disposable virtualized environment using a temporary virtual machine (VM). In one example, the disclosed method includes intercepting a request to open/access unverified content from a third-party remote server, and comparing the particular information/attributes of the unverified content against predetermined criteria. Then, the user device may connect using a remote presentation protocol to the temporary VM in the separate, disposable environment such that the output of the unverified content may be transported to and displayed in the separate, disposable environment. The connection with the temporary VM may be terminated and the separate, disposable environment may be wiped clean to reduce the risk of malicious code in the unverified content.
    Type: Grant
    Filed: September 26, 2013
    Date of Patent: October 2, 2018
    Assignee: Citrix Systems, Inc.
    Inventors: Andrew Borzycki, Mallikharjuna Reddy Deva, Richard Croft, Hao Wang
  • Patent number: 10083301
    Abstract: A method of detecting malware present on a computer system. A set of applications is predefined as benign, and profiles are provided for respective benign applications. Each profile identifies one or more procedures known to be performed by the associated benign application, each procedure being identified by a characteristic action and one or more expected actions. Behavior of the computer system is monitored to detect performance, by a running application, of a characteristic action of a procedure of a benign application. Upon detection of performance of a characteristic action, the profile provided for the associated benign application is used to detect a deviation from the expected actions of the procedure; and the detection of a deviation is used to identify the running application as malicious or suspicious.
    Type: Grant
    Filed: November 28, 2016
    Date of Patent: September 25, 2018
    Assignee: F-Secure Corporation
    Inventor: Daavid Hentunen
  • Patent number: 10078752
    Abstract: A security system and method secures and responds to security threats in a computer having a CPU, a Kernel/OS, and software applications. A low-level data collector intercepts a selection of first tier calls between the CPU and Kernel/OS, and stores associated first tier call IDs. A Kernel module intercepts a selection of second tier calls between applications and the Kernel/OS, and stores associated second tier call IDs. An Analytic Engine maps the stored first and second tier call IDs to a rulebase containing patterns of security threats, to generate a threat analysis, and then responds to the threat analysis. The Analytic Engine enlarges or contracts the selection of first and second tier calls to increase or decrease specificity of the threat analysis. A Management Module generates user interfaces accessible remotely by a user device, to update the rulebase and configure the low-level collector, the Kernel module, and the Analytic Engine.
    Type: Grant
    Filed: December 23, 2017
    Date of Patent: September 18, 2018
    Assignee: BARKLY PROTECTS, INC.
    Inventors: Ryan J. Berg, John J. Danahy, Kirk R. Swidowski, Stephen C. Carlucci, Christopher Baron
  • Patent number: 10078459
    Abstract: A computer program product, system, and method for generating coded fragments comprises initializing historical I/O activity data structures and recent I/O activity data structures associated with a logical unit (LU) of storage; receiving an I/O request from a host, the I/O request associated with one or more chunks within the LU; adding metadata about the I/O request to the recent I/O activity data structures; generating a ransomware probability by comparing the recent I/O activity data structures to the historical I/O activity data structures; and if the ransomware probability exceeds a first threshold value, taking one or more first actions to mitigate the effects of ransomware within the host.
    Type: Grant
    Filed: September 26, 2016
    Date of Patent: September 18, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Assaf Natanzon, Philip Derbeko, Uriya Stern, Maya Bakshi, Yuri Manusov
  • Patent number: 10079799
    Abstract: In one embodiment, a caching resolver receives a name server query from an end device for an Internet Protocol (IP) address for a hostname, and determines whether the hostname requested is in an access control list (ACL). In response to the hostname being in the ACL, the caching resolver examines a received response to the name server query for the hostname, wherein the received response contains a particular IP address for the hostname, and adds the particular IP address for the hostname to the ACL. In one embodiment, the ACL is local to the caching resolver, while in another embodiment, adding the particular IP address for the hostname to the ACL comprises sending a message to a remote ACL-maintaining device that maintains the ACL.
    Type: Grant
    Filed: October 14, 2015
    Date of Patent: September 18, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Eliot Lear, James Bieda
  • Patent number: 10073970
    Abstract: A system and method for detecting reverse command shell intrusions at a process-level on a user device is disclosed. In one embodiment, the system detects each process starting on an operating system of the user device, such as a mobile phone or laptop computer, and monitors Application Programming Interface (API) calls between each process and the operating system. The system then determines whether each process is associated with a reverse command shell intrusion based on information associated with each process and/or the API calls, and executes security policies against the processes associated with the reverse command shell intrusion to remediate the processes. In another embodiment, the system determines whether processes starting on a user device are associated with a reverse command shell intrusion by monitoring and analyzing information associated with the parent process of each process and/or API calls between each parent process and the operating system.
    Type: Grant
    Filed: March 13, 2017
    Date of Patent: September 11, 2018
    Assignee: Carbon Black, Inc.
    Inventor: Jeffrey Albin Kraemer
  • Patent number: 10075415
    Abstract: In one embodiment, a processor-implemented method for controlling network traffic to and/or from at least one industrial machine, including: (a) receiving, as input, (i) a stored policy object in language form defining at least one desired behavior and/or operational constraint for the at least one industrial machine, and (ii) a stored machine profile defining an association between the language of the stored policy object and at least one control signal or instruction for the at least one industrial machine; (b) detecting, in network traffic to and/or from the at least one industrial machine, a transaction; (c) applying the received policy object and machine profile to the detected transaction to determine whether a desired behavior exists and/or whether an operational constraint is satisfied; and (d) modifying network traffic to and/or from the at least one industrial machine based on the determination in step (c).
    Type: Grant
    Filed: August 24, 2017
    Date of Patent: September 11, 2018
    Assignee: Bayshore Networks, Inc.
    Inventor: Francis Cianfrocca