Virus Detection Patents (Class 726/24)
  • Patent number: 11461465
    Abstract: A method protects a daemon in an operating system of a host computer. The operating system detects that there is an access of a plist file of a daemon by a process in the computer. If so, then it executes a callback function registered for the plist file. The callback function sends to a kernel extension a notification of the attempted access. The kernel extension returns a value to the operating system indicating that the access should be denied. The operating system denies access to the plist file of the daemon by the process. The extension may also notify an application which prompts the user for instruction. The kernel extension also protects itself by executing its exit function when a command is given to unload the extension, and the exit function determines whether or not the command is invoked by an authorized application, such as by checking a flag.
    Type: Grant
    Filed: March 19, 2021
    Date of Patent: October 4, 2022
    Assignee: TREND MICRO INC.
    Inventors: Chuan Jiang, Xilin Li, Yafei Zhang
  • Patent number: 11461467
    Abstract: Techniques are provided for detecting malicious software code embedded in image files, using machine learning. One method comprises obtaining metadata for an image file; applying the obtained metadata to at least one machine learning technique to classify the image file into at least one of a plurality of predefined classes, wherein the plurality of predefined classes comprises at least one malicious file class; and determining whether the image file comprises malicious software code based on the classification. The machine learning technique can be trained using image files classified into at least one of the plurality of predefined classes. The machine learning technique may employ a deep neural network and/or a convolutional neural network to classify the image file into the at least one predefined class.
    Type: Grant
    Filed: May 1, 2019
    Date of Patent: October 4, 2022
    Assignee: EMC IP Holding Company LLC
    Inventors: Or Herman Saffar, Amihai Savir, Yevgeni Gehtman
  • Patent number: 11456993
    Abstract: In one aspect, an example method includes receiving, from a first content-presentation device, a request for supplemental content for use in connection with performing a content-modification operation; identifying a download conflict between the first content-presentation device and a second content-presentation device having a same IP address as the first content-presentation device; and providing, to the first content-presentation device, a response to the request, with the request including a download delay instruction. Reception of the download delay instruction by the first content-presentation device causes the first content-presentation device to wait until a condition associated with the download delay instruction is satisfied before downloading a supplemental content item specified in the response.
    Type: Grant
    Filed: June 23, 2021
    Date of Patent: September 27, 2022
    Assignee: ROKU, INC.
    Inventor: Matthew Grover
  • Patent number: 11451570
    Abstract: A testing computer system communicates with a cloud computing platform coupled to one or more target computer systems. The testing computer system receives a list of target computer systems from the cloud computing platform, generates respective test payloads for a set of the target systems, and sends the test payloads to the set of target systems. Each respective test payload is useable by its respective target system to perform a security scan of the target system and send test results to the testing computer system and includes instructions that cause the test payloads to be deleted after the security scan is performed. The testing computer system receives test results generated by the set of target systems and evaluates the test results to determine whether any of the set of target systems is implicated in a security breach.
    Type: Grant
    Filed: June 27, 2019
    Date of Patent: September 20, 2022
    Assignee: Kaseya Limited
    Inventors: Ryan Brandt Morris, Christopher Michael Gerritz
  • Patent number: 11451561
    Abstract: In one embodiment, a device obtains execution records regarding executions of a plurality of binaries. The execution records comprise command line arguments used during the execution. The device determines measures of similarity between the executions of the binaries based on their command line arguments. The device clusters the executions into clusters based on the determined measures of similarity. The device flags the command line arguments for a particular one of the clusters as an indicator of compromise for malware, based on at least one of the binaries associated with the particular cluster being malware.
    Type: Grant
    Filed: September 14, 2018
    Date of Patent: September 20, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Jan Jusko, Danila Khikhlukha, Harshit Nayyar
  • Patent number: 11449896
    Abstract: There is disclosed in one example a computing apparatus, including: a processor and a memory; instructions encoded within the memory to instruct the processor to: identify a downloaded file on a file system; inspect a metadata object attached to the downloaded file; parse the metadata object to extract an advertiser identification string from a GET code portion of a uniform resource locator (URL); query a reputation cache for a reputation for the advertiser identification string; receive a deceptive reputation for the advertiser identification string; and take a remedial action against the downloaded file.
    Type: Grant
    Filed: September 30, 2019
    Date of Patent: September 20, 2022
    Assignee: McAfee, LLC
    Inventors: Oliver G. Devane, Lee Codel Lawson Tarbotton, Federico Barbieri
  • Patent number: 11444901
    Abstract: A fraudulent email decision device (10) is provided with a consistency analysis unit (24). The consistency analysis unit (24) identifies an intention of a subject email by, for example, a method of, with respect to a newly received incoming email as a subject email, extracting a function term, being a word expressing a reason the subject email was sent, from a body of the subject email. The consistency analysis unit (24) decides whether or not the subject email is a fraudulent email, from a relationship between another incoming email received in the past from the same sender as the sender of the subject email, and the identified intention of the subject email.
    Type: Grant
    Filed: October 1, 2020
    Date of Patent: September 13, 2022
    Assignee: Mitsubishi Electric Corporation
    Inventors: Takumi Yamamoto, Hiroki Nishikawa, Kiyoto Kawauchi
  • Patent number: 11443032
    Abstract: Examples of the present disclosure describe systems and methods for detecting and mitigating stack pivoting exploits. In aspects, various “checkpoints” may be identified in software code. At each checkpoint, the current stack pointer, stack base, and stack limit for each mode of execution may be obtained. The current stack pointer for each mode of execution may be evaluated to determine whether the stack pointer falls within a stack range between the stack base and the stack limit of the respective mode of execution. When the stack pointer is determined to be outside of the expected stack range, a stack pivot exploit is detected and one or more remedial actions may be automatically performed.
    Type: Grant
    Filed: November 3, 2020
    Date of Patent: September 13, 2022
    Assignee: WEBROOT INC.
    Inventor: Andrew Sandoval
  • Patent number: 11445340
    Abstract: Techniques are disclosed for identifying anomalous subjects and devices at a site. The devices may or may not be carried by or associated with subjects at the site. A number of various types of sensors may be utilized for this purpose. The sensors gather data about the subjects and devices. The data is processed by a data processing module which provides its output to a rolling baseline engine. The rolling baseline engine establishes a baseline for what is considered the “normal” behavior for subjects/devices at the site based on a desired dimension of analysis. Data associated with subjects/devices that is not normal is identified as an anomaly along with the associated subject/device. The findings are archived for performing analytics as required.
    Type: Grant
    Filed: January 21, 2021
    Date of Patent: September 13, 2022
    Assignee: Flying Cloud Technologies, Inc.
    Inventor: Brian P. Christian
  • Patent number: 11440201
    Abstract: Artificial intelligence (AI)-based process identification, extraction, and automation for robotic process automation (RPA) is disclosed. Listeners may be deployed to user computing systems to collect data pertaining to user actions. The data collected by the listeners may then be sent to one or more servers and be stored in a database. This data may be analyzed by AI layers to recognize patterns of user behavioral processes therein. These recognized processes may then be distilled into respective RPA workflows and deployed to automate the processes.
    Type: Grant
    Filed: December 9, 2019
    Date of Patent: September 13, 2022
    Assignee: UiPath, Inc.
    Inventors: Prabhdeep Singh, Christian Berg
  • Patent number: 11442623
    Abstract: An information management system is described herein that performs either a pre-processing or a post-processing operation to increase browse and restore speeds when a user attempts to browse for and restore files from a secondary copy of a data volume. For example, the information management system can implement the pre-processing operation by parsing a master file table (MFT) when a secondary copy operation is initiated on the data volume. The information management system can implement the post-processing operation by parsing the MFT after a secondary copy operation is complete. The parsing can occur to identify records of the MFT that include information useful for enabling a user to browse a secondary copy of the data volume. The information management system can then store the secondary copy of these records for use later in constructing an interface for browsing a secondary copy of the data volume.
    Type: Grant
    Filed: May 2, 2019
    Date of Patent: September 13, 2022
    Assignee: Commvault Systems, Inc.
    Inventors: Sri Karthik Bhagi, Sunil Kumar Gutta
  • Patent number: 11436327
    Abstract: One embodiment of the described invention is directed to a computerized method for improving detection of cybersecurity threats initiated by a script. Herein, the method is configured to analyze the script provided as part of a script object by at least (i) determining whether any functional code blocks forming the script include a critical code statement, (ii) determining whether any of the functional code blocks include an evasive code statement, (iii) modifying the script to control processing of a subset of the functional code blocks by avoiding an execution code path including the evasive code statement and processing functional code blocks forming a code path including the critical code statement, and (iv) executing the modified script and monitoring behaviors of a virtual environment. Thereafter, the method is configured to determine whether the script includes cybersecurity threats based on the monitored behaviors.
    Type: Grant
    Filed: December 23, 2020
    Date of Patent: September 6, 2022
    Assignee: FireEye Security Holdings US LLC
    Inventors: Sai Vashisht, Sushant Paithane, Imtiyaz Yunus Pathan
  • Patent number: 11435990
    Abstract: The methods and apparatus for detecting malware using JAR file decompilation are disclosed. An apparatus for decompiling class files, the apparatus comprising a class feature unpacker to unpack a class feature from a class file included in an instruction set, a constant pool address generator to generate a constant pool address table, from the class features, including a plurality of constant pool blocks, based on constant pool type, through an iterative process, a class feature identifier to determine values for each constant pool block based on a constant pool type and store the determined values as a class file feature set, a feature value identifier to obtain raw feature values from a class file feature set and non-class file features, and a feature matrix generator to generate a matrix based on the raw features that correspond to the instruction set.
    Type: Grant
    Filed: August 14, 2019
    Date of Patent: September 6, 2022
    Assignee: MCAFEE, LLC
    Inventor: Daniel Burke
  • Patent number: 11431801
    Abstract: Techniques are provided for offloading the management of sensor data and generating custom views of sensor data. Sensor data received from a data network through a message is stored within storage managed by a computing device. A handle is generated to identify the sensor data. The sensor data within the message is replaced with the handle, and the message is transmitted to a device within the data network. The device may use handles of sensor data to request custom views of sensor data.
    Type: Grant
    Filed: March 26, 2019
    Date of Patent: August 30, 2022
    Assignee: NetApp Inc.
    Inventors: David Slik, Keith Arnold Smith
  • Patent number: 11416608
    Abstract: Events within a computer system are grouped in order to identify security threats and, in some cases, perform an action to mitigate the threat. In some aspects, a computing system event that meets a criterion is identified. A first layer of computing resources is determined which includes computing resources referenced during the computing system event. A second layer of computing resources is then determined, the second layer including one or more of a parent process or file loaded by the first layer processes, a process writing to a file included in the first layer of computing resources, or a previous version of a file included in the first layer of computing resources. Similarities between computing resource pairs in the first and second layers are determined, and a group of high similarity pairs related to each other is identified. In some embodiments, a mitigating action is identified based on the group.
    Type: Grant
    Filed: May 29, 2020
    Date of Patent: August 16, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Sadegh Momeni Milajerdi, Mariusz H. Jakubowski, Jugal Parikh
  • Patent number: 11409884
    Abstract: A system, method, and computer-readable medium for a security vulnerability detection operation. The security vulnerability operation includes configuring a firmware security profiling environment with a trusted host and a trusted service processor; receiving a firmware update file via the trusted service processor; using the trusted service processor to identify a security vulnerability within the firmware update file; and, installing the firmware update file to the information handling system only when no security vulnerability is identified by the trusted service processor, the installing being performed by the trusted host.
    Type: Grant
    Filed: October 31, 2018
    Date of Patent: August 9, 2022
    Assignee: Dell Products L.P.
    Inventors: Chitrak Gupta, Rama Rao Bisa, Elie A. Jreij, Sushma Basavarajaiah, Kala Sampathkumar, Mainak Roy
  • Patent number: 11409916
    Abstract: A method to transform the function of a programmable circuit (e.g. FPGA) for removing functional bugs or Hardware Trojans is provided.
    Type: Grant
    Filed: August 28, 2020
    Date of Patent: August 9, 2022
    Assignee: EASY-LOGIC TECHNOLOGY LTD.
    Inventors: Yu-Liang Wu, Xing Wei, Tak-Kei Lam, Yi Diao
  • Patent number: 11409868
    Abstract: A processing system including at least one processor may detect an accessing of a file, where the accessing comprises a read operation, generate a copy of the file in response to detecting the accessing of the file, and store the copy of the file in a designated storage location. The processing system may further detect a completion of the accessing of the file, apply a checksum operation to the file to generate a checksum in response to detecting the completion of the accessing of the file, determine that the checksum does not match an expected checksum for the file, and generate an alert of a possible manipulation of the file in response to determining that the checksum does not match the expected checksum.
    Type: Grant
    Filed: September 26, 2019
    Date of Patent: August 9, 2022
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Dylan Reid, Joseph Soryal
  • Patent number: 11399033
    Abstract: There is disclosed in one example an advertisement reputation server, including: a hardware platform including a processor and a memory; a network interface; and an advertisement reputation engine including instructions encoded in memory to instruct the processor to: receive via the network interface a plurality of advertisement instances displayed on client devices; extract from the advertisement instances an advertiser identifier; analyze one or more advertisements associated with the advertiser identifier to assign an advertiser reputation; and publish via the network interface advertisement reputation information derived from the reputation for the advertisement identifier.
    Type: Grant
    Filed: June 25, 2019
    Date of Patent: July 26, 2022
    Assignee: McAfee, LLC
    Inventors: Joel R. Spurlock, Nikhil Meshram, Prashanth Palasamudram Ramagopal, Daniel L. Burke
  • Patent number: 11399040
    Abstract: A computerized method is described for authenticating access to a subscription-based service to detect an attempted cyber-attack. First, a request is received by a subscription review service to subscribe to the subscription-based service. The service is configured to analyze one or more objects for a potential presence of malware representing the attempted cyber-attack. Using service policy level information, the cloud broker selects a cluster from a plurality of clusters to analyze whether the one or more objects are associated with the attempted cyber-attack and establishes a communication session between the sensor and the cluster via the cloud broker. The service policy level information is associated with the customer and is used in accessing the subscription-based service. The service policy level information includes at least an identifier assigned to the customer.
    Type: Grant
    Filed: September 28, 2020
    Date of Patent: July 26, 2022
    Assignee: FireEye Security Holdings US LLC
    Inventors: Mumtaz Siddiqui, Manju Radhakrishnan
  • Patent number: 11389728
    Abstract: Provided is a method of monitoring mobile game macro user. The method is performed by a processor of a computer.
    Type: Grant
    Filed: February 15, 2021
    Date of Patent: July 19, 2022
    Assignee: NHN CORPORATION
    Inventor: Chang Yul Lee
  • Patent number: 11394733
    Abstract: A system provides for generation and implementation of resiliency controls for securing technology resources. In particular, the system may generate a model for securing technology resources based on compromise vectors that may affect the integrity or security of the resources, along with resiliency controls which may be used by the system to protect the resources. Based on the above information, the system may determine the impact that certain vectors may have on certain resources and assess the resistance of the resources to the impacts. In this way, the system may provide an efficient way to assess resiliency of resources and implement resiliency controls to protect such resources.
    Type: Grant
    Filed: November 12, 2019
    Date of Patent: July 19, 2022
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Brandon Sloane, Lydia Lambright, Regina Yee Cadavid, Gloria Joo
  • Patent number: 11386206
    Abstract: A system and method model activities in the production environment as sequences of microservices, and identify unusual activities by analyzing these sequences. In particular, a directed graph of usual activity is formed as a basis for determining unusual activities. Next, activities that were actually performed are determined by statistically analyzing records of microservice invocation in application diagnostic files. These activity sequences are overlaid on the directed graph to determine relative fit by using a trace coverage percentage score. Application instances or activities with low relative fit are deemed suspicious. If the low fit persists for an extended duration, then the instances or activities are deemed unusual and an individual is alerted to begin a manual review.
    Type: Grant
    Filed: September 21, 2020
    Date of Patent: July 12, 2022
    Assignee: Dell Products L.P.
    Inventors: Parminder Singh Sethi, Kanika Kapish, Anay Kishore, Kunal Visoulia
  • Patent number: 11379143
    Abstract: Provided is a storage system in which a plurality of virtual volumes obtained by replicating a master virtual volume are provided to each of a plurality of virtual machines of a physical server, respectively, the storage system including: a snapshot management unit that configures a continuous scan generation from the plurality of virtual volumes; a selection processing unit that groups into at least one scan group on the basis of a duplication rate of the plurality of virtual volumes included in the continuous scan generation; and a path setting unit that collectively unmounts the plurality of virtual volumes belonging to the scan group from the physical server in a case where a replica of the virtual volume selected by the selection processing unit is attached to a virus scanning server and one of the plurality of virtual volumes belonging to the scan group is infected with virus.
    Type: Grant
    Filed: September 4, 2020
    Date of Patent: July 5, 2022
    Assignee: Hitachi, Ltd.
    Inventor: Shunsuke Handa
  • Patent number: 11379689
    Abstract: Disclosed is a method of analyzing abnormal behavior by using data imaging, including: receiving data to be analyzed as an input, wherein the data to be analyzed is related to a state of a system to be analyzed; converting the inputted data to be analyzed into image data; training a neural network unit with the converted image data as an input; and detecting or predicting abnormal behavior in the system to be analyzed, at the neural network unit, which has received the image data converted from the data to be analyzed as the input and completed training.
    Type: Grant
    Filed: February 12, 2018
    Date of Patent: July 5, 2022
    Assignee: CTILAB CO., LTD.
    Inventors: Hong Yeon Cho, Tae Yang Oh, Won Woo Park
  • Patent number: 11381586
    Abstract: A method may include monitoring calls and/or traffic on a network and identifying behavior associated with each of a plurality of user devices with respect to activity on the network. The method may also include aggregating information about the behavior associated with the user devices, determining whether the aggregated information corresponds to an anomaly with respect to usage of the network and determining, when the aggregated information corresponds to the anomaly, whether the anomaly meets a threshold based on a type of anomaly and a number of user devices affected by the anomaly. The method may further include identifying, when the aggregated information corresponds to the anomaly, user devices in an area corresponding to the anomaly, generating a notification in response to determining that the aggregated information corresponds to the anomaly and transmitting the notification to the identified user devices in the area corresponding to the anomaly.
    Type: Grant
    Filed: November 20, 2019
    Date of Patent: July 5, 2022
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Shoma Chakravarty, Manah M. Khalil
  • Patent number: 11372978
    Abstract: A system facilitates detection of malicious properties of software packages. A generic application which comprises known functionality into which a software package has been included is analyzed through a static analysis and/or dynamic analysis, which is performed based on executing the generic application in a controlled environment. The static analysis and/or dynamic analysis are performed to determine whether one or more properties associated with the software package comprise deviations from the known behavior of the generic application. Behavior deviations identified based on the static and/or dynamic analysis are associated with a score. An aggregate score is calculated for the software package based on the scores which have been assigned to the identified behavior deviations and may be adjusted based on a reputation multiplier determined based on metadata of the software package. If the aggregate score of the software package exceeds a score threshold, the software package is flagged as malicious.
    Type: Grant
    Filed: April 13, 2020
    Date of Patent: June 28, 2022
    Assignee: Twistlock Ltd.
    Inventors: Ory Segal, Yuri Shapira, Avraham Shulman, Benny Nissimov, Shaked Yosef Zin
  • Patent number: 11372982
    Abstract: A centralized network environment is provided for processing validated executable data based on authorized hash outputs. In particular, the system may generate cryptographic hash outputs of code or software that has been evaluated (e.g., within a virtual environment). The system may then store the hash outputs within a hash database which may be accessible by multiple entity networks, where multiple entities may upload hash output values to and/or retrieve hash output values from the hash database. Based on the data within the hash database, each entity may efficiently identify code that may be safe or unsafe to execute on certain computing systems within its network environment. The system may further comprise an artificial intelligence-powered component which may be configured to detect patterns within code that has been identified by the system as unsafe and provide notifications containing systems likely to be affected and recommended countermeasures.
    Type: Grant
    Filed: July 2, 2020
    Date of Patent: June 28, 2022
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: George Albero, Jake Michael Yara, Edward Lee Traywick, Konata Stinson, Emanuel David Guller, Scot Lincoln Daniels, Rick Wayne Sumrall, Carrie Elaine Gates
  • Patent number: 11373065
    Abstract: Presence of malicious code can be identified in one or more data samples. A feature set extracted from a sample is vectorized to generate a sparse vector. A reduced dimension vector representing the sparse vector can be generated. A binary representation vector of the reduced dimension vector can be created by converting each value of a plurality of values in the reduced dimension vector to a binary representation. The binary representation vector can be added as a new element in a dictionary structure if the binary representation is not equal to an existing element in the dictionary structure. A training set for use in training a machine learning model can be created to include one vector whose binary representation corresponds to each of a plurality of elements in the dictionary structure.
    Type: Grant
    Filed: January 17, 2018
    Date of Patent: June 28, 2022
    Assignee: Cylance Inc.
    Inventor: Andrew Davis
  • Patent number: 11368291
    Abstract: An interface, through which functionality of a cloud computing infrastructure can be accessed, can create defined endpoints through which such an interface is accessed, with such defined endpoints limiting the functionality accessible through the interface to only allowed functions. An elevate function can, through a secure key exchange protocol, receive appropriate assurances and can, in response, remove the functionality limitations of the endpoint, thereby enabling unfettered access to the cloud computing infrastructure. Such unrestricted access can be limited in duration, which duration can be established in advance, or agreed-upon through the key exchange mechanism.
    Type: Grant
    Filed: June 15, 2020
    Date of Patent: June 21, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Armando Moran Saavedra, Daniel Pravat, Filippo Seracini, Lee Holmes, Alexandru Naparu
  • Patent number: 11366907
    Abstract: In order to analyze, efficiently and with high precision, the similarity in operation between software that is being examined and a known malware, this malware analysis device 40 is equipped with: an abstraction unit 41 for generating first abstraction information 410 obtained by abstracting first operation information 440 which indicates the result of an operation of sample software; an abstraction information storage unit 45 for storing second abstraction information 450 obtained by abstracting second operation information which indicates one or more operation results obtained for each piece of software that has been compared with the sample; a calculation unit 42 for calculating the similarity between the first abstraction information 410 and the second abstraction information 450; and a specifying unit 43 for specifying the compared software for which the similarity satisfies a criterion.
    Type: Grant
    Filed: October 11, 2017
    Date of Patent: June 21, 2022
    Assignee: NEC CORPORATION
    Inventor: Satoshi Ikeda
  • Patent number: 11368475
    Abstract: A system and method for retrieval and analysis of stored objects for malware is described. The method involves receiving a scan request message from a customer to conduct analytics on one or more objects stored within a third-party controlled service. In response to receipt of the scan request message, the system generates a redirect message. The redirect message redirects the customer to an authentication portal of the third-party controlled service operating as a logon page and configures receipt by the system of access credentials for the third-party controlled service upon verification of the customer. Using the access credentials, the system is able to retrieve the one or more objects and perform analytics on each object of the one or more objects to classify each object as malicious or benign.
    Type: Grant
    Filed: December 21, 2018
    Date of Patent: June 21, 2022
    Assignee: FireEye Security Holdings US LLC
    Inventor: Sai Vashisht
  • Patent number: 11368432
    Abstract: A computing device can install and execute a kernel-level security agent that interacts with a remote security system as part of a detection loop aimed at defeating malware attacks. The kernel-level security agent can be installed with a firewall policy that can be remotely enabled by the remote security system in order to “contain” the computing device. Accordingly, when the computing device is being used, and a malware attack is detected on the computing device, the remote security system can send an instruction to contain the computing device, which causes the implementation, by an operating system (e.g., a Mac™ operating system) of the computing device, of the firewall policy accessible to the kernel-level security agent. Upon implementation and enforcement of the firewall policy, outgoing data packets from, and incoming data packets to, the computing device that would have been allowed prior to the implementation of the firewall policy are denied.
    Type: Grant
    Filed: May 18, 2020
    Date of Patent: June 21, 2022
    Assignee: Crowd Strike, Inc.
    Inventors: Paul Meyer, Cameron Gutman, John R. Kooker
  • Patent number: 11356479
    Abstract: Disclosed herein are systems and methods for automatic takedown of counterfeit websites using API-based and/or email-based takedown. In implementations the method includes checking the domain of a Uniform Resource Locator (URL) against a database to determine if an API-based takedown can be performed for the counterfeit website. If an API-based takedown cannot be performed the system determines the email of the hosting provider hosting the counterfeit website based on the resolved Internet Protocol (IP) address and sends a takedown notification via email with evidence such as screenshots, hosting infrastructure information, website lifecycle and scan timestamp. The system checks periodically whether the counterfeit website has been taken down by the network owner. If, after a check, the website is still live, the process of takedown is repeated until the website is taken down.
    Type: Grant
    Filed: February 24, 2020
    Date of Patent: June 7, 2022
    Assignee: Bolster, Inc
    Inventors: Shashi Prakash, Abhishek Dubey
  • Patent number: 11349855
    Abstract: A computer-implemented system and method for detecting and terminating a ransomware attack at its very early stage, reducing damages of data loss if occurred, while minimally disturbing ongoing operations within the organization's most demanding business goals (RTO/RPO).
    Type: Grant
    Filed: February 4, 2022
    Date of Patent: May 31, 2022
    Assignee: TEN ROOT CYBER SECURITY LTD.
    Inventor: Dor Amit
  • Patent number: 11347848
    Abstract: The present disclosure relates to a system and method for performing anti-malware scanning of data files that is data-centric rather than device-centric. In the example, a plurality of computing devices are connected via a network. An originating device creates or first receives data, and scans the data for malware. After scanning the data, the originating device creates and attaches to the data a metadata record including the results of the malware scan. The originating device may also scan the data for malware contextually-relevant to a second device.
    Type: Grant
    Filed: September 16, 2019
    Date of Patent: May 31, 2022
    Assignee: McAfee, LLC
    Inventors: Dattatraya Kulkarni, Srikanth Nalluri, Kamlesh Halder, Venkatasubrahmanyam Krishnapur, Sailaja K. Shankar, Kaushal Kumar Dhruw
  • Patent number: 11349852
    Abstract: A network-based line-rate method and apparatus for detecting and managing potential malware utilizing a black list of possible malware to scan content and detect potential malware content based upon characteristics that match the preliminary signature. The undetected content is then subjected to inference-based processes and methods to determine whether the undetected content is safe for release. Typical of inference-based processes and methods, the verdict is a numerical value within a predetermined range, outside of which content is not safe. The network content is released if the verdict is within the safe range; otherwise, the apparatus provides various options for handling such presumably unsafe content, including soliciting user input on whether to release, block, or subject the content to further offline behavioral analysis.
    Type: Grant
    Filed: August 30, 2017
    Date of Patent: May 31, 2022
    Assignee: Wedge Networks Inc.
    Inventors: Hongwen Zhang, Mark Koob, Kevin Chmilar, Husam Kinawi
  • Patent number: 11343276
    Abstract: This disclosure generally revolves around providing users with advance warning that a message that they have received may be suspicious. The user may not be aware of known threats, may not recognize threats in real time, or may not be aware of new threats, and therefore may unintentionally interact with a hazardous message. A security awareness system, on the other hand, is aware of known threats and may become aware of new threats more quickly than users can be trained to identify them. The system may notify the user when one of these threats is found in their messages. The disclosure further provides systems and methods for updating the security awareness training for users for new threats that appear.
    Type: Grant
    Filed: July 10, 2018
    Date of Patent: May 24, 2022
    Assignee: KnowBe4, Inc.
    Inventors: Benjamin Edwards, Alin Irimie, Greg Kras
  • Patent number: 11343280
    Abstract: The present system and method pertain to the detection of malicious software and processes such as malware. A cloud security policy system receives hashes and behavioral information about applications and/or processes executing on user devices. The cloud security policy system records this information and then evaluates the trustworthiness of the hashes based on the information received from the user devices to provide a security policy for the applications and/or processes. The security policy is sent from the cloud security policy system to user devices to be applied by the user devices.
    Type: Grant
    Filed: May 31, 2019
    Date of Patent: May 24, 2022
    Assignee: Carbon Black, Inc.
    Inventor: Jeffrey Albin Kraemer
  • Patent number: 11341240
    Abstract: A system for reducing the effects of unwanted software (“malware”) is described having a user computing device which runs on a user operating system (UOS) and a user web browser coupled by a limited communication link to a host computing device including VM executable code for emulating a virtual machine, a virtual OS which runs on the virtual machine and a web browser adapted to run on the virtual OS. The limited communication link connected between the user computing device and the host computing device is adapted to pass certain user input communications (signals from the input devices) from the user computing device to the host computing device; and pass certain output communications (signals to output devices) from the host computing device to the user computing device thereby restricting malware from being introduced to the user computing device.
    Type: Grant
    Filed: February 22, 2019
    Date of Patent: May 24, 2022
    Inventors: Zachary Waldman, Samuel Neely
  • Patent number: 11343263
    Abstract: The present disclosure relates to methods, systems, and computer program products for generating an asset remediation trend map used in remediating against an attack campaign. The method comprises receiving attack kill chain data. The attack kill chain data comprises steps for executing an attack campaign on one or more assets associated with a computing device. The method further comprises parsing the attack kill chain data to determine one or more attack execution operations for executing the attack campaign on the one or more assets associated with the computing device. The method determines based on the parsing, one or more remediation operations corresponding to the one or more attack execution operations. In addition, the method sequences the one or more remediation operations to form an asset remediation trend map. In one implementation, the asset remediation trend map indicates steps for remediating the attack campaign.
    Type: Grant
    Filed: April 15, 2019
    Date of Patent: May 24, 2022
    Assignee: Qualys, Inc.
    Inventors: Ankur S. Tyagi, Mayuresh Vishwas Dani
  • Patent number: 11341236
    Abstract: An illustrative method includes a data protection system determining that a total amount of read traffic and write traffic processed by a storage system during a time period exceeds a threshold, the read traffic representing data read from the storage system during the time period and the write traffic representing data written to the storage system during the time period, determining that the write traffic is less compressible than the read traffic, and determining, based on the total amount of read traffic and write traffic exceeding the threshold and on the write traffic being less compressible than the read traffic, that the storage system is possibly being targeted by a security threat.
    Type: Grant
    Filed: June 30, 2020
    Date of Patent: May 24, 2022
    Assignee: Pure Storage, Inc.
    Inventors: Andrew Miller, Ronald Karr, Andrew Kutner, Patrick D. Lee, David Huskisson, John Colgrove, Jean-Luc Degrenand
  • Patent number: 11334672
    Abstract: A cluster is scanned. The cluster includes one or more virtual machines. A first content file change is detected based on the scan of the cluster. The first content file change is to a first content file. The first content file is located on a first virtual machine related to the cluster. A content-based security level of the cluster is determined based on the detection of the first content file change. The determined content-based security level of the cluster is compared to a security level standard of the cluster. A security gap is identified based on the comparison of the determined content-based security level to the security level standard of the cluster. In response to the identification of the security gap, an update to the security settings of the cluster is performed.
    Type: Grant
    Filed: November 22, 2019
    Date of Patent: May 17, 2022
    Assignee: International Business Machines Corporation
    Inventor: Shailaja Mallya
  • Patent number: 11336557
    Abstract: A network device includes storage. The network device also includes a forwarding information manager. The storage stores forwarding information. The storage also stores information source rankings. The forwarding information manager obtains information from a source. The information source rankings include a ranking associated with the source. The forwarding information manager makes a determination, based on the information source rankings, that the source is undesirable. The forwarding information manager discards the information without processing the information based on the determination.
    Type: Grant
    Filed: November 7, 2019
    Date of Patent: May 17, 2022
    Assignee: Arista Networks, Inc.
    Inventor: John W. French
  • Patent number: 11336676
    Abstract: Techniques to facilitate operation of a centralized trust authority for web application components are disclosed herein. In at least one implementation, a plurality of web resources used to construct web applications is received. Over a secure application programming interface (API), component registration information associated with each of the plurality of web resources is received, provided by producers of the web resources. The plurality of web resources is analyzed to determine unique identities and security attributes for each of the web resources. A plurality of security risk factors is identified for each of the plurality of web resources based on the component registration information and the security attributes determined for each of the web resources. A security profile is generated for each of the plurality of web resources based on the security risk factors identified for each of the web resources.
    Type: Grant
    Filed: November 12, 2019
    Date of Patent: May 17, 2022
    Assignee: Tala Security, Inc.
    Inventors: Aanand Krishnan, Swapnil Bhalode, Siddhesh Yawalkar, Sanjay Sawhney, Hemant Puri
  • Patent number: 11334240
    Abstract: The present disclosure provides a method, device, electronic device, and storage medium for sending and receiving message. The method for sending a message can include: receiving an operation instruction for selecting a resource icon; acquiring an image resource based on the resource icon in response to the operation instruction; detecting an operation gesture; determining control information of the image resource for controlling a presentation effect of the image resource based on the operation gesture; generating the message by encapsulating the image resource and the control information; and sending the message to a receiver device.
    Type: Grant
    Filed: July 22, 2020
    Date of Patent: May 17, 2022
    Assignee: Beijing Dajia Internet Information Technology Co., Ltd.
    Inventors: Xuan Liu, Zhenlong Bai, Kaijian Jiang, Chao Wang
  • Patent number: 11328064
    Abstract: A method and system for detecting ransomware and repairing data following an attack. The method includes, collecting file statistics for files in a file system, identifying an affected file based on collected file statistics, locking down of access to the file system in response to identifying the affected file, undoing of reconcile processing, repairing the affected files, and unlocking access to the file system. The system includes a computer node, a file system, a plurality of disc storage components, a backup client, a backup client, and a hierarchical storage client. The hierarchical storage client is configured to collect file statistics for files in file system, identify affected files based on collected file statistics for the file, lock down of access to the file system in response to an identified affected file, undo reconcile processing, repair the affected file; and unlock access to the file system.
    Type: Grant
    Filed: August 13, 2019
    Date of Patent: May 10, 2022
    Assignee: International Business Machines Corporation
    Inventors: Dominic Mueller-Wicke, Stefan Bender, Thomas Schreiber, Kai Boerner
  • Patent number: 11328061
    Abstract: Disclosed herein are systems and method for inspecting archived slices for malware. In one exemplary aspect, the method comprises mounting, to a disk, a first slice of a plurality of slices in a backup archive, wherein the first slice is an image of user data at a first time. The method further comprises detecting a modified block of the mounted, identifying at least one file in the mounted first slice that corresponds to the detected modified block, and scanning the at least one file for viruses and malicious software. In response to detecting that the at least one file is infected, the method comprises generating a cured slice that comprises the user data of the mounted first slice without the at least one file.
    Type: Grant
    Filed: February 24, 2020
    Date of Patent: May 10, 2022
    Assignee: Acronis International GmbH
    Inventors: Vladimir Strogov, Anatoly Stupak, Andrey Kulaga, Alexey Sergeev, Serguei Beloussov, Stanislav Protasov
  • Patent number: 11321194
    Abstract: A computer-implemented method according to one embodiment includes, in response to a determination that a predetermined operation has been performed on an object of a first file stored on a first cluster site, storing predetermined information about the object of the first file stored on the first cluster site. The predetermined information is stored on an extended attribute of the first file stored on the first cluster site. In response to a determination that the predetermined operation is performed on an object of a first file stored on a second cluster site, the predetermined information is removed from the extended attribute of the first file stored on the first cluster site. In response to a determination that a failure event has occurred on a queue of the first cluster site, a predetermined recovery process is performed, thereby enabling fulfillment of entries of the queue of the first cluster site.
    Type: Grant
    Filed: April 3, 2020
    Date of Patent: May 3, 2022
    Assignee: International Business Machines Corporation
    Inventors: Venkateswara Rao Puvvada, Karrthik Kalaga Gopalakrishnan, Saket Kumar, Ashish Pandey
  • Patent number: 11323462
    Abstract: A computer-implemented method, computer program product and computing system for: obtaining one or more artifacts concerning a detected security event; obtaining artifact information concerning the one or more artifacts; and generating a conclusion concerning the detected security event based, at least in part, upon the detected security event, the one or more artifacts, and the artifact information.
    Type: Grant
    Filed: June 6, 2019
    Date of Patent: May 3, 2022
    Assignee: RELIAQUEST HOLDINGS, LLC
    Inventors: Brian P. Murphy, Joe Partlow, Colin O'Connor, Jason Pfeiffer