Virus Detection Patents (Class 726/24)
  • Patent number: 10938839
    Abstract: A computer model is created for automatically evaluating the business value of computing objects such as files and databases on an endpoint. This can be used to assess the potential business impact of a security compromise to an endpoint, or a process executing on an endpoint, in order to prioritize potential threats within an enterprise for human review and intervention.
    Type: Grant
    Filed: September 12, 2018
    Date of Patent: March 2, 2021
    Assignee: Sophos Limited
    Inventors: Russell Humphries, Andrew J. Thomas
  • Patent number: 10936747
    Abstract: A system prevents divulgation of sensitive data in two snapshots, taken at different times, of one or more systems. The system identifies a set of files from among file pairs. Each file pair is formed from a respective file that includes a difference with respect to each of the two snapshots. The system performs a pattern reducing process that removes, from the set, any file having, as the at least one difference, a predetermined non-sensitive difference between respective executions of a pre-determined system operation. The system performs a commonality reducing process that removes, from the set, any file having, as the at least one difference, a common difference between different system users. The system annotates data in remaining files in the set as potentially being sensitive data. The predetermined non-sensitive difference is determined using a Sandbox host. The common difference is determined using an actual one of the systems.
    Type: Grant
    Filed: October 25, 2019
    Date of Patent: March 2, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Ai Ishida, Takuya Mishina, Yuji Watanabe
  • Patent number: 10929564
    Abstract: A computer readable medium causing a processor to evaluate a URL: when an evaluation resides in a cache, determine whether the URL is safe based on the evaluation, and when an evaluation does not reside in cache: perform an evaluation for the URL using one or more virus scanners, store the evaluation in the cache and determine whether the URL is safe based on the evaluation, when the URL is safe, load and display the web page for the URL, and when the URL is not safe, block the web page for the URL from being loaded and displayed, further determine whether a QA check criterion is met, if so, send the URL to an evaluator for behavioral analysis of the web page of the URL, and store results of the behavioral analysis of the web page of the URL, received from the evaluator, in a QA database.
    Type: Grant
    Filed: April 3, 2019
    Date of Patent: February 23, 2021
    Assignee: Finjan Mobile, Inc.
    Inventors: Scot Robinson, Patrick Conlin, Jules Panopoulos, Julie Mar-Spinola
  • Patent number: 10931685
    Abstract: A system and method detects malware by processing notifications from an intrusion detection system and baseline snapshots from an image capture utility. The image capture utility constructs an image of the suspected malware intrusion and links the suspected malware intrusion to the baseline snapshots. The system and method propagates the image of the suspected malware intrusion across multiple networks before it distinguishes malicious code, device state, and files from benign code, device state, and files. Some systems and methods include a malware recovery system that executes machine learning instructions and heuristics to revert a client and/or a remote server to one or more baseline snapshots.
    Type: Grant
    Filed: December 11, 2017
    Date of Patent: February 23, 2021
    Assignee: UT-BATTELLE, LLC
    Inventor: Jared M. Smith
  • Patent number: 10931701
    Abstract: Disclosed embodiments relate to systems and methods for automatically and transparently detecting potential compromises or unauthorized use of endpoint computing devices. Techniques include engaging, at a security server, in an agentless management session with an application running on an endpoint computing device; controlling, at the security server and through the agentless management session, a user-facing session of the application; receiving, at the security server, an indication of anomalous activity or loss of a proximity between at least one of: the one or more personal computing devices associated with the user and the endpoint computing device, or the one or more personal computing devices associated with the user and the user; and implementing a control action in the agentless management session, based on the received indication.
    Type: Grant
    Filed: July 8, 2020
    Date of Patent: February 23, 2021
    Assignee: CyberArk Software Ltd.
    Inventors: Ido Hoorvitch, Yaacov Ben Naim
  • Patent number: 10929148
    Abstract: Example embodiments relate to executing services in containers. The examples disclosed herein include a computing device comprising instructions to load an inner portion of an operating system kernel in an inner region of a kernel space and an outer portion of the operating system kernel in an outer region of the kernel space. The example computing device may execute a service in a container in a user space. The container may be communicatively coupled with the outer region of the operating system kernel but divided from the inner portion of the operating system kernel.
    Type: Grant
    Filed: June 8, 2016
    Date of Patent: February 23, 2021
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Nigel Edwards, Chris I Dalton
  • Patent number: 10929539
    Abstract: Systems and methods are disclosed for enhancing cybersecurity in a computer system by detecting safeness levels of executables. An installation lineage of an executable is identified in which entities forming the installation lineage include at least an installer of the monitored executable, and a network address from which the executable is retrieved. Each entity of the entities forming the installation lineage is individually analyzed using at least one safeness analysis. Results of the at least one safeness analysis of each entity are inherited by other entities in the lineage of the executable. A backtrace result for the executable is determined based on the inherited safeness evaluation of the executable. A total safeness of the executable, based on at least the backtrace result, is evaluated against a set of thresholds to detect a safeness level of the executable. The safeness level of the executable is output on a display screen.
    Type: Grant
    Filed: July 19, 2018
    Date of Patent: February 23, 2021
    Inventors: Jungwhan Rhee, Zhenyu Wu, Lauri Korts-Parn, Kangkook Jee, Zhichun Li, Omid Setayeshfar
  • Patent number: 10929533
    Abstract: Disclosed herein are systems and methods of identifying malicious files using a learning model trained on a malicious file. In one aspect, an exemplary method comprises selecting, using a hardware processor, the malicious file from a plurality of malicious files that are known to be harmful, selecting, using the hardware processor, a plurality of safe files from a set of safe files that are known to be safe, generating, using the hardware processor, a learning model by training a neural network with the malicious file and the plurality of safe files, generating, using the hardware processor, rules for detection of malicious files from the learning model, determining, using the hardware processor, whether attributes of an unknown file fulfill the rules for detection of malicious files using the learning model and responsive to determining that the rules for detection are fulfilled, identifying, using the hardware processor, the unknown file as malicious.
    Type: Grant
    Filed: November 9, 2018
    Date of Patent: February 23, 2021
    Assignee: AO Kaspersky Lab
    Inventors: Sergey V. Prokudin, Alexey M. Romanenko
  • Patent number: 10922409
    Abstract: Technologies for detecting malware based on a reinforcement learning model to detect whether a file is malicious or benign and to determine the best time to halt the file's execution in so detecting. The reinforcement learning model combined with an event classifier and a file classifier learns whether to halt execution after enough state information has been observed or to continue execution if more events are needed to make a highly confident determination. The algorithm disclosed allows the system to decide when to stop on a per-file basis.
    Type: Grant
    Filed: April 10, 2018
    Date of Patent: February 16, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Yu Wang, Jack Wilson Stokes, III, Adrian Mihail Marinescu
  • Patent number: 10922410
    Abstract: Disclosed are systems and methods for generating a convolution function for training a malware detection model. An example method comprises selecting, by a processor, one or more commands from a log according to a set of predetermined rules, forming, by the processor, one or more behavior patterns from the one or more selected commands, determining, by the processor, a feature vector according to the one or more behavior patterns, generating, by the processor, a convolution function according to the feature vector, wherein a size of a result of the convolution function of the feature vector is less than the size of the feature vector, and computing, by the processor, one or more parameters for training a malware detection model using the convolution function on the one or more behavior patterns.
    Type: Grant
    Filed: June 15, 2018
    Date of Patent: February 16, 2021
    Assignee: AO KASPERSKY LAB
    Inventors: Alexander S. Chistyakov, Ekaterina M. Lobacheva, Alexey M. Romanenko
  • Patent number: 10917422
    Abstract: An auditing system (10) is provided for detecting at least one unauthorized operational activity in at least one website, and includes a processor coupled to at least one database (34) for storing data related to the at least one unauthorized operational activity. The processor is programmed to detect the at least one unauthorized operational activity in the at least one website using a monitoring module (22) configured to monitor the at least one website via a network (16) and provide unauthorized operational status information about the at least one website using a plurality of status messages generated based on the data, and a detection module (24) configured to examine the plurality of status messages and detect an anomaly caused by the at least one unauthorized operational activity.
    Type: Grant
    Filed: July 26, 2019
    Date of Patent: February 9, 2021
    Assignee: DEV/CON DETECT, INC.
    Inventor: Margaret C. Louie
  • Patent number: 10915348
    Abstract: Technologies for duplicating virtual machines (VMs) are described. A virtual machine monitor (VMM) may operate a parent virtual machine (VM), which may include a parent virtual memory and a parent virtual central processing unit (VCPU). The VMM or a host platform may obtain a command to duplicate the parent VM to create a child VM. In response to the command, the VMM or host may obtain a VCPU state of the parent VCPU, and generate the child VM including a child VCPU based on a state of the parent VCPU and a child virtual memory based on the parent virtual memory. Other embodiments are described herein and claimed.
    Type: Grant
    Filed: January 31, 2017
    Date of Patent: February 9, 2021
    Assignee: Intel Corporation
    Inventor: Josh Triplett
  • Patent number: 10915659
    Abstract: Privacy violation detection of a mobile application program is disclosed. Regular histories of the mobile application are mined. A call-graph representation of the mobile application program can be created and sequences of events of interest according to the platform specification of the mobile application can be collected. A plurality of learnable features are extracted from the regular histories. The plurality of learnable features are combined into a single feature vector which is fed into a machine-learning-based classification algorithm. Whether the mobile application program includes one or more permissions for accessing unauthorized privacy data of a mobile application user is determined based on a machine learning classification of the single feature vector. The collected sequences can be reduced into a plurality of feature vectors which can include at least one of a happens-before feature and a multiplicity of occurrences feature.
    Type: Grant
    Filed: February 11, 2020
    Date of Patent: February 9, 2021
    Assignee: International Business Machines Corporation
    Inventors: Pietro Ferrara, Marco Pistoia, Omer Tripp
  • Patent number: 10909265
    Abstract: An application privacy analysis system is described, where the system obtains an application and analyzes it for privacy related data use. The system may determine privacy related activities of the application from established sources of such data and/or may decompile the application and analyze the resulting code to determine the privacy related activities of the application. The system may execute the application and monitor the communications traffic exchanged by the application to determine privacy related activities of the application. The system may store the results of such analyses for future reference.
    Type: Grant
    Filed: June 29, 2020
    Date of Patent: February 2, 2021
    Assignee: OneTrust, LLC
    Inventors: Kevin Jones, William DeWeese, Justin Devenish, Saravanan Pitchaimani, Jonathan Blake Brannon
  • Patent number: 10911414
    Abstract: A node enables sharing data connectivity between a consumer device and a broker device, and receives from a first packet routing node a request for a consumer authorization certificate. The request includes a subscriber identity. Based on the subscriber identity authorizing the subscriber for sharing data connectivity, a consumer authorization certificate is generated using a private encryption key associated with the node. The consumer authorization certificate includes the subscriber identity of the subscriber. The consumer authorization certificate is returned to the first packet routing node. A request for a data connectivity service for the subscriber is received from a second packet routing node. The request includes a consumer agreement certificate and a broker identity. The consumer agreement certificate is signed using a private key associated with the subscriber and includes the subscriber identity. The consumer agreement certificate is valued.
    Type: Grant
    Filed: April 23, 2019
    Date of Patent: February 2, 2021
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventor: Joel Cassel
  • Patent number: 10902125
    Abstract: Described in detail herein is an infected file detection and quarantine system. A pre-scan staging server can receive a set of data files. The pre-scan staging server can determine a type of each of the data files in the set. The pre-scan staging server can select a virus scan application for each type of data file in the set. The pre-scan staging server can detect whether the data files in the set are infected with a virus or malware in response to execution of the at least one virus scan application for each data file type. The post-scan staging server can receive the uninfected data files. The post-scan staging server can transmit a message including a link for retrieving the uninfected data files.
    Type: Grant
    Filed: April 5, 2018
    Date of Patent: January 26, 2021
    Assignee: Walmart Apollo, LLC
    Inventor: David Wayne Murphy, Jr.
  • Patent number: 10902114
    Abstract: The systems and methods described herein generally relate to techniques for automated detection, aggregation, and integration of cybersecurity threats. The system ingests multiple data feeds which can be in one or numerous different formats. The system evaluates information based on defined scores to display to users threats and risks associated with them. The system also calculates decay rates for expiration of threats and indicators through various methods.
    Type: Grant
    Filed: December 3, 2018
    Date of Patent: January 26, 2021
    Assignee: THREATQUOTIENT, INC.
    Inventors: Ryan Trost, Leon Ward
  • Patent number: 10904285
    Abstract: In one embodiment, a method for electronic document sanitization may include receiving a first request from a client device to send a first electronic document, the first request including a requested usability level of the first electronic document, removing at least one document object from the first electronic document, the document object having potentially malicious content, the removing based at least in part on receiving the first request, and transmitting the first electronic document to the client device after removing the at least one document object therefrom.
    Type: Grant
    Filed: September 26, 2018
    Date of Patent: January 26, 2021
    Assignee: CA, Inc.
    Inventors: Jordan Saxonberg, Joe H. Chen
  • Patent number: 10902131
    Abstract: An information processing device includes a selection receiving unit that receives an input indicating selection of at least one countermeasure among a plurality of countermeasures applicable to a terminal, an operating information specifying unit that specifies a type of operating information corresponding to the countermeasure applicable to the terminal, an operating information acquisition unit that acquires operating information of the type specified by the operating information specifying unit, a remaining terminal specifying unit that specifies remaining terminals where a security risk remains when the countermeasure received by the selection receiving unit is applied based on terminal-specific countermeasure information indicating a countermeasure applicable to each terminal against the security risk, a prediction unit that predicts the number of remaining terminals at a future time based on the operating information acquired by the operating information acquisition unit, and a presentation unit that p
    Type: Grant
    Filed: February 22, 2017
    Date of Patent: January 26, 2021
    Assignee: NEC CORPORATION
    Inventor: Yoshio Yasutome
  • Patent number: 10904270
    Abstract: A security platform employs a variety of techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
    Type: Grant
    Filed: October 30, 2015
    Date of Patent: January 26, 2021
    Assignee: SPLUNK INC.
    Inventors: Sudhakar Muddu, Christos Tryfonas, Ravi Prasad Bulusu, Marios Iliofotou
  • Patent number: 10896085
    Abstract: In an example there is provided a method of applying a mitigation action to a computing system. The method comprises receiving notification of an intrusion event on a computing system. The notification identifies one or more of data, and a process affected by the intrusion event. The method comprises accessing state data corresponding to a state of the computing system prior to the intrusion event, accessing a policy specifying one or more mitigation actions to be applied to the one or more of data, and a process in response to an intrusion event, restoring the one or more of data, and the process on the basis of the state data, and applying a mitigation action according to the policy.
    Type: Grant
    Filed: May 8, 2018
    Date of Patent: January 19, 2021
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Ronny Chevalier, David Plaquin, Guillaume Hiet, Adrian Baldwin
  • Patent number: 10897472
    Abstract: A software threat analysis, detection and containment system includes a data aggregation model that receives and aggregates data from a plurality of sources in a computer network, a classification engine that classifies the aggregated data, and a plurality of data sets into which the classified data is stored. A model creation engine creates threat models based on the content of each data set and a prediction and analysis engine generates actionable information and predictions based on the content of each threat model.
    Type: Grant
    Filed: May 31, 2018
    Date of Patent: January 19, 2021
    Assignee: Enigma Networkz, LLC
    Inventor: Mark Viglione
  • Patent number: 10891558
    Abstract: A system includes a windowing module that divides time series data for each metric into portions. Each portion corresponds to a respective window of time. A hash module calculates a hash value for each of the portions for each of the metrics. An identification module compares the hash values for each pair of metrics and, for a selected pair of metrics, counts how many windows of time in which the hash values of the selected pair of metrics are equal. A pair is identified as a candidate pair in response to the count exceeding a threshold. A metric graph module creates a first edge in a graph based on the candidate pair of metrics. Each of the metrics is a node in the graph and direct relationships between each pair of the metrics are edges in the graph. An anomaly combination module analyzes an anomaly condition based on the graph.
    Type: Grant
    Filed: January 20, 2016
    Date of Patent: January 12, 2021
    Assignee: Anodot Ltd.
    Inventors: Yoni Yom Tov Ben Simhon, Ira Cohen
  • Patent number: 10891259
    Abstract: Techniques to provide access to file system information are disclosed. In various embodiments, an indication that a user input associated with creating a local copy of a file system object has been received is received at a file system client. The file system client determines that a user-driven pre-fetch option has been set with respect to the file system object. The file system client pre-fetches content data associated with the file system object, based at least in part on the determination that the pre-fetch option has been set with respect to the file system object.
    Type: Grant
    Filed: April 24, 2018
    Date of Patent: January 12, 2021
    Assignee: Maginatics LLC
    Inventors: Rajiv Desai, Vaibhav Kamra
  • Patent number: 10891379
    Abstract: A program analysis method according to an exemplary aspect of the present disclosure includes: generating an analysis-target abstract code that is data representing a mathematical model into which an inspection-target execution code is transformed; and determining whether or not the inspection-target execution code is a fraudulent program by executing at least processing of determining whether or not the analysis-target abstract code includes a known factor code that is data representing a mathematical model into which a known execution code is transformed, and processing of determining whether or not a state at an end of execution of the inspection-target execution code is included in success state information indicating a state in which an attack by a fraudulent program is successful.
    Type: Grant
    Filed: April 13, 2017
    Date of Patent: January 12, 2021
    Assignee: NEC CORPORATION
    Inventor: Masaru Kawakita
  • Patent number: 10885189
    Abstract: A host operating system running on a computing device monitors resource access by an application running in a container that is isolated from the host operating system. In response to detecting resource access by the application, a security event is generated describing malicious activity that occurs from accessing the resource. This security event is analyzed to determine a threat level of the malicious activity. If the threat level does not satisfy a threat level threshold, the host operating system allows the application to continue accessing resources and continues to monitor resource access. When the threat level satisfies the threat level threshold, the operating system takes corrective action to prevent the malicious activity from spreading beyond the isolated container. Through the use of security events, the host operating system is protected from even kernel-level attacks without using the resources required to run anti-virus software in the isolated container.
    Type: Grant
    Filed: May 22, 2017
    Date of Patent: January 5, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Charles G. Jeffries, Benjamin M. Schultz, Giridhar Viswanathan, Frederick Justus Smith, David Guy Weston, Ankit Srivastava, Ling Tony Chen, Hari R. Pulapaka
  • Patent number: 10877749
    Abstract: This disclosure relates generally to static analysis of program code, and more specifically to a method and system for non-impacting control dependencies (NCDs)-based repositioning of static analysis alarms in a program code. By determining each of the transitive control dependencies (controlling conditions) of each of the original alarms as either an NCD or an impacting control dependency (ICD) of the corresponding alarm, the system is able to reposition and group similar alarms even if the alarms are associated with or are under different conditional statements by considering the effect of the NCDs and ICDs of the alarms, and the repositioning further reduces the number of alarms.
    Type: Grant
    Filed: March 20, 2020
    Date of Patent: December 29, 2020
    Assignee: Tata Consultancy Services Limited
    Inventors: Tukaram Bhagwat Muske, Rohith Talluri
  • Patent number: 10880316
    Abstract: Computerized methods and systems determine an initial execution of an attack on an endpoint. An indicator of the attack is obtained by analysis of a first process on the endpoint. A sequence of processes that includes the first process associates the initial execution of the attack with the first process. Each respective process in the sequence of processes is created or executed by at least one of the initial execution or a process in the sequence of processes. The initial execution is identified based on linking from the first process to the initial execution through a combination of executions and creations of the processes in the sequence of processes.
    Type: Grant
    Filed: December 9, 2015
    Date of Patent: December 29, 2020
    Assignee: CHECK POINT SOFTWARE TECHNOLOGIES LTD.
    Inventors: Anandabrata Pal, Tamara Leiderfarb, Lior Arzi
  • Patent number: 10878090
    Abstract: The present disclosure is directed to a system and method of detecting malicious files by using a trained machine learning model. The system may comprise a hardware processor configured to form at least one behavior pattern, calculate the convolution of all behavior patterns, select from a database of detection models at least two models for detection of malicious files on the basis of the behavior patterns, calculate the degree of harmfulness of a file being executed on the basis of an analysis of the convolution and the at least two models for detection of malicious files, form, on the basis of the degrees of harmfulness, a decision-making pattern, and recognize the file being executed as malicious if the degree of similarity between the formulated decision-making pattern and at least one of the predetermined decision-making patterns from a database of decision-making patterns previously formulated on the basis of an analysis of malicious files exceeds a predetermined threshold value.
    Type: Grant
    Filed: October 2, 2018
    Date of Patent: December 29, 2020
    Assignee: AO KASPERSKY LAB
    Inventors: Alexander S. Chistyakov, Ekaterina M. Lobacheva, Alexey M. Romanenko
  • Patent number: 10872148
    Abstract: A system, method, and computer program product are provided for isolating a device associated with at least potential data leakage activity, based on user input. In operation, at least potential data leakage activity associated with a device is identified. Furthermore, at least one action is performed to isolate the device, based on user input received utilizing a user interface.
    Type: Grant
    Filed: February 16, 2016
    Date of Patent: December 22, 2020
    Assignee: MCAFEE, LLC
    Inventors: Srinivasan Sankararaman, Deepakeswaran Kolingivadi
  • Patent number: 10873603
    Abstract: Systems and techniques for sharing security data are described herein. Security rules and/or attack data may be automatically shared, investigated, enabled, and/or used by entities. A security rule may be enabled on different entities comprising different computing systems to combat similar security threats and/or attacks. Security rules and/or attack data may be modified to redact sensitive information and/or configured through access controls for sharing.
    Type: Grant
    Filed: March 16, 2018
    Date of Patent: December 22, 2020
    Assignee: Palantir Technologies Inc.
    Inventors: Jacob Albertson, Melody Hildebrandt, Harkirat Singh, Shyam Sankar, Rick Ducott, Peter Maag, Marissa Kimball
  • Patent number: 10873590
    Abstract: Disclosed are systems and methods for cloud detection, investigation and elimination of targeted attacks. In one exemplary aspect, the system comprises a computer protection module configured to: gather information on an object in a computer in a network; and save a security notification with the object in an object database in the network; and a module for protection against targeted attacks configured to: search for the object in a threat database in the network; add one or more tags to the object when the object is found in the threat database and adding a correspondence between a record in the object database and the threat database; and determine that a computer attack has occurred when the one or more tags correspond to signatures in a database of computer attacks.
    Type: Grant
    Filed: March 16, 2018
    Date of Patent: December 22, 2020
    Assignee: AO Kaspersky Lab
    Inventors: Sergey V. Gordeychik, Konstantin V. Sapronov, Yury G. Parshin, Teymur S. Kheirkhabarov, Sergey V. Soldatov
  • Patent number: 10872146
    Abstract: This disclosure relates to systems and methods for generating and distributing protected software applications. In certain embodiments, integrity checking mechanisms may be implemented using integrity checking code in software code prior to compilation into machine code. Following compilation and execution of the application, the introduced code may check the integrity of the application by determining whether the application behaves and/or otherwise functions as expected. By introducing integrity checking in this manner, integrity checking techniques may be injected into the application prior to compilation into machine code and/or independent of the particular manner in which the application is compiled.
    Type: Grant
    Filed: October 31, 2019
    Date of Patent: December 22, 2020
    Assignee: Intertrust Technologies Corporation
    Inventor: Marko Caklovic
  • Patent number: 10867042
    Abstract: Disclosed are systems and methods for generating a convolution function for training a malware detection model. An example method comprises generating, by a processor, a plurality of behavior patterns based on one or more logs of commands executed on a computing device, calculating, by the processor, an effectiveness of each of a plurality of methods for machine learning based on the plurality of behavior patterns, determining, by the processor, a preferred method for machine learning from the plurality of methods for machine learning by selecting the preferred method as the method with the greatest effectiveness from the plurality of methods for machine learning, obtaining, by the processor, parameters of the malware detection model by applying convolution functions to the plurality of behavior patterns, and training, by the processor, the malware detection model to detect malicious files using the preferred method for machine learning.
    Type: Grant
    Filed: June 12, 2018
    Date of Patent: December 15, 2020
    Assignee: AO KASPERSKY LAB
    Inventors: Alexander S. Chistyakov, Ekaterina M. Lobacheva, Alexey M. Romanenko
  • Patent number: 10853480
    Abstract: Examples of the present disclosure describe systems and methods for detecting and mitigating stack pivoting exploits. In aspects, various “checkpoints” may be identified in software code. At each checkpoint, the current stack pointer, stack base, and stack limit for each mode of execution may be obtained. The current stack pointer for each mode of execution may be evaluated to determine whether the stack pointer falls within a stack range between the stack base and the stack limit of the respective mode of execution. When the stack pointer is determined to be outside of the expected stack range, a stack pivot exploit is detected and one or more remedial actions may be automatically performed.
    Type: Grant
    Filed: April 13, 2018
    Date of Patent: December 1, 2020
    Assignee: Webroot Inc.
    Inventor: Andrew Sandoval
  • Patent number: 10855698
    Abstract: In one embodiment, a device obtains simulation environment data regarding traffic generated within a simulation environment in which malware is executed. The device trains a malware detector using the simulation environment data. The device obtains deployment environment characteristics of a network to which the malware detector is to be deployed. The device configures the malware detector to ignore data in the simulation environment data that is associated with one or more environment characteristics that are not present in the deployment environment characteristics.
    Type: Grant
    Filed: December 22, 2017
    Date of Patent: December 1, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Blake Harrell Anderson, Martin Rehak, David McGrew, Martin Vejman, Tomas Pevny, Martin Grill, Jan Kohout
  • Patent number: 10855704
    Abstract: Methods and systems for neutralizing malicious locators. Threat actors may shut down their web pages or applications (i.e., resources) that serve malicious content upon receiving request(s) configured to be perceived by the resource as non-browser requests. Therefore, initiating (large-scale) non-browser requests, or requests that are at least perceived as non-browser requests, may effectively act to inhibit, or even nullify, intended attack vectors.
    Type: Grant
    Filed: February 11, 2020
    Date of Patent: December 1, 2020
    Assignee: Rapid7, Inc.
    Inventors: Roy Hodgman, Aditya Kuppa, Suchin Gururangan, Andrew Reece
  • Patent number: 10855699
    Abstract: Methods, computer-readable media, software, and apparatuses may assist a consumer in keeping track of a consumer's accounts in order to prevent unauthorized access or use of the consumer's identified subscription and financial accounts. The discovered subscriptions and financial accounts may be displayed to the consumer along with recommendations and assistance for closing unused or unwanted financial accounts and subscriptions to prevent unauthorized access or use.
    Type: Grant
    Filed: January 11, 2018
    Date of Patent: December 1, 2020
    Assignee: Allstate Insurance Company
    Inventors: Jason D. Park, John S. Parkinson
  • Patent number: 10853188
    Abstract: A node for use in a data management system includes a persistent storage and a data protection agent. The persistent storage stores data. The data protection agent makes an identification of a data protection strategy change event for the data; in response to the identification: makes a determination that the data protection strategy change event is a scale down event; in response to the determination: identifies a number of replicas of the data in other nodes that are in a predetermined state; makes a second determination that the number of the replicas of the data in the other nodes that are in the predetermined state exceeds a threshold specified by a data protection policy associated with the data protection strategy change event; and reduces the number of replicas that exceed the threshold to be less than the threshold in response to the second determination.
    Type: Grant
    Filed: April 26, 2019
    Date of Patent: December 1, 2020
    Assignee: EMC IP Holding Company LLC
    Inventors: Si Chen, Zhenzhen Lin, Pengfei Wu, Assaf Natanzon
  • Patent number: 10846405
    Abstract: The disclosed computer-implemented method for detecting and protecting against malicious software may include loading an untrusted application having a defined entry point into an emulated computing environment, executing a first instance of the untrusted application in the emulated computing environment beginning at the defined entry point, executing a second instance of the untrusted application beginning at a second entry point downstream from the defined entry point so as to bypass at least a portion of the untrusted application executed in the first instance, identifying the untrusted application as a potential threat based on information extracted from the second instance of the untrusted application, and performing a security action to protect against the untrusted application identified as a threat. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: June 19, 2018
    Date of Patent: November 24, 2020
    Assignee: NORTONLIFELOCK INC.
    Inventors: Mircea Ciubotariu, Dumitru Stama
  • Patent number: 10848559
    Abstract: Malware scan status determination for network-attached storage systems is provided herein. A data storage system as described herein can include a memory that stores computer executable components and a processor that executes computer executable components stored in the memory. The computer executable components can include a data creation component that creates a scan status data structure associated with a network-attached storage (NAS) device, the scan status data structure comprising respective records that indicate a file identifier and a malware scan status for respective files stored on the NAS device, and a data update component that updates a record in the scan status data structure corresponding to a target file stored on the NAS device in response to receiving a malware scan result for the target file.
    Type: Grant
    Filed: May 1, 2018
    Date of Patent: November 24, 2020
    Assignee: EMC IP Holding Company LLC
    Inventors: Shiv Shankar Kumar, Jai Prakash Gahlot, Amit Kumar Chauhan
  • Patent number: 10838844
    Abstract: Data is received or accessed that includes a structured file encapsulating data required by an execution environment to manage executable code wrapped within the structured file. Thereafter, code and data regions are iteratively identified in the structured file. Such identification is analyzed so that at least one feature can be extracted from the structured file. Related apparatus, systems, techniques and articles are also described.
    Type: Grant
    Filed: May 28, 2019
    Date of Patent: November 17, 2020
    Assignee: Cylance Inc.
    Inventors: Derek A. Soeder, Ryan Permeh, Gary Golomb, Matthew Wolff
  • Patent number: 10839085
    Abstract: An example process includes: identifying, by one or more processing devices, candidate code in executable code based on a static analysis of the executable code, where the candidate code includes code that is vulnerable to attack or the candidate code being on a path to code that is vulnerable to attack, where information related to the attack is based, at least in part, on the candidate code; customizing, by one or more processing devices, a healing template based on the information to produce a customized healing template; and inserting, by one or more processing devices, the customized healing template into a version of the executable code at a location that is based on a location of the candidate code in the executable code, where the customized healing template includes code that is executable to inhibit the attack.
    Type: Grant
    Filed: February 11, 2019
    Date of Patent: November 17, 2020
    Assignee: BLUERISC, INC.
    Inventors: Csaba Andras Moritz, Kristopher Carver, Jeffry Gummeson
  • Patent number: 10839103
    Abstract: A method is provided for preventing divulgation of sensitive data in two snapshots, taken at different times, of one or more same systems in a cloud environment. The method identifies a set of files from among file pairs. Each file pair is formed from a respective file that includes at least one difference with respect to each snapshot. The method performs a pattern reducing process that removes, from the set of files, any of the files having, as the difference, a predetermined non-sensitive difference between respective executions of a pre-determined system operation. The method performs a commonality reducing process that removes, from the set of files, any files having, as the difference, a common difference between different users. The method annotates data in remaining files in the set as potentially being the sensitive data, subsequent to the reducing processes. The two snapshots include at least one Sandbox-based image.
    Type: Grant
    Filed: August 13, 2019
    Date of Patent: November 17, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Ai Ishida, Takuya Mishina, Yuji Watanabe
  • Patent number: 10834124
    Abstract: An opportunity to assist with remediation of a file at a remote particular host device is identified. One or more remediation techniques are identified that can be applied to assist with remediation of the file at the particular host device. In one aspect, one or more remediation scripts are identified from a plurality of remediation scripts for remediation of the file and provided to the particular host device for execution on the particular host device. In another aspect, a remediation tool is identified and launched on a computing device remote from the particular host device with operations of the remediation tool applied to resources of the particular host device. In another aspect, at least a portion of the remediation techniques are remotely initiated to be performed locally at the particular host device.
    Type: Grant
    Filed: January 30, 2019
    Date of Patent: November 10, 2020
    Assignee: McAfee, LLC
    Inventors: John D. Teddy, James Douglas Bean, Gregory William Dalcher, Jeff Hetzler
  • Patent number: 10834138
    Abstract: Among other things, this document describes systems, methods and devices for discovering and identifying client devices that attempt to access out-of-policy network services via a secure web gateway (or other network security gateway) that lacks visibility into the client network's actual IP space. This is a common problem with cloud-hosted SWG services that enforce access policy from outside of a customer network (e.g., external to an enterprise network), due to network address translation at the interface between the customer network and the public Internet where the cloud-hosted SWG resides. The teachings hereof address this problem. In one embodiment, a cloud-hosted SWG can redirect a client to a bouncer device inside the customer network; that bouncer device can capture the actual client IP address.
    Type: Grant
    Filed: August 13, 2018
    Date of Patent: November 10, 2020
    Assignee: Akamai Technologies, Inc.
    Inventors: Eugene (John) Neystadt, Michael Graham, John Devasia
  • Patent number: 10826756
    Abstract: A computing system utilizes crowd sourcing to generate remediation files for systems experiencing alert conditions. During the generation of the remediation files the computing system identifies a plurality of different types of alerts associated with a plurality of different client systems. The computing system also generates a plurality of different client remediation process sets for each type of alert based on a correlation of process proximity and time to the alert conditions and determines which of the plurality of processes are related to the identified alert based on values in a correlation vector. Then, client remediation process sets are created to include the processes that are determined to be related to the identified alert and are clustered together to identify the processes to include in the generated composite remediation file for each type of alert, based on correlations existing between the plurality of different client remediation process sets.
    Type: Grant
    Filed: August 6, 2018
    Date of Patent: November 3, 2020
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Ben Kliger, Moshe Israel, Dotan Patrich, Michael Zeev Bargury
  • Patent number: 10824722
    Abstract: The present invention discloses methods and systems for genetic malware analysis and classification using code reuse patterns. Methods include the steps of: upon receiving a target binary file, disassembling the target binary file into assembly code; extracting individually-identifiable code fragments from the assembly code; normalizing the individually-identifiable code fragments into target genes; and collating the target genes into a code genome database. Alternatively, the step of normalizing includes upon detecting a MOV instruction, corresponding to a command to move values to a register before performing a CALL instruction, normalizing the MOV instruction to a PUSH instruction in the target genes. Alternatively, the step of normalizing includes upon detecting a SUB instruction, corresponding to a command for a subtraction operation to be performed, normalizing the SUB instruction to an ADD instruction, corresponding to a command for an addition operation to be performed, in the target genes.
    Type: Grant
    Filed: October 4, 2019
    Date of Patent: November 3, 2020
    Assignee: Intezer Labs, Ltd.
    Inventors: Itai Tevet, Roy Halevi, Ari Eitan
  • Patent number: 10824723
    Abstract: Particular embodiments described herein provide for an electronic device that can be configured to identify a binary file, identify strings in the binary file, determine that at least one string in the binary file is larger than one kilobyte of data, identify at least one substring from each of the at least one strings in the binary file that is larger than one kilobyte of data, and analyze each of the at least one substrings to determine if each of the at least one substrings is suspicious and related to malware.
    Type: Grant
    Filed: September 26, 2018
    Date of Patent: November 3, 2020
    Assignee: McAfee, LLC
    Inventor: Daniel L. Burke
  • Patent number: 10826934
    Abstract: Example techniques described herein determine a validation dataset, determine a computational model using the validation dataset, or determine a signature or classification of a data stream such as a file. The classification can indicate whether the data stream is associated with malware. A processing unit can determine signatures of individual training data streams. The processing unit can determine, based at least in part on the signatures and a predetermined difference criterion, a training set and a validation set of the training data streams. The processing unit can determine a computational model based at least in part on the training set. The processing unit can then operate the computational model based at least in part on a trial data stream to provide a trial model output. Some examples include determining the validation set based at least in part on the training set and the predetermined criterion for difference between data streams.
    Type: Grant
    Filed: January 10, 2017
    Date of Patent: November 3, 2020
    Assignee: CrowdStrike, Inc.
    Inventors: Sven Krasser, David Elkind, Brett Meyer, Patrick Crenshaw