Magenta Security Holdings LLC

United States of America

1-100 of 452 for Magenta Security Holdings LLC
Date
2024 December 1
2024 20
2023 21
2022 27
2021 26
IPC Class
H04L 29/06 - Communication control; Communication processing characterised by a protocol 249
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements 148
G06F 21/55 - Detecting local intrusion or implementing counter-measures 85
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines 73
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities 53
Status
Pending 7
Registered / In Force 445

1.

Malware detection verification and enhancement by coordinating endpoint and malware detection systems

      
Application Number 17588097
Grant Number 12166786
Status In Force
Filing Date 2022-01-28
First Publication Date 2024-12-10
Grant Date 2024-12-10
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Aziz, Ashar
  • Ismael, Osman Abdoul

Abstract

A system and non-transitory computer-readable medium including a security logic engine (SLE) to detect malicious objects based on operations conducted by an endpoint device and/or a malware detection system. The SLE includes formatting logic and a correlation engine. The formatting logic is configured to receive data from an endpoint device and a malware detection system via a network interface and to convert the data into a format used by logic within the SLE. The correlation engine is configured to (i) correlate a plurality of features included as part of the data with known behaviors and characteristics of at least malicious objects and (ii) correlate a first set of features of the plurality of features received from the endpoint device with a second set of features of the plurality of features received from the malware detection system to verify a determination of maliciousness by the endpoint device and/or the malware detection system.

2.

Enterprise search

      
Application Number 17063618
Grant Number 12130909
Status In Force
Filing Date 2020-10-05
First Publication Date 2024-10-29
Grant Date 2024-10-29
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Ross, Steven Antonio
  • Duong, Ai Quoc
  • King, Larry Alan
  • Young, John Patrick

Abstract

A method performed by an enterprise search system to conduct an automated, computerized search for select operational attributes of a plurality of network devices is shown. The method comprises initiating the search via a user interface based on receipt of input information, which is used to form a query. The method then determines based on the query, one or more audits each specifying one or more tasks to be performed by at least a first network device to search for the select operational attributes. Subsequently, the method makes the one or more audits available to the first network device via a network, and receives, from the first network device, one or more responses to the query. The method may include generating one or more filter conditions to apply to results of executing the one or more tasks to yield the select operational attributes when included in the results.

IPC Classes

  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

3.

CYBERSECURITY INVESTIGATION TOOLS UTILIZING INFORMATION GRAPHS

      
Application Number 18755297
Status Pending
Filing Date 2024-06-26
First Publication Date 2024-10-17
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Infante-Lopez, Gabriel G.
  • Nadkarni, Hemang Satish
  • Michelis, Pablo Andres
  • Cuenca-Acuna, Francisco Matias
  • Marenchino, Matias L.
  • Torino, Maria

Abstract

Example apparatus disclosed herein iteratively link data from one or more cybersecurity tools based on a graph schema to generate an information graph. Disclosed example apparatus also cause presentation of a first pattern detected in the information graph. Disclosed example apparatus further update the information graph based on data from at least one of the cybersecurity tools, the at least one of the cybersecurity tools selected based on a second pattern, the second pattern associated with a known cyberattack technique.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 16/901 - Indexing; Data structures therefor; Storage structures

4.

ONE-CLICK REPUTATION ADJUSTMENT

      
Application Number 18732312
Status Pending
Filing Date 2024-06-03
First Publication Date 2024-09-26
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Smith, Christopher
  • Hanson, Ii, Don R.

Abstract

In an example, there is disclosed a monolithic reputation update on a data exchange layer (DXL). According to one embodiment, designating a set of objects as good or bad can be achieved via a single administrative action by leveraging persistent client initiated connections to the DXL framework. This may enable communication of the reputation updates across a heterogeneous infrastructure, including systems potentially unreachable by the server, such as those behind a firewall or NAT.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 16/28 - Databases characterised by their database models, e.g. relational or object models
  • G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

5.

System and method for selectively processing content after identification and removal of malicious content

      
Application Number 16231089
Grant Number 12074887
Status In Force
Filing Date 2018-12-21
First Publication Date 2024-08-27
Grant Date 2024-08-27
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor Gardezi, Muhammad Zain Ul Abadin

Abstract

A system and method directed toward the deployment of one or more security plug-ins for software components (e.g., applications) that analyze incoming content and selectively prevent malicious portions of the content from being processed by the applications without limiting the processing and/or rendering of the legitimate (non-malicious) portions of the incoming content is described. Each of the security plug-ins is communicatively coupled to a published interface of a software component, such as an application. The security plug-in includes logic to (i) gain access to content received by the software component prior to processing of the content by the software component, (ii) parse the content into separate segments, (iii) analyze each content segment to determine whether the content segment is malicious or non-malicious, and (iv) permit rendering of one or more non-malicious content segments while preventing processing of one or more malicious content segments.

6.

System and method for detecting cyberattacks impersonating legitimate sources

      
Application Number 18456953
Grant Number 12200013
Status In Force
Filing Date 2023-08-28
First Publication Date 2024-06-13
Grant Date 2025-01-14
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Gardezi, Muhammad Zain Ul Abadin
  • Saeed, Mohsin
  • Ahmed, Hassan
  • Abbasi, Fahim

Abstract

A system and method for detecting phishing cyberattacks. The method involves parsing a code segment retrieved using a suspect uniform resource locator (URL) to identify any links included in the code segment. From these links, additional code segments may be recovered in accordance with a code segment recovery scheme. Thereafter, analytics are performed on the retrieved and possibly recovered code segments. The analytics include determining whether any of the code segments is correlated with a code segment associated with a known prior phishing cyberattack. Upon completing the analytics, an alert message including meta-information associated with results from the analytics is generated to identify that the URL is associated with a known prior phishing cyberattack when one or perhaps a combination of code segments associated with the URL are correlated to any code segment associated with a known prior phishing cyberattack.

7.

Attribute-controlled malware detection

      
Application Number 17063648
Grant Number 11997111
Status In Force
Filing Date 2020-10-05
First Publication Date 2024-05-28
Grant Date 2024-05-28
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Siddiqui, Mumtaz
  • Radhakrishnan, Manju
  • Agarwal, Deepak

Abstract

A cloud-based system is designed with multi-tenancy controls for conducting analytics performed on objects submitted by a subscriber. This system features an analysis monitoring service and an analysis selection service. The analysis monitoring service, operating as a first cloud service, includes logic that is configured to collect metadata associated with an operating state for each of a plurality of clusters and generate cluster selection information. The analysis selection service, operating as a second cloud service and communicatively coupled to the analysis monitoring service, is configured to select a cluster of the plurality of clusters to analyze the object for malware based, at least in part, on the cluster selection information provided from the analysis monitoring service.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

8.

System and method for automated system for triage of cybersecurity threats

      
Application Number 18118077
Grant Number 11985149
Status In Force
Filing Date 2023-03-06
First Publication Date 2024-05-14
Grant Date 2024-05-14
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Vashisht, Sai
  • Khul, Rahul

Abstract

A device for verifying previous determinations from cybersecurity devices comprising a processor and a memory. The memory comprises submission analysis logic including workflow selector logic to receive the object data and process the object data to select at least one analyzer supported by the analyzer logic. The analyzer logic, in accordance with the selected analyzer(s), is configured to (i) analyze the object data for potential threats and embedded object data, (ii) generate results data based on that analysis, and (iii) pass the embedded object data back to the workflow selector for further analysis. Finally, the submission analysis logic comprises triage ticket generation logic to generate triage tickets for analyst review and alert logic to generate automatic alerts.

9.

Technique for verifying exploit/malware at malware detection appliance through correlation with endpoints

      
Application Number 17087550
Grant Number 11979428
Status In Force
Filing Date 2020-11-02
First Publication Date 2024-05-07
Grant Date 2024-05-07
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Ismael, Osman Abdoul
  • Aziz, Ashar

Abstract

A technique verifies a determination of an exploit or malware in an object at a malware detection system (MDS) appliance through correlation of behavior activity of the object running on endpoints of a network. The appliance may analyze the object to render a determination that the object is suspicious and may contain the exploit or malware. In response, the MDS appliance may poll the endpoints (or receive messages pushed from the endpoints) to determine whether any of the endpoints may have analyzed the suspect object and observed its behaviors. If the object was analyzed, the endpoints may provide the observed behavior information to the appliance, which may then correlate that information, e.g., against correlation rules, to verify its determination of the exploit or malware. In addition, the appliance may task the endpoints to analyze the object, e.g., during run time, to determine whether it contains the exploit and provide the results to the appliance for correlation.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine

10.

System and method for circumventing evasive code for cyberthreat detection

      
Application Number 17902878
Grant Number 11947669
Status In Force
Filing Date 2022-09-04
First Publication Date 2024-04-02
Grant Date 2024-04-02
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Vashisht, Sai
  • Paithane, Sushant
  • Pathan, Imtiyaz Yunus

Abstract

One embodiment of the described invention is directed to a computerized method for improving detection of cybersecurity threats initiated by a script. Herein, the method is configured to analyze the script provided as part of a script object by at least (i) determining whether any functional code blocks forming the script include a critical code statement, (ii) determining whether any of the functional code blocks include an evasive code statement, (iii) modifying the script to control processing of a subset of the functional code blocks by avoiding an execution code path including the evasive code statement and processing functional code blocks forming a code path including the critical code statement, and (iv) executing the modified script and monitoring behaviors of a virtual environment. Thereafter, the method is configured to determine whether the script includes cybersecurity threats based on the monitored behaviors.

IPC Classes

  • G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

11.

Dynamically remote tuning of a malware content detection system

      
Application Number 17710349
Grant Number 11949698
Status In Force
Filing Date 2022-03-31
First Publication Date 2024-04-02
Grant Date 2024-04-02
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Vincent, Michael
  • Thioux, Emmanuel
  • Vashisht, Sai
  • Kindlund, Darien

Abstract

According to one embodiment, a non-transitory storage medium is configured to store a plurality of engines, which operate to conduct an analysis of a received object to determine if the object is associated with a malicious attack. The plurality of engines includes a first engine and a second engine. The first engine is configured to conduct a first analysis of the received object for anomalous behaviors including anomalous actions or omissions during virtual processing of the object that indicate the received object is malicious. The second engine is configured to conduct a second analysis corresponding to a classification of the object as being associated with a malicious attack. The analysis schemes conducted by the first engine and the second engine may be altered via configuration files, which adjust (i) parameter value(s) or (ii) operation rule(s) to alter the analysis conducted by the first engine and/or second engine.

IPC Classes

  • G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • H04L 9/40 - Network security protocols

12.

Risk analyzer for ascertaining a risk of harm to a network and generating alerts regarding the ascertained risk

      
Application Number 17146417
Grant Number 11936666
Status In Force
Filing Date 2021-01-11
First Publication Date 2024-03-19
Grant Date 2024-03-19
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Aziz, Ashar
  • Ismael, Osman Abdoul

Abstract

Computerized techniques to determine and verify maliciousness of an object are described. A malware detection system intercepts in-bound network traffic at a periphery of a network to capture and analyze behaviors of content of network traffic monitored during execution in a virtual machine. One or more endpoint devices on the network also monitor for behaviors during normal processing. Correlation of the behaviors captured by the malware detection system and the one or more endpoint devices may verify a classification by the malware detection system of maliciousness of the content. The malware detection system may communicate with the one or more endpoint devices to influence detection and reporting of behaviors by those device(s).

IPC Classes

  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • H04L 9/40 - Network security protocols
  • H04W 12/128 - Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware

13.

System and method for improved end-to-end cybersecurity machine learning and deployment

      
Application Number 17576558
Grant Number 11921851
Status In Force
Filing Date 2022-01-14
First Publication Date 2024-03-05
Grant Date 2024-03-05
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Vashisht, Sai Omkar
  • Khul, Rahul
  • Fang, Chunsheng

Abstract

The presently disclosed subject matter includes an apparatus that receives a dataset with values associated with different digital resources captured from a group of compute devices. The apparatus includes a feature extractor, to generate a set of feature vectors, each feature vector from the set of feature vectors associated with a set of data included in the received dataset. The apparatus uses the set of feature vectors to validate multiple machine learning models trained to determine whether a digital resource is associated with a cyberattack. The apparatus selects at least one active machine learning model and sets the remaining trained machine learning models to operate in an inactive mode. The active machine learning model generates a signal to alert a security administrator, blocks a digital resource from loading at a compute device, or executes other remedial action, upon a determination that the digital resource is associated with a cyberattack.

IPC Classes

  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06N 20/00 - Machine learning

14.

METHODS AND APPARATUS TO MITIGATE FIRMWARE MALWARE

      
Application Number 17894797
Status Pending
Filing Date 2022-08-24
First Publication Date 2024-02-29
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor Schooley, Timothy James

Abstract

Example methods and apparatus are disclosed herein to mitigate firmware malware, an example apparatus comprising at least one memory; instructions; and at least one processor to execute the instructions to cause the at least one processor to at least: detect presence of firmware malware, the firmware malware to be executed prior to booting of an operating system of a computing device; attempt remediation of the firmware malware; and in response to a failure to remediate the firmware malware, cause display of a notification of the presence of the firmware malware.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

15.

System and method for identifying and mitigating cyberattacks through malicious position-independent code execution

      
Application Number 16586794
Grant Number 11886585
Status In Force
Filing Date 2019-09-27
First Publication Date 2024-01-30
Grant Date 2024-01-30
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor Davis, Stephen

Abstract

A computing system including a processor and a memory, which includes a first memory region operating as a kernel space and a second memory region operating as a user space. Maintained within the kernel space, a first logic unit receives a notification identifying a newly created thread and extracts at least meta-information associated with the newly created thread. Maintained within the user space, a second logic unit receives at least the meta-information associated with the newly created thread and conducts analytics on at least the meta-information to attempt to classify the newly created thread. An alert is generated by the second logic unit upon classifying the newly created thread as a cyberattack associated with a malicious position independent code execution based at least on results of the analytics associated with the meta-information associated with the newly created thread.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 11/32 - Monitoring with visual indication of the functioning of the machine
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

16.

Subscription and key management system

      
Application Number 18075140
Grant Number 11888875
Status In Force
Filing Date 2022-12-05
First Publication Date 2024-01-30
Grant Date 2024-01-30
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Vashisht, Sai
  • Deshpande, Sumer

Abstract

One embodiment of the described invention is directed to a key management module and a consumption quota monitoring module deployed within a cybersecurity system. The key management module is configured to assign a first key to a subscriber and generate one or more virtual keys, based at least in part on the first key, for distribution to the subscriber. A virtual key is included as part of a submission received from the subscriber to authenticate the subscriber and verify that the subscriber is authorized to perform a task associated with the submission. The consumption quota monitoring module is configured to monitor a number of submissions received from the subscriber.

17.

System and method for detecting repetitive cybersecurity attacks constituting an email campaign

      
Application Number 17385835
Grant Number 11882140
Status In Force
Filing Date 2021-07-26
First Publication Date 2024-01-23
Grant Date 2024-01-23
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Xavier, Jijo
  • Venal, Robert

Abstract

According to one embodiment, a system for detecting an email campaign includes feature extraction logic, pre-processing logic, campaign analysis logic and a reporting engine. The feature extraction logic obtains features from each of a plurality of malicious email messages received for analysis while the pre-processing logic generates a plurality of email representations that are arranged in an ordered sequence and correspond to the plurality of malicious email messages. The campaign analysis logic determines the presence of an email campaign in response to a prescribed number of successive email representations being correlated to each other, where the results of the email campaign detection are provided to a security administrator via the reporting engine.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 51/212 - Monitoring or handling of messages using filtering or selective blocking

18.

System and method for automatically prioritizing rules for cyber-threat detection and mitigation

      
Application Number 17710882
Grant Number 11876836
Status In Force
Filing Date 2022-03-31
First Publication Date 2024-01-16
Grant Date 2024-01-16
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Schottland, Paul
  • Dey, Chinmoy
  • Glyer, Christopher

Abstract

A system and computerized method for generating an improved cyber-security rule ordering for cyber-security threat detection or post-processing activities conducted by a rules-based cyber-security engine deployed within a network device is described. Herein, historical metadata associated with analytics conducted on incoming data by a rule-based cyber-security engine and in accordance with a plurality of rules is described. These rules are arranged in a first ordered rule sequence. The historical metadata is analyzed to determine one or more salient rules from the plurality of rules. The plurality of rules are reprioritized by at least rearranging an order to a second ordered rule sequence with the one or more salient rules being positioned toward a start of the second ordered rule sequence. Thereafter, the rule-based cyber-security engine operates in accordance with the reprioritized rule set that is arranged in the second ordered rule sequence to achieve improved performance.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]

19.

Selective virtualization for security threat detection

      
Application Number 17712176
Grant Number 11868795
Status In Force
Filing Date 2022-04-03
First Publication Date 2024-01-09
Grant Date 2024-01-09
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Paithane, Sushant
  • Vincent, Michael

Abstract

Selective virtualization of resources is provided, where the resources may be intercepted and serviced or the resources may be intercepted and redirected. Virtualization logic monitors for one or more activities that are performed in connection with one or more resources and conducted during processing of an object within the virtual machine. The first virtualization logic further selectively virtualizes resources associated with the one or more activities that are initiated during the processing of the object within the virtual machine by at least redirecting a first request of a plurality of requests to a different resource than requested by a monitored activity of the one or more activities.

IPC Classes

  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • H04L 9/40 - Network security protocols

20.

Subscription-based malware detection

      
Application Number 17872854
Grant Number 11863581
Status In Force
Filing Date 2022-07-25
First Publication Date 2024-01-02
Grant Date 2024-01-02
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Siddiqui, Mumtaz
  • Radhakrishnan, Manju

Abstract

A computerized method is described for authenticating access to a subscription-based service to detect an attempted cyber-attack. More specifically, service policy level information is received by a cloud broker. The service policy level information includes an identifier of a sensor operating as a source of one or more objects for analysis and an identifier assigned to a customer associated with the sensor. Thereafter, a cluster of a plurality of clusters is selected by the cloud broker. The cloud broker is configured to (i) analyze whether one or more objects are associated with an attempted cyber-attack by at least analyzing the sensor identifier to select the cluster based on at least a geographical location of the sensor determined by the sensor identifier and (ii) establish a communication session between the sensor and the cluster via the cloud broker until termination of the communication session.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 21/10 - Protecting distributed programs or content, e.g. vending or licensing of copyrighted material
  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
  • H04L 41/5003 - Managing SLA; Interaction between SLA and QoS
  • H04W 12/63 - Location-dependent; Proximity-dependent
  • H04L 67/52 - Network services specially adapted for the location of the user terminal

21.

Multi-vector malware detection data sharing system for improved detection

      
Application Number 18097091
Grant Number 11856011
Status In Force
Filing Date 2023-01-13
First Publication Date 2023-12-26
Grant Date 2023-12-26
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Vashisht, Sai
  • Deshpande, Sumer
  • Paithane, Sushant
  • Menon, Rajeev

Abstract

A computerized method for analyzing an object is disclosed. The computerized method includes obtaining, by a cybersecurity system, an object and context information generated during a first malware analysis of the object conducted prior to obtaining the object. Thereafter, the cybersecurity system performs a second malware analysis of the object to determine a verdict indicating maliciousness of the object. The scrutiny of the second malware analysis is adjusted based, at least in part, on the context information, which may include (i) activating additional or different monitors, (ii) adjusting thresholds for determining maliciousness, or (iii) applying a modified rule set during the second malware analysis based on the context information.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

22.

Apparatus and methods to classify malware with explainability with artificial intelligence models

      
Application Number 17838973
Grant Number 12130916
Status In Force
Filing Date 2022-06-13
First Publication Date 2023-12-14
Grant Date 2024-10-29
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Healy, Sorcha
  • Beek, Christiaan

Abstract

Apparatus, systems, and methods to classify malware with explainability are disclosed. An example apparatus includes at least one memory; instructions in the apparatus; and processor circuitry. The example processor circuitry is to execute the instructions to: generate feature vectors from a first input; train a neural network model using a first portion of the feature vectors; add one or more fully connected layers to the trained neural network model to form a hybrid model; validate the hybrid model using a second portion of the feature vectors; and deploy the validated hybrid model as a malware classifier, the malware classifier to provide a malware classification with explainability in response to a second input.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • G06N 3/045 - Combinations of networks
  • G06N 3/08 - Learning methods

23.

Run-time configurable cybersecurity system

      
Application Number 17133397
Grant Number 11838300
Status In Force
Filing Date 2020-12-23
First Publication Date 2023-12-05
Grant Date 2023-12-05
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Vashisht, Sai
  • Khangan, Sagar

Abstract

A system for conducting cyberthreat analytics on a submitted object to determine whether the object is malicious is described. The system features a cybersecurity system operating with a cloud platform, which is configured to host resources including cloud processing resources and cloud storage resources. The cybersecurity system is configured to analyze one or more received objects included as part of a submission received from a subscriber after authentication of the subscriber and verification that the subscriber is authorized to perform one or more tasks associated with the submission. The cybersecurity system is configured to operate as a multi-tenant Security-as-a-Service (SaaS) that relies upon the cloud processing resources and the cloud storage resources provided by the cloud platform in performing the cybersecurity operations.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06N 20/00 - Machine learning
  • G06F 18/214 - Generating training patterns; Bootstrap methods, e.g. bagging or boosting

24.

System and method for bootkit detection

      
Application Number 16144781
Grant Number 11763004
Status In Force
Filing Date 2018-09-27
First Publication Date 2023-09-19
Grant Date 2023-09-19
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Davis, Andrew
  • House, Frederick
  • Fisher, Ryan

Abstract

An embodiment of a computerized method for detecting bootkits is described. Herein, a lowest level software component within a software stack, such as a lowest software driver within a disk driver stack, is determined. The lowest level software component is in communication with a hardware abstraction layer of a storage device. Thereafter, stored information is extracted from the storage device via the lowest level software component, and representative data based on the stored information, such as execution hashes, are generated. The generated data is analyzed to determine whether the stored information includes a bootkit.

IPC Classes

  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

25.

System and method for retrieval and analysis of operational data from customer, cloud-hosted virtual resources

      
Application Number 17710909
Grant Number 11750618
Status In Force
Filing Date 2022-03-31
First Publication Date 2023-09-05
Grant Date 2023-09-05
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Vashisht, Sai
  • Deshpande, Sumer
  • Paithane, Sushant
  • Khul, Rahul

Abstract

A system for protecting public cloud-hosted virtual resources features cloud visibility logic. According to one embodiment, the cloud visibility logic includes credential evaluation logic, data collection logic, correlation logic, and reporting logic. The credential evaluation logic is configured to gain authorized access to a cloud account within a first public cloud network. The data collection logic is configured to retrieve account data from the cloud account, while the correlation logic is configured to conduct analytics on the account data to determine whether the cloud account is subject to a cybersecurity threat or misconfiguration. The reporting logic is configured to generate an alert when the cloud account is determined by the correlation logic to be subject to the cybersecurity threat or misconfiguration.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 9/54 - Interprogram communication
  • G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]

26.

Methods and apparatus for generic process chain entity mapping

      
Application Number 17573506
Grant Number 11966477
Status In Force
Filing Date 2022-01-11
First Publication Date 2023-07-13
Grant Date 2024-04-23
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Fitzgerald, Niall
  • King, Jonathan
  • Beek, Christiaan

Abstract

Methods, apparatus, systems and articles of manufacture are disclosed for generic process chain entity mapping. An example apparatus includes at least one memory, instructions in the apparatus, and processor circuitry to execute the instructions to receive process chain input data, the input data including a system path, identify a match between a path alias and the input data, wherein the path alias includes an alias for one or more system path format patterns, extract at least one of (1) metadata information or (2) command line parameter information from the match, and output transformed data based on the at least one of the extracted metadata information or command line parameter information, the transformed data output in a generalized format.

IPC Classes

  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • G06F 21/51 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

27.

Methods and apparatus to implement a deterministic indicator and confidence scoring model

      
Application Number 17566758
Grant Number 12093382
Status In Force
Filing Date 2021-12-31
First Publication Date 2023-07-06
Grant Date 2024-09-17
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Beek, Christiaan
  • Fokker, John
  • Grobman, Steve

Abstract

Methods, apparatus, systems, and articles of manufacture are disclosed. In one example, an apparatus includes at least one memory, instructions, and processor circuitry. The processor circuitry at least executes or instantiates the instructions to receive a group of indicators from a campaign attack, then query an indicator database with an indicator from the group of indicators, and then predict an identification of the campaign attack in response to the indicator having a current deterministic indicator and confidence scoring (DISC) score in the indicator database, wherein the DISC score represents at least one of a lethality component, a determinism component, or a confidence component of the indicator.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06N 7/01 - Probabilistic graphical models, e.g. probabilistic networks

28.

Automated enforcement of security policies in cloud and hybrid infrastructure environments

      
Application Number 18165171
Grant Number 11962622
Status In Force
Filing Date 2023-02-06
First Publication Date 2023-06-15
Grant Date 2024-04-16
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Kung, Lisun Joao
  • Santos, Jose Renato Goncalves
  • Sikder, Sarowar Golam

Abstract

To prevent un-authorized accesses to data and resources available in workloads on an organization's or enterprise's computer network, various improvements to automated computer network security processes to enable them to enforce network security policies using native network security mechanisms to control communications to and/or from workload units of applications running on different nodes within hybrid computer network infrastructures having both traditional hardware resources and virtual resources provided by private and public cloud infrastructure services.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 9/40 - Network security protocols

29.

System and method for detecting and protecting against cybersecurity attacks on servers

      
Application Number 16557483
Grant Number 11677786
Status In Force
Filing Date 2019-08-30
First Publication Date 2023-06-13
Grant Date 2023-06-13
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Vashisht, Sai
  • Sharma, Ishan

Abstract

An electronic device for detecting threats within a server including a processor, and a memory communicatively coupled to the processor. The memory includes an inspection logic to receive a suspicious object for threat evaluation, and an analyzer logic including at least a first analyzer. The first analyzer, when processed by the processor, generates a virtual environment including a virtual client and a virtual server in communication over a virtualized communication link. The memory also includes a detonator logic configured to trigger the suspicious object. The analyzer logic loads and initializes the suspicious object into the virtual environment and further generates a first score based upon the triggering by the detonator logic that is indicative of a threat posed by the suspicious object. The memory may also include a reporting logic that compares a threat score to at least one threshold and in response may generate at least one remedial action.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines

30.

System and method for scanning remote services to locate stored objects with malware

      
Application Number 17844644
Grant Number 11665188
Status In Force
Filing Date 2022-06-20
First Publication Date 2023-05-30
Grant Date 2023-05-30
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor Vashisht, Sai

Abstract

A non-transitory storage medium including software for detecting malicious objects stored at a cloud-based remote service is described. Herein, the software includes first, second and third logic modules. The first logic module is configured to (i) identify the cloud-based remote service hosting one or more objects and (ii) acquire access to the one or more objects stored within the cloud-based remote service. The second logic module is configured to retrieve the one or more objects from the cloud-based remote service and submit the object(s) to a plurality of analytic engines. Each analytic engine is configured to conduct analytics on at least a first object of the object(s) and generate results based on the analytics conducted on at least the first object. The third logic is configured to conduct an analysis of meta-information associated with the first object to determine whether the first object is to be classified as malicious or benign.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 16/9535 - Search customisation based on user profiles and personalisation

31.

Dynamic adaptive defense for cyber-security threats

      
Application Number 18158350
Grant Number 11985160
Status In Force
Filing Date 2023-01-23
First Publication Date 2023-05-25
Grant Date 2024-05-14
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Thomas, Bernard
  • Scott, David
  • Brott, Fred
  • Smith, Paul

Abstract

Disclosed is a cyber-security system that is configured to aggregate and unify data from multiple components and platforms on a network. The system allows security administrators to design and implement a workflow of device-actions taken by security individuals in response to a security incident. Based on the nature of a particular threat, the cyber-security system may initiate an action plan that is tailored to the security operations center and their operating procedures to protect potentially impacted components and network resources.

IPC Classes

  • H04L 9/00 - Arrangements for secret or secure communications; Network security protocols
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 9/40 - Network security protocols

32.

End-point visibility

      
Application Number 18092058
Grant Number 11971994
Status In Force
Filing Date 2022-12-30
First Publication Date 2023-05-04
Grant Date 2024-04-30
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Rubakha, Dmitri
  • Cuenca-Acuna, Francisco M.
  • Juarez, Hector R.
  • Costantino, Leandro I.

Abstract

A system for securing electronic devices includes a processor, a storage medium communicatively coupled to the processor, and a monitoring application comprising computer-executable instructions on the medium. The instructions are readable by the processor. The monitoring application is configured to receive an indication that a client has been affected by malware, cause the client to boot from a trusted operating system image, cause a launch of a secured security application on the client from a trusted application image, and analyze a malware status of the client through the secured security application.

IPC Classes

  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

33.

Advanced threat protection cross-product security controller

      
Application Number 18092083
Grant Number 12079336
Status In Force
Filing Date 2022-12-30
First Publication Date 2023-05-04
Grant Date 2024-09-03
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Pearcy, Derek
  • Heinrich, Jessica
  • Bishop, Michael
  • Fiorentino, Cristian
  • Gaskins, Jessica
  • Borkowsky, Martina

Abstract

A system for securing electronic devices includes a processor, non-transitory machine readable storage medium communicatively coupled to the processor, security applications, and a security controller. The security controller includes computer-executable instructions on the medium that are readable by the processor. The security application is configured to determine a suspicious file from a client using the security applications, identify whether the suspicious file has been encountered by other clients using the security applications, calculate a time range for which the suspicious file has been present on the clients, determine resources accessed by the suspicious file during the time range, and create a visualization of the suspicious file, a relationship between the suspicious file and the clients, the time range, and the resources accessed by the suspicious file during the time range.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • H04L 9/40 - Network security protocols

34.

Method and apparatus to identify creator of COM process created using OLE automation

      
Application Number 17514437
Grant Number 12216760
Status In Force
Filing Date 2021-10-29
First Publication Date 2023-05-04
Grant Date 2025-02-04
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Kumar, Manish
  • Edwards, Jonathan L.

Abstract

An apparatus includes a memory that stores instructions; and a processing unit that executes the instructions to identify a created process, to receive a notification of a first event for an ancestor process and a notification for a second event for the created process, the notification of the first event indicating a first ActivityID and a first ID, the notification of the second event indicating a second ActivityID and a second ID, the first ID being different from the second ID, to perform a first determination that the created process was created by a component object model (COM) call, at least in part based on the second ID, and to perform a second determination that the ancestor process indirectly created the created process, at least in part based on the first and second ActivityIDs and the first determination.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

35.

System and method for cybersecurity analyzer update and concurrent management system

      
Application Number 16796541
Grant Number 11636198
Status In Force
Filing Date 2020-02-20
First Publication Date 2023-04-25
Grant Date 2023-04-25
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Kulkarni, Neeraj
  • Beard, Jr., Robert M.
  • Caron, Robin

Abstract

An electronic device for receiving and seamlessly providing cybersecurity analyzer updates and concurrent management systems for detecting cybersecurity threats including a processor and a memory communicatively coupled to the processor. The memory stores an analyzer logic to generate a first analyzer configured to receive a suspicious object for threat evaluation, an inspection logic to manage a first queue of suspicious objects for threat evaluation to the first analyzer, and an update logic to receive updated cybersecurity analytics content data. The analyzer logic receives updated cybersecurity analytics content data and can generate a second analyzer that incorporates at least a portion of the parsed updated cybersecurity analytics content data. In response to the generation of the second analyzer, the inspection logic manages a second queue of subsequent suspicious objects and sends the subsequent suspicious objects to the second analyzer for threat evaluation, thereby minimizing downtime during the analyzer update process.

IPC Classes

  • G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 9/54 - Interprogram communication
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • G06F 8/65 - Updates

36.

System and method for detecting malicious traffic using a virtual machine configured with a select software environment

      
Application Number 16791933
Grant Number 11637857
Status In Force
Filing Date 2020-02-14
First Publication Date 2023-04-25
Grant Date 2023-04-25
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor Aziz, Ashar

Abstract

A system for detecting malware is described. The system features a traffic analysis device and a network device. The traffic analysis device is configured to receive data over a communication network, selectively filter the data, and output a first portion of the data to the network device. The network device is communicatively coupled with and remotely located from the traffic analysis device. The network device features software that, upon execution, (i) monitors behaviors of one or more virtual machines processing the first portion of the data received as output from the traffic analysis device, and (ii) detects, based on the monitored behaviors, a presence of malware in the first virtual machine.

IPC Classes

  • G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • H04L 9/40 - Network security protocols
  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines

37.

Distributed malware detection system and submission workflow thereof

      
Application Number 16840584
Grant Number 11632392
Status In Force
Filing Date 2020-04-06
First Publication Date 2023-04-18
Grant Date 2023-04-18
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor Otvagin, Alexander

Abstract

As described, a cloud-based enrollment service is configured to advertise features and capabilities of clusters performing malware analyses within a cloud-based malware detection system. Upon receiving an enrollment request message, including tenant credentials associated with a sensor having an object to be analyzed for malware, the cloud-based enrollment service is configured to use the tenant credentials to authenticate the sensor and determine a type of subscription assigned to the sensor. Thereafter, the cloud-based enrollment service is further configured to transmit an enrollment response message including a portion of the advertised features and capabilities of a selected cluster of the cloud-based malware detection system. The advertised features and capabilities include information to enable the sensor to establish direct communications with the selected cluster.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines

38.

Automated system for triage of customer issues

      
Application Number 16726723
Grant Number 11601444
Status In Force
Filing Date 2019-12-24
First Publication Date 2023-03-07
Grant Date 2023-03-07
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Vashisht, Sai
  • Khul, Rahul

Abstract

A device for verifying previous determinations from cybersecurity devices comprising a processor and a storage device communicatively coupled to the processor. The storage device comprises submission analysis logic including object parsing logic to receive submission message data and then parse the submission message data into object data, along with workflow selector logic to receive the object data and process the object data to select at least one analyzer within analyzer logic. The analyzer logic can generate at least one analyzer based on the selected analyzer within the workflow selector logic, analyze the object data for potential threats and embedded object data, generate results data based on that analysis, and pass the embedded object data back to the workflow selector for further analysis. Finally, the submission analysis logic comprises triage ticket generation logic to generate triage tickets for analyst review and alert logic to generate automatic alerts.

IPC Classes

39.

Detection of phishing attacks using similarity analysis

      
Application Number 17157968
Grant Number 11570211
Status In Force
Filing Date 2021-01-25
First Publication Date 2023-01-31
Grant Date 2023-01-31
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor Liu, Rundong

Abstract

A computerized system and method to detect phishing cyber-attacks is described. The approach entails analyzing one or more displayable images of a webpage referenced by a URL to ascertain whether the one or more displayable images, and thus the webpage and potentially an email including the URL, are part of a phishing cyber-attack.

IPC Classes

  • H04L 27/06 - Demodulator circuits; Receiver circuits
  • H04L 9/40 - Network security protocols
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system

40.

Multi-vector malware detection data sharing system for improved detection

      
Application Number 16353982
Grant Number 11558401
Status In Force
Filing Date 2019-03-14
First Publication Date 2023-01-17
Grant Date 2023-01-17
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Vashisht, Sai
  • Deshpande, Sumer
  • Paithane, Sushant
  • Menon, Rajeev

Abstract

A computerized method for analyzing an object is disclosed. The computerized method includes performing, by a first cybersecurity system, a first malware analysis of the object, wherein a first context information is generated by the first cybersecurity system based on the first malware analysis. The first context information includes at least origination information of the object. Additionally, a second cybersecurity system obtains the object and the first context information and performs a second malware analysis of the object to determine a verdict indicating maliciousness of the object. The second malware analysis is based at least in part on the first context information. The second cybersecurity system generates and issues a report based on the second malware analysis, the report including the verdict.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • H04L 9/40 - Network security protocols

41.

Cyber-security framework for application of virtual features

      
Application Number 15197653
Grant Number 11552986
Status In Force
Filing Date 2016-06-29
First Publication Date 2023-01-10
Grant Date 2023-01-10
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Templeman, Gregory
  • Khalid, Yasir

Abstract

A non-transitory storage medium having stored thereon logic wherein the logic is executable by one or more processors to perform operations is disclosed. The operations may include parsing an object, detecting one or more features of a predefined feature set, evaluating each feature-condition pairing of a virtual feature using the one or more values observed of each of the one or more detected features, determining whether results of the evaluation of one or more feature-condition pairings satisfies terms of the virtual feature, and responsive to determining the results of the evaluation satisfy the virtual feature, performing one or more of a static analysis to determine whether the object is associated with anomalous characteristics or a dynamic analysis on the object to determine whether the object is associated with anomalous behaviors.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 9/40 - Network security protocols
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

42.

Query engine for remote endpoint information retrieval

      
Application Number 17896812
Grant Number 12158889
Status In Force
Filing Date 2022-08-26
First Publication Date 2022-12-22
Grant Date 2024-12-03
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY HOLDINGS LLC (USA)
Inventor
  • Costantino, Leandro Ignacio
  • Sanchez, Cristian A.
  • Olle, Juan M.
  • Pamio, Diego Naza

Abstract

Embodiments are disclosed herein for remote retrieval of information from endpoints and comprise receiving a master query at an endpoint in a network environment and executing a set of one or more subqueries defined in the master query. Embodiments also comprise an execution of a first subquery that includes executing a function to produce a first output, applying one or more conditions to the first output to determine a second output, and determining a result of the master query based, at least in part, on the second output. In specific embodiments, the master query is received from another node over a network connection. In more specific embodiments, the function is executed on the endpoint to collect real-time information based on one or more parameters. In further embodiments, the function is one of a plug-in or a script.

IPC Classes

  • G06F 16/2458 - Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
  • G06F 16/245 - Query processing

43.

Subscription and key management system

      
Application Number 17133411
Grant Number 11522884
Status In Force
Filing Date 2020-12-23
First Publication Date 2022-12-06
Grant Date 2022-12-06
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY HOLDINGS LLC (USA)
Inventor
  • Vashisht, Sai
  • Deshpande, Sumer

Abstract

One embodiment of the described invention is directed to a key management module deployed within a cybersecurity system that operates as a multi-tenant Security-as-a-Service (SaaS) by relying on Infrastructure-as-a-Service (IaaS) cloud processing resources and cloud storage resources. The key management module is configured to assign a master key to a subscriber upon registration and, as requested, generate one or more virtual keys, based at least in part on the master key, for distribution to the subscriber. Each virtual key is included as part of a submission into the cybersecurity system and is used to authenticate the subscriber of the submission and verify that the subscriber is authorized to perform one or more tasks associated with the submission before the one or more tasks are performed.


44.

Identifying malware-suspect end points through entropy changes in consolidated logs

      
Application Number 17745366
Grant Number 11916934
Status In Force
Filing Date 2022-05-16
First Publication Date 2022-11-03
Grant Date 2024-02-27
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY HOLDINGS LLC (USA)
Inventor
  • Thayer, Peter
  • Infante-Lopez, Gabriel G.
  • Ferrado, Leandro J.
  • Houspanossian, Alejandro

Abstract

Example methods disclosed herein to determine whether a first monitored device is compromised include determining a first entropy value for the first monitored device based on a first number of unique event identifiers included in log entries obtained for the first monitored device, the log entries associated with a first time window. Disclosed example methods also include determining a second entropy value for the first monitored device based on numbers of unique event identifiers included in corresponding groups of log entries obtained for respective ones of a plurality of monitored devices including the first monitored device, the groups of log entries associated with the first time window. Disclosed example methods further include determining whether the first monitored device is compromised based on the first entropy value and the second entropy value, and performing an action in response to a determination that the first monitored device is compromised.


45.

Heuristic model to self-manage and auto-update containerized services

      
Application Number 17720860
Grant Number 12143426
Status In Force
Filing Date 2022-04-14
First Publication Date 2022-10-20
Grant Date 2024-11-12
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY HOLDINGS LLC (USA)
Inventor
  • Bhattacharya, Anamika
  • Bharadwaj, Deepak
  • Seetharamaiah, Sriranga
  • Sanyal, Abhisek
  • Revashetti, Siddaraya

Abstract

the network interface transmits the update request to the customer apparatus.


46.

DISTRIBUTED HYBRID MODEL FOR SECURITY AS A SERVICE

      
Application Number 17721038
Status Pending
Filing Date 2022-04-14
First Publication Date 2022-10-20
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY HOLDINGS LLC (USA)
Inventor
  • Bhattacharya, Anamika
  • Bharadwaj, Deepak
  • S, Sriranga
  • Sanyal, Abhisek
  • Revashetti, Anand

Abstract

An apparatus includes a network interface and a processor. The network interface receives an application programming interface (API) request, transmits a customer management request including an identifier of the customer apparatus, and receives a customer management response including a policy. The processor performs a security service on the API request, at least in part based on the policy.


47.

AGENT PRESENCE FOR SELF-HEALING

      
Application Number 17839747
Status Pending
Filing Date 2022-06-14
First Publication Date 2022-09-29
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY HOLDINGS LLC (USA)
Inventor
  • Thakur, Shashin
  • Boggarapu, Arvind K.
  • Singh, Harvir

Abstract

In one or more examples, there is disclosed a system and method of detecting agent presence for self-healing. An out-of-band monitoring process, such as Intel® AMT, or any process in firmware executing on a co-processor, may monitor one or more processes to determine if one goes down or otherwise meets a security criterion. Crashed processes may be reported to an enterprise security controller (ESC). The ESC may notice trends among affected machines and instruct the machines to take appropriate remedial action, such as booting from a remedial image.

IPC Classes

  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • H04L 9/40 - Network security protocols
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

48.

System and method for circumventing evasive code for cyberthreat detection

      
Application Number 17133379
Grant Number 11436327
Status In Force
Filing Date 2020-12-23
First Publication Date 2022-09-06
Grant Date 2022-09-06
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY HOLDINGS LLC (USA)
Inventor
  • Vashisht, Sai
  • Paithane, Sushant
  • Pathan, Imtiyaz Yunus

Abstract

One embodiment of the described invention is directed to a computerized method for improving detection of cybersecurity threats initiated by a script. Herein, the method is configured to analyze the script provided as part of a script object by at least (i) determining whether any functional code blocks forming the script include a critical code statement, (ii) determining whether any of the functional code blocks include an evasive code statement, (iii) modifying the script to control processing of a subset of the functional code blocks by avoiding an execution code path including the evasive code statement and processing functional code blocks forming a code path including the critical code statement, and (iv) executing the modified script and monitoring behaviors of a virtual environment. Thereafter, the method is configured to determine whether the script includes cybersecurity threats based on the monitored behaviors.

IPC Classes

  • G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs

49.

Subscription-based malware detection

      
Application Number 17035538
Grant Number 11399040
Status In Force
Filing Date 2020-09-28
First Publication Date 2022-07-26
Grant Date 2022-07-26
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY HOLDINGS LLC (USA)
Inventor
  • Siddiqui, Mumtaz
  • Radhakrishnan, Manju

Abstract

A computerized method is described for authenticating access to a subscription-based service to detect an attempted cyber-attack. First, a request is received by a subscription review service to subscribe to the subscription-based service. The service is configured to analyze one or more objects for a potential presence of malware representing the attempted cyber-attack. Using service policy level information, the cloud broker selects a cluster from a plurality of clusters to analyze whether the one or more objects are associated with the attempted cyber-attack and establishes a communication session between the sensor and the cluster via the cloud broker. The service policy level information is associated with the customer and is used in accessing the subscription-based service. The service policy level information includes at least an identifier assigned to the customer.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 9/40 - Network security protocols
  • G06F 21/10 - Protecting distributed programs or content, e.g. vending or licensing of copyrighted material
  • H04L 67/52 - Network services specially adapted for the location of the user terminal
  • H04L 41/5003 - Managing SLA; Interaction between SLA and QoS
  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules

50.

System and method for supporting cross-platform data verification

      
Application Number 16457573
Grant Number 11392700
Status In Force
Filing Date 2019-06-28
First Publication Date 2022-07-19
Grant Date 2022-07-19
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY HOLDINGS LLC (USA)
Inventor
  • Beard, Robert
  • Caron, Robin

Abstract

A trust verification system for automatically verifying an integrity of an object across multiple operating system (OS) platforms. The trust verification system features package verification logic, catalog verification logic, and component verification logic. The package verification logic recovers, from an incoming package, (i) an object, (ii) a catalog including identifiers associated with software component(s) forming the object and representation(s) associated with each of the software component(s), and (iii) a representation of the catalog. The catalog verification logic is configured to verify an integrity of the catalog while the component verification logic is configured to verify an integrity of software component(s) associated with the object. Thereafter, the package verification logic verifies an integrity of the object associated with the incoming package in response to the catalog verification logic verifying the integrity of the catalog and the component verification logic verifying the integrity of the software component(s).

IPC Classes

  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 16/23 - Updating

51.

Network-based binary file extraction and analysis for malware detection

      
Application Number 14481801
Grant Number 11381578
Status In Force
Filing Date 2014-09-09
First Publication Date 2022-07-05
Grant Date 2022-07-05
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY HOLDINGS LLC (USA)
Inventor
  • Manni, Jayaraman
  • Aziz, Ashar
  • Gong, Fengmin
  • Loganathan, Upendran
  • Amin, Muhammad

Abstract

A system and method are disclosed for network-based file analysis for malware detection. Network content is received from a network tap. A binary packet is identified in the network content. A binary file, including the binary packet, is extracted from the network content. It is determined whether the extracted binary file is detected to be malware.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06N 20/00 - Machine learning
  • H04L 9/40 - Network security protocols

52.

System and method for scanning remote services to locate stored objects with malware

      
Application Number 16231074
Grant Number 11368475
Status In Force
Filing Date 2018-12-21
First Publication Date 2022-06-21
Grant Date 2022-06-21
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY HOLDINGS LLC (USA)
Inventor
  • Vashisht, Sai

Abstract

A system and method for retrieval and analysis of stored objects for malware is described. The method involves receiving a scan request message from a customer to conduct analytics on one or more objects stored within a third-party controlled service. In response to receipt of the scan request message, the system generates a redirect message. The redirect message redirects the customer to an authentication portal of the third-party controlled service operating as a logon page and configures receipt by the system of access credentials for the third-party controlled service upon verification of the customer. Using the access credentials, the system is able to retrieve the one or more objects and perform analytics on each object of the one or more objects to classify each object as malicious or benign.

IPC Classes

  • G06F 16/9535 - Search customisation based on user profiles and personalisation
  • H04L 9/40 - Network security protocols

53.

Systems and methods for delivery using a message queue

      
Application Number 17523849
Grant Number 11863470
Status In Force
Filing Date 2021-11-10
First Publication Date 2022-05-12
Grant Date 2024-01-02
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY HOLDINGS LLC (USA)
Inventor
  • Venkatesan, Senthil K.
  • Zeigler, Arthur S.
  • Das, Sudeep
  • Swanson, Anders

Abstract

An apparatus includes a network interface and a processing unit. The network interface transmits a security payload. The processing unit determines a first partition of a queuing service for the security payload at a first time, at least in part based on a determination that an initial attempt to transmit the security payload failed. The processing unit also instructs a retrieval of the security payload from the first partition to perform a first retry attempt to transmit the security payload, at least in part based on a determination that a first retry interval since the first time has elapsed.

IPC Classes

  • H04L 12/861 - Packet buffering or queuing arrangements; Queue scheduling
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure
  • H04L 49/9057 - Arrangements for supporting packet reassembly or resequencing
  • H04L 67/55 - Push-based network services

54.

Cyber-security system and method for detecting escalation of privileges within an access token

      
Application Number 16353984
Grant Number 11314859
Status In Force
Filing Date 2019-03-14
First Publication Date 2022-04-26
Grant Date 2022-04-26
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY HOLDINGS LLC (USA)
Inventor
  • Singh, Japneet
  • Pandey, Ratnesh
  • Kabra, Atul

Abstract

According to one embodiment, a method for detecting and mitigating a privilege escalation attack on an electronic device is described. The method involves operations by a user agent mode operating within a user space and a kernel driver mode operating within a kernel space. The kernel driver mode, in response to detecting an initial activation of a process being monitored, stores metadata associated with an access token. This metadata includes the initial token state information. Responsive to detecting an event associated with the process being monitored, the kernel mode driver extracts a portion of current state information for the access token for comparison to a portion of the stored token state information. Differences between content within the current state information and the stored token state information are used, at least in part, by the user agent mode to detect a privilege escalation attack.

IPC Classes

  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/60 - Protecting data
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules

55.

System and method for automatically prioritizing rules for cyber-threat detection and mitigation

      
Application Number 16353988
Grant Number 11316900
Status In Force
Filing Date 2019-03-14
First Publication Date 2022-04-26
Grant Date 2022-04-26
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY HOLDINGS LLC (USA)
Inventor
  • Schottland, Paul
  • Dey, Chinmoy
  • Glyer, Christopher

Abstract

A system and computerized method for generating an improved cyber-security rule ordering for cyber-security threat detection or post-processing activities conducted by a rules-based cyber-security engine deployed within a network device is described. Herein, historical metadata associated with analytics conducted on incoming data by a rule-based cyber-security engine and in accordance with a plurality of rules is described. These rules are arranged in a first ordered rule sequence. The historical metadata is analyzed to determine one or more salient rules from the plurality of rules. The plurality of rules are reprioritized by at least rearranging an order to a second ordered rule sequence with the one or more salient rules being positioned toward a start of the second ordered rule sequence. Thereafter, the rule-based cyber-security engine operates in accordance with the reprioritized rule set that is arranged in the second ordered rule sequence to achieve improved performance.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]

56.

System and method for retrieval and analysis of operational data from customer, cloud-hosted virtual resources

      
Application Number 16557512
Grant Number 11310238
Status In Force
Filing Date 2019-08-30
First Publication Date 2022-04-19
Grant Date 2022-04-19
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY HOLDINGS LLC (USA)
Inventor
  • Vashisht, Sai
  • Deshpande, Sumer
  • Paithane, Sushant
  • Khul, Rahul

Abstract

A system for protecting public cloud-hosted virtual resources features cloud visibility logic. According to one embodiment, the cloud visibility logic includes credential evaluation logic, data collection logic, correlation logic and reporting logic. The credential evaluation logic is configured to gain authorized access to a cloud account within a first public cloud network. The data collection logic is configured to retrieve account data from the cloud account, while the correlation logic is configured to conduct analytics on the account data to determine whether the cloud account is subject to a cybersecurity threat or misconfiguration. The reporting logic is configured to generate an alert when the cloud account is determined by the correlation logic to be subject to the cybersecurity threat or misconfiguration.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]
  • G06F 9/54 - Interprogram communication

57.

Selective virtualization for security threat detection

      
Application Number 16572537
Grant Number 11294705
Status In Force
Filing Date 2019-09-16
First Publication Date 2022-04-05
Grant Date 2022-04-05
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY HOLDINGS LLC (USA)
Inventor
  • Paithane, Sushant
  • Vincent, Michael

Abstract

Selective virtualization of resources is provided, where the resources may be intercepted and serviced or the resources may be intercepted and redirected. Virtualization logic monitors for one or more activities that are performed in connection with one or more resources and conducted during processing of an object within the virtual machine. The first virtualization logic further selectively virtualizes resources associated with the one or more activities that are initiated during the processing of the object within the virtual machine by at least redirecting a first request of a plurality of requests to a different resource than requested by a monitored activity of the one or more activities.

IPC Classes

  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

58.

Dynamically remote tuning of a malware content detection system

      
Application Number 16459536
Grant Number 11297074
Status In Force
Filing Date 2019-07-01
First Publication Date 2022-04-05
Grant Date 2022-04-05
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY HOLDINGS LLC (USA)
Inventor
  • Vincent, Michael
  • Thioux, Emmanuel
  • Vashisht, Sai
  • Kindlund, Darien

Abstract

According to one embodiment, an apparatus comprises a processor and memory. Communicatively coupled to the processor, the memory includes a detection module that, when executed, conducts an analysis of a received object to determine if the received object is associated with a malicious attack. The detection module is configurable, and thus, certain capabilities can be enabled, disabled or modified. The analysis is to be altered upon receipt of a configuration file that includes information to alter one or more rules controlling the analysis conducted by the detection module.

IPC Classes

  • G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

59.

End-point visibility

      
Application Number 17479721
Grant Number 11556652
Status In Force
Filing Date 2021-09-20
First Publication Date 2022-03-10
Grant Date 2023-01-17
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY HOLDINGS LLC (USA)
Inventor
  • Rubakha, Dmitri
  • Cuenca-Acuna, Francisco M.
  • Juarez, Hector R.
  • Costantino, Leandro I.

Abstract

A system for securing electronic devices includes a processor, a storage medium communicatively coupled to the processor, and a monitoring application comprising computer-executable instructions on the medium. The instructions are readable by the processor. The monitoring application is configured to receive an indication that a client has been affected by malware, cause the client to boot from a trusted operating system image, cause a launch of a secured security application on the client from a trusted application image, and analyze a malware status of the client through the secured security application.

IPC Classes

  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

60.

Service-oriented architecture

      
Application Number 17383775
Grant Number 11902388
Status In Force
Filing Date 2021-07-23
First Publication Date 2022-02-17
Grant Date 2024-02-13
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY HOLDINGS LLC (USA)
Inventor
  • Smith, Christopher
  • Das, Sudeep

Abstract

In an example, there is disclosed a system and method for providing a service-oriented architecture, including request/response, over a publish/subscribe framework. In one embodiment, a system is disclosed for adding layers upon a publish/subscribe messaging framework for sophisticated messaging such as point-to-point (request/response) and the ability to query for available services, in a reliable, scalable manner.

IPC Classes

  • G06F 15/173 - Interprocessor communication using an interconnection network, e.g. matrix, shuffle, pyramid, star or snowflake
  • H04L 67/51 - Discovery or management thereof, e.g. service location protocol [SLP] or web services
  • G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]
  • H04L 41/00 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks

61.

Method to detect application execution hijacking using memory protection

      
Application Number 16277907
Grant Number 11244044
Status In Force
Filing Date 2019-02-15
First Publication Date 2022-02-08
Grant Date 2022-02-08
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY HOLDINGS LLC (USA)
Inventor
  • Malik, Amit
  • Pande, Raghav
  • Jain, Aakash

Abstract

According to one embodiment, malware detection software is loaded into a non-transitory computer-readable medium for execution by a processor. The malware detection software comprises exploit detection logic, rule-matching logic, reporting logic and user interface logic. The exploit detection logic is configured to execute certain event logic with respect to a loaded module. The rule-matching logic includes detection logic that is configured to determine whether an access source is attempting to access a protected region and determine whether the access source is from a dynamically allocated memory. The reporting logic includes alert generating logic that is configured to generate an alert while the user interface logic is configured to notify a user or a network administrator of a potential cybersecurity attack.

IPC Classes

  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine

62.

Verification of trusted threat-aware visualization layer

      
Application Number 16011495
Grant Number 11244056
Status In Force
Filing Date 2018-06-18
First Publication Date 2022-02-08
Grant Date 2022-02-08
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
  • MAGENTA SECURITY HOLDINGS LLC (USA)
Inventor
  • Ismael, Osman Abdoul
  • Tews, Hendrik

Abstract

A trusted threat-aware microvisor may be deployed as a module of a trusted computing base (TCB). The microvisor is illustratively configured to enforce a security policy of the TCB, which may be implemented as a security property of the microvisor. The microvisor may manifest (i.e., demonstrate) the security property in a manner that enforces the security policy. Trustedness denotes a predetermined level of confidence that the security property is demonstrated by the microvisor. The predetermined level of confidence is based on an assurance (i.e., grounds) that the microvisor demonstrates the security property. Trustedness of the microvisor may be verified by subjecting the TCB to enhanced verification analysis configured to ensure that the TCB conforms to an operational model with an appropriate level of confidence over an appropriate range of activity. The operational model may then be configured to analyze conformance of the microvisor to the security property. A combination of conformance by the microvisor to the operational model and to the security property provides assurance (i.e., grounds) for the level of confidence and, thus, verifies trustedness.

IPC Classes

  • H04L 9/00 - Arrangements for secret or secure communications; Network security protocols
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

63.

Synchronization of multi-stack nodes

      
Application Number 16941877
Grant Number 11671371
Status In Force
Filing Date 2020-07-29
First Publication Date 2022-02-03
Grant Date 2023-06-06
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Abraham, Anil
  • Kenyan, Manikandan
  • Thangamani, Ashok Babu

Abstract

x to each slot corresponding to a home position for the peer device; and load balancing slots not assigned to a home position according to a deterministic algorithm; and discovering additional nodes and performing discovery iteration for the additional nodes.

IPC Classes

  • H04L 47/125 - Avoiding congestion; Recovering from congestion by balancing the load, e.g. traffic engineering
  • H04L 45/02 - Topology update or discovery
  • H04L 47/215 - Flow control; Congestion control using token-bucket
  • H04L 45/021 - Ensuring consistency of routing table updates, e.g. by using epoch numbers

64.

Malware detection verification and enhancement by coordinating endpoint and malware detection systems

      
Application Number 16666335
Grant Number 11240262
Status In Force
Filing Date 2019-10-28
First Publication Date 2022-02-01
Grant Date 2022-02-01
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Aziz, Ashar
  • Ismael, Osman Abdoul

Abstract

Computerized techniques to determine and verify maliciousness of an object by a security logic engine are described. A method features receiving information pertaining to a first set of events associated with a first object (first information) from an endpoint and information pertaining to a second set of events associated with a second object (second information) from an analysis system. Thereafter, the likelihood of the cyber-attack being conducted on the network is determined by at least correlating the first information and the second information with at least events associated with known malicious objects. Any endpoints vulnerable to the cyber-attack are identified based on a configuration of each of the plurality of endpoints and requesting the analysis system to conduct one or more further analyses in accordance with at least a software profile identified in a configuration of the first endpoint of the plurality of endpoints identified as vulnerable.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

65.

Platform and method for performing cybersecurity analyses employing an intelligence hub with a modular architecture

      
Application Number 16223107
Grant Number 11240275
Status In Force
Filing Date 2018-12-17
First Publication Date 2022-02-01
Grant Date 2022-02-01
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Vashisht, Sai
  • Otvagin, Alexander

Abstract

A network device for collecting and distributing cybersecurity intelligence, which features analytics logic and a plurality of plug-ins. The analytics logic is configured to (i) receive a request message to conduct a cybersecurity analysis and (ii) select one of a first set or second set of plug-ins to conduct the cybersecurity analysis. Responsive to selecting a first plug-in of the first set of plug-ins by the analytics logic, the system conducts and completes the cybersecurity analysis while a communication session between the first plug-in and a network device initiating the request message remains open. Responsive to selecting a second plug-in by the analytics logic, the system conducts and completes the cybersecurity analysis while allowing the cybersecurity intelligence to be provided in response to the request message during a different and subsequent communication session than the communication session during which the request message is received.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

66.

Cybersecurity investigation tools utilizing information graphs

      
Application Number 17493364
Grant Number 12047395
Status In Force
Filing Date 2021-10-04
First Publication Date 2022-01-27
Grant Date 2024-07-23
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Infante-Lopez, Gabriel G.
  • Nadkarni, Hemang Satish
  • Michelis, Pablo Andres
  • Cuenca-Acuna, Francisco Matias
  • Marenchino, Matias L.
  • Torino, Maria

Abstract

Example apparatus disclosed herein to perform a cybersecurity investigation are to generate an information graph based on a set of information seeker tools in response to detection of a threat alert in a monitored network, and search the information graph for a reference pattern associated with a cybersecurity threat. Disclosed example apparatus are also to, in response to detection of a portion of the reference pattern in the information graph, (i) select a first one of information seeker tools associated with a first input-output relationship capable of expanding the portion of the reference pattern to complete the reference pattern, and (ii) execute the first one of information seeker tools to complete the reference pattern associated with the cybersecurity threat.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 16/901 - Indexing; Data structures therefor; Storage structures

67.

System and method for improved end-to-end cybersecurity machine learning and deployment

      
Application Number 16049687
Grant Number 11227047
Status In Force
Filing Date 2018-07-30
First Publication Date 2022-01-18
Grant Date 2022-01-18
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Vashisht, Sai Omkar
  • Khul, Rahul
  • Fang, Chunsheng

Abstract

The presently disclosed subject matter includes an apparatus that receives a dataset with values associated with different digital resources captured from a group of compute devices. The apparatus includes a feature extractor, to generate a set of feature vectors, each feature vector from the set of feature vectors associated with a set of data included in the received dataset. The apparatus uses the set of feature vectors to validate multiple machine learning models trained to determine whether a digital resource is associated with a cyberattack. The apparatus selects at least one active machine learning model and sets the remaining trained machine learning models to operate in an inactive mode. The active machine learning model generates a signal to alert a security administrator, blocks a digital resource from loading at a compute device, or executes other remedial action, upon a determination that the digital resource is associated with a cyberattack.

IPC Classes

  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06N 20/00 - Machine learning

68.

System and method for distributed cluster configuration monitoring and management

      
Application Number 16022644
Grant Number 11228491
Status In Force
Filing Date 2018-06-28
First Publication Date 2022-01-18
Grant Date 2022-01-18
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Yakymovych, Alexey
  • Otvagin, Alexander

Abstract

A cyber-threat detection system that maintains consistency in local configurations of one or more computing nodes forming a cluster for cyber-threat detection is described. The system features a distributed data store for storage of at least a reference configuration and a management engine deployed within each computing node, including the first computing node and configured to obtain data associated with the reference configuration from the distributed data store. From such data, the management engine is configured to detect when the shared local configuration is non-compliant with the reference configuration, and upload information associated with the non-compliant shared local configuration into the distributed data store. Upon notification, the security administrator may initiate administrative controls to allow the non-compliant shared local configuration or modify the shared local configuration to be compliant with the reference configuration.

IPC Classes

  • G06F 15/173 - Interprocessor communication using an interconnection network, e.g. matrix, shuffle, pyramid, star or snowflake
  • H04L 12/24 - Arrangements for maintenance or administration
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure

69.

Multi-version application support and registration within a single operating system environment

      
Application Number 16036873
Grant Number 11210390
Status In Force
Filing Date 2018-07-16
First Publication Date 2021-12-28
Grant Date 2021-12-28
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Khalid, Yasir
  • Amin, Muhammad
  • Jing, Emily
  • Rizwan, Muhammad

Abstract

Techniques for efficient malicious content detection in plural versions of a software application are described. According to one embodiment, the computerized method includes installing a plurality of different versions of a software application concurrently within a virtual machine and selecting a subset of the plurality of versions of the software application that are concurrently installed within the virtual machine. Next, one or more software application versions of the subset of the plurality of versions of the software application are processed to access a potentially malicious content suspect within the virtual machine, without switching to another virtual machine. The behaviors of the potentially malicious content suspect during processing by the one or more software application versions are monitored to detect behaviors associated with a malicious attack. Thereafter, information associated with the detected behaviors pertaining to a malicious attack is stored, and an alert with respect to the malicious attack is issued.

IPC Classes

  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines

70.

Late load technique for deploying a virtualization layer underneath a running operating system

      
Application Number 16160923
Grant Number 11200080
Status In Force
Filing Date 2018-10-15
First Publication Date 2021-12-14
Grant Date 2021-12-14
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Steinberg, Udo
  • Kulkarni, Neeraj Sanjeev

Abstract

A technique that deploys a virtualization layer underneath an operating system executing on a node of a network environment to enable the virtualization layer to control the operating system is described. One or more executables (binaries) for the virtualization layer may be included in a kernel module loaded in memory of the node with a first privilege level (e.g., highest privilege level) needed to control the guest operating system. The kernel module may be configured to suspend the guest operating system and one or more hardware resources to a quiescent state. Furthermore, the kernel module is configured to (i) capture and save states of the hardware resource(s) and (ii) bootstrap the virtualization layer to create a virtual machine with an initial state that corresponds to a state of the system prior to deployment of the virtualization layer.

IPC Classes

  • G06F 12/1009 - Address translation using page tables, e.g. page table structures
  • G06F 12/1027 - Address translation using associative or pseudo-associative address translation means, e.g. translation look-aside buffer [TLB]
  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines

71.

System and method for mitigating cyberattacks against processor operability by a guest process

      
Application Number 16130944
Grant Number 11182473
Status In Force
Filing Date 2018-09-13
First Publication Date 2021-11-23
Grant Date 2021-11-23
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Ha, Phung-Te
  • Li, Min

Abstract

According to one embodiment of the disclosure, a method for reassigning execution of certain instructions directed to a speculative execution task or a reserved instruction, attempted by a guest process, to be handled by a host process is described herein. The method involves detecting whether a software component, operating within a virtual machine deployed within a guest environment of the network device, is attempting to execute an instruction associated with a speculative execution task. If so, the speculative execution task is prevented from being performed by the software component without the virtual machine detecting that speculative execution by the software component has been reassigned.

IPC Classes

  • G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
  • G06F 9/48 - Program initiating; Program switching, e.g. by interrupt

72.

Methods and apparatus to accelerate security threat investigation

      
Application Number 16864102
Grant Number 11651074
Status In Force
Filing Date 2020-04-30
First Publication Date 2021-11-04
Grant Date 2023-05-16
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor Anderson, Wayne

Abstract

Methods, apparatus, systems and articles of manufacture are disclosed herein to accelerate security threat investigation. An example apparatus includes a model trainer to train a security investigation model, a game engine to determine a source security software product and a destination security software product of a security threat object, an actions database to store at least one of the previous security response action, the source security software product, the destination security software product, and the security threat object, an action generator to generate at least one suggested security response action in response to a user security investigation action, wherein the suggested security response action is based on an execution of the security investigation model, and a software product controller to adjust a display of the destination security software product of the security threat object in response to the security response action.

IPC Classes

  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06N 20/00 - Machine learning

73.

Providing a virtual security appliance architecture to a virtual cloud infrastructure

      
Application Number 17320129
Grant Number 12218956
Status In Force
Filing Date 2021-05-13
First Publication Date 2021-11-04
Grant Date 2025-02-04
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Cooper, Geoffrey Howard
  • Nedbal, Manuel
  • Nadkarni, Hemang Satish

Abstract

A method in an embodiment includes detecting a change for a virtual machine in a virtual server of a virtual network infrastructure, determining whether a virtual security appliance is configured in the virtual server, and sending a request to create the virtual security appliance in the virtual server. The method further includes allowing the virtual machine to initiate when the virtual security appliance is created in the virtual machine. The virtual security appliance performs security inspections on network packets sent from the virtual machine. In more specific embodiments, the method further includes creating an intercept mechanism in the virtual server to intercept the network packets from the virtual machine. In further embodiments, one or more security policies identify one or more virtual security appliances to process the network packets from the virtual machine.

IPC Classes

  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
  • G06F 21/50 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
  • G06F 21/60 - Protecting data
  • H04L 9/40 - Network security protocols

74.

Methods, apparatus, and articles of manufacture to securely audit communications

      
Application Number 16864107
Grant Number 11722295
Status In Force
Filing Date 2020-04-30
First Publication Date 2021-11-04
Grant Date 2023-08-08
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Zeigler, Arthur S.
  • Wuehler, Eric
  • King, Jonathan B.

Abstract

Methods, apparatus, systems, and articles of manufacture are disclosed to securely audit communications. An example apparatus includes a participant list generator to, responsive to a command to provision a secured group of devices in a network to prevent malicious activity, generate a participant device list including one or more endpoint devices and a control plane server; a privilege controller to, based on a policy indicated in the command, set read and write privileges for the one or more endpoint devices and the control plane server; a command controller to, based on the command, determine whether to generate a shared communication key using a shared system key; and a communication processor to encrypt communications between the one or more endpoint devices and the control plane server using the shared communication key.

IPC Classes

  • H04L 9/08 - Key distribution
  • H04L 9/14 - Arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
  • H04L 9/40 - Network security protocols

75.

System and method for detecting malicious network content using virtual environment components

      
Application Number 14444943
Grant Number 11153341
Status In Force
Filing Date 2014-07-28
First Publication Date 2021-10-19
Grant Date 2021-10-19
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Ismael, Osman Abdoul
  • Yie, Samuel
  • Manni, Jayaraman
  • Amin, Muhammad
  • Mahbod, Bahman

Abstract

Malicious network content is identified based on the behavior of one or more virtual environment components which process network content in a virtual environment. Network content can be monitored and analyzed using a set of heuristics. The heuristics identify suspicious network content communicated over a network. The suspicious network content can further be analyzed in a virtual environment that includes one or more virtual environment components. Each virtual environment component is configured to mimic live environment components, for example a browser application component or an operating system component. The suspicious network content is replayed in the virtual environment using one or more of the virtual environment components. The virtual environment component behavior is analyzed in view of an expected behavior to identify malicious network content. The malicious network content is then identified and processed.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

76.

Cybersecurity investigation tools utilizing information graphs

      
Application Number 16232296
Grant Number 11140179
Status In Force
Filing Date 2018-12-26
First Publication Date 2021-10-05
Grant Date 2021-10-05
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Infante-Lopez, Gabriel G.
  • Nadkarni, Hemang Satish
  • Michelis, Pablo Andres
  • Cuenca-Acuna, Francisco Matias
  • Marenchino, Matias L.
  • Torino, Maria

Abstract

Example apparatus disclosed herein to perform a cybersecurity investigation include a graph generator to iteratively generate an information graph based on investigative data in response to detection of a threat alert in a monitored network, the investigative data accessed from information sources based on a set of information seeker tools, the information graph generated based on a graph schema specifying possible relationships between the information seeker tools. Example apparatus also include a pattern recognizer to traverse the information graph to identify a path in the information graph matching a pattern from the graph schema associated with a cybersecurity threat. Example apparatus further include a user interface to output the path identified in the information graph and the cybersecurity threat to an output device.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 16/901 - Indexing; Data structures therefor; Storage structures

77.

Virtual system and method for securing external network connectivity

      
Application Number 15199873
Grant Number 11113086
Status In Force
Filing Date 2016-06-30
First Publication Date 2021-09-07
Grant Date 2021-09-07
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor Steinberg, Udo

Abstract

According to one embodiment, a computing device comprises one or more hardware processors and a memory coupled to the one or more processors. The memory comprises software that supports a virtualization software architecture including a first virtual machine operating under control of a first operating system. Responsive to determining that the first operating system has been compromised, a second operating system, which is stored in the memory in an inactive (dormant) state, is now active and controlling the first virtual machine or a second virtual machine different from the first virtual machine that now provides external network connectivity.

IPC Classes

  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 11/30 - Monitoring
  • G06F 11/34 - Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation

78.

System, apparatus and method for automatically verifying exploits within suspect objects and highlighting the display information associated with the verified exploits

      
Application Number 16679030
Grant Number 11089057
Status In Force
Filing Date 2019-11-08
First Publication Date 2021-08-10
Grant Date 2021-08-10
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Aziz, Ashar
  • Amin, Muhammad
  • Ismael, Osman Abdoul
  • Bu, Zheng

Abstract

According to one embodiment, a threat detection system comprising an intrusion protection system (IPS) logic, a virtual execution logic and a reporting logic is shown. The IPS logic is configured to receive a first plurality of objects and analyze the first plurality of objects to identify a second plurality of objects as potential exploits, the second plurality of objects being a subset of the first plurality of objects and being lesser or equal in number to the first plurality of objects. The virtual execution logic including at least one virtual machine configured to process content within each of the second plurality of objects and monitor for anomalous behaviors during the processing that are indicative of exploits to classify that a first subset of the second plurality of objects includes one or more verified exploits. The reporting logic configured to provide a display of exploit information associated with the one or more verified exploits.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine

79.

System and method for offloading packet processing and static analysis operations

      
Application Number 16659461
Grant Number 11082436
Status In Force
Filing Date 2019-10-21
First Publication Date 2021-08-03
Grant Date 2021-08-03
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Amin, Muhammad
  • Mehmood, Masood
  • Ramaswamy, Ramaswamy
  • Challa, Madhusudan
  • Karandikar, Shrikrishna

Abstract

According to one embodiment, a system features a network security device and a cloud computing service. The network security device is configured to determine whether an object includes one or more characteristics associated with a malicious attack. The cloud computing service, communicatively coupled to and remotely located from the network security device, includes virtual execution logic that, upon execution by a processing unit deployed as part of the cloud computing service and after the network security device determining that the object includes the one or more characteristics associated with the malicious attack, processes the object and monitors for behaviors of at least the object suggesting the object is associated with a malicious attack.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 29/12 - Arrangements, apparatus, circuits or systems, not covered by a single one of groups characterised by the data terminal

80.

System and method for detecting repetitive cybersecurity attacks constituting an email campaign

      
Application Number 16020896
Grant Number 11075930
Status In Force
Filing Date 2018-06-27
First Publication Date 2021-07-27
Grant Date 2021-07-27
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Xavier, Jijo
  • Venal, Robert

Abstract

According to one embodiment, a system for detecting an email campaign includes feature extraction logic, pre-processing logic, campaign analysis logic and a reporting engine. The feature extraction logic obtains features from each of a plurality of malicious email messages received for analysis while the pre-processing logic generates a plurality of email representations that are arranged in an ordered sequence and correspond to the plurality of malicious email messages. The campaign analysis logic determines the presence of an email campaign in response to a prescribed number of successive email representations being correlated to each other, where the results of the email campaign detection are provided to a security administrator via the reporting engine.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 12/58 - Message switching systems

81.

Dynamic guest image creation and rollback

      
Application Number 16363986
Grant Number 11068587
Status In Force
Filing Date 2019-03-25
First Publication Date 2021-07-20
Grant Date 2021-07-20
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor Goradia, Harnish

Abstract

According to one embodiment, a computerized method comprises three operations. First, an exploit is determined to have been activated on a client device to transition a state of the client device from a non-infected state to an infected state. Second, a software image is determined prior to the client device receiving the object including the exploit. Lastly, an operating state of the client device is restored by at least reinstalling the software image on the client device so that the client device reverts to an operating state of the client device prior to activation of the exploit.

IPC Classes

  • G06F 21/55 - Detecting local intrusion or implementing counter-measures

82.

Technologies for privacy-preserving security policy evaluation

      
Application Number 17153708
Grant Number 11909769
Status In Force
Filing Date 2021-01-20
First Publication Date 2021-06-03
Grant Date 2024-02-20
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Das, Sudeep
  • Poornachandran, Rajesh
  • Smith, Ned M.
  • Zimmer, Vincent J.
  • Sharma, Pramod
  • Zeigler, Arthur
  • Vashisth, Sumant
  • Hunt, Simon

Abstract

Technologies for privacy-safe security policy evaluation are disclosed herein. An example apparatus includes at least one memory, and at least one processor to execute instructions to at least identify one or more non-sensitive parameters of a plurality of policy parameters and one or more sensitive parameters of the plurality of the policy parameters, the plurality of the policy parameters obtained from a computing device in response to a request from a cloud analytics server for the plurality of the policy parameters, encrypt the one or more sensitive parameters to generate encrypted parameter data in response to the identification of the one or more sensitive parameters, and transmit the encrypted parameter data to the cloud analytics server, the cloud analytics server to curry a security policy function based on one or more of the plurality of the policy parameters.

IPC Classes

83.

System and method of detecting delivery of malware using cross-customer data

      
Application Number 16557757
Grant Number 11019081
Status In Force
Filing Date 2019-08-30
First Publication Date 2021-05-25
Grant Date 2021-05-25
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Rivlin, Alexandr
  • Mehra, Divyesh
  • Uyeno, Henry
  • Pidathala, Vinay

Abstract

According to one embodiment, an electronic device features processing circuitry and memory that includes a first logic and a second logic. When executed by the processing circuitry, the first logic organizes (i) a first plurality of indicators of compromise (IOCs) received from a first source, where the first plurality of IOCs is caused by a known origin of a malicious attack, and (ii) one or more IOCs received from a second source that is different from the first source and an origin of the one or more IOCs is unknown. The second logic conducts a predictive analysis that evaluates whether the one or more IOCs have at least a degree of correlation with the first plurality of IOCs, and determines a threat level. The threat level signifies a degree of confidence that IOCs received from the second source are caused by the known origin of the first plurality of IOCs.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 12/58 - Message switching systems
  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines

84.

Threat intelligence on a data exchange layer

      
Application Number 17155318
Grant Number 12231441
Status In Force
Filing Date 2021-01-22
First Publication Date 2021-05-13
Grant Date 2025-02-18
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Smith, Christopher
  • Mcdonald, Edward T.
  • Hanson, Ii, Don R.

Abstract

In an example, a threat intelligence controller is configured to operate on a data exchange layer (DXL). The threat intelligence controller acts as a DXL consumer of reputation data for a network object, which may be reported in various different types and from various different sources. Of the devices authorized to act as reputation data producers, each may have its own trust level. As the threat intelligence controller aggregates data from various providers, it may weight the reputation reports according to trust level. The threat intelligence engine thus builds a composite reputation for the object. When it receives a DXL message requesting a reputation for the object, it publishes the composite reputation on the DXL bus.

IPC Classes

85.

System and method for automatically generating malware detection rule recommendations

      
Application Number 15942082
Grant Number 11003773
Status In Force
Filing Date 2018-03-30
First Publication Date 2021-05-11
Grant Date 2021-05-11
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Fang, Chunsheng
  • Quan, Wei
  • Lai, Richard
  • Venal, Robert
  • Chang, Benjamin

Abstract

A method for generating a rule recommendation utilized in a creation of malware detection rules is described. Meta-information associated with a plurality of events collected during a malware detection analysis of an object by a cybersecurity system is received and a first plurality of features is selected from the received meta-information. Machine learning (ML) models are applied to each of the first plurality of features to generate a score that represents a level of maliciousness for the feature and thereby a degree of usefulness of the feature in classifying the object as malicious or benign. Thereafter, a second plurality of features is selected as the salient features, which are used in creation of the malware detection rules in controlling subsequent operations of the cybersecurity system. The second plurality of features is lesser in number than the first plurality of features.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06K 9/62 - Methods or arrangements for recognition using electronic means
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06N 20/00 - Machine learning

86.

Analysis of endpoint detect and response data

      
Application Number 16586804
Grant Number 11621965
Status In Force
Filing Date 2019-09-27
First Publication Date 2021-04-01
Grant Date 2023-04-04
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • March, Agustin Matias
  • Robledo, Raul Osvaldo
  • Houspanossian, Alejandro
  • Lopez, Gabriel Infante

Abstract

A computing apparatus to provide endpoint detect and response (EDR) filtering to an enterprise, including: a processor and memory; a network interface; a network protocol to communicatively couple to a data source via the network interface; and instructions encoded within the memory to provide an EDR filtering pipeline to receive an unfiltered EDR stream via the network interface, extract an EDR record from the EDR stream, and apply a hash to the EDR record to determine that the EDR record is uncommon in context of the enterprise; and a decorator module to decorate the EDR record for in-depth analysis.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06N 20/00 - Machine learning
  • H04L 9/40 - Network security protocols

87.

Real-time visual playback with synchronous textual analysis log display and event/time indexing

      
Application Number 16030759
Grant Number 10929266
Status In Force
Filing Date 2018-07-09
First Publication Date 2021-02-23
Grant Date 2021-02-23
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Goradia, Harnish
  • Ismael, Osman Abdoul
  • Johnson, Noah M.
  • Mettler, Adrian
  • Aziz, Ashar

Abstract

In one embodiment, a method for detecting one or more behaviors by software under test that indicate a presence of malware is described. First, an analysis of operations conducted by the software being processed by a virtual machine is performed. The analysis includes monitoring one or more behaviors conducted by the software during processing within the virtual machine. Next, a video corresponding to at least the one or more monitored behaviors, which are conducted by the software during processing of the software within the virtual machine, is generated. Also, text information associated with each of the one or more monitored behaviors is generated, where the text information is displayed on an electronic device contemporaneously with the video corresponding to the one or more monitored behaviors.

IPC Classes

  • G06F 11/36 - Prevention of errors by analysis, debugging or testing of software
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06N 5/04 - Inference or reasoning models
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
  • G06F 11/28 - Error detection; Error correction; Monitoring by checking the correct order of processing
  • G06F 21/50 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
  • G06N 20/00 - Machine learning

88.

Efficient request-response routing over a data exchange layer

      
Application Number 17080896
Grant Number 11418605
Status In Force
Filing Date 2020-10-27
First Publication Date 2021-02-11
Grant Date 2022-08-16
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Smith, Christopher
  • Farrenkopf, Edward A.

Abstract

In an example, there is disclosed a data exchange layer (DXL) broker, including: a hardware platform including a processor and a memory; a DXL service store; a traditional internet protocol (IP) network stack; a DXL driver to operate a DXL layer on top of the traditional IP network stack; and instructions encoded within the memory to: enumerate a plurality of DXL endpoints connected to the DXL broker via the traditional IP network stack; store IP network routing information and DXL identification information for the DXL endpoints in the DXL service store; receive a DXL message for a DXL endpoint, the DXL message including DXL identification information for one of the plurality of DXL endpoints; and route the DXL message to the one of the plurality of DXL endpoints via the IP network routing information for the one of the plurality of DXL endpoints.

IPC Classes

  • G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
  • H04L 67/51 - Discovery or management thereof, e.g. service location protocol [SLP] or web services
  • H04L 67/563 - Data redirection of data network streams
  • H04L 67/562 - Brokering proxy services
  • H04L 67/01 - Protocols

89.

Framework for classifying an object as malicious with machine learning for deploying updated predictive models

      
Application Number 16525455
Grant Number 10902117
Status In Force
Filing Date 2019-07-29
First Publication Date 2021-01-26
Grant Date 2021-01-26
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Singh, Abhishek
  • Mesdaq, Ali
  • Das, Anirban
  • Jain, Varun

Abstract

According to one embodiment, a computerized method for acquiring an updated predictive model is described. The updated predictive model is achieved through machine learning analyses of information by a training engine, which issues a control message in response to a discrepancy in a determination of the suspect object as malicious or non-malicious by a detection engine and a classification engine. The detection engine analyzes a content of a suspect object to determine whether the suspect object is malicious or non-malicious. Similarly, the classification engine analyzes the suspect object based on the predictive model to determine whether the suspect object is malicious or non-malicious. The control message causes the training engine to update the predictive model based on machine learning analyses of information provided via the control message and to return an updated predictive model to the classification engine.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06N 5/02 - Knowledge representation; Symbolic representation
  • G06N 5/04 - Inference or reasoning models
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

90.

Data extraction system for malware analysis

      
Application Number 15627266
Grant Number 10902119
Status In Force
Filing Date 2017-06-19
First Publication Date 2021-01-26
Grant Date 2021-01-26
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Vashisht, Sai Omkar
  • Ha, Phung-Te
  • Paithane, Sushant
  • Raut, Durvesh Ashok

Abstract

According to one embodiment, a computerized method features monitoring behaviors of an object during processing within a guest system of a virtual machine. Within a guest system, a rule-based analysis of data associated with the monitored behaviors is conducted. The rule-based analysis includes prioritizing data associated with the monitored behaviors that correspond to an exception, and thereafter, storing the data associated with the monitored behaviors that correspond to the exception into a prescribed area of a virtual image file. The prescribed area is accessible by (i) logic within the guest system and (ii) logic within a host system of the virtual machine.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures

91.

Detection of phishing attacks using similarity analysis

      
Application Number 15469400
Grant Number 10904286
Status In Force
Filing Date 2017-03-24
First Publication Date 2021-01-26
Grant Date 2021-01-26
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor Liu, Rundong

Abstract

A computerized system and method to detect phishing cyber-attacks is described. The approach entails analyzing at least one displayable image of a webpage referenced by a URL associated with an email to ascertain whether the image, and thus the webpage and the email, are part of a phishing cyber-attack.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system

92.

Verification and enhancement using detection systems located at the network periphery and endpoint devices

      
Application Number 15473154
Grant Number 10893059
Status In Force
Filing Date 2017-03-29
First Publication Date 2021-01-12
Grant Date 2021-01-12
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Aziz, Ashar
  • Ismael, Osman Abdoul

Abstract

Computerized techniques to determine and verify maliciousness of an object are described. A malware detection system intercepts in-bound network traffic at a periphery of a network to capture and analyze behaviors of content of network traffic monitored during execution in a virtual machine. One or more endpoint devices on the network also monitor for behaviors during normal processing. Correlation of the behaviors captured by the malware detection system and the one or more endpoint devices may verify a classification by the malware detection system of maliciousness of the content. The malware detection system may communicate with the one or more endpoint devices to influence detection and reporting of behaviors by those device(s).

IPC Classes

  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • H04W 12/12 - Detection or prevention of fraud
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

93.

Ransomware file modification prevention technique

      
Application Number 16024708
Grant Number 10893068
Status In Force
Filing Date 2018-06-29
First Publication Date 2021-01-12
Grant Date 2021-01-12
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Khalid, Yasir
  • Shahbaz, Nadeem
  • Konda, Raghunath

Abstract

A computerized system and method to detect ransomware cyber-attacks is described. The approach entails analyzing the features associated with a file access event by a process operating on a computing device, to ascertain whether the process is associated with a ransomware cyber-attack.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06K 9/62 - Methods or arrangements for recognition using electronic means
  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
  • G06F 11/34 - Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation

94.

System and method for detecting interpreter-based exploit attacks

      
Application Number 16042998
Grant Number 10887328
Status In Force
Filing Date 2018-07-23
First Publication Date 2021-01-05
Grant Date 2021-01-05
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Paithane, Sushant
  • Vashisht, Sai Omkar

Abstract

For one embodiment, a computerized method for detecting exploit attacks on an interpreter comprises configuring a virtual machine including a user mode and a kernel mode and processing an object by an application operating in the user mode of the virtual machine. Responsive to the processing of the object, detecting a loading of an interpreter. Furthermore, responsive to the loading of the interpreter, inserting one or more intercept points for detecting one or more types of software calls from the interpreter or for detecting a certain type or certain types of activities occurring within the interpreter. Thereafter, an exploit attack is detected as being conducted by the object in response to the interpreter invoking a software call that corresponds to the one or more types of software calls that is considered anomalous when invoked by the interpreter or an anomalous activity being conducted within the interpreter.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine

95.

ONE-CLICK REPUTATION ADJUSTMENT

      
Application Number 16993660
Status Pending
Filing Date 2020-08-14
First Publication Date 2020-12-24
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Smith, Christopher
  • Hanson, Ii, Don R.

Abstract

In an example, there is disclosed a security management console, comprising: a hardware platform, comprising a processor, a memory, and a data exchange layer (DXL) interface, the DXL interface comprising a hardware network connection and a software layer, the software layer to provide a two-layer messaging bus, wherein a lower layer is an internet protocol (IP) network, and an upper layer is a publish-subscribe enterprise service bus (ESB); an interface to a reputation database, the reputation database including cached reputations for a plurality of network objects, the reputations representing the network objects' safety within an enterprise serviced by the DXL; and instructions encoded within the memory to instruct the processor to: provide a DXL security console graphical user interface (GUI), the GUI including instructions to provide a graphical representation of an object, including the object's default reputation retrieved from the reputation database; receive a user input to override the object's default reputation to a selected reputation; provide an instruction via the reputation database interface to update the object's default reputation in the database with the selected reputation; and publish a DXL message to a DXL topic associated with the object, the DXL message including the selected reputation.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 16/28 - Databases characterised by their database models, e.g. relational or object models
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity

96.

Cyber attack early warning system

      
Application Number 15817006
Grant Number 10873597
Status In Force
Filing Date 2017-11-17
First Publication Date 2020-12-22
Grant Date 2020-12-22
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Mehra, Divyesh
  • Singh, Abhishek

Abstract

A system and method for generating an alert regarding a potential attack is described. The method involves receiving data associated with previously analyzed or known malware attacks by a first network device. Additionally, the first network device receives an attack alert associated with an object analyzed and identified as suspicious by a second network device. The attack alert includes information associated with the suspicious object. For alert generation, at least a portion of the information of the attack alert is provided to a system configured to at least (i) extract feature(s) from the attack alert, (ii) determine similarities between the extracted features and features associated with the previously analyzed or known malware attacks to determine a result, (iv) compute an attack value based on the result and at least a portion of the extracted features including time-dependent and/or independent features, and (v) generate an alert based on the attack value.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 12/24 - Arrangements for maintenance or administration

97.

System and method for triggering analysis of an object for malware in response to modification of that object

      
Application Number 16193231
Grant Number 10872151
Status In Force
Filing Date 2018-11-16
First Publication Date 2020-12-22
Grant Date 2020-12-22
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Kumar, Vineet
  • Otvagin, Alexander
  • Borodulin, Nikita

Abstract

According to one embodiment, a system featuring one or more processors and memory that includes monitoring logic. During operation, the monitoring logic is configured to monitor for and detect a notification message that is directed to a destination other than the monitoring logic and identify an event associated with a change in state of a data store associated with the file system to occur. The notification message, at least in part, triggers a malware analysis to be conducted on an object associated with the state change event.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures

98.

Systems and methods for generation of signature generation using interactive infection visualizations

      
Application Number 16036879
Grant Number 10868818
Status In Force
Filing Date 2018-07-16
First Publication Date 2020-12-15
Grant Date 2020-12-15
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Rathor, Hirendra
  • Dalal, Kaushal
  • Gupta, Anil

Abstract

According to one embodiment, a malware detection and visualization system includes one or more processors; and a storage module communicatively coupled to the one or more processors, the storage module comprises logic, upon execution by the one or more processors, that accesses a first set of information that comprises (i) information directed to a plurality of observed events and (ii) information directed to one or more relationships that identify an association between different observed events of the plurality of observed events; and generates a reference model based on the first set of information, the reference model comprises at least a first event of the plurality of observed events, a second event of the plurality of observed events, and a first relationship that identifies that the second event is based on the first event, wherein at least one of (i) the plurality of observed events or (ii) the one or more relationships constitutes an anomalous behavior is provided.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 3/0481 - Interaction techniques based on graphical user interfaces [GUI] based on specific properties of the displayed interaction object or a metaphor-based environment, e.g. interaction with desktop elements like windows or icons, or assisted by a cursor's changing behaviour or appearance
  • G16B 20/00 - ICT specially adapted for functional genomics or proteomics, e.g. genotype-phenotype associations

99.

Automated enforcement of security policies in cloud and hybrid infrastructure environments

      
Application Number 16908681
Grant Number 11575712
Status In Force
Filing Date 2020-06-22
First Publication Date 2020-12-10
Grant Date 2023-02-07
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Kung, Lisun Joao
  • Santos, Jose Renato Goncalves
  • Sikder, Sarowar Golam

Abstract

To prevent un-authorized accesses to data and resources available in workloads on an organization's or enterprise's computer network, various improvements to automated computer network security processes to enable them to enforce network security policies using native network security mechanisms to control communications to and/or from workload units of applications running on different nodes within hybrid computer network infrastructures having both traditional hardware resources and virtual resources provided by private and public cloud infrastructure services.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 9/40 - Network security protocols

100.

Post-intrusion detection of cyber-attacks during lateral movement within networks

      
Application Number 16024685
Grant Number 10855700
Status In Force
Filing Date 2018-06-29
First Publication Date 2020-12-01
Grant Date 2020-12-01
Owner
  • MAGENTA SECURITY HOLDINGS LLC (USA)
  • MAGENTA SECURITY INTERMEDIATE HOLDINGS LLC (USA)
Inventor
  • Jeyaraman, Sundararaman
  • Ramaswamy, Ramaswamy

Abstract

A method and system to detect cyber-attacks by analyzing client-server or other east-west traffic within an enterprise network is disclosed. East-west traffic comprises communications between network devices within the enterprise network, in contradistinction to north-south traffic which involves communications intended to traverse the periphery of the enterprise network. The system includes a network interface to receive the network traffic; analysis logic to analyze communications within the received network traffic to identify a set of indicators; correlation logic to assemble one or more groups of weak indicators from the set of indicators, and conduct an analysis to determine whether each of the groups of weak indicators is correlated with known malicious patterns or sequences of indicators, thereby producing at least one strong indicator from which a determination can be made of whether a cyber-attack is being conducted.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol