G06F21/55

Tracking malicious software movement with an event graph

A multi-endpoint event graph is used to detect malware based on malicious software moving through a network.

Malware mitigation based on runtime memory allocation

A compute instance is instrumented to detect certain kernel memory allocation functions, in particular functions that allocate heap memory and/or make allocated memory executable. Dynamic shellcode exploits can then be detected when code executing from heap memory allocates additional heap memory and makes that additional heap memory executable.

Method of processing secure data and electronic device supporting the same

An electronic device is provided. The electronic device includes a communication circuit, a display, a memory including a first display driver, a processor functionally connected with the communication circuit, the display, and the memory, and a secure module that is physically separated from the processor and includes a secure processor and a second display driver. The secure processor is configured to: when secure data is received from an external server through the communication circuit, disable the first display driver and enable the second display driver, and output a user interface including a first object corresponding to the secure data to the display by using the enabled second display driver.

ADAPTIVE DETECTION OF SECURITY THREATS THROUGH RETRAINING OF COMPUTER-IMPLEMENTED MODELS
20230039382 · 2023-02-09

Adapting detection of security threats, including by retraining computer-implemented models is disclosed. An indication is received that a natural language processing model should be retrained. A list of training samples is generated that includes at least one synthetic training sample. The natural language processing model is retrained at least in part by using the set of generated training samples. The retrained natural language processing model is used to determine a likelihood that a message poses a risk.

Expediting processing of selected events on a time-limited basis

Techniques are described that enable an IT and security operations application to prioritize the processing of selected events for a defined period of time. Data is obtained reflecting activity within an IT environment, wherein the data includes a plurality of events each representing an occurrence of activity within the IT environment. A severity level is assigned to each event of the plurality of events, where the events are processed by the IT and security operations application in an order that is based at least in part on the severity level assigned to each event. Input is received identifying at least one event of the plurality of events for expedited processing to obtain a set of expedited events, and the identified events are processed by the IT and security operations application before processing events that are not in the set of expedited events.

Systems and methods for detecting an attack on a battery management system

Systems and methods for detecting and/or identifying an attack on a battery management system (BMS) or a battery system. The voltage and/or state of charge (SOC) of the BMS or battery system can be monitored, and one or more datasets can be obtained. A principal component analysis (PCA) based unsupervised k-means approach can be applied to the one or more datasets to monitor for irregularities that indicate an attack.

Systems and methods for automating detection and mitigation of an operating system rootkit
11593482 · 2023-02-28

Systems and methods for detecting malicious software include an application software repository that stores a header file associated with a driver, an executable, or both, and are operable to (i) receive a memory dump file upon an operating system crash, the dump including a driver copy, an executable copy, or both, (ii) verify that the memory dump file is new for analysis, (iii) compress the verified memory dump file to generate a memory snapshot of the verified memory dump file, (iv) scan the memory snapshot for a memory dump header file associated with the driver copy, the executable copy, or both, and (v) identify and extract malicious software when the memory dump header file from the memory snapshot fails to match at least one stored header file in the application software repository.

INTERNET-BASED PROXY SERVICE TO MODIFY INTERNET RESPONSES

A proxy server receives from a client device a request for a network resource that is hosted at an origin server for a domain. The request is received at the proxy server as a result of a DNS request for the domain resolving to the proxy server. The origin server is one of multiple origin servers that belong to different domains that resolve to the proxy server and are owned by different entities. The proxy server retrieves the requested network resource. The proxy server determines that the requested resource is an HTML page. The proxy server scans the HTML page to locate one or more modification tokens that each indicates content that is subject to being modified. For at least one of the located modification tokens, the proxy server automatically modifies at least a portion of the content of the HTML page that corresponds to that modification token. The proxy server then transmits the modified HTML page to the client device.

OPERATION OF A DUAL INSTRUCTION PIPE VIRUS CO-PROCESSOR
20180004945 · 2018-01-04

Circuits and methods are provided for detecting, identifying and/or removing undesired content. According to one embodiment, a method for performing content scanning of content objects is provided. A content object that is to be scanned is stored by a general purpose processor to a system memory of the general purpose processor. Content scanning parameters associated with the content object are set up by the general purpose processor. Instructions from a signature memory of a co-processor that is coupled to the general purpose processor are read by the co-processor based on the content scanning parameters. The instructions contain op-codes of a first instruction type and op-codes of a second instruction type. Those of the instructions containing op-codes of the first instruction type are assigned by the co-processor to a first instruction pipe of multiple instruction pipes of the co-processor for execution. An instruction of the assigned instructions containing op-codes of the first instruction type is executed by the first instruction pipe including accessing a portion of the content object from the system memory.