According to one embodiment, a computerized method operates by configuring a virtual machine operating within an electronic device with a first instrumentation for processing of a suspicious object. In response to detecting a type of event during processing of the suspicious object within the virtual machine, the virtual machine is automatically reconfigured with a second instrumentation that is different from the first instrumentation in efforts to achieve reduced configuration time and/or increased effectiveness in exploit detection.

Methods and systems for improving accuracy, speed, and efficiency of context-aware pattern matching are provided. According to one embodiment, a packet stream is received by a first stage of a hardware accelerator of a network device. A pre-matching process is performed by the first stage to identify a candidate packet that matches a string or over-flow pattern associated with access control (e.g., IPS or ADC) rules. A candidate rule is identified based on a correlation of results of the pre-matching process. The candidate packet is tokened to produce matching tokens and corresponding locations. A full-match process is performed on the candidate packet by a second stage of the hardware accelerator to determine whether it satisfies the candidate rule by performing one or more of (i) context-aware pattern matching, (ii) context-aware string matching and (iii) regular expression matching based on contextual information, the matching tokens and the corresponding locations.

Methods and systems for improving accuracy, speed, and efficiency of context-aware pattern matching are provided. According to one embodiment, a packet stream is received by a first stage of a hardware accelerator of a network device. A pre-matching process is performed by the first stage to identify a candidate packet that matches a string or over-flow pattern associated with access control (e.g., IPS or ADC) rules. A candidate rule is identified based on a correlation of results of the pre-matching process. The candidate packet is tokened to produce matching tokens and corresponding locations. A full-match process is performed on the candidate packet by a second stage of the hardware accelerator to determine whether it satisfies the candidate rule by performing one or more of (i) context-aware pattern matching, (ii) context-aware string matching and (iii) regular expression matching based on contextual information, the matching tokens and the corresponding locations.

A system and method of security assessment of a network is described. The system may include one or more security assessment computers controlled by a security assessor, and connected to a network, and first executable program code for acting as an agent on a first end device on the network. The first executable program code is configured to be executed by a browser application of the first end device, and is configured to collect software information, hardware information, and/or vulnerability information of the first end device and transmit the same to a first security assessment computer of the one or more security assessment computers. The information may be transmitted as part of a domain name server (DNS) request. The DNS request may include information identifying the first end device to thus allow modification of the first end device in response to analysis of the collected information.

An example system includes a main processor operable in a normal mode or a trusted mode, the main processor having an embedded diagnostic trusted code executable in the trusted mode; a secure memory accessible by the main processor when the main processor is in the trusted mode and inaccessible to the main processor when the main processor is in the normal mode, wherein execution of the embedded diagnostic trusted code causes the main processor to write diagnostic information to the secure memory; and a monitor processor having access to the secure memory to analyze the diagnostic information to determine a state of the main processor.

Among other things, embodiments of the present disclosure help provide entities with the ability to remotely detect behavior associated with malware and identify compromised user-sessions, regardless of the malware variant or family, and independently of the page structure.

Examples of the present disclosure describe systems and methods of automatic inline detection based on static data. In aspects, a file being received by a recipient device may be analyzed using an inline parser. The inline parser may identify sections of the file and feature vectors may be created for the identified sections. The feature vectors may be used to calculate a score corresponding to the malicious status of the file as the information is being analyzed. If a score is determined to exceed a predetermined threshold, the file download process may be terminated. In aspects, the received files, file fragments, feature vectors and/or additional data may be collected and analyzed to build a probabilistic model used to identify potentially malicious files.

This technical solution relates to systems and methods of cyber attack detection, and more specifically it relates to analysis methods and systems for protocols of interaction of malware and cyber attack detection and control centres (servers). The method comprises: uploading the malware application into at least one virtual environment; collecting, by the server, a plurality of malware requests transmitted by the malware application to the malware control center; analyzing the plurality of malware requests to determine, for each given malware request: at least one malware request parameter contained therein; and an order thereof of the at least one malware request parameter. The method then groups the plurality of malware requests based on shared similar malware request parameters contained therein and order thereof and for each group of the at least one group containing at least two malware requests, generates a regular expression describing malware request parameters and order thereof of the group, which regular expression can be used as an emulator of the malware application.

Techniques for searching an inverted index associating byte sequences of a fixed length and files that contain those byte sequences are described herein. Byte sequences comprising a search query are determined and searched in the inverted index. In some examples, training data for training machine learning model(s) may be created using pre-featured data from the inverted index. In various examples, training data may be used to retrain a ML model until the ML model meets a criterion. In some examples, the trained ML model may be used to perform searches on the inverted index and classify files.

Some embodiments described herein include an apparatus having a processor communicatively coupled to a memory. The processor is configured to monitor, at a characteristic controller, a first characteristic of an electronic device. The processor is then configured to receive side-channel signature analysis of the electronic device from a signature analyzer. The processor is configured to determine if the first characteristic of the electronic device has changed or will change in a predefined period of time based on the side-channel signature analysis. The processor is then configured to adjust a second characteristic of the electronic device and/or filtering characteristics such that the side-channel signature analysis reflects predefined side-channel behavior.