G06F21/562

Machine learning model score obfuscation using coordinated interleaving
11562290 · 2023-01-24

An artefact is received. Features are extracted from this artefact which are, in turn, used to populate a vector. The vector is then input into a classification model to generate a score. The score is then modified to result in a modified score by interleaving the generated score or a mapping thereof into digits of a pseudo-score. Thereafter, the modified score can be provided to a consuming application or process. Related apparatus, systems, techniques and articles are also described.

System and method of inspecting archive slices for malware using empty sparse files

Disclosed herein are systems and methods for inspecting archive slices for malware using empty sparse files. In one exemplary aspect, the method comprises generating a backup slice and a virtual volume comprising a list of files in the backup slice and associated file information. The method comprises mounting the virtual volume to a disk. The method comprises creating, in the virtual volume, empty sparse files that are placeholders for the files referenced in the list of files. The method comprises detecting a change between a respective empty sparse file and a corresponding file in a previous backup slice and accordingly storing the actual content of the file in the virtual volume in place of the respective empty sparse file. The method comprises scanning the virtual volume for malicious software and, upon detection, generating a cured slice that replaces the backup slice in the backup archive.

Performing threat detection by synergistically combining results of static file analysis and behavior analysis
11562068 · 2023-01-24

Systems and methods are described for synergistically combining static file-based detection and behavioral analysis to improve both threat detection time and accuracy. An endpoint security solution running on an endpoint device generates a static analysis score by performing a static file analysis on files associated with a process initiated on the endpoint device. When the static analysis score meets or exceeds a static analysis threshold, a network security platform treats the process as malicious and blocks execution of the process. When the static analysis score is less than the static analysis threshold, the endpoint security solution obtains a dynamic analysis score for the process. The network security platform then treats the process as malicious and causes execution of the process to be blocked based on a function of the static analysis score and the dynamic analysis score.

VERIFICATION INFORMATION REVISING DEVICE, VERIFICATION INFORMATION REVISING METHOD, AND VERIFICATION INFORMATION REVISING PROGRAM

A verification information modification device includes processing circuitry configured to: acquire, from each verification device that uses verification information of software to verify a file forming the software, an error log relating to erroneous detection that has occurred in that verification device; when it is determined, based on the acquired error logs, that the same error has occurred in a predetermined number or more of verification devices, extract the error log of that error from the acquired error logs and create information indicating the verification information that caused the erroneous detection together with candidates for modification details of that verification information; and output the information indicating the verification information that caused the erroneous detection and the candidates for modification details of the verification information.

Machine learning model abstraction layer for runtime efficiency

Systems and methods include receiving a trained machine learning model that has been processed with training information removed therefrom, wherein the training information is utilized in training of the trained machine learning model; monitoring traffic, inline at the node, including processing the traffic with the trained machine learning model; obtaining a verdict on the traffic based on the trained machine learning model; and performing an action on the traffic based on the verdict.

Methods and apparatus to facilitate malware detection using compressed data
11556649 · 2023-01-17

Methods, apparatus, systems and articles of manufacture are disclosed to facilitate malware detection using compressed data. An example apparatus includes an input processor to obtain a model, the model identifying a first sequence associated with a first trace of data known to be repetitive; a sequence identifier to identify a second sequence associated with a second trace of data; a comparator to compare the first sequence with the second sequence; and an output processor to, when the first sequence matches the second sequence, transmit an encoded representation of the second sequence to a central processing facility using a first channel of communication, and, when the first sequence fails to match the second sequence, transmit the second sequence to the central processing facility using a second channel of communication, the second sequence to be analyzed by the central processing facility to identify whether the second sequence is indicative of malware.

System for detecting trojans in an artificial network and method thereof

A system and method are provided that test and determine whether a candidate artificial intelligence model contains a Trojan dating from when it was trained, and use the outcome of that determination to decide whether the candidate artificial intelligence model should be deployed. The system utilizes a first artificial intelligence that operates as a data generator and a second artificial intelligence that operates as a discriminator to determine whether the candidate artificial intelligence contains a Trojan. The first artificial intelligence combines sets of data with random Trojan triggers, and the second artificial intelligence discriminates output classifications from the candidate artificial intelligence model to determine whether the Trojan is present based on probability outputs.

Systems and methods for automated cybersecurity analysis of extracted binary string sets

An automated system and method for analyzing a set of strings extracted from a binary is disclosed, including processing the binary with string-extraction logic that can locate strings within the binary and output an extracted string set for use in cybersecurity analysis. The logic retrieves a set of training data comprising a plurality of previously analyzed extracted string sets, where each element of a previously analyzed extracted string set comprises at least one extracted string and a corresponding previously determined threat prediction score. A prediction model based upon the training data is generated, and the extracted string set is processed by the prediction model to determine a threat prediction score for each string. The located strings are ranked based upon the determined threat prediction scores, and a ranked string list is output.

Systems and methods for cross-referencing forensic snapshots over time for root-cause analysis

Aspects of the disclosure describe methods and systems for cross-referencing forensic snapshots over time. In one exemplary aspect, a method may comprise receiving a first snapshot of a computing device at a first time and a second snapshot of the computing device at a second time, and applying a pre-defined filter to the first snapshot and the second snapshot, wherein the pre-defined filter includes a list of files that are to be extracted from each snapshot. The method may comprise, subsequent to applying the pre-defined filter, identifying differences in the list of files extracted from the first snapshot and the second snapshot. The method may comprise creating a change map for the computing device that comprises the differences in the list of files over a period of time, wherein the period of time comprises the first time and the second time, and outputting the change map in a user interface.

Non-invasive computer implemented method for malware detection, a non-transitory computer-readable medium, and a system for detecting malware in an application

Android has been a constant target of cybercriminals who try to attack one of the most used operating systems, commonly using malicious applications (denominated malware). The present invention uses a lightweight and non-invasive approach to detect malware in the Android system. The method employs a set of specific-type detectors, each of which performs a multi-stage analysis, based on rules and machine learning techniques, in different phases of the application cycle. The invention includes a process to obtain an application's characteristics that does not infringe the licenses and terms of use of applications; a more efficient process to classify applications on Android devices that requires less processing power; and, finally, by using different detection phases that employ distinct sets of characteristics obtained from the application, the present invention can outperform the detection performance of prior-art techniques and reduce the number of misclassified samples.