Patent classifications
G06F21/562
METHODS AND APPARATUS FOR MACHINE LEARNING BASED MALWARE DETECTION AND VISUALIZATION WITH RAW BYTES
Methods, apparatus, systems, and articles of manufacture are disclosed. An example apparatus comprises at least one memory, instructions, and processor circuitry to execute the instructions. The processor circuitry executes the instructions to provide a neural network a plurality of raw bytes for malware classification. The processor circuitry executes the instructions to generate a visualization of features extracted from the plurality of raw bytes. The processor circuitry executes the instructions to generate a heatmap for the plurality of raw bytes based on gradient activations of the neural networks. The processor circuitry executes the instructions to perform a dimensionality reduction based on features of the plurality of raw bytes identified in the heatmap.
Automation and optimization of data recovery after a ransomware attack
In the face of ransomware attacks, which can be increasingly difficult to effectively prevent, a solution can be considered to be the minimization of the cost and time taken to recover data and, hence, business activities. Embodiments perform a restore operation that includes automatically identifying the most recent healthy backup, from which data should be restored, and the prioritizing of the order in which data should be restored.
Identifying legitimate websites to remove false positives from domain discovery analysis
Aspects of the disclosure relate to identifying legitimate websites and removing false positives from domain discovery analysis. Based on a list of known legitimate domains, a computing platform may generate a baseline dataset of feature vectors corresponding to the known legitimate domains. Subsequently, the computing platform may receive information identifying a first domain for analysis and may execute one or more machine learning algorithms to compare the first domain to the baseline dataset. Based on execution of the one or more machine learning algorithms, the computing platform may generate first domain classification information indicating that the first domain is a legitimate domain. In response to determining that the first domain is a legitimate domain, the computing platform may send one or more commands directing a domain identification system to remove the first domain from a list of indeterminate domains maintained by the domain identification system.
Security system, storage medium storing computer program, and data diagnostic method
A security system includes a backup acquisition unit configured to store given information indicating states of backup data together with backup images generated from the backup data for each backup generation; and a determination unit configured to generate, when a predetermined timing comes, determination information for determining whether there is an abnormality in the stored backup data, based on a predetermined determination rule and the given information for each backup generation, and to output the generated determination information.
METHODS FOR CONVERTING HIERARCHICAL DATA
Systems, methods, and software can be used for securing in-tunnel messages. One example of a method includes obtaining a parsed file that comprises two or more sub-feature trees, and each of the two or more sub-feature trees comprises at least one feature layer that comprises features. The method further includes generating a feature vector that identifies the features in the at least one feature layer for each of the two or more sub-feature trees. The method yet further includes mapping the features in the at least one feature layer for each of the one or more sub-feature trees to a corresponding position in the feature vector. By converting features in the parsed file into a feature vector, the method provides an applicable format of the feature vector in wide applications for the parsed file.
Methods and systems for defending an infrastructure against a distributed denial of service attack
Methods and systems for defending an infrastructure against a distributed denial of service (DDoS) attack use a software decoy installed in the infrastructure to deliberately attract a malware. An address or a domain name of a command and control (C&C) server is extracted from the malware. A client of the infrastructure uses the address or the domain name of the C&C server to connect to the C&C server. The client receives a command intended by the C&C server to cause the client to participate in the DDoS attack. The client forwards particulars of the DDoS attack to a cleaning component. The cleaning component discards incoming signals having one or more of the particulars of the DDoS attack. The address or domain name of the C&C server may be obfuscated in the malware, in which case reverse engineering is used to decipher the malware.
Automated Interpreted Application Control For Workloads
Embodiments provide functionality to protect computing workloads from script-based attacks. Upon receipt, at a workload, of a command to commence execution of code of a script, an embodiment determines whether (i) permissions of a user issuing the command comply with a permissions security standard, (ii) an identifier of an interpreter supporting the script is included in an approved interpreter list, (iii) an identifier of a selected parameter of the interpreter is included in an approved parameter list, and (iv) an identifier of the script is included in an approved list of executables. If all of the aforementioned checks pass, such an embodiment allows execution of the code of the script; otherwise, execution is denied, thereby protecting the workload in an event of a script-based attack.
System and method for information gain for malware detection
Systems and methods for malware detection are provided herein. In some embodiments, a system having one or more processors is configured to: perform, on a plurality of user devices, at least one of a static analysis or a behavioral analysis of a file downloaded to a user device; receive a plurality of features extracted from the downloaded file; train at least one machine learning model, on a central server in communication with the plurality of user devices, based on the plurality of features; distribute the at least one trained machine learning model to the plurality of user devices; and update at least one of a machine learning model used for the static analysis or behavioral analysis with the distributed at least one trained machine learning model.
Method and apparatus for using a dynamic security certificate
A method and apparatus for using a dynamic security certificate. The method analyzes a browser to access browser information and generates a dynamic security certificate based on the browser information. The method modifies a configuration file for the browser to cause the browser to trust the dynamic security certificate and inserts the dynamic security certificate into the browser to enable a client application to access encrypted data available to the browser. The method may be performed solely upon a user device or have portions thereof performed by a user device and a server.
Systems and methods for parallelized custom data-processing and search
This invention provides systems and methods for data processing by means of an ongoing background process on an end-user's computer. As a user receives and generates data, files are analyzed. A container file is opened into the volatile memory and its contents (including data and metadata) are extracted, without requiring an index to be created. The extracted components are analyzed based on predefined characteristics.