G06F21/566

GRAPH COMPUTING OVER MICRO-LEVEL AND MACRO-LEVEL VIEWS
20230012202 · 2023-01-12

Graph computing over micro and macro views includes expanding, with a processor at run-time, a set of nodes to include a node generated in response to received data corresponding to an event query. A first inference of an inference ensemble is determined by traversing a base graph whose nodes are associated with a discriminant power that exceeds a predetermined entity threshold. A second inference of the inference ensemble is determined by traversing a micro-view graph whose nodes are selected based on a number of references that exceeds a predetermined reference threshold. A third inference of the inference ensemble is determined by traversing a macro-view graph having one or more committee nodes and computing for each committee node a macro-node vote and generating a response to the event query based on the inference ensemble.

IoT device identification with packet flow behavior machine learning model
11552975 · 2023-01-10

Identifying Internet of Things (IoT) devices with packet flow behavior including by using machine learning models is disclosed. Information associated with a network communication of an IoT device is received. A determination of whether the IoT device has previously been classified is made. In response to determining that the IoT device has not previously been classified, a determination is made that a probability match for the IoT device against a behavior signature exceeds a threshold. Based at least in part on the probability match, a classification of the IoT device is provided to a security appliance configured to apply a policy to the IoT device.

Forecasting Malware Capabilities from Cyber Attack Memory Images
20230044579 · 2023-02-09

In a method of identifying capabilities of a malware intrusion that has been detected by an intrusion detection system, a notification that the malware intrusion has been detected is received from the intrusion detection system. A memory image associated with the malware is then captured. The memory image is parsed and a prior execution context is reconstructed by loading a last central processing unit (CPU) state and memory state into a symbolic environment. Addresses and prototype summaries associated with the malware are extracted from the memory image from the symbolic environment. Paths that are possible for execution due to the malware based on the addresses and prototype summaries are determined. Each path is modeled and a probability of each path being executed with concrete data is assigned. Paths with a low probability are pruned, leaving a plurality of paths of interest. Application programming interfaces (APIs) detected in the plurality of paths of interest are matched to a repository of capability analysis plugins. Any application programming interface (API) that matches at least one plugin in the repository of capability analysis plugins is reported to an analyst.

SYSTEM FOR ACTIVE DETECTION AND MITIGATION OF UNAUTHORIZED ACTIVITY WITHIN A TECHNOLOGY INFRASTRUCTURE

Systems, computer program products, and methods are described herein for active detection and mitigation of unauthorized activity within a technology infrastructure. The present invention is configured to continuously monitor one or more incoming messages in one or more computing devices; detect one or more assessment vectors embedded in the one or more incoming messages; initiate an isolated virtual environment; redirect the one or more incoming messages associated with the one or more assessment vectors from the one or more computing devices to the isolated virtual environment; trigger an access routine to emulate, within the isolated virtual environment, an action of accessing the one or more incoming messages; determine, based on at least the access routine, whether the one or more incoming messages is associated with malware; and display a notification to the user indicating whether the one or more incoming messages is associated with malware.

Context-based secure controller operation and malware prevention

In one implementation, a method for providing security on an externally connected controller includes launching, by the controller, a security layer that includes a whitelist of permitted processes on the controller, the whitelist including (i) signatures for processes that are authorized to be executed and (ii) context information identifying permitted controller contexts within which the processes are authorized to be executed; determining, by the security layer, whether the particular process is permitted to be run on the controller based on a comparison of the determined signature with a verified signature for the particular process from the whitelist; identifying, by the security layer, a current context for the controller; determining, by the security layer, whether the particular process is permitted to be run on the controller based on a comparison of the current context with one or more permitted controller contexts for the particular process from the whitelist.

Malware detection using federated learning

A method of generating a predictive model for malware detection using federated learning includes transmitting, to each of a plurality of remote devices, a copy of the predictive model, where the predictive model is configured to predict whether a file is malicious; receiving, from each of the plurality of remote devices, model parameters determined by independently training the copy of the predictive model on each of the plurality of remote devices using local files stored on respective ones of the plurality of remote devices; generating a federated model by training the predictive model based on the model parameters received from each of the plurality of remote devices; and transmitting the federated model to each of the plurality of remote devices.

Systems and methods for automating detection and mitigation of an operating system rootkit
11593482 · 2023-02-28

Systems and methods to detect malicious software include an application software repository including a stored header file associated with a driver, an executable, or both, and are operable to (i) receive a memory dump file upon an operating system crash including a driver copy, an executable copy, or both, (ii) verify the memory dump file is new for analysis, (iii) compress the verified memory dump file to generate a memory snapshot of the verified memory dump file, (iv) scan the memory snapshot for a memory dump header file associated with the driver copy, the executable copy, or both, and (v) identify and extract malicious software when the memory dump header file from the memory snapshot fails to match at least one stored header file in the application software repository.

Proactive browser content analysis

A protection module operates to analyze threats, at the protocol level (e.g., at the HTML level), by intercepting all requests that a browser engine resident in a computing device sends and receives, and the protection agent completes the requests without the help of the browser engine. The protection module then analyzes and/or modifies the completed data before the browser engine has access to it, for example to display it. After performing all of its processing, removing, and/or adding any code as needed, the protection module provides the HTML content to the browser engine, and the browser engine receives responses from the protection agent as if it were speaking to an actual web server, when in fact the browser engine is speaking to an analysis engine of the protection module.

Automated Code Lockdown To Reduce Attack Surface For Software
20180004950 · 2018-01-04

In an example embodiment, a system determines a set of instructions from the available instructions for a computer application. The determined set of instructions provides specific functionality of the computer application. The system may determine the set of instructions by performing functional testing and negative testing on the specific functionality. The system may reorganize and randomize the set of instructions in memory and write the reorganized set of instructions to a smaller memory space. For each available instruction not in the set of instructions, the system changes the respective instruction to inoperative to prevent execution of the respective instruction. The system may change the respective instruction to inoperative by overwriting the instruction with a NOP instruction. The system then captures a memory address of the computer application being accessed at runtime. The system may declare a security attack if the captured memory address matches a memory address for an inoperative instruction.

SYSTEM AND METHOD TO MITIGATE MALICIOUS CALLS
20180004951 · 2018-01-04

Systems and methods are provided in example embodiments for mitigating malicious calls. The system can be configured to receive a function call, determine the location of a memory page that initiated the function call, determine if the memory page is associated with a trusted module, and block the function call if the memory page is not associated with the trusted module. In addition, the system can determine the return address for the function call and block the function call if the return address does not belong to the trusted module. Further, the system can determine a parameter for the function call, determine if the parameter is a known parameter used by the process that called the function, and block the function call if the parameter is not the known parameter used by the process that called the function.