Disclosed herein are systems and methods for categorizing an application on a computing device including gathering a set of attributes of an application. The set of attributes of the application includes at least one of: a number of files in an application package of the application; a number of executable files in the application package; numbers and types of permissions being requested; a number of classes in the executable files in the application package; and a number of methods in the executable files in the application package. sending the gathered set of attributes to a trained classification model. The application is classified, using the classification model, based on the gathered set of attributes by generating one or more probabilities of the application belonging to respective one or more categories of applications. A category of the application is determined based on the generated one or more probabilities.

Methods, apparatus, systems and articles of manufacture are disclosed to facilitate malware detection using compressed data. An example apparatus includes an input processor to obtain a model, the model identifying a first sequence associated with a first trace of data known to be repetitive, a sequence identifier to identify a second sequence associated with a second trace of data, a comparator to compare the first sequence with the second sequence, and an output processor to when the first sequence matches the second sequence, transmit an encoded representation of the second sequence to the central processing facility using a first channel of communication, and when the first sequence fails to match the second sequence, transmit the second sequence to the central processing facility using a second channel of communication, the second sequence to be analyzed by the central processing facility to identify whether the second sequence is indicative of malware.

The disclosed computer-implemented method for detecting inter-personal attack applications may include (i) receiving application marketplace information describing application feature information, (ii) creating, by performing natural language processing on the feature information, a feature vector identifying a potentially malicious functionality of the application, (iii) creating a profiling vector that is a categorical feature representation of installation information from an application installation file, and (iv) performing a security action including (A) mapping, using a machine learning model, the feature vector and the profiling vector to a multi-dimensional output vector having element corresponding to a malware category and (B) determining a malicious extent of the application by combining the categories identified by the multi-dimensional output vector with bi-partite graph information identifying (I) relations between a plurality of applications and (II) relations between a plurality of computing devices hosting the plurality of applications. Various other methods, systems, and computer-readable media are also disclosed.

An integrated-circuit device comprises a processor, a peripheral component, a bus system, connected to the processor and to the peripheral component, and configured to carry bus transactions; and hardware filter logic. The bus system is configured to carry security-state signals for distinguishing between secure and non-secure bus transactions. The peripheral component comprises a register interface, accessible over the bus system, and comprising a hardware register and a direct-memory-access (DMA) controller for initiating bus transactions on the bus system. The peripheral component supports a secure-in-and-non-secure-out state in which the hardware filter logic is configured to prevent non-secure bus transactions from accessing the hardware register of the peripheral component, but to allow secure bus transactions to access the peripheral component. The peripheral component is configured to allow an incoming secure bus transaction to access the hardware register and to initiate a bus transaction as non-secure.

Provided is an intrusion detection technique configured to: obtain kernel-filter criteria indicative of which network traffic is to be deemed potentially malicious, determine that a network packet is resident in a networking stack, access at least part of the network packet, apply the kernel-filter criteria to the at least part of the network packet and, based on applying the kernel-filter criteria, determining that the network packet is potentially malicious, associate the network packet with an identifier of an application executing in userspace of the operating system and to which or from which the network packet is sent, and report the network packet in association with the identifier of the application to an intrusion-detection agent executing in userspace of the operating system of the host computing device, the intrusion-detection agent being different from the application to which or from which the network packet is sent.

Aspects of the disclosure describe methods and systems for cross-referencing forensic snapshots over time. In one exemplary aspect, a method may comprise receiving a first snapshot of a computing device at a first time and a second snapshot of the computing device at a second time and applying a pre-defined filter to the first snapshot and the second snapshot, wherein the pre-defined filter includes a list of files that are to be extracted from each snapshot. The method may comprise subsequent to applying the pre-defined filter, identifying differences in the list of files extracted from the first snapshot and the second snapshot. The method may comprise creating a change map for the computing device that comprises the differences in the list of files over a period of time, wherein the period of time comprises the first time and the second time, and outputting the change map in a user interface.

In embodiments of the present teachings, improved capabilities are described for detecting restricted content associated with retrieved content. The method and system may include receiving a client request for content, saving contextual information from the client request, and presenting the contextual information from the client request, and retrieved content, to a scanning facility. The scanning facility may use the contextual information and the retrieved content to initiate a remedial action on the client.

Systems and methods described herein provide for building policies using namespaces. A device may receive a request to access a resource in a computing environment. The request may include one or more attributes. The device may identify a set of namespaces having domain-specific policy grammar to generate domain-specific policies. The device may determine a namespace from the identified set of namespaces which corresponds to the one or more attributes of the request. The device may generate, using domain-specific policy grammar of the determined namespace, a domain-specific policy to apply to the request.

A rootkit detection system and method analyzes memory dumps to determine connections between intercepted system driver operations requested by unknown files and changes in system memory before and after those operations. Memory dump differences and I/O buffers are analyzed with machine learning models to identify clustered features associated with rootkits.

Analytics processing circuitry can include a data scavenger and a data analyzer coupled to receive the data from the data scavenger. The data scavenger collects data from at least one element of interest of a plurality of elements of interest of an IC. The data analyzer identifies patterns in the data from the data scavenger over a time frame or for a snapshot of time based on a predefined metric. The analytics processing circuitry can further include a moderator and a risk predictor. The risk predictor generates a risk assessment regarding whether the data collected by the data scavenger is indicative of normal behavior or abnormal behavior based at least on the output of the data analyzer and a behavioral model for the IC, which can be device and application specific. A threat response can be performed based on the risk assessment.