G06F21/568

Automated Identification of Malware Families Based on Shared Evidences

A malware family identification engine constructs a graph data structure of direct relationships between malware instances and malware families, direct relationships between malware instances and detected tags, and indirect relationships between detected tags and malware families. The engine builds a dictionary data structure comprising detected tag entries linking each detected tag to one or more malware family nodes based on the graph data structure. The engine identifies significant indirect entities (SIEs) within the detected tag entries of the dictionary data structure and selects a SIE with a highest number of out-going links (OGLs) as a root node in a family tree data structure, recursively connects SIEs with a number of OGLs less than the highest number of OGLs to the root node in the family tree data structure, and converts each SIE name in the family tree data structure to a chained family entity name in the family tree data structure.

NETWORK SECURITY DEFENSE METHOD AND RELATED DEVICE APPLIED TO NETWORK SECURITY DEFENSE SYSTEM

Provided are a security defense method and apparatus applied to a network security defense system. The method includes: using memoryless technology in a cyberspace information system, where the memoryless technology includes technology which is not affected by generalized disturbance; eliminating a memory of the cyberspace information system on an effect of random disturbance by using a redundancy and replacement mechanism; and eliminating a memory of the cyberspace information system on an effect of non-random disturbance by eliminating a memory of a program running in the cyberspace information system and/or data in the cyberspace information system. The present solution can block a memory of the cyberspace information system on an error caused by the generalized disturbance including the non-random disturbance and the random disturbance, thereby improving security of the cyberspace information system.

Compression of array of strings with similarities
11615056 · 2023-03-28

A method of compressing a string array comprising strings with similarity includes selecting a string compression method from among a plurality of available compression methods based on at least which of the available compression methods yields the shortest compressed string. The string is then compressed using the selected string compression method. The array of strings to be compressed comprises text characters represented by a first range of values within a word, and the compressed string comprises one or more words in a second range of values dedicated to compression and not overlapping with the first range of values. This process is repeated for additional strings in the string array, such that the compression method used for each of a plurality of strings is independently selected.

Large scale malware sample identification

A method including receiving a feature vector of an unknown sample, computing a MinHash of the unknown sample based on Jaccard-compatible features, querying a Locality Sensitive Hashing forest of known samples with the MinHash of the unknown sample to identify a first subset of known samples that are similar to the unknown sample, receiving for each individual known sample in the first subset, a feature vector including non-Jaccard distance-compatible features, computing a first sub-distance and a second sub-distance between the unknown sample and the known samples in the first subset, calculating a total distance for each known sample in the first subset by combining the first and the second sub-distances, identifying, based on the calculated total distances, a second subset of known samples that are most similar to the unknown sample, and classifying the unknown sample based on the second subset.

Methods and systems for ransomware detection, isolation and remediation
11616810 · 2023-03-28

Ransomware detection and/or isolation and/or remediation of a ransomware-encryption device is performed in a Remote Monitoring and Management (RMM) system environment. The RMM system is operatively associated with monitoring and managing a plurality of devices and, according to an exemplary embodiment, the RMM system includes an RMM agent module locally installed on each device, a cloud-based RMM platform operatively communicating with each device RMM agent module, and a Ransomware Detection (RD)/Isolation module locally installed on each device. The RD/Isolation module locally detects a potential ransomware-encryption in one or more files received by the device, and the RMM system isolates a ransomware-affected device using a locally executed script provided by the cloud-based RMM platform.

METHOD AND SYSTEM FOR SECURELY TRANSMITTING FILE VIA REMOTE BROWSER
20230033714 · 2023-02-02

A method and system for securely transmitting a file via a remote browser, where the method includes: a first step of connecting to a client web browser accessing a designated Internet Protocol (IP) address, and setting up a relay environment between a service server of the designated IP address and a client terminal; a second step of constructing a sandbox with respect to the client web browser, and executing a web page constructed in the website of the service server in the sandbox; a third step of extracting the rendering screen of the web page from the sandbox, and transmitting rendering screen information so that the rendering screen is displayed on the client web browser; and a fourth step of receiving first input information about the rendering screen information from the sandbox, and generating and transmitting second input information corresponding to the first input information.

Hybrid deployment of ephemeral scanners
11616803 · 2023-03-28

A cybersecurity scanner deployment system, comprising: at least one processor configured to: access a primary account maintained in a cloud environment; receive information defining a structure of the primary account, the structure including a plurality of assets, and the information excluding raw data of the primary account; deploy, inside the primary account or a secondary account for which trust is established with the primary account, at least one ephemeral scanner configured to scan at least one block storage volume and output metadata defining the at least one block storage volume, the output excluding raw data of the primary account; receive a transmission of the metadata from the at least one ephemeral scanner, excluding raw data of the primary account; analyze the metadata to identify cybersecurity vulnerabilities; correlate each of the cybersecurity vulnerabilities with one of the assets; and generate a report correlating the cybersecurity vulnerabilities with the assets.

Identifying malicious creatives to supply side platforms (SSP)
11487877 · 2022-11-01

There are disclosed devices, systems and methods for feeding identification data of malicious creatives existing in internet advertisements to a supply side platform (SSP) by receiving reports of unwanted actions performed without user action by malicious creatives of internet advertisements (ads) requested from the SSP by webpages being displayed to users. The reports include a creative identification (ID), a malicious code chain of events, and a demand side platform (DSP) ID or a seat ID. The reports are pre-processed by classifying the unwanted action attempts based on the chain of events. The pre-processed reports are parsed to extract the creative IDs, the SSP IDs and the DSP IDs, and then stored in a searchable database. The stored parsed pre-processed reports are fed to SSPs based on the SSP identifications. The feed includes the creative IDs, the SSP IDs, the DSP IDs, timestamps of the unwanted action attempt and the classifications.

SYSTEM AND METHOD FOR IMPLEMENTING ADDED SERVICES FOR OBD2 SMART VEHICLE CONNECTION
20230090728 · 2023-03-23

Novel tools and techniques might provide for implementing Internet of Things (“IoT”) functionality, and, in particular embodiments, implementing added services for OBD2 connection for IoT-capable vehicles. In various embodiments, a portable device (when connected to an OBD2 DLC port of a vehicle) might monitor wireless communications between a vehicle computing system(s) and an external device(s), might monitor vehicle sensor data from vehicular sensors tracking operational conditions of the vehicle, and might monitor operator input sensor data from operator input sensors tracking input by a vehicle operator. The portable device (or a server) might analyze either the monitored wireless communications or a combination of the monitored vehicle sensor data and the monitored operator input sensor data, to determine whether vehicle operation has been compromised. If so, the portable device (or the server) might alert the operator of the vehicle via a user interface, and might initiate one or more remediation operations.

RANSOMWARE MITIGATION DEVICE AND METHOD
20220350887 · 2022-11-03

A system and method for backing up data is disclosed. In one embodiment, the method comprises receiving N data segments, the N data segments together defining first backup data read from a processing device; receiving L data segments, the L data segments together defining second backup data read from the processing device temporally subsequent to the reading of the N data segments; determining if the L data segments comprise ransomware; preventing overwriting of the stored N data segments if the L data segments comprise ransomware; and storing the received L data segments if the L data segments do not comprise ransomware.