G06F21/568

STORAGE TRANSACTION LOG
20230079432 · 2023-03-16

Example implementations described herein provide systems and methods for detecting damage to data by malware and involve generating log information at a storage device based on a write input/output (I/O) provided to the storage device by one or more servers, the log information comprising time information for storing the write I/O to the storage device, logical block information for the write I/O, and a compression ratio associated with storing the write I/O to the storage device; and, for a request by a management server to provide the log information for a specified time range for the storage device, returning, from the storage device, the logical block information and the compression ratio associated with the time information within the specified time range.
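The detection idea behind this abstract is that ciphertext has no redundancy, so a storage array that already compresses inline can log the achieved ratio per write and let a management server spot the moment a block range stops compressing. The following is an added example written for this page, not code from the patent or its assignee: it models the per-write log, the time-range query and the management-side check over it. The entry fields, the definition of the ratio (compressed size divided by original size, so 1.0 means incompressible), the 0.9 flagging threshold and the sample workload are all assumptions of the example.

```python
import random
import zlib
from dataclasses import dataclass
from typing import List, Tuple

BLOCK_SIZE = 512  # assumed logical block size


@dataclass(frozen=True)
class WriteLogEntry:
    """One record per write I/O, as generated at the storage device (assumed layout)."""
    timestamp: float        # seconds; when the write was committed
    lba: int                # first logical block address of the write
    blocks: int             # number of logical blocks covered
    compression_ratio: float  # compressed / original; ~1.0 means incompressible


class StorageTransactionLog:
    """Storage-side log populated on every write and queried by time range."""

    def __init__(self) -> None:
        self._entries: List[WriteLogEntry] = []

    def record_write(self, timestamp: float, lba: int, data: bytes) -> WriteLogEntry:
        # Compress the payload the way an inline-compression array would and keep
        # only the ratio; the log never stores the written data itself.
        ratio = len(zlib.compress(data, 6)) / len(data)
        blocks = -(-len(data) // BLOCK_SIZE)   # ceiling division
        entry = WriteLogEntry(timestamp, lba, blocks, ratio)
        self._entries.append(entry)
        return entry

    def query(self, start: float, end: float) -> List[Tuple[int, int, float]]:
        """Answer a management-server request: (lba, blocks, ratio) for writes in [start, end]."""
        return [(e.lba, e.blocks, e.compression_ratio)
                for e in self._entries if start <= e.timestamp <= end]


def incompressible_ranges(rows: List[Tuple[int, int, float]],
                          threshold: float = 0.9) -> List[Tuple[int, int]]:
    """Block ranges whose payload barely compressed (ratio >= threshold).

    Encrypted or random data leaves nothing for zlib to remove, so a burst of
    near-1.0 ratios over blocks that previously compressed well is the signal
    the management server looks for. The threshold is a tunable assumption.
    """
    return [(lba, lba + blocks - 1) for lba, blocks, ratio in rows if ratio >= threshold]


def build_sample_log() -> StorageTransactionLog:
    """Constructed workload: three log-file writes, then the same block ranges
    overwritten with random bytes, which is what an in-place file encryptor produces."""
    log = StorageTransactionLog()
    rng = random.Random(2023)
    text = b"2023-03-16T10:00:00Z host=db01 level=INFO msg=checkpoint complete\n" * 64
    for i in range(3):
        log.record_write(timestamp=1.0 + i, lba=1000 + i * 16, data=text)
    for i in range(3):
        payload = bytes(rng.getrandbits(8) for _ in range(len(text)))
        log.record_write(timestamp=10.0 + i, lba=1000 + i * 16, data=payload)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("flagged in 1..3 s  :", incompressible_ranges(log.query(1.0, 3.0)))
    print("flagged in 10..12 s:", incompressible_ranges(log.query(10.0, 12.0)))
```

Two caveats a practitioner would add: already-compressed or encrypted-at-rest data (archives, media, encrypted databases) never compresses, so the useful signal is a change in ratio for a given block range, not a low ratio on its own; and the window returned by the query is what makes the log actionable, since it bounds which blocks need to be restored from a snapshot taken before the first incompressible write.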

Dynamic analysis techniques for applications
11604878 · 2023-03-14

A virtualized storage for use in performing dynamic analysis on a sample is configured, at least in part by copying the sample to the virtualized storage. A virtual machine emulator is launched using a snapshot of a virtualized platform. The virtualized platform is previously configured to use the virtualized storage, and the snapshot is configured to use a placeholder file to occupy space for later use when installing the sample. A location of the copied sample in an image corresponding to the virtualized storage is determined. The copied sample is installed and dynamic analysis is performed on the sample.

Systems and Methods for Self-Adapting Neutralization Against Cyber-Faults

The present disclosure provides techniques for implementing self-adapting neutralization against cyber-faults within industrial assets. The disclosed neutralization techniques may include obtaining an input dataset from a plurality of nodes of industrial assets and reconstructing compromised nodes in the plurality of nodes to neutralize cyber-faults detected based on the input dataset. A confidence metric may be computed for the reconstruction of the compromised nodes, e.g., using inductive conformal prediction. Based on the confidence metric and the reconstruction of the compromised nodes, input signals from the reconstruction of the compromised nodes may be transformed, or configuration parameters for a controller of the industrial assets may be tuned.
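The abstract leaves the confidence metric open but names inductive conformal prediction as one option. The following is an added example for this page, not code from the patent or its assignee, showing what that looks like for one reconstructed node: a reconstruction model is fitted on clean data, nonconformity scores are taken on a held-out calibration set, and the conformal coverage fraction for a tolerance band becomes the confidence that drives the choice between substituting the reconstructed signal and de-tuning the controller. The linear reconstruction model, the 0.9 confidence cut-off, the gain-halving fallback and the constructed plant data are all assumptions of the example.

```python
import math
import random
from typing import List, Sequence, Tuple


def fit_linear(xs: Sequence[float], ys: Sequence[float]) -> Tuple[float, float]:
    """Least-squares slope and intercept: the (assumed) reconstruction model that
    estimates a compromised node's reading from a healthy, correlated neighbour."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return slope, my - slope * mx


def calibration_scores(model: Tuple[float, float],
                       xs: Sequence[float], ys: Sequence[float]) -> List[float]:
    """Nonconformity scores |actual - reconstructed| on a held-out calibration set
    of clean data, sorted so that quantiles are a single index lookup."""
    slope, intercept = model
    return sorted(abs(y - (slope * x + intercept)) for x, y in zip(xs, ys))


def icp_confidence(cal: Sequence[float], tolerance: float) -> float:
    """Inductive conformal confidence that a fresh reconstruction lies within
    `tolerance` of the true value: the fraction of calibration scores not
    exceeding the tolerance, with the usual +1 in the denominator for the test point."""
    return sum(1 for s in cal if s <= tolerance) / (len(cal) + 1)


def icp_half_width(cal: Sequence[float], epsilon: float) -> float:
    """Smallest +/- band around a reconstruction with 1 - epsilon coverage."""
    k = math.ceil((len(cal) + 1) * (1.0 - epsilon))
    return cal[min(k, len(cal)) - 1]


def neutralize(x_healthy: float, model: Tuple[float, float], cal: Sequence[float],
               tolerance: float, min_confidence: float = 0.9,
               gain: float = 1.0) -> Tuple[str, float, float]:
    """Decision rule (assumption) for a node flagged as compromised: when the
    reconstruction is confident enough, transform the input by substituting the
    reconstructed value; otherwise pass nothing through and halve the controller
    gain so the untrusted reading cannot drive a large actuation."""
    slope, intercept = model
    reconstructed = slope * x_healthy + intercept
    confidence = icp_confidence(cal, tolerance)
    if confidence >= min_confidence:
        return "transform_signal", reconstructed, gain
    return "tune_controller", float("nan"), gain * 0.5


def make_dataset(n: int, seed: int) -> Tuple[List[float], List[float]]:
    """Constructed plant data: node B reads about 2*A + 5 with bounded sensor noise."""
    rng = random.Random(seed)
    xs = [rng.uniform(0.0, 100.0) for _ in range(n)]
    ys = [2.0 * x + 5.0 + rng.uniform(-1.0, 1.0) for x in xs]
    return xs, ys


if __name__ == "__main__":
    xs, ys = make_dataset(1000, seed=1)
    model = fit_linear(xs[:500], ys[:500])          # training split
    cal = calibration_scores(model, xs[500:], ys[500:])  # calibration split
    print("90% band half-width:", round(icp_half_width(cal, 0.1), 3))
    print("tolerance 1.0:", neutralize(50.0, model, cal, tolerance=1.0))
    print("tolerance 0.2:", neutralize(50.0, model, cal, tolerance=0.2))
```

The property worth noting is that the confidence is distribution-free: it depends only on the calibration residuals, not on any assumption about the noise, so the same code applies when the reconstruction model is replaced by something richer than a line. The guarantee holds for data exchangeable with the calibration set, which is exactly what an attacker who has compromised a node breaks; calibrating on data that already contains the compromise would inflate the confidence.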

SECURE AUTONOMIC RECOVERY FROM UNUSABLE DATA STRUCTURE VIA A TRUSTED DEVICE IN A SECURE PEER-TO-PEER DATA NETWORK
20230125556 · 2023-04-27

A secure executable container executed by a network device generates a secure private key and a secure public key for secure communications in a secure peer-to-peer data network, and establishes a trusted two-way relationship with a second network device based on receiving a second secure public key generated by the second network device and the second network device receiving the secure public key. The secure executable container encrypts a data structure into an encrypted data structure using the secure private key, and autonomically replicates the data structure based on securely sending a copy of the data structure (or the encrypted data structure) to the second network device using the second secure public key. The secure executable container autonomically executes a secure recovery of the copy, from the second network device, in response to detecting an unusability of the encrypted data structure stored in the network device.

SYSTEMS AND METHODS FOR ASSET BASED EVENT PRIORITIZATION FOR REMOTE ENDPOINT SECURITY

Systems and methods for event threat prioritization are provided. In some embodiments, an event priority engine receives event data detected by event agents executing on devices. The events are prioritized and ranked according to threat scores, generated by threat indicators that are fed event data and threat data. In some embodiments, security systems may prioritize events based on the endpoints from which they originate, using attributes associated with those endpoints. In this way, events can be prioritized at least in part based on the damage to the enterprise that would occur if those events compromised security, not just the likelihood of those events actually resulting in a security breach.

Data structure measurement comparison

A system comprising an inner kernel of an operating system (OS) running at a higher privilege level than an outer kernel of the OS, the inner kernel to measure a data structure in a memory; a device including a measurement engine to measure the data structure in the memory, wherein the device operates independently of the OS; and a trusted execution environment including an application to compare measurements from the inner kernel and the measurement engine.

System and method for generating and storing forensics-specific metadata

Disclosed herein are systems and methods for generating and storing forensics-specific metadata. In one aspect, a digital forensics module is configured to generate a backup of user data stored on a computing device in accordance with a backup schedule. The digital forensics module identifies, from a plurality of system metadata of the computing device, forensics-specific metadata of the computing device based on predetermined rules, wherein the forensics-specific metadata is utilized for detecting suspicious digital activity. The digital forensics module generates a backup of the forensics-specific metadata in accordance with the backup schedule and analyzes the forensics-specific metadata for an indication of the suspicious digital activity on the computing device. In response to detecting the suspicious digital activity based on the analysis, the digital forensics module generates a security event indicating that the suspicious digital activity has occurred.

Threat mitigation system and method

A computer-implemented method, computer program product and computing system for: obtaining system-defined consolidated platform information for a computing platform from an independent information source; obtaining client-defined consolidated platform information for the computing platform from a client information source; and comparing the system-defined consolidated platform information to the client-defined consolidated platform information to define differential consolidated platform information for the computing platform.

Method and system for detecting malware using memory map
11636205 · 2023-04-25

A malware detection method and system using a memory map. A malware detection method may include collecting, by processing circuitry, a plurality of memory maps from a plurality of client devices, a client program being installed in each of the plurality of client devices, analyzing, by the processing circuitry, a plurality of memory addresses of the plurality of memory maps to obtain an analysis result, and determining, by the processing circuitry, whether malware is present in one of the plurality of client devices based on the analysis result.

Systems and methods for protecting against malware attacks

A method, computing device, and non-transitory machine-readable medium for detecting malware attacks and mitigating data loss. In various embodiments, an agent is implemented in the operating system of a storage node to provide protection at the bottommost level in a data write path. The agent intercepts write requests and observes file events over time to detect anomalous behavior. For example, the agent may monitor incoming write requests and, when an incoming write request is detected, determine whether the file is associated with a malware attack risk based on an analysis of an encryption state of data in the file. If the file is associated with a malware attack risk, an entry for the file is added to a file log. The agent may analyze the chi-square values for data written to the files, the file log, and the file format to determine whether a malware attack is underway.
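The chi-square test the abstract mentions measures how far the byte histogram of written data is from uniform: ciphertext scores close to the 255 degrees of freedom, while text and structured binaries score orders of magnitude higher. The following is an added example for this page, not the patent's or its assignee's code: a write-path agent that computes the statistic on each write, logs files whose data looks encrypted, cross-checks the file's declared format against its header, and declares an attack when enough logged files have lost their format signature. The magic-number table, the 400 decision threshold, the three-file trigger and the sample writes are assumptions of the example; compressed formats are handled explicitly because they are the standard false positive for any entropy test.

```python
import gzip
import random
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed header table; a real agent would carry a far larger one.
MAGIC: Dict[str, bytes] = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".zip": b"PK\x03\x04",
    ".gz": b"\x1f\x8b",
}

# Decision threshold (assumption): with 255 degrees of freedom the statistic for
# genuinely uniform data has mean 255 and standard deviation ~22.6, so 400 is far
# above anything ciphertext produces and far below what any plaintext reaches.
CHI_SQUARE_THRESHOLD = 400.0


def chi_square_uniform(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform 256-symbol distribution."""
    n = len(data)
    if n == 0:
        return float("inf")
    expected = n / 256.0
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def header_matches_format(name: str, data: bytes) -> Optional[bool]:
    """True/False when the extension has a rule in MAGIC, None when it does not."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    magic = MAGIC.get(ext)
    if magic is None:
        return None
    return data.startswith(magic)


@dataclass
class FileLogEntry:
    name: str
    chi_square: float
    header_ok: Optional[bool]


@dataclass
class WriteAgent:
    """Intercepts writes and keeps a log of files whose written data looks encrypted."""
    file_log: List[FileLogEntry] = field(default_factory=list)

    def on_write(self, name: str, data: bytes) -> Optional[FileLogEntry]:
        chi = chi_square_uniform(data)
        if chi >= CHI_SQUARE_THRESHOLD:
            return None                      # clearly not ciphertext; nothing to log
        entry = FileLogEntry(name, chi, header_matches_format(name, data))
        self.file_log.append(entry)
        return entry

    def attack_underway(self, min_files: int = 3) -> bool:
        """High-entropy writes are normal for .gz/.zip/.png payloads, so only files
        whose declared format no longer matches the written header are counted."""
        mismatched = [e for e in self.file_log if e.header_ok is False]
        return len(mismatched) >= min_files


def random_bytes(n: int, seed: int) -> bytes:
    """Stand-in for ciphertext: deterministic pseudo-random bytes (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def run_demo() -> Tuple[bool, List[FileLogEntry]]:
    agent = WriteAgent()
    text = b"Quarterly report: revenue up 4%, headcount flat. " * 80
    # Benign writes: plaintext, a PDF-like file, and a genuine gzip stream that
    # keeps its 1f 8b header even though its body is high-entropy.
    agent.on_write("notes.txt", text)
    agent.on_write("report.pdf", b"%PDF-1.7\n" + text)
    agent.on_write("archive.gz", gzip.compress(text))
    # Ransomware-style writes: three files overwritten in place with ciphertext.
    for i, name in enumerate(["a.pdf", "b.png", "c.zip"]):
        agent.on_write(name, random_bytes(4096, seed=i))
    return agent.attack_underway(), agent.file_log


if __name__ == "__main__":
    underway, log = run_demo()
    for e in log:
        print(f"{e.name:12s} chi2={e.chi_square:8.1f} header_ok={e.header_ok}")
    print("attack underway:", underway)
```

Because the agent sits below the file system it sees only blocks and names, so the header check is what turns "this write is high-entropy" into "this file stopped being what it claims to be"; the file log supplies the rate over time that distinguishes a user saving one archive from a process rewriting hundreds of documents.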