G06F21/563

Malware clustering based on function call graph similarity

Techniques are disclosed relating to malware clustering based on function call graph similarity. In some embodiments, a computer system may access information corresponding to a plurality of malware samples and, based on the information, generate a function call graph for each of the malware samples. In some embodiments, generating the function call graph for a given malware sample includes identifying a plurality of function calls included in the information, assigning a label to each of the function calls, identifying relationships between the function calls, and generating the function call graph based on the relationships and the labels. Based on the function call graphs, the computer system may assign each of the plurality of malware samples into one of a plurality of clusters of related malware samples.

Visualization of code execution through line-of-code behavior and relation models
11694008 · 2023-07-04

Disclosed herein are techniques for visualizing and configuring controller function sequences. Techniques include identifying at least one executable code segment associated with a controller; analyzing the at least one executable code segment to determine at least one function and at least one functional relationship associated with the at least one code segment; constructing a software functionality line-of-code behavior and relation model that visually depicts the determined at least one function and at least one functional relationship; displaying the software functionality line-of-code behavior and relation model at a user interface; receiving a first input at the interface; in response to the received first input, animating the line-of-code behavior and relation model to visually depict execution of the at least one executable code segment on the controller; receiving a second input at the interface; and in response to the received second input, animating an update to the line-of-code behavior and relation model.

Application download monitoring method and device

This application provides an application download monitoring method and a device. A mobile terminal detects whether the access URL information requested by a plurality of first applications includes an application download request. When it detects that the access URL information requested by any one of the plurality of first applications includes an application download request, the mobile terminal blocks the application download request and sends the URL information to a server. The server queries, based on the application download request in the URL information, whether a security analysis result exists for the second application corresponding to the application download request, and if it finds the security analysis result, the server sends it to the mobile terminal. The mobile terminal then determines, based on the security analysis result, whether to download the second application.

Cryptocurrency based malware and ransomware detection systems and methods
11546373 · 2023-01-03

Cryptocurrency based malware and ransomware detection systems and methods are disclosed herein. An example method includes analyzing a plurality of malware or ransomware attacks to determine the cryptocurrency payment addresses used in those attacks, building a malware or ransomware attack database with the cryptocurrency payment addresses of the plurality of malware or ransomware attacks, identifying a proposed cryptocurrency transaction that includes an address contained in the malware or ransomware attack database, and denying the proposed cryptocurrency transaction.

Application integrity verification

A method of application integrity verification and remediation includes scanning an appliance to identify installed program files associated with an application under analysis deployed at the appliance. The method includes computing a hash value of a first installed file of the installed program files. The method includes determining whether the first installed file exists in vendor program files of the application that are maintained separately from the installed program files. The method includes fetching a hash value of a first vendor file of the vendor program files, where the first vendor file corresponds to the first installed file. Responsive to the fetched hash value differing from the computed hash value, the method includes classifying the first installed file as a compromised file and remediating the compromised file at the appliance.

Detecting and blocking a malicious file early in transit on a network
20220417260 · 2022-12-29

A device may receive a malicious file associated with a network of network devices and may identify a file type and file characteristics associated with the malicious file. The device may determine one or more rules to apply to the malicious file based on the file type and the file characteristics associated with the malicious file and may apply the one or more rules to the malicious file to generate a partial file signature for the malicious file. The device may provide the partial file signature for the malicious file to one or more of the network devices of the network. The partial file signature may cause the one or more of the network devices to block the malicious file.

Machine learning through iterative memory analysis for malware detection

A system and method of anti-malware analysis that uses iterative techniques to create a file attribute tree, which a machine learning analyzer then uses to identify malicious files.

System, method, and apparatus for software verification

A system and method for software verification provides a lifting dictionary for each desired computer architecture. The lifting dictionary is used to translate native machine language instructions into descriptive intermediate language (DIL) instructions. Each DIL instruction is atomic, in that it changes at most one state of the emulated system. An emulator then runs the DIL instructions with tools that show each change of state after each DIL instruction is emulated.

Methods and apparatus for machine learning based malware detection and visualization with raw bytes
20220414219 · 2022-12-29

Methods, apparatus, systems, and articles of manufacture are disclosed. An example apparatus comprises at least one memory, instructions, and processor circuitry to execute the instructions. The processor circuitry executes the instructions to provide a neural network with a plurality of raw bytes for malware classification. The processor circuitry executes the instructions to generate a visualization of features extracted from the plurality of raw bytes. The processor circuitry executes the instructions to generate a heatmap for the plurality of raw bytes based on gradient activations of the neural network. The processor circuitry executes the instructions to perform a dimensionality reduction based on features of the plurality of raw bytes identified in the heatmap.

Deep neural network system for similarity-based graph representations

There is described a neural network system implemented by one or more computers for determining graph similarity. The neural network system comprises one or more neural networks configured to process an input graph to generate a node state representation vector for each node of the input graph and an edge representation vector for each edge of the input graph, and to process the node state representation vectors and the edge representation vectors to generate a vector representation of the input graph. The neural network system further comprises one or more processors configured to: receive a first graph; receive a second graph; generate a vector representation of the first graph; generate a vector representation of the second graph; and determine a similarity score for the first graph and the second graph based upon the vector representations of the first graph and the second graph.