Disclosed herein are systems and method for blocking malicious script execution. In one exemplary aspect, the method may comprise detecting an execution of a script that creates or modifies a file on a computing device and recording a first report comprising a list of operations involved in the execution of the script, an identifier of the script, and an identifier of the file. The method may comprise determining that the file includes malicious code using a malware scanner and recording a second report comprising an indication that the file includes malicious code and an identifier of the file. In response to determining that identifier of the file is present in both the first report and the second report, the method may comprise generating and storing a first rule that prevents complete execution of any script that shares at least one operation in the list of operations with the script.

A technique for detecting malware involves loading known malware information, finding a string in the known malware information, saving the string in a first database, identifying a first contiguous string block from the known malware information, assigning a confidence indicator to the first contiguous string block, attempting to find the first contiguous string block in a second database containing one or more contiguous string blocks extracted from known malware, and responsive to a determination the first contiguous string block meets a predetermined threshold of similarity with a second contiguous string block contained in the second database, labelling the first contiguous string block.

Disclosed herein are systems and methods for enabling the automatic detection of executable code from a stream of bytes. In some embodiments, the stream of bytes can be sourced from the hidden areas of files that traditional malware detection solutions ignore. In some embodiments, a machine learning model is trained to detect whether a particular stream of bytes is executable code. Other embodiments described herein disclose systems and methods for automatic feature extraction using a neural network. Given a new file, the systems and methods may preprocess the code to be inputted into a trained neural network. The neural network may be used as a “feature generator” for a malware detection model. Other embodiments herein are directed to systems and methods for identifying, flagging, and/or detecting threat actors which attempt to obtain access to library functions independently.

Methods, apparatus, systems and articles of manufacture are disclosed for classification of unknown samples using agglomerative clustering. An apparatus includes an extractor to extract a feature from a sample source code, the feature including at least one of a register, a variable, or a library based on a threshold of occurrence in a corpus of samples, the corpus of samples including malware samples, a dendrogram generator to generate a dendrogram based on features extracted from the sample source code, the dendrogram representing a collection of samples clustered based on similarity among the samples, the samples including sample clusters belonging to known malware families, and an anchor point identifier to traverse the dendrogram to identify similarity of an unknown sample to the sample clusters based on a confidence score, and identify anchor point samples from the sample clusters identified as similar to the unknown sample, the anchor point samples to provide metadata for use in extrapolating information to classify the unknown sample.

A discrete three-dimensional (3-D) processor comprises first and second dice. The first die comprises 3-D memory (3D-M) arrays, whereas the second die comprises logic circuits and at least an off-die peripheral-circuit component of the 3D-M array(s). Typical off-die peripheral-circuit component could be an address decoder, a sense amplifier, a programming circuit, a read-voltage generator, a write-voltage generator, a data buffer, or a portion thereof.

A discrete three-dimensional (3-D) processor comprises stacked first and second dice. The first die comprises three-dimensional memory (3D-M) arrays, whereas the second die comprises at least a portion of a logic/processing circuit and an off-die peripheral-circuit component of the 3D-M array(s). The preferred 3-D processor can be used to compute non-arithmetic function/model. In other applications, the preferred 3-D processor may also be a 3-D configurable computing array, a 3-D pattern processor, or a 3-D neuro-processor.

Systems and methods for a machine learning based approach for identification of malware using static analysis and a machine-learning based automatic clustering of malware are provided. According to various embodiments of the present disclosure, a processing resource of a computer system receives a potential malware sample. A plurality of feature vectors is extracted from the potential malware sample and is converted into an input vector. A byte sequence is generated by walking a plurality of decision trees based on the input vector. Further, a hash value for the byte sequence is calculated and a determination is made regarding whether the hash value matches a malware hash value of a plurality of malware hash values corresponding to a known malware sample. Upon said determination being affirmative, the potential malware sample is classified as malware and is associated with a malware family of the known malware sample.

In one implementation, a method for providing security on an externally connected controller includes launching, by the controller, a security layer that includes a whitelist of permitted processes on the controller, the whitelist including (i) signatures for processes that are authorized to be executed and (ii) context information identifying permitted controller contexts within which the processes are authorized to be executed; determining, by the security layer, whether the particular process is permitted to be run on the controller based on a comparison of the determined signature with a verified signature for the particular process from the whitelist; identifying, by the security layer, a current context for the controller; determining, by the security layer, whether the particular process is permitted to be run on the controller based on a comparison of the current context with one or more permitted controller contexts for the particular process from the whitelist.

A method of generating a predictive model for malware detection using federated learning includes transmitting, to each of a plurality of remote devices, a copy of the predictive model, where the predictive model is configured to predict whether a file is malicious; receiving, from each of the plurality of remote devices, model parameters determined by independently training the copy of the predictive model on each of the plurality of remote devices using local files stored on respective ones of the plurality of remote devices; generating a federated model by training the predictive model based on the model parameters received from each of the plurality of remote devices; and transmitting the federated model to each of the plurality of remote devices.

Systems and methods to detect malicious software include an application software repository including a stored header file associated with a driver, an executable, or both, and are operable to (i) receive a memory dump file upon an operating system crash including a driver copy, an executable copy, or both, (ii) verify the memory dump file is new for analysis, (iii) compress the verified memory dump file to generate a memory snapshot of the verified memory dump file, (iv) scan the memory snapshot for a memory dump header file associated with the driver copy, the executable copy, or both, and (v) identify and extract malicious software when the memory dump header file from the memory snapshot fails to match at least one stored header file in the application software repository.