Patent classifications
G06F21/564
OPERATION OF A DUAL INSTRUCTION PIPE VIRUS CO-PROCESSOR
Circuits and methods are provided for detecting, identifying and/or removing undesired content. According to one embodiment, a method for performing content scanning of content objects is provided. A content object that is to be scanned is stored by a general purpose processor to a system memory of the general purpose processor. Content scanning parameters associated with the content object are set up by the general purpose processor. Instructions from a signature memory of a co-processor that is coupled to the general purpose processor are read by the co-processor based on the content scanning parameters. The instructions contain op-codes of a first instruction type and op-codes of a second instruction type. Those of the instructions containing op-codes of the first instruction type are assigned by the co-processor to a first instruction pipe of multiple instruction pipes of the co-processor for execution. An instruction of the assigned instructions containing op-codes of the first instruction type is executed by the first instruction pipe including accessing a portion of the content object from the system memory.
Cloud Assisted Behavioral Automated Testing
A computer readable storage medium, system and method for improving automated testing systems to include first and second behavioral data. The first behavioral data is collected periodically and the second behavioral data is collected in real time. Receipt of the first behavioral data and the second behavioral data is followed by receipt of a system configuration template. A test case is updated based on the first and second behavioral data, and an automated test environment is reconfigured based on the first behavioral data, the second behavioral data, and the system configuration template. The test executes in the automated test environment, producing a test result.
CONTEXT-AWARE PATTERN MATCHING ACCELERATOR
Methods and systems for improving accuracy, speed, and efficiency of context-aware pattern matching are provided. According to one embodiment, a packet stream is received by a first stage of a hardware accelerator of a network device. A pre-matching process is performed by the first stage to identify a candidate packet that matches a string or overflow pattern associated with access control (e.g., IPS or ADC) rules. A candidate rule is identified based on a correlation of results of the pre-matching process. The candidate packet is tokenized to produce matching tokens and corresponding locations. A full-match process is performed on the candidate packet by a second stage of the hardware accelerator to determine whether it satisfies the candidate rule by performing one or more of (i) context-aware pattern matching, (ii) context-aware string matching and (iii) regular expression matching based on contextual information, the matching tokens and the corresponding locations.
Automatic Inline Detection based on Static Data
Examples of the present disclosure describe systems and methods of automatic inline detection based on static data. In aspects, a file being received by a recipient device may be analyzed using an inline parser. The inline parser may identify sections of the file and feature vectors may be created for the identified sections. The feature vectors may be used to calculate a score corresponding to the malicious status of the file as the information is being analyzed. If a score is determined to exceed a predetermined threshold, the file download process may be terminated. In aspects, the received files, file fragments, feature vectors and/or additional data may be collected and analyzed to build a probabilistic model used to identify potentially malicious files.
Automated detection of malware using trained neural network-based file classifiers and machine learning
Automated malware detection for application file packages using machine learning (e.g., trained neural network-based classifiers) is described. A particular method includes generating, at a first device, a first feature vector based on occurrences of character n-grams corresponding to a first subset of files of multiple files of an application file package. The method includes generating, at the first device, a second feature vector based on occurrences of attributes in a second subset of files of the multiple files. The method includes sending the first feature vector and the second feature vector from the first device to a second device as inputs to a file classifier. The method includes receiving, at the first device from the second device, classification data associated with the application file package based on the first feature vector and the second feature vector. The classification data indicates whether the application file package includes malware.
Automated malware monitoring and data extraction
A malware monitoring method includes: obtaining a malware sample; extracting operational parameters corresponding to the malware sample; configuring an emulator application corresponding to the malware sample using the operational parameters; executing a plurality of instances of the configured emulator application; collecting output data from each of the plurality of instances; and generating indicators of compromise (IOCs) based on the collected output data.
ANALYSIS DEVICE, AND METHOD FOR DETECTING MALWARE IN AN iOS DEVICE
A method for detection of malware being installed in an Internet Operating System (iOS) device comprises: identifying at least one known malware signature that is indicative of malware being installed on the iOS device; obtaining a backup of the iOS device that contains a plurality of data files; scanning the plurality of data files of the backup of the iOS device; comparing the scanned plurality of backup data files with the at least one known malware signature that is indicative of malware being installed on the iOS device; and identifying malware as being installed on the iOS device in response to a match between at least one of the plurality of scanned backup data files and the at least one known malware signature.
AUTOMATIC INTRUSION DETECTION BASED ON MALICIOUS CODE REUSE ANALYSIS
Methods, systems, and apparatus, including computer programs encoded on computer storage media, for automatically generating intrusion detection system (IDS) signatures. One of the systems includes obtaining a new data object and determining whether the new data object is malicious or not malicious; identifying a plurality of components of the new data object; updating tracking data that identifies, for each of a plurality of tracked components of previous data objects, a frequency with which the tracked component has been identified in previous data objects determined to be malicious and a frequency with which the tracked component has been identified in previous data objects determined not to be malicious; and determining, from the tracking data, that one or more particular tracked components satisfy one or more conditions and, in response: automatically generating a new IDS signature for identifying malicious data objects that include the one or more particular tracked components.
Machine learning model abstraction layer for runtime efficiency
Systems and methods include receiving a trained machine learning model that has been processed with training information removed therefrom, wherein the training information is utilized in training of the trained machine learning model; monitoring traffic, inline at the node, including processing the traffic with the trained machine learning model; obtaining a verdict on the traffic based on the trained machine learning model; and performing an action on the traffic based on the verdict.
Method for automatic creation of malware detection signature
Herein disclosed is a method for automatically extracting signatures for malware. The method takes advantage of a fundamental economic requirement of malware authors: they must reuse code to manage their time investment. The method disclosed finds code shared between malware samples and generates signatures from that code. A method is also disclosed for separating code that is found predominantly, if not exclusively, in malware from code that may also be found in benign programs.