Systems and methods for malware filtering are provided herein. In some embodiments, a system having one or more processors is configured to: retrieve a file downloaded to a user device; break the downloaded file into a plurality of chunks; scan the plurality of chunks to identify potentially malicious chunks; predict whether the downloaded file is malicious based on the scan of the plurality of chunks; and determine whether the downloaded file is malicious based on the prediction.

A system and method for generating event-specific handling instructions for accelerating a threat mitigation of a cybersecurity event includes identifying a cybersecurity event; generating a cybersecurity event digest based on the cybersecurity event, computing a cybersecurity hashing-based signature of the cybersecurity event based on the cybersecurity event digest; searching, based on the distinct cybersecurity hashing-based signature of the cybersecurity event, an n-dimensional space comprising a plurality of historical cybersecurity event hashing-based signatures; returning one or more historical cybersecurity events or historical cybersecurity alerts homogeneous to the cybersecurity event based on the search; deriving one or more cybersecurity event-specific handling actions for the cybersecurity event based on identifying a threat handling action corresponding to each of the one or more historical cybersecurity events or historical cybersecurity alerts homogeneous to the cybersecurity event; and executing one or more cybersecurity threat mitigation actions to resolve or mitigate the cybersecurity event.

A computerized method for analyzing an object is disclosed. The computerized method includes performing, by a first cybersecurity system, a first malware analysis of the object, wherein a first context information is generated by the first cybersecurity system based on the first malware analysis. The first context information includes at least origination information of the object. Additionally, a second cybersecurity system, obtains the object and the first context information and performs a second malware analysis of the object to determine a verdict indicating maliciousness of the object. The second malware analysis is based at least in part on the first context information. The second cybersecurity system generates and issues a report based on the second malware analysis, the report including the verdict.

Aspects of the disclosure describe methods and systems for performing an antivirus scan using file level deduplication. In an exemplary aspect, prior to performing an antivirus scan on files stored on at least two storage devices, a deduplication module calculates a respective hash for each respective file stored on the storage devices. The deduplication module identifies a first file stored the storage devices and determines whether at least one other copy of the first file exists on the storage devices. In response to determining that another copy exists, the deduplication module stores the first file in a shared database, replaces all copies of the first file on the storage devices with a link to the first file in the shared database, and performs the antivirus scan on (1) the first file in the shared database and (2) the files stored on the storage devices.

Systems and methods use negative feedback to create generic rules for a high dimensional sparse feature space. A system receives a set of fingerprints, where a fingerprint can be a set of features of a file. The fingerprints can be clustered according to similarity. For each cluster, a proto-rule is created that has a condition for each feature. The proto-rule is simplified using negative feedback to create a well-formed rule having a comparatively small subset of the conditions in the proto-rule that are useful in determining malware. The well-formed rule can be added to a set of rules used in a malware detection system.

Methods and apparatus consistent with the present disclosure may be used after a computer network has been successfully attacked by new malicious program code. Such methods may include collecting data from computers that have been affected by the new malicious program code and this data may be used to identify a type of damage performed by the new malicious code. The collected data may also include a copy of the new malicious program code. Methods consistent with the present disclosure may also include allowing the new malicious program code to execute at an isolated computer while actions and instructions that cause the damage are identified. Signatures may be generated from the identified instructions after which the signatures or data that describes the damaging actions are provided to computing resources such that those resources can detect the new malware program code.

A discrete three-dimensional (3-D) processor comprises first and second dice. The first die comprises 3-D memory (3D-M) arrays, whereas the second die comprises logic circuits and at least an off-die peripheral-circuit component of the 3D-M array(s). Typical off-die peripheral-circuit component could be an address decoder, a sense amplifier, a programming circuit, a read-voltage generator, a write-voltage generator, a data buffer, or a portion thereof.

A system and method for generating event-specific handling instructions for accelerating a threat mitigation of a cybersecurity event includes identifying a cybersecurity event; generating a cybersecurity event digest based on the cybersecurity event, computing a cybersecurity hashing-based signature of the cybersecurity event based on the cybersecurity event digest; searching, based on the distinct cybersecurity hashing-based signature of the cybersecurity event, an n-dimensional space comprising a plurality of historical cybersecurity event hashing-based signatures; returning one or more historical cybersecurity events or historical cybersecurity alerts homogeneous to the cybersecurity event based on the search; deriving one or more cybersecurity event-specific handling actions for the cybersecurity event based on identifying a threat handling action corresponding to each of the one or more historical cybersecurity events or historical cybersecurity alerts homogeneous to the cybersecurity event; and executing one or more cybersecurity threat mitigation actions to resolve or mitigate the cybersecurity event.

A malware detection method that uses federated learning includes receiving a first malware detection model and a database of known malicious files, labeling each file of a training data set as either malicious or clean by comparing each file of the training data set to the database, where a match causes the file to be labeled as malicious. If a match cannot be found, the file is evaluated using the first malware detection model to predict maliciousness and the file is labeled based on the prediction. The method further includes training the first malware detection model using the labeled training data set; transmitting parameters of the trained first malware detection model to the remote device; and receiving a second malware detection model that is trained by federated learning using the parameters of the trained first malware detection model and additional parameters provided by one or more additional remote devices.

A method and apparatus related to developing electromagnetic emission and power models for a target device using photonic emissions thereof are provided. Data of photonic emissions of a target device during a first period of time with the target device in one or more modes is recorded. Data of electromagnetic emissions of the target device during the first period of time with the target device in the one or more modes is also recorded. The recorded data of the photonic emissions and the recorded data of the electromagnetic emissions are correlated to establish one or more electromagnetic emission models for the target device. The one or more electromagnetic emission models enable predictive analysis of emissions by the target device.