Provided is a backup system including a storage system and a backup server, in which the backup server includes a ledger for managing a copy number and a backup acquisition date and time for each backup image, a data volume that stores data accessed by a business server, a backup image volume that stores a plurality of backup images at different time points of the data volume, an access volume having a volume ID for accessing the backup image from the backup server, and a data protection area including at least one volume having an internal volume ID instead of the volume ID for accessing from the backup server are configured in the storage system, and the backup image stored in the data protection area and the access volume are associated, and the backup image in the data protection area is provided to the backup server.

Systems and methods for a machine learning based approach for identification of malware using static analysis and a machine-learning based automatic clustering of malware are provided. According to various embodiments of the present disclosure, a processing resource of a computer system receives a potential malware sample. A plurality of feature vectors is extracted from the potential malware sample and is converted into an input vector. A byte sequence is generated by walking a plurality of decision trees based on the input vector. Further, a hash value for the byte sequence is calculated and a determination is made regarding whether the hash value matches a malware hash value of a plurality of malware hash values corresponding to a known malware sample. Upon said determination being affirmative, the potential malware sample is classified as malware and is associated with a malware family of the known malware sample.

A file is stored in a public cloud storage. A serverless computing platform receives an event notification that the file has been stored and, in response, creates an instance of an ephemeral environment wherein a security module is executed. The security module creates a memory-mapped space with memory locations that are mapped to the entire content of the file but does not allocate memory for all of the memory locations. Instead, the security module retrieves sections of the file from the public cloud storage as these sections are accessed in their designated memory locations in accordance with the memory mapping, allocates memory for the retrieved sections, stores the retrieved sections in their designated memory locations, and scans the retrieved sections in their designated memory locations for malicious code. The security module continues scanning the file in sections until relevant sections of the file have been scanned.

In one implementation, a method for providing security on an externally connected controller includes launching, by the controller, a security layer that includes a whitelist of permitted processes on the controller, the whitelist including (i) signatures for processes that are authorized to be executed and (ii) context information identifying permitted controller contexts within which the processes are authorized to be executed; determining, by the security layer, whether the particular process is permitted to be run on the controller based on a comparison of the determined signature with a verified signature for the particular process from the whitelist; identifying, by the security layer, a current context for the controller; determining, by the security layer, whether the particular process is permitted to be run on the controller based on a comparison of the current context with one or more permitted controller contexts for the particular process from the whitelist.

A system and method mediate transfer of encrypted data files between local applications and external computer systems. Application containers perform cryptographic operations using stored credentials to decrypt data coming from these external systems and configurably forward them to the local applications, and to encrypt data sent from the local applications to the external systems. Access to this encryption-as-a-service (EaaS) functionality is gated by a fingerprint service that classifies requests by security level, and detects anomalous requests. Security classification is performed by a supervised machine learning algorithm, while anomalous request detection is performed by unsupervised machine learning algorithm. Stored keys are monitored, and when they near expiration or are damaged, embodiments proactively undertake key renewal and key exchange with the external computer systems. Containerization enables key storage in multiple vaults, thereby making such storage vendor-agnostic.

A method of generating a predictive model for malware detection using federated learning includes transmitting, to each of a plurality of remote devices, a copy of the predictive model, where the predictive model is configured to predict whether a file is malicious; receiving, from each of the plurality of remote devices, model parameters determined by independently training the copy of the predictive model on each of the plurality of remote devices using local files stored on respective ones of the plurality of remote devices; generating a federated model by training the predictive model based on the model parameters received from each of the plurality of remote devices; and transmitting the federated model to each of the plurality of remote devices.

Systems and methods to detect malicious software include an application software repository including a stored header file associated with a driver, an executable, or both, and are operable to (i) receive a memory dump file upon an operating system crash including a driver copy, an executable copy, or both, (ii) verify the memory dump file is new for analysis, (iii) compress the verified memory dump file to generate a memory snapshot of the verified memory dump file, (iv) scan the memory snapshot for a memory dump header file associated with the driver copy, the executable copy, or both, and (v) identify and extract malicious software when the memory dump header file from the memory snapshot fails to match at least one stored header file in the application software repository.

An anti-malware device 50 includes: a risk information storage unit 51 in which risk information 510 is stored, in which there are associated a value indicating an attribution of an information processing device 60 for executing software 600, a value indicating an attribution of the software 600, and a value that indicates the degree of risk when the software 600 is executed; a subject attribution collection unit 53 for collecting the value indicating the attribution of the information processing device 60; an object attribution collection unit 54 for collecting the value indicating the attribution of the software 600; and a determination unit 55 for determining that the software 600 is malware when the value indicating the degree of risk obtained by comparing the risk information 510 and the values collected by the subject attribution collection unit 53 and object attribution collection unit 54 satisfies a criterion.

A system including a guest virtual machine with one or more virtual machine measurement points configured to collect virtual machine operating characteristics metadata and a hypervisor control point configured to receive virtual machine operating characteristics metadata from the virtual machine measurement points. The hypervisor control point is further configured to send the virtual machine operating characteristics metadata to a hypervisor associated with the guest virtual machine. The system further includes the hypervisor configured to receive the virtual machine operating characteristics metadata and to forward the virtual machine operating characteristics metadata to a hypervisor device driver in a virtual vault machine. The system further includes the virtual vault machine configured to determine a classification for the guest virtual machine based on the virtual machine operating characteristics metadata and to send the determined classification to a vault management console.

An example system includes a main processor operable in a normal mode or a trusted mode, the main processor having an embedded diagnostic trusted code executable in the trusted mode; a secure memory accessible by the main processor when the main processor is in the trusted mode and inaccessible to the main processor when the main processor is in the normal mode, wherein execution of the embedded diagnostic trusted code causes the main processor to write diagnostic information to the secure memory; and a monitor processor having access to the secure memory to analyze the diagnostic information to determine a state of the main processor.