A method of monitoring an endpoint for malicious code includes deploying an artificial intelligence (AI) model to a endpoint protection system, the AI model trained on a plurality of executable code files in byte form, monitoring a target system for execution of a target executable file. The method further includes analyzing, by the AI model, the target executable file in the byte form of the target executable file and determining, based on an output of the AI model, a decision variable for the target executable file.
A method of monitoring an endpoint for malicious code includes obtaining a corpus of files collected by an endpoint protection system, selecting a subset of the corpus of files comprising labeled files, wherein the subset of the corpus is representative of the corpus of files, and training a first artificial intelligence (AI) model, using the subset of the corpus of files in byte form, to infer labels for unlabeled data. The method further includes applying the first AI model to unlabeled files of the corpus of files in byte form to generate labels for the unlabeled files, performing supervised training of a second AI model using the corpus of files and the labels generated for the unlabeled data, and deploying the second AI model to the endpoint protection system.
The present disclosure provides techniques for context-sensitive token-bucket rate limiting. A processing device obtains, in a kernel space of an operating system (OS), a message comprising a unique process identifier (UPID) and a message type. The processing device determines whether to send the message from the kernel space to a user space of the OS based on at least one of: the UPID, the message type, or a token count and a discrete time unit in an entry in a data structure in the kernel space. The processing device processes the message based on the determination of whether to send the message from the kernel space to the user space.
G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
G06F 21/55 - Detecting local intrusion or implementing counter-measures
A cloud-based, machine-learned cybersecurity command line interpretation service simplifies complex command lines using plain language. Command lines are input to the cybersecurity command line interpretation service for an interpretation by a machine learning model. If, however, a command line is known and been previously interpreted, then the cybersecurity command line interpretation service may conserve hardware and software resources by retrieving a historical command line interpretation. If the command line is unknown or not historically logged, then the cybersecurity command line interpretation service may generate a current command line interpretation using the machine learning model. The cybersecurity command line interpretation service may then generate a cybersecurity prediction associated with the command line based on the historical or current command line interpretation. The cybersecurity command line interpretation service thus provides a much faster interpretation and cybersecurity prediction for assessing command lines as malicious or benign.
A cloud-based file integrity monitoring service identifies content changes to a computer file. An endpoint cybersecurity agent monitors its host client device for read/write and other operating system events associated with the computer file. When the endpoint cybersecurity agent detects each operating system event, the endpoint cybersecurity agent captures and reports, in real time or near real time, a snapshot of the file content representing the computer file. So, as the host client device changes the computer file with each operating system event, the endpoint cybersecurity agent uploads timestamped snapshots of the file content to a cloud-based file integrity monitoring service. The cloud-based file integrity monitoring service stores each snapshot of the file content, thus logging a change history for the computer file. The cloud-based file integrity monitoring service may thus retrieve and analyze different snapshots at different points in time, thus quickly identifying the content changes to the computer file.
The present disclosure provides techniques for AI model-based detection explainability. A processing device obtains computer-readable text and an indication of a false positive detection of malicious behavior with respect to the computer-readable text by a cybersecurity system, The processing device obtains, via an artificial intelligence (AI) model trained to generate language, a reason for the false positive detection of the malicious behavior. The processing device provides an indication of the reason for the false positive detection to a destination device.
Systems and methods for smart generation of content for a deceptive honeynet environment. The systems and methods generate a first prompt to an artificial intelligence (AI) model to generate a first output based on an initial input, receive the first output from the AI model, the first output comprising a first set of content, generate a second prompt to the AI model to generate a second output comprising a network configuration based on the first set of content and the initial input, receive the second output from the AI model, the second output comprising the network configuration, wherein the network configuration is consistent with the first set of content and the initial input, and store the first set of content and the network configuration.
A system and method of securing a Function as a Service (FaaS) cloud computing system without using access rights to operating system (OS) kernels of the cloud service system. The method includes receiving a request to invoke a user-function associated with a computing language. The method includes executing the user-function within an operating system that executes on a processing device of the cloud service system. The method includes monitoring, by the processing device, a real-time behavior of the user-function using a security sensor that executes within the operating system, wherein the security sensor is without access rights to a kernel of the operating system. The method includes acquiring behavioral data indicative of the real-time behavior of the user-function.
The present disclosure provides techniques for fine-grained access to system commands run via an installed agent application. A processing device receives, from an agent application, a user identifier and an indication of an agent application command with respect to a target endpoint, wherein the agent application command is included in a plurality of agent application commands assigned to a first user type that is different from a second user type corresponding to the user identifier. The processing device maps the agent application command to a permission level assigned to the agent application command. The processing device determines, based on the mapping, that the permission level is assigned to the user identifier. The processing device enables, based on the determination, the agent application to execute the agent application command with respect to the target endpoint.
Malicious indicators rule generation using historical data is provided. A method includes receiving, from threat detection engines of a plurality of vendor systems, a plurality of threat detection indications for a dataset. Each threat detection indication of the plurality of threat detection indications receives a vendor-specific tokenization based on historical data associated with the plurality of vendor systems. The method further includes identifying, from the plurality of threat detection indications, a lead detection from a first vendor system of the plurality of vendor systems and an accuracy detection from at least one second vendor system of the plurality of vendor systems. The lead detection and the accuracy detection have overlapping data from the dataset. The method further includes generating, by a processing device, a malicious behavior detection procedure based on the lead detection, the accuracy detection, and the vendor-specific tokenization being used to detect a malicious behavior in dataset.
42 - Scientific, technological and industrial services, research and design
Goods & Services
Computer security consulting; consulting in the field of information technology; Computer security and network security consulting, namely, consultation in the fields of protecting data and information from unauthorized access, identifying malware on computer systems, identifying the source and genealogy of malware, and identifying the objectives of computer system attackers; computer security consultancy in the field of scanning and penetration testing of computers and networks to assess information security vulnerability; maintenance and updating of computer software relating to computer and network security and prevention of computer risks; computer security consultancy for protecting data and information from unauthorized access, namely, developing plans for improving computer and network security and preventing criminal activity; cloud computing featuring software for detecting breaches for use in computer and network security; cloud computing services featuring software for authorizing access to databases in the field of computer and network security; computer services, namely, online scanning, detecting, quarantining, and eliminating viruses, worms, trojans, spyware, adware, malware and unauthorized data and programs on computers, networks, and electronic devices; computer systems analysis; monitoring of computer systems for protecting data and information from unauthorized access; computer security consultancy for protecting data and information from unauthorized access; computer technology consulting in the field of systems for the surveillance and monitoring of vulnerability and security problems in computer hardware, networks, and software; computer security consultancy for protecting data and information from unauthorized access in the field of endpoint protection software or curated cyberthreat data for computer security assurance and identification of malicious intrusions into computers, computer networks or computer endpoints; software as a service (SAAS) services featuring software for ensuring the security of computers and computer networks; software as a service (SAAS) services, namely, hosting software for use by others for detecting, blocking, and removing computer viruses and threats; application service provider (ASP) featuring non-downloadable computer software for ensuring the security of computers and computer networks; computer services, namely, acting as an application service provider in the field of knowledge management to host computer application software for creating databases of information and data related to malware and computer and network security; computer security consultancy in the field of administration of digital keys and digital certificates
A cloud-based cybersecurity detection prioritization service prioritizes cybersecurity detections reported by endpoint client devices. The endpoint client devices report the cybersecurity detections to a cloud computing environment providing the cloud-based cybersecurity detection prioritization service. The endpoint client devices also report client machine contexts sampled from the endpoint client devices. The client machine contexts are compared to a cybersecurity machine contextual profile generated by a machine learning model trained using the client machine contexts sampled from the endpoint client devices. The cybersecurity detection prioritization service prioritizes the cybersecurity detections based on the cybersecurity machine contextual profile. The cloud-based cybersecurity detection prioritization service thus provides a quick ranking or categorization for queuing thousands of daily reports of viruses, hacks, and other cybersecurity detections. Prioritization allows for timely mitigations by humans of these alerts that minimize breaches.
A cloud-based, external attack surface management (or EASM) service identifies computers, servers, smartphones, and other devices that are exposed to the public Internet. Any device that can connect to the public Internet may be vulnerable to cybersecurity attacks. The EASM service identifies a device exposed to the public Internet by comparing connection notifications to an address scan of the entire Internet. The connection notifications are sent by cybersecurity sensory agents installed at client devices. When a connection notification and the address scan of the entire Internet references a matching IP address and/or a matching port within a timeframe, the corresponding device is identified as being exposed to the public Internet.
Hosts of a digital security system receive event data sent by sensors on endpoints that correspond with the hosts. The hosts locally maintain enrichment caches of information regarding the endpoints, and may update the enrichment caches based on information indicated by received event data. The hosts may also generate enriched event data, corresponding to received event data, by adding enrichment data indicated in the enrichment caches that was omitted from the event data sent by sensors.
G06F 11/14 - Error detection or correction of the data by redundancy in operation, e.g. by using different operation sequences leading to the same result
15.
Scalable key value storage in a distributed storage system
Techniques for implementing a scalable key value storage in a distributed storage separate the storage of the collection of data objects from the storage of the index corresponding to the collection. According to an implementation, a database service may receive a request to create a collection of data objects in an object storage. A schema may be specified for the collection. The database service may generate a unique identifier (ID) corresponding to the collection and create the collection in the object storage. The objects in the collection and the associated schema may be further written to an object table and a schema table, respectively. The database service may further validate the schema and extract one or more indexable fields from the schema. The database service may send a request to a database search service to create an index for the collection in an index storage.
An event detection service detects hardware and software events at endpoint devices. The event detection service deploys templates to agents in the field. Each template is created in the cloud to describe kernel-mode and user-mode events of interest. Each agent installs the templates without rebooting. Each agent monitors its host's event behaviors according to the templates. If the host's event behaviors satisfy the template, then the agent has a Multi-Instance Generic Operation pipeline that determines a template disposition specified by the template. The agent may thus dynamically detect event behaviors for a purpose, as specified by the template.
A cybersecurity detection prediction service pre-screens database queries reported by endpoint client devices. The endpoint client devices may report the database queries to a cloud computing environment providing the cybersecurity detection prediction service. The endpoint client devices, however, may locally assess the database queries. The database queries are compared to a cybersecurity assessment profile generated by a machine learning model trained using endpoint cybersecurity detections. The cybersecurity detection prediction service thus provides a much faster cybersecurity prediction.
Systems and methods for an eBPF general allocator for an eBPF program is provided. The method includes receiving, by a first eBPF program, a first entry based on an atomic operation. The first entry is from a number of entries in a free list that indicates available space in a buffer. The available space is indexed by the number of entries in the free list. The method further includes identifying, based on the first entry, a pointer to the buffer. The pointer is associated with an allocation of the available space in the buffer based on the first entry. The allocation of the available space is to the first eBPF program. The method further includes executing, by a processing device, the first eBPF program with exclusive access to the allocation of the available space in the buffer during an execution instance of the first eBPF program.
Methods and systems for injected byte buffer data classification are disclosed. According to an implementation, a security agent can detect process injection events, gather byte buffer data associated with the process injection events, and send the byte buffer data to a security service comprising a byte buffer classification function. The byte buffer classification function can be implemented as a trained transformer type neural network machine learning model, which can analyze the byte buffer data and generate a classification output comprising a probability that the byte buffer data is associated with a malicious process injection.
G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
45 - Legal and security services; personal services for individuals.
42 - Scientific, technological and industrial services, research and design
Goods & Services
licensing of software, namely, computer and network security software Computer security consulting; consulting in the field of information technology; Computer security and network security consulting, namely, consultation in the fields of protecting data and information from unauthorized access, identifying malware on computer systems, identifying the source and genealogy of malware, and identifying the objectives of computer system attackers; computer security consultancy in the field of scanning and penetration testing of computers and networks to assess information security vulnerability; maintenance and updating of computer software relating to computer and network security and prevention of computer risks; computer security consultancy for protecting data and information from unauthorized access, namely, developing plans for improving computer and network security and preventing criminal activity; cloud computing featuring software for detecting breaches for use in computer and network security; cloud computing services featuring software for authorizing access to databases in the field of computer and network security; computer services, namely, online scanning, detecting, quarantining, and eliminating viruses, worms, trojans, spyware, adware, malware and unauthorized data and programs on computers, networks, and electronic devices; computer systems analysis; monitoring of computer systems for protecting data and information from unauthorized access; computer security consultancy for protecting data and information from unauthorized access; computer technology consulting in the field of systems for the surveillance and monitoring of vulnerability and security problems in computer hardware, networks, and software; computer security consultancy for protecting data and information from unauthorized access in the field of endpoint protection software or curated cyberthreat data for computer security assurance and identification of malicious intrusions into computers, computer networks or computer endpoints; software as a service (SAAS) services featuring software for ensuring the security of computers and computer networks; software as a service (SAAS) services, namely, hosting software for use by others for detecting, blocking, and removing computer viruses and threats; application service provider (ASP) featuring non-downloadable computer software for ensuring the security of computers and computer networks; computer services, namely, acting as an application service provider in the field of knowledge management to host computer application software for creating databases of information and data related to malware and computer and network security; computer security consultancy in the field of administration of digital keys and digital certificates
36 - Financial, insurance and real estate services
Goods & Services
Financial services, namely, providing financing for purchasing cybersecurity software and services; financial services, namely, providing loans, lines of credit, and lease-purchase financing for cybersecurity technologies; financial management and consulting services related to budgeting, payment planning, and cash flow optimization for the acquisition of cybersecurity software and services; providing information and advisory services in the field of financing cybersecurity purchasing; financial transaction services, namely, providing secure commercial transactions and payment options for cybersecurity products and services
22.
System and Method for Timing-Based Network Entity Resolution
A first request message is received from a first device that specifies a destination network address and identifier for a second device, and a first timestamp. A first acceptance message is received from the second device that specifies a destination network address and identifier for the first device, and a second timestamp. A second request message is received from the first device that specifies the destination network address and identifier for the second device, and a third timestamp. A second acceptance message is received from the second device that specifies the destination network address and identifier for the first device, and a fourth timestamp. The first device is determined to be communicating with the second device when the first and second timestamps indicate the first request and acceptance messages, and when the third and the fourth timestamps indicate the second request and acceptance messages, occurred at substantially the same time.
The present disclosure provides an approach of receiving a hash corresponding to a sample file, and providing the hash to an artificial intelligence (AI) model. The AI model is trained to utilize prevalence data corresponding to the hash to predict whether the corresponding sample file includes malware. The approach produces, by a processing device using the AI model, a confidence level based on the hash. In turn, the approach associates a label to the sample file based on the confidence level to produce a labeled sample file.
09 - Scientific and electric apparatus and instruments
42 - Scientific, technological and industrial services, research and design
45 - Legal and security services; personal services for individuals.
Goods & Services
Downloadable computer software for computer and network
security. Computer consultation; consulting in the field of
information technology; computer consultation in the field
of computer and network security; computer security
consultancy in the field of scanning and penetration testing
of computers and networks to assess information security
vulnerability; software as a service (SAAS) services
featuring software in the field of computer and network
security; software as a service (SAAS)services, namely,
hosting software for use by others for detecting, blocking,
and removing computer viruses and threats; application
service provider (ASP) featuring non-downloadable computer
software for use in computer and network security;
maintenance and updating of computer software relating to
computer and network security and prevention of computer
risks; computer security consultancy, namely, developing
plans for improving computer and network security for
businesses and governmental agencies; cloud computing
featuring software for use in computer and network security;
cloud computing services in the field of computer and
network security; application service provider [ASP],
namely, hosting computer software applications of others in
the field of knowledge management for creating searchable
databases of information and data related to malware and
computer and network security; computer services, namely,
online scanning, detecting, quarantining, and eliminating
viruses, worms, Trojans, spyware, adware, malware and
unauthorized data and programs on computers, networks, and
electronic devices; computer systems analysis; implementing
plans for improving computer and network security and
preventing criminal activity for businesses and governmental
agencies, namely, identifying malware on computer systems,
identifying the source and genealogy of malware, and
identifying the objectives of computer system attackers;
provision of systems for the management of computer and
network threats, namely, surveillance and monitoring of
vulnerability and security problems in computer hardware,
networks, and software; implementing plans for improving
computer and network security for businesses and
governmental agencies, namely, computer security assurance
and administration of digital keys and digital certificates
via a global computer network. Monitoring of computer systems for security purposes.
25.
PRIVATE DATA SET INTERSECTION WITH MUTUAL DEVICE ANONYMITY
A method for detecting a private set intersection includes receiving, at a third computing device, a first plurality of transformed data elements from a first computing device; receiving, at the third computing device, a second plurality of transformed data elements from a second computing device, wherein an identity of the first computing device is unknown to the second computing device and an identity of the second computing device is unknown to the first computing device; and transmitting, by a processing device executing on the third computing device to the first computing device and the second computing device, an indication of a subset of transformed data elements that are present in both the first plurality of transformed data elements and the second plurality of transformed data elements.
A hierarchical subscription-publication service distributes an event notification. The event notification is associated with a database. The event notification is also associated to a graph having nodes and to a subgroup of the nodes. A first subscription service publishes the event notification to all subscribers associated with the database. A second or intermediary subscription service hierarchically nests within the outer subscription service and publishes the event notification to a subscriber subgroup of the subscribers associated with the subgroup of the nodes.
A system and method of a localization middleware. The method includes receiving a request for a particular dataset that is stored in a data store. The particular dataset includes a plurality of textual strings in a first format. The method includes selecting a first configuration file indicating that a first textual string of the plurality of textual strings should be localized and a second textual string of the plurality of textual strings should not be localized. The method includes generating, based on the first configuration file and a string replacement procedure, a localized dataset in a second format by replacing the first textual string of the plurality of textual strings with a previously translated string stored in a library of previously translated strings and abstaining from replacing the second textual string of the plurality of textual strings with another translated string.
Computer nodes associated with a cluster store a distributed database. As the cluster provides a distributed database service, some or all of the nodes may interface with one or more external services. The external services may be specified by a service agreement, or the external services may be dynamically specified by a user/customer of the distributed database service. The external services may be available to any node of the cluster, or the external services may only be accessible to particular nodes and/or to particular cluster/service roles. In a mapreduce database framework, for example, the external services may be restricted to reducer/coordinator nodes. Whichever nodes are permitted, the nodes may use remote procedure calls to access external services.
G06F 16/27 - Replication, distribution or synchronisation of data between databases or within a distributed database systemDistributed database system architectures therefor
29.
AUTOMATED VULNERABILITY REMEDIATION GUIDANCE BASED ON DETECTION LOGIC ELEMENTS
The present disclosure provides an approach of receiving a detection element that includes a vulnerability identifier and a version identifier. The vulnerability identifier corresponds to a vulnerability of an application and the version identifier corresponds to a version of the application effected by the vulnerability. The approach determines a remediation version identifier based on the vulnerability identifier and the version identifier. The remediation version identifier corresponds to a remediation version of the application that remediates the vulnerability. The approach then initiates an update at a client system based on the vulnerability identifier and the remediation version identifier.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
30.
AI model based cybersecurity detection prioritization for cybersecurity management systems
The present disclosure provides an approach of collecting historical cybersecurity detection data comprising a plurality of cybersecurity detections and a plurality of detection times. The approach transforms the historical cybersecurity detection data into a plurality of rank ordered detection datasets that rank order each one of the plurality of cybersecurity detections based on the plurality of detection times. In turn, the approach trains an artificial intelligence (AI) model using the plurality of rank ordered detection datasets to generate a prioritized output dataset from an input dataset.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
31.
Asynchronous Blocking of Exfiltration Events via Browser Extensions
A cybersecurity data loss prevention service stops users from stealing, or exfiltrating, sensitive data. An endpoint cybersecurity agent coordinates the installation of a browser extension. The browser extension adds content scripts to a web browser that monitor for exfiltration events. The exfiltration events represent a user's browser inputs (such as cut-n-paste or drag-n-drop) that can be used to exfiltrate usernames, passwords, credit card numbers, company secrets, and any other sensitive data. When the browser extension detects any exfiltration event, the browser extension intercepts and synchronously blocks the exfiltration event from the web browser. Moreover, the browser extension sends a duplicate copy of the exfiltration event to the cybersecurity agent for evaluation. If the cybersecurity agent determines that the user's browser inputs should have been allowed, then the browser extension is instructed to trigger the duplicate copy. The web browser thus asynchronously processes the user's browser inputs, albeit slightly delayed.
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
The present disclosure provides an approach of computing a plurality of feature attribution vectors from a plurality of samples. The approach determines a plurality of low entropy distribution samples from the plurality of samples based on the plurality of feature attribution vectors, and determines a feature value distribution corresponding to the plurality of low entropy distribution samples. Then, the approach identifies a false positive candidate sample based on the feature value distribution and, in turn, constructs a mitigation rule, based on the false positive candidate sample, to mitigate a future false positive sample.
The present disclosure describes an approach that schedules a collector application, comprising executable code, to collect data from a workload. The approach executes the executable code to perform an operation to collect data from the workload. In turn, the approach removes the collector application from the workload in response to completion of the operation by the collector application.
The present disclosure provides an approach of analyzing multiple modalities of a file to produce multiple analysis tokens. Each one of the analysis tokens corresponds to a respective modality of the file. The approach provides the multiple analysis tokens to an artificial intelligence model, which is trained to produce an intermediate representation vector based on the plurality of analysis tokens. In turn the approach uses the artificial intelligence model to produce, based on the intermediate representation vector, a classification that indicates whether the file corresponds to a cybersecurity threat.
Data prefiltering techniques for large scale data classification are disclosed herein. According to an implementation, a machine learning (ML) model can be trained to classify data elements. The ML model can be applied to a first data volume, resulting in determinations of data elements that belong in a relevant classification. The determined data elements can then be used to configure a prefilter. The prefilter can be applied to a second data volume to identify filtered data elements of types that are similar to the determined data elements. The filtered data elements can be provided to the ML model for classification.
Contextual session-based operational prediction greatly improves computer functioning. As a cloud service is provided, a current contextual session is generated using multiple events provided by the cloud service. The current contextual session is compared to a contextual session profile. The contextual session profile represents historical contextual sessions that have been historically logged in associated with the cloud service. If the current contextual session conforms to the contextual session profile, then the cloud service is normally operating as historically observed and may be predicted as normal operation. If, however, the current contextual session fails to conform to the contextual session profile, then the cloud service is not operating as historically observed and may be predicted as abnormal operation. Alerts and warning may be generated to notify of abnormal cloud service operation. The contextual session-based operational prediction produces a faster and more accurate detection of the abnormal operation.
Techniques for automatically determining metadata for fields of a data string, byte slice, or byte array using a semantic data model framework (SDMF) and a large language model (LLM) are discussed herein. The LLM can provide field descriptions to the SDMF which outputs additional or finer field descriptions. The techniques can include determining descriptions for fields of a non-standardized data string from a third-party or other entity thereby enabling analysis of third-party data strings for a potential security threat. The techniques can reduce an amount of time to identify missing metadata caused by lack of standardization of field names and evolving data feeds (e.g., third-parties).
Computer nodes associated with a cluster store a distributed database. The computer nodes are polled to retrieve their individual nodal query states. A coordinator node then merges the individual nodal query states to determine an overall query state associated with the distributed database. The coordinator node, though, has a memory capacity that can be overcome by some nodal query states. The coordinator node thus imposes a data size limit on the nodal query states to prevent memory failures. The coordinator node specifies the data size limit during any polling cycle, and the coordinator node receives compliant nodal query states that satisfy the data size limit. The coordinator node may adjust or revise the data size limit for subsequent polling cycles, based on a count of the nodal query states yet to be retrieved. The data size limit thus ensures that the memory capacity is not overcome during any polling cycle.
A system and method of using generative AI to generate natural language descriptions of code for enhanced threat analysis and malware detection. The method includes determining that a file comprises source code for causing malicious activity. The method includes generating, by a processing device and using one or more large language models (LLMs), natural language (NL) descriptions of the source code responsive to determining whether the file comprises the source code to cause the malicious activity. The method includes providing the NL descriptions of the source code to a classification model trained to generate a first set of maliciousness scores each indicating whether source codes are associated with one or more types of malicious activity. The method includes generating, using the classification model, a maliciousness score for the source code indicating that the source code is associated with the one or more types of malicious activity.
G06F 21/51 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
40.
LARGE LANGUAGE MODEL-BASED SOFTWARE REVERSE ENGINEERING ASSISTANT
Systems and methods of utilizing a large language model (LLM) to reverse engineer software is provided. The method includes obtaining sample assembly language from coded information or data. The sample assembly language is input to a machine learning (ML) model trained to recognize when the sample assembly language includes malicious code. The method further includes identifying, from the sample assembly language, a functionality implemented by the sample assembly language, where the functionality is indicative of whether the sample assembly language includes the malicious code. The method further includes generating, by a processing device, a natural language indication of the functionality implemented by the sample assembly language. The natural language indication is an output of the ML model.
Techniques, systems, and computer-readable media for dynamic behavior-based asset classification are described herein. An asset classification system can detect and receive data associated with a host computer, determine, based on the data, a behavior associated with the host computer, assign the host computer a server classification based on the determination that the behavior represents a behavior of focus, and record the assigned server classification associated with the host computer. In various examples, the asset classification system can determine the behavior is a behavior of focus based on one or more of: a number of connections to other computers associated with a shared customer identifier, a number of unique other host computers connecting to the host computer, and/or a number of unique non-local accounts that have logged in to the host computer, and that the host computer has had an inbound connection on a common port.
The present disclosure provides an approach of generating a target feature vector based on information corresponding to a target entity. The target entity utilizes a target system that includes a target asset. The approach matches the target feature vector to a compatible entity cluster from a plurality of entity clusters. The compatible entity cluster corresponds to a current entity system. The approach generates a target asset prioritization rule based on prioritization information of the current entity system. In turn, the approach prompts the target system to assign a prioritization label to the target asset based on the target asset prioritization rule.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
A method of monitoring a network for linked events includes receiving an indication of an occurrence of a first event in a computing environment, calculating a first estimated rate of occurrence of the first event based on a first cache associated with the first event, and identifying an occurrence of a second event within a threshold amount of time prior to the occurrence of the first event. The method further includes calculating a second estimated rate of occurrence of the second event based on a second cache associated with the second event and determining, based on the first estimated rate of occurrence of the first event and the second estimated rate of occurrence of the second event, whether the occurrence of the first event and the occurrence of the second event have a common cause.
Techniques for calculating risk scores of entity assignments are discussed herein. The system generates a probability matrix using a collaborative filtering technique such as singular value decomposition. The probability matrix is populated with probability values for each entity representing a probability that, based on the various relationships or associations of that entity with other entities, the entity has been granted an assignment. Risk values are used to provide a weighting value to assignments, separating relatively higher risk assignments from relatively lower risk assignments. The system thereafter calculates a risk score for one or more of the entities using the information in the assignment matrix, the probability matrix, and the risk values. The system can flag or identity one or more entities whose risk scores do not meet various criteria.
Techniques for calculating risk scores of entity assignments are discussed herein. The system generates a probability matrix using a collaborative filtering technique such as singular value decomposition. The probability matrix is populated with probability values for each entity representing a probability that, based on the various relationships or associations of that entity with other entities, the entity has been granted an assignment. Risk values are used to provide a weighting value to assignments, separating relatively higher risk assignments from relatively lower risk assignments. The system thereafter calculates a risk score for one or more of the entities using the information in the assignment matrix, the probability matrix, and the risk values. The system can flag or identity one or more entities whose risk scores do not meet various criteria.
Techniques for using supervised machine learning to train risk models used to analyze group data for security risks are discussed herein. A system can receive a user input identifying risk values associated with categories or attributes of a group having access to computing resources. The system can use the risk model to generate a risk score for the group. The risk score can be used to further analyze aspects of the group or provide recommendations to reduce or eliminate security risks.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
47.
Conditional bloom filters representing field aliasing
Conditional Bloom filters improve computer functioning when membership testing different data sets. Today's cloud service providers maintain large, distributed datasets often incorporating or absorbing data having different labels and schemes. Nearly all cloud service providers, for example, utilize one or more different log vendors/providers that use different data conventions. The conditional Bloom filters resolve these vendor differences using field aliasing that relates vendor-specific field names to their corresponding common or alias field names. Each vendor's unique dataset may be mapped or normalized to a common scheme, thus ensuring that membership testing using the conditional Bloom filters retains precision and improves computer functioning in the presence of aliases.
Methods and systems for designing a default-deny network egress control architecture in a virtual private cloud (VPC) environment are described herein. According to an implementation, the system may create a first subnet in a private computer network to perform egress control. The system implements a private network address translation (NAT) gateway, a network access control list (NACL), and a private elastic network interface (ENI) in the first subnet. The first subnet may be referred to a “blackhole subnet” or a “terminating subnet.” Upon receiving a traffic destined to a public computer network, e.g., Internet, the private NAT gateway may determine whether the traffic is authorized to egress based on the NACL. The private NAT gateway forwards the traffic to the private ENI to discard the traffic if the traffic is not authorized to egress and logs the information associated with the traffic.
A cybersecurity service assesses, scores, and/or prioritizes activities associated with a directory service. When the directory service is requested to change a directory service assignment, the directory service may first request a verdict from the cybersecurity service. The cybersecurity service may use profiling and/or machine learning to predict directory service assignments. The cybersecurity service may then score and prioritize requests to change/update directory service assignments. Small deviations from predicted directory service assignments, for example, may indicate harmless/normal directory service activity. Larger deviations, though, may indicate abnormal directory service activity. Larger deviations may even indicate malicious directory service activity, such as permission escalation and cyberbreaches. Scoring and prioritization allows for resource allocation and timely mitigations by human experts.
A computing system includes a first computing device that executes an object-oriented software application which maintain objects, for example, in a heap data structure, in memory. The object-oriented software application includes an API to convert between objects in the memory and data in a relational database and transmit requests to perform one or more operations involving the data in the relational database corresponding to the objects in the memory. A decorator layer in communication with the API identifies the objects in the memory corresponding to the transmitted requests to perform one or more operations involving the data in the relational database. A local object storage API transfers copies of the identified objects to a local data store. A persistence API, in communication with the decorator layer and the object storage API, synchronizes the copied objects in the local data store with the data involved in the requests to perform the one or more operations with the relational database.
G06F 16/27 - Replication, distribution or synchronisation of data between databases or within a distributed database systemDistributed database system architectures therefor
51.
Monitoring File System Operations using eBPF DFA Architecture
A deterministic finite automata (DFA) is used by an extended Berkley packet filter (or “eBPF”) to monitor file system operations and non-file system operations. The DFA is stored as an eBPF map. Before a kernel of an operating system executes any file system operation, the kernel runs an eBPF program that queries the DFA for a filename associated with the system operation. The DFA represents safe/suspicious filenames associated with computer files. If the filename matches the DFA, then the kernel notifies a cybersecurity agent. The cybersecurity agent may then block or allow the file system operation, depending on whether the filename is safe or suspicious. The DFA stored in the extended BPF thus greatly improves computer functioning by very quickly and simply identifying safe/suspicious operations.
G06F 21/52 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure
52.
Secure code clustering through LLM-based semantic analysis
An approach is provided that provides a plurality of source code samples to an artificial intelligence model (AIM) trained to describe source code based on performing semantic analysis on the source code. The approach produces, using the AIM, a plurality of semantic descriptions that describe the plurality of source code samples. Then, the approach converts the plurality of semantic descriptions into a plurality of semantic embeddings. In turn, the approach creates a plurality of clusters from the plurality of semantic embeddings, wherein each one of the plurality of clusters corresponds to two or more of the plurality of source code samples.
A cybersecurity event validation service provides a user-friendly scheme for detecting a cyberattack or threat. The cybersecurity event validation service accepts very simple, high-level, user-friendly descriptions of the cyberattack or threat. A user of the cybersecurity event validation service thus need not input detailed hardware/software events that specify the potential cyberattack or threat. The cybersecurity event validation service, instead, validates the user's very simple descriptions for correctness. If the user's very simple descriptions conform to basic rules or requirements, then the cybersecurity event validation service elegantly fills in the deep hardware and software details using context and inferences. The cybersecurity event validation service thus elaborates and enhances the user's very simple descriptions by supplying specific hardware/software details needed to detect the cyberattack or threat. The user thus need not be versed in the intricate programming/configurational details for defining the cyberattack or threat.
An approach is provided that trains an artificial intelligence model (AIM) using training data to produce a generalized AIM, wherein the training data comprises log-collected data corresponding to multiple application types and the generalized AIM is trained to detect one or more cross-platform cybersecurity threats. The approach identifies multiple application-specific training data sets, wherein each one of the application-specific training data sets includes labeled application logs corresponding to one of the multiple application types. The approach then fine-tunes the generalized AIM using the multiple application-specific training data sets to produce multiple dedicated AIMs, wherein each one of the dedicated AIMs is trained to detect one or more application-centric cybersecurity threats targeted at a corresponding one of the application types.
An approach is provided that identifies a vulnerability corresponding to an initial source code. Then, the approach generates a prompt comprising the initial source code and the vulnerability. The approach inputs the prompt into an artificial intelligence model (AIM) that is trained to determine whether the initial source code comprises the vulnerability. In turn, the approach removes, using the AIM, the vulnerability from the initial source code to produce a refactored source code in response to determining that the initial source code comprises the vulnerability.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
Data is received. Each datum therein has one of a plurality of categorical values associated with a categorical variable. Each datum is deterministically mapped to a respective one of a plurality of colors in a color space based on its categorical value. The color to which each datum is deterministically mapped is then transformed to yield a minimum threshold separation between the respective colors. A graphical representation comprising the color to which each datum is respectively deterministically mapped, and as transformed to yield the minimum threshold separation between the respective colors, is displayed.
A system and method of a localization middleware for localizing datasets using textual replacement techniques. The method includes receiving a request for a particular dataset that is stored in a data store, the particular dataset includes a plurality of textual strings in a non-regional version. The method includes determining a regional version for the particular dataset based on the request. The method includes identifying a library of translations associated with the non-regional version and the regional version. The method includes performing, by a processing device based on the library of translations and the particular dataset, a string replacement procedure to generate a localized dataset including one or more textual strings in the regional version.
09 - Scientific and electric apparatus and instruments
42 - Scientific, technological and industrial services, research and design
45 - Legal and security services; personal services for individuals.
Goods & Services
(1) Downloadable computer software for computer and network security. (1) Computer consultation; consulting in the field of information technology; computer consultation in the field of computer and network security; computer security consultancy in the field of scanning and penetration testing of computers and networks to assess information security vulnerability; software as a service (SAAS) services featuring software in the field of computer and network security; software as a service (SAAS)services, namely, hosting software for use by others for detecting, blocking, and removing computer viruses and threats; application service provider (ASP) featuring non-downloadable computer software for use in computer and network security; maintenance and updating of computer software relating to computer and network security and prevention of computer risks; computer security consultancy, namely, developing plans for improving computer and network security for businesses and governmental agencies; cloud computing featuring software for use in computer and network security; cloud computing services in the field of computer and network security; application service provider [ASP], namely, hosting computer software applications of others in the field of knowledge management for creating searchable databases of information and data related to malware and computer and network security; computer services, namely, online scanning, detecting, quarantining, and eliminating viruses, worms, Trojans, spyware, adware, malware and unauthorized data and programs on computers, networks, and electronic devices; computer systems analysis; implementing plans for improving computer and network security and preventing criminal activity for businesses and governmental agencies, namely, identifying malware on computer systems, identifying the source and genealogy of malware, and identifying the objectives of computer system attackers; provision of systems for the management of computer and network threats, namely, surveillance and monitoring of vulnerability and security problems in computer hardware, networks, and software; implementing plans for improving computer and network security for businesses and governmental agencies, namely, computer security assurance and administration of digital keys and digital certificates via a global computer network.
(2) Monitoring of computer systems for security purposes.
Automated source code similarity greatly improves computer functioning. Any source code file is evaluated with respect to publicly-available open source code. If the source code file is similar to the publicly-available open source code, then a computer system may be approved or authorized to perform any hardware/software operations associated with the source code file. Should, however, the source code file be dissimilar to the publicly-available open source code, then the hardware/software operations are blocked to prevent disclosure of the source code file. For example, read/write/input/output operations are blocked and/or network interfaces are disabled. Source code similarity thus thwarts suspicious activities that indicate misappropriation or exfiltration of the source code file.
Nodal redundancy storage decisions efficiently distribute redundant copies of electronic data. A cloud computing network establishes a policy that governs how and where the redundant copies are stored within the cloud computing network (such as by region, zone, and cluster targets). Each cloud computing node is then delegated, with autonomy, to manage a redundant copy to achieve the policy established by the cloud computing network. Each cloud computing node may independently and individually decide to store, to not store, or to evict the redundant copy without consensus of other nodes and without consultation or instruction from the cloud computing network. The nodal redundancy storage decisions are thus decentralized from region, zone, and cluster management.
G06F 16/27 - Replication, distribution or synchronisation of data between databases or within a distributed database systemDistributed database system architectures therefor
G06F 16/215 - Improving data qualityData cleansing, e.g. de-duplication, removing invalid entries or correcting typographical errors
61.
STATIC ANALYZER INSTRUCTION GENERATION BASED ON ACTION OF EXTERNAL INITIALIZATION CODE DURING INITIALIZATION
The present disclosure provides an approach that receives an application code including an external initialization code component. The approach emulates the external initialization code component in a simulated local computing environment. The approach records, by a processing circuitry, an action by the external initialization code component to the application code during code initialization. In turn, the approach generates, based on the action, a set of instructions for a static analyzer to perform static analysis on the application code.
Embedding entity matching greatly improves computer functioning. Different datasets are matched to a common entity using entity embeddings generated by a machine learning entity embedding model. The entity embeddings are converted to entity similarities, thus revealing the datasets associated with the common entity. Efficient matrix operations further improve computer functioning. Embedding entity matching thus quickly identifies common employee records and user accounts using less hardware resources, less electricity, and less time.
G06F 18/22 - Matching criteria, e.g. proximity measures
G06F 7/08 - Sorting, i.e. grouping record carriers in numerical or other ordered sequence according to the classification of at least some of the information they carry
Nodal work assignments efficiently distribute server work items, such as storing redundant copies of electronic data. A cloud computing network establishes a policy that governs how and where the redundant copies are stored cloud computing nodes (such as by region, zone, and cluster targets). The cloud computing network repeatedly or continuously re-evaluates the work assignments based on replication assignment skews and/or leadership penalties. The nodal work assignments thus minimize hardware and software operations, network traffic, and electrical energy consumption.
Methods and systems for injected byte buffer data classification are disclosed. According to an implementation, a security agent can detect process injection events, gather byte buffer data associated with the process injection events, and send the byte buffer data to a security service comprising a byte buffer classification function. The byte buffer classification function can be implemented as a trained transformer type neural network machine learning model, which can analyze the byte buffer data and generate a classification output comprising a probability that the byte buffer data is associated with a malicious process injection.
G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
A cybersecurity service protects endpoint devices from cybersecurity attacks. The cybersecurity service deploys cybersecurity attack feature vectors to agents in the field. The cybersecurity attack feature vectors are created in the cloud to efficiently describe observed groups of cybersecurity attacks. One method to assemble these is to generate clustering centroids for the observed groups. Each agent monitors its host according to the cybersecurity attack feature vectors. Each agent monitors its host's event behaviors and locally extracts an event behavior feature vector. The agent compares the cybersecurity attack feature vectors to the event behavior feature vector and, if similarity is determined, then the agent determines that the host's event behaviors are evidence of a cybersecurity attack. The agent may implement threat procedures, such as suspending/terminating the event behaviors and generating alerts. The agent remains a small, lightweight cybersecurity detector that does not need constant Internet access.
H04L 9/00 - Arrangements for secret or secure communicationsNetwork security protocols
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
A sample file that is associated with malware and a first modification model of a plurality of modification models to alter the sample file are selected. The first modification model generates a modification configuration based on the sample file. The modification configuration identifies a modification to be performed on the sample file. The sample file and the modification configuration are provided to a modification engine to generate a modified sample file. The modification configuration is adjusted based on the first modification model in response to receiving a classification from a classification model that identifies the modified sample file as being free of malware.
A method for detecting a private set intersection includes receiving a first plurality of transformed data elements from a first computing device, the first plurality of transformed data elements representing a transform by a pseudorandom function of a first plurality of data elements; receiving a second plurality of transformed data elements from a second computing device, the second plurality of transformed data elements representing a transform by the pseudorandom function of a second plurality of data elements; and transmitting, by a processing device to the first computing device and the second computing device, an indication of a subset of transformed data elements that are present in both the first plurality of transformed data elements and the second plurality of transformed data elements.
A system and method of using generative AI to maintain conversations with attacking devices to discover their adversary techniques and tactics. The method includes receiving an initial message originating from an attacking device and directed to a target device. The method includes generating, using one or more classification models, a maliciousness score for the initial message indicating that the initial message is associated with one or more types of malicious activity. The method includes providing, by a processing device, the initial message to a predictive model trained to maintain conversations with attacking devices by predicting responses to malicious messages. The method includes generating, using the predictive model, two or more responses based on the initial message and at least one subsequent message, wherein each response of the two or more responses causes the attacking device to send a respective subsequent message to the predictive model.
Assessing computer system vulnerabilities and exposures by periodically querying data sources to gather information pertaining to computing system vulnerabilities and exposures (CVEs), such as, for each CVE, an identification of the CVE, a number of corresponding references to the CVE, and a number of code repositories that can be used to exploit the CVE. Compiling a datastore of the information. Periodically querying the datastore about the information and generating one or more views of a lifecycle of each CVE in response thereto.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
G06F 21/55 - Detecting local intrusion or implementing counter-measures
Techniques for identify data usable for generating security recommendations are discussed herein. A system can determine unique identifiers for events associated with a data stream, and determine a frequency of different events occurring in the data stream. The system can generate recommendation data usable for defending the data stream from future malicious events based on a number of similar events occurring over a time period.
Techniques for identifying data usable for generating security recommendations are discussed herein. A system can determine unique identifiers for events associated with a data stream and determine a frequency of different events occurring in the data stream. The system can generate recommendation data usable for defending the data stream from future malicious events based on a number of similar events occurring over a time period.
A system and method of using generative AI to convert NL queries to database commands for accessing one or more databases. The method includes receiving a natural language (NL) request for information associated with a private network. The method includes providing the NL request to an artificial intelligence (AI) model trained to identify, from a plurality of access objects associated with a plurality of databases and a plurality of event types, a particular access object that provides access to one or more event datasets associated with the NL request. The method includes generating, by a processing device and using the AI model, a database request associated with the particular access object based on the NL request.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
The present disclosure provides an approach of providing, to an artificial intelligence (AI) model, a malicious script that includes a malicious behavior. The AI model is configured to modify software code of the malicious script to produce modified software code that obfuscates the malicious behavior. The approach produces, by a processing device using the AI model, an adversarial script that includes the modified software code that obfuscates the malicious behavior. In turn, the approach initiates a malware detector to test the adversarial script.
A system and method of using generative AI to recommend and validate asset and/or cloud configurations. The method includes acquiring a set of parameters associated with one or more network entities of a computing network. The method includes providing the set of parameters to a configuration model trained to generate, based on semantic matching, recommended configurations for network entities and validated configurations for the network entities. The method includes generating, by a processing device using the configuration model, one or more recommended configurations for the one or more network entities based on the set of parameters.
Systems and methods for providing cybersecurity notifications based on structured and unstructured data. The systems and methods receive a natural language query from a client device and processes, by an artificial intelligence model, the natural language query to identify elements of cybersecurity intelligence to monitor. The systems and methods further monitor cybersecurity intelligence for a match to the identified elements from the natural language query and provide a notification to the client device in response to the matching of the identified elements to one or more items of cybersecurity intelligence.
A system and method of using generative AI to identify exposures of computing devices on computing networks to actual and/or potential threats. The method includes collecting a plurality of responses from a plurality of devices to a target device on a private network. The method includes providing the plurality of responses to a classification model trained to assign device descriptions for device responses based on semantic matching of the device responses to database data. The method includes assigning, by the processing device using the classification model, a plurality of device descriptions for the plurality of responses to the target device, each response is respectively associated with one or more device descriptions of the plurality of device descriptions. The method includes generating, based on the plurality of device descriptions, a status report comprising a list of network addresses associated with a group of devices having access to the target device.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
42 - Scientific, technological and industrial services, research and design
Goods & Services
Computer security consulting; consulting in the field of
information technology; computer security and network
security consulting, namely, consultation in the fields of
protecting data and information from unauthorized access,
identifying malware on computer systems, identifying the
source and genealogy of malware, and identifying the
objectives of computer system attackers; computer security
consultancy in the field of scanning and penetration testing
of computers and networks to assess information security
vulnerability; maintenance and updating of computer software
relating to computer and network security and prevention of
computer risks; computer security consultancy for protecting
data and information from unauthorized access, namely,
developing plans for improving computer and network security
and preventing criminal activity; cloud computing featuring
software for detecting breaches for use in computer and
network security; cloud computing services featuring
software for authorizing access to databases in the field of
computer and network security; computer services, namely,
online scanning, detecting, quarantining, and eliminating
viruses, worms, trojans, spyware, adware, malware and
unauthorized data and programs on computers, networks, and
electronic devices; computer systems analysis; monitoring of
computer systems for protecting data and information from
unauthorized access; computer security consultancy for
protecting data and information from unauthorized access;
computer technology consulting in the field of systems for
the surveillance and monitoring of vulnerability and
security problems in computer hardware, networks, and
software; computer security consultancy for protecting data
and information from unauthorized access in the field of
endpoint protection software or curated cyberthreat data for
computer security assurance and identification of malicious
intrusions into computers, computer networks or computer
endpoints; software as a service (SAAS) services featuring
software for ensuring the security of computers and computer
networks; software as a service (SAAS) services, namely,
hosting software for use by others for detecting, blocking,
and removing computer viruses and threats; application
service provider (ASP) featuring non-downloadable computer
software for ensuring the security of computers and computer
networks; computer services, namely, acting as an
application service provider in the field of knowledge
management to host computer application software for
creating databases of information and data related to
malware and computer and network security; computer security
consultancy in the field of administration of digital keys
and digital certificates.
78.
HYBRID SENSITIVE DATA SCRUBBING USING PATTERNS AND LARGE LANGUAGE MODELS
A system and method of scrubbing sensitive data from records using patterns and large language models (LLM). The method includes receiving a request to process a record comprising data including sensitive data. The method includes identifying, based on one or more regex rules, a first set of scrubbing candidates associated with the record. The method includes identifying, by a processing device and based on a large language model (LLM), a second set of scrubbing candidates associated with the record. The method includes generating, based on the first set of scrubbing candidates and the second set of scrubbing candidates, a scrubbed record by scrubbing the record to remove the sensitive data.
A process tree embedding is generated corresponding to a process tree. The process tree comprises a plurality of processes. The process tree embedding is processed with a machine learning model to generate an identification of malware associated with the process tree. In some embodiments, processing the process tree embedding with the machine learning model to generate the identification of malware associated with the process tree includes: processing the process tree embedding with the machine learning model to generate a classification of the process tree as being associated with malware; and, responsive to the classification indicating that the process tree is associated with malware, generating the identification of a first process of the plurality of processes that is relevant to the classification of the process tree as being associated with malware.
Nodal work assignments efficiently distribute server work items, such as storing redundant copies of electronic data. A cloud computing network establishes a policy that governs how and where the redundant copies are stored cloud computing nodes (such as by region, zone, and cluster targets). The cloud computing network repeatedly or continuously re-evaluates the work assignments based on replication assignment skews and/or leadership penalties. The nodal work assignments thus minimize hardware and software operations, network traffic, and electrical energy consumption.
The present disclosure produces a first output in response to inputting a first prompt into a large language model (LLM). The first prompt comprises a first document group that corresponds to a second document group, and the LLM is limited by a maximum token limit that is less than a token count of the second document group. The present disclosure generates a second prompt that comprises a subset of the second document group corresponding to the first output. The present disclosure then produces a second output based on the subset of the second document group in response to inputting the second prompt into the LLM.
A rules-based malware detection and assessment service pre-screens malware events reported by endpoint client devices. The endpoint client devices report the malware events to a cloud-computing environment providing the malware detection and assessment service. The malware events are compared to logical rules specifying malware and safe activities. Moreover, the malware detection and assessment service maintains a comprehensive, historical database that stores logs and tracks each malware event. Any new malware events are compared to the historical database. Any matching historical entry indicates a duplicate or repetitive malware detection, so the historical detection and assessment may be retrieved and suggested. The rules-based malware detection and assessment service thus provides a much faster and simpler resolution that easily scales to the ever-increasing volume of malware reports.
Systems and methods for incremental solves using LLMs for API calls is presented. The systems and methods produce, by a first large learning model (LLM), a processing plan based on a first prompt, wherein the processing plan includes a plurality of tasks corresponding to a plurality of services. The systems and methods send a plurality of messages corresponding to the plurality of tasks to a plurality of service agents, wherein the plurality of service agents correspond to the plurality of services and comprise a plurality of second LLMs that produce a plurality of agent responses. The systems and methods then generate a query response based on the plurality of agent responses.
42 - Scientific, technological and industrial services, research and design
Goods & Services
Computer security consulting; consulting in the field of
information technology; computer security consultancy
services for protecting data and information from
unauthorized access in the field of computer and network
security, identifying malware on computer systems,
identifying the source and genealogy of malware, and
identifying the objectives of computer system attacker;
computer security consultancy in the field of scanning and
penetration testing of computers and networks to assess
information security vulnerability; computer security
consultancy for protecting data and information from
unauthorized access, namely, developing plans for improving
computer and network security and preventing criminal
activity; cloud computing featuring software for use in
computer and network security; cloud computing services in
the field of computer and network security; computer
security services by online scanning, detecting,
quarantining, and eliminating of viruses, worms, Trojans,
spyware, adware, malware and unauthorized data and programs
on computers, networks, and electronic devices; computer
systems analysis; monitoring of computer systems for
protecting data and information from unauthorized access;
computer security consultancy for protecting data and
information from unauthorized access and computer technology
consulting of systems for the surveillance and monitoring of
vulnerability and security problems in computer hardware,
networks, and software; computer security consultancy for
protecting data and information from unauthorized access in
the field of endpoint protection software or curated
cyberthreat data for computer security assurance and
identification of malicious intrusions into computers,
computer networks or computer endpoints; software as a
service (SaaS) services featuring software for computer and
network security; software as a service (SaaS) services,
namely, hosting software for use by others for detecting,
blocking, and removing computer viruses and threats;
application service provider (ASP) featuring
non-downloadable computer software for use in computer and
network security; electronic monitoring services for
advanced computer threat detection using real-time
monitoring and machine learning to detect computer threats
and viruses, and for providing detailed analysis and
contextual intelligence to inform responses to sophisticated
computer threats; monitoring and investigation of bad actors
and adversaries across computer networks to neutralize
emerging computer threats and improve cybersecurity and
computer network security.
85.
Identifying patterns in large quantities of collected emails
A system and method of detecting malicious activity in emails using pattern recognition. The method includes maintaining a plurality of associations between a plurality of emails and a plurality of multi-dimensional (MD) vectors of the plurality of emails. Each association is between a respective email of the plurality of emails and a respective MD vector of the plurality of MD vectors that corresponds to the respective email. The method includes identifying, based on one or more keywords, a set of MD vectors of the plurality of MD vectors. The method includes selecting, based on the plurality of associations, a set of emails associated with the set of MD vectors. The method includes generating, by a processing device, based on the set of emails or the set of MD vectors, a set of clusters to represent patterns in the set of emails.
Techniques for aggregating data usable for generating security recommendations are discussed herein. A system can aggregate detection data from host devices associated with different organizations based on profile information describing each organization. The system can analyze the aggregated data to identify potential security threats in a data stream, and generate recommendation data usable for defending the data stream from future malicious events.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
Boot status markers record historical boot processes performed by a computer system. Each time the computer system boots, an operating system performs a boot process and interfaces with an antimalware driver. The antimalware driver determines the boot status markers that were set during previous boot processes. The antimalware driver may then classify other drivers based on the boot status markers set during the previous boot processes. The antimalware driver may then report driver classifications to the operating system. The operating system may then block, or allow, the drivers based on the driver classifications.
G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
88.
PREVENTION OF PROMPT INJECTION ATTACKS ON LARGE LANGUAGE MODELS BY TOKENIZATION OF STRUCTURED DATA ELEMENTS
Systems and methods for implementing prevention of prompt injection attacks on large language models by tokenization of structured data elements is presented. The systems and methods replace one or more data elements in a database response with one or more tokens to produce a tokenized database response. The systems and methods provide the tokenized database response to a large language model (LLM). The systems and methods receive a tokenized LLM output that includes at least one of the one or more tokens. The systems and methods produce a detokenized LLM output by replacing the one or more tokens in the tokenized LLM output with the one or more data elements.
G06F 40/284 - Lexical analysis, e.g. tokenisation or collocates
G06F 16/908 - Retrieval characterised by using metadata, e.g. metadata not derived from the content or metadata generated manually using metadata automatically derived from the content
A security service can determine a synthetic context based at least in part on context data associated with a first malware sample, and detonate the first malware sample in the synthetic context to provide one or more first event records representing events performed by the first malware sample and detected during detonation. Additionally or alternatively, the security service can detonate the first malware sample and locate a second malware sample in a corpus based at least in part on the one or more first event records. Additionally or alternatively, the security service can receive event records representing events detected during a detonation of a first malware sample, the detonation based at least in part on context data, and locate a second malware sample in the corpus based at least in part on the one or more reference event records.
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
Techniques to determining a program installed on a computing device may be indicative of performing a targeted intrusion of the computing device is described. A log file associated with the computing device may be generated. Various indicators from the log file may be determined. A security program may determine that the program may be indicative of performing the targeted intrusion based on at least one of the indicators. The security program may determine an action to take based on the indication of performing the targeted intrusion.
A computer-implemented method of detecting similarity between a first file and a plurality of second files, the method includes generating a first vector corresponding to the first file and a plurality of second vectors each corresponding to one of the plurality of second files; determining that the first file is similar to at least one of the plurality of second files based on a comparison of the first vector to the plurality of second vectors; and responsive to determining that the first file is similar to the at least one of the plurality of second files, performing a remediation operation on the first file.
A reconfigurable automatic document-classification system and method provides classification metrics to a user and enables the user to reconfigure the classification model. The user can refine the classification model by adding or removing exemplars, creating, editing or deleting rules, or performing other such adjustments to the classification model. This technology enhances the overall transparency and defensibility of the auto-classification process.
A method for selecting a region of a similarity space in which to locate a file. Numerous files are received, and feature vectors for each of the received files is created, each feature vector comprising values representing corresponding features for the file. A respective similarity space is created for each of the respective number of feature vectors, each respective similarity space comprising several regions. One of the regions of the respective similarity space is selected in which a respective representation of each file is located based on the respective feature vector for the file. A map of relationships between one or more regions of the similarity spaces is then constructed.
A feature vector is created that comprises a plurality of values, each representing a corresponding portion of a filename extension for a digital file. During an inference workflow of a neural network model, an embedding vector is created that represents, in a meaningful way, the feature vector for the filename extension. A class label prediction value is then computed, based on an evaluation of the embedding vector, a first plurality of embedding vectors representing a plurality of feature vectors for a plurality of benign filename extensions, and a second plurality of embedding vectors representing a plurality of feature vectors for a plurality of malicious filename extensions. A prediction as to whether the digital file has been renamed by a malicious computer program is made, based on the class label prediction value.
G06F 18/2415 - Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on parametric or probabilistic models, e.g. based on likelihood ratio or false acceptance rate versus a false rejection rate
95.
TECHNIQUES FOR PERFORMING STATIC ANALYSIS ON DEPLOYED APPLICATION CODE
The present disclosure provides an approach of executing application code on a simulator and receiving a result from a hook in response to executing the application code. The hook corresponds to a call to a code object which is inaccessible to the simulator. The result is from an emulation of a connection response corresponding to the code object. The approach generates instructions based on the result and, in turn, performs static analysis on the application code based on the instructions.
Interpolant pattern matching reflects a runtime environment. Any interpolant finite automata (such as a DFA) using a regular expression may be modified with an interpolant string to create an interpolant finite automata (such as an IDFA). The interpolant string incorporates a placeholder that is then modified according to the runtime environment. An environmental variable or a directory path, for example, may be inserted into the placeholder at runtime. An input string may be pattern matched to the IDFA that reflects the runtime environment.
Methods and systems for applying a diffusion model to adversarial purification and generating adversarial samples in malware detection are disclosed. According to an example, a malware file is inputted to a diffusion model to obtain an adversarial sample by altering content of the malware file. The adversarial sample is further tested by a malware detector. In some examples, the content of an input file may be encoded prior to be processed by the diffusion model. If the malware detector can identify the adversarial sample as a malware file, the diffusion model is updated to further alter the content until the adversarial sample successfully deceives the malware detector. According to another example, an executable file is purified using a diffusion model prior to be inputted to a malware detector. The diffusion model may remove potential malware content from the executable file, thus improving the performance of the malware detector.
Cloud-delivered hooks are injected as binary instrumentation into a software application. The cloud-delivered hooks are specified by a cloud computing environment. The cloud-delivered hooks may be set up, and torn down, by software updates from the cloud computing environment. The cloud-delivered hooks monitor and intercept functions, APIs, and system calls in both user space and kernel space. Moreover, the cloud-delivered hooks may utilize a polymorphic universal hooking mechanism that eliminates strict signature requirements between target functions and detour functions. Because the cloud-delivered hooks are commanded by, and received from, the cloud computing environment, the cloud-delivered hooks may be easily and nearly instantaneously distributed to clients in the field for near real time software instrumentation and reporting. The cloud-delivered hooks can thus greatly simplify and quicken software development, software debugging, malware detection, and software monitoring.
An interwoven approximate membership query (AMQ) data structure interweaves multiple AMQ data sets. The interwoven AMQ data structure collapses the AMQ data sets into a composite membership representation. The interwoven AMQ data structure still represents a computer database, but the interwoven AMQ data structure yields far faster membership results. The interwoven AMQ data structure requires orders of magnitude less data reads. Memory allocation is reduced, processor cycles are reduced, input/output operations are reduced, and translations from kernel space to user space are reduced. The interwoven AMQ data structure greatly improves computer functioning.
A system and method of adjusting a classifier to improve a performance of the classifier to detect a malicious file. The method includes receiving a request to process a target file. The method includes generating, based on a configuration file and the target file, one or more modified files and metadata associated with the one or more modified files. The method includes providing the one or more modified files to a classifier trained to generate an output indicating whether each of the one or more modified files is malicious or non-malicious. The method includes generating, based on the output and the metadata, performance data indicative of a performance of the classifier. The method includes adjusting, based on the performance data, parameters of the classifier to improve the performance of the classifier to detect a group of attacks on a computing environment.
