Patents Assigned to Alert Logic, Inc.
  • Patent number: 10805326
    Abstract: A network security system collects event data over a long duration and mines the event data to identify unique conversations between each unique pair of a source network address and a destination network address. Events in each unique conversation are associated with signature identifiers that identify different types of attacks. Each signature thus identified is assigned a unique visual clue. The unique visual clue has a particular visual character that reflects the number of occurrences of a particular event. For payload sizes associated with the event, a spatial scale representation is determined. The network security system generates a visualization relative to a conversation timeline for presentation on a user interface. The visualization contains unique visual clues for the different types of attacks associated with the signature identifiers and the spatial scale representation of the payload sizes associated with the events associated with the signature identifiers.
    Type: Grant
    Filed: November 21, 2017
    Date of Patent: October 13, 2020
    Assignee: Alert Logic, Inc.
    Inventors: Dagen Wang, Ian Rickey
  • Patent number: 10645100
    Abstract: Attackers may be uniquely identified by their temporal behavior patterns. Time marks and events in a time sequence between a unique pair of a source network address and a destination network address are pre-processed by a network security system to generate a temporal sequence for spectral extraction. The destination network address resides in a computer network monitored by the network security system. The temporal sequence is transformed from the time domain to the frequency domain to capture periodicity in the time sequence in a spectral vector. The spectral vector is denoised and decorrelated through deep learning to produce a spectral fingerprint that is significantly smaller than the spectral vector. The spectral fingerprint represents a temporal behavior fingerprint of an attacker associated with the source network address with respect to the destination network address over a period of time in the time sequence.
    Type: Grant
    Filed: November 21, 2017
    Date of Patent: May 5, 2020
    Assignee: Alert Logic, Inc.
    Inventors: Dagen Wang, Ian Rickey
  • Patent number: 10460104
    Abstract: A security system and method secures and responds to security threats in a computer having a CPU, a Kernel/OS, and software applications. A data collector intercepts a selection of first tier calls between the CPU and Kernel/OS and/or second tier calls between the Kernel/Operating System and the applications, and stores information pertaining thereto. An Analytic Engine maps the stored first and second tier call information to a rulebase containing patterns of security threats, to generate a threat analysis, and then responds to the threat analysis. The Analytic Engine enlarges or contracts the selection of first and second tier calls to increase or decrease the specificity of the threat analysis. A Management Module generates user interfaces accessible remotely by a user device, to update the rulebase and configure the collector, the Kernel module, and the Analytic Engine.
    Type: Grant
    Filed: September 14, 2018
    Date of Patent: October 29, 2019
    Assignee: Alert Logic, Inc.
    Inventors: Ryan J. Berg, John J. Danahy, Kirk R. Swidowski, Stephen C. Carlucci, Christopher Baron
  • Patent number: 10462178
    Abstract: A management platform that allows security and compliance users to view risks and vulnerabilities in their environment with the added context of what other mitigating security countermeasures are associated with that vulnerability and that are applicable and/or available within the overall security architecture. Additionally, the platform allows users to take one or more actions from controlling the operation of a security countermeasure for mitigation purposes to documenting the awareness of a security countermeasure that is in place.
    Type: Grant
    Filed: August 4, 2014
    Date of Patent: October 29, 2019
    Assignee: Alert Logic, Inc.
    Inventors: Michael S. Curtis, Audian H. Paxson, Eva E. Bunker, Nelson W. Bunker, Kevin M. Mitchell
  • Patent number: 10462170
    Abstract: This disclosure provides new automated threat detection using synchronized log and Snort streams. Time segments from a log stream are correlated by time to time segments from a Snort stream that have been identified as indicating “true” incidents. To determine whether a correlated time segment is “good” or “bad,” features are extracted from the correlated time segment and used to determine tuples associated therewith, each tuple containing a message type, a location, and an out-of-vocabulary word in the correlated time segment. A multidimensional feature vector containing a select number of the tuples is generated and provided as input to a machine learning module which determines, based on machine intelligence, whether the correlated time segment indicates a true incident.
    Type: Grant
    Filed: November 21, 2017
    Date of Patent: October 29, 2019
    Assignee: Alert Logic, Inc.
    Inventors: Dagen Wang, Ian Rickey
  • Patent number: 10200388
    Abstract: Active memory for managing network telemetry information, or other types of information stored as objects, has objects partially serialized to allow greater amounts of information to be stored in a memory of a given size with slightly increased retrieval times. Storing additional information in an active memory provides an overall increase in network security platform responsiveness by allowing a greater amount of information to be accessible from the active memory instead of from an archive.
    Type: Grant
    Filed: February 26, 2016
    Date of Patent: February 5, 2019
    Assignee: Alert Logic, Inc.
    Inventor: Donovan Kolbly
  • Patent number: 8578393
    Abstract: A log message collection system selects a configured host and fetches a log message. The log message collection system examines the fetched message to identify one or more DLLs necessary to translate the log message and determines whether the necessary DLL(s) have been loaded into a cache. If so, the log message is translated. If the DLLs are not in the cache, the log message collection system fetches from the log message host only the DLLs necessary to translate that fetched message. After the message is translated, the log message collection system fetches the next log message, identifies the necessary DLLs for that log message, and fetches the DLLs necessary to translate that message.
    Type: Grant
    Filed: June 18, 2008
    Date of Patent: November 5, 2013
    Assignee: Alert Logic, Inc.
    Inventors: Paul Fisher, Eugene Golovinsky, Pavel S Trakhtman
  • Patent number: 8407335
    Abstract: An appliance is co-located on a network with computing devices. Log messages generated by the computing devices are collected by the appliance, filtered based on the content and stored in transmission priority queues based on the content. The appliance packetizes the log messages based on the transmission priority queue and the available bandwidth and compresses the packet. The appliance encrypts the packet, digitally signs the encrypted packet and sends the packet to a first data center over a public network. The first data center stores the packet in reliable storage and performs processing on the data. A copy of the packet is sent to a second data center that stores the copy and performs processing on the copied data. The appliance deletes the packet from its buffer after it has received acknowledgement that the second data center has received the packet.
    Type: Grant
    Filed: June 18, 2008
    Date of Patent: March 26, 2013
    Assignee: Alert Logic, Inc.
    Inventors: Christopher A. Church, Paul Fisher, Eugene Golovinsky, Pavel S Trakhtman, Mikhail Govshteyn
  • Patent number: 8156553
    Abstract: Systems and methods for correlating log messages into actionable incidents. Some embodiments implement a method which includes comparing a plurality of disparate log messages to a plurality of incident descriptions. The disparate log messages can be parsed. When the messages correlate with an incident description an incident case can be created. Workflow steps can be associated with the incident case and output along with the incident case. Additional disparate log messages can be compared to the incident expressions and, when additional messages correlate with the correlated incident description, the incident case can be adjusted. In some embodiments, the adjustment can include adding workflow steps to the incident case. Results of various workflow steps can be monitored and adjustments can be made accordingly. In some embodiments, the results can include out-of-bounds activities.
    Type: Grant
    Filed: July 11, 2008
    Date of Patent: April 10, 2012
    Assignee: Alert Logic, Inc.
    Inventors: Christopher Church, Eugene Golovinsky, Mikhail Govshteyn
  • Patent number: 8079081
    Abstract: Methods and systems for normalizing log messages. Some methods include obtaining a freeform log message from one of many disparate programs. The methods can include determining which program originated the message and, based on that, determining a signature which matches the message. Using the signature, a parsing expression may be determined with which to extract information from a portion of the message. The time from obtaining the message to extracting the information can be about the same for all messages and can be about 1/40,000th of a second. In some embodiments, a generic signature of the message may be output. A version of the message may be reconstructed based on the generic signature and information. When more than one message signature matches the reconstructed message, one of the matching signatures can be adjusted. The parsing expression can be the first of an ordered list of expressions which successfully evaluates the log message.
    Type: Grant
    Filed: June 27, 2008
    Date of Patent: December 13, 2011
    Assignee: Alert Logic, Inc.
    Inventors: Anton Lavrik, Pavel Trakhtman, Paul Fisher, Eugene Golovinsky
  • Patent number: 7594270
    Abstract: Embodiments of the invention provide a security expert system (SES) that automates intrusion detection analysis and threat discovery and that can use fuzzy logic and forward-chaining inference engines to approximate the human reasoning process. Embodiments of the SES can analyze incoming security events and generate a threat rating that indicates the likelihood of an event or a series of events being a threat. In one embodiment, the threat rating is determined based on an attacker rating, a target rating, a valid rating, and, optionally, a negative rating. In one embodiment, the threat rating may be affected by a validation flag. The SES can analyze the criticality of assets and calibrate/recalibrate the severity of an attack accordingly to allow for triage. The asset criticality can have a user-defined value. This ability allows the SES to protect and defend critical network resources in a discriminating and selective manner if necessary (e.g., under many attacks).
    Type: Grant
    Filed: December 29, 2005
    Date of Patent: September 22, 2009
    Assignee: Alert Logic, Inc.
    Inventors: Christopher A. Church, Mikhail Govshteyn, Christopher D. Baker, Christopher D. Holm