Abstract: This disclosure provides for rapid deployments of application-level deceptions (i.e., booby traps) to implant cyber deceptions into running legacy applications both on production and decoy systems, with no downtime and minimal performance overhead compared with the original application. An application-level booby trap is a piece of code injected into an application, and which provides an active defense or deception in response to an attack. A booby trap does not influence program execution under normal operation, and preferably elicits a response that can be defined by a security analyst. In operation, a booby trap is compiled into a bitcode using a patch synthesis process, and it is then injected into a running application, where it is compiled further into machine code, and linked directly with the existing application constructs. The original function also is modified with a function trampoline, and subsequent calls to the original function are then directed to the new function.

Abstract: Rapid deployments of application-level deceptions (i.e., booby traps) implant cyber deceptions into running legacy applications both on production and decoy systems. Once a booby trap is tripped, the affected code is moved into a decoy sandbox for further monitoring and forensics. To this end, this disclosure provides for unprivileged, lightweight application sandboxing to facilitate monitoring and analysis of attacks as they occur, all without the overhead of current state-of-the-art approaches. Preferably, the approach transparently moves the suspicious process to an embedded decoy sandbox, with no disruption of the application workflow (i.e., no process restart or reload). Further, the action of switching execution from the original operating environment to the sandbox preferably is triggered from within the running process.

Abstract: Communications are intercepted between a universal serial bus (USB) device and a host, at least by implementing first device firmware of the USB device. The USB device contains its own second device firmware. Using at least the implemented first device firmware, intercepted communications from the USB device toward the host are sanitized. The sanitizing is performed so that no communication from the USB device is directly forwarded to the host and instead only sanitized communications are forwarded to the host. Methods, apparatus, and computer program products are disclosed.

Abstract: A command endpoint used by Domain Generation Algorithm (DGA) malware is identified using machine learning-based clustering. According to this technique, at least one attribute associated with a candidate resolved DNS name is identified. The candidate resolved DNS name has associated therewith a set of names that are failed DNS lookups but that cluster with the candidate resolved DNS name. A set of additional names that share the at least one attribute with the candidate resolved DNS name are then identified. For the set of additional names, an extent to which the set of additional names also clusters with the set of names that are failed DNS lookups is then determined. The candidate resolved DNS name is characterized as associated with the command endpoint when the set of additional names cluster with the set of names that are failed DNS lookups to a configurable degree.

Abstract: A computer-implemented method (and apparatus) includes receiving input data comprising bipartite graph data in a format of source MAC (Machine Access Code) data versus destination IP (Internet Protocol) data and timestamp information. The input bipartite graph data is provided into a first processing to detect malicious beaconing activities using a lockstep detection method on the input bipartite graph data to detect possible synchronized attacks against a targeted infrastructure. The input bipartite graph data is also provided into a second processing, the second processing initially converting the bipartite graph data into a co-occurrence graph format that indicates in a graph format how devices in the targeted infrastructure communicate with different external destination servers over time. The second processing detects malicious beaconing activities by analyzing data exchanges with the external destination servers to detect anomalies.

Abstract: An automated method for processing security event data in association with a cybersecurity knowledge graph having nodes and edges. It begins by receiving from a security system (e.g., a SIEM) information representing an offense. An offense context graph is built. Thereafter, and to enhance the offense context graph, given nodes and edges of the knowledge graph are prioritized for traversal based on an encoding captured from a security analyst workflow. This prioritization is defined in a set of weights associated to the graph nodes and edges, and these weights may be derived using machine learning. The offense context graph is then refined by traversing the nodes and edges of the knowledge graph according to a prioritization tailored at least in part by the encoding. In addition to using security analyst workflow to augment generation of weights, preferably the machine learning system provides recommendations back to the security analysts to thereby influence their workflow.

Abstract: A method (and system) of scoring asset risk including modeling an interdependence of risks of a plurality of entities within a network by modeling the network as a graph connecting different entities, the different entities are selected from a group of a user, a device, a credential, a high-value asset, and an external server, the graph being defined as a set of vertices comprising the user, the device, the credential, the high-value asset, and the external server and a set of edges represented by an N-by-N adjacency matrix with each pair of the entities sharing a relationship and applying a Belief Propagation (BP) algorithm for solving the inference problem over the graph by inferring the risk from the entities own properties and surrounding entities with the shared relationship in the adjacency matrix, the Belief Propagation algorithm obtains risk information related to each entity of the plurality of entities.

Abstract: USB traffic is intercepted between a USB device and a computer system. It is determined whether the USB device has previously had a policy associated with it as to whether USB traffic from the device should be blocked, allowed, or sanitized. In response to not having a previous policy for the USB device, a request is made for a user to be prompted to provide a policy of one of block, allow, or sanitize for the USB device. In response to a user-provided-policy, one of the following are performed: blocking the traffic, allowing the traffic, or sanitizing the traffic between the USB device and the computer system. Apparatus, methods, and computer program products are disclosed.

Abstract: Communications are intercepted between a universal serial bus (USB) device and a host, at least by implementing first device firmware of the USB device. The USB device contains its own second device firmware. Using at least the implemented first device firmware, intercepted communications from the USB device toward the host are sanitized. The sanitizing is performed so that no communication from the USB device is directly forwarded to the host and instead only sanitized communications are forwarded to the host. Methods, apparatus, and computer program products are disclosed.

Abstract: An automated method for processing security events. It begins by building an initial version of a knowledge graph based on security information received from structured data sources. Using entities identified in the initial version, additional security information is then received. The additional information is extracted from one or more unstructured data sources. The additional information includes text in which the entities (from the structured data sources) appear. The text is processed to extract relationships involving the entities (from the structured data sources) to generate entities and relationships extracted from the unstructured data sources. The initial version of the knowledge graph is then augmented with the entities and relationships extracted from the unstructured data sources to build a new version of the knowledge graph that consolidates the intelligence received from the structured data sources and the unstructured data sources. The new version is then used to process security event data.

Abstract: An automated method for processing security events begins upon receipt of information representing an offense. Based in part on context data extracted from the offense, an offense context graph is built. The offense context graph comprises nodes and edges, with an edge therein representing a relationship between a pair of nodes, at least one of the nodes being a root node representing an entity associated with the offense. The method then continues by mining information about other events that are determined to share a local contextual relationship with the offense represented by the offense context graph. This operation generates an enriched offense context graph. The enriched offense context graph is then pruned to identify an offense context for further examination. Pruning may involve applying a metric to events associated with the offense and removing nodes that, based on evaluation of the metric, do not contribute to the offense.

Abstract: This disclosure provides for a signal flow analysis-based exploration of security knowledge represented in a graph structure comprising nodes and edges. “Conductance” values are associated to each of a set of edges. Each node has an associated “toxicity” value representing a degree of maliciousness associated with the node. The conductance value associated with an edge is a function of at least the toxicity values of the nodes to which the edge is incident. A signal flow analysis is conducted with respect to an input node representing an observable associated with an offense. The flow analysis seeks to identify a subset of the nodes that, based on their conductance values, are reached by flow of a signal representing a threat, wherein signal flow over a path in the graph continues until a signal threshold is met. Based on the analysis, nodes within the subset are designated as hypothesis nodes for further examination.

Abstract: An automated method for processing security events in association with a cybersecurity knowledge graph. The method begins upon receipt of information from a security system representing an offense. An initial offense context graph is built based in part on context data about the offense. The graph also activity nodes connected to a root node; at least one activity node includes an observable. The root node and its one or more activity nodes represent a context for the offense. The knowledge graph, and potentially other data sources, are then explored to further refine the initial graph to generate a refined graph that is then provided to an analyst for further review and analysis. Knowledge graph exploration involves locating the observables and their connections in the knowledge graph, determining that they are associated with known malicious entities, and then building subgraphs that are then merged into the initial graph.

Abstract: Unknown and reference signatures are accessed. The unknown and reference signatures indicate patterns that correspond to known threats to resources (such as computer systems and/or computer networks) in a computer environment and comprise a multitude of descriptive elements having information describing different aspects of a corresponding signature. A set of similarity measures is created of the unknown and reference signatures from different perspectives, each perspective corresponding to a descriptive element. The set of similarity measures are integrated to generate an overall similarity metric. The overall similarity metric is used to find appropriate categories in the reference signatures into which the unknown signatures should be placed. The unknown signatures are placed into the appropriate categories to create a mapping from the unknown signatures to the reference signatures.

Abstract: A method of detecting exploit kits includes receiving, at an input port of a computer, indication of HTTP (Hypertext Transfer Protocol) traffic. The HTTP traffic is clustered into a web session tree according to a client IP (Internet Protocol. A client tree structure of the web session tree is generated. The client tree structure is compared with tree structures of exploit kit samples.

Abstract: Log(s) of IT events are accessed in a distributed system that includes a distributed application. The distributed system includes multiple data objects. The distributed application uses, processes, or otherwise accesses one or more of data objects. The IT events concern the distributed application and concern accesses by the distributed application to the data object(s). The IT events are correlated with a selected set of the data objects. Risks are estimated to the selected set of data objects based on the information technology events. Estimating risks uses at least ranks of compliance rules as these rules apply to the data objects in the system, and vulnerability scores of systems corresponding to the set of data objects and information technology events. Information is output that allows a user to determine the estimated risks for the selected set of data objects. Techniques for determining ranks of compliance rules are also disclosed.

Abstract: A method includes receiving, at an input port of a computer, indication of HTTP (Hypertext Transfer Protocol) traffic and clustering, using a processor on the computer, the HTTP traffic according to a client IP (Internet Protocol) into a web session tree.

Abstract: A method of detecting exploit kits includes receiving, at an input port of a computer, indication of HTTP (Hypertext Transfer Protocol) traffic. The HTTP traffic is clustered into a web session tree according to a client IP (Internet Protocol. A client tree structure of the web session tree is generated. The client tree structure is compared with tree structures of exploit kit samples.

Abstract: A method of detecting exploit kits includes receiving, at an input port of a computer, indication of HTTP (Hypertext Transfer Protocol) traffic. The HTTP traffic is clustered into a web session tree according to a client IP (Internet Protocol. A client tree structure of the web session tree is generated. The client tree structure is compared with tree structures of exploit kit samples.

Abstract: A method of detecting exploit kits includes receiving, at an input port of a computer, indication of HTTP (Hypertext Transfer Protocol) traffic. The HTTP traffic is clustered into a web session tree according to a client IP (Internet Protocol. A client tree structure of the web session tree is generated. The client tree structure is compared with tree structures of exploit kit samples.