Patents by Inventor Moreno CARULLO

Moreno CARULLO has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11983803
    Abstract: The present invention relates to a method for representing objects of a network in a GUI with a graph clustering comprising retrieving a base graph comprising all of the objects of the network as respective nodes and links between said nodes, grouping two or more of the nodes in one or more clusters, initializing the clusters by calculating the cluster mass and the cluster radius of each of the clusters, assessing the clusters defining a visualization graph which represents the base graph as seen from a predefined distance value and positioning the visualization graph in the GUI, wherein the assessing comprises creating an empty visualization graph, calculating for each of the clusters the distance ratio as ratio between the cluster radius and the predefined distance value, evaluating the distance ratio with regard to a predefined distance ratio threshold, compressing the cluster when the distance ratio is higher than the predefined distance ratio threshold, adding in the visualization graph a single compress
    Type: Grant
    Filed: February 2, 2022
    Date of Patent: May 14, 2024
    Assignee: Nozomi Networks Sagl
    Inventors: Paolo Di Francescantonio, Alessandro Cavallaro Corti, Moreno Carullo, Andrea Carcano
  • Patent number: 11930033
    Abstract: The present invention relates to a method for verifying vulnerabilities of a network device using Common Vulnerabilities and Exposures (“CVE”) entries comprising generating a CVE tree from each of the CVE entries and defining an indexed CVE entry, that identifies vulnerable configuration fields and extracts a set of vulnerable conditions comprising an operator attribute and nested CPE records. The CVE tree is provided with the operator attribute as node and with Common Platform Enumeration (“CPE”) records as leaves from the node, wherein the decoding comprises tokenizing of the decoded string in a sequence of plurality of n-grams having predefined sizes, and wherein the matching comprises a lookup of the sequence of plurality of n-grams into the CVE tree, that raises an alert when the operator attribute corresponds to a match between CPE records.
    Type: Grant
    Filed: January 4, 2021
    Date of Patent: March 12, 2024
    Assignee: Nozomi Networks Sagl
    Inventors: Alessandro Cavallaro Corti, Moreno Carullo, Andrea Carcano
  • Patent number: 11930027
    Abstract: The present invention relates to a method for evaluating quality of signature-based detections in an infrastructure provided with a plurality of sensors, comprising defining predefined rules for the rule-based detections, wherein the rules are of a silent type such that operate without generating alerts to the user of the infrastructure, collecting telemetry events at each of the sensors, storing the telemetry events of each of the sensors to respective local sensor databases operatively connected to the sensors, aggregate, at predetermined aggregating time intervals, the telemetry events from the local sensor databases to a central database, analyzing the telemetry events at the central database, by evaluating the telemetry events with respect to the rules and calculating the quality measurements of the rules, according to a plurality of predefined quality metrics in a predefined metrics time interval, wherein the quality metrics comprise precision metric, by counting the instances of false positives of the
    Type: Grant
    Filed: December 28, 2021
    Date of Patent: March 12, 2024
    Assignee: Nozomi Networks Sagl
    Inventors: Alexey Kleymenov, Alessandro Di Pinto, Moreno Carullo, Andrea Carcano
  • Patent number: 11906943
    Abstract: The present invention relates to a method for automatic translation of ladder logic to a SMT-based model checker in a network comprising defining (10) the topology of the network as an enriched network topology based on packets exchanged in the network, extracting (20) a program from the packets relating to a PLC in the network and identifying inputs, outputs, variables and a ladder diagram of the PLC, translating (30) the inputs, outputs, variables and ladder diagram into a predefined formal model, wherein the predefined formal model is a circuit-like SMT-based model checker, and wherein the translating (30) comprises translating the set of data types of the program according to a predefined model set of data types of the circuit-like SMT-based model checker, translating the inputs of the PLC as model inputs of the circuit-like SMT-based model checker of the same type, translating the outputs of the PLC as model output latches of the circuit-like SMT-based model checker of the same type, translating the vari
    Type: Grant
    Filed: August 12, 2021
    Date of Patent: February 20, 2024
    Assignee: Nozomi Networks Sagl
    Inventors: Roberto Bruttomesso, Alessandro Di Pinto, Moreno Carullo, Andrea Carcano
  • Patent number: 11895139
    Abstract: Disclosed are methods for automatic retrieving and managing assets information in a network. The method includes identifying, defining, and valuing stored assets in a network. An asset is defined and identified by assigned values that include criticality values, resiliency values, granularity values, and freshness values that may be selected from a predefined set of values. The assets are valued by an overall quality score that is determined through computerized data processing and optimized by updating asset properties.
    Type: Grant
    Filed: September 22, 2021
    Date of Patent: February 6, 2024
    Assignee: Nozomi Networks Sagl
    Inventors: Moreno Carullo, Andrea Carcano
  • Publication number: 20240007483
    Abstract: The present invention relates to a method for automatic signatures generation from a plurality of sources, comprising defining a plurality of identified sources of samples providers, collecting, by a computerized data processing unit, input samples from the sample providers, verifying, by the computerized data processing unit, the input samples defining verified input samples, generating, by the computerized data processing unit, verified signatures from the verified input samples, storing, in a verified signatures database operatively connected to the computerized data processing unit, the verified signatures, wherein the collecting comprises extracting raw IoCs from the input samples, wherein the verifying comprises evaluating the reputation of each of the raw IoCs according to predefined reputation rules and comparing each of the raw IoCs with a database of existing signatures operatively connected to the data processing unit to define allowable raw IoCs; and wherein the generating comprises creating the v
    Type: Application
    Filed: July 1, 2022
    Publication date: January 4, 2024
    Inventors: Alexey KLEYMENOV, Moreno CARULLO, Andrea CARCANO
  • Patent number: 11831671
    Abstract: The present invention relates to a method for automatic derivation of attack paths in a network comprising defining the topology of the network as an enriched network topology, identifying the vulnerabilities of the topology as vulnerabilities information artifacts, building the atomic attack database of the network based on the topology and the vulnerabilities, translating the enriched network topology, the vulnerabilities information artifacts and the atomic attack database into a predefined formal model, executing a predefined SMT-based model checker for the predefined formal model to seek counterexamples and deriving the attack paths from the counterexamples, wherein the defining the topology comprises running, by a computerized data processing unit operatively connected to the network, a module of deep packet inspection of the network to build a network topology based on the information derived from the deep packet inspection module, running, by the computerized data processing unit, a module of active q
    Type: Grant
    Filed: April 8, 2021
    Date of Patent: November 28, 2023
    Assignee: Nozomi Networks Sagl
    Inventors: Roberto Bruttomesso, Alessandro Cavallaro Corti, Moreno Carullo, Andrea Carcano
  • Patent number: 11831527
    Abstract: The present invention relates to a method for detecting anomalies in time series data produced by devices of an infrastructure in a network comprising, for each of the devices through computerized data processing means, retrieving a time series data for the device in the network, extracting a plurality of time series samples relating to respective time windows and having a predefined window size and a predefined stride, by sliding the time windows to overlap the time series data, supplying the time series samples as input to a Convolutional Autoencoder to define reconstructed time series values having a predefined percentile intervals, analysing the reconstructed time series values to identify anomalous behaviours of the time series data, signalling an anomaly of the device when at least one anomalous behaviour is identified.
    Type: Grant
    Filed: March 9, 2022
    Date of Patent: November 28, 2023
    Assignee: Nozomi Networks Sagl
    Inventors: Alessandro Valente, Alessandro Zamberletti, Moreno Carullo
  • Publication number: 20230291668
    Abstract: The present invention relates to a method for detecting anomalies in time series data produced by devices of an infrastructure in a network comprising, for each of the devices through computerized data processing means, retrieving a time series data for the device in the network, extracting a plurality of time series samples relating to respective time windows and having a predefined window size and a predefined stride, by sliding the time windows to overlap the time series data, supplying the time series samples as input to a Convolutional Autoencoder to define reconstructed time series values having a predefined percentile intervals, analysing the reconstructed time series values to identify anomalous behaviours of the time series data, signalling an anomaly of the device when at least one anomalous behaviour is identified.
    Type: Application
    Filed: March 9, 2022
    Publication date: September 14, 2023
    Inventors: Alessandro VALENTE, Alessandro ZAMBERLETTI, Moreno CARULLO
  • Publication number: 20230275914
    Abstract: The present invention relates to a method and to an apparatus for detecting anomalies of an infrastructure in a network comprising analysing, through a network analyser (101) connected to the network, a data packet (PD) exchanged in the network, identifying, through said network analyser (101), the network protocol and all the fields for said analysed data packet (PD) defining an identified protocol and identified fields of said data packet (PD), extracting, through computerized data processing means (102), identification fields from the identified fields to identify a device of the infrastructure in the network, matching, through the computerized data processing means (102), the identified device with a plurality of predefined standard devices in a predefined devices knowledge database to recognise a matching device, retrieving, through the computerized data processing means (102), one or more allowed fields and one or more allowed protocols of the matching device from the predefined devices knowledge databa
    Type: Application
    Filed: February 27, 2022
    Publication date: August 31, 2023
    Inventors: Alessandro CAVALLARO CORTI, Manlio MODUGNO, Moreno CARULLO, Andrea CARCANO
  • Patent number: 11722504
    Abstract: The present invention relates to a method and an apparatus for detecting anomalies of a DNS traffic in a network comprising analysing, through a network analyser connected to said network, each data packet exchanged in the network, isolating, through the network analyser, from each of the analysed data packets the related DNS packet, evaluating, through a computerized data processing unit, each of the DNS packets generating a DNS packet status, signaling, through the computerized data processing unit, an anomaly of the DNS traffic when the DNS packet status defines a critical state, wherein the evaluating further comprises assessing, through the computerized data processing unit, each of the DNS packets by a plurality of evaluating algorithms generating a DNS packet classification for each of the evaluating algorithms, aggregating, through the computerized data processing unit, the DNS packet classifications generating the DNS packet status, and wherein the critical state is identified when the DNS packet sta
    Type: Grant
    Filed: December 26, 2020
    Date of Patent: August 8, 2023
    Assignee: Nozomi Networks Sagl
    Inventors: Alessandro Di Pinto, Moreno Carullo, Andrea Carcano, Mario Marchese, Fabio Patrone, Alessandro Fausto, Giovanni Battista Gaggero
  • Publication number: 20230245357
    Abstract: The present invention relates to a method for representing objects of a network in a GUI with a graph clustering comprising retrieving a base graph comprising all of the objects of the network as respective nodes and links between said nodes, grouping two or more of the nodes in one or more clusters, initializing the clusters by calculating the cluster mass and the cluster radius of each of the clusters, assessing the clusters defining a visualization graph which represents the base graph as seen from a predefined distance value and positioning the visualization graph in the GUI, wherein the assessing comprises creating an empty visualization graph, calculating for each of the clusters the distance ratio as ratio between the cluster radius and the predefined distance value, evaluating the distance ratio with regard to a predefined distance ratio threshold, compressing the cluster when the distance ratio is higher than the predefined distance ratio threshold, adding in the visualization graph a single compress
    Type: Application
    Filed: February 2, 2022
    Publication date: August 3, 2023
    Inventors: Paolo DI FRANCESCANTONIO, Alessandro CAVALLARO CORTI, Moreno CARULLO, Andrea CARCANO
  • Publication number: 20230224313
    Abstract: The present invention relates to a method for evaluating quality of signature-based detections in an infrastructure provided with a plurality of sensors, comprising defining predefined rules for the rule-based detections, wherein the rules are of a silent type such that operate without generating alerts to the user of the infrastructure, collecting telemetry events at each of the sensors, storing the telemetry events of each of the sensors to respective local sensor databases operatively connected to the sensors, aggregate, at predetermined aggregating time intervals, the telemetry events from the local sensor databases to a central database, analyzing the telemetry events at the central database, by evaluating the telemetry events with respect to the rules and calculating the quality measurements of the rules, according to a plurality of predefined quality metrics in a predefined metrics time interval, wherein the quality metrics comprise precision metric, by counting the instances of false positives of the
    Type: Application
    Filed: December 28, 2021
    Publication date: July 13, 2023
    Inventors: Alexey KLEYMENOV, Alessandro DI PINTO, Moreno CARULLO, Andrea CARCANO
  • Patent number: 11671449
    Abstract: The present invention relates to a method for automatic aggregating and enriching data from honeypots comprising defining a plurality of identified honeypots of a different type to be monitored in a network; collecting metadata and samples from said honeypots of a different type in said network, which in turn comprises defining a predefined collection model for the honeypots such as to collect homogeneous metadata and samples among the honeypots of a different type, extracting the metadata according to the collection model defining a model metadata, and extracting the samples according to the collection model defining model samples; enriching said metadata and sample collected, which in turn comprises scanning the model metadata to extract IoCs, scanning the model samples to extract IoCs, recursively scanning the model samples to generate secondary model metadata and scanning the secondary model metadata to extract IoCs, until no further IoCs can be generated, recursively obtaining secondary samples from the
    Type: Grant
    Filed: October 5, 2021
    Date of Patent: June 6, 2023
    Assignee: NOZOMI NETWORKS SAGL
    Inventors: Alexey Kleymenov, Alessandro Di Pinto, Moreno Carullo, Andrea Carcano
  • Publication number: 20230106071
    Abstract: The present invention relates to a method for automatic aggregating and enriching data from honeypots comprising defining a plurality of identified honeypots of a different type to be monitored in a network; collecting metadata and samples from said honeypots of a different type in said network, which in turn comprises defining a predefined collection model for the honeypots such as to collect homogeneous metadata and samples among the honeypots of a different type, extracting the metadata according to the collection model defining a model metadata, and extracting the samples according to the collection model defining model samples; enriching said metadata and sample collected, which in turn comprises scanning the model metadata to extract IoCs, scanning the model samples to extract IoCs, recursively scanning the model samples to generate secondary model metadata and scanning the secondary model metadata to extract IoCs, until no further IoCs can be generated, recursively obtaining secondary samples from the
    Type: Application
    Filed: October 5, 2021
    Publication date: April 6, 2023
    Inventors: Alexey KLEYMENOV, Alessandro DI PINTO, Moreno CARULLO, Andrea CARCANO
  • Publication number: 20230089194
    Abstract: The present invention relates to a method for automatic retrieving and managing assets information in a network comprising for each identified assets in a network, assigning a criticality value from a predefined set of criticality values, assigning a resiliency value from a predefined set of resiliency values, assigning a granularity value to each of the identified asset properties from a predefined set of resiliency values, assigning a confidence value to each of the identified asset properties from a predefined set of confidence values, assigning a freshness value to each of the identified asset properties from a predefined set of freshness values, calculating, by computerized data processing unit, the quality score of each of the asset properties as combination of the critical value, resiliency value, granularity value, confidence value and freshness value, calculating, by the computerized data processing unit, the quality score of the asset as sum of the quality score of the asset properties, wherein the
    Type: Application
    Filed: September 22, 2021
    Publication date: March 23, 2023
    Inventors: Moreno CARULLO, Andrea CARCANO
  • Publication number: 20230059985
    Abstract: The present invention relates to a method for automatic translation of ladder logic to a SMT-based model checker in a network comprising defining (10) the topology of the network as an enriched network topology based on packets exchanged in the network, extracting (20) a program from the packets relating to a PLC in the network and identifying inputs, outputs, variables and a ladder diagram of the PLC, translating (30) the inputs, outputs, variables and ladder diagram into a predefined formal model, wherein the predefined formal model is a circuit-like SMT-based model checker, and wherein the translating (30) comprises translating the set of data types of the program according to a predefined model set of data types of the circuit-like SMT-based model checker, translating the inputs of the PLC as model inputs of the circuit-like SMT-based model checker of the same type, translating the outputs of the PLC as model output latches of the circuit-like SMT-based model checker of the same type, translating the vari
    Type: Application
    Filed: August 12, 2021
    Publication date: February 23, 2023
    Inventors: Roberto BRUTTOMESSO, Alessandro DI PINTO, Moreno CARULLO, Andrea CARCANO
  • Patent number: 11586921
    Abstract: The present invention relates to a method for forecasting health status of a distributed network by an artificial neural network comprising the phase of identifying one or more sites, one or more assets of the sites and the links between the identified assets in said distributed network, comprising the phase of evaluating the actual health status of each of the identified assets, the phase of evaluating the actual health status of each of said identified sites and the phase of forecasting, by the artificial neural network, the subsequent health status of each of the identified sites according to a forecasting function based on a set of values comprising the actual asset health status rank, the actual asset infection risk, the actual asset infection factor, the actual site health status rank and the actual site infection risk.
    Type: Grant
    Filed: June 29, 2020
    Date of Patent: February 21, 2023
    Assignee: Nozomi Networks Sagl
    Inventors: Andrea Carcano, Moreno Carullo
  • Publication number: 20220329617
    Abstract: The present invention relates to a method for automatic derivation of attack paths in a network comprising defining the topology of the network as an enriched network topology, identifying the vulnerabilities of the topology as vulnerabilities information artifacts, building the atomic attack database of the network based on the topology and the vulnerabilities, translating the enriched network topology, the vulnerabilities information artifacts and the atomic attack database into a predefined formal model, executing a predefined SMT-based model checker for the predefined formal model to seek counterexamples and deriving the attack paths from the counterexamples, wherein the defining the topology comprises running, by a computerized data processing unit operatively connected to the network, a module of deep packet inspection of the network to build a network topology based on the information derived from the deep packet inspection module, running, by the computerized data processing unit, a module of active q
    Type: Application
    Filed: April 8, 2021
    Publication date: October 13, 2022
    Inventors: Roberto BRUTTOMESSO, Alessandro CAVALLARO CORTI, Moreno CARULLO, Andrea CARCANO
  • Patent number: 11444971
    Abstract: The present invention relates to a method for assessing the quality of network-related Indicators of Compromise comprising the phase of calculating, by a computerized data processing unit, a quality score for Indicators of Compromise of the IP Address type, the steps of assigning an autonomous system score of the IP Address according to a predefined range of values based on a database of autonomous system owners, assigning a subnet score of said IP Address according to a predefined range of values based on a database of subnet owners, assigning a services hosted score of the IP Address according to a predefined range of values based on known malicious services hosted by the IP Address before the phase of calculating the quality score, calculating the IP Address quality score as sum of the autonomous system score, subnet score and services hosted score and wherein the method comprises a phase of evaluating the calculated quality score comprises, for each of the Indicators of Compromise of the IP Address type,
    Type: Grant
    Filed: October 6, 2020
    Date of Patent: September 13, 2022
    Assignee: Nozomi Networks Sagl
    Inventors: Ivan Speziale, Alessandro Di Pinto, Moreno Carullo, Andrea Carcano