Intrusion Detection Patents (Class 726/23)
  • Patent number: 11960603
    Abstract: A server manager for detecting ransomware includes a server interface to retrieve, from a storage device, a backup of a plurality of files stored by a client device. A ransomware detection module includes a statistical filter to generate a standard pattern of file activities of the client device for a time period. A statistical behavior analysis is performed on the backup of the plurality of files based on the standard pattern to identify a portion of the backup corresponding to a statistical anomaly different from the standard pattern. The statistical anomaly corresponds to an abnormal file activity. An entropy detector generates an entropy score for the portion of the backup. The entropy score represents a randomness of a distribution of bits in a block of a file in the portion of the backup. It is determined whether the backup includes the ransomware based on the generated entropy score.
    Type: Grant
    Filed: April 24, 2018
    Date of Patent: April 16, 2024
    Assignee: Druva Inc.
    Inventors: Adwait Bhave, Hemanshu Asolia, Neeraj Thakur
  • Patent number: 11962552
    Abstract: An endpoint agent extension of a cyber defense system for email that includes modules and machine learning models. An integration module integrates with an email client application to detect email cyber threats in emails in the email client application as well as regulate emails. An action module interfaces with the email client application to direct autonomous actions against an outbound email and/or its files when a cyber threat module determines the email and/or its files (a) to be a data exfiltration threat, (b) to be both malicious and anomalous behavior as compared to a user's modeled email behavior, and (c) any combination of these. The autonomous actions can include actions of logging a user off the email client application, preventing the sending of the email, stripping the attached files and/or disabling the link to the files from the email, and sending a notification to cyber security personnel regarding the email.
    Type: Grant
    Filed: August 27, 2020
    Date of Patent: April 16, 2024
    Assignee: Darktrace Holdings Limited
    Inventors: Stephen Pickman, Matthew Dunn
  • Patent number: 11962615
    Abstract: A system for detecting Denial-of-Service (DoS) attacks on one or more user profiles collects a number of invalid sign-on attempts on the one or more user profiles during every time interval. The system determines a number of invalid sign-on attempts on every user profile since the start of the first time interval. The system detects a first DoS attack on a particular user profile if a first number of invalid sign-on attempts on the particular user profile exceeds a single-user profile. The system detects a second DoS attack on multiple user profiles during the first time interval if the increase in the total number of invalid sign-on attempts since the last time interval exceeds a scan-level threshold number. The system detects a third DoS attack on multiple user profiles if the total number of invalid sign-on attempts detected during combined time intervals exceeds a third threshold number.
    Type: Grant
    Filed: July 23, 2021
    Date of Patent: April 16, 2024
    Assignee: Bank of America Corporation
    Inventors: Xiao Jun Zhang, Neetika Singh, Jesse Deping Meng, Robert Bruce Williams, Joshua Samuel Drucker, Cynthia Diane Dieterich
  • Patent number: 11954111
    Abstract: Disclosed is a system for executing a service request. The system comprises a processing arrangement and data sources. The processing arrangement receives the service request and is configured to extract data from the data sources based on the service request. The data sources respond in response to a characteristic framework of the service request. The system further comprises an administrator module to permute the service request received by the processing arrangement in accordance with the characteristic framework employed by the data sources. The administrator module is configured to identify at least one attribute of the service request, obtain data corresponding to the at least one attribute of the service request from the data sources, normalize the obtained data and provide the normalized data to execute the service request, via the processing arrangement.
    Type: Grant
    Filed: March 29, 2019
    Date of Patent: April 9, 2024
    Assignee: INNOPLEXUS AG
    Inventors: Ashwinkumar Rathod, Souymadeep Ghosh, Rohit Agarwal, Rajat Chaudhary
  • Patent number: 11956257
    Abstract: A method for classifying domains to malware families includes identifying a corpus of malicious domains, identifying one or more suspicious domains, extracting a timeframe corresponding to the one or more suspicious domains, calculating a rank coefficient between the one or more suspicious domains and a current seed domain of the corpus of malicious domains, determining whether the rank correlation coefficient exceeds a rank threshold for the one or more suspicious domains, comparing a number of suspicious domains whose correlation coefficients exceed the rank threshold to a relation threshold, and responsive to determining the number of suspicious domains whose correlation coefficients exceed the rank threshold exceeds the relation threshold, applying a tag to the suspicious domains indicating that the one or more suspicious domains correspond to a same malware family as the current seed domain.
    Type: Grant
    Filed: October 13, 2021
    Date of Patent: April 9, 2024
    Assignee: International Business Machines Corporation
    Inventors: Aviv Ron, Alon Freund, Avishay Bartik, David Lazar, Yakov Shay-El Cohen
  • Patent number: 11954235
    Abstract: A data diode chip provides a flexible device for collecting data from a data source and transmitting the data to a data destination using one-way data transmission. On-chip processing elements allow the data diode to identify automatically the type of connectivity provided to the data diode and configure the data diode to handle the identified type of connectivity.
    Type: Grant
    Filed: June 12, 2023
    Date of Patent: April 9, 2024
    Assignee: Fend Incorporated
    Inventors: Sang Cheon Lee, Colin Patrick Dunn
  • Patent number: 11947667
    Abstract: Techniques for preventing ransomware from encrypting files on a target machine are disclosed. In some embodiments, a system/process/computer program product for preventing ransomware from encrypting files on a target machine includes monitoring file system activities on a computing device; detecting an unauthorized activity associated with a honeypot file or honeypot folder; and performing an action based on a policy in response to the unauthorized activity associated with the honeypot file or honeypot folder.
    Type: Grant
    Filed: June 14, 2023
    Date of Patent: April 2, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Eldar Aharoni, Vadim Goldstein, Mashav Sapir, Jenny Kitaichik
  • Patent number: 11948114
    Abstract: Methods and systems for improved collection and evaluation of audit responses for healthcare sites are provided. In one embodiment, a method is provided that includes receiving responses associated with an audit of a healthcare site. A deficiency score and a total score may be calculated based on the responses. The deficiency scores may be calculated based on a quantity of responses indicating a deficient status and/or an improvement required status. The total score may be calculated based on a total quantity of the responses and a quantity of the responses that indicate an inapplicable status. The risk score may then be calculated based on the deficiency score.
    Type: Grant
    Filed: June 9, 2020
    Date of Patent: April 2, 2024
    Assignee: Innovation Associates Inc.
    Inventors: Phil Samples, Rebecca Keefe, Keith Redmore, Alecia Lashier
  • Patent number: 11947940
    Abstract: Techniques regarding augmenting one or more training datasets for training one or more AI models are provided. For example, one or more embodiments described herein can comprise a system, which can comprise a memory that can store computer executable components. The system can also comprise a processor, operably coupled to the memory, and that can execute the computer executable components stored in the memory. The computer executable components can comprise a training augmentation component that can generate an augmented training dataset for training an artificial intelligence model by extracting a simplified source code sample from a source code sample comprised within a training dataset.
    Type: Grant
    Filed: October 11, 2021
    Date of Patent: April 2, 2024
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Sahil Suneja, Yufan Zhuang, Yunhui Zheng, Alessandro Morari, Jim Alain Laredo
  • Patent number: 11949698
    Abstract: According to one embodiment, a non-transitory storage medium is configured to store a plurality of engines, which operate to conduct an analysis of a received object to determine if the object is associated with a malicious attack. The plurality of engines includes a first engine and a second engine. The first engine is configured to conduct a first analysis of the received object for anomalous behaviors including anomalous actions or omissions during virtual processing of the object that indicate the received object is malicious. The second engine is configured to conduct a second analysis corresponding to a classification of the object as being associated with a malicious attack. The analysis schemes conducted by the first engine and the second engine may be altered via configuration files, which adjust (i) parameter value(s) or (ii) operation rule(s) to alter the analysis conducted by the first engine and/or second engine.
    Type: Grant
    Filed: March 31, 2022
    Date of Patent: April 2, 2024
    Assignee: Musarubra US LLC
    Inventors: Michael Vincent, Emmanuel Thioux, Sai Vashisht, Darien Kindlund
  • Patent number: 11949707
    Abstract: Isolating suspicious email links is described. An email security service receives an email that includes a link that refers to an external resource. A first suspicious link determination is performed to determine whether the link is suspicious. If the link is suspicious, the link is rewritten to refer to the email security service and the email is delivered to the recipient. A request from a client device is received responsive to the link being opened. A second suspicious link determination is performed to determine whether the link is suspicious. If the link is suspicious, an interstitial page is transmitted to the client device that includes an option that, when selected, causes the first link to be opened in a remote browser isolation session.
    Type: Grant
    Filed: July 28, 2023
    Date of Patent: April 2, 2024
    Assignee: CLOUDFLARE, INC.
    Inventors: Philip Syme, Michelle Chen, Jeremy Michael Eckman, Michael J. Flester, Shalabh Mohan, Timothy Obezuk
  • Patent number: 11940870
    Abstract: A method and a device for automatically detecting potential failures in mobile applications implemented on an operating system for mobile devices, a mobile application being executable on the operating system installed on a hosting device by executing code instructions stored in an associated executable file. Provided an executable file associated to a mobile application, the device implements a module for decompiling the executable file to obtain at least one descriptive file of the mobile application containing descriptive code formatted with a markup language, a module for providing a plurality of predetermined string patterns related to potential failures, and a module for searching for the presence of at least one of the string patterns in the at least one descriptive file, and in case of presence, outputting an indication of presence of a potential failure associated to the detected string pattern.
    Type: Grant
    Filed: October 20, 2022
    Date of Patent: March 26, 2024
    Assignee: FAURECIA APTOIDE AUTOMOTIVE, LDA
    Inventor: Adriano Batista
  • Patent number: 11941120
    Abstract: Novel tools and techniques might provide for implementing Internet of Things (“IoT”) functionality, and, in particular embodiments, implementing added services for OBD2 connection for IoT-capable vehicles. In various embodiments, a portable device (when connected to an OBD2 DLC port of a vehicle) might monitor wireless communications between a vehicle computing system(s) and an external device(s), might monitor vehicle sensor data from vehicular sensors tracking operational conditions of the vehicle, and might monitor operator input sensor data from operator input sensors tracking input by a vehicle operator. The portable device (or a server) might analyze either the monitored wireless communications or a combination of the monitored vehicle sensor data and the monitored operator input sensor data, to determine whether vehicle operation has been compromised.
    Type: Grant
    Filed: December 23, 2021
    Date of Patent: March 26, 2024
    Assignee: Century-Link Intellectual Property LLC
    Inventor: Tom Funk
  • Patent number: 11941379
    Abstract: A system performs static program analysis with artifact reuse. The system identifies artifacts associated with the software program being analyzed. The system processes the identified artifacts for performing static program analysis and transmits either the artifacts or identifiers for the artifacts to a second processing device for performing program analysis. The second processing device receives the artifacts and uses the received identifiers to retrieve the artifacts from a networked storage system. The second device also retrieves stored summaries of previous program analysis from the networked storage system. The program analysis uses the retrieved artifacts to generate work units for static program analysis. The analysis is performed only for those work units that are determined to remain unchanged from previous static program analysis cycles.
    Type: Grant
    Filed: September 1, 2022
    Date of Patent: March 26, 2024
    Assignee: Synopsys, Inc.
    Inventors: Marc-André Laverdière-Papineau, Kenneth Robert Block, Nebojsa Bozovic, Simon Fredrick Vicente Goldsmith, Charles-Henri Marie Jacques Gros, Thomas Henry Hildebrandt, Thierry M. Lavoie, Ryan Edward Ulch
  • Patent number: 11943308
    Abstract: A condition exists that triggers an HTTP server to modify one or more HTTP connections for one or more HTTP clients that are connected to the HTTP server. The HTTP server dynamically modifies the one or more HTTP connections including dynamically modifying one or more HTTP connection resource parameters for the one or more HTTP connections. For each of the one or more HTTP clients, the HTTP server monitors that HTTP client to determine whether it is complying with the modified one or more HTTP connection resource parameters. If one of the one or more HTTP clients is not complying with the modified one or more HTTP connection resource parameters, the HTTP server closes an HTTP connection to that HTTP client.
    Type: Grant
    Filed: December 29, 2022
    Date of Patent: March 26, 2024
    Assignee: CLOUDFLARE, INC.
    Inventor: Lucas Pardue
  • Patent number: 11943195
    Abstract: A computing system is configured to perform zero-trust domain name resolution. The computing system includes applications coupled to a zero-trust client. The zero-trust client is configured to receive requests for IP addresses corresponding to endpoint identifiers for internet connected endpoints. The zero-trust client includes a synthetic DNS service configured to identify synthetic IP addresses for the endpoint identifiers. The zero-trust client provides the synthetic IP addresses for the endpoint identifiers to the applications. The zero-trust client sends data traffic from the applications to a zero-trust service with the synthetic IP addresses and sends corresponding endpoint identifiers to the zero-trust service in a fashion that allows the synthetic IP addresses to be correlated to the endpoint identifiers at the zero-trust service.
    Type: Grant
    Filed: January 20, 2023
    Date of Patent: March 26, 2024
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Ashish Jain, Mordhai Gendelman, Or Moran, Omer Kattan, Yair Tor, Ronen Shmuel Goldsmith, Liraz Barak
  • Patent number: 11943243
    Abstract: In an anomaly detection method that determines whether each frame in observation data constituted by a collection of frames sent and received over a communication network system is anomalous, a difference between a data distribution of a feature amount extracted from the frame in the observation data and a data distribution for a collection of frames sent and received over the communication network system, obtained at a different timing from the observation data, is calculated. A frame having a feature amount for which the difference is a predetermined value or higher is determined to be an anomalous frame. An anomaly contribution level of feature amounts extracted from the frame determined to be an anomalous frame is calculated, and an anomalous payload part, which is at least one part of the payload corresponding to the feature amount for which the anomaly contribution level is at least the predetermined value, is output.
    Type: Grant
    Filed: May 17, 2021
    Date of Patent: March 26, 2024
    Assignee: PANASONIC INTELLECTUAL PROPERTY CORPORATION OF AMERICA
    Inventors: Takamitsu Sasaki, Tomoyuki Haga, Daiki Tanaka, Makoto Yamada, Hisashi Kashima, Takeshi Kishikawa
  • Patent number: 11941110
    Abstract: Techniques for process privilege escalation protection in a computing environment are disclosed. For example, the disclosure describes a system/process/computer program product for process privilege escalation protection in a computing environment that includes monitoring a process executed on a computing device, detecting an unauthorized change in a token value associated with the process, and performing an action based on a policy (e.g., a kernel protection security policy/rule(s), which can include a whitelisted set of processes and/or configured actions/responses to perform for other/non-whitelisted processes) in response to an unauthorized change in the token value associated with the process.
    Type: Grant
    Filed: April 18, 2023
    Date of Patent: March 26, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Yaron Lavi, Eldar Aharoni, Elad Wexler
  • Patent number: 11936689
    Abstract: A method for transmitting messages on a communications network on board a vehicle between a requesting entity requesting a service instance and an offering entity offering a service instance using a Service Oriented MiddlewarE over Internet Protocol (SOME/IP) communication protocol is provided.
    Type: Grant
    Filed: April 23, 2020
    Date of Patent: March 19, 2024
    Assignees: POLITECNICO DI TORINO, ITALDESIGN-GIUGIARO S.P.A.
    Inventors: Fulvio Risso, Fulvio Valenza, Riccardo Sisto, Marco Iorio, Massimo Reineri, Alberto Buttiglieri
  • Patent number: 11936545
    Abstract: A computerized method is disclosed that includes operations of obtaining network traffic data between a source device and a destination device, performing a regularity assessment of a first metric of the network traffic data across communication sessions of the source device and the destination device over a given time period by: determining an average of the first metric for each of the communication sessions; establishing an upper bound and a lower bound for the averages of the first metric over the given time period; determining a difference between the upper bound and the lower bound; comparing the difference between the upper bound and the lower bound to a mean of the first metric for each of the communication sessions over the given time period, and determining whether beaconing transmissions are present within the network traffic data based on the regularity assessment of the first metric.
    Type: Grant
    Filed: January 11, 2022
    Date of Patent: March 19, 2024
    Assignee: Splunk Inc.
    Inventors: Stanislav Miskovic, Cui Lin
  • Patent number: 11934390
    Abstract: Knowledge graph systems are disclosed for implementing multiple approaches, including stand alone or combined approaches, for knowledge graph pruning. The approaches are based on graph sampling work such as, for example, information gain theory. The approaches are applied by a knowledge graph system to perform schema pruning, automatic graph pruning, and query correlation for improving query performance.
    Type: Grant
    Filed: August 5, 2019
    Date of Patent: March 19, 2024
    Assignee: Accenture Global Solutions Limited
    Inventors: Teresa Sheausan Tung, Colin Anil Puri, Zhijie Wang
  • Patent number: 11934495
    Abstract: A device for automatically identifying anti-analysis techniques by using the signature extraction, includes an extraction unit which extracts a DEX file and an ELF file from an application file after unpacking the application file, which is in an APK format and includes compressed execution code to be executed on Android, a detection unit which receives the acquired signature classified according to types of the signature, analytically compares the input signature with the signature stored in a database, and detects the signature used in anti-analysis techniques, and a determination unit which determines according to the detected signature what anti-analysis technique is applied to the application. According to the present invention, it is possible to enable an appropriate and quick response to damages due to malicious applications by shortening the time required for analysis and automatically recognizing the application to which the anti-analysis technique is applied.
    Type: Grant
    Filed: November 26, 2018
    Date of Patent: March 19, 2024
    Assignee: FOUNDATION OF SOONGSIL UNIVERSITY-INDUSTRY COOPERATION
    Inventors: Jeong Hyun Yi, Min Koo Kang
  • Patent number: 11936668
    Abstract: Described are techniques including a computer-implemented method of aggregating a number of authentication failures from a plurality of connection attempts for an application or a service that services a plurality of clients, where respective authentication failures are detected by evaluating encrypted packets of the plurality of connection attempts. The method further comprises determining that the number of authentication failures is greater than an upper bound number of authentication failures, where the upper bound number of authentication failures is determined by an anomalous function using the plurality of connection attempts as input, where the anomalous function is defined, at least in part, by a Chebyshev's bound and a Chernoff bound. The method further comprises generating an alert indicating a potential credential attack against the application or the service.
    Type: Grant
    Filed: August 17, 2021
    Date of Patent: March 19, 2024
    Assignee: International Business Machines Corporation
    Inventor: Leonid Rodniansky
  • Patent number: 11936682
    Abstract: In an example embodiment, a deep learning algorithm is introduced that operates directly on a raw sequence of user activity in an online network. This allows the system to scalably leverage more of the available signal hidden in the data and stop adversarial attacks more efficiently than other machine-learned models. More particularly, each specific request path is translated into a standardized token that indicates the type of the request (e.g., profile view, search, login, etc.). This eliminates the need for human curation of features. Then, the standardized request paths are standardized to integers based on the frequency of that request path across all users. This allows information about how common a given type of request is to be provided to the machine-learned model. The integer array is the activity sequence that is fed into the deep learning algorithm.
    Type: Grant
    Filed: November 23, 2021
    Date of Patent: March 19, 2024
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: James R. Verbus, Beibei Wang
  • Patent number: 11928605
    Abstract: Systems for generating attack event logs are disclosed. An example system includes a storage device for storing an event log template. The system also includes a processor to receive a selection of the event log template, and receive an attack description comprising user instructions to fabricate synthetic log entries according to a format defined in the event log template. The attack description includes variables and rules for determining values for the variables. The processor generates the attack event log by determining values that satisfy the rules and writing the values into selected fields of the event log template.
    Type: Grant
    Filed: August 6, 2019
    Date of Patent: March 12, 2024
    Assignee: International Business Machines Corporation
    Inventors: Oleg Blinder, Nitzan Peleg, Omri Soceanu
  • Patent number: 11930039
    Abstract: Devices and techniques are generally described for detection of network anomalies. In various examples, first data describing network communication between a plurality of source entities and a plurality of destination entities may be received. In some examples, respective feature data representing network communication between a respective source entity and one or more of the plurality of destination entities may be generated. In some examples, an unsupervised machine learning model may be used to determine a first number of clusters of the feature data. In various cases, a first source entity that is an outlier with respect to the first number of clusters may be determined based at least in part on the first number of clusters. The first source entity may be classified as an anomalous entity.
    Type: Grant
    Filed: November 16, 2021
    Date of Patent: March 12, 2024
    Assignee: Amazon Technologies, Inc.
    Inventors: Sarath Geethakumar, Wayne Chiang, Shravan Kumar Gopal, Yash Zalavadia
  • Patent number: 11921903
    Abstract: Data is received that characterizes artefacts associated with each of a plurality of layers of a first machine learning model. Fingerprints are then generated for each of the artefacts in the layers of the first machine learning model. These generated fingerprints collectively form a model indicator for the first machine learning model. It is then determined whether the first machine learning model is derived from another machine learning model by performing a similarity analysis between the model indicator for the first machine learning model and model indicators generated for each of a plurality of reference machine learning models each comprising a respective set of fingerprints. Data characterizing the determination can be provided to a consuming application or process. Related apparatus, systems, techniques and articles are also described.
    Type: Grant
    Filed: June 1, 2023
    Date of Patent: March 5, 2024
    Assignee: HiddenLayer, Inc.
    Inventors: David Beveridge, Andrew Davis
  • Patent number: 11921863
    Abstract: Systems and methods are disclosed herein for determining a source of leaked sensitive data (e.g., passwords, insecure coding, log information, any information that should not exist, etc.) in compiled software applications. According to some aspects, a computing device (e.g., a software analysis device, a cloud-computing device, a server, a smart device, binary file/code scanner, etc.) may receive scan pattern information and a binary file of a software application. The computing device may be configured to determine one or more executable files of the software application based on the binary file. Based on the scan pattern information and the one or more executable files, the computing device may determine location information for one or more sensitive data elements configured with the software application. The computing device may use the location information for each of the one or more sensitive data elements to determine a respective source of the sensitive data element.
    Type: Grant
    Filed: December 3, 2021
    Date of Patent: March 5, 2024
    Assignee: Capital One Services, LLC
    Inventors: Jay Goodman Tamboli, Dustin Summers, Rui Zhang
  • Patent number: 11921851
    Abstract: The presently disclosed subject matter includes an apparatus that receives a dataset with values associated with different digital resources captured from a group of compute devices. The apparatus includes a feature extractor, to generate a set of feature vectors, each feature vector from the set of feature vectors associated with a set of data included in the received dataset. The apparatus uses the set of feature vectors to validate multiple machine learning models trained to determine whether a digital resource is associated with a cyberattack. The apparatus selects at least one active machine learning model and sets the remaining trained machine learning models to operate in an inactive mode. The active machine learning model generates a signal to alert a security administrator, blocks a digital resource from loading at a compute device, or executes other remedial action, upon a determination that the digital resource is associated with a cyberattack.
    Type: Grant
    Filed: January 14, 2022
    Date of Patent: March 5, 2024
    Assignee: Musarubra US LLC
    Inventors: Sai Omkar Vashisht, Rahul Khul, Chunsheng Fang
  • Patent number: 11924048
    Abstract: A method of anomaly detection for network traffic communicated by devices via a computer network, the method including clustering a set of time series, each time series including a plurality of time windows of data corresponding to network communication characteristics for a device; training an autoencoder for each cluster based on time series in the cluster; generating a set of reconstruction errors for each autoencoder based on testing the autoencoder with data from time windows of at least a subset of the time series; generating a probabilistic model of reconstruction errors for each autoencoder; and generating an aggregation of the probabilistic models for, in use, detecting reconstruction errors for a time series of data corresponding to network communication characteristics for a device as anomalous.
    Type: Grant
    Filed: June 8, 2018
    Date of Patent: March 5, 2024
    Assignee: British Telecommunications Public Limited Company
    Inventors: Maximilien Servajean, Yipeng Cheng
  • Patent number: 11924170
    Abstract: The present invention relates to the field of networking and API/application security. In particular, the invention is directed towards methods, systems and computer program products for Application Programming Interface (API) based flow control and API based security at the application layer of the networking protocol stack. The invention additionally provides an API deception environment to protect a server backend from threats, attacks and unauthorized access.
    Type: Grant
    Filed: July 14, 2021
    Date of Patent: March 5, 2024
    Assignee: Ping Identity Corporation
    Inventors: Udayakumar Subbarayan, Bernard Harguindeguy, Anoop Krishnan Gopalakrishnan, Nagabhushana Angadi, Ashwani Kumar, Santosh Sahu, Abdu Raheem Poonthiruthi, Avinash Kumar Sahu, Yasar Kundottil
  • Patent number: 11924726
    Abstract: An in-vehicle control device includes a vehicle-side communication unit installed on a vehicle and communicating with at least an information processing device external to the vehicle, and a first processor. The first processor is configured to: receive an installation request for an application program from the information processing device; in a case in which the installation request has been received, notify the information processing device of a rule defining whether or not a communication frame received at the vehicle-side communication unit is unauthorized and of equipment information related to optional equipment of the vehicle; acquire the application program and a rule that has been updated based on the notified rule and the equipment information from the information processing device; and, in a case in which the updated rule has been acquired, update the rule to the updated rule.
    Type: Grant
    Filed: August 31, 2020
    Date of Patent: March 5, 2024
    Assignee: TOYOTA JIDOSHA KABUSHIKI KAISHA
    Inventors: Isao Watanabe, Kunihiro Miyauchi, Hiroya Andou
  • Patent number: 11924238
    Abstract: A cyber-defense appliance securely communicates and cooperates with a suite of different lightweight probes that can ingest onboard traffic from multiple different independent systems using protocols for at least one of a data link layer, a physical layer, and then one or more of an application layer, a transport layer, a network layer, and any combination of these layers when a protocol is used in that layer in the independent system. The lightweight probe ingests data and meta data with an independent system it resides within. The appliance has AI models to model a normal pattern of life in each of the independent systems using the data and/or meta data from protocols listed above. An analyzer module cooperates with the AI models that model a normal pattern of life in each of the independent systems to determine when abnormal behavior or suspicious activity is detected.
    Type: Grant
    Filed: July 29, 2020
    Date of Patent: March 5, 2024
    Assignee: Darktrace Holdings Limited
    Inventor: Simon David Lincoln Fellows
  • Patent number: 11916876
    Abstract: A method includes selecting one or more green addresses, each being a different IP address from a block of IP addresses, associating the green addresses with the IP address of the server, and receiving a packet from a client directed to an IP address of the block of IP addresses. It is determined whether the destination address matches the one or more green addresses or is a yellow address. When determined that the destination address matches the one or more green addresses, the packet is sent to the IP address associated with the matching green address, bypassing any DPI. Otherwise, the packet is sent to a scrubber to analyze the packet using DPI and handle the packet or perform a redirection of the client. The redirection causes subsequent requests from the client to be sent to the IP address associated with the green address, bypassing any DPI.
    Type: Grant
    Filed: June 1, 2023
    Date of Patent: February 27, 2024
    Assignee: Arbor Networks, Inc.
    Inventor: Brian St. Pierre
  • Patent number: 11916783
    Abstract: Embodiments of this application disclose an information reporting method, an information processing method, an apparatus, and a device. The method in embodiments of this application includes: the network device obtains a routing prefix included in local routing information, and information about a neighboring peer set corresponding to the routing prefix, and sends a local route monitoring message including the routing prefix and the information about the neighboring peer set to a first device. The neighboring peer set includes a source peer set and/or a destination peer set, the source peer set includes one or more source peers, the source peer is a peer that advertises original routing information including the routing prefix to the network device, the destination peer set includes one or more destination peers, and the destination peer is a peer to which the network device advertises destination routing information including the routing prefix.
    Type: Grant
    Filed: October 28, 2022
    Date of Patent: February 27, 2024
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Shunwan Zhuang, Ping'an Yang, Haibo Wang, Yunan Gu
  • Patent number: 11916896
    Abstract: Systems and methods are described for performing blockchain validation of user identity and authority. In various aspects, the blockchain-based validation system includes: a server communicatively coupled to a blockchain-based network; and program instructions stored in a program memory that, when executed by the server, cause the server to: receive a blockchain ID associated with a user, wherein the blockchain ID is associated with a blockchain; aggregate a plurality of blockchain transactions, the plurality of blockchain transactions including at least a blockchain transaction associated with the blockchain; establish, based on the plurality of blockchain transactions, a trust relationship between the user and a second entity; and generate a trust profile for the user and the second entity based on the trust relationship, wherein the trust profile includes a level of trust between the user and the second entity based on the plurality of blockchain transactions.
    Type: Grant
    Filed: February 17, 2022
    Date of Patent: February 27, 2024
    Assignee: STATE FARM MUTUAL AUTOMOBILE INSURANCE COMPANY
    Inventors: Brian Mark Fields, Lee Marvin John Assam
  • Patent number: 11916945
    Abstract: Methods and systems for detecting and preventing malicious software activity are presented. In one embodiment, a method is presented that includes monitoring network communications on a network. The method may also include detecting a suspect network communication associated with a suspect network activity and, in response, determining an originating machine based on the suspect network activity. The method may further suspend network communications for the originating machine. A forensics software agent may then be selected based on the suspect network activity. Then, the forensics software agent may be deployed on the originating machine. After deployment, the forensics software agent may fetch computer forensics data from the originating machine. Once the computer forensics data is fetched, a response action may be selected and executed based on said computer forensics data.
    Type: Grant
    Filed: January 28, 2022
    Date of Patent: February 27, 2024
    Assignee: CrowdStrike, Inc.
    Inventors: Eyal Karni, Sagi Sheinfeld, Yaron Zinar
  • Patent number: 11909756
    Abstract: A machine learning model is trained based at least on previous change requests, wherein each of the previous change requests are associated with a controlled management of a lifecycle of a change to an information technology environment. A security vulnerability of the information technology environment is identified. Using the trained machine learning model, a corresponding match score for each of a plurality of pending change requests is determined for the security vulnerability. An indication of whether a resolution specification for the security vulnerability is to be linked with one of the plurality of pending change requests selected based on a factor associated with its corresponding match score is received.
    Type: Grant
    Filed: August 12, 2021
    Date of Patent: February 20, 2024
    Assignee: ServiceNow, Inc.
    Inventors: Vamsi Krishna Madala, Alexander House, Brian James Waplington
  • Patent number: 11902316
    Abstract: A cybersecurity assessment system is provided for monitoring, assessing, and addressing the cybersecurity status of a target network. The cybersecurity assessment system can analyze the scan data and determine a degree to which the current status of the target network satisfies a particular cybersecurity readiness standard, and how the status changes over time. The cybersecurity assessment system can also transform large amounts of vulnerability scan data into efficient representations for use in providing interactive presentations of the vulnerabilities detected on the target network. The cybersecurity assessment system can also provide information regarding cybersecurity events in substantially real time.
    Type: Grant
    Filed: March 8, 2022
    Date of Patent: February 13, 2024
    Assignee: Cytellix Corporation
    Inventors: Brian Douglas Berger, Howard Chen Lin, Andrew Michael Fabrizio
  • Patent number: 11902127
    Abstract: In one embodiment, a device computes time series dynamics for a performance metric of a path in a network used to convey traffic for an online application. The device matches those time series dynamics to one or more dynamics categories. The device makes a determination as to whether the path in the network is anomalous, based on the one or more dynamics categories. The device provides, based on the determination, an indication that the path in the network is anomalous for display.
    Type: Grant
    Filed: November 23, 2021
    Date of Patent: February 13, 2024
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Jean-Philippe Vasseur, Sambarta Dasgupta, Vinay Kumar Kolar
  • Patent number: 11902324
    Abstract: Systems and methods are disclosed that minimize ongoing risk to an organization from user behaviors which magnify the severity of a spoofed domain. Systems and methods are provided which enable an entity and users of an entity to identify potential harmful domains, combining search, discovery, reporting, the generation of risk indicators, end-user risk assessments, and training into a security awareness system.
    Type: Grant
    Filed: April 1, 2022
    Date of Patent: February 13, 2024
    Inventors: Stu Sjouwerman, Alin Irimie, Greg Kras
  • Patent number: 11902303
    Abstract: A system configured to detect a threat activity on a network. The system including a digital device configured to detect a first order indicator of compromise on a network, detect a second order indicator of compromise on the network, generate a risk score based on correlating said first order indicator of compromise on the network with the second order indicator of compromise on said network, and generate at least one incident alert based on comparing the risk score to a threshold.
    Type: Grant
    Filed: July 29, 2022
    Date of Patent: February 13, 2024
    Assignee: Juniper Networks, Inc.
    Inventors: Fengmin Gong, Alexander Burt, Frank Jas
  • Patent number: 11902309
    Abstract: Historical time-series data can be analyzed using a probabilistic model to determine one or more distributions, including at least a normal distribution and an anomaly distribution. These distributions can be analyzed to obtain values for distribution parameters, such as mean, standard deviation, and density, as well as other statistical parameters, for use in building a forecasting model. This model can analyze the time-series data to predict or forecast actionable anomalies at one or more future points or periods in time, such as may exceed a determined anomaly threshold with at least a minimum amount of confidence. A determination can be made as to one or more actions to take in anticipation of the anomalous event, or volume of events, such as to attempt to prevent the occurrence or to be better positioned to handle the occurrence. Such forecasting or prediction can utilize both modeling and feature engineering.
    Type: Grant
    Filed: June 25, 2021
    Date of Patent: February 13, 2024
    Assignee: Amazon Technologies, Inc.
    Inventors: Vijayan Nagarajan, Lisa Harrington Waygood, Siddharth Krishnamurthy
  • Patent number: 11892926
    Abstract: Described embodiments provide systems and methods for displaying a service graph in association with a time of a detected anomaly. A device may store a plurality of snapshots of a service graph of a plurality of microservices. Each of the snapshots of the service graphs includes metrics at a respective time increment from execution of each of the plurality of microservices. The device may detect an anomaly with operation of one or more microservices of the plurality of services. The device may identify a set of snapshots of the service graph within a predetermined time period of a time of the anomaly. The device may display each of the snapshots in the set of snapshots in sequence corresponding to time increments within the predetermined time period of the time of the anomaly.
    Type: Grant
    Filed: August 3, 2022
    Date of Patent: February 6, 2024
    Inventors: Chiradeep Vittal, Abhishek Chauhan
  • Patent number: 11895147
    Abstract: A system for suspending a computing device suspected of being infected by a malicious code is configured to receive a signal to initiate a suspension procedure of the computing device. The system captures states of instructions that are being executed by a processor of the computing device, where the instructions comprise the malicious code. The system prioritizes the operation of a kill switch button over the instructions being executed by the processor. The system sends notification signals to servers managing a user account associated with a user currently logged in at the computing device, indicating that the computing device is suspected of having been infected by the malicious code. In response to sending the notification signals to the servers, the user account is suspended. The system terminates network connections of the computing device such that the computing device is disconnected from other devices.
    Type: Grant
    Filed: November 29, 2022
    Date of Patent: February 6, 2024
    Assignee: Bank of America Corporation
    Inventors: Adam B. Richman, William Thomas Stranathan, Anusha Ravulapati, Kenneth Aaron Kaye, Nikhil Harish Sanil, Alice Yali Chang, Brady Prentice Merkel
  • Patent number: 11895148
    Abstract: Techniques for detecting and mitigating Denial of Service (DoS) attacks in a distributed networking environment are disclosed. In certain embodiments, a DoS detection and mitigation system is disclosed that automatically monitors and analyzes network traffic data in a distributed networking environment using a set of pre-defined threshold criteria. The system includes capabilities for automatically invoking various mitigation techniques that take actions on malicious traffic based on the analysis and the pre-defined threshold criteria. The system includes capabilities for automatically detecting and mitigating “outbound” DoS attacks by analyzing network traffic data originating from an entity within the network to a public network (e.g., the Internet) outside the network, as well as detecting and mitigating “east-west” DoS attacks by analyzing network traffic data originating from a first entity located in a first data center of the network to a second entity located in a second data center of the network.
    Type: Grant
    Filed: September 7, 2022
    Date of Patent: February 6, 2024
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Jesse Gingold, Jaiminkumar Kantilal Patel, Karl Georg Brumund
  • Patent number: 11895124
    Abstract: There is provided a data-efficient threat detection method in a computer network. The method can include: receiving raw data related to a network node; generating local behaviour models related to the network node; generating at least one common model of normal behaviour on the basis of local behaviour models related to multiple network nodes; filtering input events by using a measure for estimating the likelihood that the input event is produced by the generated common model of normal behaviour and/or by the generated one or more local behaviour models, wherein only input events having a likelihood below a predetermined threshold of being produced by any one of the models are passed through the filtering; and processing input events passed through the filtering for generating a security related decision.
    Type: Grant
    Filed: September 23, 2020
    Date of Patent: February 6, 2024
    Assignee: F-SECURE CORPORATION
    Inventor: Matti Aksela
  • Patent number: 11895145
    Abstract: The methods and system described herein automatically generate network router access control entities (ACEs) that are used to filter internet traffic and more specifically to block malicious traffic. The rules are generated by an ACE engine that processes incoming internet packets and examines existing ACEs and a statistical profile of the captured packets to produce one or more recommended ACEs with a quantified measure of confidence. Preferably, a recommended ACE is identified in real time of the attack, and preferably selected from a library of pre-authored ACEs. It is then deployed automatically or alternatively sent to system personnel for review and confirmation.
    Type: Grant
    Filed: January 6, 2022
    Date of Patent: February 6, 2024
    Assignee: Akamai Technologies, Inc.
    Inventors: Bonita G. Lee, Christopher Bero
  • Patent number: 11895128
    Abstract: Artificial Intelligence (“AI”) apparatus and method are provided that correlate and consolidate operation of discrete vendor tools for detecting cyberthreats on a network. An AI engine may filter false positives and eliminate duplicates within cyberthreats detected by multiple vendor tools. The AI engine provides machine learning solutions to complexities associated with translating vendor-specific cyberthreats to known cyberthreats. The AI engine may ingest data generated by the multiple vendor tools. The AI engine may classify hardware devices or software applications scanned by each vendor tool. The AI engine may decommission vendor tools that provide redundant cyberthreat detection. The AI engine may display operational results on a dashboard directing cyberthreat defense teams to corroborated cyberthreats and away from false positives.
    Type: Grant
    Filed: January 15, 2021
    Date of Patent: February 6, 2024
    Assignee: Bank of America Corporation
    Inventors: Peggy J. Qualls, Ghada I. Khashab, Lori Mammoser, Ajay Jose Paul, Anthony R. Bandos, Sidy Diop
  • Patent number: 11895129
    Abstract: A device may receive a malicious file associated with a network of network devices and may identify a file type and file characteristics associated with the malicious file. The device may determine one or more rules to apply to the malicious file based on the file type and the file characteristics associated with the malicious file and may apply the one or more rules to the malicious file to generate a partial file signature for the malicious file. The device may provide the partial file signature for the malicious file to one or more of the network devices of the network. The partial file signature may cause the one or more of the network devices to block the malicious file.
    Type: Grant
    Filed: June 29, 2021
    Date of Patent: February 6, 2024
    Assignee: Juniper Networks, Inc.
    Inventors: Paul Randee Dilim Kimayong, Mounir Hahad