Abstract: A system for suspending a computing device suspected of being infected by a malicious code is configured to receive a signal to initiate a suspension procedure of the computing device. The system captures states of instructions that are being executed by a processor of the computing device, where the instructions comprise the malicious code. The system prioritizes the operation of a kill switch button over the instructions being executed by the processor. The system sends notification signals to servers managing a user account associated with a user currently logged in at the computing device, indicating that the computing device is suspected of having been infected by the malicious code. In response to sending the notification signals to the servers, the user account is suspended. The system terminates network connections of the computing device such that the computing device is disconnected from other devices.

Abstract: There is provided data-efficient threat detection method in a computer network. The method can include: receiving raw data related to a network node, generating local 5 behaviour models related to the network node; generating at least one common model of normal behaviour on the basis of local behaviour models related to multiple network nodes; filtering input events by using a measure for estimating the likelihood that the input event is produced by the generated common model of normal behaviour and/or by the generated one or more local behaviour models, wherein only input events having a 10 likelihood below a predetermined threshold of being produced by any one of the models are passed through the filtering; and processing input events passed through the filtering for generating a security related decision.

Abstract: Techniques for detecting and mitigating Denial of Service (DoS) attacks in distributed networking environment are disclosed. In certain embodiments, a DoS detection and mitigation system is disclosed that automatically monitors and analyzes network traffic data in a distributed networking environment using a set of pre-defined threshold criteria. The system includes capabilities for automatically invoking various mitigation techniques that take actions on malicious traffic based on the analysis and the pre-defined threshold criteria. The system includes capabilities for automatically detecting and mitigating “outbound” DoS attacks by analyzing network traffic data originating from an entity within the network to a public network (e.g., the Internet) outside the network as well as detect and mitigate “east-west” DoS attacks by analyzing network traffic data originating from a first entity located in a first data center of the network to a second entity located in a second data center of the network.

Abstract: The methods and system described herein automatically generate network router access control entities (ACEs) that are used to filter internet traffic and more specifically to block malicious traffic. The rules are generated by an ACE engine that processes incoming internet packets and examines existing ACEs and a statistical profile of the captured packets to produce one or more recommended ACEs with a quantified measure of confidence. Preferably, a recommended ACE is identified in real time of the attack, and preferably selected from a library of pre-authored ACEs. It is then deployed automatically or alternatively sent to system personnel for review and confirmation.

Abstract: Artificial Intelligence (“AI”) apparatus and method are provided that correlate and consolidate operation of discrete vendor tools for detecting cyberthreats on a network. An AI engine may filter false positives and eliminate duplicates within cyberthreats detected by multiple vendor tools. The AI engine provides machine learning solutions to complexities associated with translating vendor-specific cyberthreats to known cyberthreats. The AI engine may ingest data generated by the multiple vendor tools. The AI engine may classify hardware devices or software applications scanned by each vendor tool. The AI engine may decommission vendor tools that provide redundant cyberthreat detection. The AI engine may display operational results on a dashboard directing cyberthreat defense teams to corroborated cyberthreats and away from false positives.

Abstract: A device may receive a malicious file associated with a network of network devices and may identify a file type and file characteristics associated with the malicious file. The device may determine one or more rules to apply to the malicious file based on the file type and the file characteristics associated with the malicious file and may apply the one or more rules to the malicious file to generate a partial file signature for the malicious file. The device may provide the partial file signature for the malicious file to one or more of the network devices of the network. The partial file signature may cause the one or more of the network devices to block the malicious file.

Abstract: There is provided a system and a computerized method of remediating one or more operations linked to a given program running in an operating system, the method comprising: querying a stateful model to retrieve a group of entities related to the given program; terminating at least a sub set of the group of entities related to the given program; generating a remediation plan including one or more operations linked to the given program, the one or more operations being retrieved based on the group in the stateful model; and executing the remediation plan by undoing at least part of the one or more operations linked to the given program thereby restoring state of the operating system to a state prior to the given program being executed. There is further provided a computerized method of detecting malicious code related to a program in an operating system in a live environment.

Abstract: A system, method, and computer-readable medium are disclosed for performing a security operation. The security operation includes: monitoring an entity, the monitoring observing an electronically-observable data source; deriving an observable based upon the monitoring of the electronically-observable data source; identifying a security related activity, the security related activity being based upon the observable from the electronic data source; analyzing the security related activity, the analyzing the security related activity using a security risk persona; associating the security risk persona with a phase of a cyber kill chain; and, performing a security operation on the security related activity via a security system, the security operation disrupting performance of the phase of the cyber kill chain.

Abstract: Aspects of the disclosure relate to generating threat intelligence information. A computing platform may receive forensics information corresponding to message attachments. For each message attachment, the computing platform may generate a feature representation. The computing platform may input the feature representations into a neural network, which may result in a numeric representation for each message attachments. The computing platform may apply a clustering algorithm to cluster each message attachments based on the numeric representations, which may result in clustering information. The computing platform may extract, from the clustering information, one or more indicators of compromise indicating that one or more attachments corresponds to a threat campaign.

Abstract: Systems, methods, and computer-readable media for performing threat remediation through a switch fabric of a virtualized network environment. Data traffic passing into a virtualized network environment including a plurality of virtual machines running on a switch fabric is monitored. A network threat introduced through at a least a portion of the data traffic is identified at the switch fabric. One or more remedial measures are performed in the network environment based on the identification of the network threat in the virtualized network environment.

Abstract: Aspects of the present invention disclose a method, computer program product, and system for detecting a malicious process by a selected instance of an anti-malware system. The method includes one or more processors examining a process for indicators of compromise to the process. The method further includes one or more processors determining a categorization of the process based upon a result of the examination. In response to determining that the categorization of the process does not correspond to a known benevolent process and a known malicious process, the method further includes one or more processors executing the process in a secure enclave. The method further includes one or more processors collecting telemetry data from executing the process in the secure enclave. The method further includes one or more processors passing the collected telemetry data to a locally trained neural network system.

Abstract: Cryptocurrency based malware and ransomware detection systems and methods are disclosed herein. An example method includes analyzing a plurality of malware or ransomware attacks to determine cryptocurrency payment address of malware or ransomware attacks, building a malware or ransomware attack database with the cryptocurrency payment addresses of the plurality of malware or ransomware attacks, identifying a proposed cryptocurrency transaction that includes an address that is included in the malware or ransomware attack database, and denying the proposed cryptocurrency transaction.

Abstract: Adaptive normal profiles are generated at a hierarchical scope corresponding to a set of endpoints and a process. Abnormal endpoint activity is detected by verifying whether event data tracking activity on the set of endpoints conforms to the adaptive normal profiles. False positives are reduced by verifying alarms correspond to normal endpoint activity. Abnormal event data is forwarded to a causality chain identifier that identifies abnormal chains of processes for the abnormal endpoint activity. A trained threat detection model receives abnormal causality chains from the causality chain identifier and indicates a likelihood of corresponding to a malicious attack that indicates abnormal endpoint behavior.

Abstract: An enhanced threat disposition analysis technique is provided. In response to receipt of a security threat, a threat disposition score (TDS) is retrieved. The threat disposition score is generated from a machine learning scoring model that is built from information about historical security threats, including historical disposition of one or more alerts associated with the historical security threats. The system augments an alert to include the threat disposition score, optionally together with a confidence level, to generate an enriched alert. The enriched alert is then presented to the security analyst for handling directly. Depending on the TDS (and its confidence level), the analyst may be able to respond to the threat immediately, i.e., without further detailed investigation. Preferably, the machine learning model is updated continuously as the system handles security threats, thereby increasing the predictive benefit of the TDS scoring.

Abstract: Realized is a configuration that monitors a behavior of a visitor and issues an alert or performs some other action in the case where a suspicious behavior is detected. The configuration includes a data processing section configured to monitor the behavior of the visitor. The data processing section identifies the visitor, acquires profile information of the identified visitor, determines a behavior monitoring mode of the visitor on the basis of the profile information, and monitors the behavior of the visitor according to the determined behavior monitoring mode.

Abstract: Systems, methods, and software can be used to cluster software codes in a scalable manner. In some aspects, a computer-implemented method comprises: obtaining a plurality of software samples; computing one or more first hash results for each of the plurality of software samples; computing one or more second hash results for each of the plurality of software samples based on the one or more first hash results, wherein an amount of the one or more second hash results is less than an amount of the one or more first hash results; determining a similarity output based on the one or more second hash results of two of the plurality of software samples; and clustering the plurality of software samples based on the similarity output to generate one or more software sample clusters.

Abstract: Embodiments are directed toward a non-transitory processor-readable medium for providing a zero-day attack prevention cybersecurity system, including an agent and an orchestrator. The agent is configured to be installed at an endpoint within a network to be evaluated. The endpoint has a cybersecurity solution to be tested. The orchestrator is enables standardized tactics, techniques, and procedures (“TTPs”) and non-standard TTPs to be sent across the network to the endpoint. The agent is configured to limit network communication outgoing from the endpoint to predefined or selected communications while the agent is installed at the endpoint. Accordingly, the agent and the orchestrator cooperatively enable testing the cybersecurity solution of the endpoint with respect to both the standardized TTPs and the non-standard TTPs without exposing other endpoints in communication with the network to security risks posed by the standardized TTPs and the non-standard TTPs sent to the endpoint.

Abstract: A method including transmitting, by an infrastructure device, a current fingerprint associated with a first instance of a source application; receiving, by the infrastructure device, respective results associated with comparing the current fingerprint with respective verification fingerprints, which are associated with instances of the source application other than the first instance; determining, by the infrastructure device based at least in part on the respective results, a determination result indicating whether the first instance of the source application is to be utilized for transmitting a transmission packet; and transmitting, by the infrastructure device, the determination result to indicate whether the first instance of the source application is to be utilized for transmitting the transmission packet. Various other aspects are contemplated.

Abstract: A local buffer is integrated with a witness generator and a proof generator on a cryptographic processor and is separate from host memory accessed by a host processor operating with the cryptographic processor in a proving computing system. The witness generator: receives, from software program running on the host processor, compiled code of a zero-knowledge-proof (ZKP) program and specific input to the ZKP program; executes the ZKP program by way of executing the compiled code; records specific output generated from the ZKP program with the specific input, intermediate variable values, and the specific input, as a specific witness of executing the ZKP program; stores the specific witness in the local buffer. The proof generator: receives, from the software program running on the host processor, a proving key; accesses the specific witness in the local buffer; generates a specific zero-knowledge proof for executing the ZKP program with the specific input.

Abstract: A gearbox including a gear and a gutter. The gear is rotatable about a rotational axis in a rotational direction. The gear has a radial direction and an axial direction, and the gear expels oil radially outward when the gear rotates. The gutter is positioned radially outward of the gear in the radial direction of the gear to collect oil expelled by the gear when the gear rotates. The gutter includes an axial surface, a plurality of radial surfaces including a first radial surface and a second radial surface, and at least one opening to allow the oil collected in the gutter to flow therethrough. Each of the first radial surface and the second radial surface is oriented in a direction intersecting the axial surface, and the at least one opening is formed on both the axial surface and one of the first radial surface and the second radial surface.

Abstract: A method (600) for identifying malicious software includes receiving and executing a software application (210), identifying a plurality of uniform resource identifiers (220) the software application interacts with during execution of the software application, and generating a vector representation (260) for the software application using a feed-forward neural network (170) configured to receive the plurality of uniform resource identifiers as feature inputs. The method also includes determining similarity scores (262) for a pool of training applications, each similarity score associated with a corresponding training application and indicating a level of similarity between the vector representation for the software application and a respective vector representation for the corresponding training application.

Abstract: Providing an isolation system that allows analysts to analyze suspicious information in way that aids in preventing harmful information from spreading to other applications and systems on a network. A plurality of virtual containers may be used by analysts to analyze the suspicious information. The analyst may utilize a non-native application to analyze the suspicious information within the virtual container. The non-native application may be used to analyze the suspicious information in an analysis format instead of an original format for which the suspicious information, and any harmful information therein, were intended to be accessed. Additionally, the virtual containers may be accessed through the use of an API that allows an analyst to analyze the suspicious information in the virtual container without transferring information from the virtual container back to the analyst user computer system.

Abstract: Disclosed herein are systems, methods, and storage media for thwarting cyber-attacks and data theft. A computing system receives packets and compares with a configuration resource. The computing system determines that the packet does not match the configuration resource and transmits a packet to a decoy environment via an SDN switch. The decoy environment is configured to generate time-out, service unavailable, or restricted access messages. In some embodiments, the computing system determines the packet does match the configuration and transmits the packet to a production network via an SDN switch. The SDN switch is communicatively connected to the decoy environment through a first channel and communicatively connected to a production environment through a separate second channel. The computing system is further configured to create and transmit to the SDN switch, rules to manage transmitting the packet to either the decoy environment or the production environment.

Abstract: The present disclosure provides a data processing method for coping with ransomware, which encrypts data with a malicious intent and blocks an access to the data, to protect the data, and a program for executing the data processing method. In a computer apparatus that loads an application program stored in a memory onto a processor and carries out a predetermined processing according to the application program, on an operating system (OS) kernel which controls an access of the application program to hardware components of the computer apparatus, the processor reads the data stored in the memory, performs the predetermined processing at the request of the application program, determines whether a ransomware attack occurred for the data before storing the processed data back to the memory, and stores the processed data to the memory according to a determination result, thereby preventing the damage caused by the ransomware attack.

Abstract: Logic may assign a customer identification to a model to associate a first customer with the model to detect fraudulent transactions. Logic may determine one or more clusters to associate with the first customer based on characteristics associated with the first customer. Logic may associate one or more cluster identifications with the first customer. Each cluster identification may identify one cluster of the one or more clusters. Each cluster may identify a group of customers based on characteristics associated with the group of customers. Logic may cause the model to transmit to a customer device associated with the first customer. Logic may receive transaction data for a transaction for one customer of the group of customers associated with a first cluster. And logic may communicate modified transaction data to customer devices of more than one customer of the group of customers associated with the first cluster.

Abstract: A method of detecting a malicious node in a bus network system includes pre-storing, by a receiving node, autocorrelation characteristics and node identifiers for each signal received from nodes excluding than the receiving node in a bus network system, receiving, by the receiving node, a target signal from any one of the nodes, generating, by the receiving node, an autocorrelation characteristic of the target signal, searching for an autocorrelation characteristic, which is identical to the autocorrelation characteristic of the target signal or similar to the autocorrelation characteristic of the target signal by a reference level or more, among the autocorrelation characteristics of each of the signals stored by the receiving node, determining, by the receiving node, whether a first node identifier matching the searched autocorrelation characteristic and a second node identifier extracted from a packet transmitted to the target signal are the same.

Abstract: A security framework for life-critical and safety-critical devices, specifically medical devices, using: a) runtime, adaptive methods that dynamically assess the risk of newly discovered vulnerabilities and threats, and b) automatic mitigation methods that reduce system risk by seamlessly reconfiguring the device to operate within different execution modes. This technology automatically isolates threats by disabling affected system components. A multi-modal software design uses adaptive software in which operational modes have monotonically decreasing cumulative risk. Formal risk models are used to model the individual risk of accessing or controlling system components and to automatically calculate the cumulative risk of software modes. The automated detection of potential threats by the system or reporting of known vulnerabilities will dynamically change the system risk.

Abstract: Techniques for identifying attack behavior based on scripting language activity are disclosed. A security monitoring system generates a behavior profile for a first client device based on scripting language commands included in a first set of raw machine data received from the first client device, where the first client device is coupled to a network, and the first set of raw machine data is associated with network traffic received by or transmitted from the first client device. The security monitoring system analyzes a second set of raw machine data received from the first client device, where the second set of raw machine data is associated with subsequent network traffic received by or transmitted from the first client device. The security monitoring system detects an anomaly in the second set of raw machine data based on the behavior profile, and initiates a mitigation action in response to detecting the anomaly.

Abstract: Applications on a device are assigned scores based on their attributes, update status, and source. A device is a assigned a score based on its attributes and the scores of applications installed thereon. the device score may be combined with an evaluation of user behavior to obtain a user score. The scores may be used to invoke security actions with respect to data and services of an enterprise. Security reports for a network environment may be modified such that the severity of threats accounts for policies and attributes of the environment. Security of a device may be evaluated locally, including the training of a model to identify anomalous authentication or usage behavior. Security of a device may be reduced to a score lacking personal information that may be used by a server to select access controls for a device.

Abstract: An unauthorized message in an in-vehicle network is more accurately detected. A detection device includes: a monitoring unit configured to monitor, as target messages, an authorized message being periodically transmitted and the unauthorized message in the in-vehicle network, and monitor a reference message being periodically transmitted; a calculation unit configured to, based on a monitoring result of the monitoring unit, calculate a time difference between a time corresponding to a transmission time of the target message and a time corresponding to a transmission time of the reference message; and a detection unit configured to, based on the time difference calculated by the calculation unit, perform a detection process of detecting the unauthorized message.

Abstract: Embodiments described herein provide techniques to manage drivers in a user space in a data processing system. One embodiment provides a data processing system configured perform operations, comprising discovering a hardware device communicatively coupled to the communication bus, launching a user space driver daemon, establishing an inter-process communication (IPC) link between a first proxy interface for the user space driver daemon and a second proxy interface for a server process in a kernel space, receiving, at the first proxy interface, an access right to enable access to a memory buffer in the kernel space, and relaying an access request for the memory buffer from the user space driver daemon via a third-party proxy interface to enable the user space driver daemon to access the memory buffer, the access request based on the access right.

Abstract: A computer-implemented method, computer program product and computing system for: a computer-implemented method is executed on a computing device and includes: obtaining object information concerning one or more initial objects within a computing platform in response to a security event; identifying an event type for the security event; and executing a response script based, at least in part, upon the event type.

Abstract: A webshell detection method and apparatus are provided. The apparatus obtains first web traffic of a protected host; generates a web page visit record of the protected host based on the first web traffic, where the web page visit record is used to save at least one uniform resource locator (URL), an IP address visiting each URL, and a total quantity of visits to each URL; determines a suspicious URL from the at least one URL based on the web page visit record, where a total quantity of visits to the suspicious URL is less than a first threshold, and a ratio of a quantity of different IP addresses visiting the suspicious URL to the total quantity of visits to the suspicious URL is less than a second threshold; and determines whether a web page identified by the suspicious URL contains a webshell signature.

Abstract: In an embodiment, the disclosed technologies monitor electronic message traffic between a network and a recipient computer system. An embodiment includes obtaining, from an electronic message received from the network, a triple of a display name, email address, and sending domain, determining a name score for triple, and determining characteristics of the electronic message. The name score of the triple and the characteristics of the electronic message may be used to determine whether the electronic message is a spoofing attack such as a business email compromise (BEC) attack. In response to determining that the electronic message is malicious, an embodiment may cause the network to at least one of modify, delay, re-route, or block transmission of the electronic message to the recipient computer system.

Abstract: A system and a method are disclosed for determining that a first electronic communication, received in a first private repository of a user, has been identified (e.g., flagged) as including a threat, and determining a probability that the first electronic communication includes the threat. In response to determining that the probability exceeds a threshold probability, the system monitors monitoring for a second electronic communication, received in a second private repository, that includes contents that match the contents of the first electronic communication.

Abstract: A computerized method for analyzing an object is disclosed. The computerized method includes obtaining, by a cybersecurity system, an object and context information generated during a first malware analysis of the object conducted prior to obtaining the object. Thereafter, the cybersecurity system performs a second malware analysis of the object to determine a verdict indicating maliciousness of the object. The scrutiny of the second malware analysis is adjusted based, at least in part, the context information, which may include (i) activating additional or different monitors, (ii) adjusting thresholds for determining maliciousness, or (iii) applying a modified rule set during the second malware analysis based on the context information.

Abstract: Disclosed herein are methods, systems, and processes for context-based identification of anomalous log data. Log data with multiple original logs is received at an anomalous log data identification system. A context associated training dataset is generated by splitting a string in a log into multiple split strings, generating a context association between each split string and a unique key that corresponds to the log, and generating an input/output (I/O) string data batch that includes I/O string data for each split string in the log by training each split string against every other split string in the log. A context-based anomalous log data identification model is then trained according to a machine learning technique using the I/O string data batch that includes a list of unique strings in the context associated training dataset.

Abstract: Example methods and systems for correlation-based security threat analysis are described. In one example, a computer system may obtain event information that is generated by monitoring a virtualized computing instance supported by a host; and network alert information that is generated by monitoring network traffic associated with the virtualized computing instance. The network alert information may specify security threat signature(s) detected based on the network traffic. The computer system may map the network alert information to threat information that specifies indicator(s) of compromise associated with the signature(s) and perform a correlation analysis based on the event information, network alert information and threat information. Based on the correlation analysis, it is determined whether there is a potential security threat associated with the virtualized computing instance.

Abstract: Some examples relate generally to managing and storing data, and more specifically to the real-time detection of ransomware, system (or insider) threats, or the misappropriation of credentials by using file system audit events.

Abstract: Techniques are disclosed for building a dictionary of words from combinations of symbols generated based on input data. A neuro-linguistic behavior recognition system includes a neuro-linguistic module that generates a linguistic model that describes data input from a source (e.g., video data, SCADA data, etc.). To generate words for the linguistic model, a lexical analyzer component in the neuro-linguistic module receives a stream of symbols, each symbol generated based on an ordered stream of normalized vectors generated from input data. The lexical analyzer component determines words from combinations of the symbols based on a hierarchical learning model having one or more levels. Each level indicates a length of the words to be identified at that level. Statistics are evaluated for the words identified at each level. The lexical analyzer component identifies one or more of the words having statistical significance.

Abstract: A server interacts with a bot detection service to provide bot detection as a requesting client interacts with the server. In an asynchronous mode, the server injects into a page a data collection script configured to record interactions at the requesting client, to collect sensor data about the interactions, and to send the collected sensor data to the server. After the client receives the page, the sensor data is collected and forwarded to the server through a series of posts. The server forwards the posts to the detection service. During this data collection, the server also may receive a request from the client for a protected endpoint. When this occurs, and in a synchronous mode, the server issues a query to the detection service to obtain a threat score based in part on the collected sensor data that has been received and forwarded by the server. Based on the threat score returned, the server then determines whether the request for the endpoint should be forwarded onward for handling.

Abstract: A method and a system for identifying indicators of compromise are provided. The method comprises: obtaining a given malware carrier configured for execution a main malware module; generating, based on the given malware carrier, an attack roadmap, the attack roadmap including a plurality of malware carriers; determining a malware class of each one of the plurality of malware carriers; generating a current list of indicators of compromise of each of the plurality of malware carriers; searching a database to locate at least one stored attack roadmap including a plurality of stored malware carriers; retrieving from the database a stored list of indicators of compromise for each of the plurality of stored malware carriers; generating an amalgamated list of indicators of compromise based on the current list of indicators and the stored digital list of indicators of compromise; storing, in the database, the amalgamated list of indicators of compromise.

Abstract: Systems, methods, and related technologies for profiling an entity and classifying an entity based on a profile are described. In certain aspects, accessing data associated with one or more communications of an entity is accessed and one or more behaviors based on the data associated with the one or more communications of the entity are determined. One or more sequences of the one or more behaviors of the entity are determined and a profile is determined based on the one or more sequences of the one or more behaviors, wherein the profile comprises a classification of the entity. The profile may then be stored.

Abstract: A system and method for determining device attributes using a classifier hierarchy. The method includes: determining at least one exploitation condition for a manufacturing device based on at least one first device attribute of the manufacturing device and a plurality of second device attributes indicated in a vulnerabilities database, wherein the vulnerabilities database further indicates a plurality of known exploits for the plurality of second device attributes; analyzing behavior and configuration of the medical device to detect an exploitable vulnerability for the manufacturing device, wherein the exploitable vulnerability is a behavior or configuration of the manufacturing device which meets the at least one exploitation condition; and performing at least one mitigation action based on the exploitable vulnerability.

Abstract: The technology disclosed relates to a method, system, and non-transitory computer-readable media that classifies cloud traffic between a client and cloud application as malicious command and control (C2) cloud traffic or benign cloud traffic. A cloud traffic classifier, in communication with a network security system, is provided intercepted cloud traffic as an input, and generate an output that classifies the cloud traffic as malicious command and control (C2) cloud traffic or benign cloud traffic. The classifier may use signals such as beaconing behavior, anomalous entity, anomalous agent, anomalous username, anomalous username, anomalous agent, cat's paw behavior of the client, anomalous hostname access patterns, and/or malicious task sequence execution.

Abstract: Systems and methods are described herein for providing a telecommunications network, such as a wireless network, LTE (Long Term Evolution) network, and so on, with blockchain nodes, agents, or sub-nodes. The blockchain nodes enable network components to access and maintain a blockchain for the network, such as a distributed ledger that tracks actions, activities, or other transaction associated with the telecommunications network.

Abstract: A cyber security appliance has one or more modules to interact with entities in an operational technology network and potentially in an informational technology network. The operational technology module can reference various machine-learning models trained on a normal pattern of life of users, devices, and/or controllers of the operational technology network. A comparator module cooperates with the operational technology module to compare the received data on the operational technology network to the normal pattern of life of any of the users, devices, and controllers to detect anomalies in the normal pattern of life for these entities in order to detect a cyber threat. An autonomous response module can be programmed to respond to counter the detected cyber threat.

Abstract: Systems and methods for providing an integrated or Smart NIC-based hardware accelerator for a network security device to facilitate identification and mitigation of DoS attacks is provided. According to one embodiment, a processor of a network security device receives an application layer protocol request from a client, directed to a domain hosted by various servers and protected by the network security device. The application layer protocol request is parsed to extract a domain name and a path string. The hardware acceleration sub-system updates rate-based counters based on the application layer protocol request by performing a longest prefix match on the domain name and the path string. When a rate threshold associated with the rate-based counters is exceeded, a challenge message is created and transmitted to the client, having embedded therein the application layer protocol request; otherwise the application layer protocol request is allowed to pass through the network security device.

Abstract: A cyber security system includes a plurality of event sensors to detect events, a plurality of inference servers, and a server in communication with the plurality of inference servers. Each inference server of the plurality is in communication with a subset of event sensors of the plurality of event sensors. Each inference server has a portion of an event lattice and is to compare the event detected by the subset of event sensors to the event lattice. Each inference server is to identify an originator having a behavior pattern indicative of an attack and communicating an identifier associated with the originator. The server is to provide an interface indicating the behavior pattern indicative of an attack and the identifier of the originator.

Abstract: Disclosed herein are methods and systems for detecting malicious files by a user computer. For example, in one aspect, the method comprises registering application programming interface (API) calls made by a file during an execution of the file on the user computer in a local call log, the local call log comprising control flow graphs of processes launched from the file, searching for a rule that matches behavioral rules a local database, when the behavioral rules are found, determining the file is malicious and halting execution of the file on the user computer, otherwise, transmitting the local call log to a remote server, receiving a verdict, when the verdict indicates the file is malicious, receiving a virus signature corresponding to the verdict, and updating the local call log based on the verdict and virus signature, wherein the updating enables detection of subsequently received malicious files.