Intrusion Detection Patents (Class 726/23)
  • Patent number: 11483328
    Abstract: In various implementations, a security management and control system for monitoring and management of security for cloud services can include automated techniques for identifying the privileged users of a given cloud service. In various examples, the security management and control system can obtain activity logs from the cloud service, where the activity logs record actions performed by users of an organization in using the cloud service. In various examples, the security management and control system can identify actions in the activity logs that are privileged with respect to the cloud service. In these and other examples, the security management and control system can use the actions in the activity log to identify privileged users. Once the privileged users are identified, the security management and control system can monitor the privileged users with a higher degree of scrutiny.
    Type: Grant
    Filed: June 29, 2020
    Date of Patent: October 25, 2022
    Assignee: Oracle International Corporation
    Inventors: Ganesh Kirti, Kamalendu Biswas, Merenne Sumedha Nalin Perera
  • Patent number: 11479243
    Abstract: According to one aspect, uncertainty prediction based deep learning may include receiving, using a memory, a trained neural network policy π trained based on a first dataset in a first environment, implementing, via a controller, the trained neural network policy π in a second environment by receiving an input and generating an output y, calculating an uncertainty array U[T] for a time window T, wherein the uncertainty array is indicative of a level of uncertainty associated with an output sample distribution of the output across the time window T based on a temporal divergence, an entropy H, a variational ratio VR, and a standard deviation SD of the output y, and executing, via the controller and one or more systems, an action based on the uncertainty array U[T], such as discontinuing use of the trained neural network policy π.
    Type: Grant
    Filed: July 11, 2019
    Date of Patent: October 25, 2022
    Assignee: HONDA MOTOR CO., LTD.
    Inventors: Yuchen Cui, David Francis Isele, Kikuo Fujimura
  • Patent number: 11483326
    Abstract: Adaptive normal profiles are generated at a hierarchical scope corresponding to a set of endpoints and a process. Abnormal endpoint activity is detected by verifying whether event data tracking activity on the set of endpoints conforms to the adaptive normal profiles. False positives are reduced by verifying alarms correspond to normal endpoint activity. Abnormal event data is forwarded to a causality chain identifier that identifies abnormal chains of processes for the abnormal endpoint activity. A trained threat detection model receives abnormal causality chains from the causality chain identifier and indicates a likelihood of corresponding to a malicious attack that indicates abnormal endpoint behavior.
    Type: Grant
    Filed: August 30, 2019
    Date of Patent: October 25, 2022
    Assignee: Palo Alto Networks, Inc.
    Inventors: Shai Meir, Dany Cohen, Arkady Miasnikov, Ohad Ohayon
  • Patent number: 11481475
    Abstract: Systems and methods enable automated and scalable obfuscation detection in programming scripts, including processing devices that receive software programming scripts and a symbol set. The processing devices determine a frequency of each symbol and an average frequency of the symbols in the script text. The processing devices determine a normal score of each symbol based on the frequency of each symbol and the average frequency to create a symbol feature for each symbol including the normal score. The processing devices utilize an obfuscation machine learning model including a classifier for binary obfuscation classification to detect obfuscation in the script based on the symbol features. The processing devices cause to display an alert indicating an obfuscated software programming script on a screen of a computing device associated with an administrative user to recommend security analysis of the software programming script based on the binary obfuscation classification.
    Type: Grant
    Filed: November 3, 2020
    Date of Patent: October 25, 2022
    Assignee: Capital One Services, LLC
    Inventors: Baharak Saberidokht, Farshid Marbouti, Stephen Fletcher
  • Patent number: 11477652
    Abstract: The system and methods described herein aid in the defense of unmanned vehicles, such as aerial vehicles, from wifi cyber attacks. Such attacks usually do not last long and, in the case of many point-to-point command and control systems, the attacks originate from close proximity to the unmanned vehicle. The system and methods described herein allow a team to rapidly identify and physically respond to an adversary trying to take control of the unmanned vehicle. Another aspect of the embodiment taught herein is to allow for the location of a wifi signal in a hands-free manner by being able to visualize the source of the signal using an augmented reality display coupled to an antenna array.
    Type: Grant
    Filed: November 25, 2019
    Date of Patent: October 18, 2022
    Assignee: United States of America as represented by the Secretary of the Navy
    Inventors: Mark Bilinski, Gerald Thomas Burnette, Fred William Greene, Garrison Buckminster Price
  • Patent number: 11477223
    Abstract: Methods and systems for the detection, identification, and analysis of cybersecurity events in order to support prevention of the persistence of threats, malware or other harmful events are provided. The methods and systems of the present invention enable a user to find similar anomalous network traffic within a single network or across multiple networks. The methods and systems identify and correlate activity in order to analyze potential threats within a network by providing broader contextual information about how those threats relate to other activity within the network or across a sector or country.
    Type: Grant
    Filed: January 15, 2020
    Date of Patent: October 18, 2022
    Assignee: IronNet Cybersecurity, Inc.
    Inventors: Michael Lowney, Phillip Baker Schafer, Alexander Michael Conn, Patrick Collard, Stephen Kinser
  • Patent number: 11475368
    Abstract: Systems and methods include training a machine learning model with data for identifying features in monitored traffic in a network; analyzing the trained machine learning model to identify information overhead therein, wherein the information overhead is utilized in part for the training; removing the information overhead in the machine learning model; and providing the machine learning model for runtime use for identifying the features in the monitored traffic, with the removed information overhead from the machine learning model.
    Type: Grant
    Filed: September 18, 2020
    Date of Patent: October 18, 2022
    Assignee: Zscaler, Inc.
    Inventors: Rex Shang, Dianhuan Lin, Changsha Ma, Douglas A. Koch, Shashank Gupta, Parnit Sainion, Visvanathan Thothathri, Narinder Paul, Howie Xu
  • Patent number: 11477667
    Abstract: An alert that is generated by a first orchestrator associated with a first subsystem or received from one or more distributed orchestrators that are associated with one or more corresponding subsystems is analyzed. The alert is triggered by a change in behavior determined by a behavioral analysis algorithm associated with the first orchestrator or corresponding behavior analysis algorithms associated with the one or more distributed orchestrators. It is determined whether an alert is indicative of a false positive based on an objective associated with the first orchestrator, an algorithm associated with the first orchestrator and one or more constraints associated with the first orchestrator. The alert is filtered in response to determining that the alert is indicative of the false positive.
    Type: Grant
    Filed: June 10, 2020
    Date of Patent: October 18, 2022
    Inventor: Mark Cummings
  • Patent number: 11477195
    Abstract: The present invention discloses a network connection managing system comprising one or more information devices, a network node data verifying device and a network node connection managing device. The information device is a network node installed with a mobile network card such that a MAC address of the mobile network card and network node identifying data of the network node are transmitted to the network node data verification device by a data reporting software, and are then compared by the network node data verifying device. The network node connection managing device is connected to the network node data verifying device and blocks a network connection for the network node according to a comparison result.
    Type: Grant
    Filed: October 22, 2020
    Date of Patent: October 18, 2022
    Assignee: UPAS CORPORATION
    Inventor: Kun-Jung Lee
  • Patent number: 11477168
    Abstract: To dynamically determine and apply WAF protections for an application deployed to the cloud, exposed entities are identified. The identified entities are further evaluated to determine whether the application is eligible for WAF protection based on whether the application uses a protocol that is compatible with WAF protection. If the application is eligible for WAF protection, after instantiating a WAF, WAF protections that should be enabled or disabled are determined based on characteristics of the application that are identified at runtime. The WAF can then be configured based on the identified protections such that those which are pertinent to the application will be enabled, while those which are not applicable to the application and thus will not be used are disabled. As a result, security provided by the WAF for a cloud application is tailored to the application based on information about the application gathered in the cloud deployment environment.
    Type: Grant
    Filed: December 30, 2021
    Date of Patent: October 18, 2022
    Assignee: Palo Alto Networks, Inc.
    Inventors: Liron Levin, Isaac Schnitzer, Elad Shuster, Ory Segal
  • Patent number: 11477202
    Abstract: In order to identify an unknown IoT device type, behavioral or statistical data of the device is collected and analyzed. A functional group may be created using behavioral data of devices of a known type. A behavior profile for the functional group may be generated and stored in a database. The behavioral data of the device of an unknown type is compared to the behavior profile of the functional group. When the similarity of the behavioral data of the device of an unknown type and the behavior profile exceeds a predetermined or configurable threshold, a device type associated with the functional group can be assigned to the device of a previously unknown type.
    Type: Grant
    Filed: December 28, 2017
    Date of Patent: October 18, 2022
    Assignee: Avast Software s.r.o.
    Inventors: Jeroen De Knijf, David Makovsky
  • Patent number: 11475672
    Abstract: A technique is introduced for utilizing data associated with a monitored premises to determine a likelihood of a crime, or other activity, occurring at the premises. In an example embodiment, premises data is received from one or more sources including sensor devices located at the premises and other data sources including third-party databases. The premises data is processed using a machine learning model, such as an artificial neural network, to generate a risk score that is indicative of the likelihood of a crime occurring at the premises in real-time or in the future. The introduced technique for risk evaluation can be implemented in conjunction with a premises security system, for example, to route alarms generated by monitoring devices located at the premises.
    Type: Grant
    Filed: July 12, 2019
    Date of Patent: October 18, 2022
    Assignee: Stealth Monitoring, Inc.
    Inventors: Colin Bodbyl, Jason Penny, David Del Giudice
  • Patent number: 11477225
    Abstract: A method of computer security for a host computer system in communication with remote computer systems includes generating an attack map modelling individual events leading to an exploitation of the host computer system by collecting a log of each of a plurality of attack events occurring at the host, using stacked autoencoders to extract features from the log event in each attack, and generating a directed graph representation based on each of the extracted features. The method further includes determining a subset of nodes in the attack map corresponding to events in one or more attacks, determining a component of the host computer system involved in each attack event represented by each of the nodes in the subset, and deploying one or more security facilities at each of the determined components of the host computer system so as to mitigate attacks according to each of the attack patterns.
    Type: Grant
    Filed: March 18, 2020
    Date of Patent: October 18, 2022
    Assignee: British Telecommunications Public Limited Company
    Inventors: Ian Herwono, Fadi El-Moussa
  • Patent number: 11470064
    Abstract: Aspects of the disclosure relate to a data integrity system for transmission of data. A computing platform may detect transmission of data to a second enterprise computing device, and may intercept the data content in transmission. Then, the computing platform may convert the data content to an electronic file in a standardized textual format. Then, the computing platform may add an alert message to a message queue indicating that the electronic file is available for processing. Subsequently, the computing platform may cause one or more content processors to process the electronic file to identify a portion of the data content for review prior to transmission, and output a notification message to the message queue providing information related to the identified portion. Then, the computing platform may modify the data content, generate a link to the modified data content, and provide the generated link to the second enterprise computing device.
    Type: Grant
    Filed: February 18, 2020
    Date of Patent: October 11, 2022
    Assignee: Bank of America Corporation
    Inventors: Joseph Thomas Lally, Matthew K. Bryant, Patrick Wallace Mencias Lewis, Jonathan P. Gaghan, Philip Lone Mintac
  • Patent number: 11468166
    Abstract: The invention relates to an embedded system on board an aircraft for detection and response to incidents with log recording, the aircraft comprising a calculator comprising applications using and generating data and being configured to detect events based on these data and predefined information specifying these events. The system comprises, for the calculator, an agent and a collector. The agent is an application component dedicated to an identified application and is configured to apply an incident detection logic to the detected events in order to detect at least one incident and to send to the collector, through detection messages, each detected incident according to a configurable transmission logic. The collector is configured to receive the messages and to apply, to the messages, a configurable recording logic of the messages in one or several log(s).
    Type: Grant
    Filed: March 26, 2020
    Date of Patent: October 11, 2022
    Assignee: THALES
    Inventors: Caroline Dominique Riviere, Gilles Descargues, Véronique Nathalie Feyt
  • Patent number: 11470114
    Abstract: A method for using a malware and phishing detection and mediation platform is discussed. The method includes accessing data from one or more of a monitored portion of website data and a monitored portion of emails, the data indicating a respective potential malware or a suspect phishing element (e.g., Uniform Resource Locator (URL)). The method includes selecting one of a plurality of detection engines for processing the data, where the selecting is based on previous results of previous processing by one or more detection engines. Each of the plurality of detection engines can be for performing one or more respective investigation actions on the plurality of data to determine a particular issue with one of the monitored data. The method also includes determining a mediation action based on a result of processing of the detection engine and the previous processing.
    Type: Grant
    Filed: December 27, 2019
    Date of Patent: October 11, 2022
    Assignee: PAYPAL, INC.
    Inventors: Nathan Pratt, Bradley Wardman, Kevin Tyers, Eric Nunes, Meethil Vijay Yadav, Todd Clausen, Nicholas Bailey
  • Patent number: 11470115
    Abstract: A system includes one or more “BotMagnet” modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosting operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements a service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. Credentials for services implemented by a BotSink may be planted in an active directory (AD) server. The BotSink periodically uses the credentials thereby creating log entries indicating use thereof. When an attacker accesses the services using the credentials, the BotSink engages and monitors an attacker system and may generate an alert. Decoy services may be assigned to a domain and associated with names according to a naming convention of the domain.
    Type: Grant
    Filed: February 9, 2018
    Date of Patent: October 11, 2022
    Assignee: Attivo Networks, Inc.
    Inventors: Venu Vissamsetty, Nitin Jyoti, Pavan Patel, Prashanth Srinivas Mysore
  • Patent number: 11470112
    Abstract: Techniques for detecting and mitigating Denial of Service (DoS) attacks in distributed networking environment are disclosed. In certain embodiments, a DoS detection and mitigation system is disclosed that automatically monitors and analyzes network traffic data in a distributed networking environment using a set of pre-defined threshold criteria. The system includes capabilities for automatically invoking various mitigation techniques that take actions on malicious traffic based on the analysis and the pre-defined threshold criteria. The system includes capabilities for automatically detecting and mitigating “outbound” DoS attacks by analyzing network traffic data originating from an entity within the network to a public network (e.g., the Internet) outside the network as well as detect and mitigate “east-west” DoS attacks by analyzing network traffic data originating from a first entity located in a first data center of the network to a second entity located in a second data center of the network.
    Type: Grant
    Filed: November 30, 2020
    Date of Patent: October 11, 2022
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Jesse Gingold, Jaiminkumar Kantilal Patel, Karl Georg Brumund
  • Patent number: 11461497
    Abstract: An electronic communication security system is typically configured for receiving historical data from one or more data sources, wherein the historical data comprises at least one of exposure data associated with one or more exposures, user data associated with one or more users, and resource entity data associated with one or more resource entities, storing the historical data in a historical database, analyzing, using one or more machine learning models, the historical data associated with the one or more exposures, the one or more users and the one or more resource entities, and generating, using the one or more machine learning models, an output associated with each of the one or more resource entities based on analyzing the historical data associated with the one or more resource entities, wherein the output comprises an exposure rating associated with the one or more resource entities.
    Type: Grant
    Filed: August 12, 2019
    Date of Patent: October 4, 2022
    Assignee: BANK OF AMERICA CORPORATION
    Inventor: Eren Kursun
  • Patent number: 11461728
    Abstract: An abstraction system for generating a standard customer profile in a data processing system has a processing device and a memory. The abstraction system may receive customer data from a computing device over a network, perform unsupervised learning on the customer data to produce a plurality of clusters of customers with a plurality of features in common, and determine that a cluster represents a standard customer, and store a plurality of standard customer profiles based on the determined standard customers, wherein the standard customer profiles comprise a plurality of data distributions for the plurality of features in common. The abstraction system additionally provides the standard customer profiles and the additional standard customer profiles to a cognitive system for generating synthetic transaction data.
    Type: Grant
    Filed: November 5, 2019
    Date of Patent: October 4, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Brandon Harris, Eugene I. Kelton, Chaz Vollmer
  • Patent number: 11463474
    Abstract: The invention relates to a method for defending against a Denial of Service attack, the method comprises: monitoring data traffic; detecting that at least one source computer is involved in a Denial of Service attack; in response to the detection generating at least one data frame by modifying at least one data frame obtained from the data traffic transmitted from the at least one source computer so that a plurality of data fields representing address information of the host server as a source of the at least one generated data frame are set to correspond to address information of the at least one source computer; transmitting the generated data frame to the source computer. The invention relates also to a network device and a computer program product.
    Type: Grant
    Filed: June 7, 2017
    Date of Patent: October 4, 2022
    Assignee: AIRO FINLAND OY
    Inventor: Jarmo Tapio Rouvinen
  • Patent number: 11463472
    Abstract: A method for detecting malicious program behavior includes performing program verification based on system activity data, analyzing unverified program data identified from the program verification to detect abnormal events, including analyzing host-level events to detect abnormal host-level events by learning a program representation as a graph embedding through an attentional architecture based on an invariant graph between different system entities, generating detection results based on the analysis, and performing at least one corrective action based on the detection results.
    Type: Grant
    Filed: October 15, 2019
    Date of Patent: October 4, 2022
    Inventors: Zhengzhang Chen, Ding Li, Zhichun Li, Shen Wang
  • Patent number: 11461462
    Abstract: The disclosed computer-implemented method for producing adjustments to malware-detecting services may include (1) receiving, from a plurality of malware-detecting services executing on a plurality of client computing devices, a respective plurality of probability scores with corresponding model identifiers for an analyzed file and a plurality of respective identifiers describing the malware-detecting services, (2) building a training dataset from at least a portion of the received plurality of probability scores with corresponding model identifiers, and (3) performing a security action including (A) training, with the training dataset, a malware-detecting linear regression ensemble machine learning model that is specific to an identifier in the plurality of identifiers and (B) sending the trained linear regression ensemble machine learning model to one of the plurality of malware-detecting services executing on one of the client computing devices.
    Type: Grant
    Filed: September 21, 2018
    Date of Patent: October 4, 2022
    Assignee: CA, Inc.
    Inventors: Qichao Lan, Junda Zhu, Shaolong Shu, Tao Cheng, Rudy Senstad
  • Patent number: 11463882
    Abstract: Methods, systems and computer readable media for rogue access point detection are described.
    Type: Grant
    Filed: April 14, 2020
    Date of Patent: October 4, 2022
    Assignee: Sophos Limited
    Inventors: Anil Kaushik, Andrew J. Thomas, Shail Talati, Dirk Bolte
  • Patent number: 11455551
    Abstract: An identification of an item that was misclassified by a classification model constructed in accordance with a machine learning technique is received. One example of such a machine learning technique is a random forest. A subset of training data, previously used to construct the model, and that is associated with the misclassified item is identified. At least a portion of the identified subset is provided as output.
    Type: Grant
    Filed: March 18, 2019
    Date of Patent: September 27, 2022
    Assignee: Palo Alto Networks, Inc.
    Inventors: William Redington Hewlett, II, Seokkyung Chung, Lin Xu
  • Patent number: 11457012
    Abstract: An authentication system determines a risk level for a client device impersonating a client device enrolled in authentication services by comparing device metadata for the impersonating client device to device metadata for the enrolled client device. As part of enrolling the enrolled client device, the authentication system associates one or more authentication credentials with the enrolled client device. In order to authenticate access requests associated with a client device identified as the enrolled client device, the authentication system obtains an authentication token from the client device generated using the authentication credentials and also obtains device metadata corresponding to the client device. Based on the device metadata comparison during authentication, the authentication system detects device metadata anomalies and uses detected device metadata anomalies to determine a risk level for the client device.
    Type: Grant
    Filed: November 3, 2020
    Date of Patent: September 27, 2022
    Assignee: Okta, Inc.
    Inventor: Stephen Woodward Lind
  • Patent number: 11457361
    Abstract: A method to prevent or reduce cyberattacks can include analyzing information of users of a 5G network. The information can include user profile data and social media data. The method can further include ranking the users according to a network security ranking based on a social media ranking, to identify target users as potential hotspots for cyberattacks. The 5G network dynamically assigns computing resources based on the network security ranking to monitor computing device(s) associated with the target users and receives an indication of a malicious software of the computing device(s) as detected by the computing resources.
    Type: Grant
    Filed: August 31, 2020
    Date of Patent: September 27, 2022
    Assignee: T-Mobile USA, Inc.
    Inventor: Venson Shaw
  • Patent number: 11457026
    Abstract: Network-based, unsupervised classifiers are provided. The classifiers identify both known and unknown attacks aimed at industrial networks without the need to have a priori knowledge of known malicious attack patterns.
    Type: Grant
    Filed: September 23, 2019
    Date of Patent: September 27, 2022
    Inventors: Randeep Bhatia, Bhawna Gupta, Steven Benno, Jairo Esteban, T. V. Lakshman
  • Patent number: 11451585
    Abstract: A network device may receive, from a first network, one or more fragments of a first network packet of a first network packet type, where the first network packet encapsulates a second network packet of a second network packet type. The network device may buffer the one or more fragments in a fragment flow. The network device may, upon receiving a fragment of the first network packet that includes an indication of a source network address and a source port for the second network packet, perform an anti-spoof check of the fragment flow without assembling the first network packet. The network device may, based on the fragment flow passing the anti-spoof check, in response to receiving all fragments of the first network packet: assemble the first network packet, decapsulate the second network packet from the assembled first network packet, and forward, to a second network, the second network packet.
    Type: Grant
    Filed: November 13, 2019
    Date of Patent: September 20, 2022
    Assignee: Juniper Networks, Inc.
    Inventors: Ashish Suresh Ghule, Jagadish Narasimha Grandhi
  • Patent number: 11451574
    Abstract: Methods, apparatus, and processor-readable storage media for detecting security threats in storage systems using AI techniques are provided herein. An example computer-implemented method includes obtaining historical performance data and historical capacity data pertaining to one or more storage objects within a storage system; determining supervised datasets pertaining to security threat-related data and non-security threat-related data by processing at least a portion of the obtained data using a first set of AI techniques; configuring a second set of AI techniques based at least in part on the determined supervised datasets; detecting one or more security threats in connection with at least one storage object within the storage system by processing input data from the at least one storage object using the second set of AI techniques; and performing at least one automated action based at least in part on the one or more detected security threats.
    Type: Grant
    Filed: June 29, 2020
    Date of Patent: September 20, 2022
    Assignee: EMC IP Holding Company LLC
    Inventors: Deepak Gowda, Bina K. Thakkar, Wenjin Liu
  • Patent number: 11449604
    Abstract: A method of computer security for a host computer system in communication with remote computer systems, including generating an attack map as a directed graph data structure modelling individual events leading to an exploitation of the host computer system and collecting a log of each of a plurality of attack events occurring at the host including network packets involved in each attack event, the attack map being generated in a training phase of the host computer system in which the host is subjected to attacks by one or more attacking remote computer systems, using stacked autoencoders to extract features from the log event in each attack; generating a directed graph representation based on each of the extracted features, using the attack map to identify a sequence of events indicative of an attack, and responsive to the identification, deploying one or more security facilities to mitigate the attack.
    Type: Grant
    Filed: March 18, 2020
    Date of Patent: September 20, 2022
    Assignee: BRITISH TELECOMMUNICATIONS PUBLIC LIMITED COMPANY
    Inventors: Ian Herwono, Fadi El-Moussa
  • Patent number: 11449618
    Abstract: A method is provided, comprising actively testing the access control policy of a software target using a probing logic. The method further comprises determining whether an intrusion in the software target has occurred based on monitored side effects. According to the method, the probing logic is to execute at least one operation that is forbidden by the access control policy. The probing logic is further to create at least one predetermined observable side effect based on the successful execution of the operation.
    Type: Grant
    Filed: August 6, 2019
    Date of Patent: September 20, 2022
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: David Plaquin, Christopher Ian Dalton, Ronny Chevalier
  • Patent number: 11449635
    Abstract: A rule-based attribution mechanism analyzes documents having different types of data in different formats through the application of script-based rules that apply a tag to the document identifying the type of sensitive data that is contained in the document. Documents having similar tags are aggregated so that the sensitive data is scrubbed from the document leaving the telemetric data available for downstream processing. The scrubbing entails different actions, such as, eliminating the sensitive data, obfuscating the sensitive data, and converting the sensitive data into a non-sensitive value.
    Type: Grant
    Filed: May 9, 2019
    Date of Patent: September 20, 2022
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC.
    Inventors: Brian Boon, Dinesh Chandnani, Zhu Chen, Ram Kumar Donthula, Matthew Sloan Theodore Evans, Andrew Neil, Vijaya Upadya, Geoffrey Staneff, Shibani Basava, Evgenia Steshenko, Carl Brochu, Shaun Miller, Xin Shi
  • Patent number: 11451568
    Abstract: In an embodiment, a process for automatic model monitoring for data streams includes receiving an input dataset, using a machine learning model to determine a model score for each data record of at least a portion of the input dataset, and determining monitoring values. Each monitoring value is associated with a measure of similarity between model scores for those data records of the input dataset within a corresponding moving reference window and model scores for those data records of the input dataset within a corresponding moving target window. The process includes outputting the determined monitoring values.
    Type: Grant
    Filed: October 29, 2019
    Date of Patent: September 20, 2022
    Inventors: Marco Oliveira Pena Sampaio, Fábio Hernâni dos Santos Costa Pinto, Pedro Gustavo Santos Rodrigues Bizarro, Pedro Cardoso Lessa e Silva, Ana Margarida Caetano Ruela, Miguel Ramos de Araújo, Nuno Miguel Lourenço Diegues
  • Patent number: 11444962
    Abstract: Detecting and defending against password spraying attacks is provided. Information is received regarding failed attempts to login to user accounts located on a target system of a network. Each password used to attempt a failed login to any of the user accounts located on the target system is recorded. It is determined whether a common password is used in a failed login attempt to a number of different user accounts located on the target system greater than or equal to a predetermined threshold. In response to determining that the common password was used in the failed login attempt to the number of different user accounts on the target system greater than or equal to the predetermined threshold, an alert is sent regarding a password spraying attack corresponding to the common password that resulted in the failed login attempt to the number of different user accounts located on the target system.
    Type: Grant
    Filed: February 5, 2020
    Date of Patent: September 13, 2022
    Assignee: International Business Machines Corporation
    Inventor: Jeffery Lake Crume
  • Patent number: 11444977
    Abstract: Web sites are crawled using multiple browser profiles to avoid malicious cloaking. Based on web page content returned from HTTP requests using the multiple browser profiles, web sites returning substantively different content to HTTP requests for different browser profiles are identified. Web sites are further filtered by common cloaking behavior, and redirect scripts are extracted from web page content that performed cloaking. Signatures comprising tokenized versions of the redirect scripts are generated and compared to a database of known cloaking signatures. URLs corresponding to signatures having approximate matches with signatures in the database are flagged for recrawling. Recrawled URLs are verified for malicious cloaking again using HTTP requests from multiple browser profiles.
    Type: Grant
    Filed: October 22, 2019
    Date of Patent: September 13, 2022
    Assignee: Palo Alto Networks, Inc.
    Inventors: Oleksii Starov, Zhanhao Chen, Yuchen Zhou, Fang Liu
  • Patent number: 11444974
    Abstract: Systems, methods, and products comprise an analytic server, which improves security of a unified system of distributed network infrastructure comprising a plurality of cyber-physical systems. The analytic server may instantiate a sub-attack tree for each cyber-physical system within the unified system. The analytic server may determine how the interconnection of the plurality of cyber-physical systems may affect the unified system security. The analytic server may monitor systems and receive electronic notifications of alerts in real-time from devices in the plurality of cyber-physical systems. The analytic server may follow the logic of the attack tree model by traversing the attack tree from the bottom up and determine how the alerts from the cyber-physical systems may affect the distributed network infrastructure as a whole. The analytic server may generate reports comprising a list of the prioritized attacks and recommended actions to mitigate the attacks.
    Type: Grant
    Filed: October 23, 2019
    Date of Patent: September 13, 2022
    Assignee: ARCHITECTURE TECHNOLOGY CORPORATION
    Inventors: Martiros Shakhzadyan, Judson Powers, Matthew A. Stillerman
  • Patent number: 11444878
    Abstract: The disclosed embodiments are directed toward monitoring and classifying encrypted network traffic. In one embodiment, a method is disclosed comprising intercepting an encrypted network request, the network request transmitted by a client device to a network endpoint; identifying a network service associated with the network endpoint based on unencrypted properties of the encrypted network request; identifying, based on the encrypted network request and a series of subsequent network requests issued by the client device, an action taken by the client device, the action comprising an activity performed during a session established with the network service; and updating a catalog of network interactions using the network service and the action.
    Type: Grant
    Filed: September 4, 2019
    Date of Patent: September 13, 2022
    Assignee: YAHOO AD TECH LLC
    Inventors: Atte Lahtiranta, Matti Oikarinen
  • Patent number: 11435998
    Abstract: A computer-implemented system and method of providing utility service network information for a utility service disturbance monitoring equipment management network and system. The system includes six components: an operating system with mirrors/feedback point, local provider/USI DME application repositories, working snapshots, published snapshots, a quality control test system, and a dedicated provider/USI portion of the Cloud.
    Type: Grant
    Filed: August 27, 2017
    Date of Patent: September 6, 2022
    Inventor: Todd Sampson
  • Patent number: 11438360
    Abstract: Provided is a process that includes: obtaining, with one or more processors, a query identifying a user identification; retrieving, with one or more processors, via an application programming interface, from a database, one or more passwords associated with one or more user identification entries in the database that match the user identification in response to the obtained query; determining, with one or more processors, whether the one or more passwords match a password associated with the user identification; blocking, with one or more processors, access to a user account associated with the user identification and the password when the one or more passwords match the password associated with the user identification; and notifying, with one or more processors, a user associated with the user account to reset the password when the one or more passwords match the password associated with the user identification.
    Type: Grant
    Filed: October 29, 2019
    Date of Patent: September 6, 2022
    Assignee: SpyCloud, Inc.
    Inventors: David Endler, Alen Puzic, Edward Ross
  • Patent number: 11436512
    Abstract: A method, system and computer-usable medium for performing a feature generation operation. The performing a feature generation operation including: receiving a stream of events, the stream of events comprising a plurality of events; applying labels to applicable events from the plurality of events, the applying labels providing a labeled event; and, processing the labeled event to extract a feature from the labeled event, the processing providing a feature associated with an event.
    Type: Grant
    Filed: July 12, 2018
    Date of Patent: September 6, 2022
    Assignee: Forcepoint, LLC
    Inventors: Christopher Poirel, William Renner, Eduardo Luiggi, Phillip Bracikowski
  • Patent number: 11438166
    Abstract: In accordance with an embodiment, described herein are systems and methods for use of a suffix tree to control blocking of blacklisted encrypted domains. A suffix tree includes encrypted hash keys corresponding to a plurality of domain nodes. A domain-related request packet is received, and a target domain name is extracted from the packet. A pair of hash keys is generated for the request packet and target domain, and a hash table is searched with the generated hash key pair. If a corresponding entry is found in the hash table, then a corresponding hash suffix pointer is determined for the packet, and the suffix tree is examined to determine whether the node identified by the query is part of a blacklisted node. If the suffix tree indicates the node to be part of a blacklisted node, then the system can perform a specified action associated with that node.
    Type: Grant
    Filed: March 19, 2020
    Date of Patent: September 6, 2022
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventor: Rishi Mutnuru
  • Patent number: 11431741
    Abstract: The present disclosure describes a system, method, and computer program for detecting unmanaged and unauthorized assets on an IT network by identifying anomalously-named assets. A recurrent neural network (RNN) is trained to identify patterns in asset names in a network. The RNN learns the character distribution patterns of the names of all observed assets in the training data, effectively capturing the hidden naming structures followed by a majority of assets on the network. The RNN is then used to identify assets with names that deviate from the hidden naming structures. Specifically, the RNN is used to measure the reconstruction errors of input asset name strings. Asset names with high reconstruction errors are anomalous since they cannot be explained by learned naming structures. After filtering for attributes or circumstances that mitigate risk, such assets are associated with a higher cybersecurity risk.
    Type: Grant
    Filed: May 13, 2019
    Date of Patent: August 30, 2022
    Assignee: Exabeam, Inc.
    Inventors: Derek Lin, Domingo Mihovilovic, Sylvain Gil, Barry Steiman
  • Patent number: 11431734
    Abstract: A computer-implemented method for dynamically identifying security threats comprising a cyber-attack chain composed of a sequence of partial cyber-attacks represented by attack patterns may be provided. The method comprises receiving a sequence of security events, determining a first cyber-attack pattern by applying a set of predefined rules for detecting an indicator of compromise of a first partial cyber-attack of the cyber-attack chain—thereby identifying a specific cyber-attack chain—and determining a type and an attribute in the pattern of the first partial cyber-attack. The method further comprises configuring at least one rule for a downstream partial cyber-attack in the specific cyber-attack chain based on the type and the attribute in the attack pattern of the first partial cyber-attack, and adding the at least one configured rule to the set of predefined rules to be used by the correlation engine for dynamically identifying security threats to information technology systems.
    Type: Grant
    Filed: April 18, 2019
    Date of Patent: August 30, 2022
    Assignee: KYNDRYL, INC.
    Inventors: Matthias Seul, Arjun Udupi Raghavendra, Tim Uwe Scheideler, Tiziano Airoldi
  • Patent number: 11431681
    Abstract: Described are platforms, systems, and methods for actuating transmission control protocol/Internet protocol (TCP/IP) through a method comprising: identifying a computer workload during a handshake process for establishing a network connection with a remote host; configuring, based on the computer workload, one or more TCP/IP parameters of the network connection; and completing the handshake process to establish the network connection with the remote host.
    Type: Grant
    Filed: April 7, 2020
    Date of Patent: August 30, 2022
    Assignee: PENSANDO SYSTEMS INC.
    Inventors: Sameer Kittur, Raghava Kodigenahalli Sivaramu, Alok Rathore, Vijay Sampath, Vipin Jain
  • Patent number: 11431744
    Abstract: Embodiments are directed to monitoring network traffic over a network using one or more network monitoring computers. A monitoring engine may be instantiated to perform actions, including: monitoring network traffic to identify client requests provided by clients and server responses provided by servers in response to the client requests; determining request metrics associated with the client requests; and determining response metrics associated with the server responses. An analysis engine may be instantiated that performs actions, including: comparing the request metrics with the response metrics; determining atypical behavior associated with the clients based on the comparison, such that the atypical behavior includes an absence of adaptation by the clients to changes in the server responses; and providing alerts that may identify the clients as being associated with the atypical behavior.
    Type: Grant
    Filed: March 9, 2020
    Date of Patent: August 30, 2022
    Assignee: ExtraHop Networks, Inc.
    Inventors: Arindum Mukerji, Khurram Waheed
  • Patent number: 11423143
    Abstract: A cybersecurity system, method, and computer program is provided for detecting whether an entity's collection of processes during an interval is abnormal compared to the historical collection of processes observed for the entity during previous intervals of the same length. Logs from a training period are used to calculate global and local risk probabilities for each process based on the process's execution history during the training period. Risk probabilities may be computed using a Bayesian framework. For each entity in a network, an entity risk score is calculated by summing the applicable risk probabilities of the unique processes executed by the entity during an interval. An entity's historical risk scores form a score distribution. If an entity's current score is an outlier on the historical score distribution, an alert of potentially malicious behavior is generated with respect to the entity. Additional post-processing may be performed to reduce false positives.
    Type: Grant
    Filed: December 20, 2018
    Date of Patent: August 23, 2022
    Assignee: Exabeam, Inc.
    Inventors: Derek Lin, Barry Steiman, Domingo Mihovilovic, Sylvain Gil
  • Patent number: 11424993
    Abstract: At an artificial intelligence based service to detect violations of resource usage policies, an indication of a first data set comprising a plurality of network traffic flow records associated with at least a first device of a set of devices may be obtained. Using the first data set, a machine learning model may be trained to predict whether resource usage of a particular device of a particular network violates a first resource usage acceptability criterion. In response to determining, using a trained version of the model, that the probability that a second device has violated the acceptability criterion exceeds a threshold, one or more actions responsive to the violation may be initiated.
    Type: Grant
    Filed: May 30, 2017
    Date of Patent: August 23, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Vineet Shashikant Chaoji, Pranav Garg
  • Patent number: 11425151
    Abstract: Client-side attack detection via simulation for detecting and mitigating cross-site script code client-side attacks is disclosed. A system can receive, through a network interface from a web server, a first response having a first payload that includes an action based on a request to the web server and a second response having a corresponding payload that is received concurrently with the first response on a signal path from the web server that is different from that of the first response. The system can invoke the action from the first payload and detect malicious activity in the invoked action. The system can verify the detecting of the malicious activity and issue a message indicating a security incident relating to the malicious activity. The system can either allow or restrict passage of the second response to a network based on a mode of the system when the malicious activity is verified.
    Type: Grant
    Filed: August 5, 2020
    Date of Patent: August 23, 2022
    Assignee: PayPal, Inc.
    Inventor: George Chen Kaidi
  • Patent number: 11423311
    Abstract: Tuning a neural network may include selecting a portion of a first neural network for modification to increase computational efficiency and generating, using a processor, a second neural network based upon the first neural network by modifying the selected portion of the first neural network while offline.
    Type: Grant
    Filed: May 13, 2016
    Date of Patent: August 23, 2022
    Inventors: John W. Brothers, Joohoon Lee