Abstract: A system and method for anomaly detection. A method includes recursively partitioning a sample of device activity data including deterministic characteristics of a population of devices over iterations in order to create partitions. Each iteration includes determining a split density metric for a candidate subpopulation created by splitting a portion of the population with respect to a corresponding type of deterministic characteristic. The split density metric for the candidate subpopulation is determined based on a density value of the candidate subpopulation and a coverage value of the corresponding type of deterministic characteristic. The partitions include each candidate subpopulation meeting a split density metric threshold. A baseline for each of the partitions is established based on device activity for devices represented in device activity data of the partition. An anomaly is detected based on behavior of a device and the baseline established for a partition corresponding to the device.

Abstract: A system and method for malicious lateral movement detection. A method includes identifying atomic tunnels in packets sent between devices; identifying tunnel constructs; determining a potentially malicious atomic tunnel among the atomic tunnels by comparing edges of each of the atomic tunnels to edges of previously observed tunnel constructs; determining a potentially malicious tunnel including the potentially malicious atomic tunnel; and mitigating the potentially malicious tunnel. Each atomic tunnel is a structure representing communications among the devices defined with respect to at least three nodes and at least two edges. Each node represents a respective device, and each edge represents a connection between two of the devices. Each atomic tunnel has two hops, where each hop is a level of communication in which a packet is sent from one device to another device. Each tunnel construct is a structure including at least one of the atomic tunnels.

Abstract: A system and method for determining device attributes based on host configuration protocols. A method includes applying at least one machine learning model to a test data set extracted from host configuration protocol data including at least one test options sequence, wherein each test options sequence is an ordered series of options requested by a first device, wherein each of the at least one machine learning model is trained based on a train data set including a plurality of training options sequences and a plurality of device attributes, wherein each training options sequence and each device attribute of the train data set corresponds to a respective second device; and determining, based on the output of the at least one machine learning model, at least one device attribute for the first device.

Abstract: Systems and methods for device profile enrichment. A method includes determining a plurality of distributions of device attributes with respect to a plurality of fields of a predefined device profile schema; generating a plurality of inference rules based on the plurality of distributions of device attributes, wherein each inference rule indicates at least one required device attribute and at least one inferred device attribute; creating an ordered set of inference rules including the plurality of inference rules organized with respect to a plurality of scores, each score corresponding to one of the plurality of inference rules, wherein the score for each inference rule is determined based on the at least one required device attribute of the inference rule; and enriching at least one device profile by iterating the ordered set of inference rules, wherein enriching a device profile includes adding at least one device attribute value to the device profile.

Abstract: A system and method for inferring an operating system version for a device based on communications security data. A method includes identifying a plurality of sequences in communications security data sent by the device; determining an operating system type of an operating system used by the device based on the identified plurality of sequences; applying a version-identifying model to the identified plurality of sequences, wherein the version-identifying model is a machine learning model trained to output a version identifier, wherein the applied version-identifying model is associated with the determined operating system type; and determining the operating system version of the device based on the output of the version-identifying model.

Abstract: A system and method for vulnerability detection. A method includes: tokenizing device attribute data for a device into at least one set of first tokens, wherein each of the first tokens is formatted according to a token schema; creating at least one device attribute string, each device attribute string including one of the first tokens; matching each of the at least one device attribute string to combinations of device attributes stored in a vulnerabilities database in order to identify at least one matching combination of device attributes for the device, wherein the vulnerabilities database stores mappings between combinations of device attributes and vulnerabilities, wherein each combination of device attributes in the vulnerabilities database includes second tokens formatted according to the token schema; detecting at least one vulnerability of the device based on the at least one matching combination of device attributes and the mappings in the vulnerabilities database.

Abstract: A system and method for malicious lateral movement detection. A method includes identifying atomic tunnels in packets sent between devices; identifying tunnel constructs; determining a potentially malicious atomic tunnel among the atomic tunnels by comparing edges of each of the atomic tunnels to edges of previously observed tunnel constructs; determining a potentially malicious tunnel including the potentially malicious atomic tunnel; and mitigating the potentially malicious tunnel. Each atomic tunnel is a structure representing communications among the devices defined with respect to at least three nodes and at least two edges. Each node represents a respective device, and each edge represents a connection between two of the devices. Each atomic tunnel has two hops, where each hop is a level of communication in which a packet is sent from one device to another device. Each tunnel construct is a structure including at least one of the atomic tunnels.

Abstract: A system and method for mitigating cyber security threats by devices using risk factors. The method includes determining a plurality of risk factors for a device based on a plurality of risk behaviors indicated by network activity and information of the device, wherein the plurality of risk behaviors includes observed risk behaviors and assumed risk behaviors, wherein the observed risk behaviors are indicated by data related to network activity by the device, wherein the assumed risk behaviors are extrapolated based on known contextual information related to the device; determining a risk score for the device based on the plurality of risk factors and a plurality of weights, wherein each of the plurality of weights is applied to one of the plurality of risk factors; and performing at least one mitigation action based on the risk score.

Abstract: A system and method for detecting abnormal device traffic behavior. The method includes creating a baseline clustering model for a device based on a training data set including traffic data for the device, wherein the baseline clustering model includes a plurality of clusters, each cluster representing a discrete state and including a plurality of first data points of the training data set; sampling a plurality of second data points with respect to windows of time in order to create at least one sample, each sample including at least a portion of the plurality of second data points, wherein the plurality of second data points are related to traffic involving the device; and detecting anomalous traffic behavior of the device based on the at least one sample and the baseline clustering model.

Abstract: A system and method for identifying device attributes based on string field conventions. A method includes applying at least one machine learning model to an application data set extracted based on a string indicated in a field of device data corresponding to a device, wherein each of the at least one machine learning model is trained based on a training data set including a plurality of second strings and a plurality of device attribute labels, wherein each device attribute label corresponds to a respective second string of the plurality of second strings, wherein each of the at least one machine learning model is configured to output a predicted device attribute for the device based on the first string; and identifying, based on the output of the at least one machine learning model, a device attribute of the device.

Abstract: A system and method for anomaly detection. A method includes recursively partitioning a sample of device activity data including deterministic characteristics of a population of devices over iterations in order to create partitions. Each iteration includes determining a split density metric for a candidate subpopulation created by splitting a portion of the population with respect to a corresponding type of deterministic characteristic. The split density metric for the candidate subpopulation is determined based on a density value of the candidate subpopulation and a coverage value of the corresponding type of deterministic characteristic. The partitions include each candidate subpopulation meeting a split density metric threshold. A baseline for each of the partitions is established based on device activity for devices represented in device activity data of the partition. An anomaly is detected based on behavior of a device and the baseline established for a partition corresponding to the device.

Abstract: A system and method for resolving contradictory device profiling data. The method includes: determining a set of non-contradicting values and a set of contradicting values in device profiling data related to a device based on a plurality of conflict rules; merging values of the set of non-contradicting values in device profiling data into at least one first value; selecting at least one second value from the set of contradicting values, wherein selecting one of the at least one second value from each set of contradicting values further includes generating a certainty score corresponding to each value of the set of contradicting values, wherein each certainty score indicates a likelihood that the corresponding value is accurate, wherein the at least one second value is selected based on the certainty scores; and creating a device profile based on the at least one first value and the at least one second value.

Abstract: A system and method for inferring an operating system version for a device based on communications security data. A method includes identifying a plurality of sequences in communications security data sent by the device; determining an operating system type of an operating system used by the device based on the identified plurality of sequences; applying a version-identifying model to the identified plurality of sequences, wherein the version-identifying model is a machine learning model trained to output a version identifier, wherein the applied version-identifying model is associated with the determined operating system type; and determining the operating system version of the device based on the output of the version-identifying model.

Abstract: The present disclosure relates to systems and methods for determining comprehensive and asset vulnerability ratings using models such as artificial intelligence (AI) and machine learning (ML) models. These models can identify relevant attributes, optimize attribute values, and determine logical relationships between attributes. The term “model” encompasses various types of AI and ML models, including neural networks, language models, multimodal models, and others. Models can be trained using supervised learning with labeled data to predict or classify new data items. The models can be locally hosted, cloud-managed, or accessed via APIs, and can be implemented in electronic hardware such as computer processors.

Abstract: A system and method for inferring device types. A method includes selecting a device type inference model from among a plurality of device type inference models based on a manufacturer of a device, wherein each device type inference model corresponds to a respective manufacturer and is trained using training data of devices manufactured by the respective manufacturer, wherein each device type inference model is trained to output a device type prediction; and determining an inferred device type for the device, wherein determining the inferred device type for the device further comprises applying the selected device type inference model to a plurality of features, wherein the plurality of features is extracted from device activity data indicating ports used by the device and at least one volume of traffic communicated via each port used by the device.

Abstract: A system and method for vulnerability detection. A method includes: tokenizing device attribute data for a device into at least one set of first tokens, wherein each of the first tokens is formatted according to a token schema; creating at least one device attribute string, each device attribute string including one of the first tokens; matching each of the at least one device attribute string to combinations of device attributes stored in a vulnerabilities database in order to identify at least one matching combination of device attributes for the device, wherein the vulnerabilities database stores mappings between combinations of device attributes and vulnerabilities, wherein each combination of device attributes in the vulnerabilities database includes second tokens formatted according to the token schema; detecting at least one vulnerability of the device based on the at least one matching combination of device attributes and the mappings in the vulnerabilities database.

Abstract: A system and method for anomaly interpretation and mitigation. A method includes extracting at least one input feature vector from observation data related to an observation; applying an isolation forest to the at least one input feature vector, wherein the isolation forest includes a plurality of estimators, wherein each estimator is a decision tree, wherein the output of each estimator is a split-path of a plurality of split-paths, each split-path having a path-length and including name and a corresponding value for a respective output feature of a plurality of output features; generating a mapping object based on the application of the isolation forest to the at least one feature vector, wherein the mapping object includes the plurality of split-paths; clipping the mapping object based on the path-length of each split-path; and determining at least one mitigation action based on the clipped mapping object.

Abstract: A system and method for determining device attributes using a classifier hierarchy. The method includes: sequentially applying a plurality of sub-models of a hierarchy to a plurality of features extracted from device activity data, wherein the sequential application ends with applying a last sub-model of the plurality of sub-models, wherein each sub-model includes a plurality of classifiers, wherein each sub-model outputs a class when applied to at least a portion of the plurality of features, wherein each class is a classifier output representing a device attribute, wherein applying the plurality of sub-models further comprises iteratively determining a next sub-model to apply based on the class output by a most recently applied sub-model and the hierarchy; and determining a device attribute based on the class output by the last sub-model.

Abstract: A system and method for detecting abnormal device traffic behavior. The method includes creating a baseline clustering model for a device based on a training data set including traffic data for the device, wherein the baseline clustering model includes a plurality of clusters, each cluster representing a discrete state and including a plurality of first data points of the training data set; sampling a plurality of second data points with respect to windows of time in order to create at least one sample, each sample including at least a portion of the plurality of second data points, wherein the plurality of second data points are related to traffic involving the device; and detecting anomalous traffic behavior of the device based on the at least one sample and the baseline clustering model.

Abstract: A system and method for inferring device types. A method includes selecting a device type inference model from among a plurality of device type inference models based on a manufacturer of a device, wherein each device type inference model corresponds to a respective manufacturer and is trained using training data of devices manufactured by the respective manufacturer, wherein each device type inference model is trained to output a device type prediction; and determining an inferred device type for the device, wherein determining the inferred device type for the device further comprises applying the selected device type inference model to a plurality of features, wherein the plurality of features is extracted from device activity data indicating ports used by the device and at least one volume of traffic communicated via each port used by the device.