Patents Assigned to Armis Security Ltd.
  • Patent number: 11956252
    Abstract: A system and method for resolving contradictory device profiling data. The method includes: determining a set of non-contradicting values and a set of contradicting values in device profiling data related to a device based on a plurality of conflict rules; merging values of the set of non-contradicting values in device profiling data into at least one first value; selecting at least one second value from the set of contradicting values, wherein selecting one of the at least one second value from each set of contradicting values further includes generating a certainty score corresponding to each value of the set of contradicting values, wherein each certainty score indicates a likelihood that the corresponding value is accurate, wherein the at least one second value is selected based on the certainty scores; and creating a device profile based on the at least one first value and the at least one second value.
    Type: Grant
    Filed: December 16, 2019
    Date of Patent: April 9, 2024
    Assignee: ARMIS SECURITY LTD.
    Inventors: Shaked Gitelman, Adi Krespil-Lo
  • Publication number: 20240089277
    Abstract: A system and method for anomaly detection. A method includes recursively partitioning a sample of device activity data including deterministic characteristics of a population of devices over iterations in order to create partitions. Each iteration includes determining a split density metric for a candidate subpopulation created by splitting a portion of the population with respect to a corresponding type of deterministic characteristic. The split density metric for the candidate subpopulation is determined based on a density value of the candidate subpopulation and a coverage value of the corresponding type of deterministic characteristic. The partitions include each candidate subpopulation meeting a split density metric threshold. A baseline for each of the partitions is established based on device activity for devices represented in device activity data of the partition. An anomaly is detected based on behavior of a device and the baseline established for a partition corresponding to the device.
    Type: Application
    Filed: September 14, 2022
    Publication date: March 14, 2024
    Applicant: Armis Security Ltd.
    Inventors: Yuval FRIEDLANDER, Gil BEN ZVI, Ron SHOHAM
  • Publication number: 20240015177
    Abstract: A system and method for malicious lateral movement detection. A method includes identifying atomic tunnels in packets sent between devices; identifying tunnel constructs; determining a potentially malicious atomic tunnel among the atomic tunnels by comparing edges of each of the atomic tunnels to edges of previously observed tunnel constructs; determining a potentially malicious tunnel including the potentially malicious atomic tunnel; and mitigating the potentially malicious tunnel. Each atomic tunnel is a structure representing communications among the devices defined with respect to at least three nodes and at least two edges. Each node represents a respective device, and each edge represents a connection between two of the devices. Each atomic tunnel has two hops, where each hop is a level of communication in which a packet is sent from one device to another device. Each tunnel construct is a structure including at least one of the atomic tunnels.
    Type: Application
    Filed: July 11, 2022
    Publication date: January 11, 2024
    Applicant: Armis Security Ltd.
    Inventors: Evgeny LUK-ZILBERMAN, Gil BEN ZVI, Ron SHOHAM, Yuval FRIEDLANDER
  • Patent number: 11841952
    Abstract: A system and method for determining device attributes using a classifier hierarchy. The method includes: determining at least one exploitation condition for a manufacturing device based on at least one first device attribute of the manufacturing device and a plurality of second device attributes indicated in a vulnerabilities database, wherein the vulnerabilities database further indicates a plurality of known exploits for the plurality of second device attributes; analyzing behavior and configuration of the medical device to detect an exploitable vulnerability for the manufacturing device, wherein the exploitable vulnerability is a behavior or configuration of the manufacturing device which meets the at least one exploitation condition; and performing at least one mitigation action based on the exploitable vulnerability.
    Type: Grant
    Filed: February 26, 2020
    Date of Patent: December 12, 2023
    Assignee: ARMIS SECURITY LTD.
    Inventors: Shaked Gitelman, Tal Ravid
  • Publication number: 20230394136
    Abstract: A system and method for determining device attributes based on host configuration protocols. A method includes identifying queries of interest among an application data set including queries for computer address data sent by at least one device, wherein each query of interest meets a respective threshold of at least one threshold for each of the at least one score output by a machine learning model, wherein the machine learning model is trained to output at least one score with respect to statistical properties of queries for computer address data; determining prediction thresholds by applying the machine learning model to a validation data set, wherein each prediction threshold corresponds to a respective output of the machine learning model; and determining, based on the prediction thresholds and the scores output by the machine learning model for the identified queries of interest when applied to the application dataset, device attributes for the device.
    Type: Application
    Filed: June 1, 2022
    Publication date: December 7, 2023
    Applicant: Armis Security Ltd.
    Inventors: Ron SHOHAM, Tom HANETZ, Yuval FRIEDLANDER, Gil BEN ZVI
  • Patent number: 11824877
    Abstract: A system and method for anomaly interpretation and mitigation. A method includes extracting at least one input feature vector from observation data related to an observation; applying an isolation forest to the at least one input feature vector, wherein the isolation forest includes a plurality of estimators, wherein each estimator is a decision tree, wherein the output of each estimator is a split-path of a plurality of split-paths, each split-path having a path-length and including a name and a corresponding value for a respective output feature of a plurality of output features; generating a mapping object based on the application of the isolation forest to the at least one feature vector, wherein the mapping object includes the plurality of split-paths; clipping the mapping object based on the path-length of each split-path; and determining at least one mitigation action based on the clipped mapping object.
    Type: Grant
    Filed: November 10, 2020
    Date of Patent: November 21, 2023
    Assignee: ARMIS SECURITY LTD.
    Inventors: Yuval Friedlander, Ron Shoham, Gil Ben Zvi, Tom Hanetz
  • Patent number: 11824880
    Abstract: A method and system for detecting vulnerable wireless networks coexisting in a wireless environment of an organization are provided. The method includes receiving intercepted traffic, wherein the intercepted traffic is transmitted by at least one wireless device operable in an airspace of the wireless environment, wherein the intercepted traffic is transported using at least one type of wireless protocol; analyzing the received traffic to detect at least one active connection between a legitimate wireless device of the at least one wireless device and at least one unknown wireless device, wherein the legitimate wireless device is at least legitimately authorized to access a protected computing resource of the organization; and determining if the at least one detected active connection forms a vulnerable wireless network.
    Type: Grant
    Filed: October 31, 2016
    Date of Patent: November 21, 2023
    Assignee: ARMIS SECURITY LTD.
    Inventors: Tomer Schwartz, Nadir Izrael
  • Publication number: 20230336580
    Abstract: A system and method for vulnerability detection. A method includes: tokenizing device attribute data for a device into at least one set of first tokens, wherein each of the first tokens is formatted according to a token schema; creating at least one device attribute string, each device attribute string including one of the first tokens; matching each of the at least one device attribute string to combinations of device attributes stored in a vulnerabilities database in order to identify at least one matching combination of device attributes for the device, wherein the vulnerabilities database stores mappings between combinations of device attributes and vulnerabilities, wherein each combination of device attributes in the vulnerabilities database includes second tokens formatted according to the token schema; detecting at least one vulnerability of the device based on the at least one matching combination of device attributes and the mappings in the vulnerabilities database.
    Type: Application
    Filed: April 18, 2022
    Publication date: October 19, 2023
    Applicant: Armis Security Ltd.
    Inventors: Evgeny LUK-ZILBERMAN, Tom HANETZ, Ron SHOHAM, Yuval FRIEDLANDER, Gil BEN ZVI
  • Publication number: 20230306297
    Abstract: A system and method for determining device attributes based on host configuration protocols. A method includes applying at least one machine learning model to a test data set extracted from host configuration protocol data including at least one test options sequence, wherein each test options sequence is an ordered series of options requested by a first device, wherein each of the at least one machine learning model is trained based on a train data set including a plurality of training options sequences and a plurality of device attributes, wherein each training options sequence and each device attribute of the train data set corresponds to a respective second device; and determining, based on the output of the at least one machine learning model, at least one device attribute for the first device.
    Type: Application
    Filed: March 22, 2022
    Publication date: September 28, 2023
    Applicant: Armis Security Ltd.
    Inventors: Yuval FRIEDLANDER, Gil BEN ZVI, Tom HANETZ, Ron SHOHAM
  • Publication number: 20230216853
    Abstract: A system and method for determining device attributes based on protocol string conventions. A method includes applying at least one machine learning model to an application data set extracted based on at least one first pair of strings, each first pair of strings including a protocol string and a key string indicated in respective fields of communications session data corresponding to a device, wherein each machine learning model is trained based on a training data set including second pairs of strings and device attribute labels, wherein each device attribute label corresponds to one of the second pairs of strings, wherein each of the at least one machine learning model is configured to output a predicted device attribute for the device based on the first pair of strings; and determining, based on the output of the at least one machine learning model, at least one device attribute of the device.
    Type: Application
    Filed: January 6, 2022
    Publication date: July 6, 2023
    Applicant: Armis Security Ltd.
    Inventors: Ron SHOHAM, Gil BEN ZVI, Tom HANETZ, Yuval FRIEDLANDER
  • Publication number: 20230143024
    Abstract: A system and method for inferring device types. A method includes selecting a device type inference model from among a plurality of device type inference models based on a manufacturer of a device, wherein each device type inference model corresponds to a respective manufacturer and is trained using training data of devices manufactured by the respective manufacturer, wherein each device type inference model is trained to output a device type prediction; and determining an inferred device type for the device, wherein determining the inferred device type for the device further comprises applying the selected device type inference model to a plurality of features, wherein the plurality of features is extracted from device activity data indicating ports used by the device and at least one volume of traffic communicated via each port used by the device.
    Type: Application
    Filed: November 10, 2021
    Publication date: May 11, 2023
    Applicant: Armis Security Ltd.
    Inventors: Yuval FRIEDLANDER, Gil BEN ZVI, Tom HANETZ, Ron SHOHAM
  • Publication number: 20230088415
    Abstract: Systems and methods for device profile enrichment. A method includes determining a plurality of distributions of device attributes with respect to a plurality of fields of a predefined device profile schema; generating a plurality of inference rules based on the plurality of distributions of device attributes, wherein each inference rule indicates at least one required device attribute and at least one inferred device attribute; creating an ordered set of inference rules including the plurality of inference rules organized with respect to a plurality of scores, each score corresponding to one of the plurality of inference rules, wherein the score for each inference rule is determined based on the at least one required device attribute of the inference rule; and enriching at least one device profile by iterating the ordered set of inference rules, wherein enriching a device profile includes adding at least one device attribute value to the device profile.
    Type: Application
    Filed: September 23, 2021
    Publication date: March 23, 2023
    Applicant: Armis Security Ltd.
    Inventors: Yuval FRIEDLANDER, Gil BEN ZVI, Tom HANETZ, Ron SHOHAM
  • Publication number: 20230004857
    Abstract: A system and method for machine learning model validation. A method includes: determining a first score distribution for a first run of a machine learning model and a second score distribution for a second run of the machine learning model, wherein the first run includes applying the machine learning model to a first test dataset, wherein the second run includes applying the machine learning model to a second test dataset, wherein the second test dataset is collected after the first test dataset; comparing the first score distribution to the second score distribution; determining, based on the comparison, whether the machine learning model is validated; continuing use of the machine learning model when it is determined that the machine learning model is validated; and performing at least one rehabilitative action with respect to the machine learning model when it is determined that the machine learning model is not validated.
    Type: Application
    Filed: June 30, 2021
    Publication date: January 5, 2023
    Applicant: Armis Security Ltd.
    Inventors: Ron SHOHAM, Yuval FRIEDLANDER, Tom HANETZ, Gil BEN ZVI
  • Publication number: 20230004856
    Abstract: A system and method for machine learning features validation. A method includes: performing statistical testing on a plurality of pairs of features, each pair of features including a test feature of a plurality of test features extracted from a first data set and a corresponding training feature extracted from a second data set during a training phase for a machine learning model, wherein the statistical testing is performed under a null hypothesis that the first data set and the second data set are drawn from a same continuous distribution, wherein performing the statistical testing further comprises determining a degree to which each test feature of the plurality of pairs of features deviates from the corresponding training feature; and determining, based on the degree to which each test feature of the plurality of pairs of features deviates from the corresponding training feature, whether the plurality of test features is validated.
    Type: Application
    Filed: June 30, 2021
    Publication date: January 5, 2023
    Applicant: Armis Security Ltd.
    Inventors: Ron SHOHAM, Yuval FRIEDLANDER, Tom HANETZ, Gil BEN ZVI
  • Publication number: 20220414230
    Abstract: A system and method for determining device attributes using a classifier hierarchy. The method includes determining exploitation conditions for a manufacturing device based on a first set of device attributes of the manufacturing device and a second set of device attributes indicated in a vulnerabilities database; analyzing behavior and configuration of the manufacturing device to detect an exploitable vulnerability for the manufacturing device, wherein the exploitable vulnerability is a behavior or configuration of the manufacturing device which meets the exploitation conditions; and performing mitigation actions based on the exploitable vulnerability. The vulnerabilities database further indicates known exploits for the second set of device attributes.
    Type: Application
    Filed: August 24, 2022
    Publication date: December 29, 2022
    Applicant: Armis Security Ltd.
    Inventors: Shaked GITELMAN, Tal RAVID
  • Publication number: 20220398307
    Abstract: A system and method for identifying device attributes based on string field conventions. A method includes applying at least one machine learning model to an application data set extracted based on a string indicated in a field of device data corresponding to a device, wherein each of the at least one machine learning model is trained based on a training data set including a plurality of second strings and a plurality of device attribute labels, wherein each device attribute label corresponds to a respective second string of the plurality of second strings, wherein each of the at least one machine learning model is configured to output a predicted device attribute for the device based on the first string; and identifying, based on the output of the at least one machine learning model, a device attribute of the device.
    Type: Application
    Filed: June 10, 2021
    Publication date: December 15, 2022
    Applicant: Armis Security LTD.
    Inventors: Ron SHOHAM, Tom Hanetz, Yuval FRIEDLANDER, Gil BEN ZVI
  • Patent number: 11526392
    Abstract: A system and method for inferring device models. The method includes determining block statistics for each block of a plurality of blocks of a plurality of media access control (MAC) addresses, the plurality of blocks having a plurality of respective prefixes, wherein the plurality of blocks are grouped based on commonalities among the plurality of respective prefixes; generating an aggregated statistical model for the plurality of blocks based on the plurality of MAC addresses and the block statistics, wherein each block is a string of digits included in one of the plurality of MAC addresses; and applying the aggregated statistical model to the block statistics of at least one block of the plurality of blocks in order to determine at least one inferred device model, wherein each of the at least one block is grouped into the same group.
    Type: Grant
    Filed: May 7, 2020
    Date of Patent: December 13, 2022
    Assignee: Armis Security Ltd.
    Inventors: Ron Shoham, Tom Hanetz, Yuval Friedlander, Gil Ben Zvi
  • Patent number: 11481503
    Abstract: A system and method for determining device attributes using a classifier hierarchy. The method includes: determining at least one exploitation condition for a medical device based on at least one first device attribute of the medical device and a plurality of second device attributes indicated in a vulnerabilities database, wherein the vulnerabilities database further indicates a plurality of known exploits for the plurality of second device attributes; analyzing behavior and configuration of the medical device to detect an exploitable vulnerability for the medical device, wherein the exploitable vulnerability is a behavior or configuration of the medical device which meets the at least one exploitation condition; and performing at least one mitigation action based on the exploitable vulnerability.
    Type: Grant
    Filed: February 26, 2020
    Date of Patent: October 25, 2022
    Assignee: Armis Security Ltd.
    Inventors: Shaked Gitelman, Tal Ravid
  • Publication number: 20220327221
    Abstract: A system and method for determining device attributes using a classifier hierarchy. The method includes: determining at least one exploitation condition for a medical device based on at least one first device attribute of the medical device and a plurality of second device attributes indicated in a vulnerabilities database, wherein the vulnerabilities database further indicates a plurality of known exploits for the plurality of second device attributes; analyzing behavior and configuration of the medical device to detect an exploitable vulnerability for the medical device, wherein the exploitable vulnerability is a behavior or configuration of the medical device which meets the at least one exploitation condition; and performing at least one mitigation action based on the exploitable vulnerability.
    Type: Application
    Filed: June 29, 2022
    Publication date: October 13, 2022
    Applicant: Armis Security Ltd.
    Inventors: Shaked GITELMAN, Tal RAVID
  • Publication number: 20220311789
    Abstract: A system and method for detecting abnormal device traffic behavior. The method includes creating a baseline clustering model for a device based on a training data set including traffic data for the device, wherein the baseline clustering model includes a plurality of clusters, each cluster representing a discrete state and including a plurality of first data points of the training data set; sampling a plurality of second data points with respect to windows of time in order to create at least one sample, each sample including at least a portion of the plurality of second data points, wherein the plurality of second data points are related to traffic involving the device; and detecting anomalous traffic behavior of the device based on the at least one sample and the baseline clustering model.
    Type: Application
    Filed: March 29, 2021
    Publication date: September 29, 2022
    Applicant: Armis Security Ltd.
    Inventors: Evgeny LUK-ZILBERMAN, Gil BEN ZVI, Tom HANETZ, Ron SHOHAM, Yuval FRIEDLANDER