Patents Assigned to Armis Security Ltd.
  • Publication number: 20220311789
    Abstract: A system and method for detecting abnormal device traffic behavior. The method includes creating a baseline clustering model for a device based on a training data set including traffic data for the device, wherein the baseline clustering model includes a plurality of clusters, each cluster representing a discrete state and including a plurality of first data points of the training data set; sampling a plurality of second data points with respect to windows of time in order to create at least one sample, each sample including at least a portion of the plurality of second data points, wherein the plurality of second data points are related to traffic involving the device; and detecting anomalous traffic behavior of the device based on the at least one sample and the baseline clustering model.
    Type: Application
    Filed: March 29, 2021
    Publication date: September 29, 2022
    Applicant: Armis Security Ltd.
    Inventors: Evgeny LUK-ZILBERMAN, Gil BEN ZVI, Tom HANETZ, Ron SHOHAM, Yuval FRIEDLANDER
  • Publication number: 20220278984
    Abstract: A system and method for inferring an operating system version for a device based on communications security data. A method includes identifying a plurality of sequences in communications security data sent by the device; determining an operating system type of an operating system used by the device based on the identified plurality of sequences; applying a version-identifying model to the identified plurality of sequences, wherein the version-identifying model is a machine learning model trained to output a version identifier, wherein the applied version-identifying model is associated with the determined operating system type; and determining the operating system version of the device based on the output of the version-identifying model.
    Type: Application
    Filed: March 1, 2021
    Publication date: September 1, 2022
    Applicant: Armis Security Ltd.
    Inventors: Yuval Sarel, Ben Seri, Yuval Friedlander, Tom Hanetz, Gil Ben Zvi, Ron Shoham
  • Publication number: 20220263853
    Abstract: A system and method for mitigating cyber security threats by devices using risk factors. The method includes determining a plurality of risk factors for a device based on a plurality of risk behaviors indicated by network activity and information of the device, wherein the plurality of risk behaviors includes observed risk behaviors and assumed risk behaviors, wherein the observed risk behaviors are indicated by data related to network activity by the device, wherein the assumed risk behaviors are extrapolated based on known contextual information related to the device; determining a risk score for the device based on the plurality of risk factors and a plurality of weights, wherein each of the plurality of weights is applied to one of the plurality of risk factors; and performing at least one mitigation action based on the risk score.
    Type: Application
    Filed: May 9, 2022
    Publication date: August 18, 2022
    Applicant: Armis Security Ltd.
    Inventors: Nadir IZRAEL, Shiri LADELSKY LELLOUCH, Misha SELTZER
  • Publication number: 20220239682
    Abstract: A system and method for detecting deviations from baseline behavior patterns for categorical features. A method includes determining a first discrete probability distribution for a categorical variable based on a first set of network activity data; determining a second discrete probability distribution for a unique observation based on a second set of network activity data; comparing the second discrete probability distribution to the first discrete probability distribution by applying a distance function to the first and second discrete probability distributions, wherein an output of the distance function is a scalar value representing a difference between the first and second discrete probability distributions; determining whether the scalar value is above a threshold; detecting an anomaly with respect to the categorical variable when the scalar value is above the threshold; and determining that a behavior with respect to the categorical variable is normal when the scalar value is not above the threshold.
    Type: Application
    Filed: January 28, 2021
    Publication date: July 28, 2022
    Applicant: Armis Security Ltd.
    Inventors: Gil BEN ZVI, Ron SHOHAM, Tom HANETZ, Yuval FRIEDLANDER
  • Patent number: 11363051
    Abstract: A system and method for mitigating cyber security threats by devices using risk factors. The method includes determining a plurality of risk factors for a device based on a plurality of risk behaviors indicated by network activity and information of the device; determining a risk score for the device based on the plurality of risk factors and a plurality of weights, wherein each of the plurality of weights is applied to one of the plurality of risk factors; and performing at least one mitigation action based on the risk score.
    Type: Grant
    Filed: April 1, 2019
    Date of Patent: June 14, 2022
    Assignee: Armis Security Ltd.
    Inventors: Nadir Izrael, Shiri Ladelsky Lellouch, Misha Seltzer
  • Publication number: 20220150264
    Abstract: A system and method for anomaly interpretation and mitigation. A method includes extracting at least one input feature vector from observation data related to an observation; applying an isolation forest to the at least one input feature vector, wherein the isolation forest includes a plurality of estimators, wherein each estimator is a decision tree, wherein the output of each estimator is a split-path of a plurality of split-paths, each split-path having a path-length and including a name and a corresponding value for a respective output feature of a plurality of output features; generating a mapping object based on the application of the isolation forest to the at least one feature vector, wherein the mapping object includes the plurality of split-paths; clipping the mapping object based on the path-length of each split-path; and determining at least one mitigation action based on the clipped mapping object.
    Type: Application
    Filed: November 10, 2020
    Publication date: May 12, 2022
    Applicant: Armis Security Ltd.
    Inventors: Yuval FRIEDLANDER, Ron SHOHAM, Gil BEN ZVI, Tom HANETZ
  • Publication number: 20210349774
    Abstract: A system and method for inferring device models. The method includes determining block statistics for each block of a plurality of blocks of a plurality of media access control (MAC) addresses, the plurality of blocks having a plurality of respective prefixes, wherein the plurality of blocks are grouped based on commonalities among the plurality of respective prefixes; generating an aggregated statistical model for the plurality of blocks based on the plurality of MAC addresses and the block statistics, wherein each block is a string of digits included in one of the plurality of MAC addresses; and applying the aggregated statistical model to the block statistics of at least one block of the plurality of blocks in order to determine at least one inferred device model, wherein each of the at least one block is grouped into the same group.
    Type: Application
    Filed: May 7, 2020
    Publication date: November 11, 2021
    Applicant: Armis Security Ltd.
    Inventors: Ron SHOHAM, Tom HANETZ, Yuval FRIEDLANDER, Gil BEN ZVI
  • Publication number: 20210264036
    Abstract: A system and method for determining device attributes using a classifier hierarchy. The method includes: determining at least one exploitation condition for a manufacturing device based on at least one first device attribute of the manufacturing device and a plurality of second device attributes indicated in a vulnerabilities database, wherein the vulnerabilities database further indicates a plurality of known exploits for the plurality of second device attributes; analyzing behavior and configuration of the medical device to detect an exploitable vulnerability for the manufacturing device, wherein the exploitable vulnerability is a behavior or configuration of the manufacturing device which meets the at least one exploitation condition; and performing at least one mitigation action based on the exploitable vulnerability.
    Type: Application
    Filed: February 26, 2020
    Publication date: August 26, 2021
    Applicant: Armis Security Ltd.
    Inventors: Shaked GITELMAN, Tal RAVID
  • Publication number: 20210264035
    Abstract: A system and method for determining device attributes using a classifier hierarchy. The method includes: determining at least one exploitation condition for a medical device based on at least one first device attribute of the medical device and a plurality of second device attributes indicated in a vulnerabilities database, wherein the vulnerabilities database further indicates a plurality of known exploits for the plurality of second device attributes; analyzing behavior and configuration of the medical device to detect an exploitable vulnerability for the medical device, wherein the exploitable vulnerability is a behavior or configuration of the medical device which meets the at least one exploitation condition; and performing at least one mitigation action based on the exploitable vulnerability.
    Type: Application
    Filed: February 26, 2020
    Publication date: August 26, 2021
    Applicant: Armis Security Ltd.
    Inventors: Shaked GITELMAN, Tal RAVID
  • Patent number: 11102233
    Abstract: A method and system for detecting vulnerable wireless devices operating in a wireless environment of an organization are provided. The method includes identifying a plurality of wireless devices operable in the wireless environment; for each identified wireless device: receiving intercepted traffic transmitted by the wireless device, wherein the intercepted traffic is transported using at least one type of wireless protocol; analyzing the intercepted traffic to determine if the wireless device is vulnerable, wherein the analysis is performed using at least one investigation action; computing a risk score based on results of each of the at least one investigation action; determining, based on the computed risk scores, if the wireless device is vulnerable; and generating an alert, when it is determined that the wireless device is vulnerable.
    Type: Grant
    Filed: December 4, 2019
    Date of Patent: August 24, 2021
    Assignee: Armis Security Ltd.
    Inventors: Tomer Schwartz, Nadir Izrael
  • Patent number: 11102082
    Abstract: A system and method for inferring device operating systems. A method includes applying a sequence-based model to an option-types sequence in order to output a plurality of first features, wherein each of the first features is a value representing a probability that the options-type sequence is associated with a respective operating system; applying a distribution dissimilarity model to metadata field distribution data extracted from the headers of the packets sent by the device in order to output a plurality of second features, wherein the plurality of second features includes a plurality of distances, wherein each distance is based on a difference between a distribution of values of each metadata field indicated in the metadata field distribution data; and applying an operating system inference model to the plurality of first features and the plurality of second features in order to output an inferred operating system for the device.
    Type: Grant
    Filed: July 13, 2020
    Date of Patent: August 24, 2021
    Assignee: Armis Security Ltd.
    Inventors: Yuval Sarel, Ben Seri, Gil Ben Zvi, Tom Hanetz, Yuval Friedlander, Ron Shoham
  • Publication number: 20210203575
    Abstract: A system and method for determining device attributes using a classifier hierarchy. The method includes: sequentially applying a plurality of sub-models of a hierarchy to a plurality of features extracted from device activity data, wherein the sequential application ends with applying a last sub-model of the plurality of sub-models, wherein each sub-model includes a plurality of classifiers, wherein each sub-model outputs a class when applied to at least a portion of the plurality of features, wherein each class is a classifier output representing a device attribute, wherein applying the plurality of sub-models further comprises iteratively determining a next sub-model to apply based on the class output by a most recently applied sub-model and the hierarchy; and determining a device attribute based on the class output by the last sub-model.
    Type: Application
    Filed: December 30, 2019
    Publication date: July 1, 2021
    Applicant: Armis Security Ltd.
    Inventors: Tom HANETZ, Yuval FRIEDLANDER
  • Publication number: 20210185058
    Abstract: A system and method for resolving contradictory device profiling data. The method includes: determining a set of non-contradicting values and a set of contradicting values in device profiling data related to a device based on a plurality of conflict rules; merging values of the set of non-contradicting values in device profiling data into at least one first value; selecting at least one second value from the set of contradicting values, wherein selecting one of the at least one second value from each set of contradicting values further includes generating a certainty score corresponding to each value of the set of contradicting values, wherein each certainty score indicates a likelihood that the corresponding value is accurate, wherein the at least one second value is selected based on the certainty scores; and creating a device profile based on the at least one first value and the at least one second value.
    Type: Application
    Filed: December 16, 2019
    Publication date: June 17, 2021
    Applicant: Armis Security Ltd.
    Inventors: Shaked GITELMAN, Adi KRESPIL-LO
  • Publication number: 20200314134
    Abstract: A system and method for mitigating cyber security threats by devices using risk factors. The method includes determining a plurality of risk factors for a device based on a plurality of risk behaviors indicated by network activity and information of the device; determining a risk score for the device based on the plurality of risk factors and a plurality of weights, wherein each of the plurality of weights is applied to one of the plurality of risk factors; and performing at least one mitigation action based on the risk score.
    Type: Application
    Filed: April 1, 2019
    Publication date: October 1, 2020
    Applicant: Armis Security Ltd.
    Inventors: Nadir IZRAEL, Shiri LADELSKY LELLOUCH, Misha SELTZER
  • Publication number: 20200112584
    Abstract: A method and system for detecting vulnerable wireless devices operating in a wireless environment of an organization are provided. The method includes identifying a plurality of wireless devices operable in the wireless environment; for each identified wireless device: receiving intercepted traffic transmitted by the wireless device, wherein the intercepted traffic is transported using at least one type of wireless protocol; analyzing the intercepted traffic to determine if the wireless device is vulnerable, wherein the analysis is performed using at least one investigation action; computing a risk score based on results of each of the at least one investigation action; determining, based on the computed risk scores, if the wireless device is vulnerable; and generating an alert, when it is determined that the wireless device is vulnerable.
    Type: Application
    Filed: December 4, 2019
    Publication date: April 9, 2020
    Applicant: Armis Security Ltd.
    Inventors: Tomer SCHWARTZ, Nadir IZRAEL
  • Publication number: 20200106803
    Abstract: Certain embodiments disclosed herein include a method for detecting potential vulnerabilities in a wireless environment. The method comprises collecting, by a network sensor deployed in the wireless environment, at least wireless traffic data; analyzing the collected wireless traffic data to detect at least activity initiated by a wireless entity in the wireless environment; initiating at least one investigation action to determine if any identified wireless network is a vulnerable network; determining a risk score based in part on the at least one investigation action; and enforcing a security policy on the identified vulnerable network, wherein the security policy is determined responsive to the risk score and instructions received from a control system.
    Type: Application
    Filed: December 3, 2019
    Publication date: April 2, 2020
    Applicant: Armis Security Ltd.
    Inventors: Tomer SCHWARTZ, Nadir IZRAEL
  • Patent number: 10511620
    Abstract: A method and system for detecting vulnerable wireless devices operating in a wireless environment of an organization are provided. The method includes identifying a plurality of wireless devices operable in the wireless environment; for each identified wireless device: receiving intercepted traffic transmitted by the wireless device, wherein the intercepted traffic is transported using at least one type of wireless protocol; analyzing the received traffic to determine if the wireless device is vulnerable, wherein the analysis is performed using at least a profile generated for the wireless device; and generating an alert, when it is determined that the wireless device is vulnerable.
    Type: Grant
    Filed: January 4, 2017
    Date of Patent: December 17, 2019
    Assignee: Armis Security Ltd.
    Inventors: Tomer Schwartz, Nadir Izrael
  • Patent number: 10505967
    Abstract: Certain embodiments disclosed herein include a method for detecting potential vulnerabilities in a wireless environment. The method comprises collecting, by a network sensor deployed in the wireless environment, at least wireless traffic data; analyzing the collected wireless traffic data to detect at least activity initiated by a wireless entity in the wireless environment; sending, to a control system, data indicating the detected wireless entity; and enforcing a security policy on the detected wireless entity based on instructions received from the control system.
    Type: Grant
    Filed: June 28, 2017
    Date of Patent: December 10, 2019
    Assignee: Armis Security Ltd.
    Inventors: Tomer Schwartz, Nadir Izrael
  • Patent number: 10498758
    Abstract: Certain embodiments disclosed herein include a method for detecting potential vulnerabilities in a wireless environment. The method comprises collecting, by a network sensor deployed in the wireless environment, at least wireless traffic data; analyzing the collected wireless traffic data to detect at least activity initiated by a wireless entity in the wireless environment; sending, to a control system, data indicating the detected wireless entity; and enforcing a security policy on the detected wireless entity based on instructions received from the control system.
    Type: Grant
    Filed: June 28, 2017
    Date of Patent: December 3, 2019
    Assignee: Armis Security Ltd.
    Inventors: Tomer Schwartz, Nadir Izrael
  • Publication number: 20180124096
    Abstract: A method and system for detecting vulnerable wireless devices operating in a wireless environment of an organization are provided. The method includes identifying a plurality of wireless devices operable in the wireless environment; for each identified wireless device: receiving intercepted traffic transmitted by the wireless device, wherein the intercepted traffic is transported using at least one type of wireless protocol; analyzing the received traffic to determine if the wireless device is vulnerable, wherein the analysis is performed using at least a profile generated for the wireless device; and generating an alert, when it is determined that the wireless device is vulnerable.
    Type: Application
    Filed: January 4, 2017
    Publication date: May 3, 2018
    Applicant: Armis Security Ltd.
    Inventors: Tomer SCHWARTZ, Nadir IZRAEL