Patents Assigned to CROWDSTRIKE, INC.
-
Patent number: 12659228
Abstract: A system and method of using generative AI to recommend and validate asset and/or cloud configurations. The method includes acquiring a set of parameters associated with one or more network entities of a computing network. The method includes providing the set of parameters to a configuration model trained to generate, based on semantic matching, recommended configurations for network entities and validated configurations for the network entities. The method includes generating, by a processing device using the configuration model, one or more recommended configurations for the one or more network entities based on the set of parameters.
Type: Grant
Filed: January 5, 2024
Date of Patent: June 16, 2026
Assignee: CrowdStrike, Inc.
Inventors: Paul Sumedrea, Damian Monea
-
Patent number: 12651057
Abstract: A deterministic finite automaton (DFA) is used by an extended Berkeley packet filter (or “eBPF”) to monitor file system operations and non-file system operations. The DFA is stored as an eBPF map. Before a kernel of an operating system executes any file system operation, the kernel runs an eBPF program that queries the DFA for a filename associated with the system operation. The DFA represents safe/suspicious filenames associated with computer files. If the filename matches the DFA, then the kernel notifies a cybersecurity agent. The cybersecurity agent may then block or allow the file system operation, depending on whether the filename is safe or suspicious. The DFA stored in the extended BPF thus greatly improves computer functioning by very quickly and simply identifying safe/suspicious operations.
Type: Grant
Filed: October 26, 2023
Date of Patent: June 9, 2026
Assignee: CrowdStrike, Inc.
Inventor: Justin John Kevin Deschamp
-
Patent number: 12645796
Abstract: The present disclosure provides an approach of analyzing multiple modalities of a file to produce multiple analysis tokens. Each one of the analysis tokens corresponds to a respective modality of the file. The approach provides the multiple analysis tokens to an artificial intelligence model, which is trained to produce an intermediate representation vector based on the plurality of analysis tokens. In turn the approach uses the artificial intelligence model to produce, based on the intermediate representation vector, a classification that indicates whether the file corresponds to a cybersecurity threat.
Type: Grant
Filed: January 25, 2024
Date of Patent: June 2, 2026
Assignee: CrowdStrike, Inc.
Inventors: Andrew Southgate, Paul Sumedrea
-
Patent number: 12632624
Abstract: The present disclosure provides techniques for sensor event based activity hour modelling. A processing device obtains, via a sensor application installed on a user device, a plurality of events occurring on the user device, where each event in the plurality of events includes a respective day and a respective time. The processing device aggregates, based on the respective day and the respective time, the plurality of events to generate time series data. The processing device performs a smoothing operation on the time series data to generate a curve. The processing device classifies an event on the user device as usual or unusual based on a baseline level of activity on the user device and the curve.
Type: Grant
Filed: January 21, 2025
Date of Patent: May 19, 2026
Assignee: CrowdStrike, Inc.
Inventors: Tim Rütermann-Franz, Cullen Boldt, Ori Zuckerman
-
Patent number: 12634299
Abstract: Techniques for aggregating data usable for generating security recommendations are discussed herein. A system can aggregate detection data from host devices associated with different organizations based on profile information describing each organization. The system can analyze the aggregated data to identify potential security threats in a data stream, and generate recommendation data usable for defending the data stream from future malicious events.
Type: Grant
Filed: May 30, 2023
Date of Patent: May 19, 2026
Assignee: CrowdStrike, Inc.
Inventors: Theo Chihaia, Jaclyn Abrams, Joel Robert Spurlock, Joseph Faulhaber
-
Patent number: 12627700
Abstract: Techniques, systems, and computer-readable media for dynamic behavior-based asset classification are described herein. An asset classification system can detect and receive data associated with a host computer, determine, based on the data, a behavior associated with the host computer, assign the host computer a server classification based on the determination that the behavior represents a behavior of focus, and record the assigned server classification associated with the host computer. In various examples, the asset classification system can determine the behavior is a behavior of focus based on one or more of: a number of connections to other computers associated with a shared customer identifier, a number of unique other host computers connecting to the host computer, and/or a number of unique non-local accounts that have logged in to the host computer, and that the host computer has had an inbound connection on a common port.
Type: Grant
Filed: December 19, 2023
Date of Patent: May 12, 2026
Assignee: CrowdStrike, Inc.
Inventors: Ryan Inghilterra, Shaefer Drew, Michael Brautbar
-
Patent number: 12625973
Abstract: Prediction of CPEs using banners greatly improves computer functioning. Many web services have an unknown common platform enumeration (CPE). When the CPE is unknown, a computer system is unable to obtain cybersecurity flaws and software fixes for a software product or web service. A CPE, though, is predicted by banner-prompting a large language model using a web service banner. Once the CPE is predicted, vulnerabilities may be identified.
Type: Grant
Filed: February 10, 2025
Date of Patent: May 12, 2026
Assignee: CrowdStrike, Inc.
Inventors: Shaefer Drew, Michael Avraham Brautbar
-
Patent number: 12627692
Abstract: Malicious indicators rule generation using historical data is provided. A method includes receiving, from threat detection engines of a plurality of vendor systems, a plurality of threat detection indications for a dataset. Each threat detection indication of the plurality of threat detection indications receives a vendor-specific tokenization based on historical data associated with the plurality of vendor systems. The method further includes identifying, from the plurality of threat detection indications, a lead detection from a first vendor system of the plurality of vendor systems and an accuracy detection from at least one second vendor system of the plurality of vendor systems. The lead detection and the accuracy detection have overlapping data from the dataset.
Type: Grant
Filed: May 6, 2024
Date of Patent: May 12, 2026
Assignee: CrowdStrike, Inc.
Inventors: Mihai Maganu, Andrei Stoian, Ernest Szocs, Paul Urian
-
Publication number: 20260127265
Abstract: A cybersecurity model assessment service assesses machine learning and/or artificial intelligence models for cybersecurity threats. When an endpoint client device encounters an ML/AI model, the client device may stop processing the ML/AI model and determine its provenance. The provenance identifies a base, foundational, or origin model from which the ML/AI model derives. The provenance, for example, determines whether the ML/AI model originates from, derives from, or is sufficiently similar to a known good/safe model or to a known bad/unsafe model. The cybersecurity model assessment service may then predict a computer behavior of the ML/AI model, based on the provenance. Similarity to a known good/safe model, for example, may be safe to run, while similarity to a known bad/unsafe model is unsafe to run.
Type: Application
Filed: November 1, 2024
Publication date: May 7, 2026
Applicant: CrowdStrike, Inc.
Inventors: Andrew Southgate, Alexandru Dinu, Dragos Georgian Corlãtescu, Ioana Croitoru
-
Patent number: 12619429
Abstract: Systems and methods of utilizing a large language model (LLM) to reverse engineer software is provided. The method includes obtaining sample assembly language from coded information or data. The sample assembly language is input to a machine learning (ML) model trained to recognize when the sample assembly language includes malicious code. The method further includes identifying, from the sample assembly language, a functionality implemented by the sample assembly language, where the functionality is indicative of whether the sample assembly language includes the malicious code. The method further includes generating, by a processing device, a natural language indication of the functionality implemented by the sample assembly language. The natural language indication is an output of the ML model.
Type: Grant
Filed: December 26, 2023
Date of Patent: May 5, 2026
Assignee: CrowdStrike, Inc.
Inventors: Felix Schwyzer, Aditya Kapoor, Calin-Bogdan Miron, Marian Radu
-
Patent number: 12619610
Abstract: Estimating a cost of executing a query on a set of data involves executing logic to: estimate a size of each datum in the set of data; receive a query specifying a value for a first datum and a plurality of additional datum in the set of data associated with the first datum, and a maximum number of first datum to be retrieved from the set of data that have the specified value; estimate a cost of executing the query based on the maximum number of first datum to be retrieved from the set of data that have the specified value, the plurality of additional datum associated with the first datum, and the estimated size of the first datum and each of the additional datum associated with the first datum; and execute the query on the set of data responsive to the estimated cost.
Type: Grant
Filed: September 26, 2024
Date of Patent: May 5, 2026
Assignee: Crowdstrike, Inc.
Inventor: Hazim Avdal
-
Patent number: 12613954
Abstract: An approach is provided that trains an artificial intelligence model (AIM) using training data to produce a generalized AIM, wherein the training data comprises log-collected data corresponding to multiple application types and the generalized AIM is trained to detect one or more cross-platform cybersecurity threats. The approach identifies multiple application-specific training data sets, wherein each one of the application-specific training data sets includes labeled application logs corresponding to one of the multiple application types. The approach then fine-tunes the generalized AIM using the multiple application-specific training data sets to produce multiple dedicated AIMs, wherein each one of the dedicated AIMs is trained to detect one or more application-centric cybersecurity threats targeted at a corresponding one of the application types.
Type: Grant
Filed: October 25, 2023
Date of Patent: April 28, 2026
Assignee: CrowdStrike, Inc.
Inventors: Paul Sumedrea, Cristian Viorel Popa, Dragos Corlatescu, Vasile-Daniel Sava
-
Publication number: 20260111548
Abstract: A cybersecurity service assesses cybersecurity detections reported by endpoint client devices. The cybersecurity detections are compared to different groupings of historical cybersecurity detections. Each grouping of the historical cybersecurity detections shares common traits, features, and other characteristics. As each new cybersecurity detection is received, the cybersecurity service determines the best match between the new cybersecurity detection and the different groupings of the historical cybersecurity detections, based on similar traits, features, and other characteristics. The cybersecurity service may thus commonly assess the new cybersecurity detection based on the best match.
Type: Application
Filed: October 21, 2024
Publication date: April 23, 2026
Applicant: CrowdStrike, Inc.
Inventors: Ryan Inghilterra, Michael Avraham Brautbar
-
Publication number: 20260113323
Abstract: A cybersecurity service assesses, scores, and/or prioritizes activities associated with a directory service. When the directory service is requested to change a directory service assignment, the directory service may first request a verdict from the cybersecurity service. The cybersecurity service may use profiling and/or machine learning to predict directory service assignments. The cybersecurity service may then score and prioritize requests to change/update directory service assignments. Small deviations from predicted directory service assignments, for example, may indicate harmless/normal directory service activity. Larger deviations, though, may indicate abnormal directory service activity. Larger deviations may even indicate malicious directory service activity, such as permission escalation and cyberbreaches. Scoring and prioritization allows for resource allocation and timely mitigations by human experts.
Type: Application
Filed: April 7, 2025
Publication date: April 23, 2026
Applicant: CrowdStrike, Inc.
Inventors: Brenden Thomas Bishop, Michael Avraham Brautbar
-
Patent number: 12602477
Abstract: Techniques for determining that a program installed on a computing device may be indicative of performing a targeted intrusion of the computing device are described. A log file associated with the computing device may be generated. Various indicators from the log file may be determined. A security program may determine that the program may be indicative of performing the targeted intrusion based on at least one of the indicators. The security program may determine an action to take based on the indication of performing the targeted intrusion.
Type: Grant
Filed: May 1, 2023
Date of Patent: April 14, 2026
Assignee: CrowdStrike, Inc.
Inventors: Connor Brant, David Williams
-
Publication number: 20260099617
Abstract: Multi-modal query processing greatly improves computer functioning. A single cybersecurity sensory nodal server concurrently processes standing queries, agent point queries, and agent fleet queries. The single cybersecurity sensory nodal server is dedicated to locally storing electronic data associated with a cybersecurity sensory agent installed at a client device. Because the single cybersecurity sensory nodal server locally stores the single source of the electronic data, the single cybersecurity sensory nodal server answers the standing queries, agent point queries, and agent fleet queries using less hardware resources, less network resources, less electrical energy, and less time.
Type: Application
Filed: October 9, 2024
Publication date: April 9, 2026
Applicant: CrowdStrike, Inc.
Inventors: Timothy Jason Berger, Marcus Andrew King, Thomas Francis Lyons, Brent Ryan Nash, James Robert Plush
-
Patent number: 12596627
Abstract: A system and method for application discovery in a computing environment utilize static analysis. The method includes receiving data of an application, the application deployed on a workload in a first computing environment; detecting a plurality of anchor points in the data; and generating an application graph, including a plurality of first nodes, based on the plurality of anchor points, wherein each anchor point corresponds to a first node, and wherein at least a first node of the plurality of nodes is connected to at least another node of the plurality of nodes.
Type: Grant
Filed: March 21, 2022
Date of Patent: April 7, 2026
Assignee: CrowdStrike, Inc.
Inventors: Saar Mano, Amir Sidis, Eyal Mamo
-
Publication number: 20260095470
Abstract: Prediction of cybersecurity breaches greatly improves computer functioning. When a client device reports a cybersecurity detection, the cybersecurity detection is compared to true positive cybersecurity detection characteristics. The true positive cybersecurity detection characteristics represent true positive cybersecurity detections that remain after applying a false positive pruning operation. If the cybersecurity detection conforms to the true positive cybersecurity detection characteristics, then the cybersecurity detection may be categorized as true positive and abnormal operation. The false positive pruning operation removes false positive influences to produce a more accurate detection of abnormal/suspicious/malicious computer usage/activity.
Type: Application
Filed: September 29, 2024
Publication date: April 2, 2026
Applicant: CrowdStrike, Inc.
Inventors: Vitaly Zaytsev, Ryan Inghilterra, Joel Robert Spurlock, Michael Avraham Brautbar, Robert Andrew Molony
-
Publication number: 20260089177
Abstract: Prediction of false positive cybersecurity detections greatly improves computer functioning. When a client device reports a cybersecurity detection, the cybersecurity detection is compared to a false positive cybersecurity detection profile. The false positive cybersecurity detection profile represents false positive characteristics associated with false positive cybersecurity detections. If the cybersecurity detection conforms to the false positive cybersecurity detection profile, then the cybersecurity detection may be categorized as false positive and normal operation. If, however, the cybersecurity detection fails to conform to the false positive cybersecurity detection profile, then the cybersecurity detection may be categorized as true positive and abnormal operation. The identification of false positive cybersecurity detections produces a more accurate detection of legitimate computer usage/activity.
Type: Application
Filed: September 24, 2024
Publication date: March 26, 2026
Applicant: CrowdStrike, Inc.
Inventors: Vitaly Zaytsev, Ryan Inghilterra, Joel Robert Spurlock, Michael Avraham Brautbar
-
Publication number: 20260087144
Abstract: Prediction of matches between CPEs and banners greatly improves computer functioning. Many web services have an unknown common platform enumeration (CPE). When the CPE is unknown, a computer system is unable to obtain cybersecurity flaws and software fixes for a software product or web service. A similarity between the CPE and a service banner, though, accurately predicts a match between the CPE and the web service. CPEs, for example, may thus be identified for old, obsolete, and uncommon software products and services.
Type: Application
Filed: September 25, 2024
Publication date: March 26, 2026
Applicant: CrowdStrike, Inc.
Inventors: Shaefer Drew, Moshe Shimon Perez, Michael Avraham Brautbar, Yotam Lichter