Patents Assigned to Darktrace Holdings Limited
  • Patent number: 12238140
    Abstract: Methods, systems, and apparatus are disclosed for an Artificial Intelligence based cyber security system. An Artificial Intelligence based cyber analyst can make use of a data structure containing multiple tags to assist in creating a consistent, expanding modeling of an ongoing cyber incident. The Artificial Intelligence based cyber analyst can make use of a cyber incident graph database when rendering that incident to an end user. The Artificial Intelligence based cyber analyst can also be used as a mechanism to evaluate the quality of the alerts coming from 3rd parties' security tools both when the system being protected by the cyber security appliance is not actually under attack by a cyber threat as well as during an attack by a cyber threat.
    Type: Grant
    Filed: January 7, 2022
    Date of Patent: February 25, 2025
    Assignee: Darktrace Holdings Limited
    Inventors: Timothy Owen Bazalgette, Constance Alice Chapman
  • Patent number: 12225045
    Abstract: A cyber threat defense system can incorporate data from a Software-as-a-Service (SaaS) application hosted by a third-party operator platform to identify cyber threats related to that SaaS application. The cyber threat defense module can have a SaaS module to collect third-party event data from the third-party operator platform. The cyber threat defense system can have a comparison module to compare third-party event data for a network entity to at least one machine-learning model of a network entity using a normal behavior benchmark to spot behavior deviating from normal benign behavior. The comparison module can identify whether the network entity is in a breach state. The cyber threat defense system can have a cyber threat module to identify whether the breach state and a chain of relevant behavioral parameters correspond to a cyber threat. An autonomous response module can execute an autonomous response in response to the cyber threat.
    Type: Grant
    Filed: June 22, 2023
    Date of Patent: February 11, 2025
    Assignee: Darktrace Holdings Limited
    Inventors: Jacob Araiza, Andrew Woodford, David Palmer
  • Patent number: 12223046
    Abstract: Disclosed herein is a method for detection of a cyber-threat to a computer system. The method is arranged to be performed by a processing apparatus. The method comprises receiving input data associated with a first entity associated with the computer system, deriving metrics from the input data, the metrics representative of characteristics of the received input data, analysing the metrics using one or more models, and determining, in accordance with the analysed metrics and a model of normal behavior of the first entity, a cyber-threat risk parameter indicative of a likelihood of a cyber-threat. A computer readable medium, a computer program and a threat detection system are also disclosed.
    Type: Grant
    Filed: October 12, 2022
    Date of Patent: February 11, 2025
    Assignee: Darktrace Holdings Limited
    Inventors: Jack Stockdale, Alex Markham
  • Patent number: 12200494
    Abstract: A coordinator module, a cyber threat analyst module, and AI models trained to model a normal pattern of life for entities in a wireless domain and a normal pattern of life for entities in a second domain cooperate with a combination of wireless sensors with RF protocol adapters to monitor and analyze wireless activity and probes to monitor activity in the second domain in order to analyze an anomaly of interest in a wider view of another domain's activity. These modules and models understand and assess the wireless activity and the activity from the second domain in light of the AI models modelling the pattern of life for entities in a wireless domain and/or in the second domain in order to detect a cyber threat indicated at least by the anomaly of interest. A formatting model generates an alert and/or a report.
    Type: Grant
    Filed: January 7, 2022
    Date of Patent: January 14, 2025
    Assignee: Darktrace Holdings Limited
    Inventor: Simon David Lincoln Fellows
  • Patent number: 12170902
    Abstract: A cyber security appliance can inoculate a fleet of network devices by analyzing each endpoint of a secure connection. The appliance can receive a hostname for a malicious web server. The appliance can generate an unencrypted target fingerprint based on sending a series of unencrypted connection protocol requests to the malicious web server and an encrypted target fingerprint based on sending a series of encrypted secure connection protocol requests to the malicious web server. The appliance can build a combined web server fingerprint for the malicious web server based on both the encrypted target fingerprint derived and the unencrypted target fingerprint. The appliance can determine a set of suspicious IP addresses based on the combined web server fingerprint for the malicious web server. The appliance can inoculate a fleet of network devices against a cyberattack using the IP addresses to preemptively alert the fleet of cyber-attack.
    Type: Grant
    Filed: January 7, 2022
    Date of Patent: December 17, 2024
    Assignee: Darktrace Holdings Limited
    Inventor: Carl Joseph Salji
  • Patent number: 12126636
    Abstract: Disclosed herein is a method for use in detection of anomalous behavior of a device of a computer system. The method is arranged to be performed by a processing system. The method includes deriving values, m1, ..., mN, of a metric, M, representative of data associated with the device; modeling a distribution of the values; and determining, in accordance with the distribution of the values, the probability of observing a more extreme value of the metric than a given value, m, of the metric, wherein the probability is used to determine whether the device is behaving anomalously. Also disclosed is an equivalent computer readable medium and anomalous behavior detection system.
    Type: Grant
    Filed: December 29, 2020
    Date of Patent: October 22, 2024
    Assignee: Darktrace Holdings Limited
    Inventors: Tom Dean, Jack Stockdale
  • Patent number: 12069073
    Abstract: Cyber threat defense systems and methods are provided. The system includes a network module, an analyzer module and a classifier. The network module ingests network data, which is provided to one or more machine learning models included in the analyzer module. Each machine learning model identifies metrics associated with the network data and outputs a score indicative of whether anomalous network data metrics are caused by a cyber threat. These output scores are provided to the classifier, which determines a probability that a cybersecurity breach has occurred.
    Type: Grant
    Filed: February 26, 2021
    Date of Patent: August 20, 2024
    Assignee: Darktrace Holdings Limited
    Inventors: Dickon Murray Humphrey, Timothy Owen Bazalgette, Andres Curto Martin
  • Patent number: 12063243
    Abstract: An autonomous email-report composer composes a type of report on cyber threats that is composed in a human-readable format with natural language prose, terminology, and level of detail on the cyber threats aimed at a target audience. The autonomous email-report composer cooperates with libraries with prewritten text templates with i) standard pre-written sentences written in the natural language prose and ii) prewritten text templates with fillable blanks that are populated with data for the cyber threats specific for a current report being composed, where a template for the type of report contains two or more sections in that template, each section having different standard pre-written sentences written in the natural language prose.
    Type: Grant
    Filed: July 29, 2020
    Date of Patent: August 13, 2024
    Assignee: Darktrace Holdings Limited
    Inventors: John Anthony Boyer, Dickon Humphrey, Matthew Dunn
  • Patent number: 12034767
    Abstract: An AI adversary red team configured to pentest email and/or network defenses implemented by a cyber threat defense system used to protect an organization and all its entities. AI model(s) trained with machine learning on contextual knowledge of the organization and configured to identify data points from the contextual knowledge including language-based data, email/network connectivity and behavior pattern data, and historic knowledgebase data. The trained AI models cooperate with an AI classifier in producing specific organization-based classifiers for the AI classifier. A phishing email generator generates automated phishing emails to pentest the defense systems, where the phishing email generator cooperates with the AI models to customize the automated phishing emails based on the identified data points of the organization and its entities. The customized phishing emails are then used to initiate one or more specific attacks on one or more specific users associated with the organization and its entities.
    Type: Grant
    Filed: February 26, 2021
    Date of Patent: July 9, 2024
    Assignee: Darktrace Holdings Limited
    Inventors: Maximilian Florian Thomas Heinemeyer, Stephen James Pickman, Carl Joseph Salji
  • Patent number: 11997113
    Abstract: A traffic manager module of a cyber threat defense platform that can differentiate between data flows to a client device. A registration module can register a connection between devices within a client network to transmit a series of data packets. A classifier module can execute a comparison of features of the connection to a set of interest criteria to determine an interest level for the cyber threat defense platform in the connection. The classifier module can apply an interest classifier describing the interest level to the connection based on the comparison. A deep packet inspection engine can examine the data packets of the connection for cyber threats if the interest classifier indicates interest. A diverter can shunt the data packets of the connection away from the deep packet inspection engine if the interest classifier indicates no interest.
    Type: Grant
    Filed: February 26, 2021
    Date of Patent: May 28, 2024
    Assignee: Darktrace Holdings Limited
    Inventors: Guy Alexander Howlett, Alex Ian Markham, Martina Balintova, Andrew Stewart Woodford, Jack Benjamin Stockdale
  • Patent number: 11985142
    Abstract: A cyber defense system using machine learning models trained on the classification of structured documents, such as emails, in order to identify a cyber threat risk of the incoming or outgoing structured document and to cause one or more autonomous actions to be taken in relation to the structured document based on a comparison of a category the structured document is classified with, a score associated with the classification and a threshold score. For incoming structured documents, the autonomous actions of the cyber defense system may act to contain a malign nature of identified incoming structured documents. For outgoing structured documents, the autonomous actions of the cyber defense system may act to prevent the structured document from being sent to an unintended recipient.
    Type: Grant
    Filed: February 26, 2021
    Date of Patent: May 14, 2024
    Assignee: Darktrace Holdings Limited
    Inventor: Antony Steven Lawson
  • Patent number: 11973774
    Abstract: A multi-stage anomaly detector analyzes an anomalous process chain in real time and rapidly determines whether the process chain is indicative of a cyber threat on an endpoint computing device in a multi-host environment. The multi-stage anomaly detector is used in an analyzer module configured within a host endpoint agent on that device. The analyzer module generates an anomaly score to correlate a likelihood that the cyber threat detected is harmful to that device. The multi-stage anomaly detector includes multiple stages of anomaly detectors including a first stage, a second stage, and a third stage of the anomaly detectors. Each stage generates its own anomaly score to produce at least one rapidly determined anomaly score as well as one thoroughly determined anomaly score. Each anomaly score is generated from various computational processes and factors different from the computational processes and factors of the other stages of anomaly detectors.
    Type: Grant
    Filed: February 26, 2021
    Date of Patent: April 30, 2024
    Assignee: Darktrace Holdings Limited
    Inventor: Euan Miller McLean
  • Patent number: 11962552
    Abstract: An endpoint agent extension of a cyber defense system for email that includes modules and machine learning models. An integration module integrates with an email client application to detect email cyber threats in emails in the email client application as well as regulate emails. An action module interfaces with the email client application to direct autonomous actions against an outbound email and/or its files when a cyber threat module determines the email and/or its files (a) to be a data exfiltration threat, (b) to be both malicious and anomalous behavior as compared to a user's modeled email behavior, and (c) any combination of these. The autonomous actions can include actions of logging a user off the email client application, preventing the sending of the email, stripping the attached files and/or disabling the link to the files from the email, and sending a notification to cyber security personnel regarding the email.
    Type: Grant
    Filed: August 27, 2020
    Date of Patent: April 16, 2024
    Assignee: Darktrace Holdings Limited
    Inventors: Stephen Pickman, Matthew Dunn
  • Patent number: 11962608
    Abstract: A cyber-threat defense system for a network including its email domain protects this network from cyber threats. Modules utilize machine learning models as well as communicate with a cyber threat module. Modules analyze the wide range of metadata from the observed email communications. The cyber threat module analyzes with the machine learning models trained on a normal behavior of email activity and user activity associated with the network and in its email domain in order to determine when a deviation from the normal behavior of email activity and user activity is occurring. A mass email association detector determines a similarity between highly similar emails being i) sent from or ii) received by a collection of two or more individual users in the email domain in a substantially simultaneous time frame. Mathematical models can be used to determine similarity weighing in order to derive a similarity score between compared emails.
    Type: Grant
    Filed: October 14, 2022
    Date of Patent: April 16, 2024
    Assignee: Darktrace Holdings Limited
    Inventors: Matthew Dunn, Matthew Ferguson, Stephen Pickman
  • Patent number: 11936667
    Abstract: A cyber threat defense system and a method for detecting a cyber threat may use a predictor, e.g. a Transformer deep learning model, which is configured to predict a next item in the sequence of events and to detect one or more anomalies in the sequence of events. This provides a notification comprising (i) information about the one or more anomalies; and (ii) a prediction of what would have been expected.
    Type: Grant
    Filed: February 26, 2021
    Date of Patent: March 19, 2024
    Assignee: Darktrace Holdings Limited
    Inventor: Carl Joseph Salji
  • Patent number: 11924238
    Abstract: A cyber-defense appliance securely communicates and cooperates with a suite of different lightweight probes that can ingest onboard traffic from multiple different independent systems using protocols for at least one of a data link layer, a physical layer, and then one or more of an application layer, a transport layer, a network layer, and any combination of these layers when a protocol is used in that layer in the independent system. The lightweight probe ingests data and meta data with an independent system it resides within. The appliance has AI models to model a normal pattern of life in each of the independent systems using the data and/or meta data from protocols listed above. An analyzer module cooperates with the AI models that model a normal pattern of life in each of the independent systems to determine when abnormal behavior or suspicious activity is detected.
    Type: Grant
    Filed: July 29, 2020
    Date of Patent: March 5, 2024
    Assignee: Darktrace Holdings Limited
    Inventor: Simon David Lincoln Fellows
  • Patent number: 11902321
    Abstract: An expert interface component can automatically connect a system user with a system support expert. A user interface module can present a threat-tracking graphical user interface and a query interface component integrated into the threat-tracking graphical user interface to a system user belonging to a client team to review a potential cyber threat and receive a query for assistance. The query interface component can allow the system user to digitally grab a visual data container displaying information and containing a data object. The query interface component can collect the visual data container from the threat-tracking graphical user interface into a collection window of the query interface component. A communication module provides an incident ticket containing the query and the visual data container to a system support expert at a remote platform.
    Type: Grant
    Filed: May 16, 2022
    Date of Patent: February 13, 2024
    Assignee: Darktrace Holdings Limited
    Inventors: Michael Beck, Jack Stockdale
  • Patent number: 11902322
    Abstract: The network reachability module maps and dynamically tracks network reachability of network addresses and/or devices. The network reachability module can map and dynamically track network reachability of a response-orchestrator engine, via communicating and cooperating with the response-orchestrator engine. The network reachability module has a tracking module to 1) monitor network traffic and 2) keep a list of known devices and/or known subnets on the network, which is dynamically tracked and updated as previously unknown devices and subnets on the network are detected. A trigger module generates a spoofed transmission and/or response communication, supported by a network protocol used by the network. The spoofed transmission and/or response communication can be used to map network reachability of i) network devices, ii) network addresses, and iii) any combination of both, which either 1) can receive or 2) cannot receive protocol communications from a host for the network reachability module in the network.
    Type: Grant
    Filed: August 12, 2022
    Date of Patent: February 13, 2024
    Assignee: Darktrace Holdings Limited
    Inventors: Robert Hutchinson, Alex Markham, Krystian Szczur
  • Patent number: 11843628
    Abstract: A cyber security appliance has one or more modules to interact with entities in an operational technology network and potentially in an informational technology network. The operational technology module can reference various machine-learning models trained on a normal pattern of life of users, devices, and/or controllers of the operational technology network. A comparator module cooperates with the operational technology module to compare the received data on the operational technology network to the normal pattern of life of any of the users, devices, and controllers to detect anomalies in the normal pattern of life for these entities in order to detect a cyber threat. An autonomous response module can be programmed to respond to counter the detected cyber threat.
    Type: Grant
    Filed: February 19, 2019
    Date of Patent: December 12, 2023
    Assignee: Darktrace Holdings Limited
    Inventors: Simon Fellows, Jack Stockdale
  • Patent number: 11799898
    Abstract: A cyber threat defense system can leverage identifying threats by spotting deviations from normal behavior to create a system-wide inoculation regimen. The cyber threat defense system can have a comparison module to execute a comparison of input data for a network entity to at least one machine-learning model of a generic network entity using a normal behavior benchmark to spot behavior deviating from normal benign behavior. The comparison module can identify whether the network entity is in a breach state. The cyber threat defense system can have a cyber threat module to identify whether the breach state and a chain of relevant behavioral parameters correspond to a cyber threat. The cyber threat defense system can have an inoculation module to send an inoculation notice to warn of a potential cyber threat to a target device.
    Type: Grant
    Filed: February 19, 2019
    Date of Patent: October 24, 2023
    Assignee: Darktrace Holdings Limited
    Inventors: Dickon Humphrey, Matthew Bispham, Jack Stockdale