Patents Assigned to RAPID7, INC.
-
Patent number: 12292874
Abstract: Systems and methods are disclosed to implement a bounded group by query system that computes approximate time-sliced statistics for groups of records in a dataset according to a group by query. In embodiments, a single pass scan of the dataset is performed to accumulate exact results for a maximum number of groups in a result grouping structure (RGS) and approximate results for additional groups in an approximate result grouping structure (ARGS). RGSs and ARGSs are accumulated by a set of accumulator nodes and provided to an aggregator node, which combines the received structures to generate exact or approximate statistical results for at least a subset of the groups in the dataset. Advantageously, the disclosed query system is able to produce approximate results for at least some of the groups in a single pass of the dataset using size-bounded data structures, without predetermining the actual number of groups in the dataset.
Type: Grant
Filed: December 12, 2023
Date of Patent: May 6, 2025
Assignee: Rapid7, Inc.
Inventors: Miguel Casanova, David Tracey
-
Patent number: 12294604
Abstract: Systems and methods are provided to build a machine learned exploitability risk model that predicts, based on the characteristics of a set of machines, a normalized risk score quantifying the risk that the machines are exploitable by a set of attacks. To build the model, a training dataset is constructed by labeling characteristic data of a population of machines with exploitation test results obtained by simulating a set of attacks on the population. The model is trained using the training data to accurately predict a probability that a given set of machines is exploitable by the set of attacks. In embodiments, the model may be used to make quick assessments about how vulnerable a set of machines are to the set of attacks. In embodiments, the model may be used to compare the effectiveness of different remediation actions to protect against the set of attacks.
Type: Grant
Filed: October 11, 2022
Date of Patent: May 6, 2025
Assignee: Rapid7, Inc.
Inventors: Wah-Kwan Lin, Leonardo Varela Guevara, Cody Pierce
-
Patent number: 12289346
Abstract: An access policy analysis system may use stored policy summaries to efficiently perform access analysis. A request that causes an access analysis of an entity in a cloud service provider with respect to a resource hosted in the cloud service provider may be received. An access policy summary generated for the entity based on a set of access policies applied by an access management system of the cloud service provider may be obtained. An access policy summary generated for the resource based on the set of access policies may be obtained. A tree structure that describes a hierarchy of entities in the cloud service provider may be traversed to identify a parent node of the entity in the hierarchy of entities. The access analysis may then be generated based on the access policy summaries for the identified node in the tree structure, for the entity and for the resource.
Type: Grant
Filed: May 16, 2024
Date of Patent: April 29, 2025
Assignee: Rapid7, Inc.
Inventors: Matthew Gladney, Elizabeth Prescott, Niluka Bamunuarachchige, Leonardo Colmenares, James Martin, Peter Snelgrove, Nadia Mounzih
-
Patent number: 12289323
Abstract: Embodiments of a cyberattack monitoring system are disclosed to identify successful attacks on a service based on benign activities of the attacker performed after the initial attack attempt. In embodiments, the system identifies the initial attack by matching client actions to known attack patterns. Clients observed with attempted attacks are remembered as suspected attackers. The system will then monitor subsequent actions of suspected attackers for signs that the initial attack attempt was successful. In embodiments, a successful attack is recognized when the system observes one or more subsequent benign actions by the suspected attacker. In embodiments, the presence of follow-on benign actions is used as a filter to filter out unsuccessful attacks and false positives detected by the system. The filtering enables the system to better focus system resources and human attention on a small set of client activities that are likely successful attacks.
Type: Grant
Filed: June 30, 2021
Date of Patent: April 29, 2025
Assignee: Rapid7, Inc.
Inventors: Viliam Holub, Trevor Parsons, Eoin Shanley
-
Patent number: 12289404
Abstract: Various embodiments include systems and methods to implement a password requirement conformity check. During a password reset process, a proposed password is received. A homomorphic encryption operation may be performed on the proposed password to generate a first character string. The first character string may be compared to a previous character string associated with a previous password to determine a password similarity metric. The password similarity metric may or may not satisfy at least a distance threshold. Responsive to determining that the password similarity metric does not satisfy the distance threshold, there may be a rejection of the proposed password and a prompt to receive an alternative proposed password during the password reset process.
Type: Grant
Filed: February 27, 2024
Date of Patent: April 29, 2025
Assignee: Rapid7, Inc.
Inventors: Roy Hodgman, Vasudha Shivamoggi
-
Patent number: 12267330
Abstract: Disclosed herein are methods, systems, and processes for continuously renewing credentials in application development and testing environments that include application products from third-party vendors. A notification indicating that an existing credential associated with a developer account of a third-party application will expire is received via a webhook. A credential renewal request for a new set of credentials for the developer account is sent using a request method specified for the third-party application and the new set of credentials for the developer account are received within the expiration period via the webhook.
Type: Grant
Filed: February 4, 2022
Date of Patent: April 1, 2025
Assignee: Rapid7, Inc.
Inventor: Michael Robert Rinehart
-
Publication number: 20250103587
Abstract: Embodiments of a transactional database system are described to implement transaction processing over database objects stored in a strongly consistent object storage system. When a transaction is initiated, the system makes a private copy of data objects that are used by the transaction. Reads and writes of the transaction will be performed on the private copy. When the transaction is to be committed, the system verifies that the committed state of the data objects has not changed outside the transaction, and updates metadata object(s) in the data storage system to point to the private copy as the currently committed state of the data objects. If the committed state of any data objects has changed during the transaction, the private copy is abandoned and the transaction is rolled back and/or retried.
Type: Application
Filed: December 9, 2024
Publication date: March 27, 2025
Applicant: Rapid7, Inc.
Inventor: Austin Lee
-
Publication number: 20250103408
Abstract: A software agent executing on a computing device receives a high-level command from a client and converts the high-level command into multiple low-level commands. The software agent executes an individual low-level command on the computing device and sends a result of executing the individual low-level command to the client until each low-level command has been executed.
Type: Application
Filed: December 9, 2024
Publication date: March 27, 2025
Applicant: Rapid7, Inc.
Inventors: Emmett Kelly, Paul Miseiko
-
Publication number: 20250103966
Abstract: An anomaly detection system is disclosed capable of reporting anomalous processes or hosts in a computer network using machine learning models trained using unsupervised training techniques. In embodiments, the system assigns observed processes to a set of process categories based on the file system path of the program executed by the process. The system extracts a feature vector for each process or host from the observation records and applies the machine learning models to the feature vectors to determine an outlier metric for each process or host. The processes or hosts with the highest outlier metrics are reported as detected anomalies to be further examined by security analysts. In embodiments, the machine learning models may be periodically retrained based on new observation records using unsupervised machine learning techniques. Accordingly, the system allows the models to learn from newly observed data without requiring the new data to be manually labeled by humans.
Type: Application
Filed: December 9, 2024
Publication date: March 27, 2025
Applicant: Rapid7, Inc.
Inventors: Jocelyn Beauchesne, John Lim Oh, Vasudha Shivamoggi, Roy Donald Hodgman
-
Publication number: 20250106241
Abstract: Various embodiments include systems and methods of implementing vulnerability check synchronization. Vulnerability check synchronization may occur between computing resources at multiple different locations including a first location and a second location. Custom vulnerability check information associated with a particular security vulnerability may be received via a security console user interface that is located at the first location. A selection may be received, via the security console user interface, of a particular distributed engine to be utilized to perform a scan of one or more assets based at least in part on the custom vulnerability check information. Responsive to a determination to initiate the scan of the one or more assets, transfer of the custom vulnerability check information to the particular distributed engine via one or more networks may be automatically initiated.
Type: Application
Filed: December 9, 2024
Publication date: March 27, 2025
Applicant: Rapid7, Inc.
Inventor: Jack Steers
-
Publication number: 20250106242
Abstract: Various embodiments include systems and methods to implement a process for determining expected exploitability of security vulnerabilities. Vulnerability information corresponding to a security vulnerability is input into a multi-headed neural network. A first feature vector is output via a probability of exploitation head of the multi-headed neural network. The first feature vector is extracted from the vulnerability information and comprises a first set of features. A second feature vector is extracted from code snippets and an abstract syntax tree analyzer, with the second feature vector including a second set of features related to the security vulnerability. The two feature vectors are concatenated to produce a third feature vector, and a regression model is used to determine a probability of exploitation for the security vulnerability based at least in part on the third feature vector.
Type: Application
Filed: December 9, 2024
Publication date: March 27, 2025
Applicant: Rapid7, Inc.
Inventor: Erick Galinkin
-
Publication number: 20250097213
Abstract: A method for authenticated asset assessment is provided. The method involves executing a scan assistant on an asset to allow a remote scan engine to execute one or more scan operations on the asset for determining a state of the asset. The scan assistant may verify the identity of the scan engine by checking that a certificate received from the scan engine is signed with a private key associated with the scan engine. In some embodiments, the authentication may be performed as part of a TLS handshake process that establishes a TLS connection between the scan engine and the scan assistant. Once the scan engine is authenticated, the scan engine may communicate with the scan assistant according to a communication protocol to collect data about the asset. Advantageously, the disclosed technique reduces security risks associated with authenticated scans and improves the performance of authenticated scans.
Type: Application
Filed: December 4, 2024
Publication date: March 20, 2025
Applicant: Rapid7, Inc.
Inventors: Paul Miseiko, James Green
-
Patent number: 12255912
Abstract: Various embodiments include systems and methods of implementing automated assessment scheduling. A set of scheduling parameters may be received, including at least a frequency corresponding to how often assessments are to be completed via a particular automated assessment and a type of assessment to perform in the particular automated assessment. Based at least in part on the set of scheduling parameters, an assessment configuration may be generated. The assessment configuration includes a set of attributes defining how the particular automated assessment is to be performed. At least one scan engine resource of a set of scan engine resources may be identified for utilization in the particular automated assessment. Based at least in part on the assessment configuration and using the at least one scan engine resource, the particular automated assessment may be automatically initiated.
Type: Grant
Filed: October 28, 2021
Date of Patent: March 18, 2025
Assignee: Rapid7, Inc.
Inventors: Paul Miseiko, James Cancilla
-
Patent number: 12242448
Abstract: A database system stores a table as a set of column files in a columnar format in a manner that improves the write performance of the table and avoids use of a separate metadata repository. In embodiments, each column file groups values into entity chunks indexed by an entity index. Each chunk includes a live value index that determines which rows in the chunk have live values. New values are written to the column file by appending an updated copy of the entity chunk. The entity index is updated to refer to the newly written chunk as the latest version. This approach avoids expensive in-place updating of individual column values and allows the update to be performed much more quickly. In embodiments, the database system encodes metadata such as table schema information using file naming and placement conventions in the file store, so that a centralized metadata repository is not required.
Type: Grant
Filed: February 10, 2022
Date of Patent: March 4, 2025
Assignee: Rapid7, Inc.
Inventors: Austin Lee, Vikram Jiandani
-
Patent number: 12242463
Abstract: Embodiments of a transactional database system are described to implement transaction processing over database objects stored in a strongly consistent object storage system. When a transaction is initiated, the system makes a private copy of data objects that are used by the transaction. Reads and writes of the transaction will be performed on the private copy. When the transaction is to be committed, the system verifies that the committed state of the data objects has not changed outside the transaction, and updates metadata object(s) in the data storage system to point to the private copy as the currently committed state of the data objects. If the committed state of any data objects has changed during the transaction, the private copy is abandoned and the transaction is rolled back and/or retried.
Type: Grant
Filed: December 21, 2022
Date of Patent: March 4, 2025
Assignee: Rapid7, Inc.
Inventor: Austin Lee
-
Patent number: 12238127
Abstract: Various embodiments include systems and methods of anomalous data transfer detection. Hotspots for an asset of an organization may be determined, corresponding to period(s) of time in which outbound data from the asset satisfies a hotspot threshold determined to be indicative of high outbound data traffic activity. Based on the outbound data, a first set of days are identified as “quiet” day(s); a second set of days are identified as “active” day(s); and “quiet” hour(s) of the day, associated with “active” day(s), are identified. The “quiet” day(s) and the “quiet” hour(s) are identified as a warmspot dataset, which may be utilized to detect anomalous data transfer activity associated with the asset. Detecting the anomalous data transfer activity includes computing one or more statistics on the warmspot dataset. Responsive to detecting the anomalous data transfer activity, an alert associated with the asset may be generated.
Type: Grant
Filed: January 18, 2022
Date of Patent: February 25, 2025
Assignee: Rapid7, Inc.
Inventors: Vasudha Shivamoggi, Roy Hodgman
-
Patent number: 12238133
Abstract: Various embodiments include systems and methods to implement predictive scan autoscaling by a security platform to predict scanning loads associated with computing resources. Predictive scan autoscaling may improve the security posture of computing resources by improving the speed by which a security platform may scan for threats of a cyberattack. The security platform may predict scanning loads based on data indicative of previous scanning loads over one or more periods of time. The security platform may combine predicted scanning loads with requests for scans received from various client networks.
Type: Grant
Filed: June 21, 2022
Date of Patent: February 25, 2025
Assignee: Rapid7, Inc.
Inventors: Luke Matear, Stephen Hegarty
-
Publication number: 20250062897
Abstract: Various embodiments include systems and methods to implement a password requirement conformity check. During a password reset process, a proposed password is received. A homomorphic encryption operation may be performed on the proposed password to generate a first character string. The first character string may be compared to a previous character string associated with a previous password to determine a password similarity metric. The password similarity metric may or may not satisfy at least a distance threshold. Responsive to determining that the password similarity metric does not satisfy the distance threshold, there may be a rejection of the proposed password and a prompt to receive an alternative proposed password during the password reset process.
Type: Application
Filed: February 27, 2024
Publication date: February 20, 2025
Applicant: Rapid7, Inc.
Inventors: Roy Hodgman, Vasudha Shivamoggi
-
Publication number: 20250053601
Abstract: A Uniform Resource Identifier (URI) discovery system is implemented that evaluates web configuration servers obtained from web servers to determine the existence and configuration of URIs hosted by the web servers. To discover URIs, the URI discovery system may obtain web server configuration files, and other metadata, from collection agents executing on web servers. The web server configuration files may then be parsed to evaluate the combinations of hosts, paths, and ports for the web server that may correspond to respective URIs. A URI discovery result may then be generated that describes the discovered URIs and includes configurations of the different URIs. The URI discovery result may be stored in an entry for the web server.
Type: Application
Filed: August 14, 2023
Publication date: February 13, 2025
Applicant: Rapid7, Inc.
Inventors: Adam Smith, Ross Kirk, Jack Pincombe
-
HASHING TECHNIQUES FOR ASSOCIATING ASSETS RELATED TO EVENTS WITH ADDRESSABLE COMPUTER NETWORK ASSETS
Publication number: 20250030557
Abstract: Techniques for associating assets related to events detected in at least one computer network with respective assets in an asset catalog for the at least one computer network. The techniques comprising: obtaining information about an event related to a first asset, the information specifying computer network addressing information for the first asset; generating a signature of the first asset from the computer network addressing information using at least one trained machine learning model, wherein the signature comprises a numeric representation of the first asset; associating the first asset with at least one asset in the asset catalog using the signature and at least one signature of the at least one asset in the asset catalog, wherein the at least one signature was previously determined using the at least one trained machine learning model; and outputting information identifying the at least one asset with which the first asset was associated.
Type: Application
Filed: October 4, 2024
Publication date: January 23, 2025
Applicant: Rapid7, Inc.
Inventors: Stuart Millar, Ralph McTeggart