Patents Assigned to RAPID7, INC.
-
Patent number: 12381892
Abstract: Various embodiments include systems and methods pertaining to a security service platform that detects security threats based on a security service that operates on structurally deduplicated network data. The security service performs a security analysis that includes rule matching to detect threats to a network, where the rule matching operates on the structurally deduplicated data. The security service may compile one or more rulesets into an executable binary that efficiently operates over the format of the structurally deduplicated data.
Type: Grant
Filed: May 30, 2023
Date of Patent: August 5, 2025
Assignee: Rapid7, Inc.
Inventors: Gianni Tedesco, Luke Coughlan, Morgan Nally, Sai Krishna Lakshminarayanan
-
Publication number: 20250227127
Abstract: An access policy analysis system may use stored policy summaries to efficiently perform access analysis. A request that causes an access analysis of an entity in a cloud service provider with respect to a resource hosted in the cloud service provider may be received. An access policy summary generated for the entity based on a set of access policies applied by an access management system of the cloud service provider may be obtained. An access policy summary generated for the resource based on the set of access policies may be obtained. A tree structure that describes a hierarchy of entities in the cloud service provider may be traversed to identify a parent node of the entity in the hierarchy of entities. The access analysis may then be generated based on the access policy summaries for the identified node in the tree structure, for the entity and for the resource.
Type: Application
Filed: March 28, 2025
Publication date: July 10, 2025
Applicant: Rapid7, Inc.
Inventors: Matthew Gladney, Elizabeth Prescott, Niluka Bamunuarachchige, Leonardo Colmenares, James Martin, Peter Snelgrove, Nadia Mounzih
-
Patent number: 12339859
Abstract: Systems and methods are disclosed to implement a distributed query execution system that performs statistical operations on specified time windows over time-based datasets. In embodiments, the query system splits a statistical function into a set of parallel accumulator tasks that correspond to different portions of the dataset and/or function time windows. The accumulator tasks are executed in parallel by individual accumulator nodes to generate individual statistical result structures. The structures are then combined by an aggregator node to produce an aggregate result structure that indicates the results of the statistical function over the time windows. In embodiments, the accumulator and aggregator tasks are implemented and executed using a programmable task execution framework that allows developers to define custom accumulator and aggregator tasks.
Type: Grant
Filed: May 24, 2022
Date of Patent: June 24, 2025
Assignee: Rapid7, Inc.
Inventors: David C. Tracey, Miguel A. Casanova
-
Patent number: 12335405
Abstract: Techniques for verifying correctness of associations between assets related to events detected in at least one computer network and assets in an asset catalog for the at least one computer network. The techniques include: obtaining information specifying a first asset and a first set of assets with which the first asset was previously associated; generating a signature of the first asset from computer network addressing information for the first asset using at least one trained machine learning model; associating the first asset with a second set of assets using the signature and at least one signature of the at least one asset, wherein the at least one signature was previously determined using the at least one trained machine learning model; and when it is determined that the second set includes the first set, outputting an indication that the first asset was correctly associated with the first set of assets.
Type: Grant
Filed: March 27, 2023
Date of Patent: June 17, 2025
Assignee: Rapid7, Inc.
Inventors: Stuart Millar, Ralph McTeggart
-
Patent number: 12335267
Abstract: An access policy analysis system may use visual exploration to efficiently perform access analysis. A request to display an effective access of an entity with respect to a resource hosted in a cloud provider may be received via a visual exploration user interface element. An analysis of a set of access policies applied by an access management system to determine an effective access of the entity with respect to the resource may be performed. One or more selectable access policy interface elements may be generated that correspond to one or more access policies of the set of access policies that are used to determine the effective access of the entity with respect to the resource. The one or more selectable access policy interface elements may be included in a display of the visual exploration user interface element along with the determined effective access of the entity with respect to the resource.
Type: Grant
Filed: February 10, 2022
Date of Patent: June 17, 2025
Assignee: Rapid7, Inc.
Inventors: Evan Samek, Nicholas Tobolski, James Martin, Mohamed Chalal, Alireza Abedinzadehvatankhah, Kris Rivera
-
Patent number: 12321454
Abstract: A method includes obtaining a command captured at a computing device to start a process on the computing device submitted via a command line interface. The command is of a plurality of commands captured at respective computing devices that triggered respective alerts to review the plurality of commands. The method includes parsing the command to generate a plurality of tokens that represent the command according to a dictionary of features of commands submitted via the command line interface, generating a feature vector based, at least in part, on the plurality of tokens, applying a classification model, trained on other commands submitted via the command line interface to predict benign commands, to the feature vector to determine a score indicative of a probability that the command is benign, and, responsive to a determination that the score is above a confidence threshold, removing the command from the plurality of commands to be reviewed.
Type: Grant
Filed: March 30, 2022
Date of Patent: June 3, 2025
Assignee: Rapid7, Inc.
Inventors: Matthew Berninger, Roy Hodgman, Katherine Wilbur, Vasudha Shivamoggi, Lauren Johnson, Jacqueline Daniel, Luke Ludington
-
Patent number: 12323466
Abstract: A method for authenticated asset assessment is provided. The method involves executing a scan assistant on an asset to allow a remote scan engine to execute one or more scan operations on the asset for determining a state of the asset. The scan assistant may verify the identity of the scan engine by checking that a certificate received from the scan engine is signed with a private key associated with the scan engine. In some embodiments, the authentication may be performed as part of a TLS handshake process that establishes a TLS connection between the scan engine and the scan assistant. Once the scan engine is authenticated, the scan engine may communicate with the scan assistant according to a communication protocol to collect data about the asset. Advantageously, the disclosed technique reduces security risks associated with authenticated scans and improves the performance of authenticated scans.
Type: Grant
Filed: June 21, 2022
Date of Patent: June 3, 2025
Assignee: Rapid7, Inc.
Inventors: Paul Miseiko, Leonardo Varela
-
Patent number: 12314385
Abstract: An anomaly detection system is disclosed capable of reporting anomalous processes or hosts in a computer network using machine learning models trained using unsupervised training techniques. In embodiments, the system assigns observed processes to a set of process categories based on the file system path of the program executed by the process. The system extracts a feature vector for each process or host from the observation records and applies the machine learning models to the feature vectors to determine an outlier metric for each process or host. The processes or hosts with the highest outlier metrics are reported as detected anomalies to be further examined by security analysts. In embodiments, the machine learning models may be periodically retrained based on new observation records using unsupervised machine learning techniques. Accordingly, the system allows the models to learn from newly observed data without requiring the new data to be manually labeled by humans.
Type: Grant
Filed: December 31, 2020
Date of Patent: May 27, 2025
Assignee: Rapid7, Inc.
Inventors: Jocelyn Beauchesne, John Lim Oh, Vasudha Shivamoggi, Roy Donald Hodgman
-
Patent number: 12314401
Abstract: Various embodiments include systems and methods to implement predictive scan engine runtime durations by a security platform to predict runtime durations associated with computing resources. Predictive scan engine runtime durations may be determined by training a prediction model using a multiple linear regression analysis. For example, the security platform may determine a prediction model using training data that associates runtime durations with configuration inputs associated with a security service that operates with respect to a computing resource. Based on the prediction model, the security platform may determine a runtime estimate for a security service run that is configured similarly to a previous security service run used to train the prediction model.
Type: Grant
Filed: June 28, 2022
Date of Patent: May 27, 2025
Assignee: Rapid7, Inc.
Inventors: Luke Matear, Thomas McGuinness
-
Patent number: 12317084
Abstract: Various embodiments include systems and methods of implementing radio frequency (RF) capture analysis reporting. The implementing may include receiving RF data captured by RF capture component(s) positioned at location(s) within a physical environment. The captured RF data includes RF device metrics associated with RF device(s) identified by the RF capture component(s) as being located within the physical environment. One or more analysis operations may be performed with respect to the RF device(s) based at least in part on the RF device metrics. Based at least in part on a result of the analysis operation(s), a potential security vulnerability associated with a particular RF device may be identified. A report may be generated that identifies at least the potential security vulnerability associated with the particular RF device.
Type: Grant
Filed: August 6, 2024
Date of Patent: May 27, 2025
Assignee: Rapid7, Inc.
Inventors: Deral Heiland, Matthew Kienow, Adam Bunn, Alberto Cecioni
-
Patent number: 12316648
Abstract: Methods and systems for identifying targets on a network. The disclosed methods involve classifying data as valuable or non-valuable, and then classifying an asset associated with the retrieved data as a target or a non-target based in part on the classification of the data.
Type: Grant
Filed: July 23, 2019
Date of Patent: May 27, 2025
Assignee: Rapid7, Inc.
Inventors: Matthew Kienow, Brent Cook
-
Patent number: 12301611
Abstract: A method for authenticated asset assessment is provided. The method includes authenticating, by a scan assistant, a scan engine with the scan assistant for executing one or more scan operations on the asset to determine a state of the asset. The asset includes at least one computing resource. The method also includes receiving, by the scan assistant, a plurality of scan requests associated with the one or more scan operations from the scan engine. The method further includes responding, by the scan assistant, to at least one scan request of the plurality of scan requests by transmitting one or more scan responses to the scan engine after receiving the plurality of scan requests. The scan assistant and the scan engine implement an asynchronous communication protocol that permits the scan engine to send the scan requests without waiting for scan responses for previous scan requests.
Type: Grant
Filed: November 1, 2022
Date of Patent: May 13, 2025
Assignee: Rapid7, Inc.
Inventor: Paul Miseiko
-
Patent number: 12301603
Abstract: In some examples, a server identifies a first and second microservice. The server creates a first mirror to mirror first traffic sent to the first microservice and a second mirror to mirror second traffic sent to the second microservice. The server configures the first and second mirror service to create mirrored traffic out-of-band of a critical request path of the first and second microservice. The server configures the first and second mirror service to modify a header of a mirrored request to indicate: the mirrored request is a mirrored copy of a request, an original source of the request, and an original destination of the request. The server configures the first and second mirror service to send the mirrored traffic to a traffic analyzer that uses artificial intelligence, automated vulnerability scans, or both to identify an anomalous behavior of an offending microservice in the cluster.
Type: Grant
Filed: February 8, 2023
Date of Patent: May 13, 2025
Assignee: Rapid7, Inc.
Inventor: Carl Eastman
-
Patent number: 12292874
Abstract: Systems and methods are disclosed to implement a bounded group by query system that computes approximate time-sliced statistics for groups of records in a dataset according to a group by query. In embodiments, a single pass scan of the dataset is performed to accumulate exact results for a maximum number of groups in a result grouping structure (RGS) and approximate results for additional groups in an approximate result grouping structure (ARGS). RGSs and ARGSs are accumulated by a set of accumulator nodes and provided to an aggregator node, which combines the received structures to generate exact or approximate statistical results for at least a subset of the groups in the dataset. Advantageously, the disclosed query system is able to produce approximate results for at least some of the groups in a single pass of the dataset using size-bounded data structures, without predetermining the actual number of groups in the dataset.
Type: Grant
Filed: December 12, 2023
Date of Patent: May 6, 2025
Assignee: Rapid7, Inc.
Inventors: Miguel Casanova, David Tracey
-
Patent number: 12294604
Abstract: Systems and methods are provided to build a machine learned exploitability risk model that predicts, based on the characteristics of a set of machines, a normalized risk score quantifying the risk that the machines are exploitable by a set of attacks. To build the model, a training dataset is constructed by labeling characteristic data of a population of machines with exploitation test results obtained by simulating a set of attacks on the population. The model is trained using the training data to accurately predict a probability that a given set of machines is exploitable by the set of attacks. In embodiments, the model may be used to make quick assessments about how vulnerable a set of machines are to the set of attacks. In embodiments, the model may be used to compare the effectiveness of different remediation actions to protect against the set of attacks.
Type: Grant
Filed: October 11, 2022
Date of Patent: May 6, 2025
Assignee: Rapid7, Inc.
Inventors: Wah-Kwan Lin, Leonardo Varela Guevara, Cody Pierce
-
Patent number: 12289404
Abstract: Various embodiments include systems and methods to implement a password requirement conformity check. During a password reset process, a proposed password is received. A homomorphic encryption operation may be performed on the proposed password to generate a first character string. The first character string may be compared to a previous character string associated with a previous password to determine a password similarity metric. The password similarity metric may or may not satisfy at least a distance threshold. Responsive to determining that the password similarity metric does not satisfy the distance threshold, there may be a rejection of the proposed password and a prompt to receive an alternative proposed password during the password reset process.
Type: Grant
Filed: February 27, 2024
Date of Patent: April 29, 2025
Assignee: Rapid7, Inc.
Inventors: Roy Hodgman, Vasudha Shivamoggi
-
Patent number: 12289346
Abstract: An access policy analysis system may use stored policy summaries to efficiently perform access analysis. A request that causes an access analysis of an entity in a cloud service provider with respect to a resource hosted in the cloud service provider may be received. An access policy summary generated for the entity based on a set of access policies applied by an access management system of the cloud service provider may be obtained. An access policy summary generated for the resource based on the set of access policies may be obtained. A tree structure that describes a hierarchy of entities in the cloud service provider may be traversed to identify a parent node of the entity in the hierarchy of entities. The access analysis may then be generated based on the access policy summaries for the identified node in the tree structure, for the entity and for the resource.
Type: Grant
Filed: May 16, 2024
Date of Patent: April 29, 2025
Assignee: Rapid7, Inc.
Inventors: Matthew Gladney, Elizabeth Prescott, Niluka Bamunuarachchige, Leonardo Colmenares, James Martin, Peter Snelgrove, Nadia Mounzih
-
Patent number: 12289323
Abstract: Embodiments of a cyberattack monitoring system are disclosed to identify successful attacks on a service based on benign activities of the attacker performed after the initial attack attempt. In embodiments, the system identifies the initial attack by matching client actions to known attack patterns. Clients observed with attempted attacks are remembered as suspected attackers. The system will then monitor subsequent actions of suspected attackers for signs that the initial attack attempt was successful. In embodiments, a successful attack is recognized when the system observes one or more subsequent benign actions by the suspected attacker. In embodiments, the presence of follow-on benign actions is used as a filter to filter out unsuccessful attacks and false positives detected by the system. The filtering enables the system to better focus system resources and human attention on a small set of client activities that are likely successful attacks.
Type: Grant
Filed: June 30, 2021
Date of Patent: April 29, 2025
Assignee: Rapid7, Inc.
Inventors: Viliam Holub, Trevor Parsons, Eoin Shanley
-
Patent number: 12267330
Abstract: Disclosed herein are methods, systems, and processes for continuously renewing credentials in application development and testing environments that include application products from third-party vendors. A notification indicating that an existing credential associated with a developer account of a third-party application will expire is received via a webhook. A credential renewal request for a new set of credentials for the developer account is sent using a request method specified for the third-party application and the new set of credentials for the developer account are received within the expiration period via the webhook.
Type: Grant
Filed: February 4, 2022
Date of Patent: April 1, 2025
Assignee: Rapid7, Inc.
Inventor: Michael Robert Rinehart
-
Publication number: 20250106241
Abstract: Various embodiments include systems and methods of implementing vulnerability check synchronization. Vulnerability check synchronization may occur between computing resources at multiple different locations including a first location and a second location. Custom vulnerability check information associated with a particular security vulnerability may be received via a security console user interface that is located at the first location. A selection may be received, via the security console user interface, of a particular distributed engine to be utilized to perform a scan of one or more assets based at least in part on the custom vulnerability check information. Responsive to a determination to initiate the scan of the one or more assets, transfer of the custom vulnerability check information to the particular distributed engine via one or more networks may be automatically initiated.
Type: Application
Filed: December 9, 2024
Publication date: March 27, 2025
Applicant: Rapid7, Inc.
Inventor: Jack Steers