Patents Assigned to RAPID7, INC.
  • Patent number: 12388843
    Abstract: Various embodiments include systems and methods to implement a security platform providing cyberattack detection using multiple stages of classifiers. The security platform may use a first stage of classifiers to analyze multiple requests from a client device to a service. The first stage of classifiers may determine an initial indication of whether a request is indicative of a cyberattack and provide the initial indication to a second stage of classifiers. The second stage of classifiers may, based on initial indication of a cyberattack over a period of time, determine whether a cyberattack is underway.
    Type: Grant
    Filed: September 7, 2022
    Date of Patent: August 12, 2025
    Assignee: Rapid7, Inc.
    Inventor: Pojan Shahrivar
  • Patent number: 12388858
    Abstract: A server determines vulnerabilities associated with components of a computing device. The server determines attributes associated with individual vulnerabilities. The server determines a subset of the vulnerabilities that includes unexploited vulnerabilities. The server executes a machine learning model to predict a probability of an exploit being created for a particular unexploited vulnerability in the subset. The server sends to a device: information identifying the particular unexploited vulnerability, particular attributes associated with the particular unexploited vulnerability, and the probability of an exploit being created for the particular unexploited vulnerability.
    Type: Grant
    Filed: May 19, 2022
    Date of Patent: August 12, 2025
    Assignee: Rapid7, Inc.
    Inventor: Wah-Kwan Lin
  • Patent number: 12388871
    Abstract: Various embodiments include systems and methods to implement a security posture recommender system. The security posture recommender system may improve the security posture of a deployment of assets by generating recommendation data indicating how to modify the deployment of assets. A deployment may be described by deployment data. The recommendation data may be based on similarities and/or differences between deployment data for a particular user and deployment data associated with users that are within a cluster of users similar to the particular user.
    Type: Grant
    Filed: May 12, 2022
    Date of Patent: August 12, 2025
    Assignee: Rapid7, Inc.
    Inventors: Ralph McTeggart, Martin Hutchings, Matthew McCarrison
  • Patent number: 12381892
    Abstract: Various embodiments include systems and methods pertaining to a security service platform that detects security threats based on a security service that operates on structurally deduplicated network data. The security service performs a security analysis that includes rule matching to detect threats to a network, where the rule matching operates on the structurally deduplicated data. The security service may compile one or more rulesets into an executable binary that efficiently operates over the format of the structurally deduplicated data.
    Type: Grant
    Filed: May 30, 2023
    Date of Patent: August 5, 2025
    Assignee: Rapid7, Inc.
    Inventors: Gianni Tedesco, Luke Coughlan, Morgan Nally, Sai Krishna Lakshminarayanan
  • Publication number: 20250227127
    Abstract: An access policy analysis system may use stored policy summaries to efficiently perform access analysis. A request that causes an access analysis of an entity in a cloud service provider with respect to a resource hosted in the cloud service provider may be received. An access policy summary generated for the entity based on a set of access policies applied by an access management system of the cloud service provider may be obtained. An access policy summary generated for the resource based on the set of access policies may be obtained. A tree structure that describes a hierarchy of entities in the cloud service provider may be traversed to identify a parent node of the entity in the hierarchy of entities. The access analysis may then be generated based on the access policy summaries for the identified node in the tree structure, for the entity and for the resource.
    Type: Application
    Filed: March 28, 2025
    Publication date: July 10, 2025
    Applicant: Rapid7, Inc.
    Inventors: Matthew Gladney, Elizabeth Prescott, Niluka Bamunuarachchige, Leonardo Colmenares, James Martin, Peter Snelgrove, Nadia Mounzih
  • Patent number: 12355797
    Abstract: An entity tracking system and method for a computer network employs proactive data collection and enrichment driven by configurable rules and workflows responsive to the discovery of new entities, changes to existing entities, and specifics about the entities' attributes. The data collection is used in conjunction with graph technologies to map interactions and relationships between various entities interacting in the computer environment and deduce interactions and relationships between the entities. The method and system provide for abstract entity types and collation nodes.
    Type: Grant
    Filed: April 20, 2022
    Date of Patent: July 8, 2025
    Assignee: RAPID7, INC.
    Inventors: Allen D. Hadden, Hugh Pyle, Kenneth Allen Rogers
  • Patent number: 12348536
    Abstract: Various embodiments include systems and methods pertaining to a security service platform that detects security threats based on a security service that operates on structurally deduplicated network data. The security service may operate within a cloud environment and perform the security analysis that includes compiling a ruleset to generate an executable, where the executable is run over the structurally deduplicated event data. If the executable identifies a rule match for a given portion of structurally deduplicated event data, then the security service platform may reconstruct the structurally deduplicated event data to access all portions of a network event associated with the structurally deduplicated event data that triggered the rule match. The security service platform may use the reconstructed event data to generate and provide an alert that indicates a detected cyberattack.
    Type: Grant
    Filed: May 30, 2023
    Date of Patent: July 1, 2025
    Assignee: Rapid7, Inc.
    Inventors: Sai Krishna Lakshminarayanan, Gianni Tedesco, Morgan Nally, Luke Coughlan
  • Patent number: 12339859
    Abstract: Systems and methods are disclosed to implement a distributed query execution system that performs statistical operations on specified time windows over time-based datasets. In embodiments, the query system splits a statistical function into a set of parallel accumulator tasks that correspond to different portions of the dataset and/or function time windows. The accumulator tasks are executed in parallel by individual accumulator nodes to generate individual statistical result structures. The structures are then combined by an aggregator node to produce an aggregate result structure that indicates the results of the statistical function over the time windows. In embodiments, the accumulator and aggregator tasks are implemented and executed using a programmable task execution framework that allows developers to define custom accumulator and aggregator tasks.
    Type: Grant
    Filed: May 24, 2022
    Date of Patent: June 24, 2025
    Assignee: Rapid7, Inc.
    Inventors: David C. Tracey, Miguel A. Casanova
  • Patent number: 12335405
    Abstract: Techniques for verifying correctness of associations between assets related to events detected in at least one computer network and assets in an asset catalog for the at least one computer network. The techniques include: obtaining information specifying a first asset and a first set of assets with which the first asset was previously associated; generating a signature of the first asset from computer network addressing information for the first asset using at least one trained machine learning model; associating the first asset with a second set of assets using the signature and at least one signature of the at least one asset, wherein the at least one signature was previously determined using the at least one trained machine learning model; and when it is determined that the second set includes the first set, outputting an indication that the first asset was correctly associated with the first set of assets.
    Type: Grant
    Filed: March 27, 2023
    Date of Patent: June 17, 2025
    Assignee: Rapid7, Inc.
    Inventors: Stuart Millar, Ralph McTeggart
  • Patent number: 12335267
    Abstract: An access policy analysis system may use visual exploration to efficiently perform access analysis. A request to display an effective access of an entity with respect to a resource hosted in a cloud provider may be received via a visual exploration user interface element. An analysis of a set of access policies applied by an access management system to determine an effective access of the entity with respect to the resource may be performed. One or more selectable access policy interface elements may be generated that correspond to one or more access policies of the set of access policies that are used to determine the effective access of the entity with respect to the resource. The one or more selectable access policy interface elements may be included in a display of the visual exploration user interface element along with the determined effective access of the entity with respect to the resource.
    Type: Grant
    Filed: February 10, 2022
    Date of Patent: June 17, 2025
    Assignee: Rapid7, Inc.
    Inventors: Evan Samek, Nicholas Tobolski, James Martin, Mohamed Chalal, Alireza Abedinzadehvatankhah, Kris Rivera
  • Patent number: 12321454
    Abstract: A method includes obtaining a command captured at a computing device to start a process on the computing device submitted via a command line interface. The command is of a plurality of commands captured at respective computing devices that triggered respective alerts to review the plurality of commands. The method includes parsing the command to generate a plurality of tokens that represent the command according to a dictionary of features of commands submitted via the command line interface, generating a feature vector based, at least in part, on the plurality of tokens, applying a classification model, trained on other commands submitted via the command line interface to predict benign commands, to the feature vector to determine a score indicative of a probability that the command is benign, and, responsive to a determination that the score is above a confidence threshold, removing the command from the plurality of commands to be reviewed.
    Type: Grant
    Filed: March 30, 2022
    Date of Patent: June 3, 2025
    Assignee: Rapid7, Inc.
    Inventors: Matthew Berninger, Roy Hodgman, Katherine Wilbur, Vasudha Shivamoggi, Lauren Johnson, Jacqueline Daniel, Luke Ludington
  • Patent number: 12323466
    Abstract: A method for authenticated asset assessment is provided. The method involves executing a scan assistant on an asset to allow a remote scan engine to execute one or more scan operations on the asset for determining a state of the asset. The scan assistant may verify the identity of the scan engine by checking that a certificate received from the scan engine is signed with a private key associated with the scan engine. In some embodiments, the authentication may be performed as part of a TLS handshake process that establishes a TLS connection between the scan engine and the scan assistant. Once the scan engine is authenticated, the scan engine may communicate with the scan assistant according to a communication protocol to collect data about the asset. Advantageously, the disclosed technique reduces security risks associated with authenticated scans and improves the performance of authenticated scans.
    Type: Grant
    Filed: June 21, 2022
    Date of Patent: June 3, 2025
    Assignee: Rapid7, Inc.
    Inventors: Paul Miseiko, Leonardo Varela
  • Patent number: 12314385
    Abstract: An anomaly detection system is disclosed capable of reporting anomalous processes or hosts in a computer network using machine learning models trained using unsupervised training techniques. In embodiments, the system assigns observed processes to a set of process categories based on the file system path of the program executed by the process. The system extracts a feature vector for each process or host from the observation records and applies the machine learning models to the feature vectors to determine an outlier metric for each process or host. The processes or hosts with the highest outlier metrics are reported as detected anomalies to be further examined by security analysts. In embodiments, the machine learning models may be periodically retrained based on new observation records using unsupervised machine learning techniques. Accordingly, the system allows the models to learn from newly observed data without requiring the new data to be manually labeled by humans.
    Type: Grant
    Filed: December 31, 2020
    Date of Patent: May 27, 2025
    Assignee: Rapid7, Inc.
    Inventors: Jocelyn Beauchesne, John Lim Oh, Vasudha Shivamoggi, Roy Donald Hodgman
  • Patent number: 12314401
    Abstract: Various embodiments include systems and methods to implement predictive scan engine runtime durations by a security platform to predict runtime durations associated with computing resources. Predictive scan engine runtime durations may be determined by training a prediction model using a multiple linear regression analysis. For example, the security platform may determine a prediction model using training data that associates runtime durations with configuration inputs associated with a security service that operates with respect to a computing resource. Based on the prediction model, the security platform may determine a runtime estimate for a security service run that is configured similarly to a previous security service run used to train the prediction model.
    Type: Grant
    Filed: June 28, 2022
    Date of Patent: May 27, 2025
    Assignee: Rapid7, Inc.
    Inventors: Luke Matear, Thomas McGuinness
  • Patent number: 12317084
    Abstract: Various embodiments include systems and methods of implementing radio frequency (RF) capture analysis reporting. The implementing may include receiving RF data captured by RF capture component(s) positioned at location(s) within a physical environment. The captured RF data includes RF device metrics associated with RF device(s) identified by the RF capture component(s) as being located within the physical environment. One or more analysis operations may be performed with respect to the RF device(s) based at least in part on the RF device metrics. Based at least in part on a result of the analysis operation(s), a potential security vulnerability associated with a particular RF device may be identified. A report may be generated that identifies at least the potential security vulnerability associated with the particular RF device.
    Type: Grant
    Filed: August 6, 2024
    Date of Patent: May 27, 2025
    Assignee: Rapid7, Inc.
    Inventors: Deral Heiland, Matthew Kienow, Adam Bunn, Alberto Cecioni
  • Patent number: 12316648
    Abstract: Methods and systems for identifying targets on a network. The disclosed methods involve classifying data as valuable or non-valuable, and then classifying an asset associated with the retrieved data as a target or a non-target based in part on the classification of the data.
    Type: Grant
    Filed: July 23, 2019
    Date of Patent: May 27, 2025
    Assignee: Rapid7, Inc.
    Inventors: Matthew Kienow, Brent Cook
  • Patent number: 12301611
    Abstract: A method for authenticated asset assessment is provided. The method includes authenticating, by a scan assistant, a scan engine with the scan assistant for executing one or more scan operations on the asset to determine a state of the asset. The asset includes at least one computing resource. The method also includes receiving, by the scan assistant, a plurality of scan requests associated with the one or more scan operations from the scan engine. The method further includes responding, by the scan assistant, to at least one scan request of the plurality of scan requests by transmitting one or more scan responses to the scan engine after receiving the plurality of scan requests. The scan assistant and the scan engine implement an asynchronous communication protocol that permits the scan engine to send the scan requests without waiting for scan responses for previous scan requests.
    Type: Grant
    Filed: November 1, 2022
    Date of Patent: May 13, 2025
    Assignee: Rapid7, Inc.
    Inventor: Paul Miseiko
  • Patent number: 12301603
    Abstract: In some examples, a server identifies a first and second microservice. The server creates a first mirror to mirror first traffic sent to the first microservice and a second mirror to mirror second traffic sent to the second microservice. The server configures the first and second mirror service to create mirrored traffic out-of-band of a critical request path of the first and second microservice. The server configures the first and second mirror service to modify a header of a mirrored request to indicate: the mirrored request is a mirrored copy of a request, an original source of the request, and an original destination of the request. The server configures the first and second mirror service to send the mirrored traffic to a traffic analyzer that uses artificial intelligence, automated vulnerability scans, or both to identify an anomalous behavior of an offending microservice in the cluster.
    Type: Grant
    Filed: February 8, 2023
    Date of Patent: May 13, 2025
    Assignee: Rapid7, Inc.
    Inventor: Carl Eastman
  • Patent number: 12292874
    Abstract: Systems and methods are disclosed to implement a bounded group by query system that computes approximate time-sliced statistics for groups of records in a dataset according to a group by query. In embodiments, a single pass scan of the dataset is performed to accumulate exact results for a maximum number of groups in a result grouping structure (RGS) and approximate results for additional groups in an approximate result grouping structure (ARGS). RGSs and ARGSs are accumulated by a set of accumulator nodes and provided to an aggregator node, which combines the received structures to generate exact or approximate statistical results for at least a subset of the groups in the dataset. Advantageously, the disclosed query system is able to produce approximate results for at least some of the groups in a single pass of the dataset using size-bounded data structures, without predetermining the actual number of groups in the dataset.
    Type: Grant
    Filed: December 12, 2023
    Date of Patent: May 6, 2025
    Assignee: Rapid7, Inc.
    Inventors: Miguel Casanova, David Tracey
  • Patent number: 12294604
    Abstract: Systems and methods are provided to build a machine learned exploitability risk model that predicts, based on the characteristics of a set of machines, a normalized risk score quantifying the risk that the machines are exploitable by a set of attacks. To build the model, a training dataset is constructed by labeling characteristic data of a population of machines with exploitation test results obtained by simulating a set of attacks on the population. The model is trained using the training data to accurately predict a probability that a given set of machines is exploitable by the set of attacks. In embodiments, the model may be used to make quick assessments about how vulnerable a set of machines are to the set of attacks. In embodiments, the model may be used to compare the effectiveness of different remediation actions to protect against the set of attacks.
    Type: Grant
    Filed: October 11, 2022
    Date of Patent: May 6, 2025
    Assignee: Rapid7, Inc.
    Inventors: Wah-Kwan Lin, Leonardo Varela Guevara, Cody Pierce