Patents Assigned to RAPID7, INC.
  • Publication number: 20240146763
    Abstract: Various embodiments include implementing an interceptor for application security testing. The interceptor may intercept traffic, including one or more traffic items, between a scan engine and a target application. The traffic item(s) may include a request directed to the target application from a scan engine implementing application security testing or a response from the target application responsive to request(s) from the scan engine. The interceptor may determine that a particular traffic item satisfies a particular traffic trigger associated with a particular traffic action comprising a manipulation to the traffic between the scan engine and the target application. The particular traffic action is one of a plurality of predefined traffic actions that the interceptor is configured to perform across different scan engine versions, different scan configurations, or both.
    Type: Application
    Filed: January 9, 2024
    Publication date: May 2, 2024
    Applicant: Rapid7, Inc.
    Inventor: Barry Curran
  • Patent number: 11973793
    Abstract: Disclosed herein are methods, systems, and processes to distribute and disperse search loads to optimize security event processing in cybersecurity computing environments. A search request that includes a domain specific language (DSL) query directed to a centralized search cluster by an event processing application is intercepted. The event processing application is inhibited from issuing the search request to the centralized search cluster if a structured or semi-structured document matches the DSL query.
    Type: Grant
    Filed: January 19, 2023
    Date of Patent: April 30, 2024
    Assignee: Rapid7, Inc.
    Inventors: Austin Lee, Gerardo Perez
  • Patent number: 11973792
    Abstract: Various embodiments include systems and methods to implement a process for generating vulnerability check information for performing vulnerability assessments associated with security vulnerabilities. Vulnerability information corresponding to a security vulnerability is input into a multi-headed neural network. An extractive summary of the vulnerability information is output via a vulnerability check head of the multi-headed neural network. Synthetic scan results forming a set of positive examples are generated based at least in part on the extractive summary. An inductive logic programming system is implemented that uses the positive examples and predefined negative examples as inputs to determine, using a set covering algorithm, a general logic program that matches the positive examples and does not match the negative examples.
    Type: Grant
    Filed: February 9, 2022
    Date of Patent: April 30, 2024
    Assignee: Rapid7, Inc.
    Inventor: Erick Galinkin
  • Patent number: 11973775
    Abstract: Systems and methods are disclosed to implement a network data interpretation pipeline to recognize machine operations (MOs) and machine activities (MAs) from network traffic data observed in a monitored network. In embodiments, a MO recognition engine is implemented in the network to recognize MOs from network sensor events (NSEs) based on defined recognition patterns. The MOs and any unrecognized NSEs are uploaded to a network monitoring system, where they are further analyzed by a MA recognition engine to recognize higher-level machine activities performed by machines. The NSEs, MOs, and MAs are used by the network monitoring system to implement a variety of security threat detection processes. Advantageously, the pipeline may be used to add rich contextual information about the raw network data to facilitate security threat detection processes.
    Type: Grant
    Filed: April 21, 2021
    Date of Patent: April 30, 2024
    Assignee: Rapid7, Inc.
    Inventor: Luis Ramos dos Santos Lopes
  • Patent number: 11971893
    Abstract: Systems and methods are disclosed to implement a bounded group by query system that computes approximate time-sliced statistics for groups of records in a dataset according to a group by query. In embodiments, a single pass scan of the dataset is performed to accumulate exact results for a maximum number of groups in a result grouping structure (RGS) and approximate results for additional groups in an approximate result grouping structure (ARGS). RGSs and ARGSs are accumulated by a set of accumulator nodes and provided to an aggregator node, which combines the received structures to generate exact or approximate statistical results for at least a subset of the groups in the dataset. Advantageously, the disclosed query system is able to produce approximate results for at least some of the groups in a single pass of the dataset using size-bounded data structures, without predetermining the actual number of groups in the dataset.
    Type: Grant
    Filed: July 22, 2020
    Date of Patent: April 30, 2024
    Assignee: Rapid7, Inc.
    Inventors: David Christopher Tracey, Miguel Angel Casanova
  • Publication number: 20240129335
    Abstract: Methods and systems for identifying assets for review. The methods described herein involve generating an organizational statistical model describing assets associated with a first organization and generating a report identifying a discrepancy between the organizational statistical model and an identified asset of the first type associated with the first organization.
    Type: Application
    Filed: November 27, 2023
    Publication date: April 18, 2024
    Applicant: Rapid7, Inc.
    Inventors: Richard Tsang, Fatemeh Kazemeyni, Evgeniya Barkova
  • Patent number: 11956255
    Abstract: Embodiments of a cyberattack monitoring system are disclosed to identify successful attacks on a service based on benign activities of the attacker performed after the initial attack attempt. In embodiments, the system identifies the initial attack by matching client actions to known attack patterns. Clients observed with attempted attacks are remembered as suspected attackers. The system will then monitor subsequent actions of suspected attackers for signs that the initial attack attempt was successful. In embodiments, a successful attack is recognized when the system observes one or more subsequent benign actions by the suspected attacker. In embodiments, the presence of follow-on benign actions is used as a filter to filter out unsuccessful attacks and false positives detected by the system. The filtering enables the system to better focus system resources and human attention on a small set of client activities that are likely successful attacks.
    Type: Grant
    Filed: June 30, 2021
    Date of Patent: April 9, 2024
    Assignee: Rapid7, Inc.
    Inventors: Viliam Holub, Trevor Parsons, Eoin Shanley
  • Patent number: 11956260
    Abstract: Systems and methods are disclosed to implement a cyberattack detection system that monitors a computer network for lateral movement. In embodiments, the system uses network data from a computer network to build a baseline of connection behaviors for the network. Connection graphs are generated from new network data that indicate groups of nodes that made connections with one another during a last time interval. The graphs are analyzed for connection behavior anomalies and ranked to determine a subset of graphs with suspected lateral movement. Graphs with suspected lateral movement may be further analyzed to determine a set of possible attack paths in the lateral movements. The suspected attack paths are reported to network administrators via a notification interface. Advantageously, the disclosed system is able to detect potential lateral movements in localized portions of a network by monitoring for connection behavior anomalies in network data gathered from the network.
    Type: Grant
    Filed: May 8, 2023
    Date of Patent: April 9, 2024
    Assignee: Rapid7, Inc.
    Inventors: Vasudha Shivamoggi, Roy Donald Hodgman, Katherine Wilbur
  • Publication number: 20240104076
    Abstract: Systems and methods are disclosed to implement a bounded group by query system that computes approximate time-sliced statistics for groups of records in a dataset according to a group by query. In embodiments, a single pass scan of the dataset is performed to accumulate exact results for a maximum number of groups in a result grouping structure (RGS) and approximate results for additional groups in an approximate result grouping structure (ARGS). RGSs and ARGSs are accumulated by a set of accumulator nodes and provided to an aggregator node, which combines the received structures to generate exact or approximate statistical results for at least a subset of the groups in the dataset. Advantageously, the disclosed query system is able to produce approximate results for at least some of the groups in a single pass of the dataset using size-bounded data structures, without predetermining the actual number of groups in the dataset.
    Type: Application
    Filed: December 12, 2023
    Publication date: March 28, 2024
    Applicant: Rapid7, Inc.
    Inventors: Miguel Casanova, David Tracey
  • Patent number: 11934433
    Abstract: Methods and systems for generating a search expression. The system begins with an empty search expression, and iteratively expands the search expression until some terminating condition is reached.
    Type: Grant
    Filed: September 19, 2022
    Date of Patent: March 19, 2024
    Assignee: Rapid7, Inc.
    Inventors: Viliam Holub, Trevor Parsons
  • Patent number: 11930108
    Abstract: Various embodiments include systems and methods to implement a password requirement conformity check. During a password reset process, a proposed password is received. A homomorphic encryption operation may be performed on the proposed password to generate a first character string. The first character string may be compared to a previous character string associated with a previous password to determine a password similarity metric. The password similarity metric may or may not satisfy at least a distance threshold. Responsive to determining that the password similarity metric does not satisfy the distance threshold, there may be a rejection of the proposed password and a prompt to receive an alternative proposed password during the password reset process.
    Type: Grant
    Filed: February 8, 2022
    Date of Patent: March 12, 2024
    Assignee: Rapid7, Inc.
    Inventors: Roy Hodgman, Vasudha Shivamoggi
  • Patent number: 11921673
    Abstract: Systems and methods for concurrently performing multiple searches of a file system based on a plurality of search requests. Each search request belonging to the plurality of search requests has a search root. A common set of search roots is identified from the plurality of search roots. A first window function is generated based upon a first search root belonging to the common set of search roots. Candidates located in a plurality of directory trees are enumerated. Each of the directory trees belonging to the plurality of directory trees begins in a search root in the common set of search roots. The candidates are evaluated based upon a first search criteria and the first window function. And, the candidates that satisfy both the first search criteria and the first window function are reported as a result.
    Type: Grant
    Filed: September 7, 2021
    Date of Patent: March 5, 2024
    Assignee: Rapid7, Inc.
    Inventor: Tyler Fisher
  • Patent number: 11921912
    Abstract: Inter-chip communication data in an Internet-of-Things (IoT) device is manipulated and analyzed to identify and remediate security vulnerabilities. Inter-chip communication data in the IoT device is captured. Communication direction, address format, flow control, communication timing, and communication structure associated with the inter-chip communication data are identified. Based on the foregoing identification(s), portions of the inter-chip communication data that require modification are identified so that that inter-chip communication data can be replayed. Based on the modification and the replaying, security vulnerabilities in the IoT device are identified and remediated.
    Type: Grant
    Filed: February 14, 2022
    Date of Patent: March 5, 2024
    Assignee: Rapid7, Inc.
    Inventors: Deral Heiland, Matthew Kienow, Pearce Barry
  • Patent number: 11917411
    Abstract: Disclosed herein are methods, systems, and processes to detect rogue wireless access points and determine their approximate location in a geospatial location. Wireless access point data collected from wireless access points by fixed sensor nodes and agent-based sensor nodes in a geospatial location is received. A wireless site survey is performed at the geospatial location based on the wireless access point data. Based on the wireless site survey, an approximate location of a rogue wireless access point at the geospatial location is determined.
    Type: Grant
    Filed: June 30, 2022
    Date of Patent: February 27, 2024
    Assignee: Rapid7, Inc.
    Inventors: John Robert Southern, Jack Matthew Heysel, Tyler Stiller, Kasra Asadzadeh, Sharon Katz
  • Patent number: 11909764
    Abstract: Various embodiments include implementing an interceptor for application security testing. The interceptor may intercept traffic, including one or more traffic items, between a scan engine and a target application. The traffic item(s) may include a request directed to the target application from a scan engine implementing application security testing or a response from the target application responsive to request(s) from the scan engine. The interceptor may determine that a particular traffic item satisfies a particular traffic trigger associated with a particular traffic action comprising a manipulation to the traffic between the scan engine and the target application. The particular traffic action is one of a plurality of predefined traffic actions that the interceptor is configured to perform across different scan engine versions, different scan configurations, or both.
    Type: Grant
    Filed: July 1, 2021
    Date of Patent: February 20, 2024
    Assignee: Rapid7, Inc.
    Inventor: Barry Curran
  • Patent number: 11909759
    Abstract: Methods and systems for identifying assets for review. The methods described herein involve generating an organizational statistical model describing assets associated with a first organization and generating a report identifying a discrepancy between the organizational statistical model and an identified asset of the first type associated with the first organization.
    Type: Grant
    Filed: August 22, 2019
    Date of Patent: February 20, 2024
    Assignee: Rapid7, Inc.
    Inventors: Richard Tsang, Fatemeh Kazemeyni, Evgeniya Barkova
  • Publication number: 20240039733
    Abstract: Techniques for verifying correctness of associations between assets related to events detected in at least one computer network and assets in an asset catalog for the at least one computer network. The techniques include: obtaining information specifying a first asset and a first set of assets with which the first asset was previously associated; generating a signature of the first asset from computer network addressing information for the first asset using at least one trained machine learning model; associating the first asset with a second set of assets using the signature and at least one signature of the at least one asset, wherein the at least one signature was previously determined using the at least one trained machine learning model; and when it is determined that the second set includes the first set, outputting an indication that the first asset was correctly associated with the first set of assets.
    Type: Application
    Filed: March 27, 2023
    Publication date: February 1, 2024
    Applicant: Rapid7, Inc.
    Inventors: Stuart Millar, Ralph McTeggart
  • Publication number: 20240039779
    Abstract: Techniques for associating assets related to events detected in at least one computer network with respective assets in an asset catalog for the at least one computer network. The techniques comprise: obtaining information about an event related to a first asset, the information specifying computer network addressing information for the first asset; generating a signature of the first asset from the computer network addressing information using at least one trained machine learning model, wherein the signature comprises a numeric representation of the first asset; associating the first asset with at least one asset in the asset catalog using the signature and at least one signature of the at least one asset in the asset catalog, wherein the at least one signature was previously determined using the at least one trained machine learning model; and outputting information identifying the at least one asset with which the first asset was associated.
    Type: Application
    Filed: March 27, 2023
    Publication date: February 1, 2024
    Applicant: Rapid7, Inc.
    Inventors: Stuart Millar, Ralph McTeggart
  • Publication number: 20240039730
    Abstract: Techniques for associating assets related to events detected in at least one computer network with respective assets in an asset catalog for the at least one computer network. The techniques include: while monitoring activity on the at least one computer network, obtaining information about an event related to a first asset, the information specifying computer network addressing information for the first asset; generating a signature of the first asset from the computer network addressing information; generating a hashed signature of the first asset by applying a locality sensitive hashing (LSH) technique to the signature; associating the first asset with at least one asset in the asset catalog using the hashed signature of the first asset and at least one hashed signature of the at least one asset in the asset catalog; and outputting information identifying the at least one asset with which the first asset was associated.
    Type: Application
    Filed: March 27, 2023
    Publication date: February 1, 2024
    Applicant: Rapid7, Inc.
    Inventors: Stuart Millar, Ralph McTeggart
  • Publication number: 20240039911
    Abstract: Techniques for verifying correctness of associations between assets related to events detected in at least one computer network and assets in an asset catalog for the at least one computer network. The techniques include obtaining information specifying a first asset and a first set of assets with which the first asset was previously associated; generating a signature of the first asset from the computer network addressing information for the first asset; generating a hashed signature by applying a locality sensitive hashing (LSH) technique to the signature; associating the first asset with a second set of assets in the asset catalog using the hashed signature and at least one hashed signature of the at least one asset in the asset catalog; and when it is determined that the second set includes the first set, outputting an indication that the first asset was correctly associated with the first set of assets.
    Type: Application
    Filed: March 27, 2023
    Publication date: February 1, 2024
    Applicant: Rapid7, Inc.
    Inventors: Stuart Millar, Ralph McTeggart