Patents Assigned to RAPID7, INC.
-
Publication number: 20230034866
Abstract: Systems and methods are disclosed to infer, using a machine learned model, a service protocol of a server based on the banner data produced by the server. In embodiments, the machine learned model is implemented by a network scanner configured to receive banner data from open ports on servers. A received banner is parsed into a set of features, such as the counts or presence of particular characters or strings in the banner. In embodiments, certain types of banner content such as network addresses, hostnames, dates, and times, are replaced with special characters. The machine learned model is applied to the features to infer a most likely protocol of the server port that produced the banner. Advantageously, the model can be trained to perform the inference task with high accuracy and without using human-specified rules, which can be brittle for unconventional banner data and carry undesired biases.
Type: Application
Filed: October 12, 2022
Publication date: February 2, 2023
Applicant: Rapid7, Inc.
Inventors: Roy Hodgman, Derek Abdine, Thomas Sellers, Prashant Subbarao
-
Publication number: 20230033317
Abstract: Systems and methods are provided to build a machine learned exploitability risk model that predicts, based on the characteristics of a set of machines, a normalized risk score quantifying the risk that the machines are exploitable by a set of attacks. To build the model, a training dataset is constructed by labeling characteristic data of a population of machines with exploitation test results obtained by simulating a set of attacks on the population. The model is trained using the training data to accurately predict a probability that a given set of machines is exploitable by the set of attacks. In embodiments, the model may be used to make quick assessments about how vulnerable a set of machines are to the set of attacks. In embodiments, the model may be used to compare the effectiveness of different remediation actions to protect against the set of attacks.
Type: Application
Filed: October 11, 2022
Publication date: February 2, 2023
Applicant: Rapid7, Inc.
Inventors: Wah-Kwan Lin, Leonardo Varela Guevara, Cody Pierce
-
Patent number: 11567838
Abstract: Disclosed herein are methods, systems, and processes for automated log entry identification and alert management. A log statement that includes a log format string and is part of program code associated with a computer program is accessed at a log management server. The execution of the log statement generates a log string that is associated with a trigger pattern of an alert configuration. A fixed part of the log format string that remains unchanged during execution of the log statement when the program code associated with the computer program is executed is extracted and a template is generated for the log statement to track changes to the fixed part of the log format string that causes a mismatch between the trigger pattern of the alert configuration and the log string. The template is then stored.
Type: Grant
Filed: April 27, 2020
Date of Patent: January 31, 2023
Assignee: Rapid7, Inc.
Inventors: Benoit Gaudin, Boris Afanasiev
-
Publication number: 20230012829
Abstract: Methods and systems for training a language processing model. The methods may involve receiving a first log record in a first format, wherein the first log record includes annotations describing items in the first log record, and then creating a second log record in a second format comprising data from the first log record utilizing the annotations in the first log record and a conversion rule set. The second log record may then be used to train a language processing model so that a trained model can identify items in a third log record and the relationships therebetween.
Type: Application
Filed: September 19, 2022
Publication date: January 19, 2023
Applicant: Rapid7, Inc.
Inventor: Wah-Kwan Lin
-
Publication number: 20230021190
Abstract: Methods and systems for generating a search expression. The system begins with an empty search expression, and iteratively expands the search expression until some terminating condition is reached.
Type: Application
Filed: September 19, 2022
Publication date: January 19, 2023
Applicant: Rapid7, Inc.
Inventors: Viliam Holub, Trevor Parsons
-
Publication number: 20230004561
Abstract: Systems and methods are disclosed for an approximate string searching technique to search for match results that have character differences with the search string. A cost is computed to measure the amount of character differences, and a match is recognized if the cost is below a threshold. The match is determined based on an inferred state machine, whose states are iteratively generated in computer memory for successive characters in the input text. States are added to represent modifications to the string needed to account for character differences and track the costs of the modifications. States are removed when their costs become excessive. Advantageously, the search process never generates the full state machine in memory, retaining only a selected set of best states to continue with the approximate match process. The technique thus enables a practicable implementation of approximate searching that can tolerate an arbitrary number of character deviations.
Type: Application
Filed: September 8, 2022
Publication date: January 5, 2023
Applicant: Rapid7, Inc.
Inventors: Viliam Holub, Eoin Shanley, Trevor Parsons
-
Patent number: 11544158
Abstract: Disclosed herein are methods, systems, and processes for automated log entry identification and alert management. A log statement that includes a log format string and is part of program code associated with a computer program is accessed at a log management server. The execution of the log statement generates a log string that is associated with a trigger pattern of an alert configuration. A fixed part of the log format string that remains unchanged during execution of the log statement when the program code associated with the computer program is executed is extracted and a template is generated for the log statement to track changes to the fixed part of the log format string that causes a mismatch between the trigger pattern of the alert configuration and the log string. The template is then stored.
Type: Grant
Filed: March 30, 2020
Date of Patent: January 3, 2023
Assignee: Rapid7, Inc.
Inventors: Benoit Gaudin, Boris Afanasiev
-
Patent number: 11546369
Abstract: Systems and methods are disclosed to implement a self-learning machine assessment system that automatically tunes what data is collected from remote machines. In embodiments, agents are deployed on remote machines to collect machine characteristics data according to collection rule sets, and to report the collected data to the machine assessment system. The machine assessment system assesses the remote machines using the collected data, and automatically determines, based on what data was or was not needed during the assessment, whether an agent's collection rule set should be changed. Any determined changes are sent back to the agent, causing the agent to update its scope of collection. The auto-tuning process may continue over multiple iterations until the agent's collection scope is stabilized. In embodiments, the assessment process may be used to analyze the remote machine to determine security vulnerabilities, and recommend possible actions to take to mitigate the vulnerabilities.
Type: Grant
Filed: March 30, 2022
Date of Patent: January 3, 2023
Assignee: Rapid7, Inc.
Inventors: Paul-Andrew Joseph Miseiko, Ross Barrett
-
Patent number: 11539734
Abstract: Methods and systems for identifying a vulnerability on a network are disclosed. The methods described herein may involve executing a first scanning function to obtain a first view of a network and then filtering the first view of the network for at least one point of exposure of a first entity that originates from a second entity. The methods described herein may further involve executing a secondary scanning function to identify any vulnerabilities of the first entity based on the point of exposure of the first entity that originates from the second entity and implementing a threat prevention procedure upon identifying a vulnerability of the first entity based on the point of exposure of the first entity that originates from the second entity.
Type: Grant
Filed: December 20, 2019
Date of Patent: December 27, 2022
Assignee: Rapid7, Inc.
Inventors: Wah-Kwan Lin, Paul Deardorff
-
Patent number: 11539733
Abstract: Disclosed herein are methods, systems, processes, and machine learning models for identifying ephemeral or short lived computing assets in a network. Data indicative of potential ephemeralness associated with the computing assets in the network is received. The received data is processed and provided as input to a logistic machine learning model trainer for classification based on logistic regression. The logistic machine learning model trainer classifies each computing asset as ephemeral or non-ephemeral based on one or more ephemeralness feature characteristics of each of the computing assets that are part of input data. The logistic machine learning model trainer generates a trained logistic machine learning model for identifying new ephemeral computing assets in the network and excluding these new ephemeral computing assets from security operations. The logistic machine learning model is then stored for automatically determining whether a new computing asset in the network is ephemeral.
Type: Grant
Filed: December 20, 2019
Date of Patent: December 27, 2022
Assignee: Rapid7, Inc.
Inventor: Ralph McTeggart
-
Patent number: 11537708
Abstract: Disclosed herein are methods, systems, processes, and machine learning paradigms to implement a password semantic analysis pipeline.
Type: Grant
Filed: January 21, 2020
Date of Patent: December 27, 2022
Assignee: Rapid7, Inc.
Inventors: Ralph McTeggart, Karin Gemmert
-
Patent number: 11537722
Abstract: Disclosed herein are methods, systems, and processes to perform passive and realtime software identification and data collection for vulnerability management. Vulnerability management based on agent-collected event data involves monitoring a process start event associated with an application executing on a computing device that is part of a network, identifying a binary location of the process start event, and based on the binary location, identifying a software type of the application and a version of the software type. Vulnerability management based on event data in logs involves monitoring the process start event for configuration or file changes, generating fingerprint rules by mapping the configuration or files changes and the process start event associated with a software installation or an upgrade of the software, and processing log data to fingerprint the software type and the version of the software type.
Type: Grant
Filed: April 29, 2020
Date of Patent: December 27, 2022
Assignee: Rapid7, Inc.
Inventor: Sheung Hei Joseph Yeung
-
Patent number: 11539736
Abstract: Disclosed herein are methods, systems, and processes for utilizing computing entity resolution for network asset correlation. A scanned dataset that includes newly scanned node information that identifies newly scanned nodes on a network is received from a security server. The newly scanned node information is extracted from the scanned dataset and indicates that the newly scanned nodes cannot be identified as being part of existing computing devices in the network. The newly scanned node information is processed with a network asset correlator and the processing results in a set of asset correlation results for the newly scanned nodes. An existing computing device is identified based on a highest disparate correlation probability in the set of asset correlation results and the security server is instructed to perform a security action on the identified existing computing device.
Type: Grant
Filed: October 21, 2020
Date of Patent: December 27, 2022
Assignee: Rapid7, Inc.
Inventor: Wah-Kwan Lin
-
Patent number: 11526727
Abstract: Systems and methods are disclosed to implement a chart recommendation system that recommends charts to users during a chart building process. In embodiments, when a new chart is being created, specified features of the chart are provided to a machine learned model such as a self-organizing map. The model will determine a previous chart that is the most similar to the new chart and recommend the previous chart to the user for recreation. In embodiments, newly created charts are added to a library and used to update the model. Charts that are highly popular or authored by expert users may be weighed more heavily during model updates, so that the model will be more influenced by these charts. Advantageously, the disclosed system allows novice users to easily find similar charts created by other users. Additionally, the disclosed system is able to automatically group similar charts without using human-defined classification rules.
Type: Grant
Filed: May 14, 2020
Date of Patent: December 13, 2022
Assignee: Rapid7, Inc.
Inventor: Frank Mitchell
-
Patent number: 11522886
Abstract: Methods and systems for scanning a network. The disclosed methods may involve receiving a list of a plurality of target devices and scanning a first device to determine if a particular port and protocol combination appears to be open on the first device. Upon determining that a particular port and protocol combination appears to be open on the first device, the method involves interrogating the first device before or during scanning of a second device to gather data regarding a service running on the first device.
Type: Grant
Filed: April 26, 2022
Date of Patent: December 6, 2022
Assignee: Rapid7, Inc.
Inventors: Roy Hodgman, Jonathan Hart
-
Patent number: 11522773
Abstract: Disclosed herein are methods, systems, and processes for performing optimized batched packet processing in deep packet inspection (DPI) computing systems. A batch of network packets is received. A stateless processing operation is performed for the batch that includes updating a current time for the batch, decoding the network packets in the batch, creating a flow-hash lookup key for each decoded network packet, and generating a first output that includes the current time and corresponding flow-hash lookup keys for the decoded network packets. Next, a stateful processing operation is performed for the batch that includes accessing the first output of the stateless processing operation, dividing the batch into multiple sub-batches, performing a parallel flow-hash table lookup operation on the network packets that are part of the sub-batches, and generating a second output that includes the sub-batches with associated packet flows.
Type: Grant
Filed: October 1, 2020
Date of Patent: December 6, 2022
Assignee: Rapid7, Inc.
Inventor: Gianpaolo Tedesco
-
Patent number: 11522913
Abstract: Methods, systems, and processes to simplify networking setup complexity for security agents implemented in cybersecurity computer environments are disclosed. A request with an intentionally bad Transport Layer Security (TLS) handshake is transmitted from an agent to a server. An indication is received from the server that the request has been rejected. A Round Trip Time (RTT) of the request and rejection of the request is determined. The server is then pinged based on the RTT. The subsequent pinging does not require whitelisting of an additional port and does not negatively interact with network intermediaries that support protocol detection.
Type: Grant
Filed: August 18, 2021
Date of Patent: December 6, 2022
Assignee: Rapid7, Inc.
Inventors: Xi Yang, Paul Miseiko, Bingbin Li
-
Patent number: 11522910
Abstract: Methods and systems for initiating a workflow are disclosed. The systems and methods described herein may receive as input a data segment from an external source, and identify at least one type of data object present in the data segment. The systems and methods described herein may then autonomously generate an application programming interface (API) trigger to initiate a workflow, wherein the API trigger is based on the at least one type of data object present in the data segment.
Type: Grant
Filed: November 21, 2019
Date of Patent: December 6, 2022
Assignee: Rapid7, Inc.
Inventors: Jared Frankston, James Golin, Samantha Goresh, Tyler Terenzoni
-
Patent number: 11522912
Abstract: Disclosed herein are methods, systems, and processes for recovering opaque credentials in deception systems. A plaintext credential is received at a honeypot and a plaintext lookup table is accessed. It is determined that the plaintext credential does not exist in the plaintext lookup table and the plaintext credential is added to the plaintext lookup table and a protocol specific plaintext lookup table. An opaque credential is generated for the plaintext credential and the opaque credential is added to a protocol specific opaque lookup table.
Type: Grant
Filed: March 18, 2021
Date of Patent: December 6, 2022
Assignee: Rapid7, Inc.
Inventors: Thomas Eugene Sellers, Derek Abdine
-
Patent number: 11509670
Abstract: Methods and systems for detecting anomalous network activity. The system may receive network metadata regarding activity on a network and generate at least one of a z-score and a directionality magnitude related to the network activity. The system may then issue an alert upon detecting an anomaly exists on the network based upon at least one of the generated z-score exceeding a z-score threshold and the generated directionality magnitude deviating from a baseline directionality magnitude.
Type: Grant
Filed: November 28, 2018
Date of Patent: November 22, 2022
Assignee: Rapid7, Inc.
Inventor: Dustin Myers