Abstract: A method for authenticated asset assessment is provided. The method includes authenticating, by a scan assistant, a scan engine with the scan assistant for executing one or more scan operations on the asset to determine a state of the asset. The asset includes at least one computing resource. The method also includes receiving, by the scan assistant, a plurality of scan requests associated with the one or more scan operations from the scan engine. The method further includes responding, by the scan assistant, to at least one scan request of the plurality of scan requests by transmitting one or more scan responses to the scan engine after receiving the plurality of scan requests. The scan assistant and the scan engine implement an asynchronous communication protocol that permits the scan engine to send the scan requests without waiting for scan responses for previous scan requests.

Abstract: A software agent executing on a computing device receives a high-level command from a client and converts the high-level command into multiple low-level commands. The software agent executes individual low-level command on the computing device and sends a result of executing the individual low-level command to the client until each low-level command has been executed.

Abstract: Various embodiments include systems and methods to implement a process for determining expected exploitability of security vulnerabilities. Vulnerability information corresponding to a security vulnerability is input into a multi-headed neural network. A first feature vector is output via a probability of exploitation head of the multi-headed neural network. The first feature vector is extracted from the vulnerability information and comprises a first set of features. A second feature vector is extracted from code snippets and an abstract syntax tree analyzer, with the second feature vector including a second set of features related to the security vulnerability. The two feature vectors are concatenated to produce a third feature vector, and a regression model is used to determine a probability of exploitation for the security vulnerability based at least in part on the third feature vector.

Abstract: Various embodiments include systems and methods of implementing a machine learning model for calculating confidence scores associated with potential security vulnerabilities. The machine learning model is trained using vulnerability data associated with a set of previously identified vulnerabilities, where the vulnerability data indicates whether a previously identified vulnerability is a true positive or a false positive. In some embodiments, scan traffic data may be obtained. The scan traffic data may be associated with potential security vulnerabilities detected via scan engine(s) that implement application security testing. The machine learning model may be used to determine respective confidence scores for each potential security vulnerability. According to some embodiments, responsive to a request for scan findings associated with a particular application, the respective confidence scores may be displayed via a vulnerability analysis graphical user interface.

Abstract: A software agent executing on a computing device receives a request from a client to provide data associated with neighboring devices to the computing device. The client includes a scan engine to perform a network scan of a network that includes the computing device. The software agent accesses device data in a cache of an operating system command, determines, based on the device data, an identifier associated with each device that is neighboring the computing device, converts the device data into a standardized format to create neighboring device data, and sends the neighboring device data to the client.

Abstract: Various embodiments include systems and methods of anomalous data transfer detection, including determining hotspots for an asset of an organization. The hotspots correspond to one or more periods of time in which outbound data from the asset satisfies a hotspot threshold determined to be indicative of high outbound data traffic activity. A subset of data that does not correspond to the hotspots is filtered out from the outbound data. The remaining data corresponds to a hotspot dataset associated with the hotspots. The hotspot dataset may be utilized to detect anomalous data transfer activity associated with the asset. Detecting the anomalous data transfer activity includes computing one or more statistics on the hotspot dataset. Responsive to detecting the anomalous data transfer activity, an alert associated with the asset may be generated.

Abstract: An anomaly detection system is disclosed capable of reporting anomalous processes or hosts in a computer network using machine learning models trained using unsupervised training techniques. In embodiments, the system assigns observed processes to a set of process categories based on the file system path of the program executed by the process. The system extracts a feature vector for each process or host from the observation records and applies the machine learning models to the feature vectors to determine an outlier metric each process or host. The processes or hosts with the highest outlier metrics are reported as detected anomalies to be further examined by security analysts. In embodiments, the machine learnings models may be periodically retrained based on new observation records using unsupervised machine learning techniques. Accordingly, the system allows the models to learn from newly observed data without requiring the new data to be manually labeled by humans.

Abstract: An automated login framework for dynamic application security testing is disclosed. A web application executing on a computing device is accessed and an automated login framework (ALF) is injected into an onload event of a web browser associated with the web application. The ALF is then accessed with a credential associated with the web application. A login page associated with application is identified by matching links or buttons with a user-defined regular expression and a user-defined wordlist. Then, a login form in the login page is detected by executing a signature technique, a dictionary technique, and a multistep signature technique. The login form is populated using the credential and submitted for authentication, and a status with a confidence score is received indicating whether the authentication was successful or failed.

Abstract: Various embodiments include systems and methods to implement predictive scan autoscaling using cluster-based prediction models by a security platform to predict scanning loads associated with computing resources. Predictive scan autoscaling using cluster-based prediction models may improve the security posture of computing resources by improving the speed by which a security platform may scan for threats of a cyberattack. The security platform may predict scanning loads based on data indicative of previous scanning loads over one or more periods of time for clusters of similar client networks, where similarity may be based on a comparison of deployment assets. The security platform may combine predicted scanning loads with requests for scans received from various client networks.

Abstract: Various embodiments include systems and methods to implement a graph analysis-based assessment to determine relative node significance. Network traffic data associated with a network may be obtained. A graph analysis-based assessment of the network may be performed to determine network traffic paths between a plurality of nodes in the network based at least in part on the network traffic data and to calculate, for each node and based at least in part on the network traffic paths, a respective centrality value. The respective centrality value may be indicative of a respective node being a potential source of disruption to the network relative to other nodes. At least one significant node in the network may be identified based at least in part on the centrality values, and a particular action to be performed with respect to the at least one significant node may be determined.

Abstract: Various embodiments include systems and methods of implementing vulnerability check synchronization. Vulnerability check synchronization may occur between computing resources at multiple different locations including a first location and a second location. Custom vulnerability check information associated with a particular security vulnerability may be received via a security console user interface that is located at the first location. A selection may be received, via the security console user interface, of a particular distributed engine to be utilized to perform a scan of one or more assets based at least in part on the custom vulnerability check information. Responsive to a determination to initiate the scan of the one or more assets, transfer of the custom vulnerability check information to the particular distributed engine via one or more networks may be automatically initiated.

Abstract: A method for authenticated asset assessment is provided. The method involves executing a scan assistant on an asset to allow a remote scan engine to execute one or more scan operations on the asset for determining a state of the asset. The scan assistant may verify the identity of the scan engine by checking that a certificate received from the scan engine is signed with a private key associated with the scan engine. In some embodiments, the authentication may be performed as part of a TLS handshake process that establishes a TLS connection between the scan engine and the scan assistant. Once the scan engine is authenticated, the scan engine may communicate with the scan assistant according to a communication protocol to collect data about the asset. Advantageously, the disclosed technique reduces security risks associated with authenticated scans and improves the performance of authenticated scans.

Abstract: Disclosed herein are methods, systems, processes, and machine learned models for performing opinionated threat assessments for cybersecurity vulnerabilities. An opinionated threat assessment system is implemented that obtains a training dataset that includes a codified opinionated threat assessment for security vulnerabilities. The codified opinionated threat assessment in the training dataset includes intrinsic attributes for the security vulnerabilities and subject attributes about the security vulnerabilities. The opinionated threat assessment system trains an opinionated threat assessment model using the training dataset and according to a machine learning technique where the training tunes the opinionated threat assessment model to generate a machined learned opinionated threat assessment for a new security vulnerability based on new intrinsic attributes associated with the new security vulnerability.

Abstract: Disclosed herein are systems, methods, and processes for a machine learned alert triaging classification (ATC) system that uses machine learning techniques to generate an alert triage classification model that can be trained and deployed in modern security operation centers to optimize alert triaging and cyber threat classification. A training dataset of classified records is obtained. Each classified record in the training dataset includes detection characteristics data of a set of machines and threat classification results produced by performing alert triage classification of detection messages associated with the set of machines. An ATC model is trained using the training dataset according to a machine learning technique. The training tunes the ATC model to classify, based on at least the detection characteristics data, a new detection message associated with a machine from the set of machines as a threat or as not a threat.

Abstract: Various embodiments include systems and methods of implementing radio frequency (RF) capture analysis reporting. The implementing may include receiving RF data captured by RF capture component(s) positioned at location(s) within a physical environment. The captured RF data includes RF device metrics associated with RF device(s) identified by the RF capture component(s) as being located within the physical environment. One or more analysis operations may be performed with respect to the RF device(s) based at least in part on the RF device metrics. Based at least in part on a result of the analysis operation(s), a potential security vulnerability associated with a particular RF device may be identified. A report may be generated that identifies at least the potential security vulnerability associated with the particular RF device.

Abstract: An anomaly detection system is disclosed capable of reporting anomalous processes or hosts in a computer network using machine learning models trained using unsupervised training techniques. In embodiments, the system assigns observed processes to a set of process categories based on the file system path of the program executed by the process. The system extracts a feature vector for each process or host from the observation records and applies the machine learning models to the feature vectors to determine an outlier metric each process or host. The processes or hosts with the highest outlier metrics are reported as detected anomalies to be further examined by security analysts. In embodiments, the machine learnings models may be periodically retrained based on new observation records using unsupervised machine learning techniques. Accordingly, the system allows the models to learn from newly observed data without requiring the new data to be manually labeled by humans.

Abstract: Disclosed herein are methods, systems, and processes for centralized containerized deployment of network traffic sensors to network sensor hosts for deep packet inspection (DPI) that supports various other cybersecurity operations. A network sensor package containing a pre-configured network sensor container is received by a network sensor host from a network sensor deployment server. Installation of the network sensor package on the network sensor host causes execution of the network sensor container that further causes deployment of an on-premise network sensor along with a network sensor management system, a DPI system, and an intrusion detection/prevention (IDS/IPS) system. The configurable on-premise network sensor is deployed on multiple operating system distributions of the network sensor host and generates actionable network metadata using DPI techniques for optimized log search and management and improved intrusion detection and response (IDR) operations.

Abstract: Systems and methods are disclosed to implement a network data interpretation pipeline to recognize machine operations (MOs) and machine activities (MAs) from network traffic data observed in a monitored network. In embodiments, a MO recognition engine is implemented in the network to recognize MOs from network sensor events (NSEs) based on defined recognition patterns. The MOs and any unrecognized NSEs are uploaded to a network monitoring system, where they are further analyzed by a MA recognition engine to recognize higher-level machine activities performed by machines. The NSEs, MOs, and MAs are used by the network monitoring system to implement a variety of security threat detection processes. Advantageously, the pipeline may be used to add rich contextual information about the raw network data to facilitate security threat detection processes. Additionally, the MOs and MAs can be used to present the raw network data in a variety of intuitive user interfaces.

Abstract: Techniques for associating assets related to events detected in at least one computer network with respective assets in an asset catalog for the at least one computer network. The techniques comprising: obtaining information about an event related to a first asset, the information specifying computer network addressing information for the first asset; generating a signature of the first asset from the computer network addressing information using at least one trained machine learning model, wherein the signature comprises a numeric representation of the first asset; associating the first asset with at least one asset in the asset catalog using the signature and at least one signature of the at least one asset in the asset catalog, wherein the at least one signature was previously determined using the at least one trained machine learning model; and outputting information identifying the at least one asset with which the first asset was associated.

Abstract: Various embodiments include systems and methods to implement network scanner timeouts based at least in part on historical network conditions. The implementing comprises initiating, using one or more network scanners and according to a first set of timeout parameters, a first security assessment of one or more scan targets in a network, wherein the first set of timeout parameters comprises a first initial round trip time (RTT)-timeout parameter value to which a dynamic RTT-timeout value is initially set. The implementing comprises determining a first set of RTT statistics for the first security assessment. The implementing comprises determining, based at least in part on the first set of RTT statistics, a second set of timeout parameters for a second security assessment of the one or more scan targets. The implementing comprises initiating, according to the second set of timeout parameters, the second security assessment of the one or more scan targets.