Patents Assigned to RAPID7, INC.
  • Publication number: 20240370292
    Abstract: Various embodiments include systems and methods pertaining to a network sensor host configured to implement a receive side scaling (RSS) configuration component in a security environment. The RSS configuration component may be used to automatically generate an RSS configuration comprising one or more settings customized for the network sensor host based at least in part on hardware information of the network sensor host. In some embodiments, the RSS configuration may be applied to change settings of a network interface driver of the network sensor host, e.g., to implement RSS and multithreading for network sensor tasks.
    Type: Application
    Filed: July 16, 2024
    Publication date: November 7, 2024
    Applicant: Rapid7, Inc.
    Inventors: Luke Coughlan, Gianni Tedesco, Morgan Nally
  • Publication number: 20240372886
    Abstract: Various embodiments include systems and methods of implementing automated assessment scheduling. A particular automated assessment may be automatically performed based at least in part on an assessment configuration and scan engine resource(s) of an organization. Based at least in part on performance of the particular automated assessment, a scan engine utilization assessment may be performed to determine a scan engine utilization value that represents utilization of the scan engine resource(s) with respect to resource requirements that are based at least in part on the set of attributes of the assessment configuration. Based at least in part on the scan engine utilization assessment, a particular resource utilization recommendation may be generated. The particular resource utilization recommendation may correspond to a first resource utilization recommendation to allocate additional scan engine resources or a second resource utilization recommendation to allocate fewer scan engine resources.
    Type: Application
    Filed: July 16, 2024
    Publication date: November 7, 2024
    Applicant: Rapid7, Inc.
    Inventors: Paul Miseiko, James Cancilla
  • Patent number: 12124837
    Abstract: Systems and methods are disclosed to implement a delta data collection technique for collecting machine characteristics data from client machines. In embodiments, the collected data is used by a machine assessment service to maintain a virtual representation of the client machine for assessments. To initialize the collection process, the client uploads an initial copy of the data in full. Subsequently, the client determines periodic deltas between a current baseline of the data and a last reported baseline, and the deltas are uploaded as patches. The machine assessment service then applies these patches to update the virtual representation of the client machine. In embodiments, to facilitate the generation or uploading of the patches, the client may generate the baselines in a different encoding format than that used by the data. For example, baselines in the new encoding format may be more easily compared and manipulated during the patch generation process.
    Type: Grant
    Filed: January 26, 2023
    Date of Patent: October 22, 2024
    Assignee: Rapid7, Inc.
    Inventors: Shreyas Khare, Taylor Osmun, Paul-Andrew Joseph Miseiko, Sheung Hei Joseph Yeung
  • Patent number: 12126649
    Abstract: Various embodiments include implementing an interceptor for application security testing. The interceptor may intercept traffic, including one or more traffic items, between a scan engine and a target application. The traffic item(s) may include a request directed to the target application from a scan engine implementing application security testing or a response from the target application responsive to request(s) from the scan engine. The interceptor may determine that a particular traffic item satisfies a particular traffic trigger associated with a particular traffic action comprising a manipulation to the traffic between the scan engine and the target application. The particular traffic action is one of a plurality of predefined traffic actions that the interceptor is configured to perform across different scan engine versions, different scan configurations, or both.
    Type: Grant
    Filed: January 9, 2024
    Date of Patent: October 22, 2024
    Assignee: Rapid7, Inc.
    Inventor: Barry Curran
  • Publication number: 20240348641
    Abstract: Various embodiments include systems and methods to implement processing of web content for vulnerability assessments. A plurality of documents comprising web content may be obtained from multiple different web sources, and the documents may be parsed to determine a set of discrete document chunks. Parsing the documents includes determining whether a document satisfies a segmentation condition for segmenting the document into multiple discrete document chunks using a named-entity recognition system configured to segment the document based at least in part on a vulnerability identification. The discrete document chunks may be stored in a database, where vulnerability information is indexed such that each respective entry in the database corresponds to a respective vulnerability identification and a respective discrete document chunk.
    Type: Application
    Filed: June 25, 2024
    Publication date: October 17, 2024
    Applicant: Rapid7, Inc.
    Inventor: Erick Galinkin
  • Patent number: 12118048
    Abstract: Disclosed herein are methods, systems, and processes for accepting and servicing interface agnostic validated unified platform queries. A request for shared data associated with web applications received from a user interface that is rendered by a client based on a specification is intercepted. The request is forwarded to a unified application programming interface (API) instead of a disparate unique API associated with the web applications. The request from the client is authenticated externally using the unified API and the request for the shared data is authorized to be displayed in the user interface based on the unified API instead of the specification.
    Type: Grant
    Filed: July 27, 2020
    Date of Patent: October 15, 2024
    Assignee: Rapid7, Inc.
    Inventors: Ralph McTeggart, Ryan Williams, Martin Hutchings, Daniel Skelton, Sarah Addis
  • Patent number: 12120138
    Abstract: A software agent executing on a computing device receives a request from a client to provide data associated with neighboring devices to the computing device. The client includes a scan engine to perform a network scan of a network that includes the computing device. The software agent accesses device data in a cache of an operating system command, determines, based on the device data, an identifier associated with each device that is neighboring the computing device, converts the device data into a standardized format to create neighboring device data, and sends the neighboring device data to the client.
    Type: Grant
    Filed: February 28, 2022
    Date of Patent: October 15, 2024
    Assignee: Rapid7, Inc.
    Inventors: Emmett Kelly, Ross Kirk
  • Patent number: 12120149
    Abstract: Disclosed herein are methods, systems, and processes for containing compromised credentials using deception systems. A request to authenticate a credential is received at a honeypot and a determination is made that the request includes context information that correlates the credential with network components that are part of the network. A protected host in the network associated with the credential is identified and the credential is authenticated by validating the credential with the protected host. A determination is made that the credential is compromised and the credential is deactivated.
    Type: Grant
    Filed: March 9, 2022
    Date of Patent: October 15, 2024
    Assignee: Rapid7, Inc.
    Inventor: Thomas Eugene Sellers
  • Patent number: 12118381
    Abstract: Systems and methods are disclosed to implement a thread sensor generation system to generate thread sensors for extracting side channel information about other executing threads on a multithreading CPU. In embodiments, the system generates a set of sensors for evaluation. Each sensor may include a sequence of arithmetic or logic operations between variables or constants, which will cause a particular resource usage pattern by the CPU. The sensors are executed on the CPU in parallel with instances of a victim thread to measure an execution slowdown profile of the sensor thread caused by CPU resource conflicts with the victim thread. Based on the execution slowdown profiles, a sensitivity metric is calculated for each sensor, which is used to select the best sensor(s) for the victim thread. Sensors generated using the disclosed techniques can be used to extract secret information via side-channel attacks on currently available multithreaded processors.
    Type: Grant
    Filed: May 16, 2023
    Date of Patent: October 15, 2024
    Assignee: Rapid7, Inc.
    Inventor: Viliam Holub
  • Patent number: 12118082
    Abstract: Various embodiments include systems and methods of automated scan engine assignment. Responsive to determining to initiate a scan of a target asset, a scan engine assignment strategy may be determined for automatically assigning one or more scan engines to perform the scan. Determining the scan engine assignment strategy may include implementing a strategy selection scheme that defines a hierarchy of scan engine assignment strategies, which may include at least one of a passive discovery strategy, an active discovery strategy, or a scan engine subnet strategy. Using the scan engine assignment strategy, the one or more scan engines may be automatically assigned to perform the scan. The scan may be performed using the one or more scan engines.
    Type: Grant
    Filed: January 31, 2022
    Date of Patent: October 15, 2024
    Assignee: Rapid7, Inc.
    Inventors: James Cancilla, Paul Miseiko, Emmett Kelly
  • Patent number: 12120136
    Abstract: Various embodiments include systems and methods of anomalous data transfer detection, including determining hotspots for an asset of an organization. The hotspots correspond to one or more periods of time in which outbound data from the asset satisfies a hotspot threshold determined to be indicative of high outbound data traffic activity. A subset of data that does not correspond to the hotspots is filtered out from the outbound data. The remaining data corresponds to a hotspot dataset associated with the hotspots. The hotspot dataset may be utilized to detect anomalous data transfer activity associated with the asset. Detecting the anomalous data transfer activity includes computing one or more statistics on the hotspot dataset. Responsive to detecting the anomalous data transfer activity, an alert associated with the asset may be generated.
    Type: Grant
    Filed: January 18, 2022
    Date of Patent: October 15, 2024
    Assignee: Rapid7, Inc.
    Inventors: Vasudha Shivamoggi, Roy Hodgman
  • Patent number: 12118095
    Abstract: Various embodiments include systems and methods of implementing a machine learning model for calculating confidence scores associated with potential security vulnerabilities. The machine learning model is trained using vulnerability data associated with a set of previously identified vulnerabilities, where the vulnerability data indicates whether a previously identified vulnerability is a true positive or a false positive. In some embodiments, scan traffic data may be obtained. The scan traffic data may be associated with potential security vulnerabilities detected via scan engine(s) that implement application security testing. The machine learning model may be used to determine respective confidence scores for each potential security vulnerability. According to some embodiments, responsive to a request for scan findings associated with a particular application, the respective confidence scores may be displayed via a vulnerability analysis graphical user interface.
    Type: Grant
    Filed: July 30, 2021
    Date of Patent: October 15, 2024
    Assignee: Rapid7, Inc.
    Inventors: Stuart Millar, Denis Podgurskii
  • Patent number: 12120150
    Abstract: Disclosed herein are methods, systems, and processes for probabilistically identifying anomalous levels of honeypot activity. A honeypot dataset associated with a honeypot network is received and a representative usage value is determined from the honeypot dataset. The representative usage value is identified as being associated with anomalous behavior if the representative usage value deviates from an expected probability distribution. A remediation operation is initiated in the honeypot network in response to the identification of the representative usage value as being associated with the anomalous behavior by virtue of the representative usage value deviating from the expected probability distribution.
    Type: Grant
    Filed: October 2, 2023
    Date of Patent: October 15, 2024
    Assignee: Rapid7, Inc.
    Inventors: Wah-Kwan Lin, Curtis Barnard
  • Patent number: 12113822
    Abstract: Various embodiments include systems and methods to implement a graph analysis-based assessment to determine relative node significance. Network traffic data associated with a network may be obtained. A graph analysis-based assessment of the network may be performed to determine network traffic paths between a plurality of nodes in the network based at least in part on the network traffic data and to calculate, for each node and based at least in part on the network traffic paths, a respective centrality value. The respective centrality value may be indicative of a respective node being a potential source of disruption to the network relative to other nodes. At least one significant node in the network may be identified based at least in part on the centrality values, and a particular action to be performed with respect to the at least one significant node may be determined.
    Type: Grant
    Filed: October 28, 2021
    Date of Patent: October 8, 2024
    Assignee: Rapid7, Inc.
    Inventors: Wah-Kwan Lin, Paul Deardorff
  • Publication number: 20240333614
    Abstract: Disclosed herein are methods, systems, and processes for performing optimized batched packet processing in deep packet inspection (DPI) computing systems. A batch of network packets is received. A stateless processing operation is performed for the batch that includes updating a current time for the batch, decoding the network packets in the batch, creating a flow-hash lookup key for each decoded network packet, and generating a first output that includes the current time and corresponding flow-hash lookup keys for the decoded network packets. Next, a stateful processing operation is performed for the batch that includes accessing the first output of the stateless processing operation, dividing the batch into multiple sub-batches, performing a parallel flow-hash table lookup operation on the network packets that are part of the sub-batches, and generating a second output that includes the sub-batches with associated packet flows.
    Type: Application
    Filed: June 10, 2024
    Publication date: October 3, 2024
    Applicant: Rapid7, Inc.
    Inventor: Gianpaolo Tedesco
  • Patent number: 12107848
    Abstract: An automated login framework for dynamic application security testing is disclosed. A web application executing on a computing device is accessed and an automated login framework (ALF) is injected into an onload event of a web browser associated with the web application. The ALF is then accessed with a credential associated with the web application. A login page associated with the application is identified by matching links or buttons with a user-defined regular expression and a user-defined wordlist. Then, a login form in the login page is detected by executing a signature technique, a dictionary technique, and a multistep signature technique. The login form is populated using the credential and submitted for authentication, and a status with a confidence score is received indicating whether the authentication was successful or failed.
    Type: Grant
    Filed: May 19, 2022
    Date of Patent: October 1, 2024
    Assignee: Rapid7, Inc.
    Inventors: Jijo John, Dan Kuykendall
  • Patent number: 12101342
    Abstract: Disclosed herein are methods, systems, and processes for detecting data exfiltration. A data exfiltration event in a network is detected. Traffic data regarding outgoing traffic of a source in the network associated with the data exfiltration event is received. A logarithmic transformation is applied to the traffic data to generate transformed data. An outlier identification technique is selected based on the transformed data and is executed on the transformed data to determine that the outgoing traffic is indicative of the data exfiltration event. An alert is generated in response to the determination that the outgoing traffic is indicative of the data exfiltration event.
    Type: Grant
    Filed: June 2, 2021
    Date of Patent: September 24, 2024
    Assignee: Rapid7, Inc.
    Inventors: Dustin Myers, Vasudha Shivamoggi, Roy Hodgman
  • Patent number: 12093397
    Abstract: Disclosed herein are methods, systems, processes, and machine learned models for performing opinionated threat assessments for cybersecurity vulnerabilities. An opinionated threat assessment system is implemented that obtains a training dataset that includes a codified opinionated threat assessment for security vulnerabilities. The codified opinionated threat assessment in the training dataset includes intrinsic attributes for the security vulnerabilities and subject attributes about the security vulnerabilities. The opinionated threat assessment system trains an opinionated threat assessment model using the training dataset and according to a machine learning technique where the training tunes the opinionated threat assessment model to generate a machine learned opinionated threat assessment for a new security vulnerability based on new intrinsic attributes associated with the new security vulnerability.
    Type: Grant
    Filed: March 9, 2021
    Date of Patent: September 17, 2024
    Assignee: Rapid7, Inc.
    Inventor: Wah-Kwan Lin
  • Patent number: 12095802
    Abstract: Various embodiments include systems and methods to implement predictive scan autoscaling using cluster-based prediction models by a security platform to predict scanning loads associated with computing resources. Predictive scan autoscaling using cluster-based prediction models may improve the security posture of computing resources by improving the speed by which a security platform may scan for threats of a cyberattack. The security platform may predict scanning loads based on data indicative of previous scanning loads over one or more periods of time for clusters of similar client networks, where similarity may be based on a comparison of deployment assets. The security platform may combine predicted scanning loads with requests for scans received from various client networks.
    Type: Grant
    Filed: June 21, 2022
    Date of Patent: September 17, 2024
    Assignee: Rapid7, Inc.
    Inventors: Luke Matear, Stephen Hegarty
  • Patent number: 12095800
    Abstract: Various embodiments include systems and methods of implementing automated assessment scheduling. A particular automated assessment may be automatically performed based at least in part on an assessment configuration and scan engine resource(s) of an organization. Based at least in part on performance of the particular automated assessment, a scan engine utilization assessment may be performed to determine a scan engine utilization value that represents utilization of the scan engine resource(s) with respect to resource requirements that are based at least in part on the set of attributes of the assessment configuration. Based at least in part on the scan engine utilization assessment, a particular resource utilization recommendation may be generated. The particular resource utilization recommendation may correspond to a first resource utilization recommendation to allocate additional scan engine resources or a second resource utilization recommendation to allocate fewer scan engine resources.
    Type: Grant
    Filed: October 28, 2021
    Date of Patent: September 17, 2024
    Assignee: Rapid7, Inc.
    Inventors: Paul Miseiko, James Cancilla