Patents Assigned to RAPID7, INC.
  • Publication number: 20240305670
    Abstract: An access policy analysis system may use stored policy summaries to efficiently perform access analysis. A request that causes an access analysis of an entity in a cloud service provider with respect to a resource hosted in the cloud service provider may be received. An access policy summary generated for the entity based on a set of access policies applied by an access management system of the cloud service provider may be obtained. An access policy summary generated for the resource based on the set of access policies may be obtained. A tree structure that describes a hierarchy of entities in the cloud service provider may be traversed to identify a parent node of the entity in the hierarchy of entities. The access analysis may then be generated based on the access policy summaries for the identified node in the tree structure, for the entity and for the resource.
    Type: Application
    Filed: May 16, 2024
    Publication date: September 12, 2024
    Applicant: Rapid7, Inc.
    Inventors: Matthew Gladney, Elizabeth Prescott, Niluka Bamunuarachchige, Leonardo Colmenares, James Martin, Peter Snelgrove, Nadia Mounzih
  • Patent number: 12088600
    Abstract: An anomaly detection system is disclosed capable of reporting anomalous processes or hosts in a computer network using machine learning models trained using unsupervised training techniques. In embodiments, the system assigns observed processes to a set of process categories based on the file system path of the program executed by the process. The system extracts a feature vector for each process or host from the observation records and applies the machine learning models to the feature vectors to determine an outlier metric for each process or host. The processes or hosts with the highest outlier metrics are reported as detected anomalies to be further examined by security analysts. In embodiments, the machine learning models may be periodically retrained based on new observation records using unsupervised machine learning techniques. Accordingly, the system allows the models to learn from newly observed data without requiring the new data to be manually labeled by humans.
    Type: Grant
    Filed: September 17, 2020
    Date of Patent: September 10, 2024
    Assignee: Rapid7, Inc.
    Inventors: Jocelyn Beauchesne, John Lim Oh, Vasudha Shivamoggi, Roy Donald Hodgman
  • Publication number: 20240297795
    Abstract: Techniques for associating assets related to events detected in at least one computer network with respective assets in an asset catalog for the at least one computer network. The techniques comprising: obtaining information about an event related to a first asset, the information specifying computer network addressing information for the first asset; generating a signature of the first asset from the computer network addressing information using at least one trained machine learning model, wherein the signature comprises a numeric representation of the first asset; associating the first asset with at least one asset in the asset catalog using the signature and at least one signature of the at least one asset in the asset catalog, wherein the at least one signature was previously determined using the at least one trained machine learning model; and outputting information identifying the at least one asset with which the first asset was associated.
    Type: Application
    Filed: May 10, 2024
    Publication date: September 5, 2024
    Applicant: Rapid7, Inc.
    Inventors: Stuart Millar, Ralph McTeggart
  • Patent number: 12079232
    Abstract: Systems and methods are disclosed for an approximate string searching technique to search for match results that have character differences with the search string. A cost is computed to measure the amount of character differences, and a match is recognized if the cost is below a threshold. The match is determined based on an inferred state machine, whose states are iteratively generated in computer memory for successive characters in the input text. States are added to represent modifications to the string needed to account for character differences and track the costs of the modifications. States are removed when their costs become excessive. Advantageously, the search process never generates the full state machine in memory, retaining only a selected set of best states to continue with the approximate match process. The technique thus enables a practicable implementation of approximate searching that can tolerate an arbitrary number of character deviations.
    Type: Grant
    Filed: September 8, 2022
    Date of Patent: September 3, 2024
    Assignee: Rapid7, Inc.
    Inventors: Viliam Holub, Eoin Shanley, Trevor Parsons
  • Patent number: 12081575
    Abstract: Systems and methods are disclosed to implement a cyberattack detection system that monitors a computer network for suspected lateral movement. In embodiments, the system employs multiple machine learning models to analyze connection data of a network to identify anomalies in the network's connection behavior. The models are updated incrementally using online machine learning methods that can be performed in constant time and memory. In embodiments, the system uses an incremental matrix factorization model and a connection count fitting model to generate anomaly scores for each connection. Connection paths are constructed for acyclic sequences of time-ordered connections observed in the stream. The paths are evaluated based on the anomaly scores of their individual connections. Paths that meet a detection criterion are reported to analysts for further review.
    Type: Grant
    Filed: February 9, 2023
    Date of Patent: September 3, 2024
    Assignee: Rapid7, Inc.
    Inventors: Raphaelle Delpont, Gabrielle Rappaport, Roy Hodgman
  • Patent number: 12080279
    Abstract: Methods and systems for training a language processing model. The methods may involve receiving a first log record in a first format, wherein the first log record includes annotations describing items in the first log record, and then creating a second log record in a second format comprising data from the first log record utilizing the annotations in the first log record and a conversion rule set. The second log record may then be used to train a language processing model so that a trained model can identify items in a third log record and the relationships therebetween.
    Type: Grant
    Filed: September 19, 2022
    Date of Patent: September 3, 2024
    Assignee: Rapid7, Inc.
    Inventor: Wah-Kwan Lin
  • Patent number: 12074890
    Abstract: Methods and systems for identifying a network threat are disclosed. The methods described herein may involve receiving at least one permutation of a domain name, wherein the at least one permutation is registered with a domain name registrar. The methods described herein may further involve executing a scanning function to identify an active service on the at least one permutation registered with the domain name registrar and implementing a threat prevention procedure upon identifying an active service on the at least one permutation.
    Type: Grant
    Filed: January 17, 2023
    Date of Patent: August 27, 2024
    Assignee: Rapid7, Inc.
    Inventors: Wah-Kwan Lin, Paul Deardorff
  • Patent number: 12074897
    Abstract: Disclosed herein are systems, methods, and processes for a machine learned alert triaging classification (ATC) system that uses machine learning techniques to generate an alert triage classification model that can be trained and deployed in modern security operation centers to optimize alert triaging and cyber threat classification. A training dataset of classified records is obtained. Each classified record in the training dataset includes detection characteristics data of a set of machines and threat classification results produced by performing alert triage classification of detection messages associated with the set of machines. An ATC model is trained using the training dataset according to a machine learning technique. The training tunes the ATC model to classify, based on at least the detection characteristics data, a new detection message associated with a machine from the set of machines as a threat or as not a threat.
    Type: Grant
    Filed: November 4, 2020
    Date of Patent: August 27, 2024
    Assignee: Rapid7, Inc.
    Inventor: Carlos Manuel Pastor Sánchez
  • Patent number: 12075252
    Abstract: Various embodiments include systems and methods of implementing radio frequency (RF) capture analysis reporting. The implementing may include receiving RF data captured by RF capture component(s) positioned at location(s) within a physical environment. The captured RF data includes RF device metrics associated with RF device(s) identified by the RF capture component(s) as being located within the physical environment. One or more analysis operations may be performed with respect to the RF device(s) based at least in part on the RF device metrics. Based at least in part on a result of the analysis operation(s), a potential security vulnerability associated with a particular RF device may be identified. A report may be generated that identifies at least the potential security vulnerability associated with the particular RF device.
    Type: Grant
    Filed: November 15, 2021
    Date of Patent: August 27, 2024
    Assignee: Rapid7, Inc.
    Inventors: Deral Heiland, Matthew Kienow, Adam Bunn, Alberto Cecioni
  • Patent number: 12069084
    Abstract: Various embodiments include systems and methods to implement network scanner timeouts based at least in part on historical network conditions. The implementing comprises initiating, using one or more network scanners and according to a first set of timeout parameters, a first security assessment of one or more scan targets in a network, wherein the first set of timeout parameters comprises a first initial round trip time (RTT)-timeout parameter value to which a dynamic RTT-timeout value is initially set. The implementing comprises determining a first set of RTT statistics for the first security assessment. The implementing comprises determining, based at least in part on the first set of RTT statistics, a second set of timeout parameters for a second security assessment of the one or more scan targets. The implementing comprises initiating, according to the second set of timeout parameters, the second security assessment of the one or more scan targets.
    Type: Grant
    Filed: March 15, 2022
    Date of Patent: August 20, 2024
    Assignee: Rapid7, Inc.
    Inventors: Emmett Kelly, Paul Miseiko
  • Patent number: 12069079
    Abstract: An anomaly detection system is disclosed capable of reporting anomalous processes or hosts in a computer network using machine learning models trained using unsupervised training techniques. In embodiments, the system assigns observed processes to a set of process categories based on the file system path of the program executed by the process. The system extracts a feature vector for each process or host from the observation records and applies the machine learning models to the feature vectors to determine an outlier metric for each process or host. The processes or hosts with the highest outlier metrics are reported as detected anomalies to be further examined by security analysts. In embodiments, the machine learning models may be periodically retrained based on new observation records using unsupervised machine learning techniques. Accordingly, the system allows the models to learn from newly observed data without requiring the new data to be manually labeled by humans.
    Type: Grant
    Filed: October 17, 2022
    Date of Patent: August 20, 2024
    Assignee: Rapid7, Inc.
    Inventors: Jocelyn Beauchesne, John Lim Oh, Vasudha Shivamoggi, Roy Donald Hodgman
  • Patent number: 12067415
    Abstract: Various embodiments include systems and methods pertaining to a network sensor host configured to implement a receive side scaling (RSS) configuration component in a security environment. The RSS configuration component may be used to automatically generate an RSS configuration comprising one or more settings customized for the network sensor host based at least in part on hardware information of the network sensor host. In some embodiments, the RSS configuration may be applied to change settings of a network interface driver of the network sensor host, e.g., to implement RSS and multithreading for network sensor tasks.
    Type: Grant
    Filed: January 18, 2023
    Date of Patent: August 20, 2024
    Assignee: Rapid7, Inc.
    Inventors: Luke Coughlan, Gianni Tedesco, Morgan Nally
  • Patent number: 12068924
    Abstract: Systems and methods are disclosed to implement a time series anomaly detection system that uses configurable statistical control rules (SCRs) and a forecasting system to detect anomalies in time series data (e.g., fluctuating values of a network activity metric). In embodiments, the system forecasts future values of the time series data along with a confidence interval based on seasonality characteristics of the data. The time series data is monitored for anomalies by comparing actual observed values in the time series with the predicted values and confidence intervals, according to the SCRs. The SCRs may be defined and tuned via a configuration interface that allows users to visually see how different SCRs perform over real data. Advantageously, the disclosed system allows users to create custom anomaly detection triggers for different types of time series data, without use of a monolithic detection model which can be difficult to tune.
    Type: Grant
    Filed: May 16, 2023
    Date of Patent: August 20, 2024
    Assignee: Rapid7, Inc.
    Inventors: Seamus Cawley, David Tracey
  • Patent number: 12063224
    Abstract: Systems and methods are disclosed to implement a network data interpretation pipeline to recognize machine operations (MOs) and machine activities (MAs) from network traffic data observed in a monitored network. In embodiments, a MO recognition engine is implemented in the network to recognize MOs from network sensor events (NSEs) based on defined recognition patterns. The MOs and any unrecognized NSEs are uploaded to a network monitoring system, where they are further analyzed by a MA recognition engine to recognize higher-level machine activities performed by machines. The NSEs, MOs, and MAs are used by the network monitoring system to implement a variety of security threat detection processes. Advantageously, the pipeline may be used to add rich contextual information about the raw network data to facilitate security threat detection processes. Additionally, the MOs and MAs can be used to present the raw network data in a variety of intuitive user interfaces.
    Type: Grant
    Filed: April 21, 2021
    Date of Patent: August 13, 2024
    Assignee: Rapid7, Inc.
    Inventor: Luis Ramos dos Santos Lopes
  • Publication number: 20240265017
    Abstract: Systems and methods are disclosed to implement a bounded group by query system that computes approximate time-sliced statistics for groups of records in a dataset according to a group by query. In embodiments, a single pass scan of the dataset is performed to accumulate exact results for a maximum number of groups in a result grouping structure (RGS) and approximate results for additional groups in an approximate result grouping structure (ARGS). RGSs and ARGSs are accumulated by a set of accumulator nodes and provided to an aggregator node, which combines the received structures to generate exact or approximate statistical results for at least a subset of the groups in the dataset. Advantageously, the disclosed query system is able to produce approximate results for at least some of the groups in a single pass of the dataset using size-bounded data structures, without predetermining the actual number of groups in the dataset.
    Type: Application
    Filed: April 16, 2024
    Publication date: August 8, 2024
    Applicant: Rapid7, Inc.
    Inventors: David Tracey, Miguel Casanova
  • Patent number: 12047259
    Abstract: Disclosed herein are methods, systems, and processes for performing optimized batched packet processing in deep packet inspection (DPI) computing systems. A batch of network packets is received. A stateless processing operation is performed for the batch that includes updating a current time for the batch, decoding the network packets in the batch, creating a flow-hash lookup key for each decoded network packet, and generating a first output that includes the current time and corresponding flow-hash lookup keys for the decoded network packets. Next, a stateful processing operation is performed for the batch that includes accessing the first output of the stateless processing operation, dividing the batch into multiple sub-batches, performing a parallel flow-hash table lookup operation on the network packets that are part of the sub-batches, and generating a second output that includes the sub-batches with associated packet flows.
    Type: Grant
    Filed: November 2, 2022
    Date of Patent: July 23, 2024
    Assignee: Rapid7, Inc.
    Inventor: Gianpaolo Tedesco
  • Patent number: 12047406
    Abstract: Various embodiments include systems and methods to implement processing of web content for vulnerability assessments. A plurality of documents comprising web content may be obtained from multiple different web sources, and the documents may be parsed to determine a set of discrete document chunks. Parsing the documents includes determining whether a document satisfies a segmentation condition for segmenting the document into multiple discrete document chunks using a named-entity recognition system configured to segment the document based at least in part on a vulnerability identification. The discrete document chunks may be stored in a database, where vulnerability information is indexed such that each respective entry in the database corresponds to a respective vulnerability identification and a respective discrete document chunk.
    Type: Grant
    Filed: February 9, 2022
    Date of Patent: July 23, 2024
    Assignee: Rapid7, Inc.
    Inventor: Erick Galinkin
  • Patent number: 12021900
    Abstract: An access policy analysis system may use stored policy summaries to efficiently perform access analysis. A request that causes an access analysis of an entity in a cloud service provider with respect to a resource hosted in the cloud service provider may be received. An access policy summary generated for the entity based on a set of access policies applied by an access management system of the cloud service provider may be obtained. An access policy summary generated for the resource based on the set of access policies may be obtained. A tree structure that describes a hierarchy of entities in the cloud service provider may be traversed to identify a parent node of the entity in the hierarchy of entities. The access analysis may then be generated based on the access policy summaries for the identified node in the tree structure, for the entity and for the resource.
    Type: Grant
    Filed: December 6, 2021
    Date of Patent: June 25, 2024
    Assignee: Rapid7, Inc.
    Inventors: Matthew Gladney, Elizabeth Prescott, Niluka Bamunuarachchige, Leonardo Colmenares, James Martin, Peter Snelgrove, Nadia Mounzih
  • Publication number: 20240202376
    Abstract: Inter-chip communication data in an Internet-of-Things (IoT) device is manipulated and analyzed to identify and remediate security vulnerabilities. Inter-chip communication data in the IoT device is captured. Communication direction, address format, flow control, communication timing, and communication structure associated with the inter-chip communication data are identified. Based on the foregoing identification(s), portions of the inter-chip communication data that require modification are identified so that the inter-chip communication data can be replayed. Based on the modification and the replaying, security vulnerabilities in the IoT device are identified and remediated.
    Type: Application
    Filed: February 27, 2024
    Publication date: June 20, 2024
    Applicant: Rapid7, Inc.
    Inventors: Deral Heiland, Matthew Kienow, Pearce Barry
  • Publication number: 20240202020
    Abstract: Techniques for monitoring assets in a cloud computing environment, comprising: collecting datasets for respective assets in the cloud computing environment, each of the datasets comprising at least some data stored by a respective one of the assets at one or multiple timepoints, the datasets including a first dataset for a first asset of the assets; determining priority scores for the assets using: feature values determined using data in the datasets, and feature values determined using data about the assets and stored in the cloud computing environment, wherein the determining comprises: determining, using data in the first dataset that was stored by the first asset at one or more timepoints, at least one first feature value for the first asset; determining, using data about the first asset and stored in the cloud computing environment, at least one second feature value for the first asset; and determining a priority score for the first asset using the at least one first feature value and the at least one se
    Type: Application
    Filed: May 3, 2023
    Publication date: June 20, 2024
    Applicant: Rapid7, Inc.
    Inventors: Trever Allen McKee, James Andrew Green