Patents Assigned to RAPID7, INC.
  • Patent number: 11625339
    Abstract: Systems and methods are disclosed to implement an endpoint command invocation system (“ECIS”). In some embodiments, ECIS can quickly dispatch a command to a large number of endpoint components, where the endpoint components are online. ECIS can receive an invocation of a command, which can include the command recipients. In some embodiments, ECIS determines that some of the command recipients are online, while some of the command recipients are offline. ECIS determines connections to the online command recipients based on a connection map, which is updated whenever an endpoint component opens a connection to ask for a command. ECIS can deliver the command to the online command recipients using the connections. ECIS can also deliver the command to dispatch queues corresponding to the offline command recipients, where the dispatch queues store the command as a pending command that can be delivered to their respective command recipients whenever they come online.
    Type: Grant
    Filed: January 21, 2022
    Date of Patent: April 11, 2023
    Assignee: Rapid7, Inc.
    Inventors: Xi Yang, Paul-Andrew Joseph Miseiko, Ryan Tonini, Bingbin Li
  • Publication number: 20230096024
    Abstract: Disclosed herein are methods, systems, and processes to perform passive and realtime software identification and data collection for vulnerability management. Vulnerability management based on agent-collected event data involves monitoring a process start event associated with an application executing on a computing device that is part of a network, identifying a binary location of the process start event, and based on the binary location, identifying a software type of the application and a version of the software type. Vulnerability management based on event data in logs involves monitoring the process start event for configuration or file changes, generating fingerprint rules by mapping the configuration or file changes and the process start event associated with a software installation or an upgrade of the software, and processing log data to fingerprint the software type and the version of the software type.
    Type: Application
    Filed: November 28, 2022
    Publication date: March 30, 2023
    Applicant: Rapid7, Inc.
    Inventor: Sheung Hei Joseph Yeung
  • Patent number: 11606378
    Abstract: Systems and methods are disclosed to implement a cyberattack detection system that monitors a computer network for suspected lateral movement. In embodiments, the system employs multiple machine learning models to analyze connection data of a network to identify anomalies in the network's connection behavior. The models are updated incrementally using online machine learning methods that can be performed in constant time and memory. In embodiments, the system uses an incremental matrix factorization model and a connection count fitting model to generate anomaly scores for each connection. Connection paths are constructed for acyclic sequences of time-ordered connections observed in the stream. The paths are evaluated based on the anomaly scores of their individual connections. Paths that meet a detection criterion are reported to analysts for further review.
    Type: Grant
    Filed: December 30, 2020
    Date of Patent: March 14, 2023
    Assignee: Rapid7, Inc.
    Inventors: Raphaëlle Delpont, Gabrielle Rappaport, Roy Donald Hodgman
  • Patent number: 11606377
    Abstract: Methods and systems for detecting anomalous network device activity. The system may include an interface for receiving an identification label associated with a host device and pre-existing traffic data associated with the host device. The system may further detect that the pre-existing traffic data associated with the host device is anomalous based on the identification label. The system may then issue an alert upon detecting that the pre-existing traffic data associated with the host device is anomalous.
    Type: Grant
    Filed: August 6, 2020
    Date of Patent: March 14, 2023
    Assignee: Rapid7, Inc.
    Inventor: Dustin Myers
  • Publication number: 20230071102
    Abstract: Systems and methods are disclosed to implement a chart recommendation system that recommends charts to users during a chart building process. In embodiments, when a new chart is being created, specified features of the chart are provided to a machine learned model such as a self-organizing map. The model will determine a previous chart that is the most similar to the new chart and recommend the previous chart to the user for recreation. In embodiments, newly created charts are added to a library and used to update the model. Charts that are highly popular or authored by expert users may be weighed more heavily during model updates, so that the model will be more influenced by these charts. Advantageously, the disclosed system allows novice users to easily find similar charts created by other users. Additionally, the disclosed system is able to automatically group similar charts without using human-defined classification rules.
    Type: Application
    Filed: November 10, 2022
    Publication date: March 9, 2023
    Applicant: Rapid7, Inc.
    Inventor: Frank Mitchell
  • Publication number: 20230064731
    Abstract: Disclosed herein are methods, systems, and processes for centralized containerized deployment of network traffic sensors to network sensor hosts for deep packet inspection (DPI) that supports various other cybersecurity operations. A network sensor package containing a pre-configured network sensor container is received by a network sensor host from a network sensor deployment server. Installation of the network sensor package on the network sensor host causes execution of the network sensor container that further causes deployment of an on-premise network sensor along with a network sensor management system, a DPI system, and an intrusion detection/prevention (IDS/IPS) system. The configurable on-premise network sensor is deployed on multiple operating system distributions of the network sensor host and generates actionable network metadata using DPI techniques for optimized log search and management and improved intrusion detection and response (IDR) operations.
    Type: Application
    Filed: June 29, 2022
    Publication date: March 2, 2023
    Applicant: Rapid7, Inc.
    Inventors: John Brosnan, Jeff Myers, Andriy Lyubka, Darragh Delaney, Erran Carey, Martin Hutchings, Ralph McTeggart, Ryan Williams, Daniel Skelton, Luke Coughlan, Gianpaolo Tedesco, Luis Ramos dos Santos Lopes, Lars-Kristian Svenoy, Dan-Adrian Moinescu, Niall Cochrane, Morgan Doyle, Sarah Addis
  • Publication number: 20230065596
    Abstract: Disclosed herein are methods, systems, and processes for centralized containerized deployment of network traffic sensors to network sensor hosts for deep packet inspection (DPI) that supports various other cybersecurity operations. A network sensor package containing a preconfigured network sensor container is received by a network sensor host from a network sensor deployment server. Installation of the network sensor package on the network sensor host causes execution of the network sensor container that further causes deployment of an on-premise network sensor along with a network sensor management system, a DPI system, and an intrusion detection/prevention (IDS/IPS) system. The configurable on-premise network sensor is deployed on multiple operating system distributions of the network sensor host and generates actionable network metadata using DPI techniques for optimized log search and management and improved intrusion detection and response (IDR) operations.
    Type: Application
    Filed: June 29, 2022
    Publication date: March 2, 2023
    Applicant: Rapid7, Inc.
    Inventors: John Brosnan, Jeff Myers, Andriy Lyubka, Darragh Delaney, Erran Carey, Martin Hutchings, Ralph McTeggart, Ryan Williams, Daniel Skelton, Luke Coughlan, Gianpaolo Tedesco, Luis Ramos dos Santos Lopes, Lars-Kristian Svenoy, Dan-Adrian Moinescu, Niall Cochrane, Morgan Doyle, Sarah Addis
  • Publication number: 20230064145
    Abstract: Disclosed herein are methods, systems, and processes for centralized containerized deployment of network traffic sensors to network sensor hosts for deep packet inspection (DPI) that supports various other cybersecurity operations. A network sensor package containing a pre-configured network sensor container is received by a network sensor host from a network sensor deployment server. Installation of the network sensor package on the network sensor host causes execution of the network sensor container that further causes deployment of an on-premise network sensor along with a network sensor management system, a DPI system, and an intrusion detection/prevention (IDS/IPS) system. The configurable on-premise network sensor is deployed on multiple operating system distributions of the network sensor host and generates actionable network metadata using DPI techniques for optimized log search and management and improved intrusion detection and response (IDR) operations.
    Type: Application
    Filed: June 29, 2022
    Publication date: March 2, 2023
    Applicant: Rapid7, Inc.
    Inventors: John Brosnan, Jeff Myers, Andriy Lyubka, Darragh Delaney, Erran Carey, Martin Hutchings, Ralph McTeggart, Ryan Williams, Daniel Skelton, Luke Coughlan, Gianpaolo Tedesco, Luis Ramos dos Santos Lopes, Lars-Kristian Svenoy, Dan-Adrian Moinescu, Niall Cochrane, Morgan Doyle, Sarah Addis
  • Patent number: 11593085
    Abstract: Systems and methods are disclosed to implement a delta data collection technique for collecting machine characteristics data from client machines. In embodiments, the collected data is used by a machine assessment service to maintain a virtual representation of the client machine for assessments. To initialize the collection process, the client uploads an initial copy of the data in full. Subsequently, the client determines periodic deltas between a current baseline of the data and a last reported baseline, and the deltas are uploaded as patches. The machine assessment service then applies these patches to update the virtual representation of the client machine. In embodiments, to facilitate the generation or uploading of the patches, the client may generate the baselines in a different encoding format as used by the data. For example, baselines in the new encoding format may be more easily compared and manipulated during the patch generation process.
    Type: Grant
    Filed: February 3, 2020
    Date of Patent: February 28, 2023
    Assignee: Rapid7, Inc.
    Inventors: Shreyas Khare, Taylor Osmun, Paul-Andrew Joseph Miseiko, Sheung Hei Joseph Yeung, Ross Barrett
  • Patent number: 11595313
    Abstract: Rate limiting systems and methods for regulating access to a shared network resource in a computing device accessed through an application programming interface. A rate limit associated with a shared network resource is assigned to a user for a time period. During the time period, access to the shared network resource is granted or denied repeatedly based upon the rate limit; a cost is calculated using a cost function; and, the rate limit is updated based upon the cost.
    Type: Grant
    Filed: April 30, 2020
    Date of Patent: February 28, 2023
    Assignee: Rapid7, Inc.
    Inventor: Chris Mowforth
  • Patent number: 11595423
    Abstract: Analyzing and reporting anomalous internet traffic data by accepting a request for a connection to a virtual security appliance, collecting attribute data about the connection, applying an alert module to the data, and automatically generating an alert concerning an identified incident. An alert system for analyzing and reporting the anomalous internet traffic data. A processor to analyze and report anomalous internet traffic data.
    Type: Grant
    Filed: May 20, 2022
    Date of Patent: February 28, 2023
    Assignee: Rapid7, Inc.
    Inventors: Roy Hodgman, Wah-Kwan Lin, Vasudha Shivamoggi
  • Patent number: 11595440
    Abstract: Disclosed herein are methods, systems, and processes for provisioning and deploying deception computing systems with dynamic and flexible personalities. A network connection is received from a source Internet Protocol (IP) address at a honeypot. In response to receiving the network connection, a personality state table is accessed and a determination is made as to whether a personality that corresponds to the source IP address exists in the personality state table. If the personality exists, the personality is designated to the source IP address. If the personality does not exist, an attack characteristic of the network connection is determined and an alternate personality that is substantially similar to the attack characteristic is designated to the source IP address.
    Type: Grant
    Filed: April 7, 2021
    Date of Patent: February 28, 2023
    Assignee: Rapid7, Inc.
    Inventor: Thomas Eugene Sellers
  • Patent number: 11588844
    Abstract: Disclosed herein are methods, systems, and processes to distribute and disperse search loads to optimize security event processing in cybersecurity computing environments. A search request that includes a domain specific language (DSL) query directed to a centralized search cluster by an event processing application is intercepted. The event processing application is inhibited from issuing the search request to the centralized search cluster if a structured or semi-structured document matches the DSL query.
    Type: Grant
    Filed: June 27, 2019
    Date of Patent: February 21, 2023
    Assignee: Rapid7, Inc.
    Inventors: Austin Lee, Gerardo Perez
  • Patent number: 11588852
    Abstract: Disclosed herein are methods, systems, and processes for validating vulnerabilities using lightweight offensive payloads. An attack payload limited by an execution scope that includes pre-defined exploit features for validating code execution associated with a vulnerability is generated. The attack payload is transmitted to a target computing system and a confirmation of the code execution based on at least one pre-defined exploit feature is received, permitting a determination that the vulnerability has been validated.
    Type: Grant
    Filed: November 8, 2021
    Date of Patent: February 21, 2023
    Assignee: Rapid7, Inc.
    Inventors: Brendan Watters, Brent Cook
  • Patent number: 11588826
    Abstract: Methods and systems for identifying a network threat are disclosed. The methods described herein may involve receiving at least one permutation of a domain name, wherein the at least one permutation is registered with a domain name registrar. The methods described herein may further involve executing a scanning function to identify an active service on the at least one permutation registered with the domain name registrar and implementing a threat prevention procedure upon identifying an active service on the at least one permutation.
    Type: Grant
    Filed: December 20, 2019
    Date of Patent: February 21, 2023
    Assignee: Rapid7, Inc.
    Inventors: Wah-Kwan Lin, Paul Deardorff
  • Patent number: 11586431
    Abstract: Disclosed herein are methods, systems, and processes to perform self-dependent upgrades of Java Runtime Environments (JREs). A request to update a plugin to a new version with a new configuration that includes a location to download a new upgrader-executable is received from a platform computing device at an endpoint computing device. The plugin is uploaded to the new version. The new upgrader-executable that includes an executable with an executable table executed by the plugin is downloaded from the location. The executable is used to halt execution of a JRE application (e.g., a Collector) and download JRE files required for the upgrade. The JRE application (e.g., the Collector) is then re-started with the new configuration, which can be rolled back if the upgrade is unsuccessful.
    Type: Grant
    Filed: December 8, 2021
    Date of Patent: February 21, 2023
    Assignee: Rapid7, Inc.
    Inventors: Sharon Katz, Jeffrey Myers, Paul-Andrew Joseph Miseiko, John Southern, Tyler Stiller
  • Patent number: 11574236
    Abstract: Disclosed herein are methods, systems, and processes to automate cluster interpretation in computing environments to develop targeted remediation security actions. To interpret clusters that are generated by a clustering methodology without subjecting clustered data to classifier-based processing, separation quantifiers that indicate a spread in feature values across clusters are determined and used to discover relative feature importances of features that drive the formation of clusters, permitting a security server to identify features that discriminate between clusters.
    Type: Grant
    Filed: December 10, 2018
    Date of Patent: February 7, 2023
    Assignee: Rapid7, Inc.
    Inventors: Vasudha Shivamoggi, Roy Hodgman, Wah-Kwan Lin
  • Patent number: 11575709
    Abstract: Disclosed herein are methods, systems, and processes for monitoring scan attempts in a network. A virtual security appliance with multiple ports is deployed in a network. One or more ports are obfuscated via the virtual security appliance to make the various ports appear to be closed. An address of the virtual security appliance within the network is modified, the several ports are adjusted to assume a predetermined profile, a network neighbor's profile is discovered and emulated, and a received connection attempt intended for the virtual security appliance is monitored.
    Type: Grant
    Filed: March 15, 2021
    Date of Patent: February 7, 2023
    Assignee: Rapid7, Inc.
    Inventors: Roy Hodgman, Jeffrey D. Myers
  • Publication number: 20230033317
    Abstract: Systems and methods are provided to build a machine learned exploitability risk model that predicts, based on the characteristics of a set of machines, a normalized risk score quantifying the risk that the machines are exploitable by a set of attacks. To build the model, a training dataset is constructed by labeling characteristic data of a population of machines with exploitation test results obtained by simulating a set of attacks on the population. The model is trained using the training data to accurately predict a probability that a given set of machines is exploitable by the set of attacks. In embodiments, the model may be used to make quick assessments about how vulnerable a set of machines are to the set of attacks. In embodiments, the model may be used to compare the effectiveness of different remediation actions to protect against the set of attacks.
    Type: Application
    Filed: October 11, 2022
    Publication date: February 2, 2023
    Applicant: Rapid7, Inc.
    Inventors: Wah-Kwan Lin, Leonardo Varela Guevara, Cody Pierce
  • Publication number: 20230034866
    Abstract: Systems and methods are disclosed to infer, using a machine learned model, a service protocol of a server based on the banner data produced by the server. In embodiments, the machine learned model is implemented by a network scanner configured to receive banner data from open ports on servers. A received banner is parsed into a set of features, such as the counts or presence of particular characters or strings in the banner. In embodiments, certain types of banner content such as network addresses, hostnames, dates, and times, are replaced with special characters. The machine learned model is applied to the features to infer a most likely protocol of the server port that produced the banner. Advantageously, the model can be trained to perform the inference task with high accuracy and without using human-specified rules, which can be brittle for unconventional banner data and carry undesired biases.
    Type: Application
    Filed: October 12, 2022
    Publication date: February 2, 2023
    Applicant: Rapid7, Inc.
    Inventors: Roy Hodgman, Derek Abdine, Thomas Sellers, Prashant Subbarao