Patents Assigned to SecureWorks Corp.
-
Patent number: 12609969
Abstract: A method and system for detecting malicious threat activity or event sequences is disclosed. In an embodiment, the method may include receiving security data from a plurality of data sources and normalizing the security data. The method may include generating one or more statistical profiles for one or more entities based on the normalized data. The method may include generating one or more detectors based on one or more subsequences organized in a plurality of threat chains. The method may include monitoring, via the one or more detectors, telemetric data in real time for the one or more subsequences. The method may include aggregating each detected one or more subsequences. The method may include generating a score based on a correlation of aggregated detected subsequences to the one or more statistical profiles. The method may include, if the score exceeds a threshold, generating a high severity alert.
Type: Grant
Filed: November 3, 2022
Date of Patent: April 21, 2026
Assignee: Secureworks Corp.
Inventors: Radoslaw Gasiorek, John M. Nicholas, Raul Garcia Calvo, William Brad Arndt, Ryan Marcotte
-
Publication number: 20260056820
Abstract: The present disclosure provides systems and methods for generation of parsing scripts or rules for unstructured or semi-structured system log messages, including systems and methods for identifying and clustering of same or substantially similar system log messages using machine learning. Patterns indicative of the same or substantially similar types of system log messages can be generated based on the clustering of the system log messages and calculated similarities of attributes or distances between common features/fields of the system log messages, with the results of the clustering presented for analysis and development or adjustment of parsing scripts.
Type: Application
Filed: August 21, 2025
Publication date: February 26, 2026
Applicant: Secureworks Corp.
Inventors: William Michael King, Raul Garcia Calvo
-
Patent number: 12556566
Abstract: The present disclosure provides systems and methods for substantially continuous and dynamic vulnerability scoring. According to the present disclosure, the method includes detecting one or more vulnerabilities. The method includes determining a contextual prioritization score (CPS) for each of the one or more vulnerabilities based on historical data, the historical data including a series of contextual features corresponding to each one of the one or more vulnerabilities. The method may include, in response to detection of an event, determining a partial CPS score by an agent. The method may include, if a new partial CPS is determined, generating an updated CPS based on the CPS and the new partial CPS and transmitting the updated CPS to each of one or more computing devices.
Type: Grant
Filed: May 11, 2022
Date of Patent: February 17, 2026
Assignee: Secureworks Corp.
Inventors: Serge-Olivier Paquette, Pierre-David Oriol
-
Patent number: 12423170
Abstract: The present disclosure provides systems and methods for generation of parsing scripts or rules for unstructured or semi-structured system log messages, including systems and methods for identifying and clustering of same or substantially similar system log messages using machine learning. Patterns indicative of the same or substantially similar types of system log messages can be generated based on the clustering of the system log messages and calculated similarities of attributes or distances between common features/fields of the system log messages, with the results of the clustering presented for analysis and development or adjustment of parsing scripts.
Type: Grant
Filed: January 19, 2022
Date of Patent: September 23, 2025
Assignee: Secureworks Corp.
Inventors: William Michael King, Raul Garcia Calvo
-
Patent number: 12135789
Abstract: The present disclosure provides systems and methods for predicting attack types and likelihood the attack types will occur for new vulnerabilities. According to the present disclosure, the method includes receiving a disclosure of a new vulnerability, the disclosure comprising a plurality of vulnerability details. The method includes developing a series of vulnerability features associated with the details of the new vulnerability. The method includes extracting each of the vulnerability features into intermediate inputs. The method includes providing each of the intermediate inputs to one or more attack type classifiers to thereby determine if an attack type is associated with the new vulnerability. The method includes determining a ranking for each of the one or more attacks occurring for the new vulnerability. The method finally includes assigning one or more attack type labels to the new vulnerability based on each attack type associated with the new vulnerability. Other aspects are also described.
Type: Grant
Filed: August 4, 2021
Date of Patent: November 5, 2024
Assignee: Secureworks Corp.
Inventor: Francois Labreche
-
Patent number: 12034751
Abstract: A method for detecting unauthorized and/or malicious hands-on-keyboard activity in an information handling system derived from the telemetry from one or more client systems, tokenizing a plurality of partial values/idiosyncrasies detected in the telemetry to form a plurality of tokens, aggregating the plurality of tokens or features over a selected time window to at least partially develop an aggregate feature vector, submitting the aggregate feature vector to one or more machine learning subsystems, and applying an ensemble model to one or more outputs from the one or more machine learning subsystems to generate an overall behavioral threat score of the potentially malicious hands-on-keyboard activity.
Type: Grant
Filed: October 1, 2021
Date of Patent: July 9, 2024
Assignee: Secureworks Corp.
Inventor: Nash Borges
-
Patent number: 12015623
Abstract: The present disclosure provides systems and methods for utilizing a blockchain network configured to receive threat intelligence requests and validate or invalidate such threat intelligence requests based on a consensus response from a series of nodes on the blockchain network. According to the present disclosure, the method includes receiving a threat intelligence request at one or more smart contracts of a blockchain network. The method includes broadcasting, via the one or more smart contracts, the threat intelligence request to one or more oracles. The one or more oracles may broadcast the threat intelligence request to one or more nodes. The one or more nodes may gather threat intelligence data based on the threat intelligence request. The one or more oracles may determine if consensus is reached by the one or more nodes. If consensus is reached, then a threat entry may be submitted to the one or more smart contracts.
Type: Grant
Filed: June 24, 2022
Date of Patent: June 18, 2024
Assignee: SECUREWORKS CORP.
Inventors: John Mullins, Wendy Bartlett
-
Patent number: 11665201
Abstract: Systems and methods for reversibly remediating security risks, which monitor a network or system for security risks, and upon detection of one or more risks, apply a remedial action applicable to at least partially remedy or mitigate the one or more detected risks. The network or system is monitored for a change to the detected risk(s), and upon detection of a change to the detected risk(s), the applied remediation action is automatically reversed.
Type: Grant
Filed: November 11, 2020
Date of Patent: May 30, 2023
Assignee: Secureworks Corp.
Inventors: Ross Rowland Kinder, William Urbanski, Ryan James Leavengood, Timothy Vidas, Jon Ramsey
-
Patent number: 11632398
Abstract: Methods and systems for building security applications can be provided. Data policies for accessing security data can be set, and a module pipeline including one or more modules selected from a plurality of modules can be generated. The modules can include at least one module operable to apply a predictive security application or model for detection or identification of security threats. Module execution policies governing execution of the one or more modules in the module pipeline also can be set. Upon receipt of a request to initiate execution of the module pipeline, it can be determined if the execution thereof would violate the data policies or the module execution policies. If so, execution of the module pipeline can be blocked, otherwise the module pipeline can be executed to process the portion of the security data.
Type: Grant
Filed: July 15, 2020
Date of Patent: April 18, 2023
Assignee: Secureworks Corp.
Inventors: Timothy Vidas, Jon Ramsey, Aaron Hackworth, Robert Danford, William Urbanski
-
Patent number: 11588834
Abstract: Systems and methods for identifying attack patterns or suspicious activity can include a profile builder, a primitive creator, and a compromise detector. The profile builder can populate one or more baseline activity profiles for each client of the plurality of clients or entities associated therewith. The primitive creator can create primitives by comparing identified or extracted features to information in the one or more baseline activity profiles. The compromise detector can receive primitives, and based on identified combinations or sequences of primitives, generate compromise events to be provided to clients.
Type: Grant
Filed: September 3, 2020
Date of Patent: February 21, 2023
Assignee: Secureworks Corp.
Inventors: William Parke Bowditch, Raul Garcia Calvo, John M. Nicholas, Tomasz Sarota-Raczek, Radoslaw Gasiorek
-
Patent number: 11522877
Abstract: With the systems and methods described herein, one or more security counter measures can be applied to received security data, e.g., by an initial detector, for identifying signatures or patterns in the received security data and determining whether to promote identifiers (e.g., URLs, IP addresses, domains, etc.) to an attacker learning system. If the identified signatures or patterns and/or the identifiers related thereto are determined to meet a threshold criterion, the identifiers are promoted to the attacker learning system. At the attacker learning system, a machine learning model is applied to promoted identifiers and security data associated therewith for determining whether the identifiers are malicious and should be added or otherwise included in an attacker database. Other aspects also are described.
Type: Grant
Filed: December 16, 2019
Date of Patent: December 6, 2022
Assignee: Secureworks Corp.
Inventor: Lewis McLean
-
Patent number: 11522711
Abstract: A system for providing secure authentication between a service provider and at least one user device having a storage. The system having a processor managed by the service provider, which processor manages authentication between the at least one device and the service provider. The processor is configured to generate a block including at least user account information upon receipt of an authentication request from the at least one device; apply a cryptographic hash function to the block to create a hash; transmit the hash to the at least one device for storage in the memory of the at least one device; and upon receipt of the hash, validate the hash prior to providing access to the service provider.
Type: Grant
Filed: September 28, 2020
Date of Patent: December 6, 2022
Assignee: Secureworks Corp.
Inventor: Thomas Clements
-
Patent number: 11381589
Abstract: In one aspect, the present disclosure is directed to systems and methods for validating and securely storing security entry updates. The security entry update is received from a contributor, and broadcast to a plurality of computing nodes. It then is determined whether to validate the received security update at each computing node of the plurality of computing nodes. If the received security entry update is validated, information relating to the received security update is added as transaction information in a current block, the current block is included in a blockchain that is stored in a datastore of each computing node of the plurality of computing nodes. Other aspects also are described.
Type: Grant
Filed: October 11, 2019
Date of Patent: July 5, 2022
Assignee: Secureworks Corp.
Inventors: Mehdi Tassoumt, Wayne Haber
-
Patent number: 11310268
Abstract: The present disclosure provides systems and methods for classifying or determining whether a request for a user's information is malicious or safe/legitimate. Request information related to a request for a user's information can be received, and one or more screenshots associated with the request can be obtained and provided to a machine learning model. The machine learning model can generate a probability or confidence level that the request is malicious.
Type: Grant
Filed: May 6, 2019
Date of Patent: April 19, 2022
Assignee: Secureworks Corp.
Inventors: William Parke Bowditch, Raul Garcia Calvo
-
Patent number: 11218500
Abstract: A method and system for parsing and identifying security log message data, which can include receiving system generated unstructured or partially semi-structured security log data from a plurality of source systems and devices, including a variety of different source systems and/or devices. The message data is received from the various sources in the form of raw log message data, as a stream of bytes received by a parsing system that identifies and extracts character features of the incoming raw messages. The extracted character features are compiled into data structures that are evaluated by a model(s) to determine segmentation boundaries thereof and generate message tokens, which are further classified as including variable data field(s) or as a template text string. Template categorized message tokens are used to provide message fingerprint information for characterizing the overall form of the message, and for comparison to a collection of previously stored/evaluated message fingerprints by a classifier.
Type: Grant
Filed: July 31, 2019
Date of Patent: January 4, 2022
Assignee: Secureworks Corp.
Inventors: Kyle Soeder, Harlan Parrott, Paul DiOrio, Bradley Skaggs
-
Patent number: 11159415
Abstract: An information handling system monitors events of a first time period, forms sequences from the events (first sequences), and determines normal sequences of the events. In one embodiment, it may also form sequences based upon events of a second time period (second sequences), the second time period later than the first time period, match the first sequences against the second sequences, and remove events of the second sequences from the events of the second time period. The information handling systems may then search for anomalous events in the remaining events. In another embodiment, the normal sequences may represent purchases. The information handling systems may compare purchases of a customer to the normal sequences and determine products of possible interest to the customer based upon the comparison.
Type: Grant
Filed: March 24, 2014
Date of Patent: October 26, 2021
Assignee: SecureWorks Corp.
Inventor: Lewis I. McLean
-
Patent number: 11044263
Abstract: The present disclosure provides systems and methods for organizations to use security data to generate risk scores associated with potential compromise based on clustering and/or similarities with other organizations that have or may have been compromised. For example, indicators of compromise can be used to create a similarity score rank over time that may be used as a similarity and risk measurement to generate a continual/dynamic score, which can change and/or be updated as new data is created or arrives to detect or prevent threats and/or malicious attacks.
Type: Grant
Filed: September 18, 2020
Date of Patent: June 22, 2021
Assignee: SECUREWORKS CORP.
Inventors: Lewis McLean, Jon Ramsey, Nash Borges
-
Patent number: 11003718
Abstract: A system can enable a global search of security data of a client base. The system can include a processor operable to record anonymity values set by clients of the client base, and to receive search requests including one or more search parameters from the clients. Upon receipt of a search request, the processor can generate a result set for the received search request and determine an aggregated anonymity value for the result set. The processor further may compare the aggregated anonymity value of the result set with a set anonymity value for each of the clients for filtering or removing the data points or information of the one or more clients with the set anonymity value that is greater than the aggregate anonymity value from the result set.
Type: Grant
Filed: June 12, 2018
Date of Patent: May 11, 2021
Assignee: Secureworks Corp.
Inventors: Lewis McLean, Paul Stansell
-
Patent number: 10977271
Abstract: A method of normalizing security log data can include receiving one or more security logs including unstructured data from a plurality of devices and reviewing unstructured data of the one or more security logs. The method also can include automatically applying a probabilistic model of one or more engines to identify one or more attributes or features of the unstructured data, and determine whether the identified attributes or features are indicative of identifiable entities, and tagging one or more identifiable entities of the identifiable entities, as well as organizing tagged entities into one or more normalized logs having a readable format with a prescribed schema. In addition, the method can include reviewing the one or more normalized logs for potential security events.
Type: Grant
Filed: March 23, 2020
Date of Patent: April 13, 2021
Assignee: Secureworks Corp.
Inventor: Lewis McLean
-
Patent number: 10841337
Abstract: Systems and methods for reversibly remediating security risks, which monitor a network or system for security risks, and upon detection of one or more risks, apply a remedial action applicable to at least partially remedy or mitigate the one or more detected risks. The network or system is monitored for a change to the detected risk(s), and upon detection of a change to the detected risk(s), the applied remediation action is automatically reversed.
Type: Grant
Filed: November 17, 2017
Date of Patent: November 17, 2020
Assignee: SECUREWORKS CORP.
Inventors: Ross Rowland Kinder, William Urbanski, Ryan James Leavengood, Timothy Vidas, Jon Ramsey