Abstract: Techniques, methods and/or apparatuses are disclosed that enable of cyber risks on assets of networks to be evaluated in presence of security controls on the assets. In this way, effect of security controls already in place may be quantified. A novel scoring technique is presented. Also, use of causal inference is in the context of security risk assessment is described.

Abstract: In an embodiment, a semantic model and a semantic model training method that obtains a textual description of one or more features associated with a first vulnerability that has been used in one or more attacks. Text is parsed from the first textual description in accordance with one or more rules. The system determines a first label for the first vulnerability that is associated with one or more of a plurality of stages of an attack chain taxonomy. The model is generated or refined to map the parsed text to the first label associated with the one or more stages of the attack chain taxonomy.

Abstract: Solutions for data unification include: receiving a data record, the data record comprising a plurality of data fields; selecting, from among the plurality of data fields, a subset of the data fields, the subset of the data fields being fewer in number than the plurality of data fields, wherein selecting the subset of the data fields comprises: applying a first rule to select at least a first one of the data fields within the data record for inclusion in the subset of the data fields; using content of the subset of the data fields, generating a stable identifier (stableID) for the data record; and inserting the stableID into a primary key data field of the data record.

Abstract: In an embodiment, a semantic model and a semantic model training method that obtains a textual description of one or more features associated with a first vulnerability that has been used in one or more attacks. Text is parsed from the first textual description in accordance with one or more rules. The system determines a first label for the first vulnerability that is associated with one or more of a plurality of stages of an attack chain taxonomy. The model is generated or refined to map the parsed text to the first label associated with the one or more stages of the attack chain taxonomy.

Abstract: Solutions for data unification include: receiving a data record, the data record comprising a plurality of data fields; selecting, from among the plurality of data fields, a subset of the data fields, the subset of the data fields being fewer in number than the plurality of data fields, wherein selecting the subset of the data fields comprises: applying a first rule to select at least a first one of the data fields within the data record for inclusion in the subset of the data fields; using content of the subset of the data fields, generating a stable identifier (stableID) for the data record; and inserting the stableID into a primary key data field of the data record.

Abstract: Solutions for data unification include: receiving a data record, the data record comprising a plurality of data fields; selecting, from among the plurality of data fields, a subset of the data fields, the subset of the data fields being fewer in number than the plurality of data fields, wherein selecting the subset of the data fields comprises: applying a first rule to select at least a first one of the data fields within the data record for inclusion in the subset of the data fields; using content of the subset of the data fields, generating a stable identifier (stableID) for the data record; and inserting the stableID into a primary key data field of the data record.

Abstract: Techniques, methods and/or apparatuses are disclosed that enable of cyber risks on assets of networks to be evaluated in presence of security controls on the assets. In this way, effect of security controls already in place may be quantified. A novel scoring technique is presented. Also, use of causal inference is in the context of security risk assessment is described.

Abstract: Methods and systems for identifying malicious applications and, more particularly, to identifying web shell applications. Embodiments described herein rely on machine learning tools to analyze static and dynamic features of a suspected file to determine whether the file is a web shell application.

Abstract: Methods and systems for identifying malicious applications and, more particularly, to identifying web shell applications. Embodiments described herein rely on machine learning tools to analyze static and dynamic features of a suspected file to determine whether the file is a web shell application.

Abstract: A method and system for classifying malicious locators where a processor is trained on a set of known malicious locators using a non-supervised learning procedure. Once trained, the processor may classify new locators as being generated by a particular generation kit.

Abstract: Identifying and protecting against an attack against an anomaly detector machine learning classifier (ADMLC). In some embodiments, a method may include identifying training data points in a manifold space for an ADMLC, dividing the manifold space into multiple subspaces, merging each of the training data points into one of the multiple subspaces, training a subclassifier for each of the multiple subspaces to determine a decision boundary for each of the multiple subspaces between normal training data points and anomalous training data points, receiving an input data point into the ADMLC, determining whether the input data point is an attack on the ADMLC due to a threshold number of the subclassifiers classifying the input data point as an anomalous input data point, and, in response to identifying the attack against the ADMLC, protecting against the attack.

Abstract: A computer-implemented method for detecting and protecting against malicious use of legitimate computing-system tools may include (i) identifying a computing-system tool that can perform benign actions and malicious actions on a computing system, (ii) creating a set of recorded actions by recording actions performed by the computing-system tool on the computing system over a predetermined period of time, (iii) analyzing the set of recorded actions via a machine learning method that, for each action in the set of recorded actions, determines whether the action is anomalous compared to other actions in the set, (iv) classifying an action in the set of recorded actions as malicious based at least in part on determining that the action is anomalous, and (v) initiating, in response to classifying the action as malicious, a security action related to the action. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: In an embodiment, a semantic model and a semantic model training method that obtains a textual description of one or more features associated with a first vulnerability that has been used in one or more attacks. Text is parsed from the first textual description in accordance with one or more rules. The system determines a first label for the first vulnerability that is associated with one or more of a plurality of stages of an attack chain taxonomy. The model is generated or refined to map the parsed text to the first label associated with the one or more stages of the attack chain taxonomy.

Abstract: The disclosed computer-implemented method for detecting anomalous behavior within computing sessions may include (i) identifying, by the computing device, a set of execution events that correspond to a computing session, (ii) providing, by the computing device, the set of execution events as input to an autoencoder, (iii) receiving, by the computing device and from the autoencoder, a reconstruction error associated with autoencoding the set of execution events, (iv) detecting, by the computing device and based on the reconstruction error, an anomaly within the computing session, and (v) performing, by the computing device, a security action to address the anomaly within the computing session. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Methods and systems are provided for generating a security profile for a new computing system. One example method generally includes obtaining, over a network, information associated with a plurality of existing computing systems and generating, by a clustering algorithm, a set of clusters based on the information associated with the plurality of existing computing systems. The method further includes obtaining external data associated with the computing system and classifying the computing system into a cluster in the set of clusters based on the external data associated with the computing system. The method further includes determining the security profile based on statistics associated with the cluster and transmitting, over the network, an indication of the security profile.

Abstract: Methods and systems for neutralizing malicious locators. Threat actors may shut down their web pages or applications (i.e., resources) that serve malicious content upon receiving request(s) configured to be perceived by the resource as non-browser requests. Therefore, initiating (large-scale) non-browser requests, or requests that are at least perceived as non-browser requests, may effectively act to inhibit, or even nullify, intended attack vectors.

Abstract: The disclosed computer-implemented method for detecting anomalous behavior within computing sessions may include (i) identifying, by the computing device, a set of execution events that correspond to a computing session, (ii) providing, by the computing device, the set of execution events as input to an autoencoder, (iii) receiving, by the computing device and from the autoencoder, a reconstruction error associated with autoencoding the set of execution events, (iv) detecting, by the computing device and based on the reconstruction error, an anomaly within the computing session, and (v) performing, by the computing device, a security action to address the anomaly within the computing session. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Methods and systems for neutralizing malicious locators. Threat actors may shut down their web pages or applications (i.e., resources) that serve malicious content upon receiving request(s) configured to be perceived by the resource as non-browser requests. Therefore, initiating (large-scale) non-browser requests, or requests that are at least perceived as non-browser requests, may effectively act to inhibit, or even nullify, intended attack vectors.

Abstract: Methods and systems for classifying malicious locators. A processor is trained on a set of known malicious locators using a non-supervised learning procedure. Once trained, the processor may classify new locators as being generated by a particular generation kit.

Abstract: Methods and systems for identifying malicious applications and, more particularly, to identifying web shell applications. Embodiments described herein rely on machine learning tools to analyze static and dynamic features of a suspected file to determine whether the file is a web shell application.