Abstract: A computing system identifies an evidence set associated with a detected cybersecurity attack. The evidence set includes logs representing security alerts associated with the detected cybersecurity attack. The computing system analyzes the evidence set to predict actions taken by a malicious actor, the actions comprising historical actions and future actions. The computing system analyzes the predicted actions to classify the historical actions and future actions taken by the malicious actor. The computing system generates a query for analyzing the evidence set based on the classified historical actions and future actions.

Abstract: Disclosed is a computer-implemented method for correlating user information can include receiving, from a user device, a login log associated with a user; receiving an intrusion detection system (IDS) log; receiving a domain name system (DNS) log; receiving, from a computing device, a log; enriching at least one of the login log, the IDS log, or the DNS log; and correlating an identity with one or more of the login log, the IDS log, and the DNS log. In some embodiments, correlating the identity with one or more of the login log, the IDS log, and the DNS log can include generating a graph representation and saving the graph representation as a sparse graph representation.

Abstract: A method for predicting a future stage of an attack on a computer system. The method comprises performing, by the computer system, linguistic analysis on threat intelligence reports, where the threat intelligence reports comprise known stages of the attack. The method also comprises processing, by the computer system, the linguistic analysis with a transition matrix to determine probabilities of cause-and-effect relationships between the known stages of the attack, updating, by the computer system, a probability model based on the probabilities determined by the transition matrix, and predicting, by the computer system, the future stage of the attack based on the probability model and attack classifications.

Abstract: A system and method for optimizing a defense model using available security capabilities are provided. The method includes obtaining a defense model and an optimal security application implementation associated with the defense model; evaluating available security capabilities deployed in an enterprise environment to determine a plurality of variant security applications implementing the defense model; determining a quality score for each of the plurality of the variant security applications; selecting, from the plurality of variant security applications, a variant security application having a highest quality score; and executing the selected variant security application.

Abstract: A system and method for optimizing a defense model using available security capabilities are provided. The method includes obtaining a defense model and an optimal security application implementation associated with the defense model; evaluating available security capabilities deployed in an enterprise environment to determine a plurality of variant security applications implementing the defense model; determining a quality score for each of the plurality of the variant security applications; selecting, from the plurality of variant security applications, a variant security application having a highest quality score; and executing the selected variant security application.

Abstract: A method and system for scoring performance of a security product are provided. The method includes receiving security product performance data of the security product configured to handle a specific cyber threat; classifying the performance data into a product profile associated with the security product; computing at least one security product performance score for the product profile based on the classified product security performance data; and associating the at least one security performance score with the product profile. In an embodiment, the method also includes selecting the at least one security product from a plurality of security products based on their respective performance scores for the respective cyber threat.

Abstract: Systems and methods are provided for making predictions relating to the attack sequence of an attacker or other malicious entity.

Abstract: A method and system for classification of cyber-threats is provided. The method includes receiving a request for classifying a cyber-threat detected by a cyber-security system, wherein the request includes initial information about the detected cyber-threat; enriching the initial information about the detected cyber-threat to provide textual information about at least one perceived threat related to the detected cyber-threat; and classifying each of the at least one perceived threat into a security service, wherein the classification is performed based on the respective textual information.

Abstract: A method and system for adaptively securing a protected entity against a potential advanced persistent threat (APT) are provided. The method includes probing a plurality of resources in a network prone to be exploited by an APT attacker; operating at least one security service configured to output signals indicative of APT related activity of each of the plurality of probed resources; generating at least one security event respective of the output signals; determining if the at least one security event satisfies at least one workflow rule; and upon determining that the at least one security event satisfies the at least one workflow rule, generating at least one action with respect to the potential APT attack.

Abstract: A method and system for scoring performance of a security product are provided. The method includes receiving security product performance data of the security product configured to handle a specific cyber threat; classifying the performance data into a product profile associated with the security product; computing at least one security product performance score for the product profile based on the classified product security performance data; and associating the at least one security performance score with the product profile. In an embodiment, the method also includes selecting the at least one security product from a plurality of security products based on their respective performance scores for the respective cyber threat.

Abstract: A system and method for method for generating a security rule classification model comprises receiving at least one security rule from at least one attack database of a first security product of a plurality of different security products; normalizing each of the at least one security rule; generating a vector for each of the least one normalized security rule; classifying each generated vector to a security engine within a security service using a classification sub-model to generate a preliminary classification model, wherein the classification sub-model is provided from previous classification of security rules for a security product of the plurality of different security products that is different than the first security product; determining a score for the preliminary classification model; and validating the preliminary classification model as the security rule classification model, when the score is over a predefined threshold.

Abstract: A method and system for classification of cyber-threats is provided. The method includes receiving a request for classifying a cyber-threat detected by a cyber-security system, wherein the request includes initial information about the detected cyber-threat; enriching the initial information about the detected cyber-threat to provide textual information about at least one perceived threat related to the detected cyber-threat; and classifying each of the at least one perceived threat into a security service, wherein the classification is performed based on the respective textual information.

Abstract: A system and method for generating policies for investigating cyber-security attacks are provided. The method includes selecting at least one entity of interest (EoI); determining at least one detection event associated with the at least one EoI; processing the at least one detection event to create a plurality of investigation rules, wherein each of the plurality of investigation rules includes a set of filters utilized to identify malicious activity related the at least one EoI; and defining an investigation policy for the EoI, wherein the defined investigation policy includes the plurality of investigation rules.

Abstract: A cyber-security system and method for proactively predicting cyber-security threats are provided. The method comprises receiving a plurality of security events classified to different groups of events; correlating the plurality of received security events to classify potential cyber-security threats to a set of correlation types; determining a correlation score for each classified potential cyber-security threat; and determining a prediction score for each classified potential cyber-security threat, wherein the prediction score is determined based in part on the correlation score.

Abstract: A method and system for configuring a behavioral network intelligence system using a network monitoring programming language are provided. The method includes defining at least one target of a traffic segment to be monitored using at least one application path attribute of an application, wherein the application is accessed via at least one user device connected to a network, wherein the at least one application path attribute is defined respective of an application path keyword and an application path assessment keyword; and defining at least one condition representing the behavior of the at least one application path attribute of the application, the at least one target and the at least one condition can be interpreted by a monitoring system to allow for determining a behavioral impact of the application on the network.

Abstract: A method and system for determining the behavioral impact of applications and their respective users on a network carrier are provided. The method includes receiving data collected by at least one deep packet inspection (DPI) engine; classifying the received data at least per an application path respective of each of the applications; generating an application path profile data structure using the collected data; and generating, responsive to at least one behavioral rule, at least one degree of fulfillment (DoF) for the application path based on contents of the application path profile data structure, wherein the at least DoF defines an association of the application path with at least one behavior group, wherein the behavior group determines the behavioral impact of an application represented by the application path.

Abstract: A system and method for classifying security rules of a plurality of different security products into a security decision engine in a service. The method comprises receiving at least one security rule from at least one attack database of a security product of the plurality of different security products; normalizing each of the at least one security rule; generating a vector for each of the least one normalized security rule, wherein each vector is generated based on a set of terms indicative of a cyber-solution; mapping each of the generated vector to a security service, wherein the security service represents a cyber-solution category, wherein the mapping is performed using a classification model; and associating each of the respective security rule with the security service, when an evaluation threshold is met.

Abstract: A method and system for cyber threat risk-chain generation are provided. The method includes obtaining a plurality of events; mapping each event of the plurality of obtained events to a global threat type, wherein each global threat type is associated with a risk-chain group; correlating among the mapped plurality of events to determine at least a transition between one global threat type to another; and updating a data structure maintaining data of at least one risk-chain, when the transition is determined, wherein the at least one risk-chain is a lifecycle of a cyber-attack.

Abstract: A system and method for optimizing a defense model using available security capabilities are provided. The method includes obtaining a defense model and an optimal security application implementation associated with the defense model; evaluating available security capabilities deployed in an enterprise environment to determine a plurality of variant security applications implementing the defense model; determining a quality score for each of the plurality of the variant security applications; selecting, from the plurality of variant security applications, a variant security application having a highest quality score; and executing the selected variant security application.

Abstract: A system and method for classifying security rules of a plurality of different security products into a security decision engine in a service. The method comprises receiving at least one security rule from at least one attack database of a security product of the plurality of different security products; normalizing each of the at least one security rule; generating a vector for each of the least one normalized security rule, wherein each vector is generated based on a set of terms indicative of a cyber-solution; mapping each of the generated vector to a security service, wherein the security service represents a cyber-solution category, wherein the mapping is performed using a classification model; and associating each of the respective security rule with the security service, when an evaluation threshold is met.