Abstract: A cyber security system includes an importance node module to compute and use graphs to compute an importance of a node based on factors including a hierarchy and a job title of the user, aggregated account privileges from network domains and a level of shared resource access for the user. The graphs are supplied into an attack path modeling component to understand an importance of the network nodes and determine key pathways within the network that a cyber-attack would use, via a modeling the cyber-attack on a simulated and a virtual device version of the network. The cyber security system provides an intelligent prioritization of remediation action to a remediation suggester module to analyze results of the modeling the cyber-attack for each node and suggest how to perform intelligent prioritization of remediation action on a network node in one of a report and an autonomous remediation action.

Abstract: An apparatus features processor(s) and a non-transitory storage medium including an intelligent-adversary simulator and a formatting modules. The simulator calculates path(s) of least resistance for a cyber threat in a cyber-attack scenario to compromise 1) a first virtualized instance (source device), 2) a second virtualized instance (targeted device), and 3) virtualized instances of components of a virtualized instance of a network associated with selected pathways of the cyber-attack scenario through the virtualized instance of the network. The virtualized instances may be based on historical knowledge of connectivity and behaviour patterns of users and devices within an actual network under analysis. The formatting module generates a report with identified devices that are communicatively coupled to the virtualized instance of the network and prioritized to allocate security resources.

Abstract: A cyber security appliance can inoculate a fleet of network devices by analyzing each endpoint of a secure connection. The appliance can receive a hostname for a malicious web server. The appliance can generate an unencrypted target fingerprint based on sending a series of unencrypted connection protocol requests to the malicious web server and an encrypted target fingerprint based on sending a series of encrypted secure connection protocol requests to the malicious web server. The appliance can build a combined web server fingerprint for the malicious web server based on both the encrypted target fingerprint derived and the unencrypted target fingerprint. The appliance can determine a set of suspicious IP addresses based on the combined web server fingerprint for the malicious web server. The appliance can inoculate a fleet of network devices against a cyberattack using the IP addresses to preemptively alert the fleet of cyber-attack.

Abstract: A cyber security appliance can inoculate a fleet of network devices by analyzing each endpoint of a secure connection. The appliance can receive a hostname for a malicious web server. The appliance can generate an unencrypted target fingerprint based on sending a series of unencrypted connection protocol requests to the malicious web server and an encrypted target fingerprint based on sending a series of encrypted secure connection protocol requests to the malicious web server. The appliance can build a combined web server fingerprint for the malicious web server based on both the encrypted target fingerprint derived and the unencrypted target fingerprint. The appliance can determine a set of suspicious IP addresses based on the combined web server fingerprint for the malicious web server. The appliance can inoculate a fleet of network devices against a cyberattack using the IP addresses to preemptively alert the fleet of cyber-attack.

Abstract: An AI adversary red team configured to pentest email and/or network defenses implemented by a cyber threat defense system used to protect an organization and all its entities. AI model(s) trained with machine learning on contextual knowledge of the organization and configured to identify data points from the contextual knowledge including language-based data, email/network connectivity and behavior pattern data, and historic knowledgebase data. The trained AI models cooperate with an AI classifier in producing specific organization-based classifiers for the AI classifier. A phishing email generator generates automated phishing emails to pentest the defense systems, where the phishing email generator cooperates with the AI models to customize the automated phishing emails based on the identified data points of the organization and its entities. The customized phishing emails are then used to initiate one or more specific attacks on one or more specific users associated with the organization and its entities.

Abstract: A cyber threat defense system and a method for detecting a cyber threat may use a predictor, e.g. a Transformer deep learning model, which is configured to predict a next item in the sequence of events and to detect one or more anomalies in the sequence of events. This provides a notification comprising (i) information about the one or more anomalies; and (ii) a prediction of what would have been expected.

Abstract: An AI adversary red team configured to pentest email and/or network defenses implemented by a cyber threat defense system used to protect an organization and all its entities. AI model(s) trained with machine learning on contextual knowledge of the organization and configured to identify data points from the contextual knowledge including language-based data, email/network connectivity and behavior pattern data, and historic knowledgebase data. The trained AI models cooperate with an AI classifier in producing specific organization-based classifiers for the AI classifier. A phishing email generator generates automated phishing emails to pentest the defense systems, where the phishing email generator cooperates with the AI models to customize the automated phishing emails based on the identified data points of the organization and its entities. The customized phishing emails are then used to initiate one or more specific attacks on one or more specific users associated with the organization and its entities.

Abstract: A cyber threat defense system and a method for detecting a cyber threat may use a predictor, e.g. a Transformer deep learning model, which is configured to predict a next item in the sequence of events and to detect one or more anomalies in the sequence of events. This provides a notification comprising (i) information about the one or more anomalies; and (ii) a prediction of what would have been expected.

Abstract: An intelligent-adversary simulator can construct a graph of a virtualized instance of a network including devices connecting to the virtualized instance of the network as well as connections and pathways through the virtualized instance of the network. Running a simulated cyber-attack scenario on the virtualized instance of the network in order to identify one or more critical devices connecting to the virtualized instance of the network from a security standpoint, and then put this information into a generated report to help prioritize which devices should have a priority. During a simulation, the intelligent-adversary simulator calculates paths of least resistance for a cyber threat in the cyber-attack scenario to compromise a source device through to other components until reaching an end goal of the cyber-attack scenario in the virtualized network, all based on historic knowledge of connectivity and behaviour patterns of users and devices within the actual network under analysis.

Abstract: The node exposure score generator and the attack path modeling component are configured to cooperate to analyze the actual detected vulnerabilities that exist for that network node in the network, the importance of network nodes in the network compared to other network nodes in the network, and the key pathways within the network and the vulnerable network nodes in the network that a cyber-attack would use during the cyber-attack in order to provide an intelligent prioritization of remediation actions to remediate the actual detected vulnerabilities for each network node from the network protected by a cyber security appliance.

Abstract: An intelligent-adversary simulator can construct a graph of a virtualized instance of a network including devices connecting to the virtualized instance of the network as well as connections and pathways through the virtualized instance of the network. Running a simulated cyber-attack scenario on the virtualized instance of the network in order to identify one or more critical devices connecting to the virtualized instance of the network from a security standpoint, and then put this information into a generated report to help prioritize which devices should have a priority. During a simulation, the intelligent-adversary simulator calculates paths of least resistance for a cyber threat in the cyber-attack scenario to compromise a source device through to other components until reaching an end goal of the cyber-attack scenario in the virtualized network, all based on historic knowledge of connectivity and behaviour patterns of users and devices within the actual network under analysis.

Abstract: A cyber security system includes an importance node module to compute and use graphs to compute an importance of a node based on factors including a hierarchy and a job title of the user, aggregated account privileges from network domains and a level of shared resource access for the user. The graphs are supplied into an attack path modeling component to understand an importance of the network nodes and determine key pathways within the network that a cyber-attack would use, via a modeling the cyber-attack on a simulated and a virtual device version of the network. The cyber security system provides an intelligent prioritization of remediation action to a remediation suggester module to analyze results of the modeling the cyber-attack for each node and suggest how to perform intelligent prioritization of remediation action on a network node in one of a report and an autonomous remediation action.

Abstract: An Artificial Intelligence AI-based cyber threat analyst protects a system from cyber threats. A cyber threat analyst module uses i) one or more AI models, ii) a set of scripts, and iii) any combination of both, to form and investigate hypotheses on what are a possible set of cyber threats that include abnormal behavior and/or a suspicious activity. An analyzer module uses one or more data analysis processes including i) an agent analyzer data analysis process; ii) an Ngram data analysis process; iii) an exfiltration data analysis process; and iv) a network scan data analysis process; in order to obtain any of the abnormal behavior and the suspicious activity to start the investigation on the possible set of cyber threats hypotheses, as well as, to obtain the collection of system data points to either support or refute the possible cyber threat hypotheses.

Abstract: A cyber security appliance can inoculate a fleet of network devices by analyzing each endpoint of a secure connection. The appliance can receive a hostname for a malicious web server. The appliance can generate an unencrypted target fingerprint based on sending a series of unencrypted connection protocol requests to the malicious web server and an encrypted target fingerprint based on sending a series of encrypted secure connection protocol requests to the malicious web server. The appliance can build a combined web server fingerprint for the malicious web server based on both the encrypted target fingerprint derived and the unencrypted target fingerprint. The appliance can determine a set of suspicious IP addresses based on the combined web server fingerprint for the malicious web server. The appliance can inoculate a fleet of network devices against a cyberattack using the IP addresses to preemptively alert the fleet of cyber-attack.

Abstract: A cyber threat defense system and a method for detecting a cyber threat may use a predictor, e.g. a Transformer deep learning model, which is configured to predict a next item in the sequence of events and to detect one or more anomalies in the sequence of events. This provides a notification comprising (i) information about the one or more anomalies; and (ii) a prediction of what would have been expected.

Abstract: An AI adversary red team configured to pentest email and/or network defenses implemented by a cyber threat defense system used to protect an organization and all its entities. AI model(s) trained with machine learning on contextual knowledge of the organization and configured to identify data points from the contextual knowledge including language-based data, email/network connectivity and behavior pattern data, and historic knowledgebase data. The trained AI models cooperate with an AI classifier in producing specific organization-based classifiers for the AI classifier. A phishing email generator generates automated phishing emails to pentest the defense systems, where the phishing email generator cooperates with the AI models to customize the automated phishing emails based on the identified data points of the organization and its entities. The customized phishing emails are then used to initiate one or more specific attacks on one or more specific users associated with the organization and its entities.

Abstract: An intelligent-adversary simulator can construct a graph of a virtualized instance of a network including devices connecting to the virtualized instance of the network as well as connections and pathways through the virtualized instance of the network. Running a simulated cyber-attack scenario on the virtualized instance of the network in order to identify one or more critical devices connecting to the virtualized instance of the network from a security standpoint, and then put this information into a generated report to help prioritize which devices should have a priority. During a simulation, the intelligent-adversary simulator calculates paths of least resistance for a cyber threat in the cyber-attack scenario to compromise a source device through to other components until reaching an end goal of the cyber-attack scenario in the virtualized network, all based on historic knowledge of connectivity and behaviour patterns of users and devices within the actual network under analysis.

Abstract: An AI-based cyber threat analyst protects a system from cyber threats. A cyber threat analyst module uses i) one or more AI models, ii) a set of scripts, and iii) any combination of both, to form and investigate hypotheses on what are a possible set of cyber threats that include abnormal behavior and/or the suspicious activity. The analyzer module uses one or more data analysis processes including i) an agent analyzer data analysis process; ii) an Ngram data analysis process; iii) an exfiltration data analysis process; and iv) a network scan data analysis process; in order to obtain any of the abnormal behavior and the suspicious activity to start the investigation on the possible set of cyber threats hypotheses, as well as, to obtain the collection of system data points to either support or refute the possible cyber threat hypotheses.