Abstract: A cap extractor for a welding gun includes a housing, a pair of springs, and first and second arms that are arranged between the springs. Each of the first and second arms have teeth that are configured to engage a welding cap. The first and second arms are configured to move relative to the housing in first and second directions that are transverse to one another by deflecting the springs.

Abstract: A robotic cleaner includes a housing, a suction conduit with an opening, and a leading roller mounted in front of a brush roll. An inter-roller air passageway may be defined between the leading roller and the brush roll wherein the lower portion of the leading roller is exposed to a flow path to the suction conduit and an upper portion of the leading roller is outside of the flow path. Optionally, a combing unit includes a plurality of combing protrusions extending into the leading roller and having leading edges not aligned with a center of the leading roller. Optionally, a sealing strip is located along a rear side of the opening and along a portion of left and right sides of the opening. The underside may define side edge vacuum passageways extending from the sides of the housing partially between the leading roller and the sealing strip towards the opening.

Abstract: A value is assigned to a rate threshold for adding child nodes to a distinct parent node in a tree data structure. A first datum comprising a first variable assigned a first value and a second variable assigned a first value is added to the tree at a first timestamp, by adding to the first level in the tree a first parent node representing the first variable assigned the first value and adding to the second level in the tree a first child node representing the second variable assigned the first value and connected by a first directed edge from the first parent node. A second datum comprising the first variable assigned the first value and the second variable assigned a second value is received at a second timestamp. The method blocks adding to the second level in the tree a second child node representing the second variable assigned the second value and connected by a second directed edge from the first parent node when a rate based on the first timestamp and the second timestamp exceeds the rate threshold.

Abstract: A security agent implemented on a monitored computing device is described herein. The security agent has access to parametric behavioral pattern definitions that, in combination with canonical patterns of behavior, configure the security agent to match observed behavior with known computing behavior that is benign or malignant. This arrangement of the definitions and the pattern of behavior allow the security agent's behavior to be updated by a remote security service without updating a configuration of the security agent. The remote security service can create, modify, and disseminate these definitions and patterns of behavior, giving the security agent real-time ability to respond to new behaviors exhibited by the monitored computing device.

Abstract: Methods and systems for detecting malicious attacks in a network and preventing lateral movement in the network by identity control are disclosed. According to an implementation, a security appliance may receive telemetry data from an endpoint device collected during a period of time. The security appliance may determine a threat behavior based on the telemetry data. The threat behavior may be associated with a user identity or user account. The security appliance further determines one or more additional user identities based on the user identity connected to the threat behavior. The security appliance may enforce one or more security actions on the user identity and the one or more additional user identities to prevent attacks to a plurality of computing domains from the endpoint device using the one or more additional user identities. The security appliance may be implemented on any network participants including servers, cloud device, cloud-based services/platforms, etc.

Abstract: Techniques and systems to provide a more intuitive user overview of events data by mapping unbounded incident scores to a fixed range and aggregating incident scores by different schemes. The system may detect possible malicious incidents associated with events processing on a host device. The events data may be gathered from events detected on the host device. The incident scores for incidents may be determined from the events data. The incident scores may be mapped to bins of a fixed range to highlight the significance of the incident scores. For instance, a first score mapped to a first bin may be insignificant while a second score mapped to a last bin may require urgent review. The incident scores may also be aggregated at different levels (e.g., host device, organization, industry, global, etc.) and at different time intervals to provide insights to the data.

Abstract: Techniques to provide visualizations of possible malicious incidents associated with an event on a host device may include causing presentation of graphics of a process or thread in a user interface. Information about detected events may be transmitted to a computing device that generates the visualizations for presentation to an analyst to verify the malicious incidents. Based on patterns and information conveyed in the visualizations, the computer device or host device may take action to protect operation of the host device caused by the event.

Abstract: Techniques and systems to provide a more intuitive user overview of events data by mapping unbounded incident scores to a fixed range and aggregating incident scores by different schemes. The system may detect possible malicious incidents associated with events processing on a host device. The events data may be gathered from events detected on the host device. The incident scores for incidents may be determined from the events data. The incident scores may be mapped to bins of a fixed range to highlight the significance of the incident scores. For instance, a first score mapped to a first bin may be insignificant while a second score mapped to a last bin may require urgent review. The incident scores may also be aggregated at different levels (e.g., host device, organization, industry, global, etc.) and at different time intervals to provide insights to the data.

Abstract: Example techniques detect incidents based on events from or at monitored computing devices. A control unit can detect events of various types within a time interval and aggregate the detected events into an incident. The control unit can detect patterns within the events based at least in part on predetermined criterion. In examples, the control unit can determine pattern scores for the patterns based on the probability of occurrence for the patterns and determine a composite score based on the pattern scores. The control unit can determine that an incident indicating malicious activity has been detected based in part determining that the composite score is above a predetermined threshold score. In some examples, the control unit can classify and rank the incidents. The control unit can determine if an incident indicates malicious activity including malware or targeted attack.

Abstract: Example techniques locate or identify malware based on events from or at monitored computing devices. A control unit can detect a sequence of events of various types. The control unit can locate a loop within the sequence of events based at least in part on relative frequencies of the event types. The control unit can determine a distribution of event types of the events within the loop, and determining that software running the sequence is associated with malware based at least in part on the distribution of event types within the loop. In some examples, the control unit can locate a point of commonality among a plurality of stack traces associated with respective events within the loop. The control unit can determine a malware module comprising the point of commonality.

Abstract: Example techniques herein search a graph data structure and retrieve data associated with a result node or edge. The graph can include nodes and edges between them. A control unit can produce a discrete finite automaton (DFA) based on a query. The control unit can traverse the DFA in conjunction with the graph, from an initial DFA state and an entry-point graph node, to reach a result graph node associated with a DFA triggering state. Traversal can include, e.g., unwinding upon reaching a terminal state of the DFA. Some examples can determine a schema of output data. Some examples can store information associated with nodes while traversing, and discard the information when unwinding traversal. Some examples can process queries including edge types not members of a set of edge types associated with a graph. Some examples can apply traversal-limiting instructions specified in a query.

Abstract: Example techniques herein search a graph data structure and retrieve data associated with a result node or edge. The graph can include nodes representing, e.g., processes or files, and edges between the nodes. A control unit can produce a discrete finite automaton (DFA) based on a query. The control unit can traverse the DFA in conjunction with the graph, beginning at an initial state of the DFA and an entry-point node of the graph, to reach a result node of the graph associated with a triggering state of the DFA. Traversal can include unwinding upon reaching a terminal state of the DFA, in some examples. The control unit can retrieve data associated with the result node or an edge connected there to, and can provide the data via a communications interface. A data-retrieval system can communicate with a data-storage system via the communications interface, in some examples.

Abstract: Techniques and systems to provide a more intuitive user overview of events data by mapping unbounded incident scores to a fixed range and aggregating incident scores by different schemes. The system may detect possible malicious incidents associated with events processing on a host device. The events data may be gathered from events detected on the host device. The incident scores for incidents may be determined from the events data. The incident scores may be mapped to bins of a fixed range to highlight the significance of the incident scores. For instance, a first score mapped to a first bin may be insignificant while a second score mapped to a last bin may require urgent review. The incident scores may also be aggregated at different levels (e.g., host device, organization, industry, global, etc.) and at different time intervals to provide insights to the data.

Abstract: Techniques and systems to provide a more intuitive user overview of events data by mapping unbounded incident scores to a fixed range and aggregating incident scores by different schemes. The system may detect possible malicious incidents associated with events processing on a host device. The events data may be gathered from events detected on the host device. The incident scores for incidents may be determined from the events data. The incident scores may be mapped to bins of a fixed range to highlight the significance of the incident scores. For instance, a first score mapped to a first bin may be insignificant while a second score mapped to a last bin may require urgent review. The incident scores may also be aggregated at different levels (e.g., host device, organization, industry, global, etc.) and at different time intervals to provide insights to the data.

Abstract: Techniques to provide visualizations of possible malicious incidents associated with an event on a host device may include causing presentation of graphics of a process or thread in a user interface. Information about detected events may be transmitted to a computing device that generates the visualizations for presentation to an analyst to verify the malicious incidents. Based on patterns and information conveyed in the visualizations, the computer device or host device may take action to protect operation of the host device caused by the event.

Abstract: A security agent implemented on a monitored computing device is described herein. The security agent has access to parametric behavioral pattern definitions that, in combination with canonical patterns of behavior, configure the security agent to match observed behavior with known computing behavior that is benign or malignant. This arrangement of the definitions and the pattern of behavior allow the security agent's behavior to be updated by a remote security service without updating a configuration of the security agent. The remote security service can create, modify, and disseminate these definitions and patterns of behavior, giving the security agent real-time ability to respond to new behaviors exhibited by the monitored computing device.

Abstract: A security agent implemented on a monitored computing device is described herein. The security agent has access to parametric behavioral pattern definitions that, in combination with canonical patterns of behavior, configure the security agent to match observed behavior with known computing behavior that is benign or malignant. This arrangement of the definitions and the pattern of behavior allow the security agent's behavior to be updated by a remote security service without updating a configuration of the security agent. The remote security service can create, modify, and disseminate these definitions and patterns of behavior, giving the security agent real-time ability to respond to new behaviors exhibited by the monitored computing device.

Abstract: A security agent implemented on a computing device is described herein. The security agent is configured to detect file-modifying malware by detecting that a process is traversing a directory of the memory of the computing device and detecting that the process is accessing files in the memory according to specified file access patterns. The security agent can also be configured to correlate actions of multiple processes that correspond to a specified file access pattern and detect that one or more of the multiple processes are malware by correlating their behavior.

Abstract: A security agent can implement a least recently used (LRU)-based approach to suppressing events observed on a computing device. The security agent may observe events that occur on a computing device. These observed events may then be inserted into a LRU table that tracks, for a subset of the observed events maintained in the LRU table, a rate-based statistic for multiple event groups in which the subset of the observed events are classified. In response to a value of the rate-based statistic for a particular event group satisfying a threshold for the LRU-table, observed events that are classified in the event group can be sent to a remote security system with suppression by refraining from sending, to the remote security system, at least some of the observed events in the event group. The security agent may cease suppression after the rate-based statistic falls below a predetermined threshold level.

Abstract: Example techniques locate or identify malware based on events from or at monitored computing devices. A control unit can detect a sequence of events of various types. The control unit can locate a loop within the sequence of events based at least in part on relative frequencies of the event types. The control unit can determine a distribution of event types of the events within the loop, and determining that software running the sequence is associated with malware based at least in part on the distribution of event types within the loop. In some examples, the control unit can locate a point of commonality among a plurality of stack traces associated with respective events within the loop. The control unit can determine a malware module comprising the point of commonality.