Abstract: A cloud based implemented method (and apparatus) includes receiving input data including bipartite graph data in a format of source MAC (Media Access Control) address data versus destination IP (Internet Protocol) data and timestamp information, and providing the input bipartite graph data into a first processing to detect malicious beaconing activities using a lockstep detection module on the input bipartite graph data, as executed in a cloud environment, to detect possible synchronized attacks against a targeted infrastructure.

Abstract: An automated technique for security monitoring leverages a labeled semi-directed temporal graph derived from system-generated events. The temporal graph is mined to derive process-centric subgraphs, with each subgraph consisting of events related to a process. The subgraphs are then processed to identify atomic operations shared by the processes, wherein an atomic operation comprises a sequence of system-generated events that provide an objective context of interest. The temporal graph is then reconstructed by substituting the identified atomic operations derived from the subgraphs for the edges in the original temporal graph, thereby generating a reconstructed temporal graph. Using graph embedding, the reconstructed graph is converted into a representation suitable for further machine learning, e.g., using a deep neural network. The network is then trained to learn the intention underlying the temporal graph.

Abstract: An automated method for processing security events. It begins by building an initial version of a knowledge graph based on security information received from structured data sources. Using entities identified in the initial version, additional security information is then received. The additional information is extracted from one or more unstructured data sources. The additional information includes text in which the entities (from the structured data sources) appear. The text is processed to extract relationships involving the entities (from the structured data sources) to generate entities and relationships extracted from the unstructured data sources. The initial version of the knowledge graph is then augmented with the entities and relationships extracted from the unstructured data sources to build a new version of the knowledge graph that consolidates the intelligence received from the structured data sources and the unstructured data sources. The new version is then used to process security event data.

Abstract: USB traffic is intercepted between a USB device and a computer system. It is determined whether the USB device has previously had a policy associated with it as to whether USB traffic from the device should be blocked, allowed, or sanitized. In response to not having a previous policy for the USB device, a request is made for a user to be prompted to provide a policy of one of block, allow, or sanitize for the USB device. In response to a user-provided-policy, one of the following are performed: blocking the traffic, allowing the traffic, or sanitizing the traffic between the USB device and the computer system. Apparatus, methods, and computer program products are disclosed.

Abstract: Optimizing ingestion of security structured data into a graph database for security analytics is provided. A plurality of streams of information is received from a plurality of security information sources. Respective subsets of information are ingested from each of the plurality of security information sources to generate small subgraphs of security information. Each of the small subgraphs comply to a schema used by a master knowledge graph. A batch process is performed to ingest a plurality of small subgraphs into the master knowledge graph.

Abstract: A computer-implemented method, a computer program product, and a computer system. The computer system installs and configures a virtual imitating resource in the computer system, wherein the virtual imitating resource imitates a set of resources in the computer system. Installing and configuring the virtual imitating resource includes modifying respective values of an installed version of the virtual imitating resource for an environment of the computer system, determining whether the virtual imitating resource is a static imitating resource or a dynamic imitating resource, and comparing a call graph of the evasive malware with patterns of dynamic imitating resources on a database. The computer system returns a response from an appropriate element of the virtual imitating resource, in response to a call from the evasive malware to a real computing resource, return, by the computer system.

Abstract: This disclosure provides for a signal flow analysis-based exploration of security knowledge represented in a graph structure comprising nodes and edges. “Conductance” values are associated to each of a set of edges. Each node has an associated “toxicity” value representing a degree of maliciousness associated with the node. The conductance value associated with an edge is a function of at least the toxicity values of the nodes to which the edge is incident. A signal flow analysis is conducted with respect to an input node representing an observable associated with an offense. The flow analysis seeks to identify a subset of the nodes that, based on their conductance values, are reached by flow of a signal representing a threat, wherein signal flow over a path in the graph continues until a signal threshold is met. Based on the analysis, nodes within the subset are designated as hypothesis nodes for further examination.

Abstract: A cognitive security analytics platform is enhanced by providing a technique for automatically inferring temporal relationship data for cybersecurity events. In operation, a description of a security event is received, typically as unstructured security content or data. Information such as temporal data or cues, are extracted from the description, along with security entity and relationship data. Extracted temporal information is processing according to a set of temporal markers (heuristics) to determine a time value marker (i.e., an established time) of the security event. This processing typically involves retrieval of information from one or more structured data sources. The established time is linked to the security entities and relationships. The resulting security event, as augmented with the identified temporal data, is then subjected to a management operation.

Abstract: A method to detect anomalous behavior in an execution environment. A set of system events captured from a monitored computing system are received. Using the received system events, a model is then trained using machine learning. The model is trained to automatically extract one or more features for the received set of system events, wherein a system event feature is determined by a semantic analysis and represents a semantic relationship between or among a grouping of system events that are observed to co-occur in an observation sample. An observation sample is associated with an operating scenario that has occurred in the execution environment. Once trained, and using the features, the model is used to detect anomalous behavior. As an optimization, prior to training, the set of system events are pre-processed into a reduced set of system events. The modeler may comprise a component of a malware detection system.

Abstract: An automated technique for security monitoring leverages a labeled semi-directed temporal graph derived from system-generated events. The temporal graph is mined to derive process-centric subgraphs, with each subgraph consisting of events related to a process. The subgraphs are then processed to identify atomic operations shared by the processes, wherein an atomic operation comprises a sequence of system-generated events that provide an objective context of interest. The temporal graph is then reconstructed by substituting the identified atomic operations derived from the subgraphs for the edges in the original temporal graph, thereby generating a reconstructed temporal graph. Using graph embedding, the reconstructed graph is converted into a representation suitable for further machine learning, e.g., using a deep neural network. The network is then trained to learn the intention underlying the temporal graph.

Abstract: A computer system trains an Artificial Intelligence (AI) model to generate a key generated as a same key based on multiple different feature vectors, which are based on specified target environment attributes of a target environment domain. The computer system uses the key to encrypt concealed information as an encrypted payload and distributes the encrypted payload and the trained AI model to another computer system. The other computer system extracts environment attributes based on an environment domain accessible by the other computer system and decodes a candidate key by using the trained AI model that uses the extracted environment attributes of the environment domain as input. The trained AI model is trained to generate a key that is generated as a same key from multiple different feature vectors corresponding to specified target environment attributes of a target environment domain. The other computer system determines whether the candidate key is correct.

Abstract: A cloud based implemented method (and apparatus) includes receiving input data including bipartite graph data in a format of source MAC (Media Access Control) address data versus destination IP (Internet Protocol) data and timestamp information, and providing the input bipartite graph data into a first processing to detect malicious beaconing activities using a lockstep detection module on the input bipartite graph data, as executed in a cloud environment, to detect possible synchronized attacks against a targeted infrastructure.

Abstract: A computer-implemented method (and apparatus) includes receiving input data comprising bipartite graph data in a format of source MAC (Machine Access Code) data versus destination IP (Internet Protocol) data and timestamp information. The input bipartite graph data is provided into a first processing to detect malicious beaconing activities using a lockstep detection method on the input bipartite graph data to detect possible synchronized attacks against a targeted infrastructure. The input bipartite graph data is also provided into a second processing, the second processing initially converting the bipartite graph data into a co-occurrence graph format that indicates in a graph format how devices in the targeted infrastructure communicate with different external destination servers over time. The second processing detects malicious beaconing activities by analyzing data exchanges with the external destination servers to detect anomalies.

Abstract: A cognitive security analytics platform is enhanced by providing a technique for automatically inferring temporal relationship data for cybersecurity events. In operation, a description of a security event is received, typically as unstructured security content or data. Information such as temporal data or cues, are extracted from the description, along with security entity and relationship data. Extracted temporal information is processing according to a set of temporal markers (heuristics) to determine a time value marker (i.e., an established time) of the security event. This processing typically involves retrieval of information from one or more structured data sources. The established time is linked to the security entities and relationships. The resulting security event, as augmented with the identified temporal data, is then subjected to a management operation.

Abstract: A cognitive security analytics platform is enhanced by providing a computationally- and storage-efficient data mining technique to improve the confidence and support for one or more hypotheses presented to a security analyst. The approach herein enables the security analyst to more readily validate a hypothesis and thereby corroborate threat assertions to identify the true causes of a security offense or alert. The data mining technique is entirely automated but involves an efficient search strategy that significantly reduces the number of data queries to be made against a data store of historical data. To this end, the algorithm makes use of maliciousness information attached to each hypothesis, and it uses a confidence schema to sequentially test indicators of a given hypothesis to generate a rank-ordered (by confidence) list of hypotheses to be presented for analysis and response by the security analyst.

Abstract: An automated method for processing security event data in association with a cybersecurity knowledge graph having nodes and edges. It begins by receiving from a security system (e.g., a SIEM) information representing an offense. An offense context graph is built. Thereafter, and to enhance the offense context graph, given nodes and edges of the knowledge graph are prioritized for traversal based on an encoding captured from a security analyst workflow. This prioritization is defined in a set of weights associated to the graph nodes and edges, and these weights may be derived using machine learning. The offense context graph is then refined by traversing the nodes and edges of the knowledge graph according to a prioritization tailored at least in part by the encoding. In addition to using security analyst workflow to augment generation of weights, preferably the machine learning system provides recommendations back to the security analysts to thereby influence their workflow.

Abstract: This disclosure provides for a signal flow analysis-based exploration of security knowledge represented in a graph structure comprising nodes and edges. “Conductance” values are associated to each of a set of edges. Each node has an associated “toxicity” value representing a degree of maliciousness associated with the node. The conductance value associated with an edge is a function of at least the toxicity values of the nodes to which the edge is incident. A signal flow analysis is conducted with respect to an input node representing an observable associated with an offense. The flow analysis seeks to identify a subset of the nodes that, based on their conductance values, are reached by flow of a signal representing a threat, wherein signal flow over a path in the graph continues until a signal threshold is met. Based on the analysis, nodes within the subset are designated as hypothesis nodes for further examination.

Abstract: A computer-implemented method, a computer program product, and a computer system. The computer system installs and configures a virtual imitating resource in the computer system, wherein the virtual imitating resource imitates a set of resources in the computer system. Installing and configuring the virtual imitating resource includes modifying respective values of an installed version of the virtual imitating resource for an environment of the computer system, determining whether the virtual imitating resource is a static imitating resource or a dynamic imitating resource, and comparing a call graph of the evasive malware with patterns of dynamic imitating resources on a database. The computer system returns a response from an appropriate element of the virtual imitating resource, in response to a call from the evasive malware to a real computing resource, return, by the computer system.

Abstract: Approaches to deactivating evasive malware. In an approach, a computer system installs an imitating resource in the computer system and the imitating resource creates an imitating environment of malware analysis, wherein the imitating resource causes the evasive malware to respond to the imitating environment of the malware analysis as to a real environment of the malware analysis. In the imitating environment of malware analysis, the evasive malware determines not to perform malicious behavior. In another approach, a computer system intercepts a call from the evasive malware to a resource on the computer system and returns a virtual resource to the call, wherein in the virtual resource one or more values of the resource on the computer system are modified.

Abstract: This disclosure provides for a signal flow analysis-based exploration of security knowledge represented in a graph structure comprising nodes and edges. “Conductance” values are associated to each of a set of edges. Each node has an associated “toxicity” value representing a degree of maliciousness associated with the node. The conductance value associated with an edge is a function of at least the toxicity values of the nodes to which the edge is incident. A signal flow analysis is conducted with respect to an input node representing an observable associated with an offense. The flow analysis seeks to identify a subset of the nodes that, based on their conductance values, are reached by flow of a signal representing a threat, wherein signal flow over a path in the graph continues until a signal threshold is met. Based on the analysis, nodes within the subset are designated as hypothesis nodes for further examination.