Abstract: Methods and systems for detecting malicious activity on a network. The methods described herein involve gathering data regarding a first state of a computing environment, executing an attack tool to simulate malicious activity in the computing environment, and then gathering data regarding a second state of the computing environment. The methods described herein may then involve generating a signature based on changes between the first and second states, and then using the generated signature to detect malicious activity in a target network.

Abstract: Methods and systems for classifying a device on a network. The systems and methods may receive network activity data associated with an unknown device. A classifier executing one or more machine learning models may then classify the device as an internet of things (IoT) device or a non-IoT device.

Abstract: Disclosed herein are methods, systems, and processes to facilitate and perform dynamic best path determination for penetration testing. An action path that includes a kill chain that involves performance of exploit actions for a phase of a penetration test is generated by identifying the exploit actions based on a penetration parameter, a detection parameter, and/or a time parameter associated with the exploit actions. Performance of the identified exploit actions permits successful completion of the phase of the penetration test and designates the action path for inclusion as part of a best path for the penetration test.

Abstract: Methods and systems for detecting anomalous network device activity. The system may include an interface for receiving an identification label associated with a host device and pre-existing traffic data associated with the host device. The system may further detect that the pre-existing traffic data associated with the host device is anomalous based on the identification label. The system may then issue an alert upon detecting that the pre-existing traffic data associated with the host device is anomalous.

Abstract: Methods and systems for detecting anomalous network activity. The system may receive network metadata regarding activity on a network and generate at least one of a z-score and a directionality magnitude related to the network activity. The system may then issue an alert upon detecting an anomaly exists on the network based upon at least one of the generated z-score exceeding a z-score threshold and the generated directionality magnitude deviating from a baseline directionality magnitude.

Abstract: Disclosed herein are methods, systems, and processes to facilitate and perform dynamic best path determination for penetration testing. An action path that includes a kill chain that involves performance of exploit actions for a phase of a penetration test is generated by identifying the exploit actions based on a penetration parameter, a detection parameter, and/or a time parameter associated with the exploit actions. Performance of the identified exploit actions permits successful completion of the phase of the penetration test and designates the action path for inclusion as part of a best path for the penetration test.

Abstract: Disclosed herein are methods, systems, and processes to facilitate and perform dynamic best path determination for penetration testing. An action path that includes a kill chain that involves performance of exploit actions for a phase of a penetration test is generated by identifying the exploit actions based on a penetration parameter, a detection parameter, and/or a time parameter associated with the exploit actions. Performance of the identified exploit actions permits successful completion of the phase of the penetration test and designates the action path for inclusion as part of a best path for the penetration test.

Abstract: Methods and systems for classifying a device on a network. The systems and methods may receive network activity data associated with an unknown device. A classifier executing one or more machine learning models may then classify the device as an internet of things (IoT) device or a non-IoT device.

Abstract: Methods and systems for detecting malicious activity on a network. The methods described herein involve gathering data regarding a first state of a computing environment, executing an attack tool to simulate malicious activity in the computing environment, and then gathering data regarding a second state of the computing environment. The methods described herein may then involve generating a signature based on changes between the first and second states, and then using the generated signature to detect malicious activity in a target network.

Abstract: Disclosed herein are methods, systems, and processes for detecting data exfiltration. A data exfiltration event in a network is detected. Traffic data regarding outgoing traffic of a source in the network associated with the data exfiltration event is received. A logarithmic transformation is applied to the traffic data to generate transformed data. An outlier identification technique is selected based on the transformed data and is executed on the transformed data to determine that the outgoing traffic is indicative of the data exfiltration event. An alert is generated in response to the determination that the outgoing traffic is indicative of the data exfiltration event.

Abstract: Methods and systems for classifying a device on a network. The systems and methods may receive network activity data associated with an unknown device. A classifier executing one or more machine learning models may then classify the device as an internet of things (IoT) device or a non-IoT device.

Abstract: Methods and systems for detecting malicious activity on a network. The methods described herein involve gathering data regarding a first state of a computing environment, executing an attack tool to simulate malicious activity in the computing environment, and then gathering data regarding a second state of the computing environment. The methods described herein may then involve generating a signature based on changes between the first and second states, and then using the generated signature to detect malicious activity in a target network.

Abstract: Methods and systems for detecting a data exfiltration event on a network. The method includes receiving traffic data and applying a transformation to transform the traffic data at least closer to a normal distribution. The method further includes selecting at least one outlier identification technique based on a property of the transformed data, and then executing the at least one selected identification technique to determine whether the traffic data is indicative of a data exfiltration event.

Abstract: Methods and systems for detecting anomalous network device activity. The system may include an interface for receiving an identification label associated with a host device and pre-existing traffic data associated with the host device. The system may further detect that the pre-existing traffic data associated with the host device is anomalous based on the identification label. The system may then issue an alert upon detecting that the pre-existing traffic data associated with the host device is anomalous.

Abstract: Methods and systems for detecting anomalous network activity. The system may receive network metadata regarding activity on a network and generate at least one of a z-score and a directionality magnitude related to the network activity. The system may then issue an alert upon detecting an anomaly exists on the network based upon at least one of the generated z-score exceeding a z-score threshold and the generated directionality magnitude deviating from a baseline directionality magnitude.

Abstract: Methods and systems for detecting anomalous network device activity. The system may include an interface for receiving an identification label associated with a host device and pre-existing traffic data associated with the host device. The system may further detect that the pre-existing traffic data associated with the host device is anomalous based on the identification label. The system may then issue an alert upon detecting that the pre-existing traffic data associated with the host device is anomalous.

Abstract: Disclosed herein are methods, systems, and processes to facilitate and perform dynamic best path determination for penetration testing. An action path that includes a kill chain that involves performance of exploit actions for a phase of a penetration test is generated by identifying the exploit actions based on a penetration parameter, a detection parameter, and/or a time parameter associated with the exploit actions. Performance of the identified exploit actions permits successful completion of the phase of the penetration test and designates the action path for inclusion as part of a best path for the penetration test.