Abstract: A method of detecting anomalous behaviour in data traffic on a data communication network having a first host and a second host being connected to the data communication network in which the data traffic on the data communication network forms a link between the first host and the second host.

Abstract: Systems, methods, and related technologies for threat attribution are described. A method includes accessing network traffic to determine an incident based on a correlation of events as being associated with a same coordinated attack. The incident includes indicators of compromise (IoCs) and a Tactics, Techniques and Procedures (TTPs). The method also includes computing a first probability function based on the IoCs, wherein the first probability function comprises a first set of probability of attributions for a first list of known threat actors, and computing a second probability function based on the TTPs, wherein the second probability function comprises a second set of probability of attributions for a second list of known threat actors.

Abstract: A method includes accessing events associated with a network and determining an issue based on a correlation of a portion of the events, wherein the issue represents an incident associated with the portion of the events, and wherein the correlation of the portion of the events is based on information associated with the network and at least in part on an event type of the portion of the events. A priority associated with the issue is determined at least based on the event type of the portion of the events. A first event type that is associated with an operational technology (OT) entity has a higher priority than a second event type that is not associated with the OT entity. Data associated with the issue is stored.

Abstract: Systems, methods, and related technologies for determining fields of an unknown protocol are described. Network traffic capture is grouped into one or more clusters of packets based on similarity. Each of the one or more clusters are parsed to identify one or more fields of an unknown protocol. The network traffic capture is modified, including annotating the identified one or more fields of the unknown protocol. A protocol parser is generated without user input, including parsing each of the annotated one or more fields of the unknown protocol to generate a description of the unknown protocol comprising identified one or more fields of the unknown protocol and an order of the identified one or more fields of the unknown protocol, and compiling the description into the protocol parser.

Abstract: Systems and methods for automatic attack pattern generation from cyber threat intelligence are described. Attack pattern generation includes obtaining cyber threat intelligence including a set of methodologies used by a cyber threat and identifying a set of network detectable events associated with the set of methodologies used by the cyber threat. An attack pattern is generated including the plurality of detectable events associated with the plurality of methodologies.

Abstract: Systems, methods, and related technologies for determining an issue based on a plurality of events. The determining of an issue may include accessing network traffic from a network and accessing a plurality of events associated with the network traffic. An issue can be determined based on a correlation of a portion of the plurality of events, where the issue represents an incident associated with the portion of the plurality of events. The correlation of the portion of the plurality of events is based on network specific information. Information associated with the issue including the portion of the plurality of events may then be stored.

Abstract: Systems, methods, and related technologies for determining fields of an unknown protocol are described. One or more packets may be removed from a network traffic capture in response to the one or more packets having a known protocol. The remaining network traffic capture may be grouped into one or more clusters of packets based on similarity. Each of the one or more clusters may be parsed to identify one or more fields of an unknown protocol. The network traffic capture may be modified, including annotating the one or more fields of the unknown protocol.

Abstract: A method of detecting anomalous behaviour in data traffic includes parsing data traffic to extract protocol field values of a protocol message of data traffic, deriving attribute values of attributes of one of the first host, the second host, and the link. The method includes selecting a model relating to the one of the first host, the second host, and the link. The mode includes at least one semantic attribute expressing a semantic meaning for the first host, the second host, or the link. The method further includes updating the selected model with the derived attribute values, assessing whether the updated model complies with a set of attribute-based policies defining a security constraint of the data communication network, and generating an alert signal in case the attribute-based policies indicate that the updated model violates at least one of the attribute-based policies.

Abstract: Systems, methods, and related technologies for determining fields of an unknown protocol are described. One or more packets may be removed from a network traffic capture in response to the one or more packets having a known protocol. The remaining network traffic capture may be grouped into one or more clusters of packets based on similarity. Each of the one or more clusters may be parsed to identify one or more fields of an unknown protocol. The network traffic capture may be modified, including annotating the one or more fields of the unknown protocol.

Abstract: A method of detecting anomalous behaviour in data traffic on a data communication network having a first host and a second host being connected to the data communication network in which the data traffic on the data communication network forms a link between the first host and the second host.

Abstract: Systems, methods, and related technologies for classification are described. Entity attribute data associated with network entities is obtained. One or more entity attributes for classifying a set of entities is determined based on the entity attribute data. A set of entities coupled to a network are monitored. Values of the one or more entity attributes for the plurality of entities is identified. The set of entities are clustered into one or more entity clusters based on a similarity of the one or more entity attributes for the entities. An entity fingerprinting action is then performed based on the entity clusters.

Abstract: Systems, methods, and related technologies for determining an issue based on a plurality of events. The determining of an issue may include accessing network traffic from a network and accessing a plurality of events associated with the network traffic. An issue can be determined based on a correlation of a portion of the plurality of events, where the issue represents an incident associated with the portion of the plurality of events. The correlation of the portion of the plurality of events is based on network specific information. Information associated with the issue including the portion of the plurality of events may then be stored.

Abstract: A method of detecting anomalous behaviour in data traffic on a data communication network having a first host and a second host being connected to the data communication network in which the data traffic on the data communication network forms a link between the first host and the second host.