Abstract: Methods, systems, and computer storage media for providing data security posture management using an application discovery engine in a security management system. Application discovery supports identifying and mapping various applications within a computing environment. In particular, application discovery can be provided as part of security management operations to assess security posture of applications, identify vulnerabilities, and ensure compliance with regulations. In operation, application discovery data associated with a plurality computing resources of a computing environment is accessed. An annotated application discovery graph comprising a plurality of entities that represent the plurality of computing resources is generated. The annotated application discovery graph is deployed to support generating security postures for computing environments. A request is received for a security posture of the computing environment.

Abstract: According to examples, an apparatus includes a processor that may obtain and parse a pipeline code to determine how variables of the pipeline code relate to each other, and replace the variables in the parsed pipeline code with values to which the variables respectively represent, in which the values correspond to pipeline run sources and pipeline run targets of API calls. The processor may also identify how the pipeline run targets interact with the pipeline run sources of the API calls and build a dependency graph that maps the pipeline run sources with the pipeline run targets. Runtime resources may thus be mapped to source code in a pipeline run to provide visibility into actions carried out by the pipeline. This visibility may be used to determine whether there are security vulnerabilities in the pipeline run sources and/or targets such that the vulnerabilities may be addressed/overcome.

Abstract: An approach to predicting the outcome of a computer security response. The approach can analyze an unlabeled set of network data and based on the analysis, create a language model of the network. The approach can process the language model to predict a reduction factor associated with network availability. The approach can further process the language model and a malicious sequence to predict an effectiveness factor associated with blocking the malicious sequence. The approach can output bot the reduction factor and the effectiveness factor to a network administrator for determining the applicability of the computer security response.

Abstract: Embodiments may provide techniques that may provide more accurate and actionable alerts by cloud workload security systems so as to improve overall cloud workload security. For example, in an embodiment, a method may be implemented in a computer system comprising a processor, memory accessible by the processor, and computer program instructions stored in the memory and executable by the processor, and the method may comprise generating performance and security information relating to a software system during development of the software system, generating performance and security information relating to the software system during deployed operation of the software system, matching the performance and security information generated during development of the software system with the performance and security information generated during deployed operation of the software system to determine performance and security alerts to escalate, and reporting the escalated performance and security alerts.

Abstract: An approach to predicting the outcome of a computer security response. The approach can analyze an unlabeled set of network data and based on the analysis, create a language model of the network. The approach can process the language model to predict a reduction factor associated with network availability. The approach can further process the language model and a malicious sequence to predict an effectiveness factor associated with blocking the malicious sequence. The approach can output bot the reduction factor and the effectiveness factor to a network administrator for determining the applicability of the computer security response.

Abstract: An approach to predicting the outcome of a computer security response. The approach can analyze an unlabeled set of network data and based on the analysis, create a language model of the network. The approach can process the language model to predict a reduction factor associated with network availability. The approach can further process the language model and a malicious sequence to predict an effectiveness factor associated with blocking the malicious sequence. The approach can output bot the reduction factor and the effectiveness factor to a network administrator for determining the applicability of the computer security response.

Abstract: Embodiments may provide techniques that that may automatically generate a customized SOC rule set for an organization. For example, in an embodiment, a method may be implemented in a computer comprising a processor, memory accessible by the processor, and computer program instructions stored in the memory and executable by the processor, the method may comprise simulating operation of a security incident and event management system by running a plurality of rules of the system on labeled data, determining fitness metrics of the plurality of rules, selecting at least one rule of the plurality of rules based on the determined fitness metrics; modifying the selected rule to form an updated rule, and repeating running the updated rule on the labeled data, determining fitness metrics of the updated rule, and mutating the updated rule.

Abstract: A method for automatically migrating infrastructure as code (IaC) from a first cloud infrastructure platform to a second cloud infrastructure platform is provided. The method may include receiving an original IaC comprising a first type of coding language. The method may further include using natural language processing to map a connection between the first type of coding language and a second type of coding language. The method may further include based on the mapped connection, using the NLP to automatically generate a partial translation of the first type of coding language to the second type of coding language. The method may further include using a machine learning algorithm to correct at least one inaccuracy in the partial translation. The method may further include generating a complete translation and implementing a second IaC on the second cloud infrastructure platform based on the complete translation.

Abstract: A method for automatically migrating infrastructure as code (IaC) from a first cloud infrastructure platform to a second cloud infrastructure platform is provided. The method may include receiving an original IaC comprising a first type of coding language. The method may further include using natural language processing to map a connection between the first type of coding language and a second type of coding language. The method may further include based on the mapped connection, using the NLP to automatically generate a partial translation of the first type of coding language to the second type of coding language. The method may further include using a machine learning algorithm to correct at least one inaccuracy in the partial translation. The method may further include generating a complete translation and implementing a second IaC on the second cloud infrastructure platform based on the complete translation.

Abstract: An example system includes a processor to receive a source code sample to be classified. The processor can execute a hybrid code analysis to generate an internal analysis state. The processor can extract features from the internal analysis state via a trained machine learning model modified using transfer learning. The processor can generate a label based on the extracted features via a machine learning classifier model trained on internal analysis states of hybrid code analyses.

Abstract: The present invention relates to novel techniques for monitoring changes to source code of Infrastructure as Code systems to detect attempted anomalous changes and block such changes from the code. For example, a method may comprise learning a security architecture and history of an infrastructure as code system to be deployed in at least one cloud account, monitoring changes to source code of the infrastructure as code system that are made before deployment of the infrastructure as code system to detect an anomaly, determining whether the detected anomaly affects regulated resources of the infrastructure as code system, and blocking changes to the source code of the infrastructure as code system that produce the detected anomaly that affects regulated resources of the infrastructure as code system.

Abstract: An approach to predicting the outcome of a computer security response. The approach can analyze an unlabeled set of network data and based on the analysis, create a language model of the network. The approach can process the language model to predict a reduction factor associated with network availability. The approach can further process the language model and a malicious sequence to predict an effectiveness factor associated with blocking the malicious sequence. The approach can output bot the reduction factor and the effectiveness factor to a network administrator for determining the applicability of the computer security response.

Abstract: The present invention relates to novel techniques for monitoring changes to source code of Infrastructure as Code systems to detect attempted anomalous changes and block such changes from the code. For example, a method may comprise learning a security architecture and history of an infrastructure as code system to be deployed in at least one cloud account, monitoring changes to source code of the infrastructure as code system that are made before deployment of the infrastructure as code system to detect an anomaly, determining whether the detected anomaly affects regulated resources of the infrastructure as code system, and blocking changes to the source code of the infrastructure as code system that produce the detected anomaly that affects regulated resources of the infrastructure as code system.

Abstract: In an approach for policy security shifting left of infrastructure as code compliance, a processor trains a neural network model to classify a code per policy and provide a policy vector score for the code associated with one or more policies. A processor enables the neural network model to scan and score a new code during a continuous integration and continuous deployment pipeline. A processor outputs a scanned score of the new code to a user. A processor retrains the neural network model by capturing a continuous integration and continuous deployment change and run-time compliance posture that occurs as a response by the user.

Abstract: An approach for detecting non-compliant methodologies in a repository. The approach can generate an abstract model of an Infrastructure as Code (IaC) repository based on security requirements of an IaC. The approach can compare the abstract model to one or more validated abstract models associated with other repositories of a hybrid multi-cloud system. The approach can generate an alert notifying the IaC repository of one or more non-compliant methodology measures. The approach can send the alert to the IaC repository.

Abstract: Embodiments may provide techniques that may provide more accurate and actionable alerts by cloud workload security systems so as to improve overall cloud workload security. For example, in an embodiment, a method may be implemented in a computer system comprising a processor, memory accessible by the processor, and computer program instructions stored in the memory and executable by the processor, and the method may comprise generating performance and security information relating to a software system during development of the software system, generating performance and security information relating to the software system during deployed operation of the software system, matching the performance and security information generated during development of the software system with the performance and security information generated during deployed operation of the software system to determine performance and security alerts to escalate, and reporting the escalated performance and security alerts.

Abstract: Deriving malware signatures by training a binary decision tree using known malware and benign software samples, each tree node representing a different software feature set and having one descending edge representing samples that are characterized by the node's software feature set and another descending edge representing samples that are not characterized thusly, selecting multiple continuous descending paths for multiple subsets of nodes, each path traversing a selected one of the edges descending from each of the nodes in its corresponding subset, deriving, based on the nodes and edges in any of the paths, a malware-associated software feature signature where the malware samples represented by leaves that directly or indirectly descend from an end of the continuous descending path meets a minimum percentage of the total number of samples represented by the leaves, and providing the malware signatures for use by a computer-based security tool configured to identify malware.

Abstract: An apparatus, a computer program product and a method for dimensionality reduction comprising: obtaining a set of Application Programming Interface (API) functions of a system invocable by a program, and a set of artifacts. Each artifact is associated with at least one API function and indicative of a functionality thereof. The method further comprising: clustering the API functions based on an analysis of the artifacts to create a set of clusters smaller than the set of API functions, such that each cluster comprises API functions having a similar functionality; and performing a dimensionality reduction to a feature vector using the set of clusters.

Abstract: An example system includes a processor to receive a source code sample to be classified. The processor can execute a hybrid code analysis to generate an internal analysis state. The processor can extract features from the internal analysis state via a trained machine learning model modified using transfer learning. The processor can generate a label based on the extracted features via a machine learning classifier model trained on internal analysis states of hybrid code analyses.

Abstract: Embodiments may provide techniques that that may automatically generate a customized SOC rule set for an organization. For example, in an embodiment, a method may be implemented in a computer comprising a processor, memory accessible by the processor, and computer program instructions stored in the memory and executable by the processor, the method may comprise simulating operation of a security incident and event management system by running a plurality of rules of the system on labeled data, determining fitness metrics of the plurality of rules, selecting at least one rule of the plurality of rules based on the determined fitness metrics; modifying the selected rule to form an updated rule, and repeating running the updated rule on the labeled data, determining fitness metrics of the updated rule, and mutating the updated rule.