Patents by Inventor Jack Stockdale
Jack Stockdale has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11418523
Abstract: A privacy protection component can automatically comply with a set of privacy requirements when displaying input data. An ingestion module collects input data describing network activity executed by a network entity. A clustering module identifies data fields with data values within the input data as data identifiable to the network entity using machine-learning models trained on known data fields and their data. The clustering module also clusters the data values with other data values having similar characteristics using machine-learning models to infer a privacy level associated with each data field. The privacy level is utilized to indicate whether a data value in that data field should be anonymized. A permission module determines a privacy status of that data field by comparing the privacy level from the clustering module to a permission threshold. An aliasing module applies an alias transform to the data value of that data field with a privacy alias to anonymize that data value in that data field.
Type: Grant
Filed: February 19, 2019
Date of Patent: August 16, 2022
Assignee: Darktrace Holdings Limited
Inventors: Jack Stockdale, Maximilian Heinemeyer
-
Patent number: 11336669
Abstract: An analyzer module forms a hypothesis on what are a possible set of cyber threats that could include the identified abnormal behavior and/or suspicious activity with AI models trained with machine learning on possible cyber threats. The Analyzer analyzes a collection of system data, including metric data, to support or refute each of the possible cyber threat hypotheses that could include the identified abnormal behavior and/or suspicious activity data with the AI models. A formatting and ranking module outputs supported possible cyber threat hypotheses into a formalized report that is presented in 1) printable report, 2) presented digitally on a user interface, or 3) both.
Type: Grant
Filed: February 19, 2019
Date of Patent: May 17, 2022
Assignee: Darktrace Holdings Limited
Inventors: Timothy Bazalgette, Dickon Humphrey, Carl Salji, Jack Stockdale
-
Patent number: 11336670
Abstract: An expert interface component can automatically connect a system user with a system support expert. A user interface module can present a threat-tracking graphical user interface and a query interface component integrated into the threat-tracking graphical user interface to a system user belonging to a client team to review a potential cyber threat and receive a query for assistance. The query interface component can allow the system user to digitally grab a visual data container displaying information and containing a data object. The query interface component can collect the visual data container from the threat-tracking graphical user interface into a collection window of the query interface component. A communication module provides an incident ticket containing the query and the visual data container to a system support expert at a remote platform.
Type: Grant
Filed: February 19, 2019
Date of Patent: May 17, 2022
Assignee: Darktrace Holdings Limited
Inventors: Michael Beck, Jack Stockdale
-
Publication number: 20210273949
Abstract: A traffic manager module of a cyber threat defense platform that can differentiate between data flows to a client device. A registration module can register a connection between devices within a client network to transmit a series of data packets. A classifier module can execute a comparison of features of the connection to a set of interest criteria to determine an interest level for the cyber threat defense platform in the connection. The classifier module can apply an interest classifier describing the interest level to the connection based on the comparison. A deep packet inspection engine can examine the data packets of the connection for cyber threats if the interest classifier indicates interest. A diverter can shunt the data packets of the connection away from the deep packet inspection engine if the interest classifier indicates no interest.
Type: Application
Filed: February 26, 2021
Publication date: September 2, 2021
Inventors: Guy Howlett, Alex Markham, Martina Balintova, Andrew Woodford, Jack Stockdale
-
Patent number: 11075932
Abstract: The appliance extension is designed and constructed to be a secure extension of the threat visualizer user interface of the cyber security appliance installed in the system with a limited set of functions including monitoring, investigating, and taking actions to counter the detected cyber threat, all of which an operator can securely take from the appliance extension; rather than, needing to log into the cyber security appliance and investigate potential cyber threats at a location where the cyber security appliance is installed in the system.
Type: Grant
Filed: February 19, 2019
Date of Patent: July 27, 2021
Assignee: Darktrace Holdings Limited
Inventors: David Sansom, Jack Stockdale
-
Publication number: 20210157919
Abstract: Disclosed herein is a method for detection of a cyber-threat to a computer system. The method is arranged to be performed by a processing apparatus. The method comprises receiving input data associated with a first entity associated with the computer system, deriving metrics from the input data, the metrics representative of characteristics of the received input data, analysing the metrics using one or more models, and determining, in accordance with the analysed metrics and a model of normal behavior of the first entity, a cyber-threat risk parameter indicative of a likelihood of a cyber-threat. A computer readable medium, a computer program and a threat detection system are also disclosed.
Type: Application
Filed: January 5, 2021
Publication date: May 27, 2021
Inventors: Jack Stockdale, Alex Markham
-
Publication number: 20210120027
Abstract: Disclosed herein is a method for use in detection of anomalous behavior of a device of a computer system. The method is arranged to be performed by a processing system. The method includes deriving values, m1, . . . , mN, of a metric, M, representative of data associated with the device; modeling a distribution of the values; and determining, in accordance with the distribution of the values, the probability of observing a more extreme value of the metric than a given value, m, of the metric, wherein the probability is used to determine whether the device is behaving anomalously.
Type: Application
Filed: December 29, 2020
Publication date: April 22, 2021
Inventors: Tom Dean, Jack Stockdale
-
Patent number: 10986121
Abstract: A multivariate anomaly detector can detect a cyber-attack using incremental malicious actions distributed across multiple devices in a network. A multivariate anomaly detector can collect input data describing communication connections between devices in the network. The multivariate anomaly detector can group the input data into a graph data batch based on a fixed batch increment of time to identify incremental actions. The multivariate anomaly detector can calculate a multivariate centrality score for two or more devices based on the graph data batch describing device centrality to the network. The multivariate anomaly detector can identify whether the two or more devices are in an anomalous state from normal device network interactions based on the multivariate centrality score to identify malicious activity distributed across multiple devices in the network.
Type: Grant
Filed: April 23, 2019
Date of Patent: April 20, 2021
Assignee: Darktrace Limited
Inventors: Jack Stockdale, Stephen Casey, Anthony Preston
-
Publication number: 20200280575
Abstract: Disclosed herein is a method for use in detection of anomalous behavior of a device of a computer system. The method is arranged to be performed by a processing system. The method includes deriving values, m1, . . . , mN, of a metric, M, representative of data associated with the device; modeling a distribution of the values; and determining, in accordance with the distribution of the values, the probability of observing a more extreme value of the metric than a given value, m, of the metric, wherein the probability is used to determine whether the device is behaving anomalously.
Type: Application
Filed: May 19, 2020
Publication date: September 3, 2020
Inventors: Tom Dean, Jack Stockdale
-
Publication number: 20200244673
Abstract: A multivariate anomaly detector can detect a cyber-attack using incremental malicious actions distributed across multiple devices in a network. A multivariate anomaly detector can collect input data describing communication connections between devices in the network. The multivariate anomaly detector can group the input data into a graph data batch based on a fixed batch increment of time to identify incremental actions. The multivariate anomaly detector can calculate a multivariate centrality score for two or more devices based on the graph data batch describing device centrality to the network. The multivariate anomaly detector can identify whether the two or more devices are in an anomalous state from normal device network interactions based on the multivariate centrality score to identify malicious activity distributed across multiple devices in the network.
Type: Application
Filed: April 23, 2019
Publication date: July 30, 2020
Inventors: Jack Stockdale, Stephen Casey, Anthony Preston
-
Patent number: 10701093
Abstract: Disclosed herein is a method for use in detection of anomalous behavior of a device of a computer system. The method is arranged to be performed by a processing system. The method includes deriving values, m1, . . . , mN, of a metric, M, representative of data associated with the device; modeling a distribution of the values; and determining, in accordance with the distribution of the values, the probability of observing a more extreme value of the metric than a given value, m, of the metric, wherein the probability is used to determine whether the device is behaving anomalously. Also disclosed is an equivalent computer readable medium and anomalous behavior detection system.
Type: Grant
Filed: February 6, 2017
Date of Patent: June 30, 2020
Assignee: Darktrace Limited
Inventors: Tom Dean, Jack Stockdale
-
Patent number: 10516693
Abstract: Disclosed herein is a method for use in detection of abnormal behavior of a group of a plurality of entities of a computer system. The method is arranged to be performed by a processing system and includes: creating a model of normal behavior of the group of entities; and determining, in accordance with the model of normal behavior of the group of entities, a parameter indicative of abnormal behavior of the group of entities. Also disclosed is an equivalent computer readable medium and anomalous behavior detection system.
Type: Grant
Filed: February 9, 2017
Date of Patent: December 24, 2019
Assignee: Darktrace Limited
Inventors: Jack Stockdale, Matt Dunn
-
Publication number: 20190260804
Abstract: An expert interface component can automatically connect a system user with a system support expert. A user interface module can present a threat-tracking graphical user interface and a query interface component integrated into the threat-tracking graphical user interface to a system user belonging to a client team to review a potential cyber threat and receive a query for assistance. The query interface component can allow the system user to digitally grab a visual data container displaying information and containing a data object. The query interface component can collect the visual data container from the threat-tracking graphical user interface into a collection window of the query interface component. A communication module provides an incident ticket containing the query and the visual data container to a system support expert at a remote platform.
Type: Application
Filed: February 19, 2019
Publication date: August 22, 2019
Inventors: Michael Beck, Jack Stockdale
-
Publication number: 20190260781
Abstract: A cyber security appliance has one or more modules to interact with entities in an operational technology network and potentially in an informational technology network. The operational technology module can reference various machine-learning models trained on a normal pattern of life of users, devices, and/or controllers of the operational technology network. A comparator module cooperates with the operational technology module to compare the received data on the operational technology network to the normal pattern of life of any of the users, devices, and controllers to detect anomalies in the normal pattern of life for these entities in order to detect a cyber threat. An autonomous response module can be programmed to respond to counter the detected cyber threat.
Type: Application
Filed: February 19, 2019
Publication date: August 22, 2019
Inventors: Simon Fellows, Jack Stockdale
-
Publication number: 20190260779
Abstract: An analyzer module forms a hypothesis on what are a possible set of cyber threats that could include the identified abnormal behavior and/or suspicious activity with AI models trained with machine learning on possible cyber threats. The Analyzer analyzes a collection of system data, including metric data, to support or refute each of the possible cyber threat hypotheses that could include the identified abnormal behavior and/or suspicious activity data with the AI models. A formatting and ranking module outputs supported possible cyber threat hypotheses into a formalized report that is presented in 1) printable report, 2) presented digitally on a user interface, or 3) both.
Type: Application
Filed: February 19, 2019
Publication date: August 22, 2019
Inventors: Timothy Bazalgette, Dickon Humphrey, Carl Salji, Jack Stockdale
-
Publication number: 20190260770
Abstract: The appliance extension is designed and constructed to be a secure extension of the threat visualizer user interface of the cyber security appliance installed in the system with a limited set of functions including monitoring, investigating, and taking actions to counter the detected cyber threat, all of which an operator can securely take from the appliance extension; rather than, needing to log into the cyber security appliance and investigate potential cyber threats at a location where the cyber security appliance is installed in the system.
Type: Application
Filed: February 19, 2019
Publication date: August 22, 2019
Inventors: David Sansom, Jack Stockdale
-
Publication number: 20190260793
Abstract: Embodiments of a cyber threat defense system protects a system from cyber threats with the following operations: Identifying unusual patterns of behavior within the plotted individual alerts and/or events in the multiple dimension space; Clustering the individual alerts and events that form the unusual pattern into a distinct item for cyber threat analysis of that cluster of distinct alerts and/or events; Applying machine learning models to infer for the cyber threat analysis what is possibly happening with the distinct item of the cluster, which came from the unusual pattern, and then assign a threat risk associated with that distinct item of the cluster; and Projecting on a user interface, based on the analysis by the one or more machine learning models, the assigned threat risk associated with that distinct item of the cluster of alerts and/or events forming the unusual pattern.
Type: Application
Filed: February 19, 2019
Publication date: August 22, 2019
Inventors: Jack Stockdale, David Palmer
-
Publication number: 20190260785
Abstract: The endpoint agent detects a cyber threat on an end-point computing device. The endpoint agent on the computing device has a communications module that communicates with a cyber defense appliance. A collections module monitors and collects pattern of life data on processes executing on the end-point computing-device and users of the end-point computing-device. The communications module sends the pattern of life data to the cyber defense appliance installed on a network. The cyber defense appliance at least contains one or more machine-learning models to analyze the pattern of life data for each endpoint agent connected to that cyber defense appliance. The endpoint agent and the cyber defense appliance may trigger one or more actions to be autonomously taken to contain a detected cyber threat when a cyber-threat risk score is indicative of a likelihood of a cyber-threat is equal to or above an actionable threshold.
Type: Application
Filed: February 19, 2019
Publication date: August 22, 2019
Inventors: Thomas Jenkinson, David Sansom, Maximilian Heinemeyer, Jack Stockdale
-
Publication number: 20190260783
Abstract: A cyber threat defense system can leverage identifying threats by spotting deviations from normal behavior to create a system-wide inoculation regimen. The cyber threat defense system can have a comparison module to execute a comparison of input data for a network entity to at least one machine-learning model of a generic network entity using a normal behavior benchmark to spot behavior deviating from normal benign behavior. The comparison module can identify whether the network entity is in a breach state. The cyber threat defense system can have a cyber threat module to identify whether the breach state and a chain of relevant behavioral parameters correspond to a cyber threat. The cyber threat defense system can have an inoculation module to send an inoculation notice to warn of a potential cyber threat to a target device.
Type: Application
Filed: February 19, 2019
Publication date: August 22, 2019
Inventors: Dickon Humphrey, Matthew Bispham, Jack Stockdale
-
Publication number: 20190260784
Abstract: A privacy protection component can automatically comply with a set of privacy requirements when displaying input data. An ingestion module collects input data describing network activity executed by a network entity. A clustering module identifies data fields with data values within the input data as data identifiable to the network entity using machine-learning models trained on known data fields and their data. The clustering module also clusters the data values with other data values having similar characteristics using machine-learning models to infer a privacy level associated with each data field. The privacy level is utilized to indicate whether a data value in that data field should be anonymized. A permission module determines a privacy status of that data field by comparing the privacy level from the clustering module to a permission threshold. An aliasing module applies an alias transform to the data value of that data field with a privacy alias to anonymize that data value in that data field.
Type: Application
Filed: February 19, 2019
Publication date: August 22, 2019
Inventors: Jack Stockdale, Maximilian Heinemeyer