Abstract: This disclosure is directed to detecting cybersecurity attacks in data processing systems. Methods, systems, and computer program products perform operations including determining baseline event clusters using baseline event data obtained from deterministic target systems. The operations also include determining a baseline cumulative trajectory of an event over time based on the baseline event clusters. The operations further include determining operational event clusters using operational event data from the deterministic target systems. Additionally, the operations include determining an operational cumulative trajectory of the event over time based on the operational event clusters. Further, the operations include detecting a cyber-attack by comparing the baseline cumulative trajectory of the event with the operational cumulative trajectory of the event.

Abstract: According to various embodiments, techniques for anticipatory cyber defense are disclosed. The techniques includes receiving cyber incident reports, extracting keywords from the reports, applying a shallow machine learning technique to obtain an identification of a first subset of the networked assets vulnerable to at least a first threat scenario and an identification of the first threat scenario, applying a deep machine learning technique to at least the first subset, the first threat scenario, the keywords, and the plurality of networked assets, to obtain a second subset of the networked assets vulnerable to at least a second threat scenario and the second threat scenario, simulating the networked assets and the second threat scenario to identify at least one path through the networked assets vulnerable to at least a third threat scenario, and outputting an identification of the at least one path and an identification of the third threat scenario.

Abstract: According to various embodiments, techniques for anticipatory cyber defense are disclosed. The techniques includes receiving cyber incident reports, extracting keywords from the reports, applying a shallow machine learning technique to obtain an identification of a first subset of the networked assets vulnerable to at least a first threat scenario and an identification of the first threat scenario, applying a deep machine learning technique to at least the first subset, the first threat scenario, the keywords, and the plurality of networked assets, to obtain a second subset of the networked assets vulnerable to at least a second threat scenario and the second threat scenario, simulating the networked assets and the second threat scenario to identify at least one path through the networked assets vulnerable to at least a third threat scenario, and outputting an identification of the at least one path and an identification of the third threat scenario.

Abstract: According to various embodiments, a system for, and method of, predicting and remediating malware threats in an electronic computer network, is provided. The disclosed techniques include storing in an electronic persistent storage library data representing a plurality of malware threats, randomizing, by a computer-implemented evolution engine communicatively coupled to the electronic persistent storage library, data representing malware threats to generate data representing randomized malware threats, and evaluating, by a computer-implemented evaluation engine communicatively coupled to an output of the evolution engine and to the electronic persistent storage library, the data representing the randomized malware threats, where the evaluation engine adds data representing positively evaluated randomized malware threats to the library for proactive detection of future malware threats in the electronic computer network.

Abstract: An improved cyber security protection system with differentiated capacity to deal with complex cyber attacks in complex, highly-connected industries. The system architecture is goal-oriented and separates security goals and concerns by layers that are assigned specific functions to address only those goals. The functions operate concurrently within the layers and provide insight on their respective layers. The layers are interconnected with connection modules using bi-directional interfacing to establish a feedback look within the entire system. Complex adaptive systems (CAS) algorithms are used to identify the probably threats to the system.

Abstract: A system, method, and computer readable media for using principal components analysis (PCA) to graphically display cyber event information about an aircraft or fleet of aircraft. A ground-based security module collects historical cyber log data about the aircraft and performs PCA on the historical data to derive two principal components and their corresponding loading vectors. The loading vectors are transmitted to an air-based security module on the aircraft. The air-based security module collects real time cyber log data, computes numerical scores associated with the loading vectors on board the aircraft while the aircraft is in flight, and transmits the numerical scores to the ground-based module. The ground-based module graphically displays a comparison of the numerical scores to the corresponding loading vectors for the historical log data on a biplot to reveal trends in the cyber health of the aircraft.

Abstract: This disclosure is directed to detecting cybersecurity attacks in data processing systems. Methods, systems, and computer program products perform operations including determining baseline event clusters using baseline event data obtained from deterministic target systems. The operations also include determining a baseline cumulative trajectory of an event over time based on the baseline event clusters. The operations further include determining operational event clusters using operational event data from the deterministic target systems. Additionally, the operations include determining an operational cumulative trajectory of the event over time based on the operational event clusters. Further, the operations include detecting a cyber-attack by comparing the baseline cumulative trajectory of the event with the operational cumulative trajectory of the event.

Abstract: An improved cyber security protection system with differentiated capacity to deal with complex cyber attacks in complex, highly-connected industries. The system architecture is goal-oriented and separates security goals and concerns by layers that are assigned specific functions to address only those goals. The functions operate concurrently within the layers and provide insight on their respective layers. The layers are interconnected with connection modules using bi-directional interfacing to establish a feedback look within the entire system. Complex adaptive systems (CAS) algorithms are used to identify the probably threats to the system.

Abstract: A system, method, and computer readable media for detecting and mitigating the effects of a cyber event on an aircraft's network including an air-based security module and a ground-based security module that monitor the aircraft's networks and detect cyber events. A collaboration module facilitates communications between the air-based security module and the ground-based security module, and also switches the communications between the modules to an alternate, secure channel when a cyber event is detected. A simulation module that is independent from, but functionally substantially equivalent to, the air-based security module simulates network events that are detected on board the aircraft while the aircraft is in flight. A cyber agent module mitigates the effect of a cyber event on the aircraft's network while the aircraft is in flight based on information from the simulation module that is communicated by the ground-based security module to the air-based security via the collaboration module.

Abstract: A system, method, and computer readable media for using principal components analysis (PCA) to graphically display cyber event information about an aircraft or fleet of aircraft. A ground-based security module collects historical cyber log data about the aircraft and performs PCA on the historical data to derive two principal components and their corresponding loading vectors. The loading vectors are transmitted to an air-based security module on the aircraft. The air-based security module collects real time cyber log data, computes numerical scores associated with the loading vectors on board the aircraft while the aircraft is in flight, and transmits the numerical scores to the ground-based module. The ground-based module graphically displays a comparison of the numerical scores to the corresponding loading vectors for the historical log data on a biplot to reveal trends in the cyber health of the aircraft.

Abstract: A system, method, and computer readable media for detecting and mitigating the effects of a cyber event on an aircraft's network including an air-based security module and a ground-based security module that monitor the aircraft's networks and detect cyber events. A collaboration module facilitates communications between the air-based security module and the ground-based security module, and also switches the communications between the modules to an alternate, secure channel when a cyber event is detected. A simulation module that is independent from, but functionally substantially equivalent to, the air-based security module simulates network events that are detected on board the aircraft while the aircraft is in flight. A cyber agent module mitigates the effect of a cyber event on the aircraft's network while the aircraft is in flight based on information from the simulation module that is communicated by the ground-based security module to the air-based security via the collaboration module.