Abstract: A control system (300) for controlling an active suspension system (104) of a vehicle (100), the control system comprising one or more controller (301), wherein the control system is configured to: obtain (908) information indicative of relative traction levels between different wheels (FL, FR, RL, RR) of the vehicle; and in dependence on the information, control (912) the active suspension system to increase normal force through a wheel (FR) of the vehicle having relatively high traction compared to one or more other wheels (FL, RL, RR) of the vehicle, and decrease normal force through a wheel (FL) of the vehicle having relatively low traction compared to one or more other wheels (FR, RL, RR) of the vehicle.

Abstract: In one aspect, a computer-implemented method of detecting network security threats comprises the following steps: receiving at an analysis engine events relating to a monitored network; analysing the received events to identify at least one event that meets a case creation condition and, in response, creating a case in an experience database, the case being populated with data of the identified at least one event; assigning a threat score to the created case based on the event data; matching at least one further event to the created case and populating the case with data of the at least one further event, the threat score assigned to that case being updated in response; and in response to the threat score for one of the cases meeting a significance condition, rendering that case accessible via a case interface.

Abstract: In one or more examples, an advanced form of network endpoint sensor is deployed to an endpoint device to provide local monitoring and reporting of network traffic flowing to and/or from the endpoint device. For example, such network endpoint sensors may reduce reliance on other types of monitoring component (such as mirrors/TAPs) and/or complement functionality of other type(s) of monitoring component (e.g. in a deployment with “roaming” endpoints). In one or more examples, network data may be linked or otherwise associated with endpoint data locally at an endpoint device. In one or more examples, such linking may be performed locally prior to reporting, response and/or remediation.

Abstract: In one or more examples, an advanced form of network endpoint sensor is deployed to an endpoint device to provide local monitoring and reporting of network traffic flowing to and/or from the endpoint device. For example, such network endpoint sensors may reduce reliance on other types of monitoring component (such as mirrors/TAPs) and/or complement functionality of other type(s) of monitoring component (e.g. in a deployment with “roaming” endpoints). In one or more examples, network data may be linked or otherwise associated with endpoint data locally at an endpoint device. In one or more examples, such linking may be performed locally prior to reporting, response and/or remediation.

Abstract: In one aspect, a computer-implemented method of detecting network security threats comprises the following steps: receiving at an analysis engine events relating to a monitored network; analysing the received events to identify at least one event that meets a case creation condition and, in response, creating a case in an experience database, the case being populated with data of the identified at least one event; assigning a threat score to the created case based on the event data; matching at least one further event to the created case and populating the case with data of the at least one further event, the threat score assigned to that case being updated in response; and in response to the threat score for one of the cases meeting a significance condition, rendering that case accessible via a case interface.

Abstract: An endpoint agent configured, when executed on an endpoint device, to: access outgoing and/or incoming packets via a local traffic access function of the endpoint device, the outgoing packets sent from a network interface of the endpoint device to a packet-switched network and carrying outbound payload data generated by one or more processes executed on the endpoint device, the incoming packets received at the network interface from the packet-switched network and carrying inbound payload data for processing by the one or more processes; extract network traffic telemetry from the outgoing and/or incoming packets, the extracted network traffic telemetry summarizing the outgoing and/or incoming packets; and transmit, to a cybersecurity service, a series of network telemetry records containing the extracted network traffic telemetry for use in performing a cybersecurity threat analysis. Further aspects pertain to the “deduplication” of telemetry records when network traffic is monitored by multiple sources.

Abstract: An endpoint agent configured, when executed on an endpoint device, to: access outgoing and/or incoming packets via a local traffic access function of the endpoint device, the outgoing packets sent from a network interface of the endpoint device to a packet-switched network and carrying outbound payload data generated by one or more processes executed on the endpoint device, the incoming packets received at the network interface from the packet-switched network and carrying inbound payload data for processing by the one or more processes; extract network traffic telemetry from the outgoing and/or incoming packets, the extracted network traffic telemetry summarizing the outgoing and/or incoming packets; and transmit, to a cybersecurity service, a series of network telemetry records containing the extracted network traffic telemetry for use in performing a cybersecurity threat analysis. Further aspects pertain to the “deduplication” of telemetry records when network traffic is monitored by multiple sources.

Abstract: In one aspect, a computer-implemented method of detecting network security threats comprises the following steps: receiving at an analysis engine events relating to a monitored network; analysing the received events to identify at least one event that meets a case creation condition and, in response, creating a case in an experience database, the case being populated with data of the identified at least one event; assigning a threat score to the created case based on the event data; matching at least one further event to the created case and populating the case with data of the at least one further event, the threat score assigned to that case being updated in response; and in response to the threat score for one of the cases meeting a significance condition, rendering that case accessible via a case interface.

Abstract: In one aspect, a computer-implemented method of detecting network security threats comprises the following steps: receiving at an analysis engine events relating to a monitored network; analysing the received events to identify at least one event that meets a case creation condition and, in response, creating a case in an experience database, the case being populated with data of the identified at least one event; assigning a threat score to the created case based on the event data; matching at least one further event to the created case and populating the case with data of the at least one further event, the threat score assigned to that case being updated in response; and in response to the threat score for one of the cases meeting a significance condition, rendering that case accessible via a case interface.

Abstract: A method of detecting security threats comprises: in an enrichment stage, receiving events pertaining to a monitored private network; enriching the events by augmenting them with enrichment data; and receiving, at an analysis engine, the enriched events and analysing the enriched events to detect security threat conditions indicated by the enriched events; wherein at least one of the events is enriched based on external reconnaissance by: determining a related public network address on a network interface between the private network and a public network, and augmenting the event with external reconnaissance data, as determined by transmitting at least one reconnaissance message from an external reconnaissance device on the public network to the related public network address on the network interface between the public and the private networks.

Abstract: In one aspect, a computer-implemented method of detecting network security threats comprises the following steps: receiving at an analysis engine events relating to a monitored network; analysing the received events to identify at least one event that meets a case creation condition and, in response, creating a case in an experience database, the case being populated with data of the identified at least one event; assigning a threat score to the created case based on the event data; matching at least one further event to the created case and populating the case with data of the at least one further event, the threat score assigned to that case being updated in response; and in response to the threat score for one of the cases meeting a significance condition, rendering that case accessible via a case interface.

Abstract: A computer implemented method to determine whether a verification is to be performed of the satisfaction of one or more mapping conditions mapping a first state in a first pattern matching automaton to a second state in the first automaton, the verification being based on patterns matched by a second pattern matching automaton having states corresponding to wildcard symbols in the first automaton, the method comprising: associating, with the first state, a minimum number of patterns required to be matched by the second automaton to satisfy a mapping condition of the state; providing a pattern match counter in association with the second automaton, the counter being arranged to count a number of patterns matched by the second automaton; providing a verifier in association with the first automaton, the verifier being arranged to perform the verification, the verifier being responsive to the counter.

Abstract: A computer implemented method to determine the satisfaction of one or more mapping conditions conditionally mapping a first state in a first pattern matching automaton to a second state in the first automaton, each of the conditions being based on symbol patterns matched by a second pattern matching automaton having states corresponding to wildcard symbols in the first automaton, the method comprising: encoding the conditions in a condition tree data structure associated with the first state, the condition tree modeling sequences of symbol patterns for matching by the second automaton and corresponding to each of the conditions, wherein a node in the condition tree corresponding to a complete set of symbol patterns for a condition has associated an output symbol sequence to identify a pattern match by the first automaton.

Abstract: A computer implemented method for generating a pattern matching machine for identifying matches of a plurality of symbol patterns in a sequence of input symbols, the method comprising: providing a state machine of states and directed transitions between states corresponding to the plurality of patterns; applying an Aho-Corasick approach to identify one or more mappings between states in the event of a failure, of the state machine in a state and for an input symbol, to transition to a subsequent state based on the directed transitions of the state machine, characterised in that one of the symbol patterns includes a wildcard symbol, and a mapping for a state representing pattern symbols including the wildcard symbol is provided in a hash table referenced based on a key, the key being based on a unique identifier of the state and the input symbol to be received, by the pattern matching machine in use, to constitute the wildcard symbol.

Abstract: A method for generating a pattern matching machine for identifying matches of a symbol pattern in a sequence of in put symbols, the received symbol pattern including an indicator that one or more symbols in the symbol pattern repeat as repeated symbols, the method comprising: generating a plurality of symbol patterns for the received symbol pattern, each generated symbol pattern being equivalent to the symbol pattern for a different number of repetitions of the repeated symbols, wherein the plurality of generated symbol patterns comprise all possible symbol patterns equivalent to the received symbol pattern up to a predetermined maximum length of a generated symbol pattern.

Abstract: A method for generating a pattern matching machine for identifying matches of a plurality of symbol patterns in a sequence of input symbols, the method comprising: providing a state machine of states and directed transitions between states corresponding to the plurality of patterns; applying an Aho-Corasick approach to identify mappings between states in the event of a failure, of the state machine in a state and for an input symbol, to transition to a subsequent state based on the directed transitions of the state machine, characterized in that one of the symbol patterns includes a wildcard symbol, and mappings for one or more states representing pattern symbols including the wildcard symbol are based on an input symbol to be received, by the pattern matching machine in use, to constitute the wildcard.

Abstract: A computer implemented method to generate a pattern matching machine to identify matches of a plurality of symbol patterns in a sequence of input symbols, wherein one or more of the symbol patterns includes a plurality of wildcard symbols.

Abstract: A computer implemented method to generate a pattern matching machine to identify matches of a plurality of symbol patterns in a sequence of input symbols, wherein one or more of the symbol patterns includes a plurality of wildcard symbols.

Abstract: A computer implemented method to determine the satisfaction of one or more mapping conditions conditionally mapping a first state in a first pattern matching automaton to a second state in the first automaton, each of the conditions being based on symbol patterns matched by a second pattern matching automaton having states corresponding to wildcard symbols in the first automaton, the method comprising: encoding the conditions in a condition tree data structure associated with the first state, the condition tree modeling sequences of symbol patterns for matching by the second automaton and corresponding to each of the conditions, wherein a node in the condition tree corresponding to a complete set of symbol patterns for a condition has associated an output symbol sequence to identify a pattern match by the first automaton.

Abstract: A computer implemented method to determine whether a verification is to be performed of the satisfaction of one or more mapping conditions mapping a first state in a first pattern matching automaton to a second state in the first automaton, the verification being based on patterns matched by a second pattern matching automaton having states corresponding to wildcard symbols in the first automaton, the method comprising: associating, with the first state, a minimum number of patterns required to be matched by the second automaton to satisfy a mapping condition of the state; providing a pattern match counter in association with the second automaton, the counter being arranged to count a number of patterns matched by the second automaton; providing a verifier in association with the first automaton, the verifier being arranged to perform the verification, the verifier being responsive to the counter.