Abstract: A system and method for predictive cyber-physical resource management, including a business operating system, parameter evaluation engine, at least one cyber-physical asset, at least one crypt-ledger, a network, and the ability to represent data in Markov State Models and finite state machines.

Abstract: A system and method for a highly scalable distributed connection interface for data capture from multiple network service sources. The connection interface is designed to enable simple to initiate, performant and highly available input/output from a large plurality of external networked service's and application's application programming interfaces (API) to the modules of an integrated predictive business operating system. To handle the high volume of information exchange, the connection interface is distributed and designed to be scalable and self-load-balancing. The connection interface possesses robust expressive scripting capabilities that allow highly specific handling rules to be generated for the routing, transformation, and output of data within the business operating system.

Abstract: A system and method for a highly scalable distributed connection interface for data capture from multiple network service sources. The connection interface is designed to enable simple to initiate, performant and highly available input/output from a large plurality of external networked service's and application's application programming interfaces (API) to the modules of an integrated predictive business operating system. To handle the high volume of information exchange, the connection interface is distributed and designed to be scalable and self-load-balancing. The connection interface possesses robust expressive scripting capabilities that allow highly specific handling rules to be generated for the routing, transformation, and output of data within the business operating system.

Abstract: A system and method for cyber exploitation path analysis and response using federated networks to minimize network exposure and maximize network resilience, with the ability to simulate complex and large scale network traffic through the use of federated training networks, by gathering network entity information, establishing baseline behaviors for each entity, and monitoring each entity for behavioral anomalies that might indicate cybersecurity concerns. Further, the system and method involve incorporating network topology information into the analysis by generating a model of the network, annotating the model with risk and criticality information for each entity in the model and with a vulnerability level between entities, and using the model to evaluate cybersecurity risks to the network.

Abstract: A system for multitemporal data analysis is provided, comprising a directed computation graph service module configured to receive input data from a plurality of sources, analyze the input data to determine a best course of action for analyzing the input data, and split the input data for queueing to a general transformer service module or a decomposable service module based at least in part by analysis of the input data; a general transformer service module configured to receive data from the directed computation graph service module, and perform analysis on the received data; and a general transformer service module configured to receive data from directed computational graph module, and perform analysis on the received data.

Abstract: A system and methods for network action classification and analysis using widely distributed lightweight honeypot sensor nodes, comprising a plurality of network traffic sensors each configured to monitor visible network traffic, analyze monitored traffic to identify patterns, communicate with other network sensors to correlate their respective traffic data, and produce a threat landscape based on the correlated traffic data. The system and method may comprise an emulation engine configured to simulate limited services or functionalities, emulating vulnerabilities or weak points in systems. Emulation engine may comprise one or more modules configured to provide use-case specific emulation capabilities. Emulation engine may receive network traffic data from network sensors, route the network traffic to an appropriate simulated destination service associated with the network traffic, and monitor the interactions between an attacker and the simulated destination.

Abstract: A system and method for cyber exploitation path analysis and task plan optimization to minimize network exposure and maximize network resilience. The system and method involve gathering network entity information, establishing baseline behaviors for each entity, and monitoring each entity for behavioral anomalies that might indicate cybersecurity concerns. Further, the system and method involve incorporating network topology information into the analysis by generating a model of the network, annotating the model with risk and criticality information for each entity in the model and with a vulnerability level between entities, and using the model to evaluate cybersecurity risks to the network. Lastly, network attack path analysis and automated task planning for minimizing network exposure and maximizing resiliency is performed with machine learning, generative adversarial networks, hierarchical task networks, and Monte Carlo search trees.

Abstract: A system for detecting and mitigating attacks using forged authentication objects within a domain is provided, comprising an authentication object inspector configured to observe a new authentication object generated by an identity provider, and retrieve the new authentication object; and a hashing engine configured to retrieve the new authentication object from the authentication object inspector, calculate a cryptographic hash for the new authentication object, and store the cryptographic hash for the new authentication object in a data store; wherein subsequent access requests accompanied by authentication objects are validated by comparing hashes for each authentication object to previous generated hashes.

Abstract: A system and methods for detecting and mitigating golden SAML attacks against federated services is provided, comprising an authentication object inspector configured to observe a new authentication object generated by an identity provider, and retrieve the new authentication object; and a hashing engine configured to create a security cookie for each valid authentication session; wherein subsequent access requests accompanied by authentication objects are validated by checking for a valid security cookie.

Abstract: A system and method for trigger-based scanning of cyber-physical assets, including a distributed operating system, parameter evaluation engine, at least one cyber-physical asset, at least one crypt-ledger, a network, and a scanner that detects trigger conditions and events and performs scans of cyber-physical assets based on the trigger and any relevant stored scan rules before storing scan results as time-series data.

Abstract: A system and method for operational and cyber risk assessment that utilizes a data-driven approach to evaluate the current security posture and identify areas for improvement based on the user's desired target profile. This process involves estimating the costs and benefits associated with various security program enhancements, increased, hiring, and control uplifts. The system and method then quantify these benefits in terms of reduction in tail value at risk, expected losses, cyber insurance premiums, and the amount of risk capital set aside. The system simulates attack paths associated with various risk scenarios and uses a risk scenario model to compute losses associated with each attack path for each risk scenario. The results of the simulation may be used to determine one or more business outcomes associated with the costs and benefits of implementing security enhancements.

Abstract: A system and method for scoring and enforcing authentication standards that actually enable zero trust network security principles when combined with stateful authentication object tracking, authentication object manipulation and forgery detection, and assessment of authentication and identity attack surface. The methodology involves gathering all authentication objects issued by a network, storing the authentication objects in a centralized location for use in stateful deterministic authentication object tracking, scoring the completeness of the authentication observations, assessing the quality of the authentication observations, and assigning organization-specific penalty functions.

Abstract: A system for network traffic classification using distributed sensor nodes is provided, comprising a plurality of network traffic sensors each configured to monitor visible network traffic, analyze the monitored traffic to identify patterns, communicate with other network sensors to correlate their respective traffic data, produce a threat landscape based on the correlated traffic data, identify a potential cybersecurity threat based on the threat landscape, and export the analyzed traffic and threat landscape for use by external systems.

Abstract: A system and method for trigger-based scanning of cyber-physical assets, including a distributed operating system, parameter evaluation engine, at least one cyber-physical asset, at least one crypt-ledger, a network, and a scanner that detects trigger conditions and events and performs scans of cyber-physical assets based on the trigger and any relevant stored scan rules before storing scan results as time-series data.

Abstract: A system and methods for mitigating golden ticket attacks within a domain is provided, comprising an authentication object inspector configured to observe a new authentication object generated by an identity provider, and retrieve the new authentication object; and a hashing engine configured to retrieve the new authentication object from the authentication object inspector, calculate a cryptographic hash for the new authentication object, and store the cryptographic hash for the new authentication object in a data store; wherein subsequent access requests accompanied by authentication objects are validated by comparing hashes for each authentication object to previous generated hashes.

Abstract: A system and method for automated cybersecurity defensive strategy analysis that predicts the evolution of new cybersecurity attack strategies and makes recommendations for cybersecurity improvements to networked systems based on a cost/benefit analysis. The system and method use machine learning algorithms to run simulated attack and defense strategies against a model of the networked system created using a directed graph. Recommendations are generated based on an analysis of the simulation results against a variety of cost/benefit indicators.

Abstract: A system and method that uses midservers located between the business enterprise computer infrastructure and the cloud-based infrastructure to collect, aggregate, analyze, transform, and securely transmit data from a multitude of computing devices and peripherals at an external network to a cloud-based service. The system and method make use of a plurality of virtual and physical worker agents which can be dynamically instantiated by a transformation engine to carry out one or more transformation sequences, based on pipeline instructions, to a received data stream to prepare the data for transmission as a target data stream format.

Abstract: A system for detecting and mitigating forged authentication attacks is provided, comprising an authentication inspector configured to observe a new authentication object generated by an identity provider, and retrieve the new authentication object; and a hashing engine configured to retrieve the new authentication object from the authentication object inspector, calculate a cryptographic hash for the new authentication object, and store the cryptographic hash for the new authentication object in a data store; wherein subsequent access requests accompanied by authentication objects are validated by comparing hashes for each authentication object to previous generated hashes.

Abstract: A system and methods for authentication attack detection with embedded authentication and delegation is provided, comprising an authentication object inspector configured to observe a new authentication object generated by an identity provider, and retrieve the new authentication object, wherein subsequent access requests accompanied by authentication objects are validated by comparing identifiers for each authentication object to previous identifiers.

Abstract: A system for analyzing graph databases using intelligent reasoning systems including scalable collection of, and transformation of, graph data into facts suitable for use with programming logic languages doing deductive reasoning. A graph analyzer ingests disparate graph data from across the Internet and transforms the graph data into a fact table. In order to reduce latency and processing congestion, a stream processing engine and sharding strategy are employed to ensure scalability through parallelized processing of programming logic queries. Transformed graph data, now relational data, is utilized with programming logic languages that allow for hypothetical queries whereby an inference engine can deduce new information to satisfy such a query. Furthermore, the self-contained nature of inputs, outputs, and transformations of the system means strict data provenance can be observed and adhered to.