Patents by Inventor Jeffrey Thomas Johns

Jeffrey Thomas Johns has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240007495
    Abstract: A method for performing cyber-security analysis includes generating a semantic graph in which each object is represented as a node, and each event associated with an object is represented as an edge. A cyber-threat related alert, with an associated alert type, is received from a source. A first object from the plurality of objects is modified based on the alert. A plurality of threat scores, each associated with an object, are calculated, substantially concurrently, based on the alert type. Subsequently, a plurality of modified threat scores are determined for each object, based on: (1) the threat score for that object, (2) a connectivity of that object to each of the remaining objects within the semantic graph; and (3) the threat score for each remaining object from the plurality of objects. A subgraph of the semantic graph is identified based on normalized versions of the modified threat scores.
    Type: Application
    Filed: June 20, 2023
    Publication date: January 4, 2024
    Inventors: Scott Eric Coull, Jeffrey Thomas Johns
  • Publication number: 20230336584
    Abstract: A system for detecting whether a file including content is associated with a cyber-attack is described. The content may include an executable file for example. The system includes an intelligence-driven analysis subsystem and a computation analysis subsystem. The intelligence-driven analysis subsystem is configured to (i) receive the file, (ii) inspect and compute features of the file for indicators associated with a cyber-attack, and (iii) produce a first output representing the detected indicators. The computational analysis subsystem includes an artificial neural network to (i) receive a network input being a first representation of at least one section of binary code from the file as input, and (ii) process the first representation of the section to produce a second output. The first output and the second output are used in determining a classification assigned to the file.
    Type: Application
    Filed: April 24, 2023
    Publication date: October 19, 2023
    Inventors: Jeffrey Thomas Johns, Brian Sanford Jones, Scott Eric Coull
  • Patent number: 11729204
    Abstract: A method for performing cyber-security analysis includes storing a semantic graph with nodes representing monitored computer-based entities, and edges representing monitored relationships. Each edge has an associated tally. A set of threat scores associated with multiple computer-based entities is stored in the memory. The semantic graph is updated in response to receiving event data. The updating includes decomposing the event data into a set of entities and a set of associated relationships, updating the tally of one of the edges based on the set of relationships, modifying an alert attribute of a monitored computer-based entity when the event data includes an applicable alert, and modifying a threat score of at least one computer-based entity based on the event data when the event data includes an applicable alert, to define a set of modified threat scores. The updated semantic graph is monitored for cyber-security risks within the multiple computer-based entities.
    Type: Grant
    Filed: December 13, 2021
    Date of Patent: August 15, 2023
    Assignee: GOOGLE LLC
    Inventors: Scott Eric Coull, Jeffrey Thomas Johns
  • Patent number: 11637859
    Abstract: A system for detecting whether a file including content is associated with a cyber-attack is described. The content may include an executable file for example. The system includes an intelligence-driven analysis subsystem and a computation analysis subsystem. The intelligence-driven analysis subsystem is configured to (i) receive the file, (ii) inspect and compute features of the file for indicators associated with a cyber-attack, and (iii) produce a first output representing the detected indicators. The computational analysis subsystem includes an artificial neural network to (i) receive a network input being a first representation of at least one section of binary code from the file as input, and (ii) process the first representation of the section to produce a second output. The first output and the second output are used in determining a classification assigned to the file.
    Type: Grant
    Filed: August 30, 2021
    Date of Patent: April 25, 2023
    Assignee: Mandiant, Inc.
    Inventors: Jeffrey Thomas Johns, Brian Sanford Jones, Scott Eric Coull
  • Patent number: 11201890
    Abstract: A method for performing cyber-security analysis includes generating a semantic graph in which each object is represented as a node, and each event associated with an object is represented as an edge. A cyber-threat related alert, with an associated alert type, is received from a source. A first object from the plurality of objects is modified based on the alert. A plurality of threat scores, each associated with an object, are calculated, substantially concurrently, based on the alert type. Subsequently, a plurality of modified threat scores are determined for each object, based on: (1) the threat score for that object, (2) a connectivity of that object to each of the remaining objects within the semantic graph; and (3) the threat score for each remaining object from the plurality of objects. A subgraph of the semantic graph is identified based on normalized versions of the modified threat scores.
    Type: Grant
    Filed: March 29, 2019
    Date of Patent: December 14, 2021
    Assignee: Mandiant, Inc.
    Inventors: Scott Eric Coull, Jeffrey Thomas Johns
  • Patent number: 11108809
    Abstract: A system for detecting whether a file including content is associated with a cyber-attack is described. The content may include an executable file for example. The system includes an intelligence-driven analysis subsystem and a computation analysis subsystem. The intelligence-driven analysis subsystem is configured to (i) receive the file, (ii) inspect and compute features of the file for indicators associated with a cyber-attack, and (iii) produce a first output representing the detected indicators. The computational analysis subsystem includes an artificial neural network to (i) receive a network input being a first representation of at least one section of binary code from the file as input, and (ii) process the first representation of the section to produce a second output. The first output and the second output are used in determining a classification assigned to the file.
    Type: Grant
    Filed: October 27, 2017
    Date of Patent: August 31, 2021
    Assignee: FireEye, Inc.
    Inventors: Jeffrey Thomas Johns, Brian Sanford Jones, Scott Eric Coull
  • Publication number: 20190132334
    Abstract: A system for detecting whether a file including content is associated with a cyber-attack is described. The content may include an executable file for example. The system includes an intelligence-driven analysis subsystem and a computation analysis subsystem. The intelligence-driven analysis subsystem is configured to (i) receive the file, (ii) inspect and compute features of the file for indicators associated with a cyber-attack, and (iii) produce a first output representing the detected indicators. The computational analysis subsystem includes an artificial neural network to (i) receive a network input being a first representation of at least one section of binary code from the file as input, and (ii) process the first representation of the section to produce a second output. The first output and the second output are used in determining a classification assigned to the file.
    Type: Application
    Filed: October 27, 2017
    Publication date: May 2, 2019
    Applicant: FireEye, Inc.
    Inventors: Jeffrey Thomas Johns, Brian Sanford Jones, Scott Eric Coull