Abstract: Systems and methods are presented for mitigating cyber threats. Cybersecurity-related data are stored in a semantic cybersecurity database. A user interface converts a user input to a command utterance. A command node that corresponds to the command utterance is identified in the cybersecurity database. The command node is resolved to one or more action nodes that are connected to the command node, and each action node is resolved to one or more parameter nodes that are connected to the action node. The command node has a command that implements actions indicated in the action nodes. Each action can have one or more required parameters indicated in the parameter nodes. The values of the required parameters are obtained from the command utterance, prompted from the user, or obtained from the cybersecurity database. Actions with their parameter values are executed to mitigate a cyber threat in accordance with the user input.

Abstract: Examples relate to identifying signatures for data sets. In one example, a computing device may: for each of a plurality of first data sets, obtain a data set signature; generate a first data structure for storing each data set signature that is distinct from each other data set signature; for each of a plurality of second data sets, obtain at least one data subset; generate a second data structure for storing each data subset; remove, from the first data structure, each data set signature that matches a data subset included in the second data structure; and for each data set signature removed from the first data structure, identify each first data set from which the data set signature was obtained; and for each identified first data set, obtain a new data set signature.

Abstract: In one embodiment, a network security device monitors network communications between a computer and another computer. A periodicity of transmissions made by one computer to the other computer is determined, with the periodicity being used to identify candidate time point pairs having intervals that match the periodicity. A graph is constructed with time points of the candidate time point pairs as nodes and with intervals of time point pairs as edges. A longest path that continuously links one time point to another time point on the graph is compared to a threshold length to verify that the transmissions are periodic, and are thus potentially indicative of malicious network communications.

Abstract: In one embodiment, local begin and end tags are detected by a network security device to determine a local context of a network traffic flow, and a local feature vector is obtained for that local context. At least one triggering machine learning model is applied by the network security device to the local feature vector, and the result determines whether or not deeper analysis is warranted. In most cases, very substantial resources are not required because deeper analysis is not indicated. If deeper analysis is indicated, one or more deeper machine learning model may then be applied to global and local feature vectors, and regular expressions may be applied to packet data, which may include the triggering data packet and one or more subsequent data packets. Other embodiments, aspects and features are also disclosed.

Abstract: Examples relate to identifying malicious activity using data complexity anomalies. In one example, a computing device may: receive a byte stream that includes a plurality of bytes; determine, for a least one subset of the byte stream, a measure of complexity of the subset; determine that the measure of complexity meets a predetermined threshold measure of complexity for a context associated with the byte stream; and in response to determining that the measure of complexity meets the threshold, provide an indication that the byte stream complexity is anomalous.

Abstract: Examples relate to identifying randomly generated character strings. In one example, a computing device may: receive a character string that includes two or more characters; identify a number of character transitions included in the character string, each character transition being a change in character type within an n-gram of the character string, where n is a positive integer; and determine, based on the number of character transitions, whether the character string was randomly generated.

Abstract: In one embodiment, local begin and end tags are detected by a network security device to determine a local context of a network traffic flow, and a local feature vector is obtained for that local context. At least one triggering machine learning model is applied by the network security device to the local feature vector, and the result determines whether or not deeper analysis is warranted. In most cases, very substantial resources are not required because deeper analysis is not indicated. If deeper analysis is indicated, one or more deeper machine learning model may then be applied to global and local feature vectors, and regular expressions may be applied to packet data, which may include the triggering data packet and one or more subsequent data packets. Other embodiments, aspects and features are also disclosed.

Abstract: Examples relate to identifying a signature for a data set. In one example, a computing device may: receive a data set that includes a plurality of data units; iteratively determine a measure of complexity for windows of data units included in the data set, each window including a distinct portion of the plurality of data units; identify, based on the iterative determinations, a most complex window of data units for the data set; and identify the most complex window as a data unit signature for the data set.

Abstract: Examples relate to identifying a signature for a data set. In one example, a computing device may: receive a data set that includes a plurality of data units; iteratively determine a measure of complexity for windows of data units included in the data set, each window including a distinct portion of the plurality of data units; identify, based on the iterative determinations, a most complex window of data units for the data set; and identify the most complex window as a data unit signature for the data set.

Abstract: Examples relate to identifying signatures for data sets. In one example, a computing device may: for each of a plurality of first data sets, obtain a data set signature; generate a first data structure for storing each data set signature that is distinct from each other data set signature; for each of a plurality of second data sets, obtain at least one data subset; generate a second data structure for storing each data subset; remove, from the first data structure, each data set signature that matches a data subset included in the second data structure; and for each data set signature removed from the first data structure, identify each first data set from which the data set signature was obtained; and for each identified first data set, obtain a new data set signature.

Abstract: Examples relate to identifying malicious activity using data complexity anomalies. In one example, a computing device may: receive a byte stream that includes a plurality of bytes; determine, for a least one subset of the byte stream, a measure of complexity of the subset; determine that the measure of complexity meets a predetermined threshold measure of complexity for a context associated with the byte stream; and in response to determining that the measure of complexity meets the threshold, provide an indication that the byte stream complexity is anomalous.

Abstract: Examples disclosed herein relate to confidence levels in reputable entities. Some of the examples enable identifying a particular reputable entity that is originated from a plurality of sources including a first source and a second source; determining a first level of confidence associated with the first source; determining a second level of confidence associated with the second source; determining an aggregate level of confidence associated with the plurality of sources based on the first and second levels of confidence, wherein the aggregate level confidence is higher than the first and second levels of confidence; and determining an entity score for the particular reputable entity based on the aggregate level of confidence.

Abstract: Examples relate to identifying randomly generated character strings. In one example, a computing device may: receive a character string that includes two or more characters; identify a number of character transitions included in the character string, each character transition being a change in character type within an n-gram of the character string, where n is a positive integer; and determine, based on the number of character transitions, whether the character string was randomly generated.

Abstract: Examples disclosed herein relate to potential blocking impacts. Some of the examples enable obtaining network traffic data of a network that is accessible by a plurality of users. The network traffic data may comprise occurrences of a reputable entity. Some of the examples further enable determining, based on the network traffic data, a potential blocking impact of blocking the reputable entity from the network. Some of the examples further enable providing the potential blocking impact to be used in an application of a network policy to the reputable entity.