Abstract: An automated framework provides security monitoring and analysis in a network by autonomously detecting actual and potential threats to the network. In response to detection of a threat, the framework instantiates a Situation to provide directed monitoring of the threat. The Situation invokes specific skills based on the state of the Situation to monitor network traffic for activity specific to the threat that instantiated the Situation. As data is collected, additional skills may be invoked based on the additional data to collect new data, and previously invoked skills may be terminated depending on the additional data to avoid collecting information that is no-longer relevant.

Abstract: System and method for detecting a likely threat from a malicious attack is disclosed. Communication between a user computer and a destination computer is monitored by a security appliance. Selective information from the communication is extracted. One or more weak signals of a threat is detected based on the selective information. One or more weak signals are evaluated for a likely threat based on a threshold value. A corrective action is initiated for the likely threat, based on the evaluation.

Abstract: System and method for evaluating communication between a plurality of computing devices is disclosed. A plurality of communication between a user computer and at least one a destination computer is monitored by a security appliance. Selective information from the plurality of communication is extracted by the security appliance. Extracted selective information between a pair of communication is compared for a match. An activity record is generated for the user computer and at least one destination computer, based on the match.

Abstract: System and method for detecting a likely threat from a malicious attack is disclosed. Communication between a user computer and a destination computer is monitored by a security appliance. Selective information from the communication is extracted. Selective information is associated to one or more attributes of a security entity. A knowledge graph is generated for a plurality of security entities based on the associated selective information.

Abstract: A method of detecting intrusions on a computer includes the step of identifying an internet protocol field range describing fields within internet protocol packets received by a computer. A connectivity range is also established which describes a distribution of network traffic received by the computer. An internet protocol field threshold and a connectivity threshold are then determined from the internet protocol field range and connectivity range, respectively. During the operation of the computer, values are calculated for the internet protocol field range and connectivity range. These values are compared to the internet protocol metric threshold and connectivity metric threshold so as to identify an intrusion on the computer.