Abstract: This document describes a method for identifying anomaly constructs in real-time based on multimodal surveillance data, the identification being done using a multimodal sensory and cognitive abstraction module. Meta-descriptors are generated for the surveillance data and subsequently, meta-descriptor embeddings are generated for the meta-descriptors whereby the meta-descriptor embeddings are used by an anomaly assertion model to detect anomaly constructs within the surveillance data.

Abstract: This document discloses a method and system for just-in-time compression and optimization of raw unstructured in-line and in-transit data by identifying low entropy data blocks or duplicated information security information in raw computer security alerts within a series of time windows. In particular, the method and system automatically manages; processes; and optimizes in-line and in-transit data blocks or raw information security alerts received from a plurality of information surveillance sources and/or peripheral monitoring devices simultaneously. The data blocks or raw information security alerts that are found to be unique in the various time windows are transposed into meta-definition tables to be further processed while redundant data blocks or raw alerts contained within each particular time window are identified, marked and processed accordingly.

Abstract: This document discloses a heuristic data analytics method and system for analysing potential information security threats in information security events. In particular, the heuristic data analytics method and system analyses Binary Large Objects (BLOBs) of structured and unstructured information security events at high speed and in real-time to anticipate potential security breaches that will occur in the near future using algorithms and large scale computing systems.

Abstract: This document discloses a system and method for consolidating threat intelligence data for a computer and its related networks. Massive volumes of raw threat intelligence data are collected from a plurality of sources and are partitioned into a common format for cluster analysis whereby the clustering of the data is done using unsupervised machine learning algorithms. The resulting organized threat intelligence data subsequently undergoes a weighted asset based threat severity level correlation process. All the intermediary network vulnerabilities of a particular computer network are utilized as the critical consolidation parameters of this process. The final processed intelligence data gathered through this high speed automated process is then formatted into predefined formats prior to transmission to third parties.

Abstract: A system and method for disrupting an information security threat that constitutes an attack on a computer asset in a computer network is provided. The provided system and method disrupts this information security threat after the attack on the computer asset has been detected by at least one of the monitoring devices on the affected computer network. An intermediate upstream gateway of the affected computer network is then utilized to disrupt this information security threat. As the detected attack is being disrupted, a mitigation action will be automatically initiated if a mitigation action associated with the attack is stored in the system's database; else information about the attack will be sent to a central command centre for further assessment. At the central command centre, a mitigating action will be further developed and executed to address the intention of the attack.

Abstract: This document describes a system and method for quantitatively unifying and assimilating all unstructured, unlabelled and/or fragmented real-time and non-real-time cyber threat data generated by a plurality of sources. These sources may include cyber-security surveillance systems that are equipped with machine learning capabilities.

Abstract: This invention relates to a system and method for prioritizing an incident triage process in an autonomic manner. In particular, the system employs performance modifier indicators and temporal decay parameters to autonomously compile, adjust and demonstrate a list of prioritized incidents in a dynamic manner.

Abstract: This invention relates to a system and method for simultaneously displaying real-time information security threat posture of a plurality of computers and its intermediary networks that are under surveillance. In particular, the invention involves displaying a three-dimensional abstract object that has been scaled according to the size and orientation of a display screen so that the entirety of the three-dimensional abstract object may be simultaneously viewed by viewers of the display technology in its entirety. The displayed three-dimensional abstract object is made up of an amalgamation of semi-translucent three-dimensional shapes that are arranged together to achieve the unified shape and form of the three-dimensional abstract object.

Abstract: This document describes a system and method for quantitatively unifying and assimilating all unstructured, unlabelled and/or fragmented real-time and non-real-time cyber threat data generated by a plurality of sources. These sources may include cyber-security surveillance systems that are equipped with machine learning capabilities.

Abstract: This invention relates to a system and method for prioritizing an incident triage process in an autonomic manner. In particular, the system employs performance modifier indicators and temporal decay parameters to autonomously compile, adjust and demonstrate a list of prioritized incidents in a dynamic manner.

Abstract: A system and method for evaluating cyber-security threat incidents of a computer network is described in this document. In particular, it is described that cyber-security threat incidents of a computer network may be visualized by displaying these threat incidents as a plurality of graphical objects on a display of a device. A subset of these graphical objects or threat incidents may then be selected by applying a single continuous touch input to a touch interface of the device. A risk score will then be generated and displayed based on the threat incidents that are contained within the subset of graphical objects. Mitigation actions addressing the cyber-security threats that triggered these threat incidents are then implemented by the device.

Abstract: This document discloses a method and system for just-in-time compression and optimization of raw unstructured in-line and in-transit data by identifying low entropy data blocks or duplicated information security information in raw computer security alerts within a series of time windows. In particular, the method and system automatically manages; processes; and optimizes in-line and in-transit data blocks or raw information security alerts received from a plurality of information surveillance sources and/or peripheral monitoring devices simultaneously. The data blocks or raw information security alerts that are found to be unique in the various time windows are transposed into meta-definition tables to be further processed while redundant data blocks or raw alerts contained within each particular time window are identified, marked and processed accordingly.

Abstract: A system and method for evaluating cyber-security threat incidents of a computer network is described in this document. In particular, it is described that cyber-security threat incidents of a computer network may be visualized by displaying these threat incidents as a plurality of graphical objects on a display of a device. A subset of these graphical objects or threat incidents may then be selected by applying a single continuous touch input to a touch interface of the device. A risk score will then be generated and displayed based on the threat incidents that are contained within the subset of graphical objects. Mitigation actions addressing the cyber-security threats that triggered these threat incidents are then implemented by the device.

Abstract: This document discloses a heuristic data analytics method and system for analysing potential information security threats in information security events. In particular, the heuristic data analytics method and system analyses Binary Large Objects (BLOBs) of structured and unstructured information security events at high speed and in real-time to anticipate potential security breaches that will occur in the near future using algorithms and large scale computing systems.

Abstract: This invention relates to a system and method for simultaneously displaying real-time information security threat posture of a plurality of computers and its intermediary networks that are under surveillance. In particular, the invention involves displaying a three-dimensional abstract object that has been scaled according to the size and orientation of a display screen so that the entirety of the three-dimensional abstract object may be simultaneously viewed by viewers of the display technology in its entirety. The displayed three-dimensional abstract object is made up of an amalgamation of semi-translucent three-dimensional shapes that are arranged together to achieve the unified shape and form of the three-dimensional abstract object.

Abstract: This document discloses a system and method for consolidating threat intelligence data for a computer and its related networks. Massive volumes of raw threat intelligence data are collected from a plurality of sources and are partitioned into a common format for cluster analysis whereby the clustering of the data is done using unsupervised machine learning algorithms. The resulting organized threat intelligence data subsequently undergoes a weighted asset based threat severity level correlation process. All the intermediary network vulnerabilities of a particular computer network are utilized as the critical consolidation parameters of this process. The final processed intelligence data gathered through this high speed automated process is then formatted into predefined formats prior to transmission to third parties.

Abstract: A system and method for disrupting an information security threat that constitutes an attack on a computer asset in a computer network is provided. The provided system and method disrupts this information security threat after the attack on the computer asset has been detected by at least one of the monitoring devices on the affected computer network. An intermediate upstream gateway of the affected computer network is then utilized to disrupt this information security threat. As the detected attack is being disrupted, a mitigation action will be automatically initiated if a mitigation action associated with the attack is stored in the system's database; else information about the attack will be sent to a central command centre for further assessment. At the central command centre, a mitigating action will be further developed and executed to address the intention of the attack.

Abstract: A computer security event monitoring system comprising a trigger for generating a security event alert when a security event occurs and an event manager responsive to the generation of a security event alert. The alert is converted to an incident record by the event manager. The incident record is stored in a storage means and forwarded to an event reaction means for investigation of a reaction to the security event.

Abstract: An anomaly detection system comprising, one or more distributed sensors for gathering network or log data; one or more generators for generating discovery rules based on a collective set of pattern discovery algorithms including one or more unsupervised machine learning algorithms; one or more detectors for detecting abnormal patterns in the network or log data gathered by the sensors based on the discovery rules generated by the generator; and one or more correlation engine for determining intrusion counter measures based on matching features of one or more detected abnormal patterns with correlation rules.

Abstract: A computer security event monitoring system comprising a trigger for generating a security event alert when a security event occurs and an event manager responsive to the generation of a security event alert. The alert is converted to an incident record by the event manager. The incident record is stored in a storage means and forwarded to an event reaction means for investigation of a reaction to the security event.