Abstract: A system, method, and computer-readable medium are disclosed for performing a security operation. The security operation includes: monitoring an entity, the monitoring observing at least one electronically-observable data source; identifying a security related activity of the entity, the security related activity being of analytic utility; accessing an entity behavior catalog based upon the security related activity, the entity behavior catalog providing an inventory of entity behaviors; and performing a security operation via a distributed security analytics environment, the security operation using entity behavior catalog data stored within the entity behavior catalog based upon the security related activity.

Abstract: A system, method, and computer-readable medium are disclosed for implementing a cybersecurity system having security policy visualization. At least one embodiment is directed to a computer-implemented method for implementing security policies in a secured network, including: retrieving a set of rules of a security policy; analyzing the set of rules of the security policy using one or more Satisfiability Modulo Theory (SMT) operations to reduce a dimensionality of the security policy; and generating a visual presentation on a user interface using results of the SMT operations, where the visual presentation includes visual indicia representing one or more targeted policy dimensions with respect to one or more fixed policy dimensions. In at least one embodiment, two or more security policies are presented with visual indicia representing differences between the security policies, including representations of one or more targeted policy dimensions with respect to one or more fixed policy dimensions.

Abstract: A system, method, and computer-readable medium are disclosed for performing a security operation. The security operation includes: monitoring an entity, the monitoring observing at least one electronically-observable data source; identifying an event of analytic utility; analyzing the event of analytic utility, the analyzing the event of analytic utility identifying an entity behavior associated with the event of analytic utility; and, performing the security operation in response to the analyzing the event of analytic utility, where the monitoring, identifying, analyzing and performing are performed via a distributed security analytics framework.

Abstract: A system, method, and computer-readable medium are disclosed for performing a security analytics mapping operation.

Abstract: A system, method, and computer-readable medium are disclosed for performing a security operation. The security operation includes: monitoring a plurality of actions of an entity, the plurality of actions of the entity corresponding to a plurality of events enacted by the entity; maintaining information relating to the monitoring within a user edge component; identifying an event of analytic utility; analyzing the event of analytic utility at the user edge component, the analyzing generating a security risk assessment; and, providing the security risk assessment to a network edge component.

Abstract: A system, method, and computer-readable medium are disclosed for implementing a cybersecurity system having a digital certificate reputation system. At least one embodiment is directed to a computer-implemented method executing operations including receiving a communication having an internet protocol (IP) address and a digital certificate at a device within the secured network; determining whether the IP address is identified as having a high-security risk level; if the IP address has a high-security risk level, assigning a security risk level to the digital certificate based on the security risk level of the IP address; and using the security risk level for the digital certificate in executing the one or more security policies. Other embodiments include corresponding computer systems, apparatus, and computer programs recorded on one or more computer storage devices.

Abstract: A system, method, and computer-readable medium are disclosed for implementing a cybersecurity system having security policy visualization. At least one embodiment is directed to a computer-implemented method for implementing security policies in a secured network, including: retrieving a set of rules of a security policy; analyzing the set of rules of the security policy using one or more Satisfiability Modulo Theory (SMT) operations to reduce a dimensionality of the security policy; and generating a visual presentation on a user interface using results of the SMT operations, where the visual presentation includes visual indicia representing one or more targeted policy dimensions with respect to one or more fixed policy dimensions. In at least one embodiment, two or more security policies are presented with visual indicia representing differences between the security policies, including representations of one or more targeted policy dimensions with respect to one or more fixed policy dimensions.

Abstract: A system, method, and computer-readable medium are disclosed for implementing a cybersecurity system having a digital certificate reputation system. At least one embodiment is directed to a computer-implemented method executing operations including receiving a communication having an internet protocol (IP) address and a digital certificate at a device within the secured network; determining whether the IP address is identified as having a high-security risk level; if the IP address has a high-security risk level, assigning a security risk level to the digital certificate based on the security risk level of the IP address; and using the security risk level for the digital certificate in executing the one or more security policies. Other embodiments include corresponding computer systems, apparatus, and computer programs recorded on one or more computer storage devices.

Abstract: A system, method, and computer-readable medium are disclosed for implementing a security analytics system configured to instantiate user behavior baselines using historical data stored on an endpoint device. At least one embodiment is directed to a computer-implemented method including: accessing historical data stored on an endpoint device during an initialization of the endpoint device on the secured network, instantiating user behavior baselines for the endpoint device using the accessed historical data, and storing the instantiated user behavior baselines on a security system of the secured network for detecting instances of anomalous user behavior occurring at the endpoint device. Other embodiments of this aspect include corresponding computer systems, apparatus, and computer programs recorded on one or more computer storage devices, each configured to perform the actions of the methods.

Abstract: A system, method, and computer-readable medium are disclosed for performing a security operation. The security operation includes: monitoring an entity, the monitoring observing at least one electronically-observable data source; identifying a security related activity of the entity, the security related activity being of analytic utility; accessing an entity behavior catalog based upon the security related activity, the entity behavior catalog providing an inventory of entity behaviors; and performing a security operation via a distributed security analytics environment, the security operation using entity behavior catalog data stored within the entity behavior catalog based upon the security related activity.

Abstract: A system, method, and computer-readable medium are disclosed for performing a security operation. The security operation includes: monitoring an entity, the monitoring observing at least one electronically-observable data source; identifying an event of analytic utility; analyzing the event of analytic utility, the analyzing the event of analytic utility identifying an entity behavior associated with the event of analytic utility; and, performing the security operation in response to the analyzing the event of analytic utility, where the monitoring, identifying, analyzing and performing are performed via a distributed security analytics framework.

Abstract: A system, method, and computer-readable medium are disclosed for performing a security operation. The security operation includes: monitoring a plurality of actions of an entity, the plurality of actions of the entity corresponding to a plurality of events enacted by the entity; maintaining information relating to the monitoring within a user edge component; identifying an event of analytic utility; analyzing the event of analytic utility at the user edge component, the analyzing generating a security risk assessment; and, providing the security risk assessment to a network edge component.

Abstract: A system, method, and computer-readable medium are disclosed for performing a security analytics mapping operation.

Abstract: A method for optimizing performance analysis of a plurality of network hosts associated with a communications network includes aggregating captured network performance data including a plurality of captured network performance metrics for a plurality of network flows. Each one of the plurality of network flows is associated with a plurality of network hosts. The aggregated captured network performance data is encoded by employing at least one data modification function. Dimensionality of the encoded captured network performance data is reduced using a neural network model. One or more reduced-dimensional clusters of the encoded captured network performance data are generated. Each of the one or more reduced-dimensional clusters is grouping one or more hosts of the plurality of network hosts based on the captured network performance metrics.

Abstract: A method for optimizing performance analysis of a plurality of network hosts associated with a communications network includes aggregating captured network performance data including a plurality of captured network performance metrics for a plurality of network flows. Each one of the plurality of network flows is associated with a plurality of network hosts. The aggregated captured network performance data is encoded by employing at least one data modification function. Dimensionality of the encoded captured network performance data is reduced using a neural network model. One or more reduced-dimensional clusters of the encoded captured network performance data are generated. Each of the one or more reduced-dimensional clusters is grouping one or more hosts of the plurality of network hosts based on the captured network performance metrics.

Abstract: A method to mitigate attack by an upstream service provider using cloud mitigation services. An edge detection device, which located at the subscriber's network edge, is able to communicate information via status messages about attacks to an upstream service provider. The service provider is then able to mitigate attacks based on the status messages. There is a feedback loop whereby the amount of dropped traffic by the service provider is added to the network traffic to keep the mitigation request open and prevent flapping. Likewise, the detection device includes time-to-engage and time-to-disengage timers to further prevent flapping.

Abstract: A system, method and computer readable storage medium that receives traffic/packets from external devices attempting to access protected devices in a protected network. A determination is made to whether a received packet belongs to one of a plurality of packet classifications. Each packet classification indicative of different classes of IP traffic. Countermeasures are applied to a received packet to prevent attack upon the protected devices. Applying a countermeasure to a received packet determined to belong to one of the plurality of packet classifications includes countermeasure modification/selection contingent upon the determined packet classification for the received packet.

Abstract: A system and method are provided to receive mirrored versions of transmissions sent by a node in response to initiating transmissions received by the node over a network. At least one mirrored response transmission sent from the node in response to at least one corresponding initiating transmission is analyzed to determine whether or not the corresponding at least one initiating transmission is malicious.

Abstract: A system, method and computer readable storage medium that receives traffic/packets from external devices attempting to access protected devices in a protected network. A determination is made to whether a received packet belongs to one of a plurality of packet classifications. Each packet classification indicative of different classes of IP traffic. Countermeasures are applied to a received packet to prevent attack upon the protected devices. Applying a countermeasure to a received packet determined to belong to one of the plurality of packet classifications includes countermeasure modification/selection contingent upon the determined packet classification for the received packet.

Abstract: A system and methods for mitigation slow HTTP, SSL/HTTPS, SMTP, and/or SIP attacks. A protection system monitors each TCP connection between a client and a server. The protection system monitors the header request time and minimum transfer rate for each client and TCP connection. If the client has not completed the data transfer in the minimum time or the data are not transferred at the minimum transfer rate, the protection system determines the connections are potentially a slow attack and resets the connections for the protected devices.