Abstract: With the systems and methods described herein, one or more security counter measures can be applied to received security data, e.g., by an initial detector, for identifying signatures or patterns in the received security data and determining whether to promote identifiers (e.g., URLs, IP addresses, domains, etc.) to an attacker learning system. If the identified signatures or patterns and/or the identifiers related thereto are determined to meet a threshold criterion, the identifiers are promoted to the attacker learning system. At the attacker learning system, a machine learning model is applied to promoted identifiers and security data associated therewith for determining whether the identifiers are malicious and should be added or otherwise included in an attacker database. Other aspects also are described.

Abstract: The present disclosure provides systems and methods for organizations to use security date to generate a risk scores associated with potential compromise based on clustering and/or similarities with other organizations that have or may have been compromised. For example, indicators of compromise can be used to create a similarity score rank over time that may be used as a similarity and risk measurement to generate a continual/dynamic score, which can change and/or be updated as new data is created or arrives to detect or prevent threats and/or malicious attacks.

Abstract: With the systems and methods described herein, one or more security counter measures can be applied to received security data, e.g., by an initial detector, for identifying signatures or patterns in the received security data and determining whether to promote identifiers (e.g., URLs, IP addresses, domains, etc.) to an attacker learning system. If the identified signatures or patterns and/or the identifiers related thereto are determined to meet a threshold criterion, the identifiers are promoted to the attacker learning system. At the attacker learning system, a machine learning model is applied to promoted identifiers and security data associated therewith for determining whether the identifiers are malicious and should be added or otherwise included in an attacker database. Other aspects also are described.

Abstract: A system can enable a global search of security data of a client base. The system can include a processor operable to record anonymity values set by clients of the client base, and to receive search requests including one or more search parameters from the clients. Upon receipt of a search request, processor can generate a result set for the received search request and determine an aggregated anonymity value for the result set. The processor further may compare the aggregated anonymity value of the results set with a set anonymity value for each of the clients for filtering or removing the data points or information of the one or more clients with the set anonymity value that is greater than the aggregate anonymity value from the result set.

Abstract: A method of normalizing security log data can include receiving one or more security logs including unstructured data from a plurality of devices and reviewing unstructured data of the one or more security logs. The method also can include automatically applying a probabilistic model of one or more engines to identify one or more attributes or features of the unstructured data, and determine whether the identified attributes or features are indicative of identifiable entities, and tagging one or more identifiable entities of the identifiable entities, as well as organizing tagged entities into one or more normalized logs having a readable format with a prescribed schema. In addition, the method can include reviewing the one or more normalized logs for potential security events.

Abstract: The present disclosure provides systems and methods for organizations to use security date to generate a risk scores associated with potential compromise based on clustering and/or similarities with other organizations that have or may have been compromised. For example, indicators of compromise can be used to create a similarity score rank over time that may be used as a similarity and risk measurement to generate a continual/dynamic score, which can change and/or be updated as new data is created or arrives to detect or prevent threats and/or malicious attacks.

Abstract: The present disclosure provides systems and methods for organizations to use forensic to generate a risk scores associated with potential compromise based on clustering and/or similarities with other organizations that have or may have been compromised. For example, specific attributes or marks, such as low fidelity indicators of compromise can be used to create a similarity score rank over time that may be used as a similarity and risk measurement to generate a continual/dynamic score, which can change and/or be updated as new data is created or arrives to detect or prevent threats and/or malicious attacks.

Abstract: A method of normalizing security log data can include receiving one or more security logs including unstructured data from a plurality of devices and reviewing unstructured data of the one or more security logs. The method also can include automatically applying a probabilistic model of one or more engines to identify one or more attributes or features of the unstructured data, and determine whether the identified attributes or features are indicative of identifiable entities, and tagging one or more identifiable entities of the identifiable entities, as well as organizing tagged entities into one or more normalized logs having a readable format with a prescribed schema. In addition, the method can include reviewing the one or more normalized logs for potential security events.

Abstract: A method of normalizing security log data can include receiving one or more security logs including unstructured data from a plurality of devices and reviewing unstructured data of the one or more security logs. The method also can include automatically applying a probabilistic model of one or more engines to identify one or more attributes or features of the unstructured data, and determine whether the identified attributes or features are indicative of identifiable entities, and tagging one or more identifiable entities of the identifiable entities, as well as organizing tagged entities into one or more normalized logs having a readable format with a prescribed schema. In addition, the method can include reviewing the one or more normalized logs for potential security events.

Abstract: Systems/method of securely propagating analytical models for detection of security threats and/or malicious actions among a threat intelligence community can be provided. Attributes of security data accessed members of the threat intelligence community can be determined and encoded. Analytical model(s) can be developed for detection of potential malicious actions using the encoded attributes of the security data and a derivation data schema, and this derivation data schema can be encrypted. The model(s) can be translated into common exchange formats for sharing the model with community members. The encrypted derivation data schema can be transmitted to the community members. After receipt, the derivation data schema can be decoded by the community members, and the derivation data schema can be applied to security data to determine if the encoded attributes are found. If the encoded attributes are derived, remedial or mitigating action can be taken.

Abstract: A system can enable a global search of security data of a client base. The system can include a processor operable to record anonymity values set by clients of the client base, and to receive search requests including one or more search parameters from the clients. Upon receipt of a search request, processor can generate a result set for the received search request and determine an aggregated anonymity value for the result set. The processor further may compare the aggregated anonymity value of the results set with a set anonymity value for each of the clients for filtering or removing the data points or information of the one or more clients with the set anonymity value that is greater than the aggregate anonymity value from the result set.

Abstract: The present disclosure provides systems and methods for organizations to use forensic to generate a risk scores associated with potential compromise based on clustering and/or similarities with other organizations that have or may have been compromised. For example, specific attributes or marks, such as low fidelity indicators of compromise can be used to create a similarity score rank over time that may be used as a similarity and risk measurement to generate a continual/dynamic score, which can change and/or be updated as new data is created or arrives to detect or prevent threats and/or malicious attacks.

Abstract: Systems/method of securely propagating analytical models for detection of security threats and/or malicious actions among a threat intelligence community can be provided. Attributes of security data accessed members of the threat intelligence community can be determined and encoded. Analytical model(s) can be developed for detection of potential malicious actions using the encoded attributes of the security data and a derivation data schema, and this derivation data schema can be encrypted. The model(s) can be translated into common exchange formats for sharing the model with community members. The encrypted derivation data schema can be transmitted to the community members. After receipt, the derivation data schema can be decoded by the community members, and the derivation data schema can be applied to security data to determine if the encoded attributes are found. If the encoded attributes are derived, remedial or mitigating action can be taken.

Abstract: A method of normalizing security log data can include receiving one or more security logs including unstructured data from a plurality of devices and reviewing unstructured data of the one or more security logs. The method also can include automatically applying a probabilistic model of one or more engines to identify one or more attributes or features of the unstructured data, and determine whether the identified attributes or features are indicative of identifiable entities, and tagging one or more identifiable entities of the identifiable entities, as well as organizing tagged entities into one or more normalized logs having a readable format with a prescribed schema. In addition, the method can include reviewing the one or more normalized logs for potential security events.