Abstract: In some embodiments, a set of hashes that are associated with files of a user system, and a reference set of hashes that are associated with files of a reference system, may be obtained. An additional subset of hashes (included in the set of hashes and not included in the reference set of hashes) may be obtained based on a comparison between the set of hashes and the reference set of hashes. A file may be predicted to be exclusive for certain users or user systems, where the file is associated with a hash included in the additional subset of hashes. Other user systems may be scanned to determine what files are on the other user systems, where each of the other user systems is assigned to another user or is not one of the user systems. An alert indicating unauthorized activity may be generated based on the scan.

Abstract: In some embodiments, a set of hashes that are associated with files of a user system, and a reference set of hashes that are associated with files of a reference system, may be obtained. An additional subset of hashes (included in the set of hashes and not included in the reference set of hashes) may be obtained based on a comparison between the set of hashes and the reference set of hashes. A file may be predicted to be exclusive for certain users or user systems, where the file is associated with a hash included in the additional subset of hashes. Other user systems may be scanned to determine what files are on the other user systems, where each of the other user systems is assigned to another user or is not one of the user systems. An alert indicating unauthorized activity may be generated based on the scan.

Abstract: Systems and methods for facilitating data leakage and/or propagation tracking are provided. In some embodiments, a set of hashes associated with files of a user device and a reference set of hashes associated with files of a reference system may be obtained. An additional subset of hashes included in the set of hashes and not included in the reference set of hashes may be determined. The user device may be classified into a group based on the additional subset of hashes comprising a hash that is the same as a hash associated with a file of at least another user device classified into the group. A prediction that the file is exclusive for the group may be effectuated. Other user devices not classified into the group may be scanned. An alert indicating unauthorized activity may be generated responsive to the scan indicating that the other user devices contain the file.

Abstract: The disclosure relates to a log correlation engine that may cross-reference or otherwise leverage existing vulnerability data in an extensible manner to support network vulnerability and asset discovery. In particular, the log correlation engine may receive various logs that contain events describing observed network activity and discover a network vulnerability in response to the logs containing at least one event that matches a regular expression in at least one correlation rule that indicates a vulnerability. The log correlation engine may then obtain information about the indicated vulnerability from at least one data source cross-referenced in the correlation rule and generate a report that the indicated vulnerability was discovered in the network, wherein the report may include the information about the indicated vulnerability obtained from the at least one data source cross-referenced in the correlation rule.

Abstract: Systems and methods for facilitating data leakage and/or propagation tracking are provided. In some embodiments, a set of hashes associated with files of a user device and a reference set of hashes associated with files of a reference system may be obtained. An additional subset of hashes included in the set of hashes and not included in the reference set of hashes may be determined. The user device may be classified into a group based on the additional subset of hashes comprising a hash that is the same as a hash associated with a file of at least another user device classified into the group. A prediction that the file is exclusive for the group may be effectuated. Other user devices not classified into the group may be scanned. An alert indicating unauthorized activity may be generated responsive to the scan indicating that the other user devices contain the file.

Abstract: The system and method described herein may use file hashes to track data leakage and document propagation in a network. For example, file systems associated with known reference systems and various user devices may be compared to classify the user devices into various groups based on differences between the respective file systems, identify files unique to the various groups, and detect potential data leakage or document propagation if user devices classified in certain groups include any files that are unique to other groups. Additionally, various algorithms may track locations, movements, changes, and other events that relate to normal or typical activity in the network, which may be used to generate statistics that can be compared to subsequent activities that occur in the network to detect potentially anomalous activity that may represent potential data leakage or document propagation.

Abstract: The system and method described herein relates to a log correlation engine that may cross-reference or otherwise leverage existing vulnerability data in an extensible manner to support network vulnerability and asset discovery. In particular, the log correlation engine may receive various logs that contain events describing observed network activity and discover a network vulnerability in response to the logs containing at least one event that matches a regular expression in at least one correlation rule associated with the log correlation engine that indicates a vulnerability. The log correlation engine may then obtain information about the indicated vulnerability from at least one data source cross-referenced in the correlation rule and generate a report that the indicated vulnerability was discovered in the network, wherein the report may include the information about the indicated vulnerability obtained from the at least one data source cross-referenced in the correlation rule.

Abstract: The system and method described herein may use file hashes to track data leakage and document propagation in a network. For example, file systems associated with known reference systems and various user devices may be compared to classify the user devices into various groups based on differences between the respective file systems, identify files unique to the various groups, and detect potential data leakage or document propagation if user devices classified in certain groups include any files that are unique to other groups. Additionally, various algorithms may track locations, movements, changes, and other events that relate to normal or typical activity in the network, which may be used to generate statistics that can be compared to subsequent activities that occur in the network to detect potentially anomalous activity that may represent potential data leakage or document propagation.