Patents by Inventor Martin Kopp

Martin Kopp has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20250141893
    Abstract: Techniques described herein can perform obfuscation detection on command lines used at computing devices in a network. In response to detecting obfuscation in a command line, the disclosed techniques can output a notification for use in connection with network security analysis. The command line obfuscation detection techniques include pre-processing command line input data and converting command lines into token groups. The token groups are then provided as an input to a natural language processor or other machine learned model, which is trained to identify obfuscation probabilities associated with token groups and corresponding command lines. A notification is generated to trigger further analysis in response to an obfuscation probability exceeding a threshold obfuscation probability.
    Type: Application
    Filed: October 31, 2023
    Publication date: May 1, 2025
    Inventors: Michael Adam Polak, Martin Kopp, Vojtech Outrata
  • Publication number: 20250030703
    Abstract: In one embodiment, a device obtains input features for a neural network-based model. The device pre-defines a set of neurons of the model to represent known behaviors associated with the input features. The device constrains weights for a plurality of outputs of the model. The device trains the neural network-based model using the constrained weights for the plurality of outputs of the model and by excluding the pre-defined set of neurons from updates during the training.
    Type: Application
    Filed: October 4, 2024
    Publication date: January 23, 2025
    Inventors: Petr Somol, Martin Kopp, Jan Kohout, Jan Brabec, Marc Rene Jacques Marie Dupont, Cenek Skarda, Lukas Bajer, Danila Khikhlukha
  • Patent number: 12160429
    Abstract: In one embodiment, a device obtains input features for a neural network-based model. The device pre-defines a set of neurons of the model to represent known behaviors associated with the input features. The device constrains weights for a plurality of outputs of the model. The device trains the neural network-based model using the constrained weights for the plurality of outputs of the model and by excluding the pre-defined set of neurons from updates during the training.
    Type: Grant
    Filed: July 24, 2023
    Date of Patent: December 3, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Petr Somol, Martin Kopp, Jan Kohout, Jan Brabec, Marc René Jacques Marie Dupont, Cenek Skarda, Lukas Bajer, Danila Khikhlukha
  • Publication number: 20240356962
    Abstract: Techniques and architecture are described for automated threat response and remediation of incidents generated by single or multiple security products. The techniques and architecture provide a framework for automated threat response and remediation of incidents generated by single or multiple security products, especially for extended detection and response (XDR) systems. In particular, the techniques and architecture provide for an automated threat response that is handled by an auto-analyst engine emulating security analysts' steps during incident response and remediation. The automated threat response automatically confirms or disapproves of detection verdicts thereby reducing false positives that analysts usually have to deal with. If any actions are needed from a security analyst, a concise report of actions taken, gathered information and recommended next steps are provided by the automated threat response, significantly reducing the time and resources needed to resolve an incident.
    Type: Application
    Filed: September 14, 2023
    Publication date: October 24, 2024
    Inventors: Jaroslav Hlavac, Martin Kopp, Michael Adam Polak
  • Publication number: 20240356934
    Abstract: Techniques described herein for extended detection and response to security anomalies in computing networks can perform automated analysis of anomalies occurring in different telemetry sources in a computer network, in order to synthesize the anomalies into analyst work units that are surfaced for further analysis by security response teams. Anomalies can initially be processed in order to identify and collect extended anomaly data. The extended anomaly data can then be used to group the anomalies according to a multi-stage grouping process which produces analyst work units. The analyst work units can be processed to produce analyst summaries that assist with analysis and response. Furthermore, the analyst work units can be prioritized for further analysis, and analyst interactions with the prioritized analyst work units can be used to influence subsequent anomaly grouping operations.
    Type: Application
    Filed: August 9, 2023
    Publication date: October 24, 2024
    Inventors: Cenek Skarda, Roman Sushkov, Martin Kopp, Lukas Batrla
  • Publication number: 20240356943
    Abstract: Techniques described herein for extended detection and response to security anomalies in computing networks can perform automated analysis of anomalies occurring in different telemetry sources in a computer network, in order to synthesize the anomalies into analyst work units that are surfaced for further analysis by security response teams. Anomalies can initially be processed in order to identify and collect extended anomaly data. The extended anomaly data can then be used to group the anomalies according to a multi-stage grouping process which produces analyst work units. The analyst work units can be processed to produce analyst summaries that assist with analysis and response. Furthermore, the analyst work units can be prioritized for further analysis, and analyst interactions with the prioritized analyst work units can be used to influence subsequent anomaly grouping operations.
    Type: Application
    Filed: August 9, 2023
    Publication date: October 24, 2024
    Inventors: Martin Kopp, Cenek Skarda, Josef Krupicka, David Sislak, Michal Svoboda
  • Publication number: 20240356942
    Abstract: Techniques described herein for extended detection and response to security anomalies in computing networks can perform automated analysis of anomalies occurring in different telemetry sources in a computer network, in order to synthesize the anomalies into analyst work units that are surfaced for further analysis by security response teams. Anomalies can initially be processed in order to identify and collect extended anomaly data. The extended anomaly data can then be used to group the anomalies according to a multi-stage grouping process which produces analyst work units. The analyst work units can be processed to produce analyst summaries that assist with analysis and response. Furthermore, the analyst work units can be prioritized for further analysis, and analyst interactions with the prioritized analyst work units can be used to influence subsequent anomaly grouping operations.
    Type: Application
    Filed: August 9, 2023
    Publication date: October 24, 2024
    Inventors: Martin Kopp, Cenek Skarda
  • Publication number: 20240259414
    Abstract: Techniques for combining threat-related events associated with different modalities to provide a complete insight into cyber attack life cycles. The techniques may include receiving telemetry data associated with one or more modalities and detecting, based at least in part on the telemetry data, one or more abnormal events associated with security incidents. The one or more abnormal events may include at least a first abnormal event associated with a first modality and a second abnormal event associated with a second modality. The techniques may also include determining that an entity associated with the abnormal events is a same entity and, based at least in part on the entity comprising the same entity, determining that a correlation between the abnormal events is indicative of a security incident. Based at least in part on the correlation, an indication associated with the security incident may be output.
    Type: Application
    Filed: April 10, 2024
    Publication date: August 1, 2024
    Inventors: Jan Kohout, Cenek Skarda, Martin Kopp, Kyrylo Shcherbin, Jaroslav Hlavac
  • Publication number: 20240187444
    Abstract: In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.
    Type: Application
    Filed: February 14, 2024
    Publication date: June 6, 2024
    Inventors: Jan Kohout, Blake Harrell Anderson, Martin Grill, David McGrew, Martin Kopp, Tomas Pevny
  • Patent number: 11985154
    Abstract: Techniques for combining threat-related events associated with different modalities to provide a complete insight into cyber attack life cycles. The techniques may include receiving telemetry data associated with one or more modalities and detecting, based at least in part on the telemetry data, one or more abnormal events associated with security incidents. The one or more abnormal events may include at least a first abnormal event associated with a first modality and a second abnormal event associated with a second modality. The techniques may also include determining that an entity associated with the abnormal events is a same entity and, based at least in part on the entity comprising the same entity, determining that a correlation between the abnormal events is indicative of a security incident. Based at least in part on the correlation, an indication associated with the security incident may be output.
    Type: Grant
    Filed: February 10, 2022
    Date of Patent: May 14, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Jan Kohout, Martin Kopp, Kyrylo Shcherbin, Jaroslav Hlavac, Cenek Skarda
  • Patent number: 11956208
    Abstract: A method includes, at a server in a network, detecting for a user device network incidents relating to one or more security threats in the network using a plurality of threat detectors over a predetermined time period, each of the network incidents including one or more behavior indicators; assigning the network incidents into one or more groups, wherein each group corresponds to a type of security threat; generating a graph for a particular group of the user device, wherein the graph includes a plurality of nodes each representing a behavior indicator in the particular group, and wherein generating the graph includes assigning an edge to connect two nodes of the plurality of nodes if the two nodes correspond to behavior indicators that belong to a same network incident; and displaying the graph on a graphical user interface for a user.
    Type: Grant
    Filed: April 18, 2022
    Date of Patent: April 9, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Martin Kopp, Lukas Machlica
  • Publication number: 20240106836
    Abstract: In one embodiment, a device obtains input features for a neural network-based model. The device pre-defines a set of neurons of the model to represent known behaviors associated with the input features. The device constrains weights for a plurality of outputs of the model. The device trains the neural network-based model using the constrained weights for the plurality of outputs of the model and by excluding the pre-defined set of neurons from updates during the training.
    Type: Application
    Filed: July 24, 2023
    Publication date: March 28, 2024
    Inventors: Petr Somol, Martin Kopp, Jan Kohout, Jan Brabec, Marc René Jacques Marie Dupont, Cenek Skarda, Lukas Bajer, Danila Khikhlukha
  • Patent number: 11936683
    Abstract: In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.
    Type: Grant
    Filed: July 26, 2022
    Date of Patent: March 19, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Jan Kohout, Blake Harrell Anderson, Martin Grill, David McGrew, Martin Kopp, Tomas Pevny
  • Publication number: 20240031328
    Abstract: This disclosure describes techniques for matching entities across a computing network using data from different telemetries. The techniques include receiving telemetry data of the computing network, the telemetry data including identifying information corresponding to an entity, associated information of the computing network, and/or timestamps. The techniques also include establishing one or more time windows based at least in part on the timestamps. A particular time window may be determined to correspond to the associated information. The techniques may include attributing the associated information to the entity. In some cases, an address book may be maintained, including mappings of the identifying information, the associated information, and/or time windows.
    Type: Application
    Filed: February 15, 2023
    Publication date: January 25, 2024
    Inventors: Kyrylo Shcherbin, Jan Stercl, Jan Kohout, Martin Kopp
  • Publication number: 20230373342
    Abstract: A charge support system includes: a manager information acquiring section that acquires manager information as information regarding a manager of a private charge facility; an applicant-for-use information acquiring section that acquires applicant-for-use information as information regarding an applicant for use who wants to use the private charge facility; and a permission-for-charge-facility-use determining section that determines whether or not a predetermined permission-for-use condition is established between the applicant for use and the manager based on the applicant-for-use information and the manager information upon receipt of application-for-charge-facility-use information from a user terminal, the application-for-charge-facility-use information being for applying for use of the private charge facility, and that transmits permission-for-use information to the user terminal when the permission-for-use condition is established, the permission-for-use information being for making notification of permi
    Type: Application
    Filed: April 26, 2023
    Publication date: November 23, 2023
    Inventors: Toru Kimura, Martin Kopp, Christian Koebel, Hisashi Nagaoka
  • Publication number: 20230281300
    Abstract: Techniques for identifying malicious actors across datasets of different origin. The techniques may include receiving input data indicative of network interactions between entities and modalities. Based at least in part on the input data, a maliciousness score associated with a first entity may be determined. In some instances, a value of the maliciousness score may be partially based on a number of the modalities that are interacting with the first entity and also interacting with one or more malicious entities. The techniques may further include determining whether the value of the maliciousness score exceeds a threshold value and, based at least in part on the value of the maliciousness score exceeding the threshold value, a request may be made to identify the first entity as a new malicious entity.
    Type: Application
    Filed: June 23, 2022
    Publication date: September 7, 2023
    Inventors: Pavel Prochazka, Stepan Dvorak, Lukas Bajer, Martin Kopp, Kyrylo Shcherbin
  • Patent number: 11750621
    Abstract: In one embodiment, a device obtains input features for a neural network-based model. The device pre-defines a set of neurons of the model to represent known behaviors associated with the input features. The device constrains weights for a plurality of outputs of the model. The device trains the neural network-based model using the constrained weights for the plurality of outputs of the model and by excluding the pre-defined set of neurons from updates during the training.
    Type: Grant
    Filed: March 26, 2020
    Date of Patent: September 5, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Petr Somol, Martin Kopp, Jan Kohout, Jan Brabec, Marc René Jacques Marie Dupont, Cenek Skarda, Lukas Bajer, Danila Khikhlukha
  • Patent number: 11709171
    Abstract: A laboratory system for a laboratory automation system is presented. The laboratory system comprises a sample container carrier. The sample container carrier is configured to carry a laboratory sample container and comprises a removal detector. The removal detector is configured to interact with the laboratory sample container to detect a removal of the carried laboratory sample container from the sample container carrier. Furthermore, the laboratory system is configured to determine based on the detected removal that a before valid logic assignment of the sample container carrier to the carried laboratory sample container is invalid.
    Type: Grant
    Filed: March 4, 2019
    Date of Patent: July 25, 2023
    Assignee: ROCHE DIAGNOSTICS OPERATIONS, INC.
    Inventors: Martin Kopp, Oliver Gutmann, Norbert Schmitt
  • Publication number: 20230150381
    Abstract: A power storage management system includes: a travel plan recognition unit for recognizing a travel plan of a user; a moving body waiting period estimation unit for estimating a waiting period based on the travel plan, the waiting period being a period through which the user is to leave an electric moving body in a predetermined moving body waiting area, the electric moving body being used by the user; and a moving body charge-discharge control unit for charging or discharging a storage battery in the waiting period, the storage battery being provided in the electric moving body left in the moving body waiting area.
    Type: Application
    Filed: October 25, 2022
    Publication date: May 18, 2023
    Inventors: Toru Kimura, Martin Kopp, Christian Koebel, Hisashi Nagaoka
  • Publication number: 20230150388
    Abstract: An electric power control system for controlling charge-discharge operation of a battery mounted on a vehicle includes: a plurality of computers, each operating so as to hold a distributed ledger identical to each other; a generation unit for generating transaction data including information related to charge-discharge operation of the battery; a ledger management unit for receiving the transaction data, and for recording the received transaction data in the distributed ledger; and a control unit for controlling charge-discharge operation of the battery, wherein: information related to the charge-discharge operation includes intention information that is information on an intention of a user of the vehicle regarding the charge-discharge operation; and the control unit executes the charge-discharge operation under an operating condition reflecting an intention of the user based on the intention information included in the transaction data recorded in the distributed ledger.
    Type: Application
    Filed: October 27, 2022
    Publication date: May 18, 2023
    Inventors: Toru Kimura, Martin Kopp, Christian Koebel, Hisashi Nagaoka