Patents by Inventor Nicolas BEAUCHESNE

Nicolas BEAUCHESNE has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11973768
    Abstract: Disclosed is an improved method, system, and computer program product for identifying malicious payloads. The disclosed approach identifies potentially malicious payload exchanges which may be associated with payload injection or root-kit magic key usage.
    Type: Grant
    Filed: November 24, 2020
    Date of Patent: April 30, 2024
    Assignee: Vectra AI, Inc.
    Inventors: Nicolas Beauchesne, John Steven Mancini
  • Publication number: 20230319068
    Abstract: Disclosed is an approach for analyzing a computer network to identify attack paths using a software representation that embodies network configuration and policy data for security management. The software representation comprises a state machine where different states can be reached using respective transitions or properties which are possible as determined based on the network configuration and network policy data. The states correspond to respective entities on the network which may comprise resources that are identifiable for protection in the software representation using crash statements. The software representation can then be stimulated using software analysis tools such as fuzzers to identify sequences of state-to-state transitions that could be used to compromise a protected resource on the computer network.
    Type: Application
    Filed: April 1, 2022
    Publication date: October 5, 2023
    Applicant: Vectra AI, Inc.
    Inventors: Nicolas Beauchesne, Sohrob Kazerounian, William Stow Finlayson, IV, Karl Matthew Lynn
  • Publication number: 20230318845
    Abstract: Disclosed is an approach for generating detection signatures based on analysis of a software representation of what is possible in a computer network based on network configuration data and network policy data. In some embodiments, the process includes maintaining a plurality of detection signature templates, generation of detection signatures (detection signature instances) using respective detection signature templates that are selected based on the analysis of the software representation. In some embodiments, detection signature templates are of different types and may be deployed at different locations based on their respective type(s), such as at source, destination.
    Type: Application
    Filed: April 1, 2022
    Publication date: October 5, 2023
    Applicant: Vectra AI, Inc.
    Inventors: Nicolas Beauchesne, Sohrob Kazerounian, William Stow Finlayson IV, Karl Matthew Lynn
  • Publication number: 20230319100
    Abstract: Disclosed is an approach for analyzing attack paths in a computer network generated using a software representation that embodies network configuration and policy data for security management. In some embodiments, the approach includes a process to analyze attack paths in a computer network to determine which attack paths might be most productively covered using a corresponding detection signature. In some embodiments, the attack paths are identified using a software representation that embodies network configuration and policy data. The software representation comprises a state machine where different states can be reached using respective transitions or properties. The states correspond to respective entities on the network which may comprise resources that are identifiable for protection in the software representation using crash statements.
    Type: Application
    Filed: April 1, 2022
    Publication date: October 5, 2023
    Applicant: Vectra AI, Inc.
    Inventors: Nicolas Beauchesne, Sohrob Kazerounian, William Stow Finlayson, IV, Karl Matthew Lynn
  • Publication number: 20230319086
    Abstract: Disclosed herein is an approach that includes providing a system for managing and expanding knowledge in a knowledge base. In some embodiments, the system comprises an expert system which performs a number of functions including data ingestion, application of a data retention policy, monitoring of a network system including deployments of detection signatures on the network system, response and alert management, posturing, and relevant automation. In some embodiments, the expert system interconnects with a war gaming engine to identify attack vectors to protected resources. In some embodiments, a collection of functions or modules is provided in place of the expert system—e.g., traditional programming techniques are used to provide functions or modules to perform similar processes using one or more function calls between the provided functions or modules.
    Type: Application
    Filed: March 30, 2023
    Publication date: October 5, 2023
    Applicant: Vectra AI, Inc.
    Inventors: Nicolas Beauchesne, Sohrob Kazerounian, William Stow Finlayson, IV, Karl Matthew Lynn
  • Publication number: 20230315413
    Abstract: Disclosed is an approach for solving arbitrary constraint satisfaction problems. In some embodiments, the approach includes a process to generate a software representation of what is possible based on a system corresponding to the constraint satisfaction problem. The software representation comprises a state machine where different states can be reached using respective transitions or properties which are possible as determined based on a current state of the system and parameters thereof whether global or otherwise.
    Type: Application
    Filed: February 10, 2023
    Publication date: October 5, 2023
    Applicant: Vectra AI, Inc.
    Inventors: Nicolas Beauchesne, Sohrob Kazerounian, William Stow Finlayson, IV, Karl Matthew Lynn
  • Publication number: 20230319050
    Abstract: Disclosed is an approach for generating a software representation that embodies network configuration and policy data of a computer network for use in security management. The software representation comprises a state machine where different states can be reached using respective transitions or properties which are possible as determined based on the network configuration and network policy data. The states correspond to respective entities on the network which may comprise resources that are identifiable for protection. The software representation can then be stimulated with various inputs to identify sequences of state-to-state transitions which may in turn be processed to generate corresponding detection signatures for use in monitoring the network.
    Type: Application
    Filed: April 1, 2022
    Publication date: October 5, 2023
    Applicant: Vectra AI, Inc.
    Inventors: Nicolas Beauchesne, Sohrob Kazerounian, William Stow Finlayson, IV, Karl Matthew Lynn
  • Publication number: 20230319067
    Abstract: Disclosed is an approach for network security management using software representation that embodies network configuration and policy data. In some embodiments, the approach includes a process to generate a software representation of what is possible based on a network configuration and policy data. The software representation comprises a state machine where different states can be reached using respective transitions or properties which are possible as determined based on the network configuration and policy data. The states correspond to respective entities on the network which may comprise resources that are identifiable for protection. The software representation can then be stimulated to identify sequences of state-to-state transitions which may in turn be processed to generate corresponding detection signatures for use in monitoring the network.
    Type: Application
    Filed: April 1, 2022
    Publication date: October 5, 2023
    Applicant: Vectra AI, Inc.
    Inventors: Nicolas Beauchesne, Sohrob Kazerounian, William Stow Finlayson IV, Karl Matthew Lynn
  • Patent number: 11595416
    Abstract: Disclosed is an improved approach for identifying security risks and breaches in a network by applying machine learning methods that learn resource access patterns in the network. Specifically, by observing the access pattern of the network entities (e.g. accounts, services, and hosts) from authorization requests/responses, the model through unsupervised learning, organizes the entity relationships into an ensemble of hierarchical models. The ensemble of hierarchical models can then be leveraged to create a series of metrics that can be used to identify various types of abnormalities in the access of a resource on the network. For instance, by further classifying the access request for a resource using abnormality scores into detection scenarios, the model is able to detect both an abnormality and the type of abnormality and include such information in a corresponding alarm when a security breach happens.
    Type: Grant
    Filed: April 28, 2020
    Date of Patent: February 28, 2023
    Assignee: Vectra AI, Inc.
    Inventors: Hsin Chen, Nicolas Beauchesne, Himanshu Mhatre, John Steven Mancini
  • Patent number: 11330005
    Abstract: Disclosed is an improved approach for detecting potentially malicious activity on a network. The present improved approach generates a multi-dimensional activity model based on captured network activity. Additional network activity is captured, and relative activity values are determined therefor. Determination of whether the additional network activity corresponds to potentially malicious activity is obtained by fitting the relative activity values of the additional network activity to the multi-dimensional relative activity model.
    Type: Grant
    Filed: April 15, 2019
    Date of Patent: May 10, 2022
    Assignee: Vectra AI, Inc.
    Inventors: Nicolas Beauchesne, Himanshu Mhatre, Daniel Carlton Hannah
  • Patent number: 11184369
    Abstract: Disclosed is an improved method, system, and computer program product for detecting hosts and connections between hosts that are being used as relays by an actor to gain control of hosts in a network. It can further identify periods of time within the connection when the relay activities occurred. In some embodiments, the invention can also chain successive relays to identify the true source and true target of the relay.
    Type: Grant
    Filed: October 18, 2018
    Date of Patent: November 23, 2021
    Assignee: Vectra Networks, Inc.
    Inventors: Himanshu Mhatre, Nicolas Beauchesne
  • Publication number: 20210105290
    Abstract: Disclosed is an improved method, system, and computer program product for identifying malicious payloads. The disclosed approach identifies potentially malicious payload exchanges which may be associated with payload injection or root-kit magic key usage.
    Type: Application
    Filed: November 24, 2020
    Publication date: April 8, 2021
    Applicant: Vectra AI, Inc.
    Inventors: Nicolas Beauchesne, John Steven Mancini
  • Publication number: 20200374308
    Abstract: Disclosed is an improved approach for identifying security risks and breaches in a network by applying machine learning methods that learn resource access patterns in the network. Specifically, by observing the access pattern of the network entities (e.g. accounts, services, and hosts) from authorization requests/responses, the model through unsupervised learning, organizes the entity relationships into an ensemble of hierarchical models. The ensemble of hierarchical models can then be leveraged to create a series of metrics that can be used to identify various types of abnormalities in the access of a resource on the network. For instance, by further classifying the access request for a resource using abnormality scores into detection scenarios, the model is able to detect both an abnormality and the type of abnormality and include such information in a corresponding alarm when a security breach happens.
    Type: Application
    Filed: April 28, 2020
    Publication date: November 26, 2020
    Applicant: Vectra AI, Inc.
    Inventors: Hsin Chen, Nicolas Beauchesne, Himanshu Mhatre, John Steven Mancini
  • Publication number: 20200329062
    Abstract: Disclosed is an improved approach for detecting potentially malicious activity on a network. The present improved approach generates a multi-dimensional activity model based on captured network activity. Additional network activity is captured, and relative activity values are determined therefor. Determination of whether the additional network activity corresponds to potentially malicious activity is obtained by fitting the relative activity values of the additional network activity to the multi-dimensional relative activity model.
    Type: Application
    Filed: April 15, 2019
    Publication date: October 15, 2020
    Applicant: Vectra Networks, Inc.
    Inventors: Nicolas Beauchesne, Himanshu Mhatre, Daniel Carlton Hannah
  • Patent number: 10623428
    Abstract: Disclosed is an improved approach for identifying suspicious administrative host activity within a network. Network traffic is examined to learn the behavior of hosts within a network. This provides an effective way of determining whether or not a host is performing suspicious activity over an administrative protocol.
    Type: Grant
    Filed: September 12, 2017
    Date of Patent: April 14, 2020
    Assignee: Vectra Networks, Inc.
    Inventors: Nicolas Beauchesne, Kevin Song-Kai Ni
  • Publication number: 20190149560
    Abstract: Disclosed is an improved method, system, and computer program product for detecting hosts and connections between hosts that are being used as relays by an actor to gain control of hosts in a network. It can further identify periods of time within the connection when the relay activities occurred. In some embodiments, the invention can also chain successive relays to identify the true source and true target of the relay.
    Type: Application
    Filed: October 18, 2018
    Publication date: May 16, 2019
    Applicant: Vectra Networks, Inc.
    Inventors: Himanshu Mhatre, Nicolas Beauchesne
  • Patent number: 9985979
    Abstract: An approach for detecting network threats is disclosed, that may involve receiving network traffic, plotting the network traffic in an n-dimensional feature space to form a network map, generating a client signature at least by placing new client points in the map, setting a threshold, and generating an alarm if one or more client activity points exceed the threshold. In some embodiments, the network map and the client signature are updated using sliding windows and distance calculations.
    Type: Grant
    Filed: November 17, 2015
    Date of Patent: May 29, 2018
    Assignee: VECTRA NETWORKS, INC.
    Inventors: David Lopes Pegna, Nicolas Beauchesne
  • Patent number: 9930053
    Abstract: A bot detection engine to determine whether hosts in an organization's network are performing bot-related activities is disclosed. A bot detection engine can receive network traffic between hosts in a network, and/or between hosts across several networks. The bot engine may parse the network traffic into session datasets and discard the session datasets that were not initiated by hosts in a given network. The session datasets may be analyzed and state data may be accumulated. The state data may correspond to actions performed by the hosts, such as requesting a website or clicking ads, or requesting content within the website (e.g. clicking on an image which forms an HTTP request/response transaction for the image file).
    Type: Grant
    Filed: March 10, 2015
    Date of Patent: March 27, 2018
    Assignee: Vectra Networks, Inc.
    Inventor: Nicolas Beauchesne
  • Publication number: 20180077178
    Abstract: Disclosed is an improved method, system, and computer program product for identifying malicious payloads. The disclosed approach identifies potentially malicious payload exchanges which may be associated with payload injection or root-kit magic key usage.
    Type: Application
    Filed: September 12, 2017
    Publication date: March 15, 2018
    Applicant: Vectra Networks, Inc.
    Inventors: Nicolas Beauchesne, John Steven Mancini
  • Publication number: 20180077186
    Abstract: Disclosed is an improved approach for identifying suspicious administrative host activity within a network. Network traffic is examined to learn the behavior of hosts within a network. This provides an effective way of determining whether or not a host is performing suspicious activity over an administrative protocol.
    Type: Application
    Filed: September 12, 2017
    Publication date: March 15, 2018
    Applicant: Vectra Networks, Inc.
    Inventors: Nicolas Beauchesne, Kevin Song-Kai Ni