Abstract: An authentication packet including a user identifier is received. The user identifier identifies a user of a second computing device being monitored by the first computing device. Authentication data is parsed from the authentication packet. A peer group identifier is determined that identifies a peer group to which the user is assigned. Members of the peer group are identified based on an expected network activity behavior. The authentication data and the peer group identifier are buffered into a first event block object and into a second event block object. The first event block object is sent to a first source window of an event stream processing engine (ESPE) that processes a netflow packet. The second event block object is sent to a second source window of the ESPE that processes the authentication packet. The first source window and the second source window are different source windows of the ESPE.

Abstract: An authentication packet including a user identifier is received. The user identifier identifies a user of a second computing device being monitored by the first computing device. Authentication data is parsed from the authentication packet. A peer group identifier is determined that identifies a peer group to which the user is assigned. Members of the peer group are identified based on an expected network activity behavior. The authentication data and the peer group identifier are buffered into a first event block object and into a second event block object. The first event block object is sent to a first source window of an event stream processing engine (ESPE) that processes a netflow packet. The second event block object is sent to a second source window of the ESPE that processes the authentication packet. The first source window and the second source window are different source windows of the ESPE.

Abstract: A computing device computes a risk score for a user using a device based on a peer group identifier. Network activity measures characterize use of the device by the user. For each unique peer group identifier included in netflow records, a mean value is computed of each network activity measure. For each unique IP address and user identifier combination included in the netflow records, the mean value of each network activity measure is selected for a peer group identifier of the user; a risk score is computed by comparing each network activity measure for the unique IP address and user identifier combination to the selected mean value for the respective network activity measure; and when the risk score exceeds a predefined alert threshold, a high risk alert indicator is set indicating that the device is being used in an anomalous manner relative to other devices monitored by the computing device.

Abstract: A computing device generates a simulated attack for testing a cybersecurity system. A user of a networked system of computers is selected. A user definition defines a normal network usage behavior of the selected user. A current simulation time is initialized. Netflow data is generated and written to an output file for the selected user based on a profile definition of the selected user until a user simulation is complete. The profile definition is selected based on the current simulation time. Attack netflow data is generated and written to the output file based on the selected attack until an attack simulation is complete. The written netflow data is sorted in time order. The sorted netflow data is streamed to a cybersecurity system to determine a response by the cybersecurity system to the streamed data.

Abstract: A computing device generates a simulated attack for testing a cybersecurity system. A user of a networked system of computers is selected. A user definition defines a normal network usage behavior of the selected user. A current simulation time is initialized. Netflow data is generated and written to an output file for the selected user based on a profile definition of the selected user until a user simulation is complete. The profile definition is selected based on the current simulation time. Attack netflow data is generated and written to the output file based on the selected attack until an attack simulation is complete. The written netflow data is sorted in time order. The sorted netflow data is streamed to a cybersecurity system to determine a response by the cybersecurity system to the streamed data.

Abstract: A computing device computes a risk score for a user using a device based on a peer group identifier. Network activity measures characterize use of the device by the user. For each unique peer group identifier included in netflow records, a mean value is computed of each network activity measure. For each unique IP address and user identifier combination included in the netflow records, the mean value of each network activity measure is selected for a peer group identifier of the user; a risk score is computed by comparing each network activity measure for the unique IP address and user identifier combination to the selected mean value for the respective network activity measure; and when the risk score exceeds a predefined alert threshold, a high risk alert indicator is set indicating that the device is being used in an anomalous manner relative to other devices monitored by the computing device.