Patents by Inventor Paul Coccoli

Paul Coccoli has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240143745
    Abstract: A computer-implemented method includes receiving CTI from a data source during a search of a system, and capturing the CTI in a STIX bundle. The method includes invoking an analytic pipeline on the STIX bundle that includes applying a classification model on the STIX bundle to classify features from the CTI and applying a clustering model on the STIX bundle to identify a cluster of features from the CTI. The output of the analytic pipeline is analyzed to identify suspicious features that include a combination of the classified features and the cluster of features. The suspicious features are annotated thereby highlighting risk and threat, and attack techniques are identified using existing domain expertise encoded as heuristics to provide additional machine learning features.
    Type: Application
    Filed: October 28, 2022
    Publication date: May 2, 2024
    Inventors: Sulakshan Vajipayajula, Jason David Keirstead, Paul Coccoli
  • Publication number: 20240022578
    Abstract: A computer-implemented method according to one embodiment includes causing a search to be performed for data on at least one security endpoint and organizing information about the performed search into steps and variables. Security analytics are run on a dataset provided from the performed search, and based on results of the analytics, a response is invoked to protect a system that interacts with the analyzed dataset. A computer program product according to another embodiment includes a computer readable storage medium having program instructions embodied therewith. The program instructions are readable and/or executable by a computer to cause the computer to perform the foregoing method. A system according to another embodiment includes a processor, and logic integrated with the processor, executable by the processor, or integrated with and executable by the processor. The logic is configured to perform the foregoing method.
    Type: Application
    Filed: July 13, 2022
    Publication date: January 18, 2024
    Inventors: Sulakshan Vajipayajula, Paul Coccoli, Xiaokui Shu
  • Patent number: 11522880
    Abstract: A method, system, and computer-usable medium for analyzing security data formatted in STIX™ format. Data related to actions performed by one or more users is captured. Individual tasks, such as analytics or extract, transform, load (ETL) tasks related to the captured data are created. Individual tasks are registered to a workflow for executing particular security threat or incident analysis. The workflow is executed and visualized to perform the security threat or incident analysis.
    Type: Grant
    Filed: July 9, 2020
    Date of Patent: December 6, 2022
    Assignee: International Business Machines Corporation
    Inventors: Sulakshan Vajipayajula, Paul Coccoli, James Brent Peterson, Michael Vu Le, Ian Michael Molloy
  • Publication number: 20220014531
    Abstract: A method, system, and computer-usable medium for analyzing security data formatted in STIX™ format. Data related to actions performed by one or more users is captured. Individual tasks, such as analytics or extract, transform, load (ETL) tasks related to the captured data are created. Individual tasks are registered to a workflow for executing particular security threat or incident analysis. The workflow is executed and visualized to perform the security threat or incident analysis.
    Type: Application
    Filed: July 9, 2020
    Publication date: January 13, 2022
    Inventors: Sulakshan Vajipayajula, Paul Coccoli, James Brent Peterson, Michael Vu Le, Ian Michael Molloy
  • Patent number: 10742499
    Abstract: A computer program product and a computer system for distributed dynamic sizing and load self-management for a relay infrastructure. Program instructions are executable to initiate, by the non-leaving relay in a relay infrastructure, an expansion process, in response to determining that a current load level reaches an expansion level and in response to determining that an overload condition of the relay infrastructure is satisfied; send to a server, by the non-leaving relay, an expansion message, in response to initiating the expansion process; send to the server, by the non-leaving relay, local statistics of endpoints of the non-leaving relay; shift, by the non-leaving relay, one or more endpoints of the non-leaving relay to a first new relay, in response to the server selecting from the endpoints an endpoint and converting the endpoint to the first new relay.
    Type: Grant
    Filed: June 10, 2019
    Date of Patent: August 11, 2020
    Assignee: International Business Machines Corporation
    Inventors: Paul Coccoli, Bradford A. Fisher, Nathan P. Frith, Jian Lin
  • Patent number: 10708348
    Abstract: Methods and systems for high-availability data processing include detecting, at a first data processing system, a change in link state between the first data processing system and a second data processing system. A link state between the first data processing system and a third data processing system is changed responsive to the detection in accordance with a first high availability policy stored at the first data processing system. An identifier of the first data processing system is changed in accordance with the first high availability policy to conform to a second high availability policy stored at the first data processing system. The detection, change of the link state, and change of the identifier are repeated in accordance with the second high availability policy.
    Type: Grant
    Filed: August 15, 2016
    Date of Patent: July 7, 2020
    Assignee: International Business Machines Corporation
    Inventors: Paul Coccoli, Gregory L. Galloway, Cheng-Ta Lee, Wei-Shiau Suen, Ming-Hsun Wu
  • Publication number: 20190327347
    Abstract: A network appliance is configured to provide inline traffic inspection for all flow through the device, to selectively intercept based on traffic content or policy, and to modify intercepted traffic content, all without connection termination and re-origination. Content modification may involve substitution of traffic content with smaller or larger content, in which case the device provides appropriate sequence number translations for acknowledgements to the endpoints. This streaming rewrite may occur on a byte-at-a-time basis, while keeping the session alive and without a need to proxy it. The appliance enables transmitted TCP data to be modified inline and then reliably delivered without the overhead of forwarding packets through a full-blown TCP stack. Rather, the approach relies upon an initiator entity's TCP stack for congestion control, as well as the receiving entity's re-transmission behavior to determine how the device manages packets internally.
    Type: Application
    Filed: July 1, 2019
    Publication date: October 24, 2019
    Applicant: International Business Machines Corporation
    Inventors: Gregory Lyle Galloway, Paul Coccoli, David Allen Dennerline, Steven Ashley Mazur
  • Publication number: 20190296975
    Abstract: A computer program product and a computer system for distributed dynamic sizing and load self-management for a relay infrastructure. Program instructions are executable to initiate, by the non-leaving relay in a relay infrastructure, an expansion process, in response to determining that a current load level reaches an expansion level and in response to determining that an overload condition of the relay infrastructure is satisfied; send to a server, by the non-leaving relay, an expansion message, in response to initiating the expansion process; send to the server, by the non-leaving relay, local statistics of endpoints of the non-leaving relay; shift, by the non-leaving relay, one or more endpoints of the non-leaving relay to a first new relay, in response to the server selecting from the endpoints an endpoint and converting the endpoint to the first new relay.
    Type: Application
    Filed: June 10, 2019
    Publication date: September 26, 2019
    Inventors: Paul Coccoli, Bradford A. Fisher, Nathan P. Frith, Jian Lin
  • Patent number: 10397054
    Abstract: Methods for distributed dynamic sizing and load self-management for a relay infrastructure. In one method, a relay in a relay infrastructure determines whether a current load level of the relay reaches an expansion level of the relay and whether an overload condition of the relay infrastructure is satisfied, and the relay initiates an expansion process in response to the determination. In another method, a relay in a relay infrastructure determines whether in response to determining that an underload condition of the relay infrastructure is satisfied, and the relay initiates a contraction process in response to the determination. In yet another method, a relay in a relay infrastructure determines whether a tolerance-load condition of the relay infrastructure is satisfied, and the relay initiates a load self-management process in response to the determination.
    Type: Grant
    Filed: October 26, 2017
    Date of Patent: August 27, 2019
    Assignee: International Business Machines Corporation
    Inventors: Paul Coccoli, Bradford A. Fisher, Nathan P. Frith, Jian Lin
  • Patent number: 10382591
    Abstract: A network appliance is configured to provide inline traffic inspection for all flow through the device, to selectively intercept based on traffic content or policy, and to modify intercepted traffic content, all without connection termination and re-origination. Content modification may involve substitution of traffic content with smaller or larger content, in which case the device provides appropriate sequence number translations for acknowledgements to the endpoints. This streaming rewrite may occur on a byte-at-a-time basis, while keeping the session alive and without a need to proxy it. The appliance enables transmitted TCP data to be modified inline and then reliably delivered without the overhead of forwarding packets through a full-blown TCP stack. Rather, the approach relies upon an initiator entity's TCP stack for congestion control, as well as the receiving entity's re-transmission behavior to determine how the device manages packets internally.
    Type: Grant
    Filed: October 13, 2014
    Date of Patent: August 13, 2019
    Assignee: International Business Machines Corporation
    Inventors: Gregory Lyle Galloway, Paul Coccoli, Jr., David Allen Dennerline, Steven Ashley Mazur
  • Publication number: 20190132201
    Abstract: Methods for distributed dynamic sizing and load self-management for a relay infrastructure. In one method, a relay in a relay infrastructure determines whether a current load level of the relay reaches an expansion level of the relay and whether an overload condition of the relay infrastructure is satisfied, and the relay initiates an expansion process in response to the determination. In another method, a relay in a relay infrastructure determines whether in response to determining that an underload condition of the relay infrastructure is satisfied, and the relay initiates a contraction process in response to the determination. In yet another method, a relay in a relay infrastructure determines whether a tolerance-load condition of the relay infrastructure is satisfied, and the relay initiates a load self-management process in response to the determination.
    Type: Application
    Filed: October 26, 2017
    Publication date: May 2, 2019
    Inventors: Paul Coccoli, Bradford A. Fisher, Nathan P. Frith, Jian Lin
  • Patent number: 9961103
    Abstract: A network-based appliance includes a mechanism to intercept, decrypt and inspect secure network traffic flowing over SSL/TLS between a client and a server. The mechanism responds to detection of a session initiation request message from the client, the message being received following establishment of a TCP connection between the client and server. The mechanism responds by holding the session initiation request message, preferably by creating a fake socket to a local process, and then diverting the request message over that socket. The TCP connection is then terminated, and the mechanism initiates a new session in initiation request message, all while the original session initiation request message continues to be held. The server responds with its server certificate, which is then used by the mechanism to generate a new server certificate. The new server certificate is then returned to the requesting client as the response to the session initiation request message.
    Type: Grant
    Filed: October 28, 2014
    Date of Patent: May 1, 2018
    Assignee: International Business Machines Corporation
    Inventors: Ronald Becker Williams, Paul Coccoli, John William Court, Gregory Lyle Galloway, Matthew Joseph Kubilus, Steven Ashley Mazur, Joseph Karl Vossen
  • Publication number: 20180048546
    Abstract: Methods and systems for high-availability data processing include detecting, at a first data processing system, a change in link state between the first data processing system and a second data processing system. A link state between the first data processing system and a third data processing system is changed responsive to the detection in accordance with a first high availability policy stored at the first data processing system. An identifier of the first data processing system is changed in accordance with the first high availability policy to conform to a second high availability policy stored at the first data processing system. The detection, change of the link state, and change of the identifier are repeated in accordance with the second high availability policy.
    Type: Application
    Filed: August 15, 2016
    Publication date: February 15, 2018
    Inventors: Paul Coccoli, Gregory L. Galloway, Cheng-Ta Lee, Wei-Shiau Suen, Ming-Hsun Wu
  • Publication number: 20160119374
    Abstract: A network-based appliance includes a mechanism to intercept, decrypt and inspect secure network traffic flowing over SSL/TLS between a client and a server. The mechanism responds to detection of a session initiation request message from the client, the message being received following establishment of a TCP connection between the client and server. The mechanism responds by holding the session initiation request message, preferably by creating a fake socket to a local process, and then diverting the request message over that socket. The TCP connection is then terminated, and the mechanism initiates a new session in initiation request message, all while the original session initiation request message continues to be held. The server responds with its server certificate, which is then used by the mechanism to generate a new server certificate. The new server certificate is then returned to the requesting client as the response to the session initiation request message.
    Type: Application
    Filed: October 28, 2014
    Publication date: April 28, 2016
    Inventors: Ronald Becker Williams, Paul Coccoli, John William Court, Gregory Lyle Galloway, Matthew Joseph Kubilus, Steven Ashley Mazur, Joseph Karl Vossen
  • Publication number: 20160105469
    Abstract: A network appliance is configured to provide inline traffic inspection for all flow through the device, to selectively intercept based on traffic content or policy, and to modify intercepted traffic content, all without connection termination and re-origination. Content modification may involve substitution of traffic content with smaller or larger content, in which case the device provides appropriate sequence number translations for acknowledgements to the endpoints. This streaming rewrite may occur on a byte-at-a-time basis, while keeping the session alive and without a need to proxy it. The appliance enables transmitted TCP data to be modified inline and then reliably delivered without the overhead of forwarding packets through a full-blown TCP stack. Rather, the approach relies upon an initiator entity's TCP stack for congestion control, as well as the receiving entity's re-transmission behavior to determine how the device manages packets internally.
    Type: Application
    Filed: October 13, 2014
    Publication date: April 14, 2016
    Inventors: Gregory Lyle Galloway, Paul Coccoli, Jr., David Allen Dennerline, Steven Ashley Mazur
  • Patent number: 7177295
    Abstract: Method for selecting a route within a wireless ad-hoc routing protocol using a QoS metric. The method begins by dynamically defining a routing zone that encompasses at least two of the network nodes. A communications link is established between the source node and a destination node. If the destination node is within the routing zone of the source node, the route is determined by a proactive routing protocol. If, however, the destination node is outside the routing zone, the route is determined using a reactive routing protocol. A QoS metric for each route is calculated by combining the individual QoS metrics for each hop within the particular route. Finally, the route with the best QoS metric is selected to use as the communications link between the source node and the destination node.
    Type: Grant
    Filed: March 8, 2002
    Date of Patent: February 13, 2007
    Assignee: Scientific Research Corporation
    Inventors: Peter Sholander, Tracey Oakes, Paul Coccoli