Patents by Inventor Pavel V. Filonov

Pavel V. Filonov has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230244731
    Abstract: Disclosed herein are systems and methods for training a model to identify a user to a predetermined degree of reliability. In one aspect, an exemplary method comprises, parameterizing gathered data on behavior of a user in a form of a first vector, deriving a second vector from the first vector by removing noise and low-priority information from the first vector, providing the second vector to a training algorithm, and generating a trained model for the user, the generated trained model being different for each user such that only the trained model generated for the user satisfies the predetermined degree of reliability.
    Type: Application
    Filed: April 3, 2023
    Publication date: August 3, 2023
    Inventors: Andrey A. Efremov, Pavel V. Filonov
  • Patent number: 11645346
    Abstract: Disclosed herein are systems and methods for generating individual content for a user of a service. In one aspect, an exemplary method comprises, gathering data on behavior of a user of a computing device, training a model of a user behavior based on the gathered data, wherein the trained data identifies the user to a predetermined degree of reliability, and generating an individual content for the user of the service based on a predetermined service environment in accordance with a trained model received from a model transmitter.
    Type: Grant
    Filed: May 24, 2020
    Date of Patent: May 9, 2023
    Assignee: AO Kaspersky Lab
    Inventors: Andrey A. Efremov, Pavel V. Filonov
  • Patent number: 11611572
    Abstract: A method for processing information security events of a computer system includes receiving information related to a plurality of information security events that occurred in the computer system. Each of the events includes an event related to a possible violation of information security of the computer system. A verdict is determined for each of the events. The verdict includes: i) information security incident or ii) false positive. The verdict is false positive if the probability of a false positive for the corresponding event is greater than a first threshold. Verdicts are changed for a subset of the events from the false positive to the information security incident. A number of events in the subset is lower than a second threshold. An analysis of the events having a verdict of the information security incident is performed to determine if the computer system is under a cyberattack.
    Type: Grant
    Filed: November 13, 2020
    Date of Patent: March 21, 2023
    Assignee: AO Kaspersky Lab
    Inventors: Pavel V. Filonov, Sergey V. Soldatov, Daniil A. Udimov
  • Patent number: 11556670
    Abstract: Disclosed herein are systems and methods for granting access to data of a user. In one aspect, an exemplary method comprises, blocking the processing of data of a user, transferring the data of the user to a storage device, receiving a request for data processing from a collected data processor of a device, redirecting the received request to the storage device, determining, by the storage device, data access rights for the collected data processor of the device from which the request for data processing is received in accordance with data access rights established by a data access rights manager, and providing access to the data in accordance with the determined data access rights.
    Type: Grant
    Filed: March 17, 2021
    Date of Patent: January 17, 2023
    Assignee: AO Kaspersky Lab
    Inventors: Andrey A. Efremov, Dmitry V. Shmoylov, Pavel V. Filonov, Dmitry G. Ivanov
  • Patent number: 11522916
    Abstract: A method for defending a network of electronic devices from cyberattacks includes obtaining information about a plurality of devices and information about communication links between the plurality of devices and surrounding environment and determining types of the communication links using heuristic rules. The types of communication links are compared using corresponding link profiles. One or more similar communication links are identified based on the comparison. A cluster of devices is generated by combining a subset of the plurality of devices. The cluster includes one or more devices having one or more similar communication links. A surrounding environment profile is generated for the generated cluster of devices. When a cyberattack is detected on one of the devices in the cluster, the surrounding environment profile is modified for the cluster of devices in order to defend all devices in the cluster from the cyberattack.
    Type: Grant
    Filed: June 2, 2020
    Date of Patent: December 6, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Dmitry G. Ivanov, Andrey V. Ladikov, Pavel V. Filonov
  • Patent number: 11494252
    Abstract: Systems and methods for determining a source of anomaly in a cyber-physical system (CPS). A forecasting tool can obtain a plurality of CPS feature values during an input window and forecast the plurality of CPS feature values for a forecast window. An anomaly identification tool can determine a total forecast error for the plurality of CPS features in the forecast window, identify an anomaly in the cyber-physical system when the total forecast error exceeds a total error threshold, and identify at least one CPS feature as the source of the anomaly.
    Type: Grant
    Filed: June 24, 2019
    Date of Patent: November 8, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Andrey B. Lavrentyev, Artem M. Vorontsov, Pavel V. Filonov, Dmitry K. Shalyga, Vyacheslav I. Shkulev, Nikolay N. Demidov, Dmitry A. Ivanov
  • Patent number: 11399036
    Abstract: Disclosed herein are systems and methods for correlating events to detect an information security incident. A correlation module may receive a plurality of network events indicating potential security violations, wherein each network event of the plurality of network events has a respective timestamp. The correlation module may identify, from the plurality of network events, a subset of network events that have occurred within a period of time, based on each respective timestamp. The correlation module may determine a plurality of potential orders of occurrence for the subset of network events. The correlation module may apply at least one correlation rule to each respective potential order of the plurality of potential orders. In response to determining that the at least one correlation rule is fulfilled, the correlation module may detect the information security incident.
    Type: Grant
    Filed: March 27, 2020
    Date of Patent: July 26, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Ivan S. Lyukshin, Andrey A. Kiryukhin, Dmitry S. Lukiyan, Pavel V. Filonov
  • Patent number: 11388196
    Abstract: A method for analyzing relationships between clusters of devices includes selecting a first device from a first cluster of devices and selecting a second device from a second cluster of devices. Information related to a first communication link associated with the first device and information related to a second communication link associated with the second device is obtained. A similarity metric is computed based on the obtained information. The similarity metric represents a similarity between the first communication link and the second communication link associated with the second device. A relationship between the first and second clusters is determined using the computed similarity metric. When a cyberattack is detected on the devices in the first cluster or the second cluster, protection of all devices in the first cluster and the second cluster is modified based on the determined relationship in order to defend the respective clusters from the cyberattack.
    Type: Grant
    Filed: June 1, 2020
    Date of Patent: July 12, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Dmitry G. Ivanov, Andrey V. Ladikov, Pavel V. Filonov
  • Publication number: 20220094531
    Abstract: Disclosed herein are systems and methods for granting a user data processor access to a cryptocontainer of user data. In one aspect, an exemplary method comprises, creating a cryptocontainer for user's data, wherein the cryptocontainer receives at least one element of the user's data and encrypts the element; for the user data processor, establishing rights for accessing the element using a first key, and forming at least one access structure, the forming including, placing the first key in the access structure based on the established rights, receiving, from the user data processor, a second key linked to the user data processor which is to be used for accessing the first key, and encrypting the first key with the second key; and when a request for access to the cryptocontainer is received, granting, to the user data processor, access to the cryptocontainer based on the formed at least one access structure.
    Type: Application
    Filed: June 1, 2021
    Publication date: March 24, 2022
    Inventors: Sergey V. Kozlov, Andrey A. Efremov, Dmitry V. Shmoylov, Pavel V. Filonov, Dmitry G. Ivanov
  • Publication number: 20220092218
    Abstract: Disclosed herein are systems and methods for granting access to data of a user. In one aspect, an exemplary method comprises, blocking the processing of data of a user, transferring the data of the user to a storage device, receiving a request for data processing from a collected data processor of a device, redirecting the received request to the storage device, determining, by the storage device, data access rights for the collected data processor of the device from which the request for data processing is received in accordance with data access rights established by a data access rights manager, and providing access to the data in accordance with the determined data access rights.
    Type: Application
    Filed: March 17, 2021
    Publication date: March 24, 2022
    Inventors: Andrey A. Efremov, Dmitry V. Shmoylov, Pavel V. Filonov, Dmitry G. Ivanov
  • Publication number: 20210400058
    Abstract: A method for processing information security events of a computer system includes receiving information related to a plurality of information security events that occurred in the computer system. Each of the events includes an event related to a possible violation of information security of the computer system. A verdict is determined for each of the events. The verdict includes: i) information security incident or ii) false positive. The verdict is false positive if the probability of a false positive for the corresponding event is greater than a first threshold. Verdicts are changed for a subset of the events from the false positive to the information security incident. A number of events in the subset is lower than a second threshold. An analysis of the events having a verdict of the information security incident is performed to determine if the computer system is under a cyberattack.
    Type: Application
    Filed: November 13, 2020
    Publication date: December 23, 2021
    Inventors: Pavel V. Filonov, Sergey V. Soldatov, Daniil A. Udimov
  • Publication number: 20210397981
    Abstract: Disclosed herein are systems and methods for selection of a model to describe a user. In one aspect, an exemplary method comprises, creating data on preferences of the user based on previously gathered data on usage of a computing device by the user and a base model that describes the user, wherein the base model is previously selected from a database of models including a plurality of models, determining an accuracy of the data created on the preferences of the user, wherein the determination is based on observed behaviors of the user, when the accuracy of the data is determined as being less than a predetermined threshold value, selecting a correcting model related to the base model, and retraining the base model, and when the accuracy of the data is determined as being greater than or equal to the predetermined threshold value, selecting the base model to describe the user.
    Type: Application
    Filed: December 14, 2020
    Publication date: December 23, 2021
    Inventors: Andrey A. Efremov, Pavel V. Filonov
  • Patent number: 11175976
    Abstract: The present disclosure provides systems and methods of early determination of anomalies using a graphical user interface. In one aspect such a method comprises: receiving information about one or more features of a cyber-physical system, receiving information about a period of time for monitoring the one or more features, generating a forecast of values of the one or more features of the cyber-physical system over the period of time based on a forecasting model for graphing in a graphical user interface, determining a total error of the forecast for all of the one or more features and determining an error for each of the one or more features over the period of time, determining that the error for one feature of the one or more features is greater than a predetermined threshold and identifying the one feature as a source of an anomaly in the cyber-physical system.
    Type: Grant
    Filed: June 28, 2019
    Date of Patent: November 16, 2021
    Assignee: AO Kaspersky Lab
    Inventors: Andrey B. Lavrentyev, Artem M. Vorontsov, Pavel V. Filonov, Dmitry K. Shalyga, Vyacheslav I. Shkulev, Nikolay N. Demidov, Dmitry A. Ivanov
  • Publication number: 20210157868
    Abstract: Disclosed herein are systems and methods for generating individual content for a user of a service. In one aspect, an exemplary method comprises, gathering data on behavior of a user of a computing device, training a model of a user behavior based on the gathered data, wherein the trained data identifies the user to a predetermined degree of reliability, and generating an individual content for the user of the service based on a predetermined service environment in accordance with a trained model received from a model transmitter.
    Type: Application
    Filed: May 24, 2020
    Publication date: May 27, 2021
    Inventors: Andrey A. Efremov, Pavel V. Filonov
  • Publication number: 20210099480
    Abstract: A method for analyzing relationships between clusters of devices includes selecting a first device from a first cluster of devices and selecting a second device from a second cluster of devices. Information related to a first communication link associated with the first device and information related to a second communication link associated with the second device is obtained. A similarity metric is computed based on the obtained information. The similarity metric represents a similarity between the first communication link and the second communication link associated with the second device. A relationship between the first and second clusters is determined using the computed similarity metric. When a cyberattack is detected on the devices in the first cluster or the second cluster, protection of all devices in the first cluster and the second cluster is modified based on the determined relationship in order to defend the respective clusters from the cyberattack.
    Type: Application
    Filed: June 1, 2020
    Publication date: April 1, 2021
    Inventors: Dmitry G. Ivanov, Andrey V. Ladikov, Pavel V. Filonov
  • Publication number: 20210099489
    Abstract: A method for defending a network of electronic devices from cyberattacks includes obtaining information about a plurality of devices and information about communication links between the plurality of devices and surrounding environment and determining types of the communication links using heuristic rules. The types of communication links are compared using corresponding link profiles. One or more similar communication links are identified based on the comparison. A cluster of devices is generated by combining a subset of the plurality of devices. The cluster includes one or more devices having one or more similar communication links. A surrounding environment profile is generated for the generated cluster of devices. When a cyberattack is detected on one of the devices in the cluster, the surrounding environment profile is modified for the cluster of devices in order to defend all devices in the cluster from the cyberattack.
    Type: Application
    Filed: June 2, 2020
    Publication date: April 1, 2021
    Inventors: Dmitry G. Ivanov, Andrey V. Ladikov, Pavel V. Filonov
  • Publication number: 20210021613
    Abstract: Disclosed herein are systems and methods for correlating events to detect an information security incident. A correlation module may receive a plurality of network events indicating potential security violations, wherein each network event of the plurality of network events has a respective timestamp. The correlation module may identify, from the plurality of network events, a subset of network events that have occurred within a period of time, based on each respective timestamp. The correlation module may determine a plurality of potential orders of occurrence for the subset of network events. The correlation module may apply at least one correlation rule to each respective potential order of the plurality of potential orders. In response to determining that the at least one correlation rule is fulfilled, the correlation module may detect the information security incident.
    Type: Application
    Filed: March 27, 2020
    Publication date: January 21, 2021
    Inventors: Ivan S. Lyukshin, Andrey A. Kiryukhin, Dmitry S. Lukiyan, Pavel V. Filonov
  • Publication number: 20200210263
    Abstract: Systems and methods for determining a source of anomaly in a cyber-physical system (CPS). A forecasting tool can obtain a plurality of CPS feature values during an input window and forecast the plurality of CPS feature values for a forecast window. An anomaly identification tool can determine a total forecast error for the plurality of CPS features in the forecast window, identify an anomaly in the cyber-physical system when the total forecast error exceeds a total error threshold, and identify at least one CPS feature as the source of the anomaly.
    Type: Application
    Filed: June 24, 2019
    Publication date: July 2, 2020
    Inventors: Andrey B. Lavrentyev, Artem M. Vorontsov, Pavel V. Filonov, Dmitry K. Shalyga, Vyacheslav I. Shkulev, Nikolay N. Demidov, Dmitry A. Ivanov
  • Publication number: 20200210264
    Abstract: The present disclosure provides systems and methods of early determination of anomalies using a graphical user interface. In one aspect such a method comprises: receiving information about one or more features of a cyber-physical system, receiving information about a period of time for monitoring the one or more features, generating a forecast of values of the one or more features of the cyber-physical system over the period of time based on a forecasting model for graphing in a graphical user interface, determining a total error of the forecast for all of the one or more features and determining an error for each of the one or more features over the period of time, determining that the error for one feature of the one or more features is greater than a predetermined threshold and identifying the one feature as a source of an anomaly in the cyber-physical system.
    Type: Application
    Filed: June 28, 2019
    Publication date: July 2, 2020
    Inventors: Andrey B. Lavrentyev, Artem M. Vorontsov, Pavel V. Filonov, Dmitry K. Shalyga, Vyacheslav I. Shkulev, Nikolay N. Demidov, Dmitry A. Ivanov