Abstract: A method of constructing a set of motifs for use in detecting messages of interest in a network of nodes is provided, the method comprising controlling circuitry to: acquire target data, the target data comprising a set of messages which have been exchanged between nodes in the network, the set of messages including a number of messages of interest; acquire control data, the control data comprising a set of messages which have been produced based on a random exchange of messages between nodes in the network; detect motifs within the target data and the control data, each motif being a repeated pattern of messages appearing within either the target data and/or the control data; generate a set of values indicative of a significance of the motifs which have been detected in the target data and the motifs which have been detected in the control data using a frequency with which these motifs have been detected; and construct a set of motifs for use in detecting messages of interest in the network using the set of

Abstract: The present disclosure concerns a computer-implemented method for reconstructing a dataset after detection of a network security threat in a network. The method comprises: determining a maximum flow for returning data associated with the network security threat to a source dataset via each of a plurality of paths through which the data has passed from the source dataset to the destination dataset; starting from the destination dataset, determining the data to be transferred to each dataset in the plurality of paths between the destination dataset and the one or more source datasets such that the data can be returned to the one or more source datasets, the data transferred in each path not exceeding the determined maximum flow for the path; adding the details of the determined amount of data to be transferred to a forensic report; and outputting the forensic report.

Abstract: The present disclosure concerns a computer-implemented method for reconstructing a dataset after detection of a network security threat in a network. The method comprises: determining a maximum flow for returning data associated with the network security threat to a source dataset via each of a plurality of paths through which the data has passed from the source dataset to the destination dataset; starting from the destination dataset, determining the data to be transferred to each dataset in the plurality of paths between the destination dataset and the one or more source datasets such that the data can be returned to the one or more source datasets, the data transferred in each path not exceeding the determined maximum flow for the path; adding the details of the determined amount of data to be transferred to a forensic report; and outputting the forensic report.

Abstract: The present disclosure concerns a computer-implemented method for reconstructing a dataset after detection of a network security threat in a network. The method comprises: determining a maximum flow for returning data associated with the network security threat to a source dataset via each of a plurality of paths through which the data has passed from the source dataset to the destination dataset; starting from the destination dataset, determining the data to be transferred to each dataset in the plurality of paths between the destination dataset and the one or more source datasets such that the data can be returned to the one or more source datasets, the data transferred in each path not exceeding the determined maximum flow for the path; adding the details of the determined amount of data to be transferred to a forensic report; and outputting the forensic report.

Abstract: The present disclosure concerns a computer-implemented method for forensically analysing and determining a network associated with a network security threat. The method comprises: obtaining details of a flagged network event comprising data associated with a network security threat, the network event being between a first dataset and a destination dataset; tracing the data associated with the network security threat from the first dataset to a further dataset, the tracing involving obtaining details of at least one past network event between the first dataset and the further dataset; comparing details of the further dataset to predefined criteria to identify whether the further dataset is an intermediate dataset or a source dataset from which the data originated and adding the details of the further dataset to a forensic report; outputting the forensic report.

Abstract: A computer-implemented method for training a machine learning model to identify one or more network events associated with a network and representing a network security threat, the one or more network events being within a population comprising a plurality of network events, the method comprising: obtaining a dataset comprising data representative of the plurality of network events; defining a machine learning model associated with a type of network event and having an associated first feature vector; generating a training dataset comprising a fraction of the dataset, the fraction associated with network events corresponding to the type of network event; and training the machine learning model using the training dataset to produce a trained machine learning model.

Abstract: A data processing method comprising: recording a plurality of electronic value transfers occurring between a plurality of parties; performing an optimisation process on a matrix indicative of a value of each of net electronic value transfers between each of the parties, wherein the matrix is indicative of a relationship between a first electronic store of value held by each of the parties before execution of the net electronic value transfers and a second electronic store of value held by each of the parties after execution of the net electronic value transfers, and the optimisation process comprises selecting a portion of the electronic value transfers for determining the net electronic value transfers indicated by the matrix so as to minimise a difference between the first and second electronic stores of value held by each of the parties; and outputting the selected portion of the electronic value transfers for processing.