Patents by Inventor Roy Hodgman
Roy Hodgman has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 12120136
Abstract: Various embodiments include systems and methods of anomalous data transfer detection, including determining hotspots for an asset of an organization. The hotspots correspond to one or more periods of time in which outbound data from the asset satisfies a hotspot threshold determined to be indicative of high outbound data traffic activity. A subset of data that does not correspond to the hotspots is filtered out from the outbound data. The remaining data corresponds to a hotspot dataset associated with the hotspots. The hotspot dataset may be utilized to detect anomalous data transfer activity associated with the asset. Detecting the anomalous data transfer activity includes computing one or more statistics on the hotspot dataset. Responsive to detecting the anomalous data transfer activity, an alert associated with the asset may be generated.
Type: Grant
Filed: January 18, 2022
Date of Patent: October 15, 2024
Assignee: Rapid7, Inc.
Inventors: Vasudha Shivamoggi, Roy Hodgman
-
Patent number: 12101342
Abstract: Disclosed herein are methods, systems, and processes for detecting data exfiltration. A data exfiltration event in a network is detected. Traffic data regarding outgoing traffic of a source in the network associated with the data exfiltration event is received. A logarithmic transformation is applied to the traffic data to generate transformed data. An outlier identification technique is selected based on the transformed data and is executed on the transformed data to determine that the outgoing traffic is indicative of the data exfiltration event. An alert is generated in response to the determination that the outgoing traffic is indicative of the data exfiltration event.
Type: Grant
Filed: June 2, 2021
Date of Patent: September 24, 2024
Assignee: Rapid7, Inc.
Inventors: Dustin Myers, Vasudha Shivamoggi, Roy Hodgman
-
Patent number: 12081575
Abstract: Systems and methods are disclosed to implement a cyberattack detection system that monitors a computer network for suspected lateral movement. In embodiments, the system employs multiple machine learning models to analyze connection data of a network to identify anomalies in the network's connection behavior. The models are updated incrementally using online machine learning methods that can be performed in constant time and memory. In embodiments, the system uses an incremental matrix factorization model and a connection count fitting model to generate anomaly scores for each connection. Connection paths are constructed for acyclic sequences of time-ordered connections observed in the stream. The paths are evaluated based on the anomaly scores of their individual connections. Paths that meet a detection criterion are reported to analysts for further review.
Type: Grant
Filed: February 9, 2023
Date of Patent: September 3, 2024
Assignee: Rapid7, Inc.
Inventors: Raphaelle Delpont, Gabrielle Rappaport, Roy Hodgman
-
Patent number: 11930108
Abstract: Various embodiments include systems and methods to implement a password requirement conformity check. During a password reset process, a proposed password is received. A homomorphic encryption operation may be performed on the proposed password to generate a first character string. The first character string may be compared to a previous character string associated with a previous password to determine a password similarity metric. The password similarity metric may or may not satisfy at least a distance threshold. Responsive to determining that the password similarity metric does not satisfy the distance threshold, there may be a rejection of the proposed password and a prompt to receive an alternative proposed password during the password reset process.
Type: Grant
Filed: February 8, 2022
Date of Patent: March 12, 2024
Assignee: Rapid7, Inc.
Inventors: Roy Hodgman, Vasudha Shivamoggi
-
Patent number: 11853432
Abstract: Methods and systems for assessing a vulnerability of a network device. The systems and methods described herein combine data regarding locally discovered vulnerabilities and exposed services with data regarding what executables are provided by software installed on the network device.
Type: Grant
Filed: August 2, 2021
Date of Patent: December 26, 2023
Assignee: Rapid7, Inc.
Inventors: Roy Hodgman, Jonathan Hart
-
Patent number: 11856017
Abstract: Approaches provide for securing an electronic environment. A threat analysis service can obtain data for devices, users, and threats from disparate sources and can correlate users to devices and threats to build an understanding of an electronic environment's operational, organizational, and security concerns in order to provide customized security strategies and remediations. Additionally, the threat analysis service can develop a model of an electronic environment's behavior by monitoring and analyzing various data from the data sources. The model can be updated such that the threat analysis service can tailor its orchestration to complement existing operational processes.
Type: Grant
Filed: February 17, 2022
Date of Patent: December 26, 2023
Assignee: Rapid7, Inc.
Inventors: Roy Hodgman, Kwan Lin, Vasudha Shivamoggi
-
Patent number: 11811812
Abstract: Methods and systems for classifying network users. The system may receive a classification of a user account on a network and network activity data associated with the user account. Upon detecting a discrepancy between the expected behavior of the user account based on its classification and the present behavior of the user account, the system may obtain a corroborating result from one or more directory sources. An alert may then be issued based on the detected discrepancy and the corroborating result.
Type: Grant
Filed: December 1, 2021
Date of Patent: November 7, 2023
Assignee: Rapid7, Inc.
Inventor: Roy Hodgman
-
Patent number: 11783047
Abstract: Systems and methods for determining an extent of a vulnerability on a computer and remediating the vulnerability. An installed resource set comprising shared software resources installed on the computer is enumerated. A vulnerable resource is identified in the installed resource set. A vulnerable process set including at least one vulnerable process that uses the vulnerable resource is enumerated. And, the vulnerable process is remediated.
Type: Grant
Filed: June 30, 2020
Date of Patent: October 10, 2023
Assignee: Rapid7, Inc.
Inventors: Roy Hodgman, Jonathan Hart
-
Patent number: 11741132
Abstract: Disclosed herein are methods, systems, and processes to detect valid clusters and eliminate spurious clusters in cybersecurity-based computing environments. A cluster detection and elimination model is trained by accessing a dataset with raw data that includes data points associated with computing devices in a network and applying two or more different clustering methodologies independently to the dataset. The resulting cluster detection and elimination model is used to compare two or more clusters to determine whether a cluster from one clustering methodology matches another cluster from another clustering methodology based on centroid locations and shared data points.
Type: Grant
Filed: August 24, 2021
Date of Patent: August 29, 2023
Assignee: Rapid7, Inc.
Inventors: Vasudha Shivamoggi, Roy Hodgman, Wah-Kwan Lin
-
Patent number: 11700276
Abstract: Methods and systems for monitoring activity on a network. The systems may include a host computer executing a non-honeypot service. The host computer may also include a control module configured to enable or disable a honeypot service on the host computer in response to at least one of computational resource availability and configured tolerance for degraded service.
Type: Grant
Filed: September 28, 2020
Date of Patent: July 11, 2023
Assignee: Rapid7, Inc.
Inventors: Roy Hodgman, Derek Abdine
-
Patent number: 11689554
Abstract: Methods and systems for identifying a network vulnerability. The system may gather data regarding a new or previously unknown network device, and compare the gathered data to one or more known devices that are scanned by a vulnerability assessment device. The vulnerability assessment device may then scan the previously unknown device upon a processor determining the previously unknown device shares at least one feature with a known device that is scanned.
Type: Grant
Filed: August 2, 2021
Date of Patent: June 27, 2023
Assignee: Rapid7, Inc.
Inventors: Justin Pagano, Roy Hodgman
-
Patent number: 11687569
Abstract: Disclosed herein are methods, systems, and processes to optimize role level identification for computing resource allocation to perform security operations in networked computing environments. A role level classifier to process a training dataset that corresponds to a clean title is generated from a subset of entities associated with the clean title. An initial effective title determined by the role level classifier based on processing the training dataset is assigned to an entity. A new effective title based on feature differences between the initial effective title and the clean title is re-assigned to the entity. Performance of the generating, the assigning, and the re-assigning is repeated using the new effective title instead of the clean title.
Type: Grant
Filed: March 9, 2022
Date of Patent: June 27, 2023
Assignee: Rapid7, Inc.
Inventors: Vasudha Shivamoggi, Wah-Kwan Lin, Roy Hodgman
-
Patent number: 11681936
Abstract: Systems and methods are disclosed to infer, using a machine learned model, a service protocol of a server based on the banner data produced by the server. In embodiments, the machine learned model is implemented by a network scanner configured to receive banner data from open ports on servers. A received banner is parsed into a set of features, such as the counts or presence of particular characters or strings in the banner. In embodiments, certain types of banner content such as network addresses, hostnames, dates, and times, are replaced with special characters. The machine learned model is applied to the features to infer a most likely protocol of the server port that produced the banner. Advantageously, the model can be trained to perform the inference task with high accuracy and without using human-specified rules, which can be brittle for unconventional banner data and carry undesired biases.
Type: Grant
Filed: October 12, 2022
Date of Patent: June 20, 2023
Assignee: Rapid7, Inc.
Inventors: Roy Hodgman, Derek Abdine, Thomas Sellers, Prashant Subbarao
-
Publication number: 20230188554
Abstract: Systems and methods are disclosed to implement a cyberattack detection system that monitors a computer network for suspected lateral movement. In embodiments, the system employs multiple machine learning models to analyze connection data of a network to identify anomalies in the network's connection behavior. The models are updated incrementally using online machine learning methods that can be performed in constant time and memory. In embodiments, the system uses an incremental matrix factorization model and a connection count fitting model to generate anomaly scores for each connection. Connection paths are constructed for acyclic sequences of time-ordered connections observed in the stream. The paths are evaluated based on the anomaly scores of their individual connections. Paths that meet a detection criterion are reported to analysts for further review.
Type: Application
Filed: February 9, 2023
Publication date: June 15, 2023
Applicant: Rapid7, Inc.
Inventors: Raphaelle Delpont, Gabrielle Rappaport, Roy Hodgman
-
Patent number: 11595423
Abstract: Analyzing and reporting anomalous internet traffic data by accepting a request for a connection to a virtual security appliance, collecting attribute data about the connection, applying an alert module to the data, and automatically generating an alert concerning an identified incident. An alert system for analyzing and reporting the anomalous internet traffic data. A processor to analyze and report anomalous internet traffic data.
Type: Grant
Filed: May 20, 2022
Date of Patent: February 28, 2023
Assignee: Rapid7, Inc.
Inventors: Roy Hodgman, Wah-Kwan Lin, Vasudha Shivamoggi
-
Patent number: 11575709
Abstract: Disclosed herein are methods, systems, and processes for monitoring scan attempts in a network. A virtual security appliance with multiple ports is deployed in a network. One or more ports are obfuscated via the virtual security appliance to make the various ports appear to be closed. An address of the virtual security appliance within the network is modified, the several ports are adjusted to assume a predetermined profile, a network neighbor's profile is discovered and emulated, and a received connection attempt intended for the virtual security appliance is monitored.
Type: Grant
Filed: March 15, 2021
Date of Patent: February 7, 2023
Assignee: Rapid7, Inc.
Inventors: Roy Hodgman, Jeffrey D. Myers
-
Patent number: 11574236
Abstract: Disclosed herein are methods, systems, and processes to automate cluster interpretation in computing environments to develop targeted remediation security actions. To interpret clusters that are generated by a clustering methodology without subjecting clustered data to classifier-based processing, separation quantifiers that indicate a spread in feature values across clusters are determined and used to discover relative feature importances of features that drive the formation of clusters, permitting a security server to identify features that discriminate between clusters.
Type: Grant
Filed: December 10, 2018
Date of Patent: February 7, 2023
Assignee: Rapid7, Inc.
Inventors: Vasudha Shivamoggi, Roy Hodgman, Wah-Kwan Lin
-
Publication number: 20230034866
Abstract: Systems and methods are disclosed to infer, using a machine learned model, a service protocol of a server based on the banner data produced by the server. In embodiments, the machine learned model is implemented by a network scanner configured to receive banner data from open ports on servers. A received banner is parsed into a set of features, such as the counts or presence of particular characters or strings in the banner. In embodiments, certain types of banner content such as network addresses, hostnames, dates, and times, are replaced with special characters. The machine learned model is applied to the features to infer a most likely protocol of the server port that produced the banner. Advantageously, the model can be trained to perform the inference task with high accuracy and without using human-specified rules, which can be brittle for unconventional banner data and carry undesired biases.
Type: Application
Filed: October 12, 2022
Publication date: February 2, 2023
Applicant: Rapid7, Inc.
Inventors: Roy Hodgman, Derek Abdine, Thomas Sellers, Prashant Subbarao
-
Patent number: 11522886
Abstract: Methods and systems for scanning a network. The disclosed methods may involve receiving a list of a plurality of target devices and scanning a first device to determine if a particular port and protocol combination appears to be open on the first device. Upon determining that a particular port and protocol combination appears to be open on the first device, the method involves interrogating the first device before or during scanning of a second device to gather data regarding a service running on the first device.
Type: Grant
Filed: April 26, 2022
Date of Patent: December 6, 2022
Assignee: Rapid7, Inc.
Inventors: Roy Hodgman, Jonathan Hart
-
Publication number: 20220286471
Abstract: Analyzing and reporting anomalous internet traffic data by accepting a request for a connection to a virtual security appliance, collecting attribute data about the connection, applying an alert module to the data, and automatically generating an alert concerning an identified incident. An alert system for analyzing and reporting the anomalous internet traffic data. A processor to analyze and report anomalous internet traffic data.
Type: Application
Filed: May 20, 2022
Publication date: September 8, 2022
Applicant: Rapid7, Inc.
Inventors: Roy Hodgman, Wah-Kwan Lin, Vasudha Shivamoggi