Abstract: Various embodiments include systems and methods to implement a password requirement conformity check. During a password reset process, a proposed password is received. A homomorphic encryption operation may be performed on the proposed password to generate a first character string. The first character string may be compared to a previous character string associated with a previous password to determine a password similarity metric. The password similarity metric may or may not satisfy at least a distance threshold. Responsive to determining that the password similarity metric does not satisfy the distance threshold, there may be a rejection of the proposed password and a prompt to receive an alternative proposed password during the password reset process.

Abstract: Approaches provide for securing an electronic environment. A threat analysis service can obtain data for devices, users, and threats from disparate sources and can correlate users to devices and threats to build an understanding of an electronic environment's operational, organizational, and security concerns in order to provide customized security strategies and remediations. Additionally, the threat analysis service can develop a model of an electronic environment's behavior by monitoring and analyzing various the data from the data sources. The model can be updated such that the threat analysis service can tailor its orchestration to complement existing operational processes.

Abstract: Methods and systems for assessing a vulnerability of a network device. The systems and methods described herein combine data regarding locally discovered vulnerabilities and exposed services with data regarding what executables are provided by software installed on the network device.

Abstract: Methods and systems for classifying network users. The system may receive a classification of a user account on a network and network activity data associated with the user account. Upon detecting a discrepancy between the expected behavior of the user account based on its classification and the present behavior of the user account, the system may obtain a corroborating result from one or more directory sources. An alert may then be issued based on the detected discrepancy and the corroborating result.

Abstract: Systems and methods for determining an extent of a vulnerability on a computer and remediating the vulnerability. An installed resource set comprising shared software resources installed on the computer is enumerated. A vulnerable resource is identified in the installed resource set. A vulnerable process set including at least one vulnerable process that uses the vulnerable resource is enumerated. And, the vulnerable process is remediated.

Abstract: Disclosed herein are methods, systems, and processes to detect valid clusters and eliminate spurious clusters in cybersecurity-based computing environments. A cluster detection and elimination model is trained by accessing a dataset with raw data that includes data points associated with computing devices in a network and applying two or more different clustering methodologies independently to the dataset. The resulting cluster detection and elimination model is used to compare two or more clusters to determine whether a cluster from one clustering methodology matches another cluster from another clustering methodology based on centroid locations and shared data points.

Abstract: Methods and systems for monitoring activity on a network. The systems may include a host computer executing a non-honeypot service. The host computer may also include a control module configured to enable or disable a honeypot service on the host computer in response to at least one of computational resource availability and configured tolerance for degraded service.

Abstract: Disclosed herein are methods, systems, and processes to optimize role level identification for computing resource allocation to perform security operations in networked computing environments. A role level classifier to process a training dataset that corresponds to a clean title is generated from a subset of entities associated with the clean title. An initial effective title determined by the role level classifier based on processing the training dataset is assigned to an entity. A new effective title based on feature differences between the initial effective title and the clean title is re-assigned to the entity. Performance of the generating, the assigning, and the re-assigning is repeated using the new effective title instead of the clean title.

Abstract: Methods and systems for identifying a network vulnerability. The system may gather data regarding a new or previously unknown network device, and compare the gathered data to one or more known devices that are scanned by a vulnerability assessment device. The vulnerability assessment device may then scan the previously unknown device upon a processor determining the previously unknown device shares at least one feature with a known device that is scanned.

Abstract: Systems and methods are disclosed to infer, using a machine learned model, a service protocol of a server based on the banner data produced by the server. In embodiments, the machine learned model is implemented by a network scanner configured to receive banner data from open ports on servers. A received banner is parsed into a set of features, such as the counts or presence of particular characters or strings in the banner. In embodiments, certain types of banner content such as network addresses, hostnames, dates, and times, are replaced with special characters. The machine learned model is applied to the features to infer a most likely protocol of the server port that produced the banner. Advantageously, the model can be trained to perform the inference task with high accuracy and without using human-specified rules, which can be brittle for unconventional banner data and carry undesired biases.

Abstract: Systems and methods are disclosed to implement a cyberattack detection system that monitors a computer network for suspected lateral movement. In embodiments, the system employs multiple machine learning models to analyze connection data of a network to identify anomalies in the network's connection behavior. The models are updated incrementally using online machine learning methods that can be performed in constant time and memory. In embodiments, the system uses an incremental matrix factorization model and a connection count fitting model to generate anomaly scores for each connection. Connection paths are constructed for acyclic sequences of time-ordered connections observed in the stream. The paths are evaluated based on the anomalies scores of their individual connections. Paths that meet a detection criterion are reported to analysts for further review.

Abstract: Analyzing and reporting anomalous internet traffic data by accepting a request for a connection to a virtual security appliance, collecting attribute data about the connection, applying an alert module to the data, and automatically generating an alert concerning an identified incident. An alert system for analyzing and reporting the anomalous internet traffic data. A processor to analyze and report anomalous internet traffic data.

Abstract: Disclosed herein are methods, systems, and processes to automate cluster interpretation in computing environments to develop targeted remediation security actions. To interpret clusters that are generated by a clustering methodology without subjecting clustered data to classifier-based processing, separation quantifiers that indicate a spread in feature values across clusters are determined and used to discover relative feature importances of features that drive the formation of clusters, permitting a security server to identify features that discriminate between clusters.

Abstract: Disclosed herein are methods, systems, and processes for monitoring scan attempts in a network. A virtual security appliance with multiple ports is deployed in a network. One or more ports are obfuscated via the virtual security appliance to make the various ports appear to be closed. An address of the virtual security appliance within the network is modified, the several ports are adjusted to assume a predetermined profile, a network neighbor's profile is discovered and emulated, and a received connection attempt intended for the virtual security appliance is monitored.

Abstract: Systems and methods are disclosed to infer, using a machine learned model, a service protocol of a server based on the banner data produced by the server. In embodiments, the machine learned model is implemented by a network scanner configured to receive banner data from open ports on servers. A received banner is parsed into a set of features, such as the counts or presence of particular characters or strings in the banner. In embodiments, certain types of banner content such as network addresses, hostnames, dates, and times, are replaced with special characters. The machine learned model is applied to the features to infer a most likely protocol of the server port that produced the banner. Advantageously, the model can be trained to perform the inference task with high accuracy and without using human-specified rules, which can be brittle for unconventional banner data and carry undesired biases.

Abstract: Methods and systems for scanning a network. The disclosed methods may involve receiving a list of a plurality of target devices and scanning a first device to determine if a particular port and protocol combination appears to be open on the first device. Upon determining that a particular port and protocol combination appears to be open on the first device, the method involves interrogating the first device before or during scanning of a second device to gather data regarding a service running on the first device.

Abstract: Analyzing and reporting anomalous internet traffic data by accepting a request for a connection to a virtual security appliance, collecting attribute data about the connection, applying an alert module to the data, and automatically generating an alert concerning an identified incident. An alert system for analyzing and reporting the anomalous internet traffic data. A processor to analyze and report anomalous internet traffic data.

Abstract: Methods and systems for scanning a network. The disclosed methods may involve receiving a list of a plurality of target devices and scanning a first device to determine if a particular port and protocol combination appears to be open on the first device. Upon determining that a particular port and protocol combination appears to be open on the first device, the method involves interrogating the first device before or during scanning of a second device to gather data regarding a service running on the first device.

Abstract: Methods and systems for scanning a network. The disclosed methods may involve receiving a list of a plurality of target devices and scanning a first device to determine if a particular port and protocol combination appears to be open on the first device. Upon determining that a particular port and protocol combination appears to be open on the first device, the method involves interrogating the first device before or during scanning of a second device to gather data regarding a service running on the first device.

Abstract: Approaches provide for monitoring attempted network activity such as network port connections and corresponding payloads of network data obtained by a network device and, based on the attempted connections and/or payloads, identifying malicious network activity in real time. For example, network activity obtained from a plurality of network devices in a service provider environment can be monitored to attempt to detect compliance with appropriate standards and/or any of a variety of resource usage guidelines (e.g., network behavioral standards or other such rules, guidelines, or network behavior tests) based at least in part on network port connection activity with respect to at least one network device. If it is determined that network activity is not in compliance with the usage guidelines, or other such network behavior test, the system can take one or more remedial actions, which can include generating a notification identifying the malicious network activity.