Patents by Inventor Scott Eric Coull

Scott Eric Coull has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20250150478
    Abstract: A cyber-security analysis method uses machine learning (ML) technology to classify cyber-threat indicators, for example, as malicious or benign, by generating a threat score. The method includes receiving, at a compute device, a cyber-threat indicator (IUE) and associated verdicts from a set of sources. The method further includes augmenting the verdicts associated with the IUE with verdicts associated with at least one related indicator having a defined relationship with the IUE. The relationship between the IUE and the at least one related indicator can be operational, e.g., based on an administrative domain, or functional, e.g., based on a protocol specification. The cyber-threat score is generated for the IUE based on the ML model and the combined verdicts of the IUE and the at least one related indicator.
    Type: Application
    Filed: January 13, 2025
    Publication date: May 8, 2025
    Inventors: Scott Eric Coull, Jeffrey Thomas Johns
  • Publication number: 20250131092
    Abstract: Provided is a malware detection system that provides structure-aware neural networks for performing malware detection. In particular, rather than treat the entire computer file as one large input to a deep neural network, the malware detection system can break the file up based on the internal file structure. Each portion of the computer file can then be processed using individual neural networks and the outputs of these networks can be combined and similarly processed. In this way the overall system can evaluate the file with knowledge of the structure of the file, enabling the malware detection to have a higher-order understanding of the interoperation of different portions of the computer file.
    Type: Application
    Filed: October 19, 2023
    Publication date: April 24, 2025
    Inventors: David Benjamin Krisiloff, Scott Eric Coull
  • Patent number: 12225031
    Abstract: A cyber-security analysis method uses machine learning (ML) technology to classify cyber-threat indicators, for example, as malicious or benign, by generating a threat score. The method includes receiving, at a compute device, a data set including cyber-threat indicators and verdicts serving as votes from each source in the set of sources. Each of the votes is associated with one of the cyber-threat indicators. An ML model is trained based on at least one of agreements among the sets of votes, and disagreements among the sets of votes to produce a trained ML model. In response to receiving a new cyber-threat indicator, votes are identified for each source from a subset of the sources, to define a second set of votes. The cyber-threat score is generated for the new cyber-threat indicator based on the trained ML model and the second set of votes.
    Type: Grant
    Filed: June 30, 2022
    Date of Patent: February 11, 2025
    Assignee: GOOGLE LLC
    Inventors: Scott Eric Coull, Jeffrey Thomas Johns
  • Publication number: 20240370556
    Abstract: A cybersecurity threat hunting system deploys a model generation subsystem and a threat detection subsystem. The model generation subsystem includes a function evaluator associated with hunt pack(s) containing hunting function(s) to extract features from a training dataset to achieve a prescribed operating level. The model generation subsystem conducts training of a Machine Learning (ML) model by adjusting weighting parameters associated with the hunting function(s) and/or hunt pack(s) to optimize accuracy of threat scores formed by the ML model. Each hunting function may conduct analytics in reaching a verdict for the extracted feature(s), and the verdicts are compared across hunting functions during training to form quality metrics. The quality metrics assess the effectiveness of the hunting functions and set weighting parameters for the ML model.
    Type: Application
    Filed: May 2, 2023
    Publication date: November 7, 2024
    Inventors: Scott Eric Coull, Jeffrey Thomas Johns
  • Publication number: 20240362323
    Abstract: A non-transitory storage medium includes logic associated with a cybersecurity threat hunting system. Upon execution, the logic analyzes input event data to detect whether the input event data constitutes a cyberthreat. The logic includes a function evaluator, which is configured to extract features from the input event data that is relevant, based on experiential knowledge or past analyses, for use in determining whether one or more cyberthreats are associated with the input event data. The function evaluator includes one or more hunt packs, each of the one or more hunt packs includes one or more hunting functions, and each hunting function of the one or more hunting functions is configured to analyze the input event data received from at least one cybersecurity source.
    Type: Application
    Filed: April 28, 2023
    Publication date: October 31, 2024
    Inventors: Scott Eric Coull, Jeffrey Thomas Johns
  • Patent number: 12074902
    Abstract: A method for performing cyber-security analysis includes generating a semantic graph in which each object is represented as a node, and each event associated with an object is represented as an edge. A cyber-threat related alert, with an associated alert type, is received from a source. A first object from the plurality of objects is modified based on the alert. A plurality of threat scores, each associated with an object, are calculated, substantially concurrently, based on the alert type. Subsequently, a plurality of modified threat scores are determined for each object, based on: (1) the threat score for that object, (2) a connectivity of that object to each of the remaining objects within the semantic graph; and (3) the threat score for each remaining object from the plurality of objects. A subgraph of the semantic graph is identified based on normalized versions of the modified threat scores.
    Type: Grant
    Filed: June 20, 2023
    Date of Patent: August 27, 2024
    Assignee: GOOGLE LLC
    Inventors: Scott Eric Coull, Jeffrey Thomas Johns
  • Patent number: 12069087
    Abstract: A system for detecting whether a file including content is associated with a cyber-attack is described. The content may include an executable file for example. The system includes an intelligence-driven analysis subsystem and a computation analysis subsystem. The intelligence-driven analysis subsystem is configured to (i) receive the file, (ii) inspect and compute features of the file for indicators associated with a cyber-attack, and (iii) produce a first output representing the detected indicators. The computational analysis subsystem includes an artificial neural network to (i) receive a network input being a first representation of at least one section of binary code from the file as input, and (ii) process the first representation of the section to produce a second output. The first output and the second output are used in determining a classification assigned to the file.
    Type: Grant
    Filed: April 24, 2023
    Date of Patent: August 20, 2024
    Assignee: GOOGLE LLC
    Inventors: Jeffrey Thomas Johns, Brian Sanford Jones, Scott Eric Coull
  • Patent number: 12045343
    Abstract: A method includes training a first machine learning model with a first dataset, to produce a first trained machine learning model to infer cybersecurity-oriented file properties and/or detect cybersecurity threats within a first domain. The first dataset includes labeled files associated with the first domain. The first trained machine learning model includes multiple layers, some of which are trainable. A second trained machine learning model is generated, via a transfer learning process, using (1) at least one trainable layer from the multiple trainable layers of the first trained machine learning model, and (2) a second dataset different from the first dataset. The second dataset includes labeled files associated with a second domain. The first domain has a different syntax, different semantics, and/or a different structure than that of the second domain. The second trained machine learning model (e.g.
    Type: Grant
    Filed: October 17, 2022
    Date of Patent: July 23, 2024
    Assignee: GOOGLE LLC
    Inventors: Scott Eric Coull, David Krisiloff, Giorgio Severi
  • Publication number: 20240007495
    Abstract: A method for performing cyber-security analysis includes generating a semantic graph in which each object is represented as a node, and each event associated with an object is represented as an edge. A cyber-threat related alert, with an associated alert type, is received from a source. A first object from the plurality of objects is modified based on the alert. A plurality of threat scores, each associated with an object, are calculated, substantially concurrently, based on the alert type. Subsequently, a plurality of modified threat scores are determined for each object, based on: (1) the threat score for that object, (2) a connectivity of that object to each of the remaining objects within the semantic graph; and (3) the threat score for each remaining object from the plurality of objects. A subgraph of the semantic graph is identified based on normalized versions of the modified threat scores.
    Type: Application
    Filed: June 20, 2023
    Publication date: January 4, 2024
    Inventors: Scott Eric Coull, Jeffrey Thomas Johns
  • Publication number: 20230336584
    Abstract: A system for detecting whether a file including content is associated with a cyber-attack is described. The content may include an executable file for example. The system includes an intelligence-driven analysis subsystem and a computation analysis subsystem. The intelligence-driven analysis subsystem is configured to (i) receive the file, (ii) inspect and compute features of the file for indicators associated with a cyber-attack, and (iii) produce a first output representing the detected indicators. The computational analysis subsystem includes an artificial neural network to (i) receive a network input being a first representation of at least one section of binary code from the file as input, and (ii) process the first representation of the section to produce a second output. The first output and the second output are used in determining a classification assigned to the file.
    Type: Application
    Filed: April 24, 2023
    Publication date: October 19, 2023
    Inventors: Jeffrey Thomas Johns, Brian Sanford Jones, Scott Eric Coull
  • Patent number: 11729204
    Abstract: A method for performing cyber-security analysis includes storing a semantic graph with nodes representing monitored computer-based entities, and edges representing monitored relationships. Each edge has an associated tally. A set of threat scores associated with multiple computer-based entities is stored in the memory. The semantic graph is updated in response to receiving event data. The updating includes decomposing the event data into a set of entities and a set of associated relationships, updating the tally of one of the edges based on the set of relationships, modifying an alert attribute of a monitored computer-based entity when the event data includes an applicable alert, and modifying a threat score of at least one computer-based entity based on the event data when the event data includes an applicable alert, to define a set of modified threat scores. The updated semantic graph is monitored for cyber-security risks within the multiple computer-based entities.
    Type: Grant
    Filed: December 13, 2021
    Date of Patent: August 15, 2023
    Assignee: GOOGLE LLC
    Inventors: Scott Eric Coull, Jeffrey Thomas Johns
  • Publication number: 20230185907
    Abstract: A method includes training a first machine learning model with a first dataset, to produce a first trained machine learning model to infer cybersecurity-oriented file properties and/or detect cybersecurity threats within a first domain. The first dataset includes labeled files associated with the first domain. The first trained machine learning model includes multiple layers, some of which are trainable. A second trained machine learning model is generated, via a transfer learning process, using (1) at least one trainable layer from the multiple trainable layers of the first trained machine learning model, and (2) a second dataset different from the first dataset. The second dataset includes labeled files associated with a second domain. The first domain has a different syntax, different semantics, and/or a different structure than that of the second domain. The second trained machine learning model (e.g.
    Type: Application
    Filed: October 17, 2022
    Publication date: June 15, 2023
    Applicant: Mandiant, Inc.
    Inventors: Scott Eric Coull, David Krisiloff, Giorgio Severi
  • Patent number: 11637859
    Abstract: A system for detecting whether a file including content is associated with a cyber-attack is described. The content may include an executable file for example. The system includes an intelligence-driven analysis subsystem and a computation analysis subsystem. The intelligence-driven analysis subsystem is configured to (i) receive the file, (ii) inspect and compute features of the file for indicators associated with a cyber-attack, and (iii) produce a first output representing the detected indicators. The computational analysis subsystem includes an artificial neural network to (i) receive a network input being a first representation of at least one section of binary code from the file as input, and (ii) process the first representation of the section to produce a second output. The first output and the second output are used in determining a classification assigned to the file.
    Type: Grant
    Filed: August 30, 2021
    Date of Patent: April 25, 2023
    Assignee: Mandiant, Inc.
    Inventors: Jeffrey Thomas Johns, Brian Sanford Jones, Scott Eric Coull
  • Patent number: 11475128
    Abstract: A method includes training a first machine learning model with a first dataset, to produce a first trained machine learning model to infer cybersecurity-oriented file properties and/or detect cybersecurity threats within a first domain. The first dataset includes labeled files associated with the first domain. The first trained machine learning model includes multiple layers, some of which are trainable. A second trained machine learning model is generated, via a transfer learning process, using (1) at least one trainable layer from the multiple trainable layers of the first trained machine learning model, and (2) a second dataset different from the first dataset. The second dataset includes labeled files associated with a second domain. The first domain has a different syntax, different semantics, and/or a different structure than that of the second domain. The second trained machine learning model (e.g.
    Type: Grant
    Filed: August 16, 2019
    Date of Patent: October 18, 2022
    Assignee: Mandiant, Inc.
    Inventors: Scott Eric Coull, David Krisiloff, Giorgio Severi
  • Patent number: 11201890
    Abstract: A method for performing cyber-security analysis includes generating a semantic graph in which each object is represented as a node, and each event associated with an object is represented as an edge. A cyber-threat related alert, with an associated alert type, is received from a source. A first object from the plurality of objects is modified based on the alert. A plurality of threat scores, each associated with an object, are calculated, substantially concurrently, based on the alert type. Subsequently, a plurality of modified threat scores are determined for each object, based on: (1) the threat score for that object, (2) a connectivity of that object to each of the remaining objects within the semantic graph; and (3) the threat score for each remaining object from the plurality of objects. A subgraph of the semantic graph is identified based on normalized versions of the modified threat scores.
    Type: Grant
    Filed: March 29, 2019
    Date of Patent: December 14, 2021
    Assignee: Mandiant, Inc.
    Inventors: Scott Eric Coull, Jeffrey Thomas Johns
  • Patent number: 11108809
    Abstract: A system for detecting whether a file including content is associated with a cyber-attack is described. The content may include an executable file for example. The system includes an intelligence-driven analysis subsystem and a computation analysis subsystem. The intelligence-driven analysis subsystem is configured to (i) receive the file, (ii) inspect and compute features of the file for indicators associated with a cyber-attack, and (iii) produce a first output representing the detected indicators. The computational analysis subsystem includes an artificial neural network to (i) receive a network input being a first representation of at least one section of binary code from the file as input, and (ii) process the first representation of the section to produce a second output. The first output and the second output are used in determining a classification assigned to the file.
    Type: Grant
    Filed: October 27, 2017
    Date of Patent: August 31, 2021
    Assignee: FireEye, Inc.
    Inventors: Jeffrey Thomas Johns, Brian Sanford Jones, Scott Eric Coull
  • Publication number: 20210073377
    Abstract: A method includes training a first machine learning model with a first dataset, to produce a first trained machine learning model to infer cybersecurity-oriented file properties and/or detect cybersecurity threats within a first domain. The first dataset includes labeled files associated with the first domain. The first trained machine learning model includes multiple layers, some of which are trainable. A second trained machine learning model is generated, via a transfer learning process, using (1) at least one trainable layer from the multiple trainable layers of the first trained machine learning model, and (2) a second dataset different from the first dataset. The second dataset includes labeled files associated with a second domain. The first domain has a different syntax, different semantics, and/or a different structure than that of the second domain. The second trained machine learning model (e.g.
    Type: Application
    Filed: August 16, 2019
    Publication date: March 11, 2021
    Inventors: Scott Eric Coull, David Krisiloff, Giorgio Severi
  • Publication number: 20190132334
    Abstract: A system for detecting whether a file including content is associated with a cyber-attack is described. The content may include an executable file for example. The system includes an intelligence-driven analysis subsystem and a computation analysis subsystem. The intelligence-driven analysis subsystem is configured to (i) receive the file, (ii) inspect and compute features of the file for indicators associated with a cyber-attack, and (iii) produce a first output representing the detected indicators. The computational analysis subsystem includes an artificial neural network to (i) receive a network input being a first representation of at least one section of binary code from the file as input, and (ii) process the first representation of the section to produce a second output. The first output and the second output are used in determining a classification assigned to the file.
    Type: Application
    Filed: October 27, 2017
    Publication date: May 2, 2019
    Applicant: FireEye, Inc.
    Inventors: Jeffrey Thomas Johns, Brian Sanford Jones, Scott Eric Coull