Patents by Inventor Simon David Lincoln Fellows

Simon David Lincoln Fellows has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11924238
    Abstract: A cyber-defense appliance securely communicates and cooperates with a suite of different lightweight probes that can ingest onboard traffic from multiple different independent systems using protocols for at least one of a data link layer, a physical layer, and then one or more of an application layer, a transport layer, a network layer, and any combination of these layers when a protocol is used in that layer in the independent system. The lightweight probe ingests data and meta data with an independent system it resides within. The appliance has AI models to model a normal pattern of life in each of the independent systems using the data and/or meta data from protocols listed above. An analyzer module cooperates with the AI models that model a normal pattern of life in each of the independent systems to determine when abnormal behavior or suspicious activity is detected.
    Type: Grant
    Filed: July 29, 2020
    Date of Patent: March 5, 2024
    Assignee: Darktrace Holdings Limited
    Inventor: Simon David Lincoln Fellows
  • Publication number: 20230403294
    Abstract: A cyber security restoration engine prioritizes nodes in a graph of nodes in a computer network or system that are involved in a cyber attack for remediation actions. The cyber security restoration engine performs this prioritization by, for each node, determining one or more edges linking the node to other nodes in the graph, the edges representing interactions between two nodes; obtaining metadata indicative of a type of interaction between two nodes connected by the edge and the roles of the two nodes in that interaction; determining how severe the interaction represented by that edge is within the context of the cyber attack, based on the metadata of that edge; and determining a severity score for the node by combining the severity score for each of the one or more edges connected to the node. The cyber security restoration engine prioritizes nodes for remediation action based on the severity scores for the nodes.
    Type: Application
    Filed: August 8, 2023
    Publication date: December 14, 2023
    Inventors: Timothy Owen Bazalgette, Dickon Murray Humphrey, Simon David Lincoln Fellows, Marko Marsenic, Phillip Sellars
  • Publication number: 20230011004
    Abstract: A virtual computing environment cloning method is used to allow rapid repeatable testing of unsupervised machine learning (ML) architectures and algorithms. A virtual reference environment contains a set of virtual devices, user accounts and IP traffic as well as scripted activity and a cyber security appliance including unsupervised ML trained on the scripted activity. A clone creator makes a replica of the environment. Clones can be taken from the reference at any time and more than one can exist simultaneously. Testing that takes place within a clone environment has no effect on the reference environment, including having no effect on the unsupervised ML architectures and algorithms. Clones can be interacted with, and outcomes from testing a clone can be recorded. Clones can be discarded after tests are completed and tests are independent and repeatable.
    Type: Application
    Filed: July 7, 2022
    Publication date: January 12, 2023
    Inventors: Simon David Lincoln Fellows, Frank Jasik
  • Publication number: 20220360597
    Abstract: An apparatus may include a set of modules and artificial intelligence models to detect a cyber incident, a simulator to simulate an actual cyber attack of the cyber incident on a network including physical devices being protected by the set of modules and artificial intelligence models; and a feedback loop between i) the set of modules and artificial intelligence models and ii) the simulator, during an ongoing detected cyber incident. An attack path modeling module is configured to feed details of the detected incident by a cyber threat module into an input module of the simulator, and to run one or more hypothetical simulations of that detected incident in order to predict and control an autonomous response to the detected incident. Any software instructions forming part of the set of modules, the artificial intelligence models, and the simulator are stored in an executable form in memories and executed by processors.
    Type: Application
    Filed: July 7, 2022
    Publication date: November 10, 2022
    Inventors: Simon David Lincoln Fellows, Timothy Owen Bazalgette, Marko Marsenic, Dickon Murray Humphrey
  • Publication number: 20220225101
    Abstract: A coordinator module, a cyber threat analyst module, and AI models trained to model a normal pattern of life for entities in a wireless domain and a normal pattern of life for entities in a second domain cooperate with a combination of wireless sensors with RF protocol adapters to monitor and analyze wireless activity and probes to monitor activity in the second domain in order to analyze an anomaly of interest in a wider view of another domain's activity. These modules and models understand and assess the wireless activity and the activity from the second domain in light of the AI models modelling the pattern of life for entities in a wireless domain and/or in the second domain in order to detect a cyber threat indicated at least by the anomaly of interest. A formatting model generates an alert and/or a report.
    Type: Application
    Filed: January 7, 2022
    Publication date: July 14, 2022
    Inventor: Simon David Lincoln Fellows
  • Publication number: 20210273953
    Abstract: Endpoint agent cSensors can be used to extend network visibility and enhance tracking capabilities for a cyber security and threat defense environment. The cSensor may comprise a network module to monitor network information coming into and out of the endpoint computing device to ingest a first set of traffic data from network connections. The cSensor may have a collation module to collect the first set of traffic data and obtain input data related to observed network events. An analyzer module can receive the input data and use an intelligent DPI engine to perform predetermined levels of DPI from two or more possible levels of DPI on the input data based on network parameters. The cSensor may have a communication module to transmit a second set of traffic data to a cyber security appliance based on the specified DPI performed. Furthermore, the cSensor may have an autonomous action module to perform autonomous action(s) in response to autonomous action(s) correlated to the received second set of traffic data.
    Type: Application
    Filed: May 18, 2021
    Publication date: September 2, 2021
    Inventors: Simon David Lincoln Fellows, Jack Benjamin Stockdale, Thomas Alexander Chesney Jenkinson
  • Publication number: 20200358810
    Abstract: A cyber-defense appliance securely communicates and cooperates with a suite of different lightweight probes that can ingest onboard traffic from multiple different independent systems using protocols for at least one of a data link layer, a physical layer, and then one or more of an application layer, a transport layer, a network layer, and any combination of these layers when a protocol is used in that layer in the independent system. The lightweight probe ingests data and meta data with an independent system it resides within. The appliance has AI models to model a normal pattern of life in each of the independent systems using the data and/or meta data from protocols listed above. An analyzer module cooperates with the AI models that model a normal pattern of life in each of the independent systems to determine when abnormal behavior or suspicious activity is detected.
    Type: Application
    Filed: July 29, 2020
    Publication date: November 12, 2020
    Inventor: Simon David Lincoln Fellows