Abstract: Disclosed is an improved approach for translating entity prioritization rules to a continuous numerical space. In some embodiments, the approach provided is a system for using qualitative prioritization criteria to train a system that generates quantitative urgency scores for entities. In some embodiments, this comprises an embedding scheme that enables the translation of entity information and their related alerts to a set of qualitative labels based on at least quantitative information. Generally, the system includes a set of analyst actions that establish desired mappings which are used to train a more general model that maps entity embeddings to responses. In some embodiments, the approach comprises one or more models that receive an entity embedding as an input and outputs a score that characterizes the urgency of the response warranted for that entity. In some embodiments, this is performed using various features (e.g., importance, actor type, velocity, and breadth).

Abstract: Disclosed is an approach for detecting malicious network activity (e.g. based on a data hoarding activity identifies using a graph mixture density neural network (GraphMDN)). Generally, the approach includes generating embeddings using a graph convolution process and then processing the embeddings using a mixture density neural network. The approach may include collecting network activity data, generating a graph representing the network activity, or an aggregation thereof that maintains the inherent graphical nature and characteristics of the data, and training a GraphMDN in order to generate pluralities of distributions characterizing one or more aspects of the graph representing the network activity. The approach may also include capturing new network activity data, and evaluating that data using the distributions generated by the trained GraphMDN, and generation corresponding detection results.

Abstract: Disclosed herein is an approach that includes providing a system for managing and expanding knowledge in a knowledge base. In some embodiments, the system comprises an expert system which performs a number of functions including data ingestion, application of a data retention policy, monitoring of a network system including deployments of detection signatures on the network system, response and alert management, posturing, and relevant automation. In some embodiments, the expert system interconnects with a war gaming engine to identify attack vectors to protected resources. In some embodiments, a collection of functions or modules is provided in place of the expert system—e.g., traditional programing techniques are used to provide functions or modules to perform similar processes using one or more function calls between the provided functions or modules.

Abstract: Disclosed is an approach for network security management using software representation that embodies network configuration and policy data. In some embodiments, the approach includes a process to generate a software representation of what is possible based on a network configuration and policy data. The software representation comprises a state machine where different states can be reached using respective transitions or properties why are possible as determined based on the network configuration and policy data. The states correspond to respective entities on the network which may comprise resources that are identifiable for protection. The software representation can then be stimulated to identify sequences of state-to-state transitions which may in turn be processed to generate corresponding detection signatures for use in monitoring the network.

Abstract: Disclosed is an approach for analyzing a computer network to identify attack paths using a software representation that embodies network configuration and policy data for security management. The software representation comprises a state machine where different states can be reached using respective transitions or properties which are possible as determined based on the network configuration and network policy data. The states correspond to respective entities on the network which may comprise resources that are identifiable for protection in the software representation using crash statements. The software representation can then be stimulated using software analysis tools such as fuzzers to identify sequences of state-to-state transitions that could be used to compromise a protected resource on the computer network.

Abstract: Disclosed is an approach for generating a software representation that embodies network configuration and policy data of a computer network for use in security management. The software representation comprises a state machine where different states can be reached using respective transitions or properties which are possible as determined based on the network configuration and network policy data. The states correspond to respective entities on the network which may comprise resources that are identifiable for protection. The software representation can then be stimulated with various inputs to identify sequences of state-to-state transitions which may in turn be processed to generate corresponding detection signatures for use in monitoring the network.

Abstract: Disclosed is an approach for solving arbitrary constraint satisfaction problems. In some embodiments, the approach includes a process to generate a software representation of what is possible based on a system corresponding to the constraint satisfaction problem. The software representation comprises a state machine where different states can be reached using respective transitions or properties which are possible as determined based on a current state of the system and parameters thereof whether global or otherwise.

Abstract: Disclosed is an approach for analyzing attack paths in computer network generated using a software representation that embodies network configuration and policy data for security management. In some embodiments, the approach includes a process to analyze attack paths in a computer network to determine which attack paths might be most productively covered using a corresponding detection signature. In some embodiments, the attack paths are identified using a software representation that embodies network configuration and policy data. The software representation comprises a state machine where different states can be reached using respective transitions or properties. The states correspond to respective entities on the network which may comprise resources that are identifiable for protection in the software representation using crash statements.

Abstract: Disclosed is an approach for generating detection signatures based on analysis of a software representation of what is possible in a computer network based on network configuration data and network policy data. In some embodiments, the process includes maintaining a plurality of detection signature templates, generation of detection signatures (detection signature instances) using respective detection signature templates that are selected based on the analysis of the software representation. In some embodiments, detection signatures templates are of different type and may be deployed at different locations based on their respective type(s), such as at source, destination.

Abstract: Disclosed is an approach for detecting malicious network activity (e.g. based on a data hoarding activity identifies using a graph mixture density neural network (GraphMDN)). Generally, the approach includes generating embeddings using a graph convolution process and then processing the embeddings using a mixture density neural network. The approach may include collecting network activity data, generating a graph representing the network activity, or an aggregation thereof that maintains the inherent graphical nature and characteristics of the data, and training a GraphMDN in order to generate pluralities of distributions characterizing one or more aspects of the graph representing the network activity. The approach may also include capturing new network activity data, and evaluating that data using the distributions generated by the trained GraphMDN, and generation corresponding detection results.

Abstract: Disclosed is an improved method, system, and computer program product for learning representations or embeddings of network flow traffic. The disclosed invention operates on network flow data which are then used as inputs to a deep-learning architecture that learns to embed the data into a vector space.

Abstract: Disclosed is an improved method, system, and computer program product for learning representations or embeddings of network flow traffic. The disclosed invention operates on network flow data which are then used as inputs to a deep-learning architecture that learns to embed the data into a vector space.