Abstract: Systems and methods for risk assessment of a computer network are described. In one embodiment a first static risk score corresponding to a first computing device is computed. A connectivity map corresponding to the first computing device is determined. Communication performed by the first computing device via the connectivity map is analyzed, and a first dynamic risk score corresponding to the first computing device is computed. The first static risk score and the first dynamic risk score are combined to generate a first total risk score for the first computing device. A second total risk score for a second computing device is determined. The first total risk score and the second total risk score are aggregated into an aggregate risk score. A risk assessment of the computer network is determined based on the aggregate risk score.

Abstract: Computer network anomaly detection systems and methods are disclosed. One embodiment includes retrieving one or more learned profiles for a group of networked computing devices included in a computer network from a database. For each pair of computing devices in the group, a pairwise distance matrix may be computed. Each pairwise distance in the pairwise distance matrix is computed based on a statistical data profile associated with each computing device in each pair of computing devices from the group. The statistical data profiles may be included in the learned profiles. Any pairwise distances that are greater than a threshold may be removed from the pairwise distance matrix to generate a reduced pairwise distance matrix. One or more computing devices associated with the remaining pairwise distances in the reduced pairwise distance matrix may be sorted into a cluster of computing devices. An anomaly score may be computed for the cluster.

Abstract: Systems and methods for anomaly detection are described. One aspect includes defining a computing device group comprising a plurality of networked computing devices. The networked computing devices are associated with a computer network. One or more statistical parameters associated with the computing device group are calculated. A set of communication data associated with a networked computing device is received. An operating point geometric distance of the networked computing device relative to the one or more statistical parameters is computed. This operating point geometric distance is based at least in part on the set of communication data. An anomaly is detected based on the operating point geometric distance.

Abstract: Systems and methods for dynamic, hyper context-based microsegmentation are described. In one aspect, a computing device is detected on a network. A network hyper context is assigned to the computing device based on network properties and computing device properties associated with the computing device. A policy defining a segment identifier identifying a network segment and corresponding to the network hyper context is accessed. The segment identifier is assigned to the computing device. The computing device is segmented onto the network responsive to detecting the computing device.

Abstract: Systems and methods to determine an aggregate risk score are described. In one embodiment, a first dynamic risk factor and a second dynamic risk factor are generated associated with a first incident and a second incident respectively at a site. One or more static risk factors are retrieved from a database. The static risk factors and the dynamic risk factors are mapped to a first threat. A first threat risk score associated with the first threat is computed. A second risk score associated with a second threat is computed. A first total risk score associated with a first computing device included in a computer network associated with the site is computed. A second risk score associated with a second computing device included in the computer network is computed. The first total risk score and the second total risk score are aggregated to compute an aggregate risk score.

Abstract: Systems and methods for dynamic, hyper context-based microsegmentation are described. In one aspect, a computing device is detected on a network. A network hyper context is assigned to the computing device based on network properties and computing device properties associated with the computing device. A policy defining a segment identifier identifying a network segment and corresponding to the network hyper context is accessed. The segment identifier is assigned to the computing device. The computing device is segmented onto the network responsive to detecting the computing device.

Abstract: Systems and methods for computing device association are described. One aspect includes receiving first and second network communication data for a first and second computing device over a communication network, respectively. For each computing device, a first and second data set are extracted from the first and second network communication data, respectively. The first data set includes first spatial data and first temporal data associated with the first computing device. The second data set includes second spatial data and second temporal data associated with the second computing device. The first and second data sets are correlated. A first geometric distance between the first temporal data and the second temporal data and a second geometric distance between the first spatial data and the second spatial data are computed. The method identifies that the first computing device and the second computing device belong to a common user.

Abstract: An echo cancellation detector for controlling an acoustic echo canceller that is configured to cancel an echo of a far-end signal in a near-end signal in a telephony system, the echo cancellation detector comprising a comparison generator configured to compare the far-end signal with the near-end signal, a decision unit configured to make a determination about a first acoustic echo canceller based on that comparison and a controller configured to control an operation of a second acoustic echo canceller in dependence on the determination.

Abstract: Systems and methods to generate a device composite fingerprint associated with a computing device are described. In one embodiment, communication data associated with the computing device is accessed. The communication data includes device identification data, device group data, and device operational data. A device identity fingerprint associated with the computing device is generated using the device identification data. A device group fingerprint associated with the computing device is generated using the device group data. A device operational fingerprint associated with the computing device is generated using the device operational data. The device identity fingerprint, the device group fingerprint, and the device operational fingerprint are combined to generate a device composite fingerprint.

Abstract: Systems and methods for dynamic, hyper context-based microsegmentation are described. In one aspect, span traffic associated with a computing device on a network is processed. Meta data associated with the span traffic is transmitted to a hyper context cloud server. It is determined whether the span traffic meta data matches a policy condition. Responsive to the span traffic meta data matching a policy condition, a policy is triggered. It is determined whether an action associated with the triggered policy is segment. Responsive to determining that the action is segment, a MAC address of the computing device is added to a segment name provided in the policy. The segment name is pushed to one or more enforcement points associated with the network.

Abstract: Systems and methods to reverse-predict a MAC address associated with a computing device are described. In one embodiment, first temporal communication data associated with the computing device is accessed for a first time interval. The first temporal communication data is converted into a first image. Second temporal communication data associated with the computing device is accessed for a second time interval. The second temporal communication data is converted into a second image. An image ensemble including the first image and the second image is analyzed using a neural network. Each image in the image ensemble is converted from temporal communication data associated with the computing device. The neural network learns a temporal pattern associated with the image ensemble. Current temporal communication data associated with the computing device is accessed and converted into a current image. The current image is compared with the temporal pattern.

Abstract: Systems and methods for risk assessment of a computer network are described. In one embodiment a first static risk score corresponding to a first computing device is computed. A connectivity map corresponding to the first computing device is determined. Communication performed by the first computing device via the connectivity map is analyzed, and a first dynamic risk score corresponding to the first computing device is computed. The first static risk score and the first dynamic risk score are combined to generate a first total risk score for the first computing device. A second total risk score for a second computing device is determined. The first total risk score and the second total risk score are aggregated into an aggregate risk score. A risk assessment of the computer network is determined based on the aggregate risk score.

Abstract: Systems and methods for risk assessment of a computer network are described. In one embodiment a first static risk score corresponding to a first computing device is computed. A connectivity map corresponding to the first computing device is determined. Communication performed by the first computing device via the connectivity map is analyzed, and a first dynamic risk score corresponding to the first computing device is computed. The first static risk score and the first dynamic risk score are combined to generate a first total risk score for the first computing device. A second total risk score for a second computing device is determined. The first total risk score and the second total risk score are aggregated into an aggregate risk score. A risk assessment of the computer network is determined based on the aggregate risk score.

Abstract: Systems and methods for dynamic, hyper context-based microsegmentation are described. In one aspect, a computing device is detected on a network. A network hyper context is assigned to the computing device based on network properties and computing device properties associated with the computing device. A policy defining a segment identifier identifying a network segment and corresponding to the network hyper context is accessed. The segment identifier is assigned to the computing device. The computing device is segmented onto the network responsive to detecting the computing device.

Abstract: Systems and methods for dynamic, hyper context-based microsegmentation are described. In one aspect, span traffic associated with a computing device on a network is processed. Meta data associated with the span traffic is transmitted to a hyper context cloud server. It is determined whether the span traffic meta data matches a policy condition. Responsive to the span traffic meta data matching a policy condition, a policy is triggered. It is determined whether an action associated with the triggered policy is segment. Responsive to determining that the action is segment, a MAC address of the computing device is added to a segment name provided in the policy. The segment name is pushed to one or more enforcement points associated with the network.

Abstract: Systems and methods for anomaly detection are described. One aspect includes defining a computing device group comprising a plurality of networked computing devices. The networked computing devices are associated with a computer network. One or more statistical parameters associated with the computing device group are calculated. A set of communication data associated with a networked computing device is received. An operating point geometric distance of the networked computing device relative to the one or more statistical parameters is computed. This operating point geometric distance is based at least in part on the set of communication data. An anomaly is detected based on the operating point geometric distance.

Abstract: Systems and methods to determine an aggregate risk score are described. In one embodiment, a first dynamic risk factor and a second dynamic risk factor are generated associated with a first incident and a second incident respectively at a site. One or more static risk factors are retrieved from a database. The static risk factors and the dynamic risk factors are mapped to a first threat. A first threat risk score associated with the first threat is computed. A second risk score associated with a second threat is computed. A first total risk score associated with a first computing device included in a computer network associated with the site is computed. A second risk score associated with a second computing device included in the computer network is computed. The first total risk score and the second total risk score are aggregated to compute an aggregate risk score.

Abstract: Systems and methods for risk assessment of a computer network are described. In one embodiment a first static risk score corresponding to a first computing device is computed. A connectivity map corresponding to the first computing device is determined. Communication performed by the first computing device via the connectivity map is analyzed, and a first dynamic risk score corresponding to the first computing device is computed. The first static risk score and the first dynamic risk score are combined to generate a first total risk score for the first computing device. A second total risk score for a second computing device is determined. The first total risk score and the second total risk score are aggregated into an aggregate risk score. A risk assessment of the computer network is determined based on the aggregate risk score.

Abstract: Systems and methods to generate a hyper context associated with a computing device are described. In one embodiment, communication data associated with the computing device is accessed. One or more features associated with the computing device are extracted from the communication data. A type of the computing device is detected. An operating system associated with the computing device is detected. A control associated with the computing device is detected. A functionality of the computing device is detected. An ownership of the computing device is detected. A hyper context associated with the computing device is defined. The hyper context includes a type context, a category context, an ownership context, a connectivity context, and a control context.

Abstract: Systems and methods to generate a device composite fingerprint associated with a computing device are described. In one embodiment, communication data associated with the computing device is accessed. The communication data includes device identification data, device group data, and device operational data. A device identity fingerprint associated with the computing device is generated using the device identification data. A device group fingerprint associated with the computing device is generated using the device group data. A device operational fingerprint associated with the computing device is generated using the device operational data. The device identity fingerprint, the device group fingerprint, and the device operational fingerprint are combined to generate a device composite fingerprint.