Patents by Inventor Stephen Pickman

Stephen Pickman has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20250117486
    Abstract: A computer-implemented method of updating a set of clusters representative of a classification of a text-based dataset into a plurality of different text types for use in a cyber security system is described as part of a classification pipeline. The method comprises receiving text data associated with an entity. The method further comprises generating one or more vector embeddings representative of the text data. The method further comprises using incremental learning to update the set of clusters based on the one or more vector embeddings.
    Type: Application
    Filed: October 7, 2024
    Publication date: April 10, 2025
    Inventors: Stephen Pickman, Steven Haworth, Anthony Lawson
  • Publication number: 20250030744
    Abstract: A security awareness training system can include a recognition module, a mapping module, a customized training module, and an authentication module. The recognition module can detect when behavioral activity by an end user on an endpoint device creates one or more of i) a model breach indicative of a potential cyber threat and ii) a violation of a network policy, an email policy, or a cloud policy. The authentication module can cooperate with the recognition module to provide just-in-time cyber security awareness training on a display screen of the endpoint device associated with that specific end user, at a time when the behavioral activity by the end user on the endpoint device creates the one or more of i) the model breach indicative of the potential cyber threat and ii) the violation of the network policy, the email policy, or the cloud policy.
    Type: Application
    Filed: July 19, 2024
    Publication date: January 23, 2025
    Inventors: Constance Stride, Stephen Pickman, Matthew Ferguson, Matt Dunn, Ben Akrill, Daisy Butler
  • Publication number: 20240406195
    Abstract: In an embodiment, an apparatus is described. The apparatus comprises an appliance extension configured to perform functions with i) a monitoring module configured to monitor metrics and receive alerts regarding potential cyber threats on a system including an email system, ii) an investigative module configured to retrieve the metrics and alerts, and iii) a remote response module configured to observe the metrics and alerts and send one or more control signals to an autonomous response module to take one or more actions to counter one or more detected cyber threats on the system remotely from the appliance extension.
    Type: Application
    Filed: May 30, 2024
    Publication date: December 5, 2024
    Inventors: David Sansom, Jack Stockdale, Matthew Dunn, Stephen Pickman, Constance Stride, William Hodkinson
  • Publication number: 20240267399
    Abstract: A cyber-threat defense system for a network including its email domain protects this network from cyber threats. Modules utilize machine learning models as well as communicate with a cyber threat module. Modules analyze the wide range of metadata from the observed email communications. The cyber threat module analyzes with the machine learning models trained on a normal behavior of email activity and user activity associated with the network and in its email domain in order to determine when a deviation from the normal behavior of email activity and user activity is occurring. A mass email association detector determines a similarity between highly similar emails being i) sent from or ii) received by a collection of two or more individual users in the email domain in a substantially simultaneous time frame. Mathematical models can be used to determine similarity weighing in order to derive a similarity score between compared emails.
    Type: Application
    Filed: March 12, 2024
    Publication date: August 8, 2024
    Inventors: Matthew Dunn, Matthew Ferguson, Stephen Pickman
  • Publication number: 20240223523
    Abstract: An endpoint agent extension of a cyber defense system for email that includes modules and machine learning models. An integration module integrates with an email client application to detect email cyber threats in emails in the email client application as well as regulate emails. An action module interfaces with the email client application to direct autonomous actions against an outbound email and/or its files when a cyber threat module determines the email and/or its files (a) to be a data exfiltration threat, (b) to be both malicious and anomalous behavior as compared to a user's modeled email behavior, and (c) any combination of these. The autonomous actions can include actions of logging a user off the email client application, preventing the sending of the email, stripping the attached files and/or disabling the link to the files from the email, and sending a notification to cyber security personnel regarding the email.
    Type: Application
    Filed: March 12, 2024
    Publication date: July 4, 2024
    Inventors: Stephen Pickman, Matthew Dunn
  • Publication number: 20240223596
    Abstract: An apparatus to protect a network from a potential cyber threat associated with a new endpoint to that network is described. The apparatus comprises a memory to store a representation of an artificial intelligence (AI) model. The AI model is at least partly trained based on information aggregated from a first information source and a second information source. The first information source comprises information about a first factor that at least partly characterizes endpoints. The second information source comprises information about a second, different, factor that at least partly characterizes endpoints. The apparatus further comprises a processor. The processor is to receive information about the new endpoint to that network. The processor is further to determine, using the AI model, whether the information about the new endpoint indicates that a characteristic of the new endpoint overlaps with a profile of characteristics associated with endpoints known to be associated with a cyber threat.
    Type: Application
    Filed: December 29, 2023
    Publication date: July 4, 2024
    Inventors: Philip Sellars, Stephen Pickman, Andres Curto Martin, Tim Bazalgette, Soufian El Yadmani
  • Publication number: 20240137378
    Abstract: The email system utilizes statistical analysis to assign an importance score to each user within an organization based on their email activity. The score is continuously updated to reflect changes in email flow and user status. The system identifies high-profile individuals who are likely to be targeted by external actors and assigns them a higher importance score. It also adjusts the scores based on several dampening factors related to the user's email behavior. The system uses these scores to determine VIP users and tailors its response to malicious emails accordingly. VIP-specific threat handling rules, which are less disruptive or intrusive, are applied when a malicious email targets a VIP user. The system intelligently derives user importance information, allowing it to identify a larger subset of important users within an organization. This approach minimizes disruption, tailors actions to key stakeholders, and does not require significant manual tuning.
    Type: Application
    Filed: December 29, 2023
    Publication date: April 25, 2024
    Inventors: Philip Sellars, Steven Haworth, Stephen Pickman
  • Patent number: 11962552
    Abstract: An endpoint agent extension of a cyber defense system for email that includes modules and machine learning models. An integration module integrates with an email client application to detect email cyber threats in emails in the email client application as well as regulate emails. An action module interfaces with the email client application to direct autonomous actions against an outbound email and/or its files when a cyber threat module determines the email and/or its files (a) to be a data exfiltration threat, (b) to be both malicious and anomalous behavior as compared to a user's modeled email behavior, and (c) any combination of these. The autonomous actions can include actions of logging a user off the email client application, preventing the sending of the email, stripping the attached files and/or disabling the link to the files from the email, and sending a notification to cyber security personnel regarding the email.
    Type: Grant
    Filed: August 27, 2020
    Date of Patent: April 16, 2024
    Assignee: Darktrace Holdings Limited
    Inventors: Stephen Pickman, Matthew Dunn
  • Patent number: 11962608
    Abstract: A cyber-threat defense system for a network including its email domain protects this network from cyber threats. Modules utilize machine learning models as well as communicate with a cyber threat module. Modules analyze the wide range of metadata from the observed email communications. The cyber threat module analyzes with the machine learning models trained on a normal behavior of email activity and user activity associated with the network and in its email domain in order to determine when a deviation from the normal behavior of email activity and user activity is occurring. A mass email association detector determines a similarity between highly similar emails being i) sent from or ii) received by a collection of two or more individual users in the email domain in a substantially simultaneous time frame. Mathematical models can be used to determine similarity weighing in order to derive a similarity score between compared emails.
    Type: Grant
    Filed: October 14, 2022
    Date of Patent: April 16, 2024
    Assignee: Darktrace Holdings Limited
    Inventors: Matthew Dunn, Matthew Ferguson, Stephen Pickman
  • Publication number: 20230403296
    Abstract: A cyber security appliance to protect a domain associated with an organization or user and global domain intelligence data store for centralized storage of analytic results is described. The cyber security appliance features a communication module including one or more input/output (I/O) ports, an email module, and an autonomous response module. The email module comprises email report analytic logic to analyze content within an email authentication report, received via the one or more I/O ports, to detect an email suspected of being malicious when the email is directed to a computing device operating outside of the domain and a source address of the email falsely identifying the domain as part of the source email address. The autonomous response module is configured to cause a first set of autonomous actions to mitigate similar email dissemination over a network.
    Type: Application
    Filed: June 7, 2023
    Publication date: December 14, 2023
    Inventors: Stephen Pickman, Josephus Robertus Krenn
  • Publication number: 20230224327
    Abstract: The email campaign detector checks whether clustered emails with similar characteristics are part of a targeted campaign of malicious emails. An email similarity classifier analyzes a group of emails in order to cluster emails with similar characteristics in the group of emails. A targeted campaign classifier analyzes the clustered emails with similar characteristics to i) check whether the clustered emails with similar characteristics are a) coming from a same threat actor, b) going to a same intended target, and c) any combination of both, as well as ii) verify whether the clustered emails with similar characteristics are deemed malicious. The email campaign detector uses this information from the email similarity classifier and the targeted campaign classifier to provide an early warning system that a targeted campaign of malicious emails is underway. The email campaign detector cooperates with one or more machine learning models to identify emails that are deemed malicious.
    Type: Application
    Filed: March 3, 2023
    Publication date: July 13, 2023
    Inventors: Steven Haworth, Antony Lawson, Stephen Pickman, Matthew Dunn
  • Publication number: 20230044354
    Abstract: A cyber-threat defense system for a network including its email domain protects this network from cyber threats. Modules utilize machine learning models as well as communicate with a cyber threat module. Modules analyze the wide range of metadata from the observed email communications. The cyber threat module analyzes with the machine learning models trained on a normal behavior of email activity and user activity associated with the network and in its email domain in order to determine when a deviation from the normal behavior of email activity and user activity is occurring. A mass email association detector determines a similarity between highly similar emails being i) sent from or ii) received by a collection of two or more individual users in the email domain in a substantially simultaneous time frame. Mathematical models can be used to determine similarity weighing in order to derive a similarity score between compared emails.
    Type: Application
    Filed: October 14, 2022
    Publication date: February 9, 2023
    Applicant: Darktrace Holdings Limited
    Inventors: Matthew Dunn, Matthew Ferguson, Stephen Pickman
  • Publication number: 20230007042
    Abstract: A cyber security appliance (CSA) configurable to protect a computer system from email cyber threat campaigns is disclosed. The CSA may comprise: an email module configured to process all incoming emails and log data and metadata; a cyber threat module configured to assess a severity level of a cyber threat using one or more Artificial Intelligence (AI) models; an AI classifier configured to determine the likelihood of an email cyber threat campaign; an autonomous response module configured to act against emails determined to be threats; and a user interface module configured to generate a report, present data on a display, and show a graphical display of the system indicating the details of a cyber threat campaign.
    Type: Application
    Filed: July 7, 2022
    Publication date: January 5, 2023
    Inventors: Stephen Haworth, Stephen Pickman, Antony Steven Lawson, Paul Lancaster
  • Patent number: 11477222
    Abstract: A cyber-threat defense system for a network including its email domain protects this network from cyber threats. Modules utilize machine learning models as well as communicate with a cyber threat module. Modules analyze the wide range of metadata from the observed email communications. The cyber threat module analyzes with the machine learning models trained on a normal behavior of email activity and user activity associated with the network and in its email domain in order to determine when a deviation from the normal behavior of email activity and user activity is occurring. A mass email association detector determines a similarity between highly similar emails being i) sent from or ii) received by a collection of two or more individual users in the email domain in a substantially simultaneous time frame. Mathematical models can be used to determine similarity weighing in order to derive a similarity score between compared emails.
    Type: Grant
    Filed: January 2, 2020
    Date of Patent: October 18, 2022
    Assignee: Darktrace Holdings Limited
    Inventors: Matthew Dunn, Matthew Ferguson, Stephen Pickman
  • Publication number: 20210194924
    Abstract: An AI adversary red team configured to pentest email and/or network defenses implemented by a cyber threat defense system used to protect an organization and all its entities. AI model(s) trained with machine learning on contextual knowledge of the organization and configured to identify data points from the contextual knowledge including language-based data, email/network connectivity and behavior pattern data, and historic knowledgebase data. The trained AI models cooperate with an AI classifier in producing specific organization-based classifiers for the AI classifier. A phishing email generator generates automated phishing emails to pentest the defense systems, where the phishing email generator cooperates with the AI models to customize the automated phishing emails based on the identified data points of the organization and its entities. The customized phishing emails are then used to initiate one or more specific attacks on one or more specific users associated with the organization and its entities.
    Type: Application
    Filed: February 26, 2021
    Publication date: June 24, 2021
    Inventors: Maximilian Heinemeyer, Stephen Pickman, Carl Joseph Salji
  • Publication number: 20210168161
    Abstract: A cyber-threat defense system for a network including its email domain protects this network from cyber threats. Modules utilize machine learning models as well as communicate with a cyber threat module. Modules analyze the wide range of metadata from the observed email communications. The cyber threat module analyzes with the machine learning models trained on a normal behavior of email activity and user activity associated with the network and in its email domain in order to determine when a deviation from the normal behavior of email activity and user activity is occurring. A mass email association detector determines a similarity between highly similar emails being i) sent from or ii) received by a collection of two or more individual users in the email domain in a substantially simultaneous time frame. Mathematical models can be used to determine similarity weighing in order to derive a similarity score between compared emails.
    Type: Application
    Filed: January 2, 2020
    Publication date: June 3, 2021
    Inventors: Matthew Dunn, Matthew Ferguson, Stephen Pickman
  • Publication number: 20200396190
    Abstract: An endpoint agent extension of a cyber defense system for email that includes modules and machine learning models. An integration module integrates with an email client application to detect email cyber threats in emails in the email client application as well as regulate emails. An action module interfaces with the email client application to direct autonomous actions against an outbound email and/or its files when a cyber threat module determines the email and/or its files (a) to be a data exfiltration threat, (b) to be both malicious and anomalous behavior as compared to a user's modeled email behavior, and (c) any combination of these. The autonomous actions can include actions of logging a user off the email client application, preventing the sending of the email, stripping the attached files and/or disabling the link to the files from the email, and sending a notification to cyber security personnel regarding the email.
    Type: Application
    Filed: August 27, 2020
    Publication date: December 17, 2020
    Inventors: Stephen Pickman, Matthew Dunn