Abstract: A computer-implemented method of monitoring activity of devices in a network is provided. The method comprises passively collecting data regarding how the devices access the network, and for each device on the network, identifying all other devices on the network with which the device communicates. All communication traffic from the devices to outside the network is identified. A determination is made if there are any required updates and if patches for the devices execute in a fashion defined as safe. A number of risk indicators for privacy risks are determined according to device communication within the network, device communication to outside the network, and update and patch execution. A visualization of any identified risk factors is displayed to a user through a user interface.

Abstract: A computer-implemented method of verifying software is provided. The method comprises creating a number of virtual machines that simulate computing environments and running a number of software program on the virtual machines. The software programs have full access to the simulated computing environments, but the source code of the software program is unavailable. A hypervisor performs virtual machine introspection as the software programs run on the virtual machines, wherein the virtual machines and software programs are unaware the virtual machine introspection is being performed. Telemetry data is collected about the software programs, including any identified threats posed by the software programs to the simulated computing environments, and presented to a user via an interface.

Abstract: A method of automating emulations is provided. The method comprising collecting publicly available network data over a predefined time interval, wherein the collected network data might comprise structured and unstructured data. Any unstructured data is converted into structured data. The original and converted structured data is stored in a database and compared to known network vulnerabilities. An emulated network is created according to the collected network data and the comparison of the structured data with known vulnerabilities. Virtual machines are created to run on the emulated network. Director programs and guest actor programs are run on the virtual machines, wherein the actor programs imitate real user behavior on the emulated network. The director programs deliver task commands to the guest actor programs to imitate real user behavior. The imitated behavior is presented to a user via an interface.

Abstract: A computer-implemented method of deep packet inspection (DPI) in a network is provided. The method comprises collecting data packets comprising a number of traffic flows from a number of devices via a number of traffic taps and classifying each traffic flow according to data about network protocol layers of the packets comprising the traffic flow. Application layer metadata is extracted from the packets. Traffic flow classification data and the extracted metadata are ingested into a data cluster and normalized. The normalized classification data and extracted metadata is then correlated to other data sets.

Abstract: A method for emulating threats in virtual network computing environment is provided. The method comprises creating a number of virtual machines in the virtual network computing environment. A number of threat actors are emulated, wherein each threat actor comprises a number of threat artifacts that form a sequence of attack steps against the virtual network computing environment. The threat actors are then deployed against the virtual network computing environment. Behavioral data about actions of the threat actors in the virtual network computing environment is collected, as is performance data about the virtual network computing environment in response to the threat actors. The collected behavioral and performance data is then presented to a user via an interface.

Abstract: A method of automating emulations is provided. The method comprising collecting publicly available network data over a predefined time interval, wherein the collected network data might comprise structured and unstructured data. Any unstructured data is converted into structured data. The original and converted structured data is stored in a database and compared to known network vulnerabilities. An emulated network is created according to the collected network data and the comparison of the structured data with known vulnerabilities. Virtual machines are created to run on the emulated network. Director programs and guest actor programs are run on the virtual machines, wherein the actor programs imitate real user behavior on the emulated network. The director programs deliver task commands to the guest actor programs to imitate real user behavior. The imitated behavior is presented to a user via an interface.

Abstract: A system, method, and device for cloud forensics and incident response is provided. In an embodiment, a computer-implemented method for performing cloud forensics and incident response includes intercepting, by a cloud incident response module (CIRM), communication between a virtual machine (VM) and a hypervisor. The method also includes extracting, by the CIRM, data from the communication between the VM and the hypervisor according to a forensic policy. Intercepting and extracting the data are transparent to the VM and to the hypervisor. Intercepting and extracting the data are independent of the VM and the hypervisor.

Abstract: A computer-implemented method of monitoring activity of devices in a network is provided. The method comprises passively collecting data regarding how the devices access the network, and for each device on the network, identifying all other devices on the network with which the device communicates. All communication traffic from the devices to outside the network is identified. A determination is made if there are any required updates and if patches for the devices execute in a fashion defined as safe. A number of risk indicators for privacy risks are determined according to device communication within the network, device communication to outside the network, and update and patch execution. A visualization of any identified risk factors is displayed to a user through a user interface.

Abstract: A computer-implemented method of verifying software is provided. The method comprises creating a number of virtual machines that simulate computing environments and running a number of software program on the virtual machines. The software programs have full access to the simulated computing environments, but the source code of the software program is unavailable. A hypervisor performs virtual machine introspection as the software programs run on the virtual machines, wherein the virtual machines and software programs are unaware the virtual machine introspection is being performed. Telemetry data is collected about the software programs, including any identified threats posed by the software programs to the simulated computing environments, and presented to a user via an interface.

Abstract: A computer-implemented method of analyzing malware is provided. The method comprises creating a number of virtual machines that simulate environments and running a number of malware programs on the virtual machines. A hypervisor performs virtual machine introspection as the malware programs run on the virtual machines, wherein the virtual machines and malware programs are unaware the virtual machine introspection is being performed. Behavioral data about the malware programs is collected and presented to a user via an interface.

Abstract: A system, method, and device for cloud forensics and incident response is provided. In an embodiment, a computer-implemented method for performing cloud forensics and incident response includes intercepting, by a cloud incident response module (CIRM), communication between a virtual machine (VM) and a hypervisor. The method also includes extracting, by the CIRM, data from the communication between the VM and the hypervisor according to a forensic policy. Intercepting and extracting the data are transparent to the VM and to the hypervisor. Intercepting and extracting the data are independent of the VM and the hypervisor.

Abstract: A method and apparatus for protecting virtual machines. A computer system creates a copy of a group of the virtual machines in an operating network in a deception network to form a group of cloned virtual machines in the deception network when the group of the virtual machines is accessed by an adversary. The computer system creates an emulation of components from the operating network in the deception network. The components are accessible by the group of the cloned virtual machines as if the group of the cloned virtual machines was in the operating network. The computer system moves network connections for the group of the virtual machines in the operating network used by the adversary from the group of the virtual machines in the operating network to the group of the cloned virtual machines, enabling protecting the group of the virtual machines from actions performed by the adversary.

Abstract: A method and apparatus for protecting virtual machines. A computer system creates a copy of a group of the virtual machines in an operating network in a deception network to form a group of cloned virtual machines in the deception network when the group of the virtual machines is accessed by an adversary. The computer system creates an emulation of components from the operating network in the deception network. The components are accessible by the group of the cloned virtual machines as if the group of the cloned virtual machines was in the operating network. The computer system moves network connections for the group of the virtual machines in the operating network used by the adversary from the group of the virtual machines in the operating network to the group of the cloned virtual machines, enabling protecting the group of the virtual machines from actions performed by the adversary.

Abstract: Embodiments of network testbed creation and validation processes are described herein. A “network testbed” is a replicated environment used to validate a target network or an aspect of its design. Embodiments describe a network testbed that comprises virtual testbed nodes executed via a plurality of physical infrastructure nodes. The virtual testbed nodes utilize these hardware resources as a network “fabric,” thereby enabling rapid configuration and reconfiguration of the virtual testbed nodes without requiring reconfiguration of the physical infrastructure nodes. Thus, in contrast to prior art solutions which require a tester manually build an emulated environment of physically connected network devices, embodiments receive or derive a target network description and build out a replica of this description using virtual testbed nodes executed via the physical infrastructure nodes. This process allows for the creation of very large (e.g.

Abstract: Embodiments of network testbed creation and validation processes are described herein. A “network testbed” is a replicated environment used to validate a target network or an aspect of its design. Embodiments describe a network testbed that comprises virtual testbed nodes executed via a plurality of physical infrastructure nodes. The virtual testbed nodes utilize these hardware resources as a network “fabric,” thereby enabling rapid configuration and reconfiguration of the virtual testbed nodes without requiring reconfiguration of the physical infrastructure nodes. Thus, in contrast to prior art solutions which require a tester manually build an emulated environment of physically connected network devices, embodiments receive or derive a target network description and build out a replica of this description using virtual testbed nodes executed via the physical infrastructure nodes. This process allows for the creation of very large (e.g.