Abstract: Disclosed herein are methods, systems, and processes for probabilistically identifying anomalous levels of honeypot activity. A honeypot dataset associated with a honeypot network is received and a representative usage value is determined from the honeypot dataset. The representative usage value is identified as being associated with anomalous behavior if the representative usage value deviates from an expected probability distribution. A remediation operation is initiated in the honeypot network in response to the identification of the representative usage value as being associated with the anomalous behavior by virtue of the representative usage value deviating from the expected probability distribution.

Abstract: Disclosed herein are methods, systems, and processes for probabilistically identifying anomalous levels of honeypot activity. A honeypot dataset associated with a honeypot network is received and a representative usage value is determined from the honeypot dataset. The representative usage value is identified as being associated with anomalous behavior if the representative usage value deviates from an expected probability distribution. A remediation operation is initiated in the honeypot network in response to the identification of the representative usage value as being associated with the anomalous behavior by virtue of the representative usage value deviating from the expected probability distribution.

Abstract: Disclosed herein are methods, systems, and processes to detect valid clusters and eliminate spurious clusters in cybersecurity-based computing environments. A cluster detection and elimination model is trained by accessing a dataset with raw data that includes data points associated with computing devices in a network and applying two or more different clustering methodologies independently to the dataset. The resulting cluster detection and elimination model is used to compare two or more clusters to determine whether a cluster from one clustering methodology matches another cluster from another clustering methodology based on centroid locations and shared data points.

Abstract: Methods and systems for classifying a device on a network. The systems and methods may receive network activity data associated with an unknown device. A classifier executing one or more machine learning models may then classify the device as an internet of things (IoT) device or a non-IoT device.

Abstract: Disclosed herein are methods, systems, and processes to optimize role level identification for computing resource allocation to perform security operations in networked computing environments. A role level classifier to process a training dataset that corresponds to a clean title is generated from a subset of entities associated with the clean title. An initial effective title determined by the role level classifier based on processing the training dataset is assigned to an entity. A new effective title based on feature differences between the initial effective title and the clean title is re-assigned to the entity. Performance of the generating, the assigning, and the re-assigning is repeated using the new effective title instead of the clean title.

Abstract: Methods and systems for identifying a network threat are disclosed. The methods described herein may involve receiving at least one permutation of a domain name, wherein the at least one permutation is registered with a domain name registrar. The methods described herein may further involve executing a scanning function to identify an active service on the at least one permutation registered with the domain name registrar and implementing a threat prevention procedure upon identifying an active service on the at least one permutation.

Abstract: Analyzing and reporting anomalous internet traffic data by accepting a request for a connection to a virtual security appliance, collecting attribute data about the connection, applying an alert module to the data, and automatically generating an alert concerning an identified incident. An alert system for analyzing and reporting the anomalous internet traffic data. A processor to analyze and report anomalous internet traffic data.

Abstract: Methods and systems for identifying a network threat are disclosed. The methods described herein may involve receiving at least one permutation of a domain name, wherein the at least one permutation is registered with a domain name registrar. The methods described herein may further involve executing a scanning function to identify an active service on the at least one permutation registered with the domain name registrar and implementing a threat prevention procedure upon identifying an active service on the at least one permutation.

Abstract: Disclosed herein are methods, systems, and processes to automate cluster interpretation in computing environments to develop targeted remediation security actions. To interpret clusters that are generated by a clustering methodology without subjecting clustered data to classifier-based processing, separation quantifiers that indicate a spread in feature values across clusters are determined and used to discover relative feature importances of features that drive the formation of clusters, permitting a security server to identify features that discriminate between clusters.

Abstract: Systems and methods are provided to build a machine learned exploitability risk model that predicts, based on the characteristics of a set of machines, a normalized risk score quantifying the risk that the machines are exploitable by a set of attacks. To build the model, a training dataset is constructed by labeling characteristic data of a population of machines with exploitation test results obtained by simulating a set of attacks on the population. The model is trained using the training data to accurately predict a probability that a given set of machines is exploitable by the set of attacks. In embodiments, the model may be used to make quick assessments about how vulnerable a set of machines are to the set of attacks. In embodiments, the model may be used to compare the effectiveness of different remediation actions to protect against the set of attacks.

Abstract: Methods and systems for training a language processing model. The methods may involve receiving a first log record in a first format, wherein the first log record includes annotations describing items in the first log record, and then creating a second log record in a second format comprising data from the first log record utilizing the annotations in the first log record and a conversion rule set. The second log record may then be used to train a language processing model so that a trained model can identify items in a third log record and the relationships therebetween.

Abstract: Methods and systems for identifying a vulnerability on a network are disclosed. The methods described herein may involve executing a first scanning function to obtain a first view of a network and then filtering the first view of the network for at least one point of exposure of a first entity that originates from a second entity. The methods described herein may further involve executing a secondary scanning function to identify any vulnerabilities of the first entity based on the point of exposure of the first entity that originates from the second entity and implementing a threat prevention procedure upon identifying a vulnerability of the first entity based on the point of exposure of the first entity that originates from the second entity.

Abstract: Disclosed herein are methods, systems, and processes for utilizing computing entity resolution for network asset correlation. A scanned dataset that includes newly scanned node information that identifies newly scanned nodes on a network is received from a security server. The newly scanned node information is extracted from the scanned dataset and indicates that the newly scanned nodes cannot be identified as being part of existing computing devices in the network. The newly scanned node information is processed with a network asset correlator and the processing results in a set of asset correlation results for the newly scanned nodes. An existing computing device is identified based on a highest disparate correlation probability in the set of asset correlation results and the security server is instructed to perform a security action on the identified existing computing device.

Abstract: Methods and systems for parsing log records. A method involves receiving a log record including data regarding a network device's operation and providing the log record to a natural language processing model. The natural language processing model may analyze the log record to identify items in the log record and relationships between items in the log record.

Abstract: Systems and methods are provided to build a machine learned exploitability risk model that predicts, based on the characteristics of a set of machines, a normalized risk score quantifying the risk that the machines are exploitable by a set of attacks. To build the model, a training dataset is constructed by labeling characteristic data of a population of machines with exploitation test results obtained by simulating a set of attacks on the population. The model is trained using the training data to accurately predict a probability that a given set of machines is exploitable by the set of attacks. In embodiments, the model may be used to make quick assessments about how vulnerable a set of machines are to the set of attacks. In embodiments, the model may be used to compare the effectiveness of different remediation actions to protect against the set of attacks.

Abstract: Methods and systems for training a language processing model. The methods may involve receiving a first log record in a first format, wherein the first log record includes annotations describing items in the first log record, and then creating a second log record in a second format comprising data from the first log record utilizing the annotations in the first log record and a conversion rule set. The second log record may then be used to train a language processing model so that a trained model can identify items in a third log record and the relationships therebetween.

Abstract: Systems and methods are provided to build a machine learned exploitability risk model that predicts, based on the characteristics of a set of machines, a normalized risk score quantifying the risk that the machines are exploitable by a set of attacks. To build the model, a training dataset is constructed by labeling characteristic data of a population of machines with exploitation test results obtained by simulating a set of attacks on the population. The model is trained using the training data to accurately predict a probability that a given set of machines is exploitable by the set of attacks. In embodiments, the model may be used to make quick assessments about how vulnerable a set of machines are to the set of attacks. In embodiments, the model may be used to compare the effectiveness of different remediation actions to protect against the set of attacks.

Abstract: Analyzing and reporting anomalous internet traffic data by accepting a request for a connection to a virtual security appliance, collecting attribute data about the connection, applying an alert module to the data, and automatically generating an alert concerning an identified incident. An alert system for analyzing and reporting the anomalous internet traffic data. A processor to analyze and report anomalous internet traffic data.

Abstract: Disclosed herein are methods, systems, and processes to optimize role level identification for computing resource allocation to perform security operations in networked computing environments. A role level classifier to process a training dataset that corresponds to a clean title is generated from a subset of entities associated with the clean title. An initial effective title determined by the role level classifier based on processing the training dataset is assigned to an entity. A new effective title based on feature differences between the initial effective title and the clean title is re-assigned to the entity. Performance of the generating, the assigning, and the re-assigning is repeated using the new effective title instead of the clean title.

Abstract: Analyzing and reporting anomalous internet traffic data by accepting a request for a connection to a virtual security appliance, collecting attribute data about the connection, applying an alert module to the data, and automatically generating an alert concerning an identified incident. An alert system for analyzing and reporting the anomalous internet traffic data. A processor to analyze and report anomalous internet traffic data.