Patents by Inventor Wah-Kwan Lin

Wah-Kwan Lin has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11356463
    Abstract: Methods and systems for detecting malicious processes. Methods described herein gather data regarding process locations and calculate one or more inequality indicators related to the process paths based on economic principles. Instances of inequality with respect to process paths may indicate a path is uncommon and therefore the associated binary is used for malicious purposes.
    Type: Grant
    Filed: September 18, 2019
    Date of Patent: June 7, 2022
    Assignee: Rapid7, Inc.
    Inventors: Roy Hodgman, Oliver Keyes, Wah-Kwan Lin, Michael Scutt, Timothy Stiller
  • Patent number: 11301494
    Abstract: Methods, systems, and processes to optimize role level identification for computing resource allocation to perform security operations in networked computing environments. A role level classifier to process a training dataset that corresponds to a clean title is generated from a subset of entities associated with the clean title. An initial effective title determined by the role level classifier based on processing the training dataset is assigned to an entity. A new effective title based on feature differences between the initial effective title and the clean title is re-assigned to the entity. Performance of the generating, the assigning, and the re-assigning is repeated using the new effective title instead of the clean title.
    Type: Grant
    Filed: October 8, 2018
    Date of Patent: April 12, 2022
    Assignee: Rapid7, Inc.
    Inventors: Vasudha Shivamoggi, Wah-Kwan Lin, Roy Hodgman
  • Patent number: 11290479
    Abstract: Approaches provide for securing an electronic environment. A threat analysis service can obtain data for devices, users, and threats from disparate sources and can correlate users to devices and threats to build an understanding of an electronic environment's operational, organizational, and security concerns in order to provide customized security strategies and remediations. Additionally, the threat analysis service can develop a model of an electronic environment's behavior by monitoring and analyzing the various data from the data sources. The model can be updated such that the threat analysis service can tailor its orchestration to complement existing operational processes.
    Type: Grant
    Filed: August 11, 2018
    Date of Patent: March 29, 2022
    Assignee: Rapid7, Inc.
    Inventors: Roy Hodgman, Wah-Kwan Lin, Vasudha Shivamoggi
  • Publication number: 20210385253
    Abstract: Disclosed herein are methods, systems, and processes to detect valid clusters and eliminate spurious clusters in cybersecurity-based computing environments. A cluster detection and elimination model is trained by accessing a dataset with raw data that includes data points associated with computing devices in a network and applying two or more different clustering methodologies independently to the dataset. The resulting cluster detection and elimination model is used to compare two or more clusters to determine whether a cluster from one clustering methodology matches another cluster from another clustering methodology based on centroid locations and shared data points.
    Type: Application
    Filed: August 24, 2021
    Publication date: December 9, 2021
    Applicant: Rapid7, Inc.
    Inventors: Vasudha Shivamoggi, Roy Hodgman, Wah-Kwan Lin
  • Publication number: 20210360406
    Abstract: Methods and systems for classifying a device on a network. The systems and methods may receive network activity data associated with an unknown device. A classifier executing one or more machine learning models may then classify the device as an internet of things (IoT) device or a non-IoT device.
    Type: Application
    Filed: August 2, 2021
    Publication date: November 18, 2021
    Applicant: Rapid7, Inc.
    Inventors: Deral Heiland, Dustin Myers, Wah-Kwan Lin
  • Patent number: 11128667
    Abstract: Disclosed herein are methods, systems, and processes to detect valid clusters and eliminate spurious clusters in cybersecurity-based computing environments. A cluster detection and elimination model is trained by accessing a dataset with raw data that includes data points associated with computing devices in a network and applying two or more different clustering methodologies independently to the dataset. The resulting cluster detection and elimination model is used to compare two or more clusters to determine whether a cluster from one clustering methodology matches another cluster from another clustering methodology based on centroid locations and shared data points.
    Type: Grant
    Filed: November 29, 2018
    Date of Patent: September 21, 2021
    Assignee: Rapid7, Inc.
    Inventors: Vasudha Shivamoggi, Roy Hodgman, Wah-Kwan Lin
  • Patent number: 11115823
    Abstract: Methods and systems for classifying a device on a network. The systems and methods may receive network activity data associated with an unknown device. A classifier executing one or more machine learning models may then classify the device as an internet of things (IoT) device or a non-IoT device.
    Type: Grant
    Filed: April 30, 2019
    Date of Patent: September 7, 2021
    Assignee: Rapid7, Inc.
    Inventors: Deral Heiland, Dustin Myers, Wah-Kwan Lin
  • Patent number: 10848516
    Abstract: Disclosed herein are methods, systems, and processes for utilizing computing entity resolution for network asset correlation. A generated canonical dataset that includes the identities of existing computing devices is accessed and a scanned dataset generated by a security server that includes an identity of a scanned computing device is received. Paired records that include the identities of the existing computing devices and the identity of the scanned computing device are generated from the canonical dataset and the scanned dataset and user input applicable to the paired records that indicates whether the identity of the scanned computing device matches an identity of an existing computing device is received. A network asset correlator that indicates a disparate correlation between each of the existing computing devices and a newly-scanned computing device that is part of a newly-scanned dataset generated by the security server without requiring a subsequent user input is generated.
    Type: Grant
    Filed: October 2, 2018
    Date of Patent: November 24, 2020
    Assignee: Rapid7, Inc.
    Inventor: Wah-Kwan Lin
  • Publication number: 20200184367
    Abstract: Disclosed herein are methods, systems, and processes to automate cluster interpretation in computing environments to develop targeted remediation security actions. To interpret clusters that are generated by a clustering methodology without subjecting clustered data to classifier-based processing, separation quantifiers that indicate a spread in feature values across clusters are determined and used to discover relative feature importances of features that drive the formation of clusters, permitting a security server to identify features that discriminate between clusters.
    Type: Application
    Filed: December 10, 2018
    Publication date: June 11, 2020
    Inventors: Vasudha Shivamoggi, Roy Hodgman, Wah-Kwan Lin
  • Publication number: 20200177633
    Abstract: Disclosed herein are methods, systems, and processes to detect valid clusters and eliminate spurious clusters in cybersecurity-based computing environments. A cluster detection and elimination model is trained by accessing a dataset with raw data that includes data points associated with computing devices in a network and applying two or more different clustering methodologies independently to the dataset. The resulting cluster detection and elimination model is used to compare two or more clusters to determine whether a cluster from one clustering methodology matches another cluster from another clustering methodology based on centroid locations and shared data points.
    Type: Application
    Filed: November 29, 2018
    Publication date: June 4, 2020
    Applicant: Rapid7, Inc.
    Inventors: Vasudha Shivamoggi, Roy Hodgman, Wah-Kwan Lin
  • Publication number: 20200110833
    Abstract: Disclosed herein are methods, systems, and processes to optimize role level identification for computing resource allocation to perform security operations in networked computing environments. A role level classifier to process a training dataset that corresponds to a clean title is generated from a subset of entities associated with the clean title. An initial effective title determined by the role level classifier based on processing the training dataset is assigned to an entity. A new effective title based on feature differences between the initial effective title and the clean title is re-assigned to the entity. Performance of the generating, the assigning, and the re-assigning is repeated using the new effective title instead of the clean title.
    Type: Application
    Filed: October 8, 2018
    Publication date: April 9, 2020
    Applicant: Rapid7, Inc.
    Inventors: Vasudha Shivamoggi, Wah-Kwan Lin, Roy Hodgman
  • Publication number: 20200106798
    Abstract: Disclosed herein are methods, systems, and processes for utilizing computing entity resolution for network asset correlation. A generated canonical dataset that includes the identities of existing computing devices is accessed and a scanned dataset generated by a security server that includes an identity of a scanned computing device is received. Paired records that include the identities of the existing computing devices and the identity of the scanned computing device are generated from the canonical dataset and the scanned dataset and user input applicable to the paired records that indicates whether the identity of the scanned computing device matches an identity of an existing computing device is received. A network asset correlator that indicates a disparate correlation between each of the existing computing devices and a newly-scanned computing device that is part of a newly-scanned dataset generated by the security server without requiring a subsequent user input is generated.
    Type: Application
    Filed: October 2, 2018
    Publication date: April 2, 2020
    Inventor: Wah-Kwan Lin
  • Publication number: 20200053115
    Abstract: Approaches provide for securing an electronic environment. A threat analysis service can obtain data for devices, users, and threats from disparate sources and can correlate users to devices and threats to build an understanding of an electronic environment's operational, organizational, and security concerns in order to provide customized security strategies and remediations. Additionally, the threat analysis service can develop a model of an electronic environment's behavior by monitoring and analyzing the various data from the data sources. The model can be updated such that the threat analysis service can tailor its orchestration to complement existing operational processes.
    Type: Application
    Filed: August 11, 2018
    Publication date: February 13, 2020
    Inventors: Roy Hodgman, Wah-Kwan Lin, Vasudha Shivamoggi
  • Patent number: 10462162
    Abstract: Methods and systems for detecting malicious processes. Methods described herein gather data regarding process locations and calculate one or more inequality indicators related to the process paths based on economic principles. Instances of inequality with respect to process paths may indicate a path is uncommon and therefore the associated binary is used for malicious purposes.
    Type: Grant
    Filed: July 24, 2017
    Date of Patent: October 29, 2019
    Assignee: Rapid7, Inc.
    Inventors: Roy Hodgman, Oliver Keyes, Wah-Kwan Lin, Michael Scutt, Timothy Stiller
  • Publication number: 20190230105
    Abstract: Analyzing and reporting anomalous internet traffic data by accepting a request for a connection to a virtual security appliance, collecting attribute data about the connection, applying an alert module to the data, and automatically generating an alert concerning an identified incident. An alert system for analyzing and reporting the anomalous internet traffic data. A processor to analyze and report anomalous internet traffic data.
    Type: Application
    Filed: April 10, 2018
    Publication date: July 25, 2019
    Inventors: Roy Hodgman, Wah-Kwan Lin, Vasudha Shivamoggi
  • Publication number: 20190028491
    Abstract: Methods and systems for detecting malicious processes. Methods described herein gather data regarding process locations and calculate one or more inequality indicators related to the process paths based on economic principles. Instances of inequality with respect to process paths may indicate a path is uncommon and therefore the associated binary is used for malicious purposes.
    Type: Application
    Filed: July 24, 2017
    Publication date: January 24, 2019
    Inventors: Roy Hodgman, Oliver Keyes, Wah-Kwan Lin, Michael Scutt, Timothy Stiller