Abstract: Systems, methods, and apparatus, including computer programs encoded on computer storage media, for obtaining, processing, and presenting data related to security events, and for implementing courses of action to protect assets in response to the security events. An event management module identifies malicious activity present on a first network domain and/or a second network domain based on received network domain activity. A threat intelligence module receives data identifying the malicious activity in first data constructs of a predefined data structure. The threat intelligence module obtains additional data related to the identified malicious activity and generates second data constructs that include enriched data regarding the malicious activity. The enriched data includes data describing a campaign in which at least a portion of the malicious activity is involved and one or more courses of action. A course of action module receives the second data constructs and implements a given course of action.

Abstract: Systems, methods, and apparatus, including computer programs encoded on computer storage media, for facilitating communication in an industrial control network. A system includes an industrial control network, one or more controller devices, one or more emulators, and an encryption relay processor. Each controller device can be operable to control one or more operational devices connected to the industrial control network. Each emulator can be configured to communicate with a respective controller device, and each emulator can be configured to reference a respective profile that includes information about security capabilities of the respective controller device. The encryption relay processor can be operable to facilitate communication to and from each emulator over the industrial control network.

Abstract: Systems, methods, and apparatus, including computer programs encoded on computer storage media, for obtaining, processing, and presenting data related to security events, and for implementing courses of action to protect assets in response to the security events. An event management module identifies malicious activity present on a first network domain and/or a second network domain based on received network domain activity. A threat intelligence module receives data identifying the malicious activity in first data constructs of a predefined data structure. The threat intelligence module obtains additional data related to the identified malicious activity and generates second data constructs that include enriched data regarding the malicious activity. The enriched data includes data describing a campaign in which at least a portion of the malicious activity is involved and one or more courses of action. A course of action module receives the second data constructs and implements a given course of action.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for determining a network security threat response. A data structure that represents communication events between computing devices of two or more network domains is received. The data structure is analyzed and a threat scenario that is based on a chain of communication events that indicates a potential attack path is determined. The chain of communication events include a sequence of communication events between computing devices proceeding from an originating computing device to a destination computing device, wherein the originating computing device and the destination computing device exist on different network domains. Attack pattern data, for the threat scenario and from a threat intelligence data source, that is associated with communications between computing devices that occurred during one or more prior attacks is received.

Abstract: Systems, methods, and apparatus, including computer programs encoded on computer storage media, for obtaining, processing, and presenting data related to security events, and for implementing courses of action to protect assets in response to the security events. An event management module identifies malicious activity present on a first network domain and/or a second network domain based on received network domain activity. A threat intelligence module receives data identifying the malicious activity in first data constructs of a predefined data structure. The threat intelligence module obtains additional data related to the identified malicious activity and generates second data constructs that include enriched data regarding the malicious activity. The enriched data includes data describing a campaign in which at least a portion of the malicious activity is involved and one or more courses of action. A course of action module receives the second data constructs and implements a given course of action.

Abstract: Unmanned vehicle (UV) control may include receiving a UV work order and generating a mission request based on the UV work order. The mission request may identify an objective of a mission, assign a UV and a sensor to the mission from a fleet of UVs and sensors, and assign a first movement plan to the mission based on the identified objective of the mission. The assigned UV may be controlled according to the assigned first movement plan, and communication data may be received from the assigned sensor. The communication data may be analyzed to identify an event related to the mission. The identified event and the first movement plan may be analyzed to assign a second movement plan to the mission based on the analysis of the identified event and the first movement plan to meet the identified objective of the mission.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for determining network related anomaly scores. One of the methods includes generating a network map including at least a plurality of network nodes and a plurality of edges that indicate communications paths between the plurality of network nodes, obtaining first data indicating network activity over the edges and between the plurality of network nodes for a first time period, generating a model of expected network activity over the edges and between the plurality of network nodes for a future time period using the network map and the first data, obtaining second data indicating network activity over the edges and between the plurality of network nodes for a second time period, and determining an anomaly score using a comparison between the second data and the model of expected network activity.

Abstract: Systems, methods, and apparatus, including computer programs encoded on computer storage media, for facilitating communication in an industrial control network. A system includes an industrial control network, one or more controller devices, one or more emulators, and an encryption relay processor. Each controller device can be operable to control one or more operational devices connected to the industrial control network. Each emulator can be configured to communicate with a respective controller device, and each emulator can be configured to reference a respective profile that includes information about security capabilities of the respective controller device. The encryption relay processor can be operable to facilitate communication to and from each emulator over the industrial control network.

Abstract: Systems, methods, and apparatus, including computer programs encoded on computer storage media, for facilitating secure communication. A system for facilitating secure communication includes an enterprise network, one or more operational technology networks, and a management server. Each of the operational technology networks can include one or more controller devices operable to control one or more operational devices, and can include a respective site security server and a respective security relay server. The security relay server can be operable to facilitate secure communication between controller devices of the operational technology network and its corresponding site security server. The management server can be a node on the enterprise network and can be operable to communicate with each site security server.

Abstract: Systems, methods, and apparatus, including computer programs encoded on computer storage media, for facilitating communication in an industrial control network. A system includes an industrial control network, one or more controller devices, one or more emulators, and an encryption relay processor. Each controller device can be operable to control one or more operational devices connected to the industrial control network. Each emulator can be configured to communicate with a respective controller device, and each emulator can be configured to reference a respective profile that includes information about security capabilities of the respective controller device. The encryption relay processor can be operable to facilitate communication to and from each emulator over the industrial control network.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for determining a network security threat response. A data structure that represents communication events between computing devices of two or more network domains is received. The data structure is analyzed and a threat scenario that is based on a chain of communication events that indicates a potential attack path is determined. The chain of communication events include a sequence of communication events between computing devices proceeding from an originating computing device to a destination computing device, wherein the originating computing device and the destination computing device exist on different network domains. Attack pattern data, for the threat scenario and from a threat intelligence data source, that is associated with communications between computing devices that occurred during one or more prior attacks is received.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for determining network related anomaly scores. One of the methods includes generating a network map including at least a plurality of network nodes and a plurality of edges that indicate communications paths between the plurality of network nodes, obtaining first data indicating network activity over the edges and between the plurality of network nodes for a first time period, generating a model of expected network activity over the edges and between the plurality of network nodes for a future time period using the network map and the first data, obtaining second data indicating network activity over the edges and between the plurality of network nodes for a second time period, and determining an anomaly score using a comparison between the second data and the model of expected network activity.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for correlating domain activity data. First domain activity data from a first network domain and second domain activity data from a second network domain is received. The first domain activity data and the second domain activity data is filtered to remove irrelevant activity data, based on a first set of profile data for devices in the first network domain and a second set of profile data for devices in the second network domain. Unfiltered first and second domain activity data is aggregated. Aggregated unfiltered first and second domain activity data is correlated to determine an attack path for an attack that occurs across the first network domain and the second network domain, based on attack signatures and profiles associated with previously identified attacks. A visualization of the attack path is generated.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for determining network related anomaly scores. One of the methods includes generating a network map including at least a plurality of network nodes and a plurality of edges that indicate communications paths between the plurality of network nodes, obtaining first data indicating network activity over the edges and between the plurality of network nodes for a first time period, generating a model of expected network activity over the edges and between the plurality of network nodes for a future time period using the network map and the first data, obtaining second data indicating network activity over the edges and between the plurality of network nodes for a second time period, and determining an anomaly score using a comparison between the second data and the model of expected network activity.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for transforming representations of network activity data. A data structure that represents communication events between computing devices of one or more networks is received. The data structure is analyzed and a set of potential attack paths represented in the data structure is determined. A score is assigned to each potential attack path in the set of potential attack paths. Potential attack paths that have scores that do not meet a predetermined threshold are removed from the set of potential attack paths. Potential attack paths that remain in the set of potential attack paths are ranked, based on each score assigned to each potential attack path, and the data structure that includes a ranked set of potential attack paths is provided.

Abstract: Systems, methods, and apparatus, including computer programs encoded on computer storage media, for obtaining, processing, and presenting data related to security events, and for implementing courses of action to protect assets in response to the security events. An event management module identifies malicious activity present on a first network domain and/or a second network domain based on received network domain activity. A threat intelligence module receives data identifying the malicious activity in first data constructs of a predefined data structure. The threat intelligence module obtains additional data related to the identified malicious activity and generates second data constructs that include enriched data regarding the malicious activity. The enriched data includes data describing a campaign in which at least a portion of the malicious activity is involved and one or more courses of action. A course of action module receives the second data constructs and implements a given course of action.

Abstract: Unmanned vehicle (UV) control may include receiving a UV work order and generating a mission request based on the UV work order. The mission request may identify an objective of a mission, assign a UV and a sensor to the mission from a fleet of UVs and sensors, and assign a first movement plan to the mission based on the identified objective of the mission. The assigned UV may be controlled according to the assigned first movement plan, and communication data may be received from the assigned sensor. The communication data may be analyzed to identify an event related to the mission. The identified event and the first movement plan may be analyzed to assign a second movement plan to the mission based on the analysis of the identified event and the first movement plan to meet the identified objective of the mission.

Abstract: Unmanned vehicle (UV) control may include receiving a UV work order and generating a mission request based on the UV work order. The mission request may identify an objective of a mission, assign a UV and a sensor to the mission from a fleet of UVs and sensors, and assign a first movement plan to the mission based on the identified objective of the mission. The assigned UV may be controlled according to the assigned first movement plan, and communication data may be received from the assigned sensor. The communication data may be analyzed to identify an event related to the mission. The identified event and the first movement plan may be analyzed to assign a second movement plan to the mission based on the analysis of the identified event and the first movement plan to meet the identified objective of the mission.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for determining network related anomaly scores. One of the methods includes generating a network map including at least a plurality of network nodes and a plurality of edges that indicate communications paths between the plurality of network nodes, obtaining first data indicating network activity over the edges and between the plurality of network nodes for a first time period, generating a model of expected network activity over the edges and between the plurality of network nodes for a future time period using the network map and the first data, obtaining second data indicating network activity over the edges and between the plurality of network nodes for a second time period, and determining an anomaly score using a comparison between the second data and the model of expected network activity.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for determining network related anomaly scores. One of the methods includes generating a network map including at least a plurality of network nodes and a plurality of edges that indicate communications paths between the plurality of network nodes, obtaining first data indicating network activity over the edges and between the plurality of network nodes for a first time period, generating a model of expected network activity over the edges and between the plurality of network nodes for a future time period using the network map and the first data, obtaining second data indicating network activity over the edges and between the plurality of network nodes for a second time period, and determining an anomaly score using a comparison between the second data and the model of expected network activity.