Abstract: A system for analyzing and clustering darknet traffic streams with word embeddings, comprising a data processing module which collects packets that are sent to non-existing IP addresses that belong to darknet's taps (blackholes) that are deployed over the internet: a port embedding module for performing port sequence embeddings by using a word embedding algorithm on the port sequences extracted from the data processing module while transforming the port sequences into a meaningful numerical feature vectors: a clustering module for performing temporal clustering of the feature vectors over time; and an alert logic and visualization module visualizes the data and provides alerts regarding a cluster that an analyst classified as malicious in the past.

Abstract: A system and methods are provided for determining a vehicle action during a phantom projection attack, including processing a received image to identify a traffic object, and creating from the received image multiple processed images that are applied to respective neural network (NN) models. Latent representations of the multiple processed images from each of the NN models are then fed to a combiner model trained to determine whether the latent representations indicate a phantom projection attack, and, responsively to a determination of a phantom projection attack, issuing a phantom projection indicator.

Abstract: Systems and methods are provided for detecting anomalous messages on a multipoint serial communications bus by extracting features from a first and a second message, including a time delay between the first and the second messages and, for each message, a sender address, a recipient address, a bus number, and a word count. A message transition pattern including the extracted features is generated. A probability of occurrence of the message transition pattern is determined by comparing the message transition pattern to a pattern dictionary, and the second message is determined to be anomalous when the probability is less than a predetermined threshold.

Abstract: A method of monitoring network traffic in a communication network with a sentinel module to detect malicious activity is described. A gateway sentinel module receives network traffic directed through a gateway installed for a local distribution of the network, the gateway connecting the local distribution of the network to a core of the network. Malicious activity in the local distribution is detected based on a combination of: a local machine-learning model for identifying malicious activity in the local distribution, the local machine-learning model modelling network traffic from the local distribution; and a global machine-learning model. The global machine-learning model models network traffic from a plurality of local distributions of the network based training data from a plurality of local sentinel modules executed on a respective plurality of computing nodes. The computing nodes respectively receive network traffic from the plurality of location distributions.

Abstract: Systems and methods are provided for detecting anomalous messages on a multipoint serial communications bus by extracting features from a first and a second message, including a time delay between the first and the second messages and, for each message, a sender address, a recipient address, a bus number, and a word count. A message transition pattern including the extracted features is generated. A probability of occurrence of the message transition pattern is determined by comparing the message transition pattern to a pattern dictionary, and the second message is determined to be anomalous when the probability is less than a predetermined threshold.

Abstract: A system for analyzing and clustering darknet traffic streams with word embeddings, comprising a data processing module which collects packets that are sent to non-existing IP addresses that belong to darknet's taps (blackholes) that are deployed over the internet; a port embedding module for performing port sequence embeddings by using a word embedding algorithm on the port sequences extracted from the data processing module while transforming the port sequences into a meaningful numerical feature vectors; a clustering module for performing temporal clustering of the feature vectors over time; and an alert logic and visualization module visualizes the data and provides alerts regarding a cluster that an analyst classified as malicious in the past.

Abstract: A method of monitoring network traffic in a communication network with a sentinel module to detect malicious activity is described. A gateway sentinel module receives network traffic directed through a gateway installed for a local distribution of the network, the gateway connecting the local distribution of the network to a core of the network. Malicious activity in the local distribution is detected based on a combination of: a local machine-learning model for identifying malicious activity in the local distribution, the local machine-learning model modelling network traffic from the local distribution; and a global machine-learning model. The global machine-learning model models network traffic from a plurality of local distributions of the network based training data from a plurality of local sentinel modules executed on a respective plurality of computing nodes. The computing nodes respectively receive network traffic from the plurality of location distributions.