Intrusion Detection Patents (Class 726/23)
-
Patent number: 12063241
Abstract: A system for governing access to a network environment, including: at least one communication node communicatively coupled to a network infrastructure; a network assurance agent configured to monitor the at least one communication node, wherein the network assurance agent performs actions including: generating, in response to an access request for a network resource from the at least one communication node, an environmental model of the at least one communication node relative to the network environment, wherein the environmental model includes operational data of the at least one communication node or at least one other communication node in the network environment, calculating a risk score for the at least one communication node via a machine learning algorithm, based on the environmental model, and granting or denying the access request based on the risk score.
Type: Grant
Filed: April 19, 2022
Date of Patent: August 13, 2024
Assignee: ANDRO COMPUTATIONAL SOLUTIONS, LLC
Inventors: Andrew Louis Drozd, Jithin Jagannath, Anu Jagannath, Keyvan Ramezanpour
-
Patent number: 12056233
Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; and instructions encoded within the memory to instruct the processor to: trace, for a plurality of actions having different direct parent actors, a common responsible parent actor, wherein the instructions determine that the common responsible parent actor caused or directed the plurality of actions; compile a report of the plurality of actions, wherein the actions are grouped by the common responsible parent actor; send the report to a machine or human analysis agent; responsive to the report, receive from the analysis agent a remedial action; and execute the remedial action.
Type: Grant
Filed: March 31, 2021
Date of Patent: August 6, 2024
Assignee: McAfee, LLC
Inventors: Jonathan L. Edwards, David McCormack, Leandro Ignacio Costantino, Manish Kumar
-
Patent number: 12057993
Abstract: Some embodiments of the invention provide a method of detecting and remediating anomalies in an SD-WAN implemented by multiple forwarding elements (FEs) located at multiple sites connected by the SD-WAN. The method receives, from the multiple FEs, multiple sets of flow data associated with application traffic that traverses the multiple FEs. The method uses a first set of machine-trained processes to analyze the multiple sets of flow data in order to identify at least one anomaly associated with at least one particular FE in the multiple FEs. The method uses a second set of machine-trained processes to identify at least one remedial action for remediating the identified anomaly. The method implements the identified remedial action by directing an SD-WAN controller deployed in the SD-WAN to implement the identified remedial action.
Type: Grant
Filed: March 27, 2023
Date of Patent: August 6, 2024
Assignee: VMware LLC
Inventors: Murtaza Zafer, Brennan Marshall Young, Yunxi Li, Akhilesh Gadde, Anand Srinivas, Stephen Craig Connors
-
Patent number: 12058051
Abstract: The present disclosure is directed to network traffic management and load balancing at a cloud-based secure access service accessible to remotely connected user devices. In one example, a cloud-based secure service system includes a network controller configured to receive network traffic from one or more user devices remotely connected to the controller; parse the network traffic into flow data and contextual information associated with the network traffic; determine that the network traffic is to be serviced by a target firewall service at the cloud-based secure service system based on the flow data and the contextual information; and direct the network traffic to the target firewall service to be serviced.
Type: Grant
Filed: February 23, 2022
Date of Patent: August 6, 2024
Assignee: Cisco Technology, Inc.
Inventors: Kyle Andrew Donald Mestery, Mark A. Bakke, William Mark Townsley
-
Patent number: 12056241
Abstract: A system and method for malware detection uses static and dynamic analysis to train a machine learning model. At the training step, static and dynamic features are extracted from training datasets and used to train a malware classification model. The malware classification model is used to classify unknown files based on verdicts from both static and dynamic models.
Type: Grant
Filed: December 27, 2021
Date of Patent: August 6, 2024
Assignee: Acronis International GmbH
Inventors: Sergey Ulasen, Vladimir Strogov, Serguei Beloussov, Stanislav Protasov
-
Patent number: 12050694
Abstract: A rule generation apparatus 100 is an apparatus that automatically generates rules used to analyze an attack, and includes a collection unit 200, an attack success condition generation unit 300, an attack-time history generation unit 400, and a rule generation unit 500.
Type: Grant
Filed: May 18, 2020
Date of Patent: July 30, 2024
Assignee: NEC CORPORATION
Inventor: Tomohiko Yagyu
-
Patent number: 12050715
Abstract: A threat management system provides a collection of queries for investigating security issues within an enterprise. Useful inferences are drawn about the value of different queries, and about the security posture of the enterprise, by monitoring contextual activity such as the popularity and context of query usage, patterns of end user modification to queries, and post-query activity.
Type: Grant
Filed: August 14, 2023
Date of Patent: July 30, 2024
Assignee: Sophos Limited
Inventors: Karl Ackerman, Andrew J. Thomas, Kenneth D. Ray
-
Patent number: 12050687
Abstract: A system and method for detecting malware in portable executable (PE) files is provided. The system and method can include receiving a PE file, parsing the PE file to filter known malware, decompiling the filtered PE file into assembly code and/or p-code, extracting all API call sequences from the p-code, for all API call sequences that match a stored API call sequence, and/or identify the corresponding PE file as malware.
Type: Grant
Filed: January 11, 2024
Date of Patent: July 30, 2024
Assignee: Morgan Stanley Services Group Inc.
Inventors: Chenggang Tong, Fan Liu
-
Patent number: 12045342
Abstract: An information processing device (10) includes an anomaly receiving means (11) for receiving an anomaly detected by a monitoring device installed in a control system, a collating means (12) for receiving the anomaly from the anomaly receiving means (11), making a first determination to determine whether the anomaly matches each of predetermined collating conditions for collating an event contained in an attack procedure and the anomaly, and when the first determination results in a match, making a further second determination to determine whether an event contained in each of predefined attack procedures matches the collating condition determined to match the anomaly, and when the second determination results in a match, specifying an attack procedure containing the event, and an extracting means (13) for extracting an event matching a predetermined extraction condition from the specified attack procedure.
Type: Grant
Filed: October 28, 2019
Date of Patent: July 23, 2024
Assignee: NEC CORPORATION
Inventor: Masafumi Watanabe
-
Patent number: 12047407
Abstract: Systems, methods, and software described herein provide security actions based on the current state of a security threat. In one example, a method of operating an advisement system in a computing environment with a plurality of computing assets includes identifying a security threat within the computing environment. The method further includes, in response to identifying the security threat, obtaining state information for the security threat within the computing environment, and determining a current state for the security threat within the computing environment. The method also provides obtaining enrichment information for the security threat and determining one or more security actions for the security threat based on the enrichment information and the current state for the security threat.
Type: Grant
Filed: August 1, 2023
Date of Patent: July 23, 2024
Assignee: Splunk Inc.
Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas
-
Patent number: 12047416
Abstract: Systems and methods are disclosed for monitoring, evaluating protection against, improving protection against, and simulating phishing threats. Network usage information for users of an organization can be leveraged to determine user-specific network behavior information. This user-specific network behavior information can then be leveraged to better identify incoming threats as well as generate and deploy user-specific phishing lures. Phishing simulation campaigns can be conducted, including by implementing variations in how the phishing lures are presented. Such campaigns can be scored to determine how different presentation variations perform. User-specific phishing lures can be generated using user environment information collected by an agent running on the user's device. Alerts informing users of potential threats can be dynamically updated with different presentation parameters to improve performance.
Type: Grant
Filed: November 10, 2023
Date of Patent: July 23, 2024
Assignee: Copperfasten Technologies Limited
Inventors: Sean Morris, Neil Farrell
-
Patent number: 12047401
Abstract: A method for machine learning-based detection of an automated fraud or abuse attack includes: identifying, via a computer network, a digital event associated with a suspected automated fraud or abuse attack; composing, via one or more computers, a digital activity signature of the suspected automated fraud or abuse attack based on digital activity associated with the suspected automated fraud or abuse attack; computing, via a machine learning model, an encoded representation of the digital activity signature; searching, via the one or more computers, an automated fraud or abuse signature registry based on the encoded representation of the digital activity signature; determining a likely origin of the digital event based on the searching of the automated fraud or abuse signature registry; and selectively implementing one or more automated threat mitigation actions based on the likely origin of the digital event.
Type: Grant
Filed: September 12, 2023
Date of Patent: July 23, 2024
Assignee: Sift Science, Inc.
Inventors: Kostyantyn Gurnov, Wei Liu, Nicholas Benavides, Volha Leusha, Yanqing Bao, Louie Zhang, Irving Chen, Logan Davis, Andy Cai
-
Patent number: 12045363
Abstract: Disclosed in some examples are methods, systems, and machine readable mediums for applications that detect indicators of data exfiltration through applications such as browser-based interfaces. The disclosed system monitors file system element events related to one or more target applications (such as browsers) through operating system interfaces. Once an event of interest is detected, the system interfaces with the browser to determine a context for the event of interest that may include a URL of a website that the user was visiting corresponding to the file system element event. If the URL is directed towards a prohibited site, a notification may be generated that may be used as a signal to alert an administrator. As used herein, a file system element may include a file, directory, folder, archive, blob, raw storage, metadata, or the like. File system element events may include copying, deleting, modifying, or moving a file system element.
Type: Grant
Filed: May 8, 2023
Date of Patent: July 23, 2024
Assignee: Code42 Software, Inc.
Inventors: Robert Juncker, Neil Kulevsky, Andrew Moravec, James Sablatura, Shane Zako
-
Patent number: 12039056
Abstract: Systems, methods, and other embodiments described herein relate to securing software composition information in a software management environment. In one embodiment, a method includes acquiring, in a managing device, identifying information about a software package installed on a remote device, including a unique identifier of an entity associated with the software package, and a secure identifier that combines the unique identifier with a package identifier of the software package. The method includes, responsive to identifying a vulnerability, generating a vulnerability identifier using the unique identifier of the entity and a vulnerability label that identifies a vulnerable package that includes the vulnerability. The method includes comparing the vulnerability identifier with the secure identifier to determine whether the software package includes the vulnerability. The method includes providing a response about the vulnerability when the vulnerability identifier matches the secure identifier.
Type: Grant
Filed: March 10, 2022
Date of Patent: July 16, 2024
Assignee: Denso Corporation
Inventors: Ameer Kashani, Carlos Mora-Golding, Gopalakrishnan Iyer
-
Patent number: 12041075
Abstract: In some implementations, a device may monitor incoming messages to at least one message account of a user. The device may determine, based on monitoring the incoming messages, that one or more messages, of the incoming messages, are associated with resetting authentication information for one or more accounts of the user. The device may determine, based on determining that the one or more messages are associated with resetting authentication information, whether the one or more messages are indicative of abnormal authentication information resetting activity. The device may perform one or more actions based on determining that the one or more messages are indicative of abnormal authentication information resetting activity.
Type: Grant
Filed: August 11, 2021
Date of Patent: July 16, 2024
Assignee: Capital One Services, LLC
Inventors: Joshua Edwards, Michael Mossoba, Abdelkader M'Hamed Benkreira
-
Patent number: 12039042
Abstract: A system to detect abnormal cross authorizations and take action is described. The system determines whether cross authorization event applied to a first trained anomaly detection model and activity post cross authorization event applied to a second trained anomaly detection model is suspicious. An indicator score is determined from rule-based security indications applied to the cross authorization. A security action is taken based on application of the indicator score applied to a threshold.
Type: Grant
Filed: November 1, 2021
Date of Patent: July 16, 2024
Assignee: Microsoft Technology Licensing, LLC
Inventors: Idan Hen, Ilay Grossman, Avichai Ben David
-
Patent number: 12041067
Abstract: When security-related behavior is detected on an endpoint, e.g., through a local security agent executing on the endpoint, a threat management facility associated with the endpoint can interact with a user via a second local security agent on a second endpoint in order to solicit verification, authorization, authentication or the like related to the behavior. In one aspect, an administrator for an enterprise managed by the threat management facility may verify, authorize, or otherwise approve the detected behavior using this technique. In another aspect, a user of the device may use this infrastructure to approve of a potentially risky behavior on one device by using a verification procedure on a second device associated with the user.
Type: Grant
Filed: April 21, 2023
Date of Patent: July 16, 2024
Assignee: Sophos Limited
Inventors: Andrew J. Thomas, Johan Petter Nordwall, Karl Ackerman, Thomas John Walsh, Christoph Georg Hoyer, Mirco Stratmann, Kerav Vaidya
-
Patent number: 12039040
Abstract: A manufacturing system is disclosed herein. The manufacturing system includes one or more stations, a monitoring platform, and a control module. Each station of the one or more stations is configured to perform at least one step in a multi-step manufacturing process for a component. The monitoring platform is configured to monitor progression of the component throughout the multi-step manufacturing process. The control module is configured to detect a cyberattack to the manufacturing system. The control module is configured to perform operations. The operations include receiving control values for a first station of the one or more stations. The operations further include determining that there is a cyberattack based on the control values for the first station using one or more machine learning algorithms. The operations further include generating an alert to cease processing of the component. In some embodiments, the operations further include correcting errors caused by the cyberattack.
Type: Grant
Filed: November 20, 2020
Date of Patent: July 16, 2024
Assignee: Nanotronics Imaging, Inc.
Inventors: Matthew C. Putman, Vadim Pinskiy, Damas Limoge, Andrew Sundstrom
-
Patent number: 12041140
Abstract: Methods and systems for analyzing request to access resources and determining a resource access policy are provided. The resource access system can train, store, evaluate, and deploy machine learning models that learn to output a trust score associated with a resource access request, the trust score relating to the request's legitimacy. A resource access system can receive a request for a resource from a requesting entity. The resource access system can determine an entity profile using request data in the request. The resource access system can request data from the request to determine whether the request is normal or anomalous. Using a policy engine, the resource access system can determine a resource access policy, such as allowing or denying access to the resource.
Type: Grant
Filed: April 2, 2018
Date of Patent: July 16, 2024
Assignee: Visa International Service Association
Inventors: Ajit Gaddam, Ara Jermakyan, Pushkar Joglekar
-
Patent number: 12041094
Abstract: Various embodiments of apparatuses and methods for threat sensor deployment and management in a malware threat intelligence system are described. In some embodiments, the system comprises a plurality of threat sensors, deployed at different network addresses and physically located in different geographic regions in a provider network, which detect interactions from sources. In some embodiments, a threat sensor deployment and management service determines a deployment plan for the plurality of threat sensors, including each threat sensor's associated threat data collectors. The threat data collectors can be of different types such as utilizing different communication protocols or ports, or providing different kinds of responses to inbound communications. The different threat sensors can have different lifetimes.
Type: Grant
Filed: May 1, 2020
Date of Patent: July 16, 2024
Assignee: Amazon Technologies, Inc.
Inventor: Nima Sharifi Mehr
-
Patent number: 12034698
Abstract: Examples of the present disclosure describe systems and methods for providing enhanced security in edge computing environments. A first aspect describes a method for moving security features dynamically applied to an application at a first deployment location to an application at a second deployment location. A second aspect describes a method for locally expanding/contracting an instance of a deployed application. A third aspect describes a method for redirected network traffic associated with detected malicious conduct from a first application deployment environment to a secured second application deployment environment. A fourth aspect describes a method for performing multi-stage network traffic filtering.
Type: Grant
Filed: December 29, 2021
Date of Patent: July 9, 2024
Assignee: Level 3 Communications, LLC
Inventors: Christopher Smith, Michael Benjamin, Peter Brecl
-
Patent number: 12034752
Abstract: A system and method for traffic-based misconfiguration detection. A method includes analyzing a first set of computing interface traffic data to identify types of data included among traffic to and from a computing interface; creating at least one computing interface schema based on the analysis, wherein each computing interface schema defines a plurality of schema fields and a plurality of corresponding schema values, wherein each schema value indicates a normal behavior for the computing interface with respect to the corresponding schema field; and identifying a misconfiguration of the computing interface based on the at least one computing interface schema and a second set of computing interface traffic data.
Type: Grant
Filed: October 20, 2021
Date of Patent: July 9, 2024
Assignee: NONAME GATE LTD
Inventors: Shay Levi, Oz Golan, Oren Shpigel, Aner Morag, Dor Dankner, Ron Martziano, Pavel Vaks, Hila Zigman, Netanel Maman, Yuval Alkalai Tavori
-
Patent number: 12034599
Abstract: Systems, devices, media, and methods are presented for assigning configuration parameters to unknown devices by comparing characteristics of unknown devices to characteristics of known devices. Characteristics of an unknown device are compared to characteristics of known devices to identify a similar device having known configuration parameters. The unknown device is then assigned the configuration parameters of the identified similar device.
Type: Grant
Filed: October 28, 2021
Date of Patent: July 9, 2024
Assignee: Snap Inc.
Inventors: Michael Cieslak, Jiayao Yu, Kai Chen, Farnaz Azmoodeh, Michael David Marr, Jun Huang, Zahra Ferdowsi
-
Patent number: 12032706
Abstract: A method includes receiving, by a computing device, metrics identifying vulnerabilities in an application; collecting, by the computing device, information related to the vulnerabilities; assigning, by the computing device, weights to the metrics using collected information; applying, by the computing device, a machine learning model on the weighted metrics; and generating, by the computing device, a predictive score for the vulnerabilities using the machine learning model.
Type: Grant
Filed: November 30, 2021
Date of Patent: July 9, 2024
Assignee: Kyndryl, Inc.
Inventors: Duraimurugan Govindasamy, Kavitha Suresh Kumar, Puthukode G. Ramachandran
-
Patent number: 12032694
Abstract: A non-transitory, processor-readable medium storing instructions that, when executed by a processor, cause the processor to receive, from a requestor compute device, a first request that references one of an electronic file or a data set stored in a memory. The processor monitors a plurality of subsequent requests originating from the requestor compute device. The instructions cause the processor to identify, based on the monitoring of the plurality of subsequent requests, a detected ransomware type from a plurality of ransomware types. Each ransomware type is associated with a predefined sequence of actions associated with the one of the electronic file or the data set. In response to identifying the detected ransomware type, the processor either generates an alert message that includes an indication of an association between the requestor compute device and the detected ransomware type; or modifies an access control permission associated with the requestor compute device.
Type: Grant
Filed: September 14, 2023
Date of Patent: July 9, 2024
Assignee: Sotero, Inc.
Inventors: Purandar Gururaj Das, Shanthi Boppana
-
Patent number: 12028368
Abstract: A system and method for detecting a combined cybersecurity risk for an artificial intelligence (AI) model is presented. The method includes: inspecting a computing environment for an AI model deployed therein; generating a representation of the AI model in a security database, the security database including a representation of the computing environment; detecting a first cybersecurity risk respective of the AI model; inspecting the computing environment for a cybersecurity object; determining that the AI model is exposed to a toxic combination cybersecurity risk based on the detected first cybersecurity risk and the cybersecurity object; and initiating a mitigation action based on the toxic combination cybersecurity risk.
Type: Grant
Filed: February 22, 2024
Date of Patent: July 2, 2024
Assignee: Wiz, Inc.
Inventors: Amitai Cohen, Barak Sharoni, Alon Schindel, Alon Weiss, Itay Arbel, George Pisha, Maayan Laav, Liron Levin
-
Patent number: 12028354
Abstract: The present application discloses a method, system, and computer system for predicting responses to DNS queries. The method includes receiving a DNS query comprising a subdomain portion and a root domain portion from a client device, determining whether to obtain target address information corresponding to the DNS from a predictive cache, in response to determining to obtain the target address information from the predictive cache, obtaining the target address information from the predictive cache, and providing the target address information to the client device.
Type: Grant
Filed: October 26, 2021
Date of Patent: July 2, 2024
Assignee: Palo Alto Networks, Inc.
Inventors: Daiping Liu, Jun Wang, Wei Xu
-
Patent number: 12028327
Abstract: An authentication system uses machine learning models to quantify a degree of risk that a given request to authenticate as a particular user of an organization is not in fact originating from that user, but rather from a malicious actor attempting to gain access to the user's account. More particularly, the authentication system employs both a user model that quantifies a degree of deviation from a user context in which a particular user typically requests authentication, and an organization model that quantifies a degree of deviation of a current context of the organization from a “normal” context for that organization. The user model and the organization can be employed individually, such as the organization model providing organization administrators with insights into the current security status of the organization, or together, such as using the risk scores of both models when assessing how to respond to a particular authentication request.
Type: Grant
Filed: January 18, 2022
Date of Patent: July 2, 2024
Inventor: Tanvir Islam
-
Patent number: 12026255
Abstract: Adversarial attacks on a machine learning model are detected by receiving vectorized data input into the machine learning model along with outputs of the machine learning model responsive to the vectorized data. The vectorized data corresponds to a plurality of queries of the machine learning model by a requesting user. A confidence level is determined which characterizes a likelihood of the vectorized data being part of a malicious act directed to the machine learning model by the requesting user. Data providing the determined confidence levels can be provided to a consuming application or process. Multi-tenant architectures are also provided in which multiple machine learning models associated with different customers can be centrally monitored.
Type: Grant
Filed: February 14, 2024
Date of Patent: July 2, 2024
Assignee: HiddenLayer, Inc.
Inventors: Tanner Burns, Chris Sestito, James Ballard
-
Patent number: 12026252
Abstract: An information management system includes one or more client computing devices in communication with a storage manager and a secondary storage computing device. The storage manager manages the primary data of the one or more client computing devices and the secondary storage computing device manages secondary copies of the primary data of the one or more client computing devices. Each client computing device may be configured with a ransomware protection monitoring application that monitors for changes in their primary data. The ransomware protection monitoring application may input the changes detected in the primary data into a machine-learning classifier, where the classifier generates an output indicative of whether a client computing device has been affected by malware and/or ransomware. Using a virtual machine host, a virtual machine copy of an affected client computing device may be instantiated using a secondary copy of primary data of the affected client computing device.
Type: Grant
Filed: April 28, 2021
Date of Patent: July 2, 2024
Assignee: Commvault Systems, Inc.
Inventors: Sri Karthik Bhagi, Pratima Laxman Gadhave, Marcelo dos Reis Mansano, Mrityunjay Upadhyay, PurnaChandra Sekhar Bedhapudi, Shyam Sundar Ramkumar
-
Patent number: 12026637
Abstract: A method including setting an initial lookback path length for a current path in a directed acyclic graph. The current path includes a subset of the nodes connected by a sequence of the edges. The method also includes querying, for a current lookback path length, whether a matching key is present in a transition probability dictionary (TPD). The method also includes querying, responsive to the matching key being present in the TPD for the current lookback path length, whether a matching value is present for the matching key. The matching value includes a sample path in the TPD that matches the current path. Responsive to the matching value being present in the TPD for the matching key, a next node associated with the matching value is returned. The next node is connectable in a valid operational relationship to a last node in the current path.
Type: Grant
Filed: April 28, 2023
Date of Patent: July 2, 2024
Assignee: Intuit Inc.
Inventors: Nazif Utku Demiroz, Ashton Phillips Griffin, Robert Pienta, Luis Enrique Castro
-
Patent number: 12021882
Abstract: A machine compromised by malicious activity is detected by identifying an anomalous port opened on an entity of a network. The anomalous port is detected through collaborative filtering using usage patterns derived from normal network traffic using open ports of entities on the network. The collaborative filtering employs single value decomposition with alternating least squares to generate a recommendation score identifying whether an entity having a newly-opened port is likely to be used for malicious activity.
Type: Grant
Filed: May 17, 2022
Date of Patent: June 25, 2024
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC.
Inventors: Omer Karin, Ram Haim Pliskin
-
Patent number: 12021680
Abstract: In an embodiment, a computer implemented method is provided. The method may include quantifying a plurality of component level risks for at least a subset of components in the network. The method may further include simulating cascades of the component level risks, with each corresponding component designated as a risk seed of the subset of components, throughout the network. The method may additionally include quantifying the network level risk as a risk status in a resilience spectrum based on the simulated cascades.
Type: Grant
Filed: April 12, 2022
Date of Patent: June 25, 2024
Assignee: Criticality Sciences, Inc.
Inventor: Theodore G. Lewis
-
Patent number: 12021896
Abstract: A method for detecting spoofed webpages includes: accessing an email; and scanning the email for links. The method also includes, in response to detecting a link in the email: accessing web content contained in a target webpage at the link; extracting target visual features from the web content; accessing a set of verified webpage templates, each verified webpage template in the set of verified webpage templates containing a set of verified features present in a verified webpage associated with a verified resource locator; identifying a particular verified webpage template, in the set of verified webpage templates, containing a particular set of verified features approximating the target visual features; characterizing a difference between the link and a particular verified resource locator associated with the particular verified webpage template; and, in response to the difference exceeding a threshold difference, flagging the email as malicious.
Type: Grant
Filed: December 7, 2022
Date of Patent: June 25, 2024
Assignee: Armorblox LLC
Inventors: Arjun Sambamoorthy, Prashanth Arun, Holly Pike, Chris Wang, D J Sampath, Salil Kanetkar
-
Patent number: 12019745
Abstract: A cyber threat intelligence (CTI) gateway device may receive rules for filtering TCP/IP packet communications events that are configured to cause the CTI gateway device to identify communications corresponding to indicators, signatures, and behavioral patterns of network threats. The CTI gateway device may receive packets that compose endpoint-to-endpoint communication events and, for each event, may determine that the event corresponds to criteria specified by a filtering rule. The criteria may correspond to one or more of the network threat indicators, signatures, and behavioral patterns. The CTI gateway may create a log of the threat event and forward the threat event log to a task queue managed by a cyberanalysis workflow application. Human cyberanalysts use the cyberanalysis workflow application to service the task queue by removing the task at the front of the queue, investigating the threat event, and deciding whether the event is a reportable finding that should be reported to the proper authorities.
Type: Grant
Filed: September 20, 2023
Date of Patent: June 25, 2024
Assignee: Centripetal Networks, LLC
Inventors: Sean Moore, Jonathan R. Rogers, Jess P. Parnell, Zachary Ehnerd
-
Patent number: 12021895
Abstract: A multi-level, ensemble network monitoring system for detection of suspicious network activity from one or more of a plurality of user computing devices on an external network communicatively connected via a network server to a private communication network is disclosed. In malware detection, the ensemble network monitoring system comprises artificial intelligence (AI) with bidirectional long short-term memory (BDLSTM) recurrent neural networks (RNNs) and natural language processing (NLP) to predict possible security threats and then initiate remedial measures accordingly. Enabling a proactive approach to detection and prevention of potential malicious activity, the BDLSTM RNN may perform real-time monitoring and proactively forecast network security violations to block network communications associated with high-risk user computing devices from accessing a private communication network.
Type: Grant
Filed: August 25, 2021
Date of Patent: June 25, 2024
Assignee: Bank of America Corporation
Inventors: Sujatha Balaji, Ramachandran Periyasamy, Sneha Mehta
-
Patent number: 12015630
Abstract: Systems and methods for vulnerability remediation based on a dynamic security model are disclosed. Device connectivity data for an entity external to an identifier entity is received by the identifier entity. A vulnerability is identified and risk-scored based on a property parsed from the device connectivity data. The identifier entity may execute an automatic action to prevent the identifier entity from receiving electronic communications from the affected component of the external entity. Further, based on the risk score meeting various parameters, a hyperlink is generated by the identifier entity and provided to the external entity. The hyperlink may include a remediation executable parametrized using the property parsed from the device connectivity data. The remediation executable may include a reference to a patch structured to remediate the vulnerability. Once the external entity remediates the vulnerability, the external entity may initiate a rescan of its affected component.
Type: Grant
Filed: December 21, 2020
Date of Patent: June 18, 2024
Assignee: Wells Fargo Bank, N.A.
Inventors: Shane Cross, Daniel Fricano, Thomas Gilheany, Peter Anatole Makohon, Dale Miller, Charles Steven Edison, Kodzo Wegba, James Bonk
-
Patent number: 12015641
Abstract: Knowledge about a user is used to determine whether one or more messages received by the user are malicious. The knowledge about the user may be based on the user's financial history such as transaction records. Particularly, a classifier model is trained on a supervised approach using a dataset containing, for example, a categorization of incoming messages (e.g., password change message), the user's aggregated transaction records, message attributes, user attributes, and corresponding classification labels. After the training, the classifier model is deployed to determine whether an incoming message is malicious.
Type: Grant
Filed: July 18, 2023
Date of Patent: June 18, 2024
Assignee: INTUIT INC.
Inventor: Yair Horesh
-
Patent number: 12013943
Abstract: A data processing system and a data processing method are capable of separating application processes. The data processing system of the invention includes a data storage device and at least one processor. When a user operates the at least one processor to execute an application process to access a designated file from the data storage device through a file control module residing in a kernel mode of an operating system, the file control module compares a user account of the user and M rules and M characteristics of the application process with a plurality of execution space setting data previously stored to obtain an authority data, where M is a natural number. The file control module selectively returns the designated file to the application process in accordance with the authority data.
Type: Grant
Filed: April 11, 2022
Date of Patent: June 18, 2024
Assignee: TRUSTONE SECURITY INC.
Inventor: Po-Shao Wu
-
Patent number: 12013928
Abstract: An example computer-implemented method of providing security for a software container includes discovering credentials that a software container is expected to use at runtime. The discovering is performed prior to instantiation of the software container from a container image, and is based on one or more of credentials stored in the container image, credentials stored in runtime configuration data for the software container, and credentials from a secrets management service. An unsafe credential set is determined that includes one or more of the discovered credentials that do not meet predefined credential safety criteria. A runtime request is intercepted from the software container. A credential violation is detected based on the intercepted runtime request attempting to use a credential from the unsafe discovered credential set. A corrective action is performed for the software container based on the detected credential violation.
Type: Grant
Filed: December 7, 2022
Date of Patent: June 18, 2024
Assignee: Aqua Security Software, Ltd.
Inventors: Michael Cherny, Sagie Dulce
-
Patent number: 12013944
Abstract: Novel tools and techniques might provide for implementing Internet of Things (“IoT”) functionality, and, in particular embodiments, implementing added services for OBD2 connection for IoT-capable vehicles. In various embodiments, a portable device (when connected to an OBD2 DLC port of a vehicle) might monitor wireless communications between a vehicle computing system(s) and an external device(s), might monitor vehicle sensor data from vehicular sensors tracking operational conditions of the vehicle, and might monitor operator input sensor data from operator input sensors tracking input by a vehicle operator. The portable device (or a server) might analyze either the monitored wireless communications or a combination of the monitored vehicle sensor data and the monitored operator input sensor data, to determine whether vehicle operation has been compromised.
Type: Grant
Filed: October 19, 2022
Date of Patent: June 18, 2024
Assignee: CenturyLink Intellectual Property LLC
Inventor: Tom Funk
-
Patent number: 12010133
Abstract: Various aspects related to threat management are disclosed. An example method includes monitoring network traffic on a computer network that includes a plurality of endpoints, identifying a software application executing on at least one endpoint from one or more of the sent data or the received data, where execution of the software application is associated with a startup time window and a post-startup time window, determining a security status score for the at least one endpoint based on a comparison of the sent data and the received data with a known pattern of network activity associated with the software application, wherein the known pattern of network activity is based upon the startup time window of the software application, determining a threat status for the at least one endpoint based on the security status score, and, generating an indication of the threat status for the at least one endpoint.
Type: Grant
Filed: April 19, 2022
Date of Patent: June 11, 2024
Assignee: Sophos Limited
Inventor: Karl Ackerman
-
Patent number: 12001555
Abstract: A system and method for detecting and preventing ransomware includes creating a number of watch files in a filesystem, and adding a location and a timestamp of each to an ingest log. A number of native files are found in the filesystem and cataloged, adding the location and the timestamp of each to the ingest log. Periodically, each timestamp of each entry in the ingest log is compared to a current timestamp of a corresponding file in the filesystem and a count of watch files that have changed and a count of native files that have changed is made. If the count of watch and native files that have changed indicate that a ransomware program is running on the computer, the ransomware program is suspended and reported. If a command indicates that the ransomware program is not ransomware, execution of the ransomware program is resumed.
Type: Grant
Filed: June 8, 2023
Date of Patent: June 4, 2024
Assignee: WatchPoint Data, Inc. dpa CryptoStopper
Inventors: Gregory Dale Edwards, Christopher Neal Hartwig
-
Patent number: 12003256
Abstract: A system and method for data compression with intrusion detection, that measures in real-time the probability distribution of an encoded data stream, compares the probability distribution to a reference probability distribution, and uses one or more statistical algorithms to determine the divergence between the two sets of probability distributions to determine if an unusual distribution is the result of a data intrusion. The system comprises both encoding and decoding machines, an intrusion detection module, a codebook training module, and various databases which perform various analyses on encoded data streams.
Type: Grant
Filed: September 3, 2023
Date of Patent: June 4, 2024
Assignee: ATOMBEAM TECHNOLOGIES INC.
Inventors: Joshua Cooper, Aliasghar Riahi, Charles Yeomans
-
Patent number: 11995658
Abstract: An apparatus comprises a processing device configured to monitor for events associated with users interacting with an e-commerce platform, to identify an event type of a given event associated with a given user interacting with the e-commerce platform, and to select, based on the identified event type, at least one of a plurality of machine learning models configured to characterize different types of potentially malicious behavior on the e-commerce platform. The processing device is also configured to determine, utilizing the selected at least one machine learning model, whether the given user is exhibiting at least one of the different types of potentially malicious behavior. The processing device is also configured, responsive to determining that the given user is exhibiting at least one of the different types of potentially malicious behavior, to initiate actions on the e-commerce platform to prevent or mitigate an effect of the potentially malicious behavior.
Type: Grant
Filed: May 25, 2022
Date of Patent: May 28, 2024
Assignee: Dell Products L.P.
Inventors: Tanuj Arcot Omkar, Rodrigo de Souza Scorsatto, Rodrigo da Rosa Righi, Lucas Micol Policarpo, Vinicius Facco Rodrigues, Jorge Luis Victória Barbosa, Rodolfo Stoffel Antunes, Cristiano André da Costa
-
Patent number: 11997118
Abstract: Certain aspects of the present disclosure provide techniques for Scripting attack detection and mitigation. A method generally includes receiving a first report indicating a first violation for a first security policy applied to a first web application; identifying a first plurality of features associated with the first violation; classifying the first violation as a first JavaScript attack based on the first plurality of features; and taking action to mitigate the first JavaScript attack on the first web application.
Type: Grant
Filed: July 24, 2023
Date of Patent: May 28, 2024
Assignee: Intuit, Inc.
Inventors: Siddhesh Yawalkar, Hemant Puri, Swapnil Bhalode, Sandeep Bhatkar, Anant Agrawal, Sangam Shankar, Gabe Gallagher, Erick Lee
-
Patent number: 11997131
Abstract: Disclosed herein are embodiments of systems, methods, and products comprise an analytic server, which detects and defends against malware in-flight regardless of the specific nature and methodology of the underlying attack. The analytic server learns the system's normal behavior during testing and evaluation phase and trains a machine-learning model based on the normal behavior. The analytic server monitors the system behavior during runtime comprising the runtime behavior of each sub-system of the system. The analytic server executes the machine-learning model and compares the system runtime behavior with the normal behavior to identify anomalous behavior. The analytic server executes one or more mitigation instructions to mitigate malware. Based on multiple available options for mitigating malware, the analytic server makes an intelligent decision and takes the least impactful action that has the least impact on the system to maintain mission assurance.
Type: Grant
Filed: September 20, 2022
Date of Patent: May 28, 2024
Assignee: Architecture Technology Corporation
Inventors: Joseph Sirianni, Judson Powers, Robert Joyce
-
Patent number: 11997119
Abstract: A vehicle log transmission device includes: a vehicle log division processor that generates one or more divided logs; existing identifier storage that stores an existing identifier list, which is a list of identifiers corresponding to existing divided logs generated by dividing an existing vehicle log shared between the vehicle log transmission device and a vehicle log analysis server; a vehicle log transmission necessity determiner that determines that a divided log corresponding to an identifier present in the existing identifier list is a first divided log, and that a divided log corresponding to an identifier not present in the existing identifier list is a second divided log; and a vehicle-side communicator that transmits the identifier corresponding to the first divided log to the vehicle log analysis server, and transmits the second divided log to the vehicle log analysis server.
Type: Grant
Filed: April 5, 2021
Date of Patent: May 28, 2024
Assignee: PANASONIC INTELLECTUAL PROPERTY CORPORATION OF AMERICA
Inventors: Ryo Hirano, Takeshi Kishikawa
-
Patent number: 11997109
Abstract: Malicious homoglyphic domain name (MHDN) detection and associated cyber security applications are described. A domain name may be received that may be a potential MHDN. Homoglyphic domain name detection may be performed by, for example, generating a normalized character string corresponding to the input domain name by applying one or more normalization operations to the input domain name, wherein the one or more normalization operations may be configured to reduce homoglyphic characteristics in the input domain name; and generating a plurality of segmentations of the normalized character string, wherein generating each segmentation, of the plurality of segmentations, may comprise segmenting the normalized character string into a respective plurality of segments, and wherein each segmentation may comprise a different plurality of segments. A segmentation may be selected based on cost values corresponding to each respective segmentation determined using a cost function.
Type: Grant
Filed: July 17, 2023
Date of Patent: May 28, 2024
Assignee: Centripetal Networks, LLC
Inventors: Vincent Mutolo, Alexander Chinchilli, Sean Moore, Matthew Sparrow, Connor Tess
-
Patent number: 11994968
Abstract: An analysis system includes a control module generates data gathering parameters and data analysis parameters based on one or more inputs regarding an evaluation of a system aspect under test of a system, a data input module receives system gathered data regarding the system aspect under test to produce gathered data, and a data analysis module configured to generate the evaluation of the system aspect under test based on the data analysis parameters and the gathered data. One or more databases store one or more of the gathered data, the data analysis parameters, and the evaluation of the system aspect under test and one or more data extraction modules interact with the system aspect under test to extract data from the system aspect under test in accordance with a respective portion of the data gathering parameters to produce the system gathered data and provide the system gathered data.
Type: Grant
Filed: March 31, 2021
Date of Patent: May 28, 2024
Assignee: UncommonX Inc.
Inventors: Raymond Hicks, Ryan Michael Pisani, Thomas James McNeela