Vulnerability Assessment Patents (Class 726/25)
-
Patent number: 12367441
Abstract: A system and method for quantitative measurement of detection and response control effect on risk. Various parameters are used to determine the value of incident detection and response controls, including Maximum Loss ML, Event Velocity v, Loss Growth Rate G, Visibility V, Recognition R, Monitoring Frequency M, Monitoring Window d, Containment C, Detection and Containment Time T, Recovery Time S, and Realized Loss L.
Type: Grant
Filed: October 27, 2022
Date of Patent: July 22, 2025
Assignee: RiskLens, LLC
Inventors: Jack Jones, Justin Theriot
-
Patent number: 12363155
Abstract: Systems and methods are provided for implementing an adaptive machine learning platform for security penetration and risk assessment. For example, the system can receive publicly-available information associated with a client computer system, process the information to identify an input feature, and implement a machine learning model to identify the corresponding risk associated with the input feature. The system can recommend a penetration test for discovered weaknesses associated with the input feature and help make changes to the client computer system to improve security and reduce risk overall.
Type: Grant
Filed: April 12, 2024
Date of Patent: July 15, 2025
Assignee: Hewlett Packard Enterprise Development LP
Inventors: Suhas Shivanna, Narsimha Nikhil Raj Padal, Nalamati Sai Rajesh
-
Patent number: 12363165
Abstract: The system implements in memory decoys to disrupt the attacker techniques. This has multiple benefits. 1) The attacker is never aware of a decoy present in memory as it is virtually indistinguishable from any regular process on an endpoint. 2) The decoys process also tracks attacker activity from a behavior perspective and predict and preempt the attackers next steps without alerting the attacker. 3) the decoy processes can then provide false information by intercepting the kernel responses to the attackers process and disrupt the attack chain. 4) the decoy processes can also pollute the responses that the attacker is expecting, thereby preventing the attacker from ever achieving execution of the endpoint. 5) The decoy processes also detect the attacker's evasion techniques and adjust accordingly to divert the attacker from ever achieving execution.
Type: Grant
Filed: October 22, 2021
Date of Patent: July 15, 2025
Assignee: G14 Solutions LLC
Inventor: Kiran Kumar Vangaveti
-
Patent number: 12363146
Abstract: Aspects of the subject disclosure may include, for example, obtaining data that identifies network traffic associated with a threat actor, responsive to the obtaining the data, performing feature extraction on the data, resulting in extracted features, classifying the network traffic based on the extracted features, detecting, in accordance with the classifying the network traffic, an action change in the network traffic, resulting in a detected action change, predicting a future traffic profile for the threat actor based on the detected action change, and responsive to the predicting the future traffic profile, generating an alert regarding the future traffic profile, thereby enabling mitigation of a security risk associated with the threat actor. Other embodiments are disclosed.
Type: Grant
Filed: June 19, 2024
Date of Patent: July 15, 2025
Assignee: AT&T Intellectual Property II, L.P.
Inventors: James Brunner, Laurie Kraus, Christopher Iverson, James Cignarella, Krissa Van Hoorebeke
-
Patent number: 12361138
Abstract: Software products that are installed on a computer are identified from application names of application programs on the computer. The application names are pre-filtered to discard those that do not meet initial product filtering criteria that were used to collect sample data from which training datasets for training encoder-only transformer models were selected. Application names that meet initial product filtering criteria are classified using the encoder-only transformer models. Application names that have been classified by the encoder-only transformer models as those of supported products are post-filtered to discard those that do not meet the initial product filtering criteria of corresponding supported products. Application names that have not been discarded by the post-filtering are deemed to be those of software products installed on the computer.
Type: Grant
Filed: May 2, 2023
Date of Patent: July 15, 2025
Assignee: Trend Micro Incorporated
Inventor: ChiChang Kung
-
Patent number: 12363156
Abstract: Systems, methods, and computer-readable storage media for compliance verification and validation of cyber resilience in a distributed entity or third-party network (DETPN). Some methods can include generating or identifying, by one or more processing circuits, one or more compliance parameters for a plurality of entities or third-parties on the DETPN. Some methods can include determining, by the one or more processing circuits, at least one compliance level. Some methods can include receiving or identifying, by the one or more processing circuits, environmental data of the DETPN. Some methods can include determining, by the one or more processing circuits at a second timing phase, an updated at least one compliance level for at least one of the plurality of entities or third-parties based at least on the environmental data. In some implementations, some methods can include generating and storing, by the one or more processing circuits, one or more tokens.
Type: Grant
Filed: January 30, 2025
Date of Patent: July 15, 2025
Assignee: AS0001, Inc.
Inventors: Jonathan J. Thompson, Simon Mullaney
-
Patent number: 12353529
Abstract: An authentication system includes one or more processors and a memory storing instructions executable by the one or more processors to cause the one or more processors to receive a first request for an electronic data action from a user device associated with a user and to select one or more first authentication factors from a plurality of available authentication factors based on a rotation schedule, a random selection, a prior location of the user, a prior activity of the user, a presence of an auxiliary device in a vicinity of the user device, or any combination thereof.
Type: Grant
Filed: September 29, 2022
Date of Patent: July 8, 2025
Assignee: United Services Automobile Association (USAA)
Inventor: Joel S. Hartshorn
-
Patent number: 12353566
Abstract: A machine learning computing system identifies a vulnerability associated with a server. Based on information associated with the server and a knowledge base, the computing system schedules an interval for patching the server in a centralized tracking module. Based on the knowledge base and the vulnerability, the computing system creates, validates, and deploys the patch job. During patch job execution, the computing system monitors the status of the patch job at the server and transmits status updates to a user interface module. After expiration of the interval, the computing system generates an assessment report for the executed patch job. The computing system updates the knowledge base based on the assessment report to improve future decisioning processes. Based on the success or failure of the patch job, the computing system, upon a failure indication, automatically reschedules an interval for patching the server.
Type: Grant
Filed: April 30, 2024
Date of Patent: July 8, 2025
Assignee: Bank of America Corporation
Inventors: Syed Luqman Ahmed, Adi Narayana Rao Garaga
-
Patent number: 12346487
Abstract: A system and method for vulnerability detection. A method includes: tokenizing device attribute data for a device into at least one set of first tokens, wherein each of the first tokens is formatted according to a token schema; creating at least one device attribute string, each device attribute string including one of the first tokens; matching each of the at least one device attribute string to combinations of device attributes stored in a vulnerabilities database in order to identify at least one matching combination of device attributes for the device, wherein the vulnerabilities database stores mappings between combinations of device attributes and vulnerabilities, wherein each combination of device attributes in the vulnerabilities database includes second tokens formatted according to the token schema; detecting at least one vulnerability of the device based on the at least one matching combination of device attributes and the mappings in the vulnerabilities database.
Type: Grant
Filed: April 18, 2022
Date of Patent: July 1, 2025
Assignee: Armis Security Ltd.
Inventors: Evgeny Luk-Zilberman, Tom Hanetz, Ron Shoham, Yuval Friedlander, Gil Ben Zvi
-
Patent number: 12346451
Abstract: A computer-implemented method, computer program product and computing system for: obtaining consolidated platform information for a computing platform to identify one or more deployed security-relevant subsystems; processing the consolidated platform information to identify one or more non-deployed security-relevant subsystems; generating a list of ranked & recommended security-relevant subsystems that ranks the one or more non-deployed security-relevant subsystems; and providing the list of ranked & recommended security-relevant subsystems to a third-party.
Type: Grant
Filed: March 7, 2022
Date of Patent: July 1, 2025
Assignee: RELIAQUEST HOLDINGS, LLC
Inventors: Brian P. Murphy, Joe Partlow, Colin O'Connor, Jason Pfeiffer
-
Patent number: 12339825
Abstract: A building management system includes one or more computer-readable storage media having instructions stored thereon that, when executed by one or more processors, cause the one or more processors to receive threats, the threats each indicating an incident affecting a dynamic risk score associated with an asset, wherein one or more of the threats are current threats that are active at a current point in time and one or more of the threats are historic threats that were active at one or more past times. The instructions cause the one or more processors to generate, based on the one or more current threats, the dynamic risk score at the current point in time, generate, based on the one or more historic threats, a baseline risk score, and cause a user interface to display an indication of the dynamic risk score at the current point in time and an indication of the baseline risk score.
Type: Grant
Filed: September 26, 2018
Date of Patent: June 24, 2025
Assignee: TYCO FIRE & SECURITY GMBH
Inventors: Sajjad Pourmohammad, Jacinta Moore, Maebh Costello, Nicolae Bogdan Pavel, Federico Fala, Jan R. Holliday, Youngchoon Park
-
Patent number: 12339973
Abstract: In one aspect, a system that provides a context-aware code security solution within a continuous integration and continuous deployment (CI/CD) pipeline is disclosed. During operation, the system can receive a set of security vulnerabilities generated by a set of security tools incorporated with the CI/CD pipeline. The system further receives contextual data associated with the set of security vulnerabilities from a set of DevOps tools used by the CI/CD pipeline. Next, the system augments the set of security vulnerabilities with the received contextual data. The system next prioritizes the augmented security vulnerabilities to identify a subset of high-priority vulnerabilities within the set of security vulnerabilities. The system subsequently notifies the owners of the identified subset of high-priority vulnerabilities to cause the subset of high-priority vulnerabilities to be fixed by the owners.
Type: Grant
Filed: September 29, 2022
Date of Patent: June 24, 2025
Assignee: TROMZO, INC.
Inventors: Harshit Naresh Chitalia, Harshil Parikh
-
Patent number: 12341805
Abstract: The present disclosure generally relates to systems and methods for utilization of network mitigation techniques in the form of null address routing to mitigate coordinated DDOS attacks. One or more computing devices can install malware code into a network device after exploiting a vulnerability of the network device. A monitoring and mitigation service can monitor network devices and detect malware code installed on the network-based service. The monitoring and mitigation service can identify the internet protocol (IP) address or any routing information regarding the computing devices that sent the malware code. Based on the identified information, the monitoring and mitigation service can identify and implement the network mitigation information in the form of null routing addresses that will cause network communications associated with the identified computing device to be terminated or otherwise not delivered to the intended network-based resources.
Type: Grant
Filed: June 6, 2022
Date of Patent: June 24, 2025
Assignee: Amazon Technologies, Inc.
Inventors: Kelly Anne Rooker, Lewis Iain McLean, Andrew Robert Hassall, Grace Marie Hatamyar, Thomas Bradley Scholl, Kushal Mall, Darshan Reddy, Bradford Sachin Chatterjee, Bobby Brown, Sidath Manawadu, Karthik Chandrashekar, John Shields, Thomas William Bray, Benjamin Patrick Albertson-Gass
-
Patent number: 12339972
Abstract: A method (300) for linking a common vulnerability and exposure, CVE, (106) with at least one synthetic common platform enumeration, CPE, (112) wherein the CVE (106) comprises a summary of a vulnerability, is disclosed. The method (300) comprising: receiving (S302) the summary of the CVE (106) from a vulnerability database, VD, (104); extracting (S304) information from the summary of the CVE (106) using a Natural Language Processing, NLP, model; building (S306) at least one synthetic CPE (112) based on the extracted information; and linking (S308) the CVE (106) with the at least one synthetic CPE (112).
Type: Grant
Filed: February 12, 2021
Date of Patent: June 24, 2025
Assignee: DEBRICKED AB
Inventor: Carl Emil Orm Wåreus
-
Patent number: 12340194
Abstract: Systems and methods for streamlining risk modeling in software development using natively sourced kernels are described. The system may receive a native kernel for the first model, wherein the native kernel comprises a native code sample and a native description of the native code sample. The system may input the native code sample into an artificial intelligence model to generate a first output. The system may filter the first output based on the native description to generate a first validation assessment for the first model. The system may generate for display, in the user interface, the first validation assessment.
Type: Grant
Filed: December 18, 2023
Date of Patent: June 24, 2025
Assignee: Citibank, N.A.
Inventors: Miriam Silver, Nimrod Barak, Prag Sharma, Avi Gefen
-
Patent number: 12339817
Abstract: A computing device may be configured to continuously, repeatedly, or recursively generate, train, improve, focus, or refine the machine learning classifier models that are used data anomalies. The computing device may create a corpus of data based on architecture or standards documents, generate classifier models based on the corpus of data, collect information from one or more data sources, generate feature vectors based on the collected information, apply the feature vectors to the classifier models to generate an analysis result, and identify a data anomaly based on the generated analysis result.
Type: Grant
Filed: August 30, 2022
Date of Patent: June 24, 2025
Assignee: Charter Communications Operating, LLC
Inventors: Irina Niyazov, Michael Bender, Manoj Acharya
-
Patent number: 12333612
Abstract: Systems, methods, and computer-readable storage media for protecting data. One system includes a processing circuit configured to receive, identify, or collect cybersecurity data. The processing circuit can further be configured to generate metadata from the cybersecurity data based on characterizing the at least one cyber incident or claim. The processing circuit can further be configured to generate or update a protection parameter of one or more protection products of a protector based on the metadata. The processing circuits can further be configured to determine at least two cyber incidents correspond to a catastrophic incident based on the metadata. The processing circuits can further be configured to generate and provide a claim data package including the metadata and the catastrophic incident.
Type: Grant
Filed: April 5, 2024
Date of Patent: June 17, 2025
Assignee: AS0001, Inc.
Inventors: Jonathan J. Thompson, Robert Maxwell Perkins
-
Patent number: 12333038
Abstract: A system and method are provided for assessing whether data files contain sensitive information associated with an entity. The system stores search keywords associated with the entity, generates search terms based on the search keywords, and searches one or more online public databases for data files associated with each search term. The system then generates risk scores for data files in the search results indicating a likelihood that the data files contain information from a data breach associated with the entity. The system identifies data files that contain information from the data breach from the generated risk scores, and transmits a notification to the entity describing the identified data files.
Type: Grant
Filed: May 17, 2023
Date of Patent: June 17, 2025
Assignee: Upguard, Inc.
Inventors: Jacopo Sabbatini, Gregory Ford Pollock, Jonathan David Hendren, Daniel Bradbury, Michael Franz Baukes, Stephen Cossell, Justin Glenn Lloyd
-
Patent number: 12321493
Abstract: A computer-implemented method is provided for interactive communication of a user device with a server, the method including: providing, on the user device, a notification to a user of the user device; acquiring reaction data indicative of a reaction of the user to the notification; and determining, based on the acquired reaction data, a sentiment score for transmission to the server, in which the sentiment score is indicative of a sentiment of the user in reaction to the notification. A nontransitory computer-readable storage medium, an a user device for interactive communication with a server, are also provided.
Type: Grant
Filed: February 18, 2021
Date of Patent: June 3, 2025
Assignee: Philip Morris Products S.A.
Inventors: Debmalya Biswas, Louis Beck
-
Patent number: 12323290
Abstract: Methods are provided for generating hierarchical summaries with actionable recommendations having various granularities. Specifically, the methods involve obtaining notifications related to network issues and generating meta-semantic data that includes a summary of each of the notifications. The methods further involve obtaining inventory data of network devices in a plurality of domains of a network. The inventory data includes configuration information of the network devices. The methods further involve generating a multi-level hierarchical summary specific to the network based on the inventory data and the meta-semantic data. The multi-level hierarchical summary includes a first level specific to one or more affected network devices and a second level specific to a group of network devices. The methods further involve providing the multi-level hierarchical summary for performing one or more actions associated with the network.
Type: Grant
Filed: March 16, 2023
Date of Patent: June 3, 2025
Assignee: CISCO TECHNOLOGY, INC.
Inventors: Qixu Gong, Benjamin L Chang, Qihong Shao, Derek William Engi, Jaime Madruga Rita
-
Patent number: 12314399
Abstract: Attack path information includes information about an attack path including at least one attack step including an attack source, an attack destination, and an attack method. Vulnerability specification means refers to the attack path information and thereby specifies vulnerabilities exploitable by an attack on the attack destination in the attack step. In the vulnerability information DB, vulnerabilities and presence/absence of exploit codes for the vulnerabilities are stored and associated with each other. Diagnosis evaluation generation means refers to the vulnerability information DB, and thereby examines whether or not there is an exploit code for the specified vulnerability and generates, for the attack step, a risk diagnosis evaluation including the number of specified vulnerabilities and the presence/absence of the exploit codes therefor. Output means outputs the attack step and the risk diagnosis evaluation while associating them with each other.
Type: Grant
Filed: September 27, 2019
Date of Patent: May 27, 2025
Assignee: NEC CORPORATION
Inventors: Ryo Mizushima, Hirofumi Ueda, Tomohiko Yagyu
-
Patent number: 12314387
Abstract: Systems and methods for alert management. A method includes analyzing alerts with respect to cybersecurity issues indicated in the alerts to identify at least one group of matching alerts. Each group of matching alerts includes alerts generated by multiple cybersecurity detection tools. A software component associations database is queried based on software components indicated in each of the groups of alerts. The software component associations database stores associations between configuration files of software containers and build files used to build the software containers. At least one group of duplicate alerts is identified among the groups of matching alerts based on associations returned by the software component associations database. The software component indicated by a first alert of each group of duplicate alerts is associated with the software component indicated by a second alert of the group of duplicate alerts. The alerts are managed based on the groups of duplicate alerts.
Type: Grant
Filed: July 29, 2022
Date of Patent: May 27, 2025
Assignee: Dazz, Inc.
Inventors: Oren Yona, Eyal Golombek, Tomer Schwartz, Eshel Yaron, Pavel Resnianski
-
Patent number: 12314382
Abstract: Disclosed in the present application are a model protection method and apparatus, a data processing method and apparatus, and a device and a medium, which are used for improving the security protection of a model. In the present application, a cloud device can determine, from a target model, a first sub-model which is stored in a trusted execution environment (TEE) of a terminal device, and send the first sub-model to the terminal device; the terminal device can store the first sub-model in the TEE of the terminal device; and the TEE can ensure that data processing, etc., are performed in a trusted environment.
Type: Grant
Filed: August 15, 2022
Date of Patent: May 27, 2025
Assignee: CHINA UNIONPAY CO., LTD.
Inventors: Wenhai Yu, Chengqian Chen
-
Patent number: 12301621
Abstract: A hierarchical structure constructor constructs a hierarchical structure that comprises nodes associated with feature sets patterns of URLs. Nodes at each depth are labelled as malicious, benign, or mixed for corresponding to URLs that are malicious, benign, or malicious and benign that match the corresponding patterns. Malicious feature set patterns are extracted from malicious nodes in the hierarchical structure. A URL analyzer operates inline by logging traffic sessions, extracting URLs from the logs, and matching the extracted URLs with the malicious feature sets patterns extracted from the hierarchical structure. The hierarchical structure is periodically updated with known malicious/benign URLs to improve quality of malicious URL detection.
Type: Grant
Filed: October 6, 2022
Date of Patent: May 13, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Yubao Zhang, Fang Liu, Peng Peng, Oleksii Starov
-
Patent number: 12301598
Abstract: A method for detecting anomalous streaming network traffic data in real time includes: creating an anomaly detection model including a singular value matrix and a data pattern matrix from a matrix of historical network traffic data; storing the singular value matrix and the data pattern matrix of the anomaly detection model; receiving streaming network traffic data; performing a log transform on the streaming network traffic data; applying the anomaly detection model to a matrix of the streaming network traffic data in real time as the streaming network traffic data is received; detecting anomalous patterns in the streaming network traffic data based on patterns identified by the anomaly detection model; and associating the anomalous patterns in the streaming network traffic data with IP addresses.
Type: Grant
Filed: August 30, 2021
Date of Patent: May 13, 2025
Assignee: AT&T Intellectual Property I, L.P.
Inventors: Melissa Lee, Johan Muedsam
-
Patent number: 12299619
Abstract: An adaptive risk management application retrieves data corresponding to an asset. The asset is a computing device or software application of an enterprise system. The adaptive risk management system identifies a set of vulnerabilities of the asset. For each vulnerability in the set of vulnerabilities, the adaptive risk management application generates a recommendation for mitigating the vulnerability. The adaptive risk management application generates a user interface for the asset. The user interface comprises a list of the recommendations. The adaptive risk management system provides the user interface for display.
Type: Grant
Filed: June 5, 2020
Date of Patent: May 13, 2025
Assignee: Merck Sharp & Dohme LLC
Inventors: Mark Joseph Risoldi, Sethuraman Balasubramanian
-
Patent number: 12301610
Abstract: Security risk evaluation across user devices is disclosed herein. An example method includes identifying a user and one or more devices associated with the user, collecting information identifying applications used by the user on the one or more devices, determining respective security sub-scores for each item of the one or more devices, computing an overall security score for the user based, at least in part, on an aggregation of the security sub-scores, and creating a user profile based on the overall security score, the user profile to enable the at least one of the one or more devices to exchange data with an external device when the overall security score meets a security score threshold, the user profile to prevent the at least one of the one or more devices from exchanging data with the external device when the overall security score does not meet the security score threshold.
Type: Grant
Filed: August 29, 2022
Date of Patent: May 13, 2025
Assignee: McAfee, LLC
Inventors: Rahul Deshpande, German Lancioni, Celeste Fralick
-
Patent number: 12301625
Abstract: The present disclosure describes defending against an attack execution operation. According to one aspect of the subject matter described in this disclosure, a method for generating a domain-specific language (DSL) file is disclosed. The method may comprise determining, a framework based on an attack repository, determining a first primitive based on the framework, and determining a second primitive based on the framework. In one implementation, the first primitive and the second primitive are fundamental structures or constructs within a DSL. The method further comprises combining the first primitive and the second primitive into a DSL file. In one implementation, the DSL file is executed to defend against a first attack execution operation executed by a threat-actor.
Type: Grant
Filed: October 30, 2023
Date of Patent: May 13, 2025
Assignee: Qualys, Inc.
Inventors: Mayuresh Vishwas Dani, Ankur S. Tyagi
-
Patent number: 12301607
Abstract: In an example, a component analyzer can compute a respective part score for each part of the platform based on a part property table, and a respective connection score for each connection of the platform based on a connection property table. The component analyzer can provide the respective part and connection scores as score data to an architecture modeling engine to compute a probability model based on the score data and an architecture model. The probability model can include a part probability value and a connection probability value, and the architecture model can characterize a target architecture of the platform. A survivability analysis engine can evaluate the probability model and the architecture model to determine a likelihood that one or more potential cyber-attacks on the platform based on the target architecture are successful or unsuccessful in compromising at least one part of the platform.
Type: Grant
Filed: February 17, 2022
Date of Patent: May 13, 2025
Assignee: NORTHROP GRUMMAN SYSTEMS CORPORATION
Inventors: Charles Connors, Geoffrey R. Janjua, Kenneth F. McKinney, Victoria Nagorski, Charles Negus, David Squiller, Lyndsay Walker, Matthew Ward, Kenneth R. Weidele
-
Patent number: 12301617
Abstract: An embodiment of the present invention is directed to implementing an AI security platform that secures AI/ML models while keeping the configuration and implementation simple and streamlined. An embodiment of the present invention is directed to delivering visibility on AI models across an entire organization.
Type: Grant
Filed: February 21, 2023
Date of Patent: May 13, 2025
Assignee: Cranium AI, Inc.
Inventors: Jonathan Dambrot, Daniel Scott Christman, Paul Spicer
-
Patent number: 12301456
Abstract: A software-defined network (SDN) system, device and method comprise one or more input ports, a programmable parser, a plurality of programmable lookup and decision engines (LDEs), programmable lookup memories, programmable counters, a programmable rewrite block and one or more output ports. The programmability of the parser, LDEs, lookup memories, counters and rewrite block enable a user to customize each microchip within the system to particular packet environments, data analysis needs, packet processing functions, and other functions as desired. Further, the same microchip is able to be reprogrammed for other purposes and/or optimizations dynamically.
Type: Grant
Filed: October 10, 2023
Date of Patent: May 13, 2025
Assignee: Marvell Asia PTE, LTD
Inventors: Guy Townsend Hutchison, Sachin Ramesh Gandhi, Tsahi Daniel, Gerald Schmidt, Albert Fishman, Martin Leslie White, Zubin Shah
-
Patent number: 12301612
Abstract: The present describes simulating a threat-actor executing an attack execution operation. According to one aspect of the subject matter described in this disclosure, a method for generating a domain-specific language (DSL) simulant is disclosed. The method may comprise determining, a framework based on an attack repository, determining a first primitive based on the framework, and determining a second primitive based on the framework. In one implementation, the first primitive and the second primitive are fundamental structures or constructs within a DSL. The method further comprises combining the first primitive and the second primitive into a DSL simulant. In one implementation, the DSL simulant is executed to simulate a threat-actor executing an attack execution operation.
Type: Grant
Filed: October 30, 2023
Date of Patent: May 13, 2025
Assignee: Qualys, Inc.
Inventors: Mayuresh Vishwas Dani, Ankur S. Tyagi
-
Patent number: 12302451
Abstract: Techniques for enforcing policies on Internet of Things (IoT) device communications are disclosed. Information associated with a network communication of an IoT device is received. The received information is used to determine a device profile, including a device type, to associate with the IoT device. A recommended security policy to be applied to the IoT device by a security appliance is generated.
Type: Grant
Filed: September 29, 2021
Date of Patent: May 13, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Kalyan Siddam, Jun Du
-
Patent number: 12301602
Abstract: Embodiments of the disclosure are related to a method, apparatus, and system for identity threat detection and response for a client computer network including: collecting network security logs for the client computer network; monitoring the network security logs; generating an alert if a condition of the network security logs matches a correlation rule or an anomaly is determined to meet a predefined condition; and, based upon the alert, initiating an automated response including disabling a user account of the client computer network.
Type: Grant
Filed: September 16, 2022
Date of Patent: May 13, 2025
Assignee: ProSOC, Inc.
Inventors: Jordan Knopp, Bradley Houston Taylor, Brad Catcott
-
Patent number: 12301613
Abstract: A method includes scanning a network having a first and second host, obtaining, via the scanning, a first and second type information of the first and second host, respectively, the first or second type information including a device category the first or second host belongs to, obtaining, via the scanning, a first and second scaling factor of the first and second host, respectively, calculating a first criticality score of the first host based on the first type information and the first scaling factor, calculating a second criticality score of the second host based on the second type information and the second scaling factor, and facilitating to apply a security patch on the first host prior to the second host when the first criticality score is higher than the second criticality score.
Type: Grant
Filed: August 12, 2024
Date of Patent: May 13, 2025
Assignee: Virtualitics, Inc.
Inventors: Vaibhav Anand, Charles Joseph Bonfield, Jae Gook Ro, Brandon Lee Knight, Sarthak Sahu, Ciro Donalek, Michael Amori
-
Patent number: 12292961
Abstract: Implementations generally relate to access and usage of privileged credentials. In some implementations, a method includes receiving, from a mobile device, an access request for privileged credentials. The method further includes accessing one or more predetermined conditional access policies. The method further includes receiving location data associated with the mobile device. The method further includes performing a plurality of location-aware verification checks based on the one or more predetermined conditional access policies and the location data. The method further includes determining whether to grant or to deny the access request based on results from the plurality of location-aware verification checks.
Type: Grant
Filed: December 6, 2022
Date of Patent: May 6, 2025
Assignee: JPMORGAN CHASE BANK, N.A.
Inventors: Matthew Murphy, Rocky Maufort
-
Patent number: 12292976
Abstract: The risk evaluation apparatus evaluates the risk of a machine learning model. The risk evaluation apparatus includes a recording unit, a loss function regression model acquirer, an attack noise addition unit, an error acquisition unit, and an evaluation unit. The recording unit records a set of predetermined loss functions and a set of pairs of data and labels predetermined. The loss function regression model acquirer determines a regression model of the loss function in the vicinity of data by nonparametric regression. The attack noise addition unit creates attack data that is an Adversarial Example using the regression model. The error acquisition unit determines the error between the output of the machine learning model when the data is input and the output of the machine learning model when the attack data is input. The evaluation unit evaluates the risk based on a set of errors.
Type: Grant
Filed: January 14, 2020
Date of Patent: May 6, 2025
Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
Inventors: Rina Okada, Satoshi Hasegawa
-
Patent number: 12292973
Abstract: A method for generating a query filter list includes obtaining a set of training queries, each training query comprising a predicate and one or more accessed columns returned from evaluating the predicate, and transforming the set of training queries into a structure. The structure relates, for an accessed column and a training query, the predicate and a correlation value to the accessed column. The method further includes normalizing the structure into a normalized structure, the normalized structure grouping entries in the structure according to accessed column. The method further includes generating a generalized query from the normalized structure, and adding the generalized query to the query filter list.
Type: Grant
Filed: February 22, 2022
Date of Patent: May 6, 2025
Assignee: Oracle International Corporation
Inventors: Kostyantyn Vorobyov, Padmanabhan Krishnan
-
Patent number: 12292988
Abstract: In order to efficiently perform security inspection, an inspection support apparatus includes a reception processing section configured to receive information related to a plurality of activity histories for security inspections performed by a plurality of inspection apparatuses, a specifying section configured to specify a conforming activity history meeting a predetermined correlation condition, from the plurality of activity histories, and a generating section configured to generate information related to the conforming activity history.
Type: Grant
Filed: December 20, 2019
Date of Patent: May 6, 2025
Assignee: NEC CORPORATION
Inventor: Kentaro Sonoda
-
Patent number: 12293393
Abstract: Provided is a computer-implemented method, system, and computer program product for predictive service orchestration using threat modeling analytics. A processor may identify a plurality of attributes of a client computing environment. The processor may collect threat modeling content for a plurality of vendor computing environments. The processor may analyze the threat modeling content for the plurality of vendor computing environments. The processor may compare the analyzed threat modeling content for the plurality of vendor computing environments with the plurality of attributes of the client computing environment. The processor may generate, based on the comparing, a client threat model for the client computing environment.
Type: Grant
Filed: May 24, 2022
Date of Patent: May 6, 2025
Assignee: International Business Machines Corporation
Inventors: Asmahan Ali, Mustafa Mah, Abhishek Jain, Sasikanth Eda
-
Patent number: 12293321
Abstract: A method including collating data from a plurality of data sources into a first data repository; identifying, using a machine-learning model, class clusters and relationship clusters of the collated data in the first data repository; generating a domain-specific semantic model as a graph-structured data model based on the identified class clusters and relationship clusters; generating a data object model using the domain-specific semantic model and the collated data in the first data repository; creating a first domain-specific knowledge graph by associating the data object model with the domain-specific semantic model; creating a cross-domain analytics knowledge graph for deriving insights involving cross-domain analytics by merging the first domain-specific knowledge graph with a second domain-specific knowledge graph created from a second data repository; and deriving insights corresponding to performance of one or more of an asset or a process in a facility based on utilization of the cross-domain analyti
Type: Grant
Filed: November 21, 2022
Date of Patent: May 6, 2025
Assignee: HONEYWELL INTERNATIONAL, INC.
Inventors: Nagarjuna Reddy Chevuru, Sanjay Baronia
-
Patent number: 12292991
Abstract: A method for managing a data protection module (DPM) includes: obtaining metadata associated with the DPM; analyzing the metadata to extract relevant data; making, based on the relevant data, a first determination that a resource-related change has occurred in the DPM; making, based on the first determination, a second determination that the resource-related change is an increased resource-related change; sending, based on the second determination, the relevant data to a vendor environment (VE) analyzer; in response to sending the relevant data, receiving a recommendation from the VE analyzer; sending the recommendation to a user of a client about the recommendation using a graphical user interface (GUI) of the client; making, after sending the recommendation to the user, a third determination that the DPM is not reconfigured by the user based on the recommendation; and resending, based on the third determination, the recommendation to the user using the GUI.
Type: Grant
Filed: March 10, 2023
Date of Patent: May 6, 2025
Assignee: Dell Products L.P.
Inventors: Gururaj Kulkarni, Shelesh Chopra, Mahantesh Ambaljeri
-
Patent number: 12292982
Abstract: A method for unifying risks and remediations associated with entities in application and infrastructure code, including the steps of: defining governance rules; fetching data from more than one source; extracting features from the data in a unified manner; formalizing sub-entities from the extracted features, the formalized sub-entities representing the extracted features in a formal and unified manner; providing a plurality of entities from the formalized sub-entities, matching and unifying sub-entities having common extracted features into single entities of the plurality of entities; aggregating risks and remediations of each of the same sub-entities and assigning the aggregated risks and remediations to the corresponding single entity; and computing risk priority and triggering workflows based on the matched governance rules.
Type: Grant
Filed: October 27, 2022
Date of Patent: May 6, 2025
Assignee: APIIRO LTD.
Inventors: Idan Plotnik, Yonatan Eldar, Eli Shalom, Ariel Levy
-
Patent number: 12289336
Abstract: Implementations are directed to methods, systems, and apparatus for ontology-based risk propagation over digital twins. Actions include obtaining knowledge graph data defining a knowledge graph including nodes and edges between the nodes, the nodes including asset nodes representing assets and process nodes representing processes; each edge representing a relation between nodes; determining, from the knowledge graph, an aggregated risk for a first process represented by a first process node, including: identifying, for the first process node, a set of incoming nodes, each incoming node comprising an asset node or a process node and being connected to the first process node by a respective edge; determining a direct risk for the first process; and determining an indirect risk for the first process; and generating, based on the aggregated risk for the first process node, a mitigation recommendation including actions for reducing the aggregated risk for the first process node.
Type: Grant
Filed: April 3, 2023
Date of Patent: April 29, 2025
Assignee: Accenture Global Solutions Limited
Inventors: Gal Engelberg, Eitan Hadar, Dan Klein, Adrian Kuboszek
-
Patent number: 12289293
Abstract: This document describes, among other things, network security systems that incorporate a feedback loop so as to automatically and dynamically adjust the scope of network traffic that is subject to inspection. Risky traffic can be sent for inspection; risky traffic that is demonstrated to have a high rate of threats can be outright blocked without further inspection; traffic that is causing errors due to protocol incompatibility or should not be inspected for regulatory or other reasons can be flagged so it bypasses the security inspection system. The system can operate on a domain by domain basis, IP address basis, or otherwise.
Type: Grant
Filed: November 17, 2023
Date of Patent: April 29, 2025
Assignee: Akamai Technologies, Inc.
Inventors: Eugene (“John”) Neystadt, Eyal Heiman, Elisha Ben-Zvi, Asaf Nadler
-
Patent number: 12289334
Abstract: Disclosed embodiments relate to systems and methods for composite risk scores for network resources. Techniques include retrieving data associated with multiple network resources. The retrieved data is used to perform a first assessment for each of the multiple network resources to estimate a vulnerability level for each of the multiple network resources. The retrieved data is also used to perform a second assessment for each of the multiple network resources to estimate an importance level for each of the multiple network resources. Based on a result of the first assessment and a result of the second assessment, a composite risk score for each of the multiple network resources is determined. When needed, a security response is performed based on the determined composite risk score of a specific network resource among the multiple network resources.
Type: Grant
Filed: April 20, 2022
Date of Patent: April 29, 2025
Assignee: CyberArk Software, Ltd.
Inventor: Asaf Hecht
-
Patent number: 12289306
Abstract: Provided are computer-implemented methods for authenticating a mobile device based on a real-time mobile device application profile which may include generating, with a mobile device application on a mobile device, a real-time mobile device application profile associated with the mobile device, receiving the mobile device application profile by the mobile device; and determining whether there is an anomaly between the real-time mobile device application profile and a historical mobile device application profile associated with the mobile device. The methods may also include performing a remedial action associated with a transaction based on determining that there is an anomaly between the real-time mobile device application profile and the historical mobile device application profile. Systems and computer program products are also provided.
Type: Grant
Filed: December 17, 2019
Date of Patent: April 29, 2025
Assignee: Visa International Service Association
Inventors: Navendu Misra, Pratik Jayant Sanghvi, Vahini Mohan
-
Patent number: 12287871
Abstract: Provided is an intrusion detection technique configured to: obtain kernel-filter criteria indicative of which network traffic is to be deemed potentially malicious, determine that a network packet is resident in a networking stack, access at least part of the network packet, apply the kernel-filter criteria to the at least part of the network packet and, based on applying the kernel-filter criteria, determining that the network packet is potentially malicious, associate the network packet with an identifier of an application executing in userspace of the operating system and to which or from which the network packet is sent, and report the network packet in association with the identifier of the application to an intrusion-detection agent executing in userspace of the operating system of the host computing device, the intrusion-detection agent being different from the application to which or from which the network packet is sent.
Type: Grant
Filed: April 17, 2024
Date of Patent: April 29, 2025
Assignee: Huntress Labs Incorporated
Inventors: Robert Julian Noeth, Ernest Gregory Ake
-
Patent number: 12289337
Abstract: A system and method of processing data on detected vulnerabilities using a learning vulnerability processing model to generate refined vulnerability data that excludes one or more of a false positive finding, a repeated item, and an inaccurate finding assignment, the learning vulnerability processing model being trained and evaluated using a task component that outputs one or more evaluation processes for a corresponding one or more processed vulnerability records and a performance measurement component that executes the one or more evaluation processes to output one or more evaluation metrics, the one or more evaluation metrics comprising a comparison metric for a comparison between respective one or more potential error indicators in the raw vulnerability data and corresponding one or more vulnerability type classifications using the learning vulnerability processing model.
Type: Grant
Filed: May 23, 2023
Date of Patent: April 29, 2025
Assignee: Saudi Arabian Oil Company
Inventors: Naif A Alkelaibi, Abdulrahman Mamoun Naffaa, Faraj R Ajmi, Yasser A Gahtani
-
Patent number: 12289320
Abstract: A network security system includes a network interface configured to connect to a public wide area network and a first malicious activity detection subsystem configured to extract from textual sources on the network different threat levels in a first threat category for addresses on the wide area network. One or more further malicious activity detection subsystems are configured to extract from textual sources on the network different threat levels in one or more further threat categories. A weighting subsystem is configured to provide weighted threat levels for addresses on the wide area network for the first and further malicious activity detection subsystems. A scoring subsystem is responsive to the weighting subsystem to derive an aggregated, weighted threat score for each of the network addresses. An address proximity engine can determine a measure of logical proximity of network addresses independently of any measure of physical proximity between them.
Type: Grant
Filed: April 5, 2017
Date of Patent: April 29, 2025
Assignee: Recorded Future, Inc.
Inventors: Staffan Truvé, Bill Ladd