Abstract: A method for generating a query filter list includes obtaining set of training queries, each training query comprising a predicate and one or more accessed columns returned from evaluating the predicate, and transforming the set of training queries into a structure. The structure relates, for an accessed column and a training query, the predicate and a correlation value to the accessed column. The method further includes normalizing the structure into a normalized structure. The normalized structure grouping entries in the structure according to accessed column. The method further includes generating a generalized query from the normalized structure, and adding the generalized query to the query filter list.

Abstract: A method including collating data from a plurality of data sources into a first data repository; identifying, using a machine-learning model, class clusters and relationship clusters of the collated data in the first data repository; generating a domain-specific semantic model as a graph-structured data model based on the identified class clusters and relationship clusters; generating a data object model using the domain-specific semantic model and the collated data in the first data repository; creating a first domain-specific knowledge graph by associating the data object model with the domain-specific semantic model; creating a cross-domain analytics knowledge graph for deriving insights involving cross-domain analytics by merging the first domain-specific knowledge graph with a second domain-specific knowledge graph created from a second data repository; and deriving insights corresponding to performance of one or more of an asset or a process in a facility based on utilization of the cross-domain analyti

Abstract: In order to efficiently perform security inspection, an inspection support apparatus includes a reception processing section configured to receive information related to a plurality of activity histories for security inspections performed by a plurality of inspection apparatuses, a specifying section configured to specify a conforming activity history meeting a predetermined correlation condition, from the plurality of activity histories, and a generating section configured to generate information related to the conforming activity history.

Abstract: Implementations generally relate to access and usage of privileged credentials. In some implementations, a method includes receiving, from a mobile device, an access request for privileged credentials. The method further includes accessing one or more predetermined conditional access policies. The method further includes receiving location data associated with the mobile device. The method further includes performing a plurality of location-aware verification checks based on the one or more predetermined conditional access policies and the location data. The method further includes determining whether to grant or to deny the access request based on results from the plurality of location-aware verification checks.

Abstract: Provided is a computer-implemented method, system, and computer program product for predictive service orchestration using threat modeling analytics. A processor may identify a plurality of attributes of a client computing environment. The processor may collect threat modeling content for a plurality of vendor computing environments. The processor may analyze the threat modeling content for the plurality of vendor computing environments. The processor may compare the analyzed threat modeling content for the plurality of vendor computing environments with the plurality of attributes of the client computing environment. The processor may generate, based on the comparing, a client threat model for the client computing environment.

Abstract: A method for unifying risks and remediations associated with entities in application and infrastructure code, including the steps of: defining governance rules; fetching data from more than one source; extracting features from the data in a unified manner; formalizing sub-entities from the extracted features, the formalized sub-entities representing the extracted features in a formal and unified manner; providing a plurality of entities from the formalized sub-entities, matching and unifying sub-entities having common extracted features into single entities of the plurality of entities; aggregating risks and remediations of each of the same sub-entities and assigning the aggregated risks and remediations to the corresponding single entity; and computing risk priority and triggering workflows based on the matched governance rules.

Abstract: The risk evaluation apparatus evaluates the risk of a machine learning model. The risk evaluation apparatus includes a recording unit, a loss function regression model acquirer, an attack noise addition unit, an error acquisition unit, and an evaluation unit. The recording unit records a set of predetermined loss functions and a set of pairs of data and labels predetermined. The loss function regression model acquirer determines a regression model of the loss function in the vicinity of data by nonparametric regression. The attack noise addition unit creates attack data that is an Adversarial Example using the regression model. The error acquisition unit determines the error between the output of the machine learning model when the data is input and the output of the machine learning model when the attack data is input. The evaluation unit evaluates the risk based on a set of errors.

Abstract: A method for managing a data protection module (DPM) includes: obtaining metadata associated with the DPM; analyzing the metadata to extract relevant data; making, based on the relevant data, a first determination that a resource-related change has occurred in the DPM; making, based on the first determination, a second determination that the resource-related change is an increased resource-related change; sending, based on the second determination, the relevant data to a vendor environment (VE) analyzer; in response to sending the relevant data, receiving a recommendation from the VE analyzer; sending the recommendation to a user of a client about the recommendation using a graphical user interface (GUI) of the client; making, after sending the recommendation to the user, a third determination that the DPM is not reconfigured by the user based on the recommendation; and resending, based on the third determination, the recommendation to the user using the GUI.

Abstract: A network security system includes a network interface configured to connect to a public wide area network and a first malicious activity detection subsystem configured to extract from textual sources on the network different threat levels in a first threat category for addresses on the wide area network. One or more further malicious activity detection subsystems are configured to extract from textual sources on the network different threat levels in one or more further threat categories. A weighting subsystem is configured to provide weighted threat levels for addresses on the wide area network for the first and further malicious activity detection subsystems. A scoring subsystem is responsive to the weighting subsystem to derive an aggregated, weighted threat score for each of the network addresses. An address proximity engine can determine a measure of logical proximity of network addresses independently of any measure of physical proximity between them.

Abstract: Disclosed embodiments relate to systems and methods for composite risk scores for network resources. Techniques include retrieving data associated with multiple network resources. The retrieved data is used to perform a first assessment for each of the multiple network resources to estimate a vulnerability level for each of the multiple network resources. The retrieved dated is also used to perform a second assessment for each of the multiple network resources to estimate an importance level for each of the multiple network resources. Based on a result of the first assessment and a result of the second assessment, a composite risk score for each of the multiple network resources is determined. When needed, a security response is performed based on the determined composite risk score of a specific network resource among the multiple network resources.

Abstract: This document describes among other things, network security systems that incorporate a feedback loop so as to automatically and dynamically adjust the scope of network traffic that is subject to inspection. Risky traffic can be sent for inspection; risky traffic that is demonstrated to have high rate of threats can be outright blocked without further inspection; traffic that is causing errors due to protocol incompatibility or should not be inspected for regulatory or other reasons can be flagged so it bypasses the security inspection system. The system can operate on a domain by domain basis, IP address basis, or otherwise.

Abstract: A system and method of processing data on detected vulnerabilities using a learning vulnerability processing model to generate refined vulnerability data that excludes one or more of a false positive finding, a repeated item, and an inaccurate finding assignment, the learning vulnerability processing model being trained and evaluated using a task component that outputs one or more evaluation processes for a corresponding one or more processed vulnerability records and a performance measurement component that executes the one or more evaluation processes to output one or more evaluation metrics, the one or more evaluation metrics comprising a comparison metric for a comparison between respective one or more potential error indicators in the raw vulnerability data and corresponding one or more vulnerability type classifications using the learning vulnerability processing model.

Abstract: Provided are computer-implemented methods for authenticating a mobile device based on a real-time mobile device application profile which may include generating, with a mobile device application on a mobile device, a real-time mobile device application profile associated with the mobile device, receiving the mobile device application profile by the mobile device; and determining whether there is an anomaly between the real-time mobile device application profile and a historical mobile device application profile associated with the mobile device. The methods may also include performing a remedial action associated with a transaction based on determining that there is an anomaly between the real-time mobile device application profile and the historical mobile device application profile. Systems and computer program products are also provided.

Abstract: Provided is an intrusion detection technique configured to: obtain kernel-filter criteria indicative of which network traffic is to be deemed potentially malicious, determine that a network packet is resident in a networking stack, access at least part of the network packet, apply the kernel-filter criteria to the at least part of the network packet and, based on applying the kernel-filter criteria, determining that the network packet is potentially malicious, associate the network packet with an identifier of an application executing in userspace of the operating system and to which or from which the network packet is sent, and report the network packet in association with the identifier of the application to an intrusion-detection agent executing in userspace of the operating system of the host computing device, the intrusion-detection agent being different from the application to which or from which the network packet is sent.

Abstract: Implementations are directed to methods, systems, and apparatus for ontology-based risk propagation over digital twins. Actions include obtaining knowledge graph data defining a knowledge graph including nodes and edges between the nodes, the nodes including asset nodes representing assets and process nodes representing processes; each edge representing a relation between nodes; determining, from the knowledge graph, an aggregated risk for a first process represented by a first process node, including: identifying, for the first process node, a set of incoming nodes, each incoming node comprising an asset node or a process node and being connected to the first process node by a respective edge; determining a direct risk for the first process; and determining an indirect risk for the first process; and generating, based on the aggregated risk for the first process node, a mitigation recommendation including actions for reducing the aggregated risk for the first process node.

Abstract: Implementations are directed to receiving graph data representative of a process-aware AAG that is representative of potential lateral movement of adversaries within a computer network, receiving risk profile data representative of a risk profile of an enterprise with respect to two or more risk aspects, generating, by a process-aware risk assessment module, a risk assessment based on the process-aware AAG and the risk profile, and generating, by a mitigation simulator module, a mitigation list based on the process-aware AAG, the risk profile, and the risk assessment, the mitigation list comprising a prioritized list of two or more facts of the process-aware AAG. Other implementations of this aspect include corresponding systems, apparatus, and computer programs, configured to perform the actions of the methods, encoded on computer storage devices.

Abstract: Described herein are systems and methods for identifying security vulnerabilities. The systems and methods herein can utilize security vulnerability information to identify potential security threats and can utilize this information to generate an attack using a machine learning model, such as a large language model. Generated attacks can be carried out to assess impact of a security vulnerability. An output can be provided that represents the assessed impact. In some implementations, the systems and methods herein generate patches or other mitigations for security vulnerabilities, which can be tested and deployed to address security vulnerabilities.

Abstract: Systems and methods are disclosed for providing a cyber resilience rating. A method can include obtaining a plurality of entity indicators. The method can include determining a peer group of entities for the entity based on the entity indicators. The method can include obtaining a plurality of loss event records for the peer group. The method can include executing, based on the loss event records, a plurality of Monte Carlo simulations to generate loss simulation data. The method can include identifying, based on the loss simulation data, an expected probability value. The method can include providing a risk factor score indicative of a cyber security risk of the entity based on the identified expected probability value. The method can include providing a cyber resilience rating for the entity based on a combination of the risk factor score, a fortitude factor score, and a governance factor score.

Abstract: A data processing method a device, and a storage medium are provided. The method includes: detecting, via a security detection device in response to receiving a data message sent by a client, whether a destination server corresponding to the data message is under cyberattack; in response to the destination server being under cyberattack, guiding the data message to a security protection device, and sending a test message to the client via the security protection device; and verifying, via the security protection device, the verification message returned by the client, and in response to the verification succeeding, determining that the client is a valid client and sending the data message to the destination server, or in response to the verification failing, determining that the client is an attacking client and discarding the data message.

Abstract: Methods for securing an electronic communication is provided. In a registration process, an anti-phish, personalized, security token may be created and/or selected for a predetermined account. The token may be stored in a database at an enterprise location. An electronic communication may be generated at a third-party location on behalf of the enterprise. The communication may be forwarded from the third-party location to a recipient associated with the account. The communication may be intercepted at an edge server. The edge server may be located at the third-party location or the enterprise location. The edge server may be in communication with the database. The edge server may select, from the database, the anti-phish token that is associated with the account. The selected token may be injected into the communication. The communication with the token may be transmitted to the recipient.

Abstract: A method for checking an incoming message. In the method, based on the message authentication code, an authentication of the useful data is performed by a hardware security module and the hardware security module is subjected to a function check.

Abstract: Receiving configuration settings (CSs) from a resource using an API; determining a resource risk score (RERS), a first tactic risk score (TARS), a first plurality of technique risk scores (TERSs), a second TARS, and a second TERSs, wherein the RERS is based on the first TARS and the second TARS, wherein the first TARS is based on the first TERSs, wherein the second TARS is based on the second TERSs, wherein each of the first TERSs is based on a subset of a set of policy scores (SPS), wherein each of the second TERSs is based on a subset of the SPS, and wherein each of the SPS is based on compliance of the CSs with a setting; and selecting a most-important technique (MIT) based on the first TARS, the second TARS, and one of the first TERSs and the second TERSs, and remediating a CS corresponding to the MIT.

Abstract: A system and method for improved endpoint detection and response (EDR) in a cloud computing environment initiates inspection based on data received from a sensor deployed on a workload. The method includes: configuring a resource, deployed in a cloud computing environment, to deploy thereon a sensor, the sensor configured to detect runtime data; detecting a potential cybersecurity threat on the resource based on detected runtime data received from the sensor; and initiating inspection of the resource for the potential cybersecurity threat.

Abstract: Systems and methods are described for contextualizing a simulated phishing communication based at least on one of language and locale. Initially, a template for a simulated phishing communication is created with content in a source language. Then one or more contextual parameters for a user are identified. The one or more contextual parameters identify at least one of a target language and a target locale. The content of the simulated phishing communication is modified according to at least one of the target language and the target locale and the simulated phishing communication is communicated to one or more devices of the user with the content modified for at least one of the target language and the target locale.

Abstract: A system for improving efficiency of processing alerts by a Security Incident & Event Management (SIEM) platform involves a pipeline, and an error log associated with the pipeline, wherein the pipeline is coupled to a source of alerts and to an SIEM platform, the pipeline including a source task, at least one process task and at least one sink task, wherein the at least one sink task is configured to publish cases to the SIEM platform and wherein the error log is configured such that, when an exception occurs in a particular task in the pipeline, an object relating to the particular task and the exception will be stored in the error log.

Abstract: Described are techniques for application hardening. The techniques include generating application traces using fuzzing for an application with a known security vulnerability, where the application traces include good traces that do not result in exploitation of the known security vulnerability and bad traces that result in exploitation of the known security vulnerability. The techniques further include identifying code segments that are executed by the bad traces and not executed by the good traces. The techniques further include modifying the identified code segments using binary rewriting.

Abstract: A system and method for initiating a remediation action on a software service in a computing environment are presented. The method includes detecting a software service in a computing environment, the service including a code object and a resource; generating a representation of the software service in a security database, the security database further including a representation of the computing environment; traversing the security database to detect a plurality of components, each component having a representation connected to the representation of the software service; initiating inspection for a cybersecurity object on each component of the software service; and initiating a remediation action on each component of the software service on which the cybersecurity object is detected.

Abstract: A system and method to analyze security across digital environments is provided. The system includes a report generation module to generate reports stating vulnerabilities in a software delivery pipeline. A recommendation engine is configured to perform a comprehensive analysis of the reports, verifies by cross-referencing with a CVE database to provide a rationalized and comprehensive view of the vulnerabilities. Further, the recommendation engine is configured to conduct an impact analysis using a ML model to determine the consequence of fixing the vulnerabilities and generates a score matrix based on a predefined threshold limit. Recommendations are provided to resolve the vulnerabilities based on the score matrix generated and impact analysis. The system includes a vulnerability remediation module to utilize the threshold limit to initiate automated vulnerability remediation thereby ensuring a secure and reliable development process.

Abstract: Methods, computer-readable media, software, systems and apparatuses may receive, from a user device, notification of a user enrolling in a privacy incident protection application, receive, from the user device, user account information associated with one or more user accounts of the user, where the user account information includes a plurality of contextual settings, determine a risk footprint associated with the user based on the user account information, monitor the one or more user accounts, receive an indication of an incident based on monitoring the one or more user accounts and based on the risk footprint, and transmit an incident notification to a data server provider associated with the incident. The incident notification may include instructions to perform a mitigation action associated with the incident.

Abstract: Some embodiments of the invention provide a method for WAN (wide area network) optimization for a WAN that connects multiple sites, each of which has at least one router. At a gateway router deployed to a public cloud, the method receives from at least two routers at least two sites, multiple data streams destined for a particular centralized datacenter. The method performs a WAN optimization operation to aggregate the multiple streams into one outbound stream that is WAN optimized for forwarding to the particular centralized datacenter. The method then forwards the WAN-optimized data stream to the particular centralized datacenter.

Abstract: Systems, methods, and software can be used to identify security risks in software code based on Software Bill of Materials (SBOM). In some aspects, a method includes: obtaining, by a server, software code and a SBOM corresponding to the software code; identifying, by the server and based on the SBOM, a library used by the software code; and generating, by the server, a risk assessment based on at least one metric corresponding to the library, where the at least one metric is associated with one or more maintainers of the library.

Abstract: A vulnerability with respect to an image file in a continuous integration (CI) pipeline can be suppressed according to some aspects described herein. For example, a processor can receive an alert for the vulnerability with the CI pipeline being able to block deployment of the image file in response to the alert. Based on the alert, the processor can determine that the vulnerability of the image file is deferrable. After determining that the vulnerability is deferrable, the processor can automatically adjust a status of the vulnerability from an observed state to a deferred state. The CI pipeline can allow the deployment of the image file based on the status of the vulnerability being in the deferred state. The processor can deploy the image file in the CI pipeline after adjusting the status of the vulnerability to the deferred state.

Abstract: Methods and systems for securing an application programming interface (API) are presented. The method comprises: receiving API workflow data associated with an API testing tool and generating a scan configuration file using the API workflow data; crawling the collection of API requests by identifying and retrieving a link associated with the collection of API requests; and crawling the link to generate a crawled link response. The method also includes executing one or more vulnerability tests on the crawled link response including applying at least one passive detection rule to the crawled link response and fuzzing the link. The fuzzed link may be transmitted in a request to an application server following which scan data indicative of at least one vulnerability associated with a response from the application server may be generated. The scan data may be used to generate a vulnerability report.

Abstract: Systems, devices, and methods are discussed for automatically determining a risk-based focus in determining zero trust network access policy on one or more network elements.

Abstract: A computer-implemented method, computer program product and computing system for: a computer-implemented method is executed on a computing device and includes: obtaining object information concerning one or more initial objects within a computing platform in response to a security event; identifying an event type for the security event; and executing a response script based, at least in part, upon the event type.

Abstract: A system and method detect a malware infection path in a compute environment. The method includes detecting a malware object on a first workload in a computing environment including a plurality of workloads, wherein the first workload is represented by a resource node on a security graph, the security graph including an endpoint node representing a resource which is accessible to a public network; generating a potential infection path between the resource node and the endpoint node including at least a second resource node connected to the resource node; inspecting a second workload of the plurality of workloads represented by the second resource node; determining that the potential infection path is a confirmed infection path, in response to detecting the malware on the second workload; and determining that the potential infection path is not an infection path, in response to detecting that the second workload does not include the malware.

Abstract: Behavior report generation monitors the behavior of unknown sample files executing in a sandbox. Behaviors are encoded and feature vectors created based upon a q-gram for each sample. Prototypes extraction includes extracting prototypes from the training set of feature vectors using a clustering algorithm. Once prototypes are identified in this training process, the prototypes with unknown labels are reviewed by domain experts who add a label to each prototype. A K-Nearest Neighbor Graph is used to merge prototypes into fewer prototypes without using a fixed distance threshold and then assigning a malware family name to each remaining prototype. An input unknown sample can be classified using the remaining prototypes and using a fixed distance. For the case that no such prototype is close enough, the behavior report of a sample is rejected and tagged as an unknown sample or that of an emerging malware family.

Abstract: A device may receive, from a user device, a transaction request associated with a first entity and identify a distributed ledger associated with the first entity, the distributed ledger including a set of blocks recording work data associated with the first entity. The set of blocks may include: a first subset of blocks including data specifying work performed by the first entity, and a second subset of blocks including data verifying a portion of the work performed by the first entity and specified by the data included in the first subset of blocks. The device may determine that a transaction, associated with the transaction request, is associated with the first subset of blocks and the second subset of blocks. Based on predetermined instructions that correspond to the transaction and the distributed ledger, the device may perform the transaction.

Abstract: A computer-implemented method according to one embodiment includes performing an attestation of code of a logic loader in a trusted execution environment (TEE) and receiving a request for the logic loader to load service logic code to the TEE. An integrity check of the service logic code associated with the request is performed. In response to the service logic code associated with the request passing the integrity check, the logic loader is allowed to load the service logic code associated with the request to the TEE. A computer program product according to another embodiment includes a computer readable storage medium having program instructions embodied therewith. The program instructions are readable and/or executable by a computer to cause the computer to perform the foregoing method.

Abstract: Disclosed embodiments include receiving network data associated with a first system of a network. The network data may comprise first data, second data, third data, fourth data, fifth data, and sixth data. The method may quantify, the first data, the second data, the third data, the fourth data, the fifth data, and the sixth data. The method may further determine, a risk parameter based on the quantifying. The method may generate, a vulnerability risk profile for a vulnerability based on the risk parameter. The vulnerability profile may indicate a security weakness of the first system or the second system. The method may determine, based on the security weakness of the first system or the second system, a remediation protocol for minimizing the security weakness of the first system of the network or the second system of the network.

Abstract: Mechanisms for preventing trojan source attacks are provided, the mechanisms including: receiving first Web page content; determining first one or more languages associated with the first Web page content; determining if the first one or more languages use BIDI characters; and in response to determining that the first one or more languages do not use BIDI characters: searching the Web page content for first reference BIDI characters; and blocking the Web page content in response to finding the first reference BIDI characters in the Web page content. In some embodiments, the mechanisms further include: receiving second Web page content; determining second one or more languages associated with the second Web page content; determining if the second one or more languages use BIDI characters; and in response to determining that the second one or more languages do use BIDI characters, allowing the Web page content.

Abstract: Embodiments of the present invention relate to apparatuses, systems, methods and computer program products for dynamic adapted security analysis of network resource components. Specifically, the system is typically structured for providing proactive network security by dynamically analyzing entering network resource components for vulnerabilities, establishing adapted validation thresholds and mitigation actions, and preventing unsuccessfully validated network resource components in a distributed network. In some aspects, in response to determining that a file attribute data element of the first network program resource component is of a predetermined file type, the system blocks the incoming file transfer associated with the first network program resource component.

Abstract: The disclosure relates to systems and methods for determining a cyber risk level of an asset node associated with one or more functional aspects of a vehicle and assessing a node vulnerability score. Specifically, the disclosure relates to systems and methods of identifying, analyzing, and remediating vulnerabilities of networked vehicle components to various malicious exploits, by simulating attack on one or more vehicle nodes using known vulnerabilities under operational conditions.

Abstract: Examples of file analytics systems are described that may obtain event data from a virtualized file server. The event data may be aggregated and/or filtered to provide metrics which may be adjusted based on the operation of an application used to accomplish a user action. For example, actions relating to an application's temporary file handling may be aggregated and/or excluded when reporting metrics for the virtualized file server. To facilitate reporting of metrics, the file analytics system may provide a lineage index storing an association between files related through operation of the application used to accomplish the user action.

Abstract: A spectrum refarm system facilitates visual refarming of spectrum blocks. The system retrieves data defining a set of telecommunications spectrum blocks that are licensed by a telecommunications network within a selected geographic region, where each spectrum block is allocated to one or more technologies to facilitate communications transmitted according to a protocol defined within each technology. The system generates an interactive diagram representing the set of telecommunications spectrum blocks and identifying a first technology deployed on each of the telecommunications spectrum blocks at a first time. In response to at least one user input directed to the interactive diagram, the system defines a second technology to be deployed on at least one of the telecommunications spectrum blocks during a second time. The system then causes the at least one telecommunications spectrum block to transition from the first technology to the second technology at a time corresponding to the second time.

Abstract: A method and system of selecting a software testing regimen for a software application. The method comprises receiving, at a security assessing server computing device, a Quality of Service (QoS) performance level in conjunction with a set of technical attributes of the software application, determining a security vulnerability diagnostic score for the software application based at least in part on the set of technical attributes and the QoS performance level, and selecting the software testing regimen in accordance with the QoS performance level and the security vulnerability diagnostic score.

Abstract: Systems and methods for evaluation of system-of-systems (SoS) architectures for cyber vulnerabilities. Architecture definition file (ADF) data can be generated based on received architecture and component description data. A model of a target SoS architecture for the SoS can be generated based on the ADF data. The target SoS architecture for the SoS can be evaluated to identify potential cyber-attack vectors with respect to the target SoS architecture, and a probabilistic analysis of the potential cyber-attack vectors can be executed to compute a probability for each cyber-attack vector indicative of a likelihood that a respective cyber-attack results in a mission failure by the SoS based on the target SoS architecture. Display data can be generated for visualization on an output device that includes each identified potential cyber-attack vector and associated computed probability.

Abstract: Aspects of the disclosure relate to preventing data loss using enhanced analysis of the URLs and URIs in webpage requests. A computing platform may receive a user request to access a webpage, and may determine whether the webpage is regularly accessed by the user and whether the user is permitted to access the webpage. Based on determining the user might not regularly access the website, but that the user is permitted to access the webpage, the computing platform may engage an artificial intelligence (AI) engine to parse the URL and URI from the webpage request. The AI engine may compare the URL to source code associated with the webpage to determine whether the URI was re-written. The computing platform may grant the webpage request based on determining the source code corresponds to the URL and based on determining the URI might not have been re-written.

Abstract: A method for prioritizing security events comprises receiving a security event that includes security event data having been generated by an endpoint agent based on a detected activity, wherein the security event data includes one or more features; applying a first computing model to the security event data to automatically determine which of the one or more features are one or more input features to a machine learning system; applying a second computing model to historical data related to the security event data to determine time pattern information of the security event data as an input to the machine learning system; combining the one or more input features from the first computing model and the input from the second computing model to generate a computed feature result; and generating an updated security level value of the security event from the computed feature result.

Abstract: A computer implemented method of automatically generating security rules for a networked environment based on anomalies identified using Machine Learning (ML), comprising receiving one or more feature vectors each comprising a plurality of operational parameters of a plurality of objects of a networked environment, identifying one or more anomaly patterns in the networked environment by applying one or more trained ML models to the one or more feature vectors trained to identify patterns deviating from normal behavior of the plurality of objects, parsing each anomaly patterns to a set of behavioral rules by traversing the anomaly pattern through a tree-like decision model, and generating one or more security rules for the networked environment according to the set(s) of behavior rules. Wherein the one or more security rules are applied to increase security of the networked environment.