Techniques for identifying vulnerabilities in a computing environment, including: using at least one computer hardware processor to perform: obtaining first vulnerability data for a first event from external data source(s); associating the first event with a particular vulnerability in a vulnerability dictionary using at least some of the first vulnerability data, the particular vulnerability being associated with one or more historical events; enriching the first vulnerability data with first metadata comprising one or more time-based feature values to obtain first enriched vulnerability data; generating a first set of feature values for the first event using both: the first enriched vulnerability data; and enriched vulnerability data for at least some of the one or more historical events; determining, using the first set of feature values, that a vulnerability mitigation action is to be triggered for the first event; and triggering performance of the vulnerability mitigation action for the first event.
G06F 21/57 - Certification or preservation of trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
2.
SYSTEM FOR AUTOMATICALLY DISCOVERING, ENRICHING AND REMEDIATING ENTITIES INTERACTING IN A COMPUTER NETWORK
An entity tracking system and method for a computer network employs proactive data collection and enrichment driven by configurable rules and workflows responsive to the discovery of new entities, changes to existing entities, and specifics about the entities' attributes. The data collection is used in conjunction with graph technologies to map interactions and relationships between various entities interacting in the computer environment and deduce interactions and relationships between the entities. Machine learning techniques further identify, group or categorize entities and identify patterns which are indicative of anomalies that might be due to nefarious actions or compromised security.
Some embodiments provide techniques for generating common vulnerability scoring system (CVSS) vectors for vulnerabilities to use in scanning a computing environment for vulnerabilities. The techniques involve obtaining a textual description of a vulnerability; generating inputs for a plurality of ML models using the textual description of the vulnerability; providing the inputs to the plurality of ML models to obtain outputs indicating values of CVSS risk metrics; and storing the values of the CVSS risk metrics indicated by the outputs of the plurality of ML models in a vector to obtain the CVSS vector for the vulnerability.
G06F 21/57 - Certification or preservation of trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
Embodiments disclose a honeyrepo implemented in a cybersecurity computing environment. A honey repository is configured for inclusion in a source control system by a detection and response server that is communicatively coupled to a continuous integration system that accesses a shared repository and has access to individual repositories of the source control system by generating a honey repository configuration package that includes decoy metadata to entice an attacker to initiate a request to access the honey repository. The honey repository configuration package that includes the decoy metadata is transmitted to the source control system to generate the honey repository and access to the source control system is monitored at the detection and response server. If an attacker initiates the request to access the honey repository, access is disabled for the attacker to the individual repositories of the source control system and the shared repository managed by the continuous integration system.
Various embodiments include systems and methods of assessing vendor risk. One or more sets of IP address(es) associated with one or more vendors are identified. Risk data related to the set(s) of IP address(es) is obtained using internet telemetry data. Based at least in part on the risk data, security risk level(s) are determined for the vendor(s). Some embodiments include systems and methods of implementing a vendor-based risk posture assessment of an organization. The vendor-based risk posture assessment may be based at least in part on one or more security risk levels determined for the vendor(s) of the organization.
Various embodiments include systems and methods pertaining to a security service platform that detects security threats based on a security service that operates on structurally deduplicated network data. The security service platform, based on using the structure, or data model, of data being deduplicated, generates structurally deduplicated event data that is more compact than traditionally compressed data or traditionally deduplicated data stored in a structured data format. The security service may perform a security analysis that includes rule matching to detect threats to a network, where the rule matching operates on the structurally deduplicated data.
Techniques for monitoring assets in a cloud computing environment, comprising: collecting datasets for respective assets in the cloud computing environment, each of the datasets comprising at least some data stored by a respective one of the assets at one or multiple timepoints, the datasets including a first dataset for a first asset of the assets; determining priority scores for the assets using: feature values determined using data in the datasets, and feature values determined using data about the assets and stored in the cloud computing environment, wherein the determining comprises: determining, using data in the first dataset that was stored by the first asset at one or more timepoints, at least one first feature value for the first asset; determining, using data about the first asset and stored in the cloud computing environment, at least one second feature value for the first asset; and determining a priority score for the first asset using the at least one first feature value and the at least one second feature value; and collecting further data about at least some of the assets using the determined priority scores.
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
Various embodiments include systems and methods to implement a complementary scan engine scheme for avoiding redundant vulnerability check data collection when using a scan engine to scan a target asset and/or to implement a vulnerability result integration scheme for determining whether to integrate a respective vulnerability result into one or more databases. In various embodiments, at least one integration state may be determined. According to the vulnerability result integration scheme, the at least one integration state may define whether an integrator is to integrate the respective vulnerability result into the database(s).
A configuration change assessment pipeline is disclosed, executable to assess a continuous stream of resource configuration changes in a cloud-based computer network for security policy violations. In embodiments, the system executes assessment nodes that are configurable to monitor the input stream for specific change events, identify a set of related resources that should be assessed as result of a change event, perform various assessments on the related resources, and write assessment findings to an output stream. Action nodes are configured to consume the output stream and perform responsive actions such as generating user notifications and initiating automated remediation steps. Advantageously, the disclosed system is able to perform ad hoc assessments of a small set of relevant resources in response to specific change events in the network, so that security policy violations can be identified much more quickly.
Techniques for analyzing cybersecurity vulnerabilities in a computing environment, including: using at least one computer hardware processor to perform: (A) identifying a first cybersecurity vulnerability associated with a resource in the computing environment; (B) obtaining data related to one or more factors related to risk posed by the first cybersecurity vulnerability, the one or more factors including at least one factor indicative of a degree of current exploitation of the first cybersecurity vulnerability; (C) determining, using the obtained data, one or more factor weights for the one or more factors related to the risk posed by the first cybersecurity vulnerability; (D) determining a first score for the first cybersecurity vulnerability using the determined one or more factor weights; and (E) performing one or more security actions based on the determined first score for the first cybersecurity vulnerability.
G06F 21/57 - Certification or preservation of trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
The techniques described herein relate to visualizing network attack paths. An example method includes using at least one computer hardware processor to perform: identifying one or more vulnerable network resources in a plurality of network resources, each of the one or more vulnerable network resources having at least one respective security vulnerability; accessing at least one portion of a relational representation of a set of network resources in the plurality of network resources, identifying, using the at least one portion of the relational representation, one or more network attack paths between the one or more vulnerable network resources and network resources in the set, generating, using the at least one portion of the relational representation, a graph, and generating a GUI comprising a visualization of the graph and information indicating that the one or more attack paths may be used to exploit one or more security vulnerabilities of the set.
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, comprising specially adapted graphical user interfaces [GUI]
12.
Intelligent identification of correlations across security services
Various embodiments include systems and methods pertaining to a security service platform that includes a correlation engine for identifying correlations between different security services of the security service platform. In some embodiments, the correlation engine may be configured to parse, aggregate, and/or correlate data from an application security service and data from a vulnerability management service to assess coverage (or lack thereof) and/or to assist in remediation prioritization. The correlation engine may generate a report that can be presented to a user via a graphical user interface (GUI).
G06F 21/57 - Certification or preservation of trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
Various embodiments include systems and methods to implement a complementary scan engine scheme for avoiding redundant vulnerability check data collection when using a scan engine to scan a target asset. The implementation may include determining a set of potential vulnerability checks for scanning the target asset using the scan engine. Fingerprint data indicating which versions of software are installed on the target asset may be collected. Based at least in part on the fingerprint data, it may be determined that a particular version of a local scan agent is installed on the target asset. Responsive to a determination that the local scan agent is functioning, the scan engine may perform any vulnerability check, in the set of potential vulnerability checks, that is not covered by the local scan agent. Responsive to a determination that the local scan agent is not functioning, the scan engine may perform all vulnerability checks in the set of potential vulnerability checks.
G06F 21/57 - Certification or preservation of trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
14.
TECHNIQUES FOR OPERATING A COMPUTER NETWORK SECURITY SYSTEM IN A CLOUD COMPUTING ENVIRONMENT
Machine learning techniques for updating a configuration of a computer network security system operating in a cloud computing environment. The techniques include obtaining a plurality of datasets containing information about a respective plurality of events detected by the computer network security system in the cloud computing environment; generating, using at least one trained ML model, a plurality of signatures representing the plurality of events, the generating comprising processing the plurality of datasets using the at least one trained ML model to obtain the plurality of signatures; clustering the plurality of signatures to obtain signature clusters representing clusters of events in the plurality of events; identifying a particular event cluster from among the clusters of events; and updating the configuration of the computer network security system based on characteristics of events in the identified particular event cluster.
Techniques for event driven harvesting and analysis of cloud computing resources in a cloud computing environment, comprising: obtaining, from a cloud computing environment, data related to an event that occurred in the cloud computing environment; in response to obtaining the data, requesting, from the cloud computing environment, supplemental data about the event that occurred in the cloud computing environment, the supplemental data including information about the event and/or information about impact of the event on a resource; determining whether a security action is to be taken at least in part by analyzing the data and/or the supplemental data; and when it is determined a security action is to be taken, performing the security action.
Methods and systems for identifying a vulnerability on a network are disclosed. The methods described herein may involve executing a first scanning function to obtain a first view of a network and then filtering the first view of the network for at least one point of exposure of a first entity that originates from a second entity. The methods described herein may further involve executing a secondary scanning function to identify any vulnerabilities of the first entity based on the point of exposure of the first entity that originates from the second entity and implementing a threat prevention procedure upon identifying a vulnerability of the first entity based on the point of exposure of the first entity that originates from the second entity.
18.
PROACTIVE PROTECTION OF COMPUTER NETWORKS AGAINST UNEXPLOITED VULNERABILITIES
A server determines vulnerabilities associated with components of a computing device. The server determines attributes associated with individual vulnerabilities. The server determines a subset of the vulnerabilities that includes unexploited vulnerabilities. The server executes a machine learning model to predict a probability of an exploit being created for a particular unexploited vulnerability in the subset. The server sends to a device: information identifying the particular unexploited vulnerability, particular attributes associated with the particular unexploited vulnerability, and the probability of an exploit being created for the particular unexploited vulnerability.
Some embodiments provide techniques for detecting presence of malicious software in a computing asset. The techniques identify, from among a plurality of memory locations allocated for use by a process managed by an operating system (OS) associated with the computing asset, memory location(s) to monitor in furtherance of detecting presence of malicious software in the computing asset, monitor threads initialized by the process using the identified memory location(s) to determine a number of threads so initialized, identify value(s) for visibility characteristic(s) of the process indicative of whether the process is attempting to evade detection of its execution on the computing asset, and determine whether the process is a malicious software process based on the number of threads and the value(s) for the visibility characteristic(s).
Some embodiments provide techniques for detecting cyberattacks against a software service authentication system that authorizes access to software services. The techniques access a user activity profile specifying values of parameters indicating the user's pattern of requesting access to unique software service(s). The techniques monitor the activity of the user over a time period to obtain software request data indicating request(s) by the user to access software services in the time period. The techniques determine, using the software service request data and the user activity profile, whether computing activity of the user during the time period is anomalous.
Various embodiments include systems and methods to implement a security platform providing application-level cyberattack detection using multiple stages of classifiers. The security platform may use requests received by a web service to determine training data to train one or more machine learning models. The training data may be determined by instrumenting an application, such as a web service, with a first stage classifier to determine security events indicative of cyberattacks. The security platform may train machine learning models using aggregations of security events over various periods of time. The machine learning models may serve as second stage classifiers for the security platform.
A method for authenticated asset assessment is provided. The method involves executing a scan assistant on an asset to allow a remote scan engine to execute one or more scan operations on the asset for determining a state of the asset. The scan assistant may verify the identity of the scan engine by checking that a certificate received from the scan engine is signed with a private key associated with the scan engine. In some embodiments, the authentication may be performed as part of a TLS handshake process that establishes a TLS connection between the scan engine and the scan assistant. Once the scan engine is authenticated, the scan engine may communicate with the scan assistant according to a communication protocol to collect data about the asset. Advantageously, the disclosed technique reduces security risks associated with authenticated scans and improves the performance of authenticated scans.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
23.
File directory structure and naming convention for storing columnar tables
A database system stores a table as a set of column files in a columnar format in a manner that improves the write performance of the table and avoids the use of a separate metadata repository. In embodiments, each column file groups values into entity chunks indexed by an entity index. Each chunk includes a live value index that determines which rows in the chunk have live values. New values are written to the column file by appending an updated copy of the entity chunk, and the entity index is updated to refer to the newly written chunk as the latest version. This approach avoids expensive in-place updating of individual column values and allows the update to be performed much more quickly. In embodiments, the database system encodes metadata such as table schema information using file naming and placement conventions in the file store, so that a centralized metadata repository is not required.
42 - Scientific, technological and industrial services, research and design
Goods and services
Installation of computer software for network and application security in the areas of network vulnerability exploitation, network vulnerability management and assessment, and network remediation management; computer consultation in the field of computer security risks, computer network security risks, and internet security risks; computer and internet security testing services to determine and identify information and network security vulnerabilities and risks and help to prioritize remediations; computer network security services, namely, assessing, auditing, and monitoring network vulnerabilities and security risks and reporting thereon; computer system analysis services for installation of computer systems; providing temporary use of online non-downloadable computer software for use in detecting, analyzing, and prioritizing cyber computer threats and vulnerabilities; Software as a Service (SAAS) services featuring software for use in detecting, analyzing, and prioritizing cyber computer threats and vulnerabilities; design and development of electronic data security systems; computer security threat analysis for protecting data; development of software for secure network operations; computer security consultancy, namely, scanning, auditing and monitoring computer systems and networks for vulnerabilities and other security risks; computer security consultancy, namely, scanning, auditing, analyzing, measuring, and monitoring computer systems and networks for vulnerabilities, security threats, and other cybersecurity risks; security risk assessment and response and managed security threat detection in on-premises, hosted, hybrid, and cloud computing environments; maintenance of computer software relating to computer security and prevention of computer risks; providing temporary use of non-downloadable software and applications for collecting, analyzing, evaluating, monitoring, and transmitting data in the fields of compliance, network security, enterprise security, 
and maintenance; providing temporary use of non-downloadable software and applications for detecting fraudulent transactions and activities; providing temporary use of non-downloadable software and applications for investigating, remediating, and responding to fraud and to network and enterprise threat incidents; providing temporary use of non-downloadable software and applications for troubleshooting, diagnosing, and protecting computer software, hardware, networks, virtual machines, and operational technology; providing temporary use of non-downloadable software and applications for use in analyzing and monitoring computer networks; providing temporary use of non-downloadable software and applications for diagnosing industrial and business performance issues; providing temporary use of non-downloadable software and applications in the field of application analytics; providing temporary use of non-downloadable software and applications for providing operational intelligence, business analytics, security information, and troubleshooting based on data; providing temporary use of non-downloadable data mining software; consulting in the field of information technology relating to installation, maintenance and repair of computer software; technical consulting services in the fields of datacenter architecture, public and private cloud computing solutions, and evaluation and implementation of information technology and services; technical support services, namely, remote and on-site infrastructure management services for monitoring, administration and management of public and private cloud computing and information technology systems
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
Installation of computer software for network and application security in the areas of network vulnerability exploitation, network vulnerability management and assessment, and network remediation management; computer consultation in the field of computer security risks, computer network security risks, and internet security risks; computer and internet security testing services to determine and identify information and network security vulnerabilities and risks and help to prioritize remediations; computer network security services, namely, assessing, auditing, and monitoring network vulnerabilities and security risks and reporting thereon; computer system analysis services for installation of computer systems; providing temporary use of online non-downloadable computer software for use in detecting, analyzing, and prioritizing cyber computer threats and vulnerabilities; Software as a Service (SAAS) services featuring software for use in detecting, analyzing, and prioritizing cyber computer threats and vulnerabilities; design and development of electronic data security systems; computer security threat analysis for protecting data; development of software for secure network operations; computer security consultancy, namely, scanning, auditing and monitoring computer systems and networks for vulnerabilities and other security risks; computer security consultancy, namely, scanning, auditing, analyzing, measuring, and monitoring computer systems and networks for vulnerabilities, security threats, and other cybersecurity risks; security risk assessment and response and managed security threat detection in on-premises, hosted, hybrid, and cloud computing environments; maintenance of computer software relating to computer security and prevention of computer risks; providing temporary use of non-downloadable software and applications for collecting, analyzing, evaluating, monitoring, and transmitting data in the fields of compliance, network security, enterprise security, 
and maintenance; providing temporary use of non-downloadable software and applications for detecting fraudulent transactions and activities; providing temporary use of non-downloadable software and applications for investigating, remediating, and responding to fraud and to network and enterprise threat incidents; providing temporary use of non-downloadable software and applications for troubleshooting, diagnosing, and protecting computer software, hardware, networks, virtual machines, and operational technology; providing temporary use of non-downloadable software and applications for use in analyzing and monitoring computer networks; providing temporary use of non-downloadable software and applications for diagnosing industrial and business performance issues; providing temporary use of non-downloadable software and applications in the field of application analytics; providing temporary use of non-downloadable software and applications for providing operational intelligence, business analytics, security information, and troubleshooting based on data; providing temporary use of non-downloadable data mining software; consulting in the field of information technology relating to installation, maintenance and repair of computer software; technical consulting services in the fields of datacenter architecture, public and private cloud computing solutions, and evaluation and implementation of information technology and services; technical support services, namely, remote and on-site infrastructure management services for monitoring, administration and management of public and private cloud computing and information technology systems
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
Installation of computer software for network and application security in the areas of network vulnerability exploitation, network vulnerability management and assessment, and network remediation management; computer consultation in the field of computer security risks, computer network security risks, and internet security risks; computer and internet security testing services to determine and identify information and network security vulnerabilities and risks and help to prioritize remediations; computer network security services, namely, assessing, auditing, and monitoring network vulnerabilities and security risks and reporting thereon; computer system analysis services for installation of computer systems; providing temporary use of online non-downloadable computer software for use in detecting, analyzing, and prioritizing cyber computer threats and vulnerabilities; Software as a Service (SAAS) services featuring software for use in detecting, analyzing, and prioritizing cyber computer threats and vulnerabilities; design and development of electronic data security systems; computer security threat analysis for protecting data; development of software for secure network operations; computer security consultancy, namely, scanning, auditing and monitoring computer systems and networks for vulnerabilities and other security risks; computer security consultancy, namely, scanning, auditing, analyzing, measuring, and monitoring computer systems and networks for vulnerabilities, security threats, and other cybersecurity risks; security risk assessment and response and managed security threat detection in on-premises, hosted, hybrid, and cloud computing environments; maintenance of computer software relating to computer security and prevention of computer risks; providing temporary use of non-downloadable software and applications for collecting, analyzing, evaluating, monitoring, and transmitting data in the fields of compliance, network security, enterprise security, 
and maintenance; providing temporary use of non-downloadable software and applications for detecting fraudulent transactions and activities; providing temporary use of non-downloadable software and applications for investigating, remediating, and responding to fraud and to network and enterprise threat incidents; providing temporary use of non-downloadable software and applications for troubleshooting, diagnosing, and protecting computer software, hardware, networks, virtual machines, and operational technology; providing temporary use of non-downloadable software and applications for use in analyzing and monitoring computer networks; providing temporary use of non-downloadable software and applications for diagnosing industrial and business performance issues; providing temporary use of non-downloadable software and applications in the field of application analytics; providing temporary use of non-downloadable software and applications for providing operational intelligence, business analytics, security information, and troubleshooting based on data; providing temporary use of non-downloadable data mining software; consulting in the field of information technology relating to installation, maintenance and repair of computer software; technical consulting services in the fields of datacenter architecture, public and private cloud computing solutions, and evaluation and implementation of information technology and services; technical support services, namely, remote and on-site infrastructure management services for monitoring, administration and management of public and private cloud computing and information technology systems
42 - Scientific, technological and industrial services, research and design
Goods and services
29.
SYSTEM FOR COLLECTING COMPUTER NETWORK ENTITY INFORMATION EMPLOYING ABSTRACT MODELS
An entity tracking system and method for a computer network employs proactive data collection and enrichment driven by configurable rules and workflows responsive to the discovery of new entities, changes to existing entities, and specifics about the entities' attributes. The data collection is used in conjunction with graph technologies to map interactions and relationships between various entities interacting in the computer environment and deduce interactions and relationships between the entities. The method and system provides for abstract entity types and collation nodes.
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, comprising specially adapted graphical user interfaces [GUI]
30.
VISUAL EXPLORATION FOR EFFICIENT ACCESS ANALYSIS FOR CLOUD PROVIDER ENTITIES
An access policy analysis system may use visual exploration to efficiently perform access analysis. A request to display an effective access of an entity with respect to a resource hosted in a cloud provider may be received via a visual exploration user interface element. An analysis of a set of access policies applied by an access management system to determine an effective access of the entity with respect to the resource may be performed. One or more selectable access policy interface elements may be generated that correspond to one or more access policies of the set of access policies that are used to determine the effective access of the entity with respect to the resource. The one or more selectable access policy interface elements may be included in a display of the visual exploration user interface element along with the determined effective access of the entity with respect to the resource.
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, comprising specially adapted graphical user interfaces [GUI]
As an example, an asset receives a request from a scanner performing a reconnaissance of a network that includes the asset. The asset sends a response acknowledging receiving the request, indicating that the asset is alive. The asset receives port scan requests associated with ports of the asset. The asset creates fake fingerprints that include incorrect information about ports of the asset. The asset sends the fake fingerprints to the scanner in response to the port scan requests. The asset determines that a scan engine is requesting access to the asset via a particular port of the asset. The asset grants the scan engine access to the asset via the particular port to enable the scan engine to gather asset data associated with the asset for analysis.
Systems and methods are disclosed for detecting code injection vulnerabilities in software systems. In embodiments, an injection string is created to implement an exploit against a software system. The exploit includes unauthorized executable code that will generate an easily detectable token if executed by the software system. The string is injected into the software system during execution to simulate a code injection attack on the software system. The software system's execution result is obtained and analyzed to determine whether the execution detection token was generated. If so, the software system is proven to be vulnerable to the attack, and the vulnerability may be indicated in an alert or a report. The vulnerability detection technique may be used both for software under development and for production software systems running in the wild, to analyze and monitor these systems for code injection vulnerabilities.
G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
G06F 11/3604 - Software analysis for verifying properties of programs
G06F 21/57 - Certification or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
33.
Predictive modeling to identify anomalous log data
Disclosed herein are methods, systems, and processes for interference-based detection and identification of anomalous log data using predictive modeling. A log data that includes a path with strings is accessed. Multiple anomalous log data prediction models are trained for the path by processing the strings at a character level and at a name level using disparate Markov prediction models that include n-gram and skip gram models after performing an A-replace operation. A trained dataset is generated based on the training that includes a simplified path for each of the various anomalous log data prediction models along with a transition probability for each string in the path. Other paths in the log or other logs are trained using the trained dataset and the several trained anomalous log data prediction models are deployed to observe, identify, and highlight anomalous strings in new log data.
G06F 18/214 - Generating training patterns; Bootstrap methods, e.g. bagging or boosting
G06F 18/2415 - Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on parametric or probabilistic models, e.g. based on likelihood ratio or false acceptance rate versus false rejection rate
Various embodiments include systems and methods to implement a security platform providing cyberattack detection using multiple stages of classifiers. The security platform may use a first stage of classifiers to analyze multiple requests from a client device to a service. The first stage of classifiers may determine an initial indication of whether a request is indicative of a cyberattack and provide the initial indication to a second stage of classifiers. The second stage of classifiers may, based on the initial indications of a cyberattack over a period of time, determine whether a cyberattack is underway.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
35.
Predicting a probability associated with an unexploited vulnerability
A server determines vulnerabilities associated with components of a computing device. The server determines attributes associated with individual vulnerabilities. The server determines a subset of the vulnerabilities that includes unexploited vulnerabilities. The server executes a machine learning model to predict a probability of an exploit being created for a particular unexploited vulnerability in the subset. The server sends to a device: information identifying the particular unexploited vulnerability, particular attributes associated with the particular unexploited vulnerability, and the probability of an exploit being created for the particular unexploited vulnerability.
Various embodiments include systems and methods to implement a security posture recommender system. The security posture recommender system may improve the security posture of a deployment of assets by generating recommendation data indicating how to modify the deployment of assets. A deployment may be described by deployment data. The recommendation data may be based on similarities and/or differences between deployment data for a particular user and deployment data associated with users that are within a cluster of users similar to the particular user.
Various embodiments include systems and methods pertaining to a security service platform that detects security threats based on a security service that operates on structurally deduplicated network data. The security service performs a security analysis that includes rule matching to detect threats to a network, where the rule matching operates on the structurally deduplicated data. The security service may compile one or more rulesets into an executable binary that efficiently operates over the format of the structurally deduplicated data.
An access policy analysis system may use stored policy summaries to efficiently perform access analysis. A request that causes an access analysis of an entity in a cloud service provider with respect to a resource hosted in the cloud service provider may be received. An access policy summary generated for the entity based on a set of access policies applied by an access management system of the cloud service provider may be obtained. An access policy summary generated for the resource based on the set of access policies may be obtained. A tree structure that describes a hierarchy of entities in the cloud service provider may be traversed to identify a parent node of the entity in the hierarchy of entities. The access analysis may then be generated based on the access policy summaries for the identified node in the tree structure, for the entity and for the resource.
Various embodiments include systems and methods pertaining to a security service platform that detects security threats based on a security service that operates on structurally deduplicated network data. The security service may operate within a cloud environment and perform the security analysis that includes compiling a ruleset to generate an executable, where the executable is run over the structurally deduplicated event data. If the executable identifies a rule match for a given portion of structurally deduplicated event data, then the security service platform may reconstruct the structurally deduplicated event data to access all portions of a network event associated with the structurally deduplicated event data that triggered the rule match. The security service platform may use the reconstructed event data to generate and provide an alert that indicates a detected cyberattack.
An access policy analysis system may use visual exploration to efficiently perform access analysis. A request to display an effective access of an entity with respect to a resource hosted in a cloud provider may be received via a visual exploration user interface element. An analysis of a set of access policies applied by an access management system to determine an effective access of the entity with respect to the resource may be performed. One or more selectable access policy interface elements may be generated that correspond to one or more access policies of the set of access policies that are used to determine the effective access of the entity with respect to the resource. The one or more selectable access policy interface elements may be included in a display of the visual exploration user interface element along with the determined effective access of the entity with respect to the resource.
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, comprising specially adapted graphical user interfaces [GUI]
41.
Command line parsing for classification of process start alerts
A method includes obtaining a command captured at a computing device to start a process on the computing device, submitted via a command line interface. The command is one of a plurality of commands captured at respective computing devices that triggered respective alerts to review the plurality of commands. The method includes parsing the command to generate a plurality of tokens that represent the command according to a dictionary of features of commands submitted via the command line interface, generating a feature vector based, at least in part, on the plurality of tokens, applying a classification model, trained on other commands submitted via the command line interface to predict benign commands, to the feature vector to determine a score indicative of a probability that the command is benign, and, responsive to a determination that the score is above a confidence threshold, removing the command from the plurality of commands to be reviewed.
A method for authenticated asset assessment is provided. The method involves executing a scan assistant on an asset to allow a remote scan engine to execute one or more scan operations on the asset for determining a state of the asset. The scan assistant may verify the identity of the scan engine by checking that a certificate received from the scan engine is signed with a private key associated with the scan engine. In some embodiments, the authentication may be performed as part of a TLS handshake process that establishes a TLS connection between the scan engine and the scan assistant. Once the scan engine is authenticated, the scan engine may communicate with the scan assistant according to a communication protocol to collect data about the asset. Advantageously, the disclosed technique reduces security risks associated with authenticated scans and improves the performance of authenticated scans.
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 21/57 - Certification or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
H04L 9/00 - Arrangements for secret or secure communications; Network security protocols
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
Various embodiments include systems and methods to implement predictive scan engine runtime durations by a security platform to predict runtime durations associated with computing resources. Predictive scan engine runtime durations may be determined by training a prediction model using a multiple linear regression analysis. For example, the security platform may determine a prediction model using training data that associates runtime durations with configuration inputs associated with a security service that operates with respect to a computing resource. Based on the prediction model, the security platform may determine a runtime estimate for a security service run that is configured similarly to a previous security service run used to train the prediction model.
G06F 21/57 - Certification or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
44.
Automated generation of anomaly scenarios for testing machine learned anomaly detection models
An anomaly detection system is disclosed that is capable of reporting anomalous processes or hosts in a computer network using machine learning models trained with unsupervised training techniques. In embodiments, the system assigns observed processes to a set of process categories based on the file system path of the program executed by the process. The system extracts a feature vector for each process or host from the observation records and applies the machine learning models to the feature vectors to determine an outlier metric for each process or host. The processes or hosts with the highest outlier metrics are reported as detected anomalies to be further examined by security analysts. In embodiments, the machine learning models may be periodically retrained on new observation records using unsupervised machine learning techniques. Accordingly, the system allows the models to learn from newly observed data without requiring the new data to be manually labeled by humans.
G06F 11/34 - Recording or statistical evaluation of computer activity, e.g. of interrupts or input/output operations
G06F 21/52 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 21/57 - Certification or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
Methods and systems for identifying targets on a network. The disclosed methods involve classifying data as valuable or non-valuable, and then classifying an asset associated with the retrieved data as a target or a non-target based in part on the classification of the data.
In some examples, a server identifies a first and second microservice. The server creates a first mirror to mirror first traffic sent to the first microservice and a second mirror to mirror second traffic sent to the second microservice. The server configures the first and second mirror service to create mirrored traffic out-of-band of a critical request path of the first and second microservice. The server configures the first and second mirror service to modify a header of a mirrored request to indicate: the mirrored request is a mirrored copy of a request, an original source of the request, and an original destination of the request. The server configures the first and second mirror service to send the mirrored traffic to a traffic analyzer that uses artificial intelligence, automated vulnerability scans, or both to identify an anomalous behavior of an offending microservice in the cluster.
A method for authenticated asset assessment is provided. The method includes authenticating, by a scan assistant, a scan engine with the scan assistant for executing one or more scan operations on the asset to determine a state of the asset. The asset includes at least one computing resource. The method also includes receiving, by the scan assistant, a plurality of scan requests associated with the one or more scan operations from the scan engine. The method further includes responding, by the scan assistant, to at least one scan request of the plurality of scan requests by transmitting one or more scan responses to the scan engine after receiving the plurality of scan requests. The scan assistant and the scan engine implement an asynchronous communication protocol that permits the scan engine to send the scan requests without waiting for scan responses for previous scan requests.
Embodiments of a cyberattack monitoring system are disclosed to identify successful attacks on a service based on benign activities of the attacker performed after the initial attack attempt. In embodiments, the system identifies the initial attack by matching client actions to known attack patterns. Clients observed with attempted attacks are remembered as suspected attackers. The system will then monitor subsequent actions of suspected attackers for signs that the initial attack attempt was successful. In embodiments, a successful attack is recognized when the system observes one or more subsequent benign actions by the suspected attacker. In embodiments, the presence of follow-on benign actions is used as a filter to filter out unsuccessful attacks and false positives detected by the system. The filtering enables the system to better focus system resources and human attention on a small set of client activities that are likely successful attacks.
Some embodiments provide techniques for detecting cyberattacks against a software service authentication system that authorizes access to software services. The techniques access a user activity profile specifying values of parameters indicating the user's pattern of requesting access to unique software service(s). The techniques monitor the activity of the user over a time period to obtain software request data indicating request(s) by the user to access software services in the time period. The techniques determine, using the software service request data and the user activity profile, whether computing activity of the user during the time period is anomalous.
The techniques described herein relate to identifying network attack paths. An example method includes using at least one computer hardware processor to perform obtaining metadata indicating a set of network resources in a plurality of network resources and network connections among network resources in the set of network resources, generating, using the metadata, a relational representation of the set of network resources, generating, using the relational representation, a plurality of network paths between network resources in the set of network resources, and identifying, from among the plurality of network paths and using the relational representation and information indicating one or more of the plurality of network resources that have at least one respective security vulnerability, one or more network attack paths that may be used to exploit one or more security vulnerabilities of network resources in the set of network resources.
An example method includes using at least one computer hardware processor to perform: identifying one or more vulnerable network resources in a plurality of network resources, each of the one or more vulnerable network resources having at least one respective security vulnerability; accessing at least one portion of a relational representation of a set of network resources in the plurality of network resources, identifying, using the at least one portion of the relational representation, one or more network attack paths between the one or more vulnerable network resources and network resources in the set, generating, using the at least one portion of the relational representation, a graph, and generating a GUI comprising a visualization of the graph and information indicating that the one or more attack paths may be used to exploit one or more security vulnerabilities of the set.
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, comprising specially adapted graphical user interfaces [GUI]
52.
UPDATING REMOTE SCAN ENGINES WITH CUSTOM VULNERABILITY CHECKS
Various embodiments include systems and methods of implementing vulnerability check synchronization. Vulnerability check synchronization may occur between computing resources at multiple different locations including a first location and a second location. Custom vulnerability check information associated with a particular security vulnerability may be received via a security console user interface that is located at the first location. A selection may be received, via the security console user interface, of a particular distributed engine to be utilized to perform a scan of one or more assets based at least in part on the custom vulnerability check information. Responsive to a determination to initiate the scan of the one or more assets, transfer of the custom vulnerability check information to the particular distributed engine via one or more networks may be automatically initiated.
A software agent executing on a computing device receives a high-level command from a client and converts the high-level command into multiple low-level commands. The software agent executes each low-level command on the computing device and sends the result of executing that low-level command to the client, until every low-level command has been executed.
An anomaly detection system is disclosed that is capable of reporting anomalous processes or hosts in a computer network using machine learning models trained with unsupervised training techniques. In embodiments, the system assigns observed processes to a set of process categories based on the file system path of the program executed by the process. The system extracts a feature vector for each process or host from the observation records and applies the machine learning models to the feature vectors to determine an outlier metric for each process or host. The processes or hosts with the highest outlier metrics are reported as detected anomalies to be further examined by security analysts. In embodiments, the machine learning models may be periodically retrained on new observation records using unsupervised machine learning techniques. Accordingly, the system allows the models to learn from newly observed data without requiring the new data to be manually labeled by humans.
Embodiments of a transactional database system are described to implement transaction processing over database objects stored in a strongly consistent object storage system. When a transaction is initiated, the system makes a private copy of data objects that are used by the transaction. Reads and writes of the transaction will be performed on the private copy. When the transaction is to be committed, the system verifies that the committed state of the data objects has not changed outside the transaction, and updates metadata object(s) in the data storage system to point to the private copy as the currently committed state of the data objects. If the committed state of any data objects has changed during the transaction, the private copy is abandoned and the transaction is rolled back and/or retried.
Various embodiments include systems and methods to implement a process for determining expected exploitability of security vulnerabilities. Vulnerability information corresponding to a security vulnerability is input into a multi-headed neural network. A first feature vector is output via a probability of exploitation head of the multi-headed neural network. The first feature vector is extracted from the vulnerability information and comprises a first set of features. A second feature vector is extracted from code snippets and an abstract syntax tree analyzer, with the second feature vector including a second set of features related to the security vulnerability. The two feature vectors are concatenated to produce a third feature vector, and a regression model is used to determine a probability of exploitation for the security vulnerability based at least in part on the third feature vector.
A method for authenticated asset assessment is provided. The method involves executing a scan assistant on an asset to allow a remote scan engine to execute one or more scan operations on the asset for determining a state of the asset. The scan assistant may verify the identity of the scan engine by checking that a certificate received from the scan engine is signed with a private key associated with the scan engine. In some embodiments, the authentication may be performed as part of a TLS handshake process that establishes a TLS connection between the scan engine and the scan assistant. Once the scan engine is authenticated, the scan engine may communicate with the scan assistant according to a communication protocol to collect data about the asset. Advantageously, the disclosed technique reduces security risks associated with authenticated scans and improves the performance of authenticated scans.
Various embodiments include systems and methods of implementing automated assessment scheduling. A set of scheduling parameters may be received, including at least a frequency corresponding to how often assessments are to be completed via a particular automated assessment and a type of assessment to perform in the particular automated assessment. Based at least in part on the set of scheduling parameters, an assessment configuration may be generated. The assessment configuration includes a set of attributes defining how the particular automated assessment is to be performed. At least one scan engine resource of a set of scan engine resources may be identified for utilization in the particular automated assessment. Based at least in part on the assessment configuration and using the at least one scan engine resource, the particular automated assessment may be automatically initiated.
A database system stores a table as a set of column files in a columnar format in a manner that improves the write performance of the table and avoids the use of a separate metadata repository. In embodiments, each column file groups values into entity chunks indexed by an entity index. Each chunk includes a live value index that determines which rows in the chunk have live values. New values are written to the column file by appending an updated copy of the entity chunk. The entity index is updated to refer to the newly written chunk as the latest version. This approach avoids expensive in-place updating of individual column values and allows the update to be performed much more quickly. In embodiments, the database system encodes metadata such as table schema information using file naming and placement conventions in the file store, so that a centralized metadata repository is not required.
Various embodiments include systems and methods of anomalous data transfer detection. Hotspots for an asset of an organization may be determined, corresponding to period(s) of time in which outbound data from the asset satisfies a hotspot threshold determined to be indicative of high outbound data traffic activity. Based on the outbound data, a first set of days are identified as “quiet” day(s); a second set of days are identified as “active” day(s); and “quiet” hour(s) of the day, associated with “active” day(s), are identified. The “quiet” day(s) and the “quiet” hour(s) are identified as a warmspot dataset, which may be utilized to detect anomalous data transfer activity associated with the asset. Detecting the anomalous data transfer activity includes computing one or more statistics on the warmspot dataset. Responsive to detecting the anomalous data transfer activity, an alert associated with the asset may be generated.
G06F 7/08 - Sorting, i.e. arranging record carriers in numerical or other ordered sequence according to the classification of at least some of the information carried on the carriers
Various embodiments include systems and methods to implement predictive scan autoscaling by a security platform to predict scanning loads associated with computing resources. Predictive scan autoscaling may improve the security posture of computing resources by improving the speed by which a security platform may scan for threats of a cyberattack. The security platform may predict scanning loads based on data indicative of previous scanning loads over one or more periods of time. The security platform may combine predicted scanning loads with requests for scans received from various client networks.
Various embodiments include systems and methods to implement a password requirement conformity check. During a password reset process, a proposed password is received. A homomorphic encryption operation may be performed on the proposed password to generate a first character string. The first character string may be compared to a previous character string associated with a previous password to determine a password similarity metric. The password similarity metric may or may not satisfy at least a distance threshold. Responsive to determining that the password similarity metric does not satisfy the distance threshold, there may be a rejection of the proposed password and a prompt to receive an alternative proposed password during the password reset process.
42 - Scientific, technological and industrial services, research and design
Goods and services
Installation of computer software for network and
application security in the areas of network vulnerability
exploitation, network vulnerability management and
assessment, and network remediation management; computer
consultation in the field of computer security risks,
computer network security risks, and internet security
risks; computer and internet security testing services to
determine and identify information and network security
vulnerabilities and risks and help to prioritize
remediations; computer network security services, namely,
assessing, auditing, and monitoring network vulnerabilities
and security risks and reporting thereon; computer system
analysis services for installation of computer systems;
providing temporary use of online non-downloadable computer
software for use in detecting, analyzing, and prioritizing
cyber computer threats and vulnerabilities; software as a
service (SAAS) services featuring software for use in
detecting, analyzing, and prioritizing cyber computer
threats and vulnerabilities; design and development of
electronic data security systems; computer security threat
analysis for protecting data; development of software for
secure network operations; computer security consultancy,
namely, scanning, auditing and monitoring computer systems
and networks for vulnerabilities and other security risks;
computer security consultancy, namely, scanning, auditing,
analyzing, measuring, and monitoring computer systems and
networks for vulnerabilities, security threats, and other
cybersecurity risks; security risk assessment and response
and managed security threat detection in on-premises,
hosted, hybrid, and cloud computing environments;
maintenance of computer software relating to computer
security and prevention of computer risks; providing
temporary use of non-downloadable software and applications
for collecting, analyzing, evaluating, monitoring, and
transmitting data in the fields of compliance, network
security, enterprise security, and maintenance; providing
temporary use of non-downloadable software and applications
for detecting fraudulent transactions and activities;
providing temporary use of non-downloadable software and
applications for investigating, remediating, and responding
to fraud and to network and enterprise threat incidents;
providing temporary use of non-downloadable software and
applications for troubleshooting, diagnosing, and protecting
computer software, hardware, networks, virtual machines, and
operational technology; providing temporary use of
non-downloadable software and applications for use in
analyzing and monitoring computer networks; providing
temporary use of non-downloadable software and applications
for diagnosing industrial and business performance issues;
providing temporary use of non-downloadable software and
applications in the field of application analytics;
providing temporary use of non-downloadable software and
applications for providing operational intelligence,
business analytics, security information, and
troubleshooting based on data; providing temporary use of
non-downloadable data mining software; consulting in the
field of information technology relating to installation,
maintenance and repair of computer software; technical
consulting services in the fields of datacenter
architecture, public and private cloud computing solutions,
and evaluation and implementation of information technology
and services; technical support services, namely, remote and
on-site infrastructure management services for monitoring,
administration and management of public and private cloud
computing and information technology systems.
65.
Using discovered uniform resource identifier information to perform exploitation testing
A Uniform Resource Identifier (URI) discovery system is implemented that evaluates web configuration servers obtained from web servers to determine the existence and configuration of URIs hosted by the web servers. To discover URIs, the URI discovery system may obtain web server configuration files, and other metadata, from collection agents executing on web servers. The web server configuration files may then be parsed to evaluate the combinations of hosts, paths, and ports for the web server that may correspond to respective URIs. A URI discovery result may then be generated that describes the discovered URIs and includes configurations of the different URIs. The URI discovery result may be stored in an entry for the web server.
G06F 16/00 - Information retrieval; Database structures therefor; File system structures therefor
G06F 16/951 - Indexing; Web crawling techniques
G06F 16/9538 - Presentation of query results
G06F 16/955 - Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
68.
HASHING TECHNIQUES FOR ASSOCIATING ASSETS RELATED TO EVENTS WITH ADDRESSABLE COMPUTER NETWORK ASSETS
Techniques for associating assets related to events detected in at least one computer network with respective assets in an asset catalog for the at least one computer network. The techniques comprising: obtaining information about an event related to a first asset, the information specifying computer network addressing information for the first asset; generating a signature of the first asset from the computer network addressing information using at least one trained machine learning model, wherein the signature comprises a numeric representation of the first asset; associating the first asset with at least one asset in the asset catalog using the signature and at least one signature of the at least one asset in the asset catalog, wherein the at least one signature was previously determined using the at least one trained machine learning model; and outputting information identifying the at least one asset with which the first asset was associated.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
H04L 41/06 - Management of faults, events, alarms or notifications
H04L 41/12 - Discovery or management of network topologies
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
Various embodiments include systems and methods of assessing vendor risk. One or more sets of IP address(es) associated with one or more vendors is identified. Risk data related to the set(s) of IP address(es) is obtained using internet telemetry data. Based at least in part on the risk data, security risk level(s) are determined for the vendor(s). Some embodiments include systems and methods of implementing a vendor-based risk posture assessment of an organization. The vendor-based risk posture assessment may be based at least in part on one or more security risk levels determined for the vendor(s) of the organization.
A method for authenticated asset assessment is provided. The method includes authenticating, by a scan assistant, a scan engine with the scan assistant for executing one or more scan operations on the asset to determine a state of the asset. The asset includes at least one computing resource. The method also includes receiving, by the scan assistant, a plurality of scan requests associated with the one or more scan operations from the scan engine. The method further includes responding, by the scan assistant, to at least one scan request of the plurality of scan requests by transmitting one or more scan responses to the scan engine after receiving the plurality of scan requests. The scan assistant and the scan engine implement an asynchronous communication protocol that permits the scan engine to send the scan requests without waiting for scan responses for previous scan requests.
A method for asset assessment is provided. The method includes receiving, by a scan engine, an event message from a scan assistant associated with an asset of a network system. The asset includes at least one computing resource. The event message includes an indication of one or more events associated with the asset. The method also includes responsive to receiving the event message, transmitting, by the scan engine, a request to the scan assistant for executing one or more scan operations on the asset and to determine a state of the asset based on at least one of an amount of available network resources or a schedule associated with the asset. The method further includes executing, by the scan engine, the one or more scan operations on the asset after transmitting the request.
H04L 9/00 - Arrangements for secret or secure communications; Network security protocols
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
Various embodiments include systems and methods of implementing a machine learning model for calculating confidence scores associated with potential security vulnerabilities. The machine learning model is trained using vulnerability data associated with a set of previously identified vulnerabilities, where the vulnerability data indicates whether a previously identified vulnerability is a true positive or a false positive. In some embodiments, scan traffic data may be obtained. The scan traffic data may be associated with potential security vulnerabilities detected via scan engine(s) that implement application security testing. The machine learning model may be used to determine respective confidence scores for each potential security vulnerability. According to some embodiments, responsive to a request for scan findings associated with a particular application, the respective confidence scores may be displayed via a vulnerability analysis graphical user interface.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
A software agent executing on a computing device receives a request from a client to provide data associated with neighboring devices to the computing device. The client includes a scan engine to perform a network scan of a network that includes the computing device. The software agent accesses device data in a cache of an operating system command, determines, based on the device data, an identifier associated with each device that is neighboring the computing device, converts the device data into a standardized format to create neighboring device data, and sends the neighboring device data to the client.
Various embodiments include systems and methods of anomalous data transfer detection, including determining hotspots for an asset of an organization. The hotspots correspond to one or more periods of time in which outbound data from the asset satisfies a hotspot threshold determined to be indicative of high outbound data traffic activity. A subset of data that does not correspond to the hotspots is filtered out from the outbound data. The remaining data corresponds to a hotspot dataset associated with the hotspots. The hotspot dataset may be utilized to detect anomalous data transfer activity associated with the asset. Detecting the anomalous data transfer activity includes computing one or more statistics on the hotspot dataset. Responsive to detecting the anomalous data transfer activity, an alert associated with the asset may be generated.
Various embodiments include systems and methods to implement predictive scan autoscaling using cluster-based prediction models by a security platform to predict scanning loads associated with computing resources. Predictive scan autoscaling using cluster-based prediction models may improve the security posture of computing resources by improving the speed by which a security platform may scan for threats of a cyberattack. The security platform may predict scanning loads based on data indicative of previous scanning loads over one or more periods of time for clusters of similar client networks, where similarity may be based on a comparison of deployment assets. The security platform may combine predicted scanning loads with requests for scans received from various client networks.
An automated login framework for dynamic application security testing is disclosed. A web application executing on a computing device is accessed and an automated login framework (ALF) is injected into an onload event of a web browser associated with the web application. The ALF is then accessed with a credential associated with the web application. A login page associated with the application is identified by matching links or buttons with a user-defined regular expression and a user-defined wordlist. Then, a login form in the login page is detected by executing a signature technique, a dictionary technique, and a multistep signature technique. The login form is populated using the credential and submitted for authentication, and a status with a confidence score is received indicating whether the authentication was successful or failed.
Various embodiments include systems and methods to implement a graph analysis-based assessment to determine relative node significance. Network traffic data associated with a network may be obtained. A graph analysis-based assessment of the network may be performed to determine network traffic paths between a plurality of nodes in the network based at least in part on the network traffic data and to calculate, for each node and based at least in part on the network traffic paths, a respective centrality value. The respective centrality value may be indicative of a respective node being a potential source of disruption to the network relative to other nodes. At least one significant node in the network may be identified based at least in part on the centrality values, and a particular action to be performed with respect to the at least one significant node may be determined.
Some embodiments provide a vulnerability data processing system that uses machine learning (ML) to identify anomalous vulnerability data among vulnerability data acquired for configuring vulnerability detection of a computer network security system configured to monitor a computing environment. The system obtains vulnerability data that comprises values of a vulnerability parameter. The system generates datapoints representing values of the vulnerability parameter included in the obtained vulnerability data. The system clusters the datapoints to obtain vulnerability parameter clusters. The system identifies anomalous vulnerability data using the vulnerability parameter clusters.
Various embodiments include systems and methods of implementing vulnerability check synchronization. Vulnerability check synchronization may occur between computing resources at multiple different locations including a first location and a second location. Custom vulnerability check information associated with a particular security vulnerability may be received via a security console user interface that is located at the first location. A selection may be received, via the security console user interface, of a particular distributed engine to be utilized to perform a scan of one or more assets based at least in part on the custom vulnerability check information. Responsive to a determination to initiate the scan of the one or more assets, transfer of the custom vulnerability check information to the particular distributed engine via one or more networks may be automatically initiated.
A method for authenticated asset assessment is provided. The method involves executing a scan assistant on an asset to allow a remote scan engine to execute one or more scan operations on the asset for determining a state of the asset. The scan assistant may verify the identity of the scan engine by checking that a certificate received from the scan engine is signed with a private key associated with the scan engine. In some embodiments, the authentication may be performed as part of a TLS handshake process that establishes a TLS connection between the scan engine and the scan assistant. Once the scan engine is authenticated, the scan engine may communicate with the scan assistant according to a communication protocol to collect data about the asset. Advantageously, the disclosed technique reduces security risks associated with authenticated scans and improves the performance of authenticated scans.
Disclosed herein are methods, systems, processes, and machine-learned models for performing opinionated threat assessments for cybersecurity vulnerabilities. An opinionated threat assessment system is implemented that obtains a training dataset that includes a codified opinionated threat assessment for security vulnerabilities. The codified opinionated threat assessment in the training dataset includes intrinsic attributes for the security vulnerabilities and subject attributes about the security vulnerabilities. The opinionated threat assessment system trains an opinionated threat assessment model using the training dataset and according to a machine learning technique, where the training tunes the opinionated threat assessment model to generate a machine-learned opinionated threat assessment for a new security vulnerability based on new intrinsic attributes associated with the new security vulnerability.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
G06N 5/04 - Inference or reasoning models
Disclosed herein are systems, methods, and processes for a machine learned alert triaging classification (ATC) system that uses machine learning techniques to generate an alert triage classification model that can be trained and deployed in modern security operation centers to optimize alert triaging and cyber threat classification. A training dataset of classified records is obtained. Each classified record in the training dataset includes detection characteristics data of a set of machines and threat classification results produced by performing alert triage classification of detection messages associated with the set of machines. An ATC model is trained using the training dataset according to a machine learning technique. The training tunes the ATC model to classify, based on at least the detection characteristics data, a new detection message associated with a machine from the set of machines as a threat or as not a threat.
Various embodiments include systems and methods of implementing radio frequency (RF) capture analysis reporting. The implementing may include receiving RF data captured by RF capture component(s) positioned at location(s) within a physical environment. The captured RF data includes RF device metrics associated with RF device(s) identified by the RF capture component(s) as being located within the physical environment. One or more analysis operations may be performed with respect to the RF device(s) based at least in part on the RF device metrics. Based at least in part on a result of the analysis operation(s), a potential security vulnerability associated with a particular RF device may be identified. A report may be generated that identifies at least the potential security vulnerability associated with the particular RF device.
Systems and methods are disclosed to implement a network data interpretation pipeline to recognize machine operations (MOs) and machine activities (MAs) from network traffic data observed in a monitored network. In embodiments, an MO recognition engine is implemented in the network to recognize MOs from network sensor events (NSEs) based on defined recognition patterns. The MOs and any unrecognized NSEs are uploaded to a network monitoring system, where they are further analyzed by an MA recognition engine to recognize higher-level machine activities performed by machines. The NSEs, MOs, and MAs are used by the network monitoring system to implement a variety of security threat detection processes. Advantageously, the pipeline may be used to add rich contextual information about the raw network data to facilitate security threat detection processes. Additionally, the MOs and MAs can be used to present the raw network data in a variety of intuitive user interfaces.
Various embodiments include systems and methods of implementing automated assessment scheduling. A particular automated assessment may be automatically performed based at least in part on an assessment configuration and scan engine resource(s) of an organization. Based at least in part on performance of the particular automated assessment, a scan engine utilization assessment may be performed to determine a scan engine utilization value that represents utilization of the scan engine resource(s) with respect to resource requirements that are based at least in part on a set of attributes of the assessment configuration. Based at least in part on the scan engine utilization assessment, a particular resource utilization recommendation may be generated. The particular resource utilization recommendation may correspond to a first resource utilization recommendation to allocate additional scan engine resources or a second resource utilization recommendation to allocate fewer scan engine resources.
Various embodiments include systems and methods pertaining to a network sensor host configured to implement a receive side scaling (RSS) configuration component in a security environment. The RSS configuration component may be used to automatically generate an RSS configuration comprising one or more settings customized for the network sensor host based at least in part on hardware information of the network sensor host. In some embodiments, the RSS configuration may be applied to change settings of a network interface driver of the network sensor host, e.g., to implement RSS and multithreading for network sensor tasks.
Various embodiments include systems and methods to implement network scanner timeouts based at least in part on historical network conditions. The implementing comprises initiating, using one or more network scanners and according to a first set of timeout parameters, a first security assessment of one or more scan targets in a network, wherein the first set of timeout parameters comprises a first initial round trip time (RTT)-timeout parameter value to which a dynamic RTT-timeout value is initially set. The implementing comprises determining a first set of RTT statistics for the first security assessment. The implementing comprises determining, based at least in part on the first set of RTT statistics, a second set of timeout parameters for a second security assessment of the one or more scan targets. The implementing comprises initiating, according to the second set of timeout parameters, the second security assessment of the one or more scan targets.
Various embodiments include systems and methods to implement processing of web content for vulnerability assessments. A plurality of documents comprising web content may be obtained from multiple different web sources, and the documents may be parsed to determine a set of discrete document chunks. Parsing the documents includes determining whether a document satisfies a segmentation condition for segmenting the document into multiple discrete document chunks using a named-entity recognition system configured to segment the document based at least in part on a vulnerability identification. The discrete document chunks may be stored in a database, where vulnerability information is indexed such that each respective entry in the database corresponds to a respective vulnerability identification and a respective discrete document chunk.
Disclosed herein are methods, systems, and processes for accepting and servicing interface agnostic validated unified platform queries. A request for shared data associated with web applications received from a user interface that is rendered by a client based on a specification is intercepted. The request is forwarded to a unified application programming interface (API) instead of a disparate unique API associated with the web applications. The request from the client is authenticated externally using the unified API and the request for the shared data is authorized to be displayed in the user interface based on the unified API instead of the specification.
G06F 16/9538 - Presentation of query results
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Various embodiments include systems and methods of automated scan engine assignment. Responsive to determining to initiate a scan of a target asset, a scan engine assignment strategy may be determined for automatically assigning one or more scan engines to perform the scan. Determining the scan engine assignment strategy may include implementing a strategy selection scheme that defines a hierarchy of scan engine assignment strategies, which may include at least one of a passive discovery strategy, an active discovery strategy, or a scan engine subnet strategy. Using the scan engine assignment strategy, the one or more scan engines may be automatically assigned to perform the scan. The scan may be performed using the one or more scan engines.
Various embodiments include systems and methods of implementing a machine learning model for calculating confidence scores associated with potential security vulnerabilities. The machine learning model is trained using vulnerability data associated with a set of previously identified vulnerabilities, where the vulnerability data indicates whether a previously identified vulnerability is a true positive or a false positive. In some embodiments, scan traffic data may be obtained. The scan traffic data may be associated with potential security vulnerabilities detected via scan engine(s) that implement application security testing. The machine learning model may be used to determine respective confidence scores for each potential security vulnerability. According to some embodiments, responsive to a request for scan findings associated with a particular application, the respective confidence scores may be displayed via a vulnerability analysis graphical user interface.
H04L 29/04 - Communication control; Communication processing for plural communication lines
G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
Various embodiments include systems and methods of anomalous data transfer detection, including determining hotspots for an asset of an organization. The hotspots correspond to one or more periods of time in which outbound data from the asset satisfies a hotspot threshold determined to be indicative of high outbound data traffic activity. A subset of data that does not correspond to the hotspots is filtered out from the outbound data. The remaining data corresponds to a hotspot dataset associated with the hotspots. The hotspot dataset may be utilized to detect anomalous data transfer activity associated with the asset. Detecting the anomalous data transfer activity includes computing one or more statistics on the hotspot dataset. Responsive to detecting the anomalous data transfer activity, an alert associated with the asset may be generated.
A software agent executing on a computing device receives a request from a client to provide data associated with neighboring devices to the computing device. The client includes a scan engine to perform a network scan of a network that includes the computing device. The software agent accesses device data in a cache of an operating system command, determines, based on the device data, an identifier associated with each device that is neighboring the computing device, converts the device data into a standardized format to create neighboring device data, and sends the neighboring device data to the client.
Disclosed herein are methods, systems, and processes for performing optimized batched packet processing in deep packet inspection (DPI) computing systems. A batch of network packets is received. A stateless processing operation is performed for the batch that includes updating a current time for the batch, decoding the network packets in the batch, creating a flow-hash lookup key for each decoded network packet, and generating a first output that includes the current time and corresponding flow-hash lookup keys for the decoded network packets. Next, a stateful processing operation is performed for the batch that includes accessing the first output of the stateless processing operation, dividing the batch into multiple sub-batches, performing a parallel flow-hash table lookup operation on the network packets that are part of the sub-batches, and generating a second output that includes the sub-batches with associated packet flows. Finally, a batch-optimized DPI processing operation is performed that includes accessing the second output of the stateful processing operation and performing the DPI processing operation on a per-packet basis or on a per-flow basis.
H04L 43/028 - Capturing monitoring data by filtering
H04L 69/16 - Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]