A cyber threat defense system can incorporate data from a Software-as-a-Service (SaaS) application hosted by a third-party operator platform to identify cyber threats related to that SaaS application. The cyber threat defense module can have a SaaS module to collect third-party event data from the third-party operator platform. The cyber threat defense system can have a comparison module to compare third-party event data for a network entity to at least one machine-learning model of a network entity using a normal behavior benchmark to spot behavior deviating from normal benign behavior. The comparison module can identify whether the network entity is in a breach state. The cyber threat defense system can have a cyber threat module to identify whether the breach state and a chain of relevant behavioral parameters correspond to a cyber threat. An autonomous response module can execute an autonomous response in response to the cyber threat.
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, comprising specially adapted graphical user interfaces [GUI]
H04L 43/045 - Processing captured monitoring data, e.g. for logfile generation, for graphical visualisation of monitoring data
H04L 51/212 - Monitoring or handling of messages using filtering or selective blocking
H04L 51/224 - Monitoring or handling of messages providing notification on incoming messages, e.g. pushed notifications of received messages
H04L 51/42 - Mailbox-related aspects, e.g. synchronisation of mailboxes
2.
VOICE CLONING DETECTION AND TRAINING SYSTEM FOR A CYBER SECURITY SYSTEM
A cyber security system that protects against cyber threats including a synthetic clone of a voice of a speaker can include several components. A deep learning model is trained to analyze an audio file and produce one or more embeddings of the audio file. One or more AI classifiers are trained to analyze the one or more embeddings of the audio file from the deep learning model to determine whether it is likely that the voice of the speaker engaging with a user is real or the synthetic clone of the voice of the speaker. The voice clone detection bot can be resident on a computing device of the user and can integrate with different sources of audio data on the computing device of the user in order to collect the audio file containing an attempt to synthetically clone the voice of the speaker protected by the cyber security system.
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G10L 13/027 - Concept-to-speech synthesisers; Generation of natural phrases from machine-based concepts
G10L 17/02 - Preprocessing operations, e.g. segment selection; Pattern representation or modelling, e.g. based on linear discriminant analysis [LDA] or principal components; Feature selection or extraction
G10L 17/04 - Training, enrolment or model building
G10L 17/06 - Decision making techniques; Pattern matching strategies
G10L 17/26 - Recognition of special voice characteristics, e.g. for use in lie detectors; Recognition of animal voices
3.
VOICE CLONING DETECTION AND TRAINING SYSTEM FOR A CYBER SECURITY SYSTEM
A cyber security system that protects against cyber threats including a synthetic clone of a voice of a speaker can include several components. A deep learning model is trained to analyze an audio file and produce one or more embeddings of the audio file. One or more AI classifiers are trained to analyze the one or more embeddings of the audio file from the deep learning model to determine whether it is likely that the voice of the speaker engaging with a user is real or the synthetic clone of the voice of the speaker. The voice clone detection bot can be resident on a computing device of the user and can integrate with different sources of audio data on the computing device of the user in order to collect the audio file containing an attempt to synthetically clone the voice of the speaker protected by the cyber security system.
G10L 17/06 - Decision making techniques; Pattern matching strategies
G10L 17/26 - Recognition of special voice characteristics, e.g. for use in lie detectors; Recognition of animal voices
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06N 3/04 - Architecture, e.g. interconnection topology
G10L 15/06 - Creation of reference templates; Training of speech recognition systems, e.g. adaptation to the characteristics of the speaker's voice
G10L 15/16 - Speech classification or search using artificial neural networks
G10L 15/18 - Speech classification or search using natural language modelling
G10L 17/04 - Training, enrolment or model building
G10L 25/30 - Speech or voice analysis techniques not restricted to a single one of the groups, characterised by the analysis technique, using neural networks
G10L 25/51 - Speech or voice analysis techniques not restricted to a single one of the groups, specially adapted for particular use, for comparison or discrimination
4.
CLOUD-BASED CYBER SECURITY AND METHODS OF OPERATION
A cyber security system is adapted to contextualize and visualize cloud architectures featuring ephemeral cloud assets with generation of a cloud asset remediation plan to group alerts for handling based on security team responsibilities.
A cyber threat defense system is provided comprising: a processing component; and a non-transitory computer readable medium including one or more software modules accessible by the processing component, the one or more software modules comprising: a vehicle module configured to receive data from a first vehicle and a second vehicle and reference one or more machine-learning models using machine-learning and artificial intelligence (AI) algorithms, the one or more machine-learning models including a first machine-learning model trained on a normal pattern of life associated with the first vehicle and the second vehicle, and a comparator module configured to cooperate with the vehicle module to compare data received from the first vehicle and the second vehicle to the normal pattern of life associated with the first vehicle and the second vehicle to detect anomalies representing a cyber threat within the first vehicle or the second vehicle. A corresponding method and non-transitory computer readable medium are also provided.
H04W 4/46 - Services specially adapted for particular environments, situations or purposes, for vehicles, e.g. vehicle-to-pedestrian communication, for vehicle-to-vehicle communication
H04W 12/00 - Security arrangements; Authentication; Protecting privacy or anonymity
An analyzer module determines whether a file under analysis is likely malicious or not malicious. A transformation module analyzes the file under analysis in order i) to generate a representation of the file under analysis that includes a simplified summary of information in and behavioral properties about the file under analysis and ii) then to feed the representation of the file under analysis into the LLM. The LLM is trained with MLM to create a semantic understanding of the file that creates a depiction of the file that retains multiple aspects of the information in and behavioral properties about the file as an embedding, in a space that allows the analyzer module to determine whether the file is likely malicious or not malicious via how closely the file under analysis as an embedding is related to a known malicious file or a known not malicious file with similar information and behavioral properties.
A computer-implemented method of updating a set of clusters representative of a classification of a text-based dataset into a plurality of different text types for use in a cyber security system is described as part of a classification pipeline. The method comprises receiving text data associated with an entity. The method further comprises generating one or more vector embeddings representative of the text data. The method further comprises using incremental learning to update the set of clusters based on the one or more vector embeddings.
A coordinator module, a cyber threat analyst module, and AI models trained to model a normal pattern of life for entities in a wireless domain and a normal pattern of life for entities in a second domain cooperate with a combination of wireless sensors with RF protocol adapters to monitor and analyze wireless activity and probes to monitor activity in the second domain, in order to analyze an anomaly of interest in a wider view of another domain's activity. These modules and models understand and assess the wireless activity and the activity from the second domain in light of the AI models modelling the pattern of life for entities in the wireless domain and/or in the second domain, in order to detect a cyber threat indicated at least by the anomaly of interest. A formatting model generates an alert and/or a report.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, comprising specially adapted graphical user interfaces [GUI]
10.
USER AGENT INFERENCE AND ACTIVE ENDPOINT FINGERPRINTING FOR ENCRYPTED CONNECTIONS
A cyber security appliance can inoculate a fleet of network devices by analyzing each endpoint of a secure connection. The appliance can receive a hostname for a malicious web server. The appliance can generate an unencrypted target fingerprint based on sending a series of unencrypted connection protocol requests to the malicious web server and an encrypted target fingerprint based on sending a series of encrypted secure connection protocol requests to the malicious web server. The appliance can build a combined web server fingerprint for the malicious web server based on both the derived encrypted target fingerprint and the unencrypted target fingerprint. The appliance can determine a set of suspicious IP addresses based on the combined web server fingerprint for the malicious web server. The appliance can inoculate a fleet of network devices against a cyberattack by using the IP addresses to preemptively alert the fleet of the cyberattack.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, comprising specially adapted graphical user interfaces [GUI]
An apparatus comprises a cyber security restoration engine configured to restore an asset in a computing network that is involved in a cyberattack to a trusted operational state and prioritize remediation actions for the asset in the computing network. The cyber security restoration engine is configured to receive an indication that the asset in the computing network is involved in a cyber security scenario. The cyber security restoration engine is further configured to identify, based on a property of the asset, an ordered set of instructions forming a playbook that applies to the asset to at least partially address the cyber security scenario.
G06F 21/50 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
An apparatus comprises a cyber threat autonomous response engine configured to control connectivity between a first computing device and a second computing device and take one or more actions to mitigate a cyber threat. The cyber threat autonomous response engine is configured to determine that a connection between a first computing device and a second computing device needs to be modified. The cyber threat autonomous response engine is further configured to identify an indicator in a message transmitted via the connection in accordance with a communication protocol. The cyber threat autonomous response engine is further configured to determine, based on the indicator and knowledge about a previously observed sequence of messages communicated between the first computing device and the second computing device in accordance with the communication protocol, a plurality of triggers to be sent to one or both of the first computing device and the second computing device to modify the connection. The cyber threat autonomous response engine is further configured to cause the plurality of triggers to be sent.
An apparatus comprises a cyber security restoration engine configured to simulate an asset of a computing network that is involved in a simulated cyberattack. The cyber security restoration engine is configured to generate data representative of a simulated cyber security scenario involving the asset of the computing network. The simulated cyber security scenario is derived from a real world cyber security scenario mapped to the asset.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
A security awareness training system can include a recognition module, a mapping module, a customized training module, and an authentication module. The recognition module can detect when behavioral activity by an end user on an endpoint device creates one or more of i) a model breach indicative of a potential cyber threat and ii) a violation of a network policy, an email policy, or a cloud policy. The authentication module can cooperate with the recognition module to provide just-in-time cyber security awareness training on a display screen of the endpoint device associated with that specific end user, at a time when the behavioral activity by the end user on the endpoint device creates the one or more of i) the model breach indicative of the potential cyber threat and ii) the violation of the network policy, the email policy, or the cloud policy. The authentication module can cooperate with a mapping module and a customized training module to provide the just-in-time cyber security awareness training on the endpoint device associated with that specific end user at the time when the behavioral activity by the end user on the endpoint device triggers a need for the cyber security awareness training, which causes more relevant and better learning for the end user. The mapping module can correlate the just-in-time cyber security awareness training to the behavioral activity by the end user on the endpoint device that created the model breach and/or the violation.
Disclosed herein is a method for use in detection of anomalous behavior of a device of a computer system. The method is arranged to be performed by a processing system. The method includes deriving values, m1, . . . , mN, of a metric, M, representative of data associated with the device; modeling a distribution of the values; and determining, in accordance with the distribution of the values, the probability of observing a more extreme value of the metric than a given value, m, of the metric, wherein the probability is used to determine whether the device is behaving anomalously. Also disclosed are an equivalent computer readable medium and an anomalous behavior detection system.
Cybersecurity components configured to cooperate with LLMs including i) a cyber security appliance with a cyber threat detect engine to detect a cyber threat, ii) a proactive threat notification service, iii) a cyber threat autonomous response engine, iv) a cyberattack simulator, v) a cyber-attack restoration engine, and vi) an artificial intelligence-based cyber threat analyst module. The LLMs are configured to communicate and cooperate with the one or more cybersecurity components via one or more Application Program Interfaces (APIs) to receive cyber security information being produced by the one or more of the cybersecurity components and then to apply language generation functionality in order to assist a human in an understanding of the cyber security information being produced by the cybersecurity components, and then also to provide recommendations to prioritize breaches over other breaches in a native human friendly format for the human.
G06F 40/58 - Use of machine translation, e.g. for multi-lingual retrieval, for server-side translation for client devices or for real-time translation
17.
SYSTEM AND METHOD FOR UTILIZING LARGE LANGUAGE MODELS AS A LOGICAL COMPONENT TO ENHANCE REACTIVE AND PROACTIVE SECURITY WITHIN A CYBERSECURITY SYSTEM
An orchestration component implemented within a cybersecurity system and operating in concert with a cybersecurity appliance to enhance cyber threat detection or a response to a cyber threat detected by the cybersecurity appliance is described. The orchestration component comprises a threat landscape analysis module configured to operate with a first large language model to (i) analyze threat landscape data received from one or more external sources and (ii) identify threat technique data associated with one or more cyber threats included within the threat landscape data. The orchestration component further comprises a data store adapted to maintain the threat technique data identified by the threat landscape analysis module, and an action severity module configured to adjust a sensitivity of a cyber threat detection engine of the cybersecurity appliance in monitoring for the one or more cyber threats represented by the threat technique data.
SYSTEM AND METHOD FOR UTILIZING LARGE LANGUAGE MODELS FOR MITIGATION OF CYBER THREATS AND REMEDIATION OR RESTORATION OF FUNCTIONALITY OF A CYBERSECURITY SYSTEM
A system operating with a cybersecurity system to enhance cyber threat detection is described. The system features first and second orchestrator modules. The first orchestrator module includes at least a first large language model and is configured to perform artificial intelligence-based simulations of cyber-attacks to determine (i) how a simulated cyber-attack might occur in a selected computing device and (ii) how to use simulated cyber-attack information to preempt possible escalations of an ongoing actual cyber-attack. The second orchestrator module includes at least a second large language model and is configured to (i) perform a remediation task to correct one or more misconfigurations in one or more components associated with the cybersecurity system and (ii) return the one or more components back to a trusted operational state.
An interactive cyber-security user-interface for cybersecurity components can receive i) a voice input from a user as well as ii) a text input as a user input. The interactive cyber-security user-interface works with a set of differently trained LLMs to carry out tasks on behalf of the user input. The interactive cyber-security user-interface cooperates with the set of differently trained LLMs, which are grouped together to operate as an orchestrated system to provide different tasks. The tasks can include a collection of supplementary information, a summarization of cyber security information, translating a query in the natural human speech format into the required search syntax, how to integrate with an API, acting as a first line of support to user inquiries, a suggested response to a cyber security issue, etc. The interactive cyber-security user-interface for the cybersecurity components acts as the user interface for one or more of the cybersecurity components.
G06N 5/04 - Inferencing or reasoning models
G06F 21/50 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
G06F 21/55 - Detecting local intrusion or implementing counter-measures
21.
SYSTEM AND METHOD FOR UTILIZING LARGE LANGUAGE MODELS AND NATURAL LANGUAGE PROCESSING TECHNOLOGIES TO PRE-PROCESS AND ANALYZE DATA TO IMPROVE DETECTION OF CYBER THREATS
A cybersecurity system for enhancing detection of cyber threats through use of one or more Large Language Models (LLMs) is described. Herein, the LLMs are configured to generate one or more structured elements that operate as a complex filter for automatically extracting salient data from data received from one or more external sources for training of Artificial Intelligence (AI) models. Additionally, the LLMs are further configured to correlate multiple user credentials associated with different platforms to identify a common user to enhance training of the AI models and anonymize at least personally identifiable information (PII) data prior to training of the AI models.
A cybersecurity system for adjusting content within an Artificial Intelligence (AI) model or creating a new AI model based on analysis of a model breach alert is described. The cybersecurity system features a model health analysis component and a model refinement component. The model health analysis component is configured to analyze content associated with a model breach alert. Communicatively coupled to the model health analysis component, the model refinement component is configured to receive analytic results from the model health analysis component. Based on the analytic results, the model refinement component determines adjustments to the threshold associated with the AI model or generates a new AI model in substitution of the AI model to avoid an over-breaching condition or improve cyber threat detection.
A synthetic cyberattack tool uses a generative AI component to assist in generating a synthetic cyberattack by a cyber threat to produce one or more cybersecurity incidents and/or events. The synthetic cyberattack tool uses the generative AI component also to provide an analysis and an explanation for a purpose of providing cyber security training to at least one of an end user of a network and a cyber security team member for the network in a mimic network. The synthetic cyberattack tool orchestrates the synthetic cyberattack and derives the synthetic cyberattack from real world cyberattacks and the wargaming cyberattack exercise from real world behaviors of the end user and/or the cyber security team member as well as the architecture and policies implemented in the real world network. A user interface component displays both results of testing in the wargaming cyberattack exercise along with an explainability on the synthetic cyberattack.
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
24.
CYBER SECURITY TRAINING TOOL THAT USES A LARGE LANGUAGE MODEL
The cyber security training tool has a natural language processor and a large language model to be able to analyze both i) a synthetic cyberattack in a mimic network corresponding to a real world network as well as ii) a real cyberattack in the real world network. The cyber security training tool can then provide analysis and an explanation as to why machine learning identified the synthetic cyberattack and/or the real cyberattack as a cyber threat for a purpose of providing cyber security training to at least one of i) an end user of the real world network and ii) a cyber security team member for the real world network. The cyber security training tool further has a user interface component to display security awareness training for the synthetic cyberattack and/or the real cyberattack, and to show the end user and/or the cyber security team member an understanding of the machine learning of the synthetic cyberattack and/or the real cyberattack displayed in the user interface component.
In an embodiment, an apparatus is described. The apparatus comprises an appliance extension configured to perform functions with i) a monitoring module configured to monitor metrics and receive alerts regarding potential cyber threats on a system including an email system, ii) an investigative module configured to retrieve the metrics and alerts, and iii) a remote response module configured to observe the metrics and alerts and send one or more control signals to an autonomous response module to take one or more actions to counter one or more detected cyber threats on the system remotely from the appliance extension. The appliance extension is configured to display one or more of the metrics, alerts, and one or more actions of the remote response module on an interactive user interface, the interactive user interface being configured to receive one or more user inputs from a user to control or modify the one or more actions, where the appliance extension is further configured to provide a secure extension of a second user interface of a cyber security appliance installed in the system.
An autonomous email-report composer composes a type of report on cyber threats in a human-readable format with natural language prose, terminology, and a level of detail on the cyber threats aimed at a target audience. The autonomous email-report composer cooperates with libraries of prewritten text templates with i) standard pre-written sentences written in the natural language prose and ii) prewritten text templates with fillable blanks that are populated with data on the cyber threats specific to the current report being composed, where a template for the type of report contains two or more sections, each section having different standard pre-written sentences written in the natural language prose.
An expert interface component can automatically connect a system user with a system support expert. A user interface module can present a threat-tracking graphical user interface and a query interface component integrated into the threat-tracking graphical user interface to a system user belonging to a client team to review a potential cyber threat and receive a query for assistance. The query interface component can allow the system user to digitally grab a visual data container displaying information and containing a data object. The query interface component can collect the visual data container from the threat-tracking graphical user interface into a collection window of the query interface component. A communication module provides an incident ticket containing the query and the visual data container to a system support expert at a remote platform.
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, comprising specially adapted graphical user interfaces [GUI]
H04L 43/045 - Processing captured monitoring data, e.g. for logfile generation, for graphical visualisation of monitoring data
H04L 51/212 - Monitoring or handling of messages using filtering or selective blocking
H04L 51/224 - Monitoring or handling of messages providing notification on incoming messages, e.g. pushed notifications of received messages
H04L 51/42 - Mailbox-related aspects, e.g. synchronisation of mailboxes
Cyber threat defense systems and methods are provided. The system includes a network module, an analyzer module and a classifier. The network module ingests network data, which is provided to one or more machine learning models included in the analyzer module. Each machine learning model identifies metrics associated with the network data and outputs a score indicative of whether anomalous network data metrics are caused by a cyber threat. These output scores are provided to the classifier, which determines a probability that a cybersecurity breach has occurred.
In an embodiment, an apparatus is described. The apparatus comprises a memory and a processor coupled to the memory. The processor is configured to generate an embedding representative of an entity with an unknown cyber security status based on an identifier of the entity. The embedding is generated using an artificial intelligence (AI) model trained with a dataset comprising a set of identifiers that identify a corresponding set of other entities.
An AI adversary red team is configured to pentest email and/or network defenses implemented by a cyber threat defense system used to protect an organization and all its entities. AI model(s) are trained with machine learning on contextual knowledge of the organization and configured to identify data points from the contextual knowledge, including language-based data, email/network connectivity and behavior pattern data, and historic knowledgebase data. The trained AI models cooperate with an AI classifier in producing specific organization-based classifiers for the AI classifier. A phishing email generator generates automated phishing emails to pentest the defense systems, where the phishing email generator cooperates with the AI models to customize the automated phishing emails based on the identified data points of the organization and its entities. The customized phishing emails are then used to initiate one or more specific attacks on one or more specific users associated with the organization and its entities.
A cyber threat defense system and a method for detecting a cyber threat may use a predictor, e.g. a Transformer deep learning model, which is configured to predict a next item in the sequence of events and to detect one or more anomalies in the sequence of events. This provides a notification comprising (i) information about the one or more anomalies; and (ii) a prediction of what would have been expected.
A cyber security system is adapted to generate a cloud architecture assembled from a plurality of cloud resources within a customer cloud environment based on metadata associated with the plurality of cloud resources. The cyber security system features at least a plurality of components. The first component identifies the plurality of cloud resources and collects metadata associated with each of the plurality of cloud resources including a first cloud resource for storage within a storage subsystem. The second component determines how at least the first cloud resource of the plurality of cloud resources is behaving within the customer cloud environment based on analytics conducted on log data and network traffic data associated with the first cloud resource. The third component conducts analytics on information associated with the plurality of cloud resources in order to detect compliance or misconfiguration of the plurality of cloud resources forming the cloud architecture.
A cyber defense system using machine learning models trained on the classification of structured documents, such as emails, in order to identify a cyber threat risk of the incoming or outgoing structured document and to cause one or more autonomous actions to be taken in relation to the structured document based on a comparison of a category the structured document is classified with, a score associated with the classification and a threshold score. For incoming structured documents, the autonomous actions of the cyber defense system may act to contain a malign nature of identified incoming structured documents. For outgoing structured documents, the autonomous actions of the cyber defense system may act to prevent the structured document from being sent to an unintended recipient.
G06F 18/214 - Generating training patterns; Bootstrap methods, e.g. bagging or boosting
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
34.
Cyber Threat Defense System Protecting Email Networks with Machine Learning Models using a Range of Metadata from Observed Email Communications
A cyber-threat defense system for a network including its email domain protects this network from cyber threats. Modules utilize machine learning models as well as communicate with a cyber threat module. Modules analyze the wide range of metadata from the observed email communications. The cyber threat module analyzes with the machine learning models trained on a normal behavior of email activity and user activity associated with the network and in its email domain in order to determine when a deviation from the normal behavior of email activity and user activity is occurring. A mass email association detector determines a similarity between highly similar emails being i) sent from or ii) received by a collection of two or more individual users in the email domain in a substantially simultaneous time frame. Mathematical models can be used to determine similarity weighting in order to derive a similarity score between compared emails.
A traffic manager module of a cyber threat defense platform that can differentiate between data flows to a client device. A registration module can register a connection between devices within a client network to transmit a series of data packets. A classifier module can execute a comparison of features of the connection to a set of interest criteria to determine an interest level for the cyber threat defense platform in the connection. The classifier module can apply an interest classifier describing the interest level to the connection based on the comparison. A deep packet inspection engine can examine the data packets of the connection for cyber threats if the interest classifier indicates interest. A diverter can shunt the data packets of the connection away from the deep packet inspection engine if the interest classifier indicates no interest.
A multi-stage anomaly detector analyzes an anomalous process chain in real time and rapidly determines whether the process chain is indicative of a cyber threat on an endpoint computing device in a multi-host environment. The multi-stage anomaly detector is used in an analyzer module configured within a host endpoint agent on that device. The analyzer module generates an anomaly score to correlate a likelihood that the cyber threat detected is harmful to that device. The multi-stage anomaly detector includes multiple stages of anomaly detectors including a first stage, a second stage, and a third stage of the anomaly detectors. Each stage generates its own anomaly score to produce at least one rapidly determined anomaly score as well as one thoroughly determined anomaly score. Each anomaly score is generated from various computational processes and factors different from the computational processes and factors of the other stages of anomaly detectors.
A non-transitory computer readable medium including software that, upon execution by a processor, performs to generate cloud architecture(s) for representation of a customer cloud environment. The software performs operations, including (i) identifying a plurality of cloud resources within a customer cloud environment; (ii) collecting metadata associated with the plurality of cloud resources from a cloud provider of the customer cloud environment; and (iii) augmenting the metadata associated with the plurality of cloud resources based on (a) metadata associated with network traffic data being monitored by sensors deployed within the customer cloud environment, (b) metadata associated with user data, and (c) metadata associated with flow log data. The cloud architecture(s) are provided after augmenting of the metadata.
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
38.
CYBER SECURITY SYSTEM WITH ENHANCED CLOUD-BASED METRICS
A cyber security system is adapted to compute enhanced metrics including resource misconfiguration and risk levels associated with a plurality of cloud resources and one or more cloud architectures formed by the plurality of cloud resources within a customer cloud environment.
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
39.
USE OF GRAPH NEURAL NETWORKS TO CLASSIFY, GENERATE, AND ANALYZE SYNTHETIC CYBER SECURITY INCIDENTS
A cyber security appliance has a trained GNN model configured to analyze events occurring in ongoing cyber incidents, to cooperate with a scoring classifier, and to turn the analyzed events occurring in the ongoing cyber incidents into actionable information reported by a user interface to a user. The GNN model performs a graph-based meta-analysis of the events occurring in an ongoing cyber incident, and then produces an output, at least one of, 1) to make embeddings that are subsequently clustered and analyzed, 2) to be classified into a type of cyber incident and assigned a score indicative of how bad the ongoing cyber incident is, and 3) to be generative to make a predictive graph of a possible end result of the events occurring in the ongoing cyber incidents and what an end graph shape is going to look like based on how events evolved in historical cyber incidents.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
40.
ENDPOINT AGENT EXTENSION OF A MACHINE LEARNING CYBER DEFENSE SYSTEM FOR EMAIL
An endpoint agent extension of a cyber defense system for email that includes modules and machine learning models. An integration module integrates with an email client application to detect email cyber threats in emails in the email client application as well as regulate emails. An action module interfaces with the email client application to direct autonomous actions against an outbound email and/or its files when a cyber threat module determines the email and/or its files (a) to be a data exfiltration threat, (b) to be both malicious and anomalous behavior as compared to a user's modeled email behavior, and (c) any combination of these. The autonomous actions can include actions of logging a user off the email client application, preventing the sending of the email, stripping the attached files and/or disabling the link to the files from the email, and sending a notification to cyber security personnel regarding the email.
An apparatus to protect a network from a potential cyber threat associated with a new endpoint to that network is described. The apparatus comprises a memory to store a representation of an artificial intelligence (AI) model. The AI model is at least partly trained based on information aggregated from a first information source and a second information source. The first information source comprises information about a first factor that at least partly characterizes endpoints. The second information source comprises information about a second, different, factor that at least partly characterizes endpoints. The apparatus further comprises a processor. The processor is to receive information about the new endpoint to that network. The processor is further to determine, using the AI model, whether the information about the new endpoint indicates that a characteristic of the new endpoint overlaps with a profile of characteristics associated with endpoints known to be associated with a cyber threat. The processor is further to, in response to determining that the characteristic of the new endpoint overlaps with the profile of characteristics, instruct an action to be taken to protect the network from the cyber threat.
The network reachability module maps and dynamically tracks network reachability of network addresses and/or devices. The network reachability module can map and dynamically track network reachability of a response-orchestrator engine, via communicating and cooperating with the response-orchestrator engine. The network reachability module has a tracking module to 1) monitor network traffic and 2) keep a list of known devices and/or known subnets on the network, which is dynamically tracked and updated as previously unknown devices and subnets on the network are detected. A trigger module generates a spoofed transmission and/or response communication, supported by a network protocol used by the network. The spoofed transmission and/or response communication can be used to map network reachability of i) network devices, ii) network addresses, and iii) any combination of both, which either 1) can receive or 2) cannot receive protocol communications from a host for the network reachability module in the network.
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, comprising specially adapted graphical user interfaces [GUI]
The email system utilizes statistical analysis to assign an importance score to each user within an organization based on their email activity. The score is continuously updated to reflect changes in email flow and user status. The system identifies high-profile individuals who are likely to be targeted by external actors and assigns them a higher importance score. It also adjusts the scores based on several dampening factors related to the user's email behavior. The system uses these scores to determine VIP users and tailors its response to malicious emails accordingly. VIP-specific threat handling rules, which are less disruptive or intrusive, are applied when a malicious email targets a VIP user. The system intelligently derives user importance information, allowing it to identify a larger subset of important users within an organization. This approach minimizes disruption, tailors actions to key stakeholders, and does not require significant manual tuning.
A classifier detects anomalous activity and models a pattern of life of network entities through a series of machine learning models cooperating with multiple response and training instances, which are served by a scalable cloud platform that receives data associated with processes from multiple endpoint agents. The classifier spins up the multiple response instances to support the detection of anomalous activity through the series of machine learning models and the multiple training instances to support the creation and training of the series of machine learning models modeling the pattern of life of network entities. The classifier spins up the multiple response instances and the multiple training instances to automatically scale the number of response instances and training instances needed to respond to a current data load of the data associated with the processes coming from the endpoint agents connected to the network.
An autonomous report composer composes a type of report on cyber threats that is composed in a human-readable format with natural language prose, terminology, and level of detail on the cyber threats aimed at a target audience. The autonomous report composer cooperates with libraries with prewritten text templates with i) standard pre-written sentences written in the natural language prose and ii) prewritten text templates with fillable blanks that are populated with data for the cyber threats specific for a current report being composed, where a template for the type of report contains two or more sections in that template. Each section has different standard pre-written sentences written in the natural language prose.
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, comprising specially adapted graphical user interfaces [GUI]
H04L 43/045 - Processing captured monitoring data, e.g. for logfile generation, for graphical visualisation of monitoring data
H04L 51/212 - Monitoring or handling of messages using filtering or selective blocking
H04L 51/224 - Monitoring or handling of messages providing notification on incoming messages, e.g. pushed notifications of received messages
H04L 51/42 - Mailbox-related aspects, e.g. synchronisation of mailboxes
46.
AUTOMATED SANDBOX GENERATOR FOR A CYBER-ATTACK EXERCISE ON A MIMIC NETWORK IN A CLOUD ENVIRONMENT
An automated sandbox generator for a cyber-attack exercise on a mimic network in a cloud environment can include various components. The cloud deployment component deploys the mimic network in a sandbox environment in the cloud environment. The mimic network can be a clone of components from a network that exists in an organization's environment and/or predefined example components. The attack engine deploys a cyber threat to use an exploit for the wargaming cyber-attack exercise in the mimic network. The user interface displays, in real time, results of the wargaming cyber-attack exercise being conducted in the sandbox environment, to create a behavioral profile of how the cyber threat using the exploit would actually perform in that particular organization's environment, as well as to have human users interact with the cyber threat deployed by the attack engine during the cyber-attack on the mimic network, as it happens in real time, during the wargaming cyber-attack exercise.
A cyber security appliance has one or more modules to interact with entities in an operational technology network and potentially in an informational technology network. The operational technology module can reference various machine-learning models trained on a normal pattern of life of users, devices, and/or controllers of the operational technology network. A comparator module cooperates with the operational technology module to compare the received data on the operational technology network to the normal pattern of life of any of the users, devices, and controllers to detect anomalies in the normal pattern of life for these entities in order to detect a cyber threat. An autonomous response module can be programmed to respond to counter the detected cyber threat.
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, comprising specially adapted graphical user interfaces [GUI]
H04L 43/045 - Processing captured monitoring data, e.g. for logfile generation, for graphical visualisation of monitoring data
H04L 51/212 - Monitoring or handling of messages using filtering or selective blocking
H04L 51/224 - Monitoring or handling of messages providing notification on incoming messages, e.g. pushed notifications of received messages
H04L 51/42 - Mailbox-related aspects, e.g. synchronisation of mailboxes
48.
Incorporating software-as-a-service data into a cyber threat defense system
A cyber threat defense system can incorporate data from a Software-as-a-Service (SaaS) application hosted by a third-party operator platform to identify cyber threats related to that SaaS application. The cyber threat defense module can have a SaaS module to collect third-party event data from the third-party operator platform. The cyber threat defense system can have a comparison module to compare third-party event data for a network entity to at least one machine-learning model of a network entity using a normal behavior benchmark to spot behavior deviating from normal benign behavior. The comparison module can identify whether the network entity is in a breach state. The cyber threat defense system can have a cyber threat module to identify whether the breach state and a chain of relevant behavioral parameters correspond to a cyber threat. An autonomous response module can execute an autonomous response in response to the cyber threat.
G06N 20/10 - Machine learning using kernel methods, e.g. support vector machines [SVM]
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, comprising specially adapted graphical user interfaces [GUI]
H04L 43/045 - Processing captured monitoring data, e.g. for logfile generation, for graphical visualisation of monitoring data
H04L 51/212 - Monitoring or handling of messages using filtering or selective blocking
H04L 51/224 - Monitoring or handling of messages providing notification on incoming messages, e.g. pushed notifications of received messages
H04L 51/42 - Mailbox-related aspects, e.g. synchronisation of mailboxes
G06N 20/20 - Ensemble learning
An interactive cyber security user interface is provided. The interactive cyber security user interface comprises a large language model, LLM, module configured to receive a natural language input from a user; analyze the natural language input to determine contextual information from the natural language input; determine one or more components of a cyber security system to query based on the contextual information and the natural language input; and generate a query in a software code format accepted by the one or more components of the cyber security system based on an analysis of the natural language input, the contextual information, and the determined one or more components to be queried. The interactive cyber security user interface is configured to query the determined one or more components of the cyber security system using the generated query and receive a response to the query from the one or more components of the cyber security system.
G06F 21/50 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
G06F 16/901 - Indexing; Data structures therefor; Storage structures
G06F 21/50 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
G06F 21/55 - Detecting local intrusion or implementing counter-measures
A cyber security restoration engine prioritizes nodes in a graph of nodes in a computer network or system that are involved in a cyber attack for remediation actions. The cyber security restoration engine performs this prioritization by, for each node, determining one or more edges linking the node to other nodes in the graph, the edges representing interactions between two nodes; obtaining metadata indicative of a type of interaction between two nodes connected by the edge and the roles of the two nodes in that interaction; determining how severe the interaction represented by that edge is within the context of the cyber attack, based on the metadata of that edge; and determining a severity score for the node by combining the severity score for each of the one or more edges connected to the node. The cyber security restoration engine prioritizes nodes for remediation action based on the severity scores for the nodes.
G06F 16/901 - Indexing; Data structures therefor; Storage structures
G06F 21/50 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
G06F 21/55 - Detecting local intrusion or implementing counter-measures
An interactive cyber security user interface is provided. The interactive cyber security user interface comprises a large language model, LLM, module configured to receive a natural language input from a user; analyze the natural language input to determine contextual information from the natural language input; determine one or more components of a cyber security system to query based on the contextual information and the natural language input; and generate a query in a software code format accepted by the one or more components of the cyber security system based on an analysis of the natural language input, the contextual information, and the determined one or more components to be queried. The interactive cyber security user interface is configured to query the determined one or more components of the cyber security system using the generated query and receive a response to the query from the one or more components of the cyber security system.
Unifying of the network device entity and the user entity for better cyber security modeling along with ingesting firewall rules to determine pathways through a network
A device linking service can unify data streams from different sources of access into a network to get a composite picture of a behavior of an individual physical network device that has different device identifiers from the different sources of access into the network via cross-referencing information from the different sources of access into the network. The device linking service creates a unified network device identifier for the different device identifiers from the different sources of access into the network. The device linking service supplies the unified network device identifier and associated information with the different device identifiers from the different sources of access into the network to a prediction engine. The prediction engine runs a simulation of attack paths for the network that a cyber threat may take.
A cyber threat defense system can leverage identifying threats by spotting deviations from normal behavior to create a system-wide inoculation regimen. The cyber threat defense system can have a comparison module to execute a comparison of input data for a network entity to at least one machine-learning model of a generic network entity using a normal behavior benchmark to spot behavior deviating from normal benign behavior. The comparison module can identify whether the network entity is in a breach state. The cyber threat defense system can have a cyber threat module to identify whether the breach state and a chain of relevant behavioral parameters correspond to a cyber threat. The cyber threat defense system can have an inoculation module to send an inoculation notice to warn of a potential cyber threat to a target device.
G06F 21/36 - User authentication by graphic or iconic representation
H04L 43/045 - Processing captured monitoring data, e.g. for logfile generation, for graphical visualisation of monitoring data
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, comprising specially adapted graphical user interfaces [GUI]
G06F 40/40 - Processing or translation of natural language
H04L 51/42 - Mailbox-related aspects, e.g. synchronisation of mailboxes
H04L 51/212 - Monitoring or handling of messages using filtering or selective blocking
G06F 21/55 - Detecting local intrusion or implementing counter-measures
H04L 51/224 - Monitoring or handling of messages providing notification on incoming messages, e.g. pushed notifications of received messages
55.
MALICIOUS SITE DETECTION FOR A CYBER THREAT RESPONSE SYSTEM
The cyber security appliance can have at least the following components. A phishing site detector that has a segmentation module to break up an image of a page of a site under analysis into multiple segments and then analyze each segment of the image to determine visually whether a key text-like feature exists in that segment. A signature creator creates a digital signature for each segment containing a particular key text-like feature. The digital signature for that segment is indicative of a visual appearance of the particular key text-like feature. Trained AI models compare digital signatures from a set of key text-like features detected in the image of that page under analysis to digital signatures of a set of key text-like features from known bad phishing sites in order to output a likelihood of maliciousness of the unknown site under analysis.
G06F 21/36 - User authentication by graphic or iconic representation
H04L 43/045 - Processing captured monitoring data, e.g. for logfile generation, for graphical visualisation of monitoring data
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, comprising specially adapted graphical user interfaces [GUI]
G06F 40/40 - Processing or translation of natural language
H04L 51/42 - Mailbox-related aspects, e.g. synchronisation of mailboxes
H04L 51/212 - Monitoring or handling of messages using filtering or selective blocking
G06F 21/55 - Detecting local intrusion or implementing counter-measures
H04L 51/224 - Monitoring or handling of messages providing notification on incoming messages, e.g. pushed notifications of received messages
56.
ANALYSES AND AGGREGATION OF DOMAIN BEHAVIOR FOR EMAIL THREAT DETECTION BY A CYBER SECURITY SYSTEM
A cyber security appliance to protect a domain associated with an organization or user, and a global domain intelligence data store for centralized storage of analytic results, are described. The cyber security appliance features a communication module including one or more input/output (I/O) ports, an email module, and an autonomous response module. The email module comprises email report analytic logic to analyze content within an email authentication report, received via the one or more I/O ports, to detect an email suspected of being malicious when the email is directed to a computing device operating outside of the domain and a source address of the email falsely identifies the domain as part of the source email address. The autonomous response module is configured to cause a first set of autonomous actions to mitigate similar email dissemination over a network.
A cyber security restoration engine prioritizes nodes in a graph of nodes in a computer network or system that are involved in a cyber attack for remediation actions. The cyber security restoration engine performs this prioritization by, for each node, determining one or more edges linking the node to other nodes in the graph, the edges representing interactions between two nodes; obtaining metadata indicative of a type of interaction between two nodes connected by the edge and the roles of the two nodes in that interaction; determining how severe the interaction represented by that edge is within the context of the cyber attack, based on the metadata of that edge; and determining a severity score for the node by combining the severity score for each of the one or more edges connected to the node. The cyber security restoration engine prioritizes nodes for remediation action based on the severity scores for the nodes.
A classifier detects anomalous activity and models a pattern of life of network entities through a series of machine learning models cooperating with multiple response and training instances, which are served by a scalable cloud platform that receives data associated with processes from multiple endpoint agents. The classifier spins up the multiple response instances to support the detection of anomalous activity through the series of machine learning models and the multiple training instances to support the creation and training of the series of machine learning models modeling the pattern of life of network entities. The classifier spins up the multiple response instances and the multiple training instances to automatically scale the number of response instances and training instances needed to respond to a current data load of the data associated with the processes coming from the endpoint agents connected to the network.
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
A UNIFYING OF THE NETWORK DEVICE ENTITY AND THE USER ENTITY FOR BETTER CYBER SECURITY MODELING ALONG WITH INGESTING FIREWALL RULES TO DETERMINE PATHWAYS THROUGH A NETWORK
A device linking service can unify data streams from different sources of access into a network to get a composite picture of a behavior of an individual physical network device that has different device identifiers from the different sources of access into the network via cross-referencing information from the different sources of access into the network. The device linking service creates a unified network device identifier for the different device identifiers from the different sources of access into the network. The device linking service supplies the unified network device identifier and associated information with the different device identifiers from the different sources of access into the network to a prediction engine. The prediction engine runs a simulation of attack paths for the network that a cyber threat may take.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
An intelligent-adversary simulator can construct a graph of a virtualized instance of a network, including the devices connecting to the virtualized instance of the network as well as the connections and pathways through it. The simulator runs a simulated cyber-attack scenario on the virtualized instance of the network in order to identify, from a security standpoint, one or more critical devices connecting to it, and then puts this information into a generated report to help prioritize which devices should be addressed first. During a simulation, the intelligent-adversary simulator calculates the paths of least resistance that a cyber threat in the cyber-attack scenario would take to compromise a source device and then move through other components until reaching the end goal of the cyber-attack scenario in the virtualized network, all based on historic knowledge of the connectivity and behaviour patterns of users and devices within the actual network under analysis.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
G06F 16/953 - Querying, e.g. using web search engines
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
G06N 5/04 - Inference or reasoning models
The node exposure score generator and the attack path modeling component cooperate to analyze the actual detected vulnerabilities that exist for each network node, the importance of each network node compared to the other nodes in the network, and the key pathways and vulnerable network nodes that a cyber-attack would use, in order to provide an intelligent prioritization of remediation actions for the actual detected vulnerabilities on each network node of the network protected by a cyber security appliance.
H04L 41/0816 - Configuration setting characterised by the conditions triggering a change of settings, the condition being an adaptation, e.g. in response to network events
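The least-resistance path calculation of the intelligent-adversary simulator and the exposure-based prioritization of remediation in the two entries above can be made concrete in code. The following is an added example written for this page, not code from either patent: a small virtualised network is represented as a weighted graph, a hypothetical edge cost falls as historic connection frequency and the target's vulnerability score rise (the cost formula, the sample links and the vulnerability scores are all assumptions), Dijkstra's algorithm finds the cheapest path from an entry device to the attack goal, and devices that sit on many such paths are ranked first for remediation.

```python
"""Least-resistance attack paths over a graph of a virtualised network.

Added example; not the patent's own code. The resistance formula and
the sample network below are assumptions made for illustration.
"""
import heapq
from collections import defaultdict

# Constructed sample links: (source, destination, historic connections per day).
# Frequent historic connections give an attacker cover, so they lower
# the resistance of an edge.
OBSERVED_LINKS = [
    ("laptop-alice", "fileserver", 40),
    ("laptop-alice", "jump-host", 2),
    ("laptop-bob", "jump-host", 10),
    ("laptop-bob", "fileserver", 3),
    ("fileserver", "db-primary", 15),
    ("jump-host", "db-primary", 30),
    ("jump-host", "domain-controller", 5),
    ("fileserver", "domain-controller", 1),
    ("db-primary", "domain-controller", 3),
]

# Constructed per-device vulnerability scores in [0, 1]; higher means weaker.
VULNERABILITY = {
    "laptop-alice": 0.6, "laptop-bob": 0.6, "fileserver": 0.3,
    "jump-host": 0.8, "db-primary": 0.2, "domain-controller": 0.1,
}


def edge_resistance(connections_per_day, target_vulnerability):
    """Assumed cost model: rarely used links and well-patched targets cost more."""
    return 1.0 / (1.0 + connections_per_day) + (1.0 - target_vulnerability)


def build_graph(links, vulnerability):
    graph = defaultdict(list)
    for src, dst, count in links:
        graph[src].append((dst, edge_resistance(count, vulnerability.get(dst, 0.0))))
    return graph


def least_resistance_path(graph, source, goal):
    """Dijkstra's algorithm: the path from source to goal with minimum total
    resistance, returned as (path, cost); (None, inf) if goal is unreachable."""
    dist = {source: 0.0}
    prev = {}
    heap = [(0.0, source)]
    while heap:
        cost, node = heapq.heappop(heap)
        if node == goal:
            break
        if cost > dist.get(node, float("inf")):
            continue  # stale heap entry
        for nxt, weight in graph.get(node, []):
            new_cost = cost + weight
            if new_cost < dist.get(nxt, float("inf")):
                dist[nxt] = new_cost
                prev[nxt] = node
                heapq.heappush(heap, (new_cost, nxt))
    if goal not in dist:
        return None, float("inf")
    path = [goal]
    while path[-1] != source:
        path.append(prev[path[-1]])
    return path[::-1], dist[goal]


def critical_devices(graph, sources, goal):
    """Rank intermediate devices by how many least-resistance paths from the
    given entry points to the goal pass through them (remediation priority)."""
    hits = defaultdict(int)
    for src in sources:
        path, _ = least_resistance_path(graph, src, goal)
        if path:
            for node in path[1:-1]:
                hits[node] += 1
    return sorted(hits.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    g = build_graph(OBSERVED_LINKS, VULNERABILITY)
    print(least_resistance_path(g, "laptop-alice", "domain-controller"))
    print(critical_devices(g, ["laptop-alice", "laptop-bob", "fileserver"], "domain-controller"))
```

With the sample data both laptops reach the domain controller most cheaply through the weakly patched jump host, so it tops the remediation list even though the file server is used far more often; a real deployment would derive the edge costs from the appliance's own pattern-of-life data rather than the hard-coded counts here.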
An autonomous email-report composer composes a type of report on cyber threats in a human-readable format, with natural language prose, terminology and a level of detail on the cyber threats aimed at a target audience. The composer cooperates with libraries of prewritten text templates containing i) standard pre-written sentences in natural language prose and ii) prewritten text templates with fillable blanks that are populated with data on the cyber threats specific to the report currently being composed, where the template for a type of report contains two or more sections, each section having its own standard pre-written sentences in natural language prose.
An open-source intelligence (OSINT) monitoring engine operating as an AI-driven system for monitoring incoming content received from an OSINT source to detect emerging cyber threats is described. The OSINT monitoring engine features a source evaluation module, a content processing engine, and a content classification engine. The source evaluation module determines a confidence level associated with the source of the incoming content and refrains from providing textual information associated with the incoming content unless the confidence level associated with the source meets or exceeds a prescribed threshold. The content processing engine identifies salient information in the textual information for use in identifying an emerging cyber threat. The content classification engine classifies the salient information to identify characteristics associated with the emerging cyber threat for subsequent adjustment of security controls and/or network resources to mitigate the risks associated with that threat.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
A cyber security restoration engine takes one or more autonomous remediation actions to return one or more nodes in a graph of the protected system to a trusted operational state, in order to assist recovery from a cyber threat. The restoration engine has a tracking component that tracks the operational state of each node in the graph of the protected system. A communication module cooperates with the restoration engine to communicate with at least one of an external backup system and a recovery service to invoke backup remediation actions and/or recovery remediation actions that return one or more nodes potentially compromised by the cyber threat to a trusted operational state, for example the state before the detected compromise occurred in the protected system.
The email campaign detector checks whether clustered emails with similar characteristics are part of a targeted campaign of malicious emails. An email similarity classifier analyzes a group of emails in order to cluster those with similar characteristics. A targeted campaign classifier analyzes the clustered emails to i) check whether they are a) coming from the same threat actor, b) going to the same intended target, or c) both, and ii) verify whether the clustered emails are deemed malicious. The email campaign detector uses this information from the email similarity classifier and the targeted campaign classifier to provide an early warning that a targeted campaign of malicious emails is underway. The email campaign detector cooperates with one or more machine learning models to identify emails that are deemed malicious.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
66.
INTERACTIVE ARTIFICIAL INTELLIGENCE-BASED RESPONSE LOOP TO A CYBERATTACK
An intelligent orchestration component can facilitate an AI-augmented and adaptive interactive response loop between multiple AI-based engines. A cyber threat detection engine uses AI to detect a cyber threat. An autonomous response engine uses AI to mitigate the detected cyber threat. A cyber-security restoration engine uses AI to remediate nodes in the system to a trusted operational state. The prediction engine uses AI to conduct simulations of cyberattacks to assist in determining how a simulated cyberattack might occur in the system, and how to use the simulated cyberattack information to preempt possible escalations of an ongoing actual cyberattack. The multiple AI-based engines bilaterally exchange behavioral metrics to work together to provide an overall cyber threat response during the ongoing cyberattack in light of continuing attack activities and simulations of the cyberattack to predict what might occur in the nodes based on the mitigation actions taken and/or the restoration actions taken.
An intelligent orchestration component can facilitate an AI-augmented and adaptive interactive response loop between multiple AI-based engines. A cyber threat detection engine uses AI to detect a cyber threat. An autonomous response engine uses AI to mitigate the detected cyber threat. A cyber-security restoration engine uses AI to remediate nodes in the system to a trusted operational state. The prediction engine uses AI to conduct simulations of cyberattacks to assist in determining how a simulated cyberattack might occur in the system, and how to use the simulated cyberattack information to preempt possible escalations of an ongoing actual cyberattack. The multiple AI-based engines bilaterally exchange behavioral metrics to work together to provide an overall cyber threat response during the ongoing cyberattack in light of continuing attack activities and simulations of the cyberattack to predict what might occur in the nodes based on the mitigation actions taken and/or the restoration actions taken.
G06F 21/42 - User authentication using separate channels for security data
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
The cyber security appliance can include many AI models and modules working together, including self-learning models that use unsupervised machine learning algorithms to model different entities in the telecommunications network by modelling their normal behavior, and an assessment module. The assessment module can cooperate with the self-learning models that model the normal behavior of the communications and activities in the control plane and/or management plane of the telecommunications network in order to assess deviations from the control plane's/management plane's normal behavior and protect the telecommunications network from a cyber threat. The self-learning models can also use unsupervised machine learning algorithms to model the normal behavior of the communications and activities in the control plane and/or management plane in order to self-learn the operation of the telecommunications network over time, and to adjust and assist in determining what is normal and what is abnormal.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
69.
Educational Tool for Business and Enterprise Risk Management
An automated training apparatus can include an importance node module that computes graphs and uses them to compute an importance of a node based on factors that include the hierarchy and job title of the user in the organization, the user's aggregated account privileges from different network domains, and the user's level of shared resource access. The graphs are supplied to an attack path modeling component to understand the importance of the network nodes and determine the key pathways and vulnerable network nodes that a cyber-attack would use, and to a grouping module that analyzes the importance of the network nodes, the key pathways and the vulnerable network nodes, and classifies the nodes by security risk and vulnerability to provide reports covering areas of vulnerability and known weaknesses of the network.
G06Q 10/06 - Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
70.
Capturing Importance In A Network Using Graph Theory
A cyber security system includes an importance node module that computes graphs and uses them to compute an importance of a node based on factors including the hierarchy and job title of the user, aggregated account privileges from network domains, and the user's level of shared resource access. The graphs are supplied to an attack path modeling component to understand the importance of the network nodes and determine the key pathways within the network that a cyber-attack would use, by modeling the cyber-attack on a simulated, virtual-device version of the network. The cyber security system provides intelligent prioritization of remediation actions through a remediation suggester module, which analyzes the results of modeling the cyber-attack for each node and suggests how to prioritize remediation actions on a network node, either in a report or as an autonomous remediation action.
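The importance node module described in this entry and in the educational-tool entry above combines organisational factors with graph structure. The block below is an added example written for this page, not code from the patents: each user's raw importance is scored from hierarchy depth, job title, privileges aggregated across domains and breadth of shared-resource access (the records and all weights are assumptions), that score is propagated over a graph whose edges join users who can reach a common share using a personalised PageRank iteration (an assumed choice of graph-theory method), and the result is multiplied by a hypothetical per-node exposure score to order and group remediation.

```python
"""Node importance from organisational factors, propagated over a
shared-resource graph, then used to prioritise remediation.

Added example; not the patent's own code. The records, weights and the
PageRank-style propagation are assumptions made for illustration.
"""

# Constructed user records: depth in the org chart (0 = top), job title,
# privileges held in each network domain, and shared resources accessible.
USERS = {
    "ceo": {"level": 0, "title": "chief executive",
            "privs": {"corp": ["user"]}, "shares": ["board-docs"]},
    "it-admin": {"level": 3, "title": "systems administrator",
                 "privs": {"corp": ["domain-admin"], "cloud": ["owner"]},
                 "shares": ["board-docs", "eng-repo", "hr-files"]},
    "dev": {"level": 4, "title": "developer",
            "privs": {"corp": ["user"], "cloud": ["contributor"]}, "shares": ["eng-repo"]},
    "hr": {"level": 3, "title": "hr partner",
           "privs": {"corp": ["user"]}, "shares": ["hr-files"]},
}

# Assumed weights.
TITLE_WEIGHT = {"chief executive": 1.0, "systems administrator": 0.8,
                "developer": 0.4, "hr partner": 0.5}
PRIV_WEIGHT = {"domain-admin": 1.0, "owner": 0.9, "contributor": 0.4, "user": 0.1}


def base_importance(user):
    """Combine hierarchy, title, aggregated cross-domain privileges and
    breadth of shared-resource access into one raw importance value."""
    hierarchy = 1.0 / (1 + user["level"])
    title = TITLE_WEIGHT.get(user["title"], 0.2)
    privileges = sum(PRIV_WEIGHT.get(p, 0.1) for ps in user["privs"].values() for p in ps)
    return hierarchy + title + privileges + 0.25 * len(user["shares"])


def shared_resource_graph(users):
    """Undirected graph: an edge joins two users who can reach a common share,
    i.e. a foothold on one gives a path toward the other."""
    graph = {u: set() for u in users}
    names = list(users)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if set(users[a]["shares"]) & set(users[b]["shares"]):
                graph[a].add(b)
                graph[b].add(a)
    return graph


def propagate_importance(users, graph, damping=0.85, rounds=100):
    """Personalised PageRank: importance flows along shared-resource edges,
    so a node reachable from important nodes becomes important itself."""
    base = {u: base_importance(users[u]) for u in users}
    total = sum(base.values())
    score = {u: base[u] / total for u in users}
    for _ in range(rounds):
        score = {
            u: (1 - damping) * base[u] / total
               + damping * sum(score[n] / len(graph[n]) for n in graph[u])
            for u in users
        }
    return score


def remediation_priority(users, exposure):
    """Importance times exposure (e.g. a node exposure score from detected
    vulnerabilities), highest first, with a coarse risk grouping."""
    score = propagate_importance(users, shared_resource_graph(users))

    def priority(u):
        return score[u] * exposure.get(u, 0.0)

    def group(p):
        return "critical" if p > 0.2 else "high" if p > 0.1 else "monitor"

    ranked = sorted(users, key=priority, reverse=True)
    return [(u, round(priority(u), 3), group(priority(u))) for u in ranked]


if __name__ == "__main__":
    # Constructed exposure scores from detected vulnerabilities, 0..1.
    print(remediation_priority(USERS, {"ceo": 0.2, "it-admin": 0.5, "dev": 0.9, "hr": 0.3}))
```

Note what the propagation adds over the raw factors: the developer has a low raw score, but because the only path to the exposed developer workstation runs through the highly privileged administrator who shares the engineering repository, the developer still outranks HR and the CEO once exposure is taken into account.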
The network reachability module maps and dynamically tracks network reachability of network addresses and/or devices. The network reachability module can map and dynamically track network reachability of a response-orchestrator engine, via communicating and cooperating with the response-orchestrator engine. The network reachability module has a tracking module to 1) monitor network traffic and 2) keep a list of known devices and/or known subnets on the network, which is dynamically tracked and updated as previously unknown devices and subnets on the network are detected. A trigger module generates a spoofed transmission and/or response communication, supported by a network protocol used by the network. The spoofed transmission and/or response communication can be used to map network reachability of i) network devices, ii) network addresses, and iii) any combination of both, which either 1) can receive or 2) cannot receive protocol communications from a host for the network reachability module in the network.
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, comprising specially adapted graphical user interfaces [GUI]
Aspects of the invention relate to a cyber security system that may enable an end user to communicate with a cyber security appliance to identify cyber threats across the client system. The system can include one or more host devices each having a user interface and an endpoint agent for facilitating bi-directional communication between the user and a cyber security appliance. The endpoint agent may include a communication facilitation module including a user interaction module configured to communicate with the user interface and a helper module configured to communicate with the cyber security appliance. The endpoint agent is configured to enable the bi-directional communication between the user interface and the cyber security appliance on receiving a query associated with identified unusual behavior.
The endpoint agent detects a cyber threat on an end-point computing device. The endpoint agent on the computing device has a communications module that communicates with a cyber defense appliance. A collections module monitors and collects pattern-of-life data on processes executing on the end-point computing device and on users of the end-point computing device. The communications module sends the pattern-of-life data to the cyber defense appliance installed on a network. The cyber defense appliance contains at least one or more machine-learning models to analyze the pattern-of-life data for each endpoint agent connected to that cyber defense appliance. The endpoint agent and the cyber defense appliance may trigger one or more actions to be taken autonomously to contain a detected cyber threat when a cyber-threat risk score, indicative of the likelihood of a cyber threat, is equal to or above an actionable threshold.
G06F 21/36 - User authentication by graphic or iconic representation
H04L 43/045 - Processing captured monitoring data, e.g. for logfile generation, for graphical visualisation of monitoring data
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, comprising specially adapted graphical user interfaces [GUI]
G06K 9/62 - Methods or arrangements for recognition using electronic means
G06F 40/40 - Processing or translation of natural language
H04L 51/42 - Mailbox-related aspects, e.g. synchronisation of mailboxes
H04L 51/212 - Monitoring or handling of messages using filtering or selective blocking
H04L 51/224 - Monitoring or handling of messages providing notification on incoming messages, e.g. pushed notifications of received messages
G06F 21/55 - Detecting local intrusion or implementing counter-measures
74.
Cyber security using one or more models trained on a normal behavior
Disclosed herein is a method for detection of a cyber-threat to a computer system. The method is arranged to be performed by a processing apparatus. The method comprises receiving input data associated with a first entity associated with the computer system, deriving metrics from the input data, the metrics representative of characteristics of the received input data, analysing the metrics using one or more models, and determining, in accordance with the analysed metrics and a model of normal behavior of the first entity, a cyber-threat risk parameter indicative of a likelihood of a cyber-threat. A computer readable medium, a computer program and a threat detection system are also disclosed.
H04L 29/06 - Communication control; Communication processing characterised by a protocol
G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
H04L 41/069 - Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
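The pipeline in the entry above (input data, derived metrics, a model of normal behavior, a risk parameter) and the actionable threshold that the endpoint-agent entry earlier on this page uses to trigger containment can be shown end to end. The block below is an added example written for this page, not code from either patent: raw connection events for a host are reduced to three metrics, a per-metric mean and standard deviation over a constructed history window serve as the model of normal behavior, the largest upward deviation in standard deviations is mapped through a logistic curve to a 0..1 risk parameter, and that value is compared with an assumed actionable threshold of 0.8. The telemetry, the metrics chosen, the z-score model and the logistic mapping are all assumptions.

```python
"""Pattern-of-life model, derived metrics and a cyber-threat risk parameter.

Added example; not the patent's own code. The telemetry, the z-score model,
the logistic risk mapping and the 0.8 actionable threshold are assumptions.
"""
import math

ACTIONABLE_THRESHOLD = 0.8  # assumed

# Constructed daily metric observations for one host over 14 days, used as
# the entity's model of normal behaviour (deterministic, mild variation).
HISTORY = [
    {"bytes_out": 1.2e8 + 5e6 * (d % 3),
     "distinct_dests": 40 + (d % 4),
     "off_hours_events": 2 + (d % 2)}
    for d in range(14)
]

# Constructed raw connection events for the day under analysis:
# (hour_of_day, destination, bytes). The second list models a 02:00 burst
# to 60 previously unseen hosts.
TODAY_EVENTS = [(9, "10.0.0.5", 4e7), (10, "10.0.0.6", 3e7), (11, "10.0.0.5", 5e7)] + [
    (2, f"203.0.113.{i}", 6e6) for i in range(60)
]
# A constructed ordinary day for comparison.
NORMAL_EVENTS = [(9 + i % 9, f"10.0.0.{i}", 3e6) for i in range(41)] + [
    (22, "10.0.0.1", 1e6), (23, "10.0.0.2", 1e6)
]


def derive_metrics(events, work_hours=range(8, 19)):
    """Turn raw events into the metrics the model is built on."""
    return {
        "bytes_out": sum(b for _, _, b in events),
        "distinct_dests": len({d for _, d, _ in events}),
        "off_hours_events": sum(1 for h, _, _ in events if h not in work_hours),
    }


def fit_normal_model(history):
    """Per-metric mean and standard deviation over the history window."""
    model = {}
    for key in history[0]:
        values = [h[key] for h in history]
        mean = sum(values) / len(values)
        std = math.sqrt(sum((v - mean) ** 2 for v in values) / len(values))
        model[key] = (mean, std if std > 0 else 1.0)  # guard constant metrics
    return model


def risk_parameter(metrics, model):
    """Largest upward deviation in standard deviations, mapped through a
    logistic centred at 3 sigma: about 0.5 at 3 sigma, about 0.88 at 5 sigma."""
    z = {k: (metrics[k] - mean) / std for k, (mean, std) in model.items()}
    worst = max(z.values())
    return round(1.0 / (1.0 + math.exp(-(worst - 3.0))), 3), z


def assess(events, model, threshold=ACTIONABLE_THRESHOLD):
    """Return the action to take and the risk value behind it."""
    risk, _ = risk_parameter(derive_metrics(events), model)
    return ("contain" if risk >= threshold else "monitor"), risk


if __name__ == "__main__":
    m = fit_normal_model(HISTORY)
    print(assess(NORMAL_EVENTS, m))
    print(assess(TODAY_EVENTS, m))
```

Two practical points the example makes visible: a constant metric in the history gives a zero standard deviation, which must be guarded before dividing, and taking the maximum deviation rather than a sum means a single wildly abnormal metric (here the off-hours burst) is enough to cross the threshold even when the other metrics look ordinary.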
75.
Cyber threat defense system protecting email networks with machine learning models using a range of metadata from observed email communications
A cyber-threat defense system for a network, including its email domain, protects this network from cyber threats. Modules utilize machine learning models as well as communicate with a cyber threat module, and analyze a wide range of metadata from the observed email communications. The cyber threat module analyzes, with machine learning models trained on the normal behavior of email activity and user activity associated with the network and its email domain, when a deviation from that normal behavior is occurring. A mass email association detector determines a similarity between highly similar emails that are i) sent from or ii) received by a collection of two or more individual users in the email domain within a substantially simultaneous time frame. Mathematical models can be used to determine similarity weighting in order to derive a similarity score between compared emails.
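The weighted similarity score and near-simultaneous grouping in this entry, and the clustering plus same-actor/same-target check of the email campaign detector entry earlier on this page, can be demonstrated on a handful of constructed messages. The block below is an added example written for this page, not code from either patent: it scores every pair of emails on subject word overlap, sender domain, link hosts and time proximity (the feature weights, the 0.7 clustering threshold and the 300-second window are assumptions), joins pairs above the threshold into clusters with union-find, and then reports whether each cluster comes from a single sender domain and targets a single recipient domain.

```python
"""Cluster emails by weighted similarity, then test each cluster for
targeted-campaign traits.

Added example; not the patent's own code. The email records, the feature
weights, the 0.7 clustering threshold and the 300 s window are assumptions.
"""
import re
from collections import defaultdict

# Constructed email metadata (example.* domains only).
EMAILS = [
    {"id": 1, "sender": "billing@invoice-portal.example", "recipient": "alice@corp.example",
     "subject": "Overdue invoice 4471 - action required",
     "links": ["http://invoice-portal.example/login"], "ts": 1000},
    {"id": 2, "sender": "billing@invoice-portal.example", "recipient": "bob@corp.example",
     "subject": "Overdue invoice 4472 - action required",
     "links": ["http://invoice-portal.example/login"], "ts": 1030},
    {"id": 3, "sender": "accounts@invoice-portal.example", "recipient": "carol@corp.example",
     "subject": "Overdue invoice 4473 action required",
     "links": ["http://invoice-portal.example/login?u=3"], "ts": 1090},
    {"id": 4, "sender": "newsletter@vendor.example", "recipient": "alice@corp.example",
     "subject": "Monthly product update", "links": ["http://vendor.example/news"], "ts": 1100},
    {"id": 5, "sender": "dave@partner.example", "recipient": "bob@corp.example",
     "subject": "Re: lunch on Thursday?", "links": [], "ts": 1200},
]

WEIGHTS = {"subject": 0.4, "sender_domain": 0.25, "link_host": 0.25, "time": 0.1}
TIME_WINDOW = 300  # seconds; emails this close count as substantially simultaneous


def tokens(text):
    return {t for t in re.findall(r"[a-z]+", text.lower()) if len(t) > 2}


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0


def domain(address):
    return address.split("@")[-1].lower()


def link_hosts(links):
    return {re.sub(r"^https?://", "", u).split("/")[0].lower() for u in links}


def similarity(e1, e2):
    """Weighted similarity over subject words, sender domain, link hosts and timing."""
    score = WEIGHTS["subject"] * jaccard(tokens(e1["subject"]), tokens(e2["subject"]))
    score += WEIGHTS["sender_domain"] * (domain(e1["sender"]) == domain(e2["sender"]))
    score += WEIGHTS["link_host"] * jaccard(link_hosts(e1["links"]), link_hosts(e2["links"]))
    score += WEIGHTS["time"] * (abs(e1["ts"] - e2["ts"]) <= TIME_WINDOW)
    return round(score, 3)


def cluster(emails, threshold=0.7):
    """Single-linkage clustering: union-find over every pair at or above threshold."""
    parent = {e["id"]: e["id"] for e in emails}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for i, a in enumerate(emails):
        for b in emails[i + 1:]:
            if similarity(a, b) >= threshold:
                parent[find(a["id"])] = find(b["id"])
    groups = defaultdict(list)
    for e in emails:
        groups[find(e["id"])].append(e)
    return [g for g in groups.values() if len(g) > 1]


def campaign_traits(group):
    """Is the cluster from one actor, aimed at one target organisation, or both?"""
    senders = {domain(e["sender"]) for e in group}
    targets = {domain(e["recipient"]) for e in group}
    return {"same_threat_actor": len(senders) == 1,
            "same_target": len(targets) == 1, "size": len(group)}


if __name__ == "__main__":
    for g in cluster(EMAILS):
        print([e["id"] for e in g], campaign_traits(g))
```

The invoice numbers differ in every subject line and the third message uses a different local part and a slightly different link, which is exactly the per-recipient variation a campaign uses to dodge exact-match rules; tokenising to words and comparing link hosts rather than full URLs keeps the three messages in one cluster while the newsletter and the lunch invitation, which only share the time window, stay out.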
An apparatus may include a set of modules and artificial intelligence models to detect a cyber incident, a simulator to simulate an actual cyber attack of the cyber incident on a network including physical devices being protected by the set of modules and artificial intelligence models; and a feedback loop between i) the set of modules and artificial intelligence models and ii) the simulator, during an ongoing detected cyber incident. An attack path modeling module is configured to feed details of the detected incident by a cyber threat module into an input module of the simulator, and to run one or more hypothetical simulations of that detected incident in order to predict and control an autonomous response to the detected incident. Any software instructions forming part of the set of modules, the artificial intelligence models, and the simulator are stored in an executable form in memories and executed by processors.
A virtual computing environment cloning method is used to allow rapid repeatable testing of unsupervised machine learning (ML) architectures and algorithms. A virtual reference environment contains a set of virtual devices, user accounts and IP traffic as well as scripted activity and a cyber security appliance including unsupervised ML trained on the scripted activity. A clone creator makes a replica of the environment. Clones can be taken from the reference at any time and more than one can exist simultaneously. Testing that takes place within a clone environment has no effect on the reference environment, including having no effect on the unsupervised ML architectures and algorithms. Clones can be interacted with, and outcomes from testing a clone can be recorded. Clones can be discarded after tests are completed and tests are independent and repeatable.
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure, by executing in a restricted environment, e.g. sandbox or secure virtual machine
78.
METHOD FOR CYBER THREAT RISK ANALYSIS AND MITIGATION IN DEVELOPMENT ENVIRONMENTS
A method is provided for a cyber security appliance that incorporates data from a source code repository, hosted by a software development environment, to identify cyber threats related to source code stored and developed in that repository. The method comprises: receiving, at one or more modules of the cyber security appliance, data indicating a network entity's interaction with the source code repository; and comparing the data received from the one or more modules to one or more machine learning models trained on normal benign behavior when interacting with the source code repository, using a normal behavior benchmark describing parameters corresponding to normal interaction behavior. The method further comprises identifying whether the data indicating the network entity's interaction with the source code repository corresponds to behavior that deviates from the normal benign behavior; identifying whether a threshold level of deviation from the normal benign behavior has been exceeded; and, if so, determining that a cyber threat may be present and executing an autonomous response to restrict the network entity's interaction with the source code repository.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
G06F 11/36 - Preventing errors by analysing, debugging or testing of software
79.
METHOD FOR DETERMINING LIKELY MALICIOUS BEHAVIOR BASED ON ABNORMAL BEHAVIOR PATTERN COMPARISON
A method for a cyber threat defense system is provided. The method comprises receiving a first abnormal behavior pattern, which represents behavior on a first network deviating from the normal benign behavior of that network, and receiving a second abnormal behavior pattern, which represents behavior on either the first network or a second network deviating from the normal benign behavior of that network. The method further comprises comparing the first and second abnormal behavior patterns to determine a similarity score between them and determining, based on the comparison, that the first abnormal behavior pattern likely corresponds to malicious behavior when the similarity score is above a threshold. A corresponding non-transitory computer readable medium is also provided.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
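The abstract above leaves open how two abnormal behavior patterns are compared. The block below is an added example written for this page, not code from the patent: a pattern is taken to be an ordered list of model breaches with their deviation in standard deviations (a representation assumed here), the similarity score blends an order-insensitive cosine similarity over deviation-weighted breach types with an order-sensitive longest-common-subsequence ratio, and a candidate pattern from the first network is declared likely malicious when its score against a pattern previously confirmed malicious on another network meets an assumed 0.75 threshold. The patterns, the 0.6/0.4 blend and the threshold are assumptions.

```python
"""Similarity between two abnormal behaviour patterns, with a threshold
decision on whether the new pattern is likely malicious.

Added example; not the patent's own code. The patterns, the cosine/LCS
blend and the 0.75 threshold are assumptions made for illustration.
"""
import math

# Constructed patterns: ordered (model breach, deviation in sigma) tuples.
# KNOWN_MALICIOUS was confirmed on another network; CANDIDATE and BENIGN
# are new patterns from the first network.
CANDIDATE = [("new-admin-login", 4.2), ("smb-write-spike", 6.1),
             ("beaconing", 3.0), ("dns-tunnel", 5.5)]
KNOWN_MALICIOUS = [("new-admin-login", 3.8), ("beaconing", 4.0), ("smb-write-spike", 5.0),
                   ("dns-tunnel", 6.0), ("mass-encrypt", 7.0)]
BENIGN = [("backup-window", 3.1), ("smb-write-spike", 4.0)]


def to_vector(pattern):
    """Bag of breaches weighted by deviation (order-insensitive view)."""
    vector = {}
    for breach, sigma in pattern:
        vector[breach] = vector.get(breach, 0.0) + sigma
    return vector


def cosine(v1, v2):
    dot = sum(v1[k] * v2[k] for k in v1 if k in v2)
    n1 = math.sqrt(sum(x * x for x in v1.values()))
    n2 = math.sqrt(sum(x * x for x in v2.values()))
    return dot / (n1 * n2) if n1 and n2 else 0.0


def lcs_ratio(seq1, seq2):
    """Order-sensitive view: longest common subsequence of breach types,
    as a fraction of the shorter sequence."""
    m, n = len(seq1), len(seq2)
    table = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m):
        for j in range(n):
            if seq1[i] == seq2[j]:
                table[i + 1][j + 1] = table[i][j] + 1
            else:
                table[i + 1][j + 1] = max(table[i][j + 1], table[i + 1][j])
    return table[m][n] / min(m, n) if m and n else 0.0


def similarity_score(p1, p2, w_content=0.6, w_order=0.4):
    """Blend of what happened (cosine) and in what order (LCS)."""
    content = cosine(to_vector(p1), to_vector(p2))
    order = lcs_ratio([b for b, _ in p1], [b for b, _ in p2])
    return round(w_content * content + w_order * order, 3)


def likely_malicious(candidate, known_malicious, threshold=0.75):
    return similarity_score(candidate, known_malicious) >= threshold


if __name__ == "__main__":
    print(similarity_score(CANDIDATE, KNOWN_MALICIOUS), likely_malicious(CANDIDATE, KNOWN_MALICIOUS))
    print(similarity_score(BENIGN, KNOWN_MALICIOUS), likely_malicious(BENIGN, KNOWN_MALICIOUS))
```

The candidate was cut off before the final encryption stage and has two steps in swapped order, yet it still scores above the threshold because most of the chain matches; the benign backup-window pattern shares one breach type and scores well below it. Comparing the whole chain rather than single breaches is what lets a pattern seen on one network flag an earlier stage of the same intrusion on another.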
80.
A METHOD AND SYSTEM FOR DETERMINING AND ACTING ON AN EMAIL CYBER THREAT CAMPAIGN
A cyber security appliance (CSA) configurable to protect a computer system from email cyber threat campaigns is disclosed. The CSA may comprise: an email module configured to process all incoming emails and log their data and metadata; a cyber threat module configured to assess the severity level of a cyber threat using one or more Artificial Intelligence (AI) models; an AI classifier configured to determine the likelihood of an email cyber threat campaign; an autonomous response module configured to act against emails determined to be threats; and a user interface module configured to generate a report, present data on a display, and show a graphical display of the system indicating the details of a cyber threat campaign.
An apparatus may include a set of modules and artificial intelligence models to detect a cyber incident, a simulator to simulate an actual cyber attack of the cyber incident on a network including physical devices being protected by the set of modules and artificial intelligence models; and a feedback loop between i) the set of modules and artificial intelligence models and ii) the simulator, during an ongoing detected cyber incident. An attack path modeling module is configured to feed details of the detected incident by a cyber threat module into an input module of the simulator, and to run one or more hypothetical simulations of that detected incident in order to predict and control an autonomous response to the detected incident. Any software instructions forming part of the set of modules, the artificial intelligence models, and the simulator are stored in an executable form in memories and executed by processors.
An analyzer module forms hypotheses on the possible set of cyber threats that could include the identified abnormal behavior and/or suspicious activity, using AI models trained with machine learning on possible cyber threats. The analyzer module analyzes a collection of system data, including metric data, with the AI models to support or refute each possible cyber threat hypothesis that could include the identified abnormal behavior and/or suspicious activity. A formatting and ranking module outputs the supported cyber threat hypotheses in a formalized report that is presented 1) as a printable report, 2) digitally on a user interface, or 3) both.
G06F 21/36 - User authentication by graphic or iconic representation
H04L 43/045 - Processing captured monitoring data, e.g. for logfile generation, for graphical visualisation of monitoring data
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, comprising specially adapted graphical user interfaces [GUI]
G06K 9/62 - Methods or arrangements for recognition using electronic means
G06F 40/40 - Processing or translation of natural language
H04L 51/42 - Mailbox-related aspects, e.g. synchronisation of mailboxes
H04L 51/212 - Monitoring or handling of messages using filtering or selective blocking
H04L 51/224 - Monitoring or handling of messages providing notification on incoming messages, e.g. pushed notifications of received messages
83.
Secure communication platform for a cybersecurity system
An expert interface component can automatically connect a system user with a system support expert. A user interface module can present a threat-tracking graphical user interface and a query interface component integrated into the threat-tracking graphical user interface to a system user belonging to a client team to review a potential cyber threat and receive a query for assistance. The query interface component can allow the system user to digitally grab a visual data container displaying information and containing a data object. The query interface component can collect the visual data container from the threat-tracking graphical user interface into a collection window of the query interface component. A communication module provides an incident ticket containing the query and the visual data container to a system support expert at a remote platform.
G06F 21/36 - User authentication by graphic or iconic representation
H04L 43/045 - Processing captured monitoring data, e.g. for logfile generation, for graphical visualisation of monitoring data
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, comprising specially adapted graphical user interfaces [GUI]
G06F 40/40 - Processing or translation of natural language
H04L 51/42 - Mailbox-related aspects, e.g. synchronisation of mailboxes
H04L 51/212 - Monitoring or handling of messages using filtering or selective blocking
G06F 21/55 - Detecting local intrusion or implementing counter-measures
H04L 51/224 - Monitoring or handling of messages providing notification on incoming messages, e.g. pushed notifications of received messages
G06N 20/20 - Ensemble learning
84.
AN AI CYBERSECURITY SYSTEM MONITORING WIRELESS DATA TRANSMISSIONS
A coordinator module, a cyber threat analyst module, and Al models trained to model a normal pattern of life for entities in a wireless domain and a normal pattern of life for entities in a second domain cooperate with a combination of wireless sensors with RF protocol adapters to monitor and analyze wireless activity and probes to monitor activity in the second domain in order to analyze an anomaly of interest in a wider view of another domain's activity. These modules and models understand and assess the wireless activity and the activity from the second domain in light of the Al models modelling the pattern of life for entities in a wireless domain and/or a in the second domain in order to detect a cyber threat indicated by at least by the anomaly of interest. A formatting model generates an alert and/or a report.
H04L 41/16 - Dispositions pour la maintenance, l’administration ou la gestion des réseaux de commutation de données, p. ex. des réseaux de commutation de paquets en utilisant l'apprentissage automatique ou l'intelligence artificielle
A coordinator module, a cyber threat analyst module, and AI models trained to model a normal pattern of life for entities in a wireless domain and a normal pattern of life for entities in a second domain cooperate with a combination of wireless sensors with RF protocol adapters to monitor and analyze wireless activity and probes to monitor activity in the second domain in order to analyze an anomaly of interest in a wider view of another domain's activity. These modules and models understand and assess the wireless activity and the activity from the second domain in light of the AI models modelling the pattern of life for entities in a wireless domain and/or a in the second domain in order to detect a cyber threat indicated by at least by the anomaly of interest. A formatting model generates an alert and/or a report.
H04L 41/16 - Dispositions pour la maintenance, l’administration ou la gestion des réseaux de commutation de données, p. ex. des réseaux de commutation de paquets en utilisant l'apprentissage automatique ou l'intelligence artificielle
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, comprising specially adapted graphical user interfaces [GUI]
H04W 12/122 - Counter-measures against attacks; protection against rogue devices
86.
User agent inference and active endpoint fingerprinting for encrypted connections
A cyber security appliance can inoculate a fleet of network devices by analyzing each endpoint of a secure connection. The appliance can receive a hostname for a malicious web server. The appliance can generate an unencrypted target fingerprint by sending a series of unencrypted connection protocol requests to the malicious web server, and an encrypted target fingerprint by sending a series of encrypted secure connection protocol requests to the malicious web server. The appliance can build a combined web server fingerprint for the malicious web server from both the encrypted target fingerprint and the unencrypted target fingerprint. The appliance can determine a set of suspicious IP addresses based on the combined web server fingerprint for the malicious web server. The appliance can inoculate a fleet of network devices against a cyber-attack by using the IP addresses to preemptively alert the fleet of the cyber-attack.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, comprising specially adapted graphical user interfaces [GUI]
87.
Artificial intelligence based analyst as an evaluator
Methods, systems, and apparatus are disclosed for an Artificial Intelligence based cyber security system. An Artificial Intelligence based cyber analyst can make use of a data structure containing multiple tags to assist in creating a consistent, expanding modeling of an ongoing cyber incident. The Artificial Intelligence based cyber analyst can make use of a cyber incident graph database when rendering that incident to an end user. The Artificial Intelligence based cyber analyst can also be used as a mechanism to evaluate the quality of the alerts coming from 3rd parties' security tools both when the system being protected by the cyber security appliance is not actually under attack by a cyber threat as well as during an attack by a cyber threat.
09 - Scientific and electrical apparatus and instruments
42 - Scientific, technological and industrial services, research and design
Goods and services
Computer software; computer hardware; computer programs; data banks; computer systems for monitoring computer network behavioural patterns to detect and remove computer viruses and security threats; computer software for managing and filtering electronic communications; computer software for encrypting and authenticating data; computer software for detecting and repairing computer software, computer hardware, and computer network problems; computer software and computer systems for monitoring, measuring, tracking and reporting computer network behavioural patterns to discover risks, correlate security information, assess vulnerabilities, and managing and communicating compliance; computer software for managing and filtering electronic communications; computer software for encrypting and authenticating data; computer software for detecting and repairing computer software, computer hardware, and computer network problems; computer software for verifying compliance with security policies; manuals in electronic format provided together with each of the foregoing goods.
Design and development of computer software and computer systems; computer engineering; software as a service [SaaS]; design and development of computer software and computer systems for monitoring computer network behavioural patterns to detect and remove computer viruses and security threats; computer programming; consultancy, design, testing, research and advisory services, all relating to computer programming, computer security and computer networks; technical support services relating to computer software, computer security, computer networks and the Internet; troubleshooting of computer software, computer hardware and computer network problems (terms considered too vague by the International Bureau - Rule 13 (2) (b) of the Common Regulations); services for enhancing the performance, function and security of computer networks; data security services; provision of security services for computer networks, computer access and computerised transactions; computer security services, computer network security services; services relating to the protection of computer software, computer hardware, computer networks and computer systems against attacks from computer viruses and security threats; monitoring of computer network systems; monitoring of computer network behavioural patterns for detecting and removing computer viruses and security threats; maintenance and repair of computer software and computer networks (terms considered too vague by the International Bureau - Rule 13 (2) (b) of the Common Regulations); advisory services relating to data security; security services for the protection of computer software and computer systems; information, consultancy and advisory services relating to all the aforesaid services.
89.
ENDPOINT CLIENT SENSORS FOR EXTENDING NETWORK VISIBILITY
Endpoint agent cSensors can be used to extend network visibility and enhance tracking capabilities for a cyber security and threat defense environment. The cSensor may comprise a network module to monitor network information coming into and out of the endpoint computing device to ingest a first set of traffic data from network connections. The cSensor may have a collation module to collect the first set of traffic data and obtain input data related to observed network events. An analyzer module can receive the input data and use an intelligent DPI engine to perform predetermined levels of DPI from two or more possible levels of DPI on the input data based on network parameters. The cSensor may have a communication module to transmit a second set of traffic data to a cyber security appliance based on the specified DPI performed. Furthermore, the cSensor may have an autonomous action module to perform autonomous action(s) in response to autonomous action(s) correlated to the received second set of traffic data.
A cyber threat defense system can incorporate data from an instant messaging platform with multiple other platforms in a client system to identify cyber threats across the client system. The system can have one or more instant messaging modules to collect instant messaging data from one or more network entities that utilizes one or more instant messaging platforms. A user specific profile module can identify a user of the client system associated with the user account based on a composite user profile constructed from user context data collected across multiple platforms of the client system. A risk profile module can associate the user with a user risk profile based on the composite user profile. The risk profile module can apply one or more artificial intelligence classifiers to the instant message based on the user risk profile. A cyber threat module is configured to identify whether the instant messaging data corresponds to a cyber threat partially based on the user risk profile. An autonomous response module can execute an autonomous response in response to the cyber threat factoring in the user risk profile.
ENDPOINT AGENT CLIENT SENSORS (cSENSORS) AND ASSOCIATED INFRASTRUCTURES FOR EXTENDING NETWORK VISIBILITY IN AN ARTIFICIAL INTELLIGENCE (AI) THREAT DEFENSE ENVIRONMENT
Endpoint agent cSensors can be used to extend network visibility and enhance tracking capabilities for a cyber security and threat defense environment. The cSensor may comprise a network module to monitor network information coming into and out of the endpoint computing device to ingest a first set of traffic data from network connections. The cSensor may have a collation module to collect the first set of traffic data and obtain input data related to observed network events. An analyzer module can receive the input data and use an intelligent DPI engine to perform predetermined levels of DPI from two or more possible levels of DPI on the input data based on network parameters. The cSensor may have a communication module to transmit a second set of traffic data to a cyber security appliance based on the specified DPI performed. Furthermore, the cSensor may have an autonomous action module to perform autonomous action(s) in response to autonomous action(s) correlated to the received second set of traffic data.
A cyber threat defense system and a method for detecting a cyber threat may use a predictor, e.g. a Transformer deep learning model, which is configured to predict a next item in the sequence of events and to detect one or more anomalies in the sequence of events. This provides a notification comprising (i) information about the one or more anomalies; and (ii) a prediction of what would have been expected.
Cyber threat defense systems and methods are provided. The system includes a network module, an analyzer module and a classifier. The network module ingests network data, which is provided to one or more machine learning models included in the analyzer module. Each machine learning model identifies metrics associated with the network data and outputs a score indicative of whether anomalous network data metrics are caused by a cyber threat. These output scores are provided to the classifier, which determines a probability that a cybersecurity breach has occurred.
A Software as a Service (SaaS) console can retrieve data from one or more application programming interfaces (APIs) hosted by one or more SaaS platforms in order to identify cyber threats in a cyber threat defense system. The SaaS console can use customizable generic templates to provide a regular i) polling service, ii) data retrieval service, or iii) any combination of both, as well as a universal way to obtain data from the one or more APIs hosted by the one or more SaaS platforms and collect event-based activity data from those APIs. Data fields of the one or more customizable generic templates are configured to be populated with data incorporated from a first user of a first SaaS platform for a first API of the first SaaS platform.
A multi-stage anomaly detector analyzes an anomalous process chain in real time and rapidly determines whether the process chain is indicative of a cyber threat on an endpoint computing device in a multi-host environment. The multi-stage anomaly detector is used in an analyzer module configured within a host endpoint agent on that device. The analyzer module generates an anomaly score to correlate a likelihood that the cyber threat detected is harmful to that device. The multi-stage anomaly detector includes multiple stages of anomaly detectors including a first stage, a second stage, and a third stage of the anomaly detectors. Each stage generates its own anomaly score to produce at least one rapidly determined anomaly score as well as one thoroughly determined anomaly score. Each anomaly score is generated from various computational processes and factors different from the computational processes and factors of the other stages of anomaly detectors.
A traffic manager module of a cyber threat defense platform that can differentiate between data flows to a client device. A registration module can register a connection between devices within a client network to transmit a series of data packets. A classifier module can execute a comparison of features of the connection to a set of interest criteria to determine an interest level for the cyber threat defense platform in the connection. The classifier module can apply an interest classifier describing the interest level to the connection based on the comparison. A deep packet inspection engine can examine the data packets of the connection for cyber threats if the interest classifier indicates interest. A diverter can shunt the data packets of the connection away from the deep packet inspection engine if the interest classifier indicates no interest.
A cyber defense system using machine learning models trained on the classification of structured documents, such as emails, in order to identify a cyber threat risk of the incoming or outgoing structured document and to cause one or more autonomous actions to be taken in relation to the structured document based on a comparison of a category the structured document is classified with, a score associated with the classification and a threshold score. For incoming structured documents, the autonomous actions of the cyber defense system may act to contain a malign nature of identified incoming structured documents. For outgoing structured documents, the autonomous actions of the cyber defense system may act to prevent the structured document from being sent to an unintended recipient.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
09 - Scientific and electrical apparatus and instruments
42 - Scientific, technological and industrial services, research and design
Goods and services
(1) Computer hardware; downloadable computer programs for network management; data banks, namely, computer software for creating searchable databases of information and data; computer systems for monitoring computer network behavioural patterns to detect and remove computer viruses and security threats; computer software for managing and filtering electronic communications; computer software for encrypting and authenticating data; computer software for detecting and repairing computer software, computer hardware, and computer network problems; computer software and computer systems for monitoring, measuring, tracking and reporting computer network behavioural patterns to discover risks, correlate security information, assess vulnerabilities, and managing and communicating compliance; computer software for managing and filtering electronic communications; computer software for encrypting and authenticating data; computer software for detecting and repairing computer software, computer hardware, and computer network problems; computer software for verifying compliance with security policies; manuals in electronic format provided together with each of the foregoing goods. 
(1) Design and development of computer software and computer systems; computer software engineering; software as a service [SaaS] featuring software for monitoring computer network behavioural patterns to detect and remove computer viruses and security threats; software as a service (SaaS) services featuring software for monitoring, measuring, tracking and reporting computer network behavioural patterns to discover risks, correlate security information, assess vulnerabilities, and managing and communicating compliance; software as a service (SaaS) services featuring software for encrypting and authenticating data and detecting and repairing computer software, computer hardware, and computer network problems; design and development of computer software and computer systems for monitoring computer network behavioural patterns to detect and remove computer viruses and security threats; computer programming; consultancy, design, testing, research and advisory services, all relating to computer programming, computer security and computer networks; technical support services relating to computer software, computer security, computer networks and the Internet; troubleshooting of computer software, computer hardware and computer network problems; services for enhancing the performance, function and security of computer networks; data security services; provision of security services for computer networks, computer access and computerised transactions; computer security services, computer network security services; services relating to the protection of computer software, computer hardware, computer networks and computer systems against attacks from computer viruses and security threats; monitoring of computer network systems; monitoring of computer network behavioural patterns for detecting and removing computer viruses and security threats; maintenance and repair of computer software and computer networks; advisory services relating to data security; security services for the protection of computer software and computer systems; information, consultancy and advisory services relating to all the aforesaid services.
09 - Scientific and electrical apparatus and instruments
42 - Scientific, technological and industrial services, research and design
Goods and services
Computer hardware; downloadable computer software and computer hardware for monitoring computer network behavioural patterns to detect and remove computer viruses and security threats; downloadable computer software for managing and filtering electronic communications; downloadable computer software for encrypting and authenticating data; downloadable computer software for detecting and repairing computer software, computer hardware, and computer network problems; downloadable computer software and computer hardware for monitoring, measuring, tracking and reporting computer network behavioural patterns to discover risks, correlate security information, assess vulnerabilities, and managing and communicating compliance; downloadable computer software for managing and filtering electronic communications; downloadable computer software for encrypting and authenticating data; downloadable computer software for verifying compliance with security policies; and downloadable manuals in electronic format provided together with each of the foregoing goods.
Design and development of computer software and computer systems; computer engineering; design and development of computer software and computer systems for monitoring computer network behavioural patterns to detect and remove computer viruses and security threats; computer programming; advisory services relating to data security; Software as a service (SAAS) services featuring software for monitoring, measuring, tracking and reporting computer network behavioural patterns to discover risks, correlate security information, assess vulnerabilities, and managing and communicating compliance; Software as a service (SAAS) services featuring software for monitoring computer network behavioural patterns to detect and remove computer viruses and security threats; Software as a service (SAAS) services featuring software for encrypting and authenticating data and detecting and repairing computer software, computer hardware, and computer network problems; Software as a service (SAAS) services featuring software for managing and filtering electronic communications and verifying compliance with security policies; Technical support services, namely, troubleshooting of computer software problems; Data security consultancy; Computer security consultancy; Computer network security consultancy; Technical support, namely, monitoring technological functions of computer network systems; Computer services, namely, on-line scanning, detecting, quarantining and eliminating of viruses, worms, trojans, spyware, adware, malware and unauthorized data and programs on computers and electronic devices; maintenance and repair of computer software; Provision of information relating to computer programming via a website; Provision of information relating to computer technology via a website
An AI adversary red team configured to pentest email and/or network defenses implemented by a cyber threat defense system used to protect an organization and all its entities. AI model(s) trained with machine learning on contextual knowledge of the organization and configured to identify data points from the contextual knowledge including language-based data, email/network connectivity and behavior pattern data, and historic knowledgebase data. The trained AI models cooperate with an AI classifier in producing specific organization-based classifiers for the AI classifier. A phishing email generator generates automated phishing emails to pentest the defense systems, where the phishing email generator cooperates with the AI models to customize the automated phishing emails based on the identified data points of the organization and its entities. The customized phishing emails are then used to initiate one or more specific attacks on one or more specific users associated with the organization and its entities.