H04L63/14

SYSTEMS AND METHODS FOR ENHANCING DATA PROVENANCE BY LOGGING KERNEL-LEVEL EVENTS
20220327219 · 2022-10-13 ·

The present disclosure generally relates to capturing events of interest relevant to security and data provenance within a cyber-physical system. The present disclosure also relates to systems and methods for monitoring, capturing, logging, analyzing, and reporting of kernel-level events. Systems and methods for generating a time-ordered event data stream of kernel-level events captured across different types of computing devices (e.g., devices running operating systems and devices running real-time operating systems) included in an industrial control system, are described.

Fleet monitoring

A system for providing security to a fleet of vehicles, the system comprising: a plurality of modules, each module configured to monitor messages propagating in an in-vehicle network of a vehicle comprised in the fleet; a memory having data characterizing messages, and software executable to: identify an anomaly in communications over the in-vehicle communication network; and instruct a communication interface, configured to support communication with an entity external to the vehicle, to transmit monitoring data responsive to the messages; and a processor configured to execute the software in the memory; and a data monitoring and processing hub external to the vehicles comprised in the fleet and operable to receive transmission of monitoring data from the plurality of modules.
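One way the per-vehicle module in such a claim can "identify an anomaly in communications over the in-vehicle communication network" and package monitoring data for the external hub, written here as an added example rather than anything from the patent itself: it learns the typical inter-frame interval of each periodic CAN ID from a clean baseline, then flags IDs that arrive far faster than baseline (the signature of a frame-injection flood) or that never appeared in baseline. The CAN frame logs, vehicle identifier, ratio and window thresholds are all constructed for the example.

```python
"""Vehicle-side CAN timing-anomaly module reporting to a fleet hub (added example).

Assumptions (constructed, not from the patent): frames are (timestamp_s, can_id)
tuples, periodic IDs have a stable interval, and an injected flood shows up as
several consecutive frames arriving well under the learned interval.
"""
from collections import defaultdict
from statistics import mean, pstdev


def learn_baseline(frames):
    """frames: iterable of (timestamp_s, can_id). Returns {can_id: (mean_interval, stdev)}."""
    last, intervals = {}, defaultdict(list)
    for ts, cid in sorted(frames):
        if cid in last:
            intervals[cid].append(ts - last[cid])
        last[cid] = ts
    return {cid: (mean(iv), pstdev(iv)) for cid, iv in intervals.items() if len(iv) >= 2}


class VehicleModule:
    def __init__(self, vehicle_id, baseline, min_ratio=0.5, window=5):
        self.vehicle_id = vehicle_id
        self.baseline = baseline
        self.min_ratio = min_ratio        # a gap below min_ratio * learned mean counts as "fast"
        self.window = window              # consecutive fast frames needed before alerting
        self.last = {}
        self.fast_count = defaultdict(int)
        self.reported_unknown = set()     # alert once per never-seen ID, not once per frame
        self.alerts = []

    def observe(self, ts, cid):
        """Feed one live frame; returns the alert dict it produced, or None."""
        alert = None
        if cid not in self.baseline:
            if cid not in self.reported_unknown:
                self.reported_unknown.add(cid)
                alert = {"type": "unknown_id", "can_id": hex(cid)}
        elif cid in self.last:
            mu, _ = self.baseline[cid]
            gap = ts - self.last[cid]
            if gap < self.min_ratio * mu:
                self.fast_count[cid] += 1
                if self.fast_count[cid] == self.window:
                    alert = {"type": "rate_anomaly", "can_id": hex(cid),
                             "expected_interval_s": round(mu, 4),
                             "observed_interval_s": round(gap, 4)}
            else:
                self.fast_count[cid] = 0
        self.last[cid] = ts
        if alert:
            alert.update({"vehicle_id": self.vehicle_id, "ts": round(ts, 4)})
            self.alerts.append(alert)
        return alert

    def report(self, frames_seen):
        """Monitoring data as the external hub would receive it."""
        return {"vehicle_id": self.vehicle_id, "frames_seen": frames_seen, "alerts": list(self.alerts)}


# Constructed traffic: ID 0x100 every 10 ms and ID 0x200 every 100 ms for one second.
BASELINE_FRAMES = [(i * 0.010, 0x100) for i in range(100)] + [(i * 0.100, 0x200) for i in range(10)]
LIVE_FRAMES = ([(1.0 + i * 0.010, 0x100) for i in range(100)]
               + [(1.0 + i * 0.100, 0x200) for i in range(10)]
               + [(1.5 + k * 0.001, 0x100) for k in range(20)]   # injected flood of ID 0x100
               + [(1.25, 0x7FF)])                                # ID never seen in baseline


def run_module(vehicle_id, baseline_frames, live_frames):
    """Train on baseline, replay live frames in time order, return the hub report."""
    module = VehicleModule(vehicle_id, learn_baseline(baseline_frames))
    for ts, cid in sorted(live_frames):
        module.observe(ts, cid)
    return module.report(len(live_frames))


if __name__ == "__main__":
    import json
    print(json.dumps(run_module("veh-001", BASELINE_FRAMES, LIVE_FRAMES), indent=2))
```

The window requirement is what keeps a single jittered frame from paging the hub; the ratio threshold should be set per ID from the learned standard deviation on a real bus rather than the flat 0.5 used here.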

SOFTWARE POSTURE FOR ZERO TRUST ACCESS
20230061141 · 2023-03-02 ·

Disclosed are methods, systems, and non-transitory computer-readable storage media for evaluating software posture as a condition of zero trust access. The present technology provides a client-side validation agent and a validation service which in tandem can capture and evaluate data representative of parameters associated with an application executing on a user device. The validation service can validate the application to a networked service, and in turn the networked service can permit communication to the application running on the user device.

Automatically detecting authorized remote administration sessions in a network monitoring system

In one embodiment, a service receives administration traffic data in a network associated with a remote administration session in which a control device remotely administers a client device. The service analyzes the administration traffic data to determine whether any portion of it results from an administration session involving a trusted administrator. The service flags a first portion of the administration traffic data as authorized when that portion is determined to result from a session involving a trusted administrator, while a second portion remains unflagged. The service then assesses the second portion using a machine learning-based traffic classifier to determine whether it is malicious.
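The two-stage split described above, as an added example that is not the patent's own code: sessions that can be tied to a trusted administrator (known account, connecting from a known control host) are flagged authorized and set aside; only the remainder reaches the classifier. The classifier here is a hand-written command-line indicator scorer standing in for the ML traffic classifier the abstract refers to, and the admin roster, bastion address, indicator list and session records are all constructed.

```python
"""Two-stage triage of remote-administration traffic (added example).

Stage 1 partitions sessions into authorized (trusted admin) and unflagged.
Stage 2 scores only the unflagged sessions. Everything below the imports
is constructed for illustration; the scorer is a stand-in for an ML model.
"""
from dataclasses import dataclass, field


@dataclass
class AdminSession:
    session_id: str
    account: str            # account authenticated on the control device
    control_ip: str         # device issuing the administration commands
    client_ip: str          # device being administered
    commands: list = field(default_factory=list)


# Constructed trust policy: admin accounts and jump hosts the SOC vouches for.
TRUSTED_ADMINS = {"alice.ops", "bob.ops"}
TRUSTED_CONTROL_IPS = {"10.0.0.5"}   # the bastion host


def is_trusted(s: AdminSession) -> bool:
    """Both the account and the control device must be known; either alone is not enough."""
    return s.account in TRUSTED_ADMINS and s.control_ip in TRUSTED_CONTROL_IPS


def partition(sessions):
    """Split sessions into (authorized, unflagged)."""
    authorized = [s for s in sessions if is_trusted(s)]
    unflagged = [s for s in sessions if not is_trusted(s)]
    return authorized, unflagged


# Stand-in classifier: weighted command-line indicators (constructed, not exhaustive).
INDICATORS = {
    "credential_dump": (("lsass", "mimikatz", "sekurlsa"), 5),
    "persistence": (("schtasks /create", "reg add", "/sc onlogon"), 3),
    "defense_evasion": (("wevtutil cl", "history -c", "disablerealtimemonitoring"), 4),
    "lateral_tooling": (("psexec", "wmic /node:", "certutil -urlcache"), 3),
}
MALICIOUS_THRESHOLD = 5


def score(s: AdminSession):
    """Return (total score, {indicator: weight}) over the session's command stream."""
    text = "\n".join(s.commands).lower()
    hits = {name: weight for name, (needles, weight) in INDICATORS.items()
            if any(n in text for n in needles)}
    return sum(hits.values()), hits


def triage(sessions):
    """Run both stages; authorized sessions never reach the classifier."""
    authorized, unflagged = partition(sessions)
    verdicts = {}
    for s in unflagged:
        total, hits = score(s)
        verdicts[s.session_id] = {
            "score": total,
            "indicators": sorted(hits),
            "verdict": "malicious" if total >= MALICIOUS_THRESHOLD else "benign",
        }
    return {"authorized": [s.session_id for s in authorized], "verdicts": verdicts}


# Constructed sessions: a bastion admin, the same admin from an unexpected host, a service account.
SESSIONS = [
    AdminSession("s1", "alice.ops", "10.0.0.5", "10.0.1.20",
                 ["systemctl restart nginx", "journalctl -u nginx -n 50"]),
    AdminSession("s2", "alice.ops", "10.0.7.99", "10.0.1.21",
                 ["uptime", "cat /etc/hostname"]),
    AdminSession("s3", "svc_backup", "10.0.7.99", "10.0.1.30",
                 ["whoami",
                  r"reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v upd /t REG_SZ /d C:\u.exe",
                  r"rundll32 comsvcs.dll MiniDump 624 C:\lsass.dmp full"]),
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SESSIONS), indent=2))
```

Note that s2 is a trusted account coming from an untrusted control host: it is deliberately not flagged authorized, because the whole point of the first stage is that the trust decision rests on the session, not on the account name alone.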

Systems and methods for detecting communication fraud attempts

The present disclosure provides a computer system, method, and computer-readable medium for a computer processor to detect, prevent and counter potentially fraudulent communications by proactively monitoring communications and performing multi-step analysis to detect fraudsters and alert communication recipients. The present disclosure may implement artificial intelligence (AI) algorithms to identify fraudulent communications. The AI model may be trained on real-world examples so that it improves over time.

Systems and methods for side-channel monitoring of a local network
11632313 · 2023-04-18 ·

Systems and methods for side-channel monitoring of a local network are disclosed. A program trace signal is generated from at least one of the power consumption, electromagnetic emission, or acoustic emanation of a control processor connected to the local network. A monitoring processor is operated to detect a communication of a message on the local network, identify at least one purported control processor related to the communication, analyze the program trace signal of that purported control processor relative to the communication, and authenticate or verify one or more of the purported control processors based on their program trace signals.
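The core check the abstract describes, as an added example that is not the patent's implementation: the monitoring processor sees a message on the bus, reads the controller that claims to have sent it, and looks in that controller's out-of-band trace for the transmit signature at the corresponding time. Template matching by normalized cross-correlation is the analysis method assumed here; the power traces, the 24-sample half-sine signature, the bus latency, the threshold and the message log are all constructed.

```python
"""Authenticating a bus message against the purported sender's side channel (added example).

Assumptions (constructed): each controller's power trace is sampled in lockstep
with bus time, transmitting produces a known burst (TEMPLATE), and the message
appears on the bus a fixed `latency` samples after the burst starts.
"""
import math
import random

# Constructed transmit signature: a 24-sample half-sine power burst.
TEMPLATE = [math.sin(math.pi * i / 23) for i in range(24)]
TRACE_LEN = 400


def make_trace(seed, tx_times, noise=0.05):
    """Synthesize a power trace: Gaussian noise plus TEMPLATE at each transmit time."""
    rng = random.Random(seed)
    trace = [rng.gauss(0.0, noise) for _ in range(TRACE_LEN)]
    for t in tx_times:
        for i, v in enumerate(TEMPLATE):
            trace[t + i] += v
    return trace


def ncc(a, b):
    """Normalized cross-correlation of two equal-length windows, in [-1, 1]."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    num = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    da = math.sqrt(sum((x - ma) ** 2 for x in a))
    db = math.sqrt(sum((y - mb) ** 2 for y in b))
    return num / (da * db) if da and db else 0.0


def best_match(trace, center, tolerance):
    """(best NCC against TEMPLATE, offset) over windows starting within +-tolerance of center."""
    lo = max(0, center - tolerance)
    hi = min(len(trace) - len(TEMPLATE), center + tolerance)
    return max((ncc(trace[t:t + len(TEMPLATE)], TEMPLATE), t) for t in range(lo, hi + 1))


def verify(messages, traces, threshold=0.8, tolerance=5, latency=2):
    """For each observed message, decide whether the purported sender really transmitted.

    Returns (bus_time, claimed_src, verdict, correlation) per message. A claimed
    source with no monitored trace cannot be verified and is reported as such.
    """
    results = []
    for msg in messages:
        src = msg["claimed_src"]
        if src not in traces:
            results.append((msg["t"], src, "unknown-source", 0.0))
            continue
        corr, _ = best_match(traces[src], msg["t"] - latency, tolerance)
        verdict = "verified" if corr >= threshold else "rejected"
        results.append((msg["t"], src, verdict, round(corr, 2)))
    return results


# Constructed ground truth: plc-1 transmits at samples 100 and 300, plc-2 only at 200.
TRACES = {"plc-1": make_trace(1, [100, 300]), "plc-2": make_trace(2, [200])}
# Observed bus messages (sample index, claimed source). The third is spoofed: it carries
# plc-2's address, but plc-2's trace shows no transmit activity near sample 300.
MESSAGES = [
    {"t": 102, "claimed_src": "plc-1"},
    {"t": 202, "claimed_src": "plc-2"},
    {"t": 302, "claimed_src": "plc-2"},
    {"t": 302, "claimed_src": "plc-9"},
]

if __name__ == "__main__":
    for row in verify(MESSAGES, TRACES):
        print(row)
```

Two practical caveats the toy hides: the tolerance window must be at least as wide as the real jitter between the transmit routine and the frame appearing on the bus, or legitimate senders get rejected, and the template should be re-measured whenever the controller's firmware changes, since a patched transmit routine changes the burst shape.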

Data inspection system and method

A system continuously monitors, by at least one inspector, an inspection work queue for a class of inspection operation request, detects, by the at least one inspector, the class of inspection operation request in the inspection work queue, removes, by the at least one inspector, the class of inspection operation request from the inspection work queue, determines, by the at least one inspector, one of a class of inspection tool and a specific level of inspection to perform for the class of inspection operation request that references a data object, and executes, by the at least one inspector, the one of the class of inspection tool and the specific level of inspection for the class of inspection operation request that references the data object at one of a certain time and a certain event during a data lifecycle of the data object.

Method for managing plant, plant design device, and plant management device

A plant management method includes: acquiring correlation information indicating a correlation between a component subjected to a cyberattack and a component to be possibly affected by the cyberattack when a plant including a plurality of components is subjected to the cyberattack; and zoning the plurality of components on the basis of the correlation information.
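The zoning step, as an added example that is not the patent's own method: correlation information is modelled as weighted edges (attacked component, affected component, propagation strength); components joined by an edge at or above a threshold are merged into one zone, because compromise of one is expected to reach the other, and the edges that end up crossing a zone boundary are where a filtering conduit belongs. The plant model, strengths and threshold are constructed; the union-find merge and the reachability query are this example's design choices.

```python
"""Zoning plant components from attack-correlation information (added example).

Assumptions (constructed): correlation information is a list of
(attacked, affected, strength) with strength in [0, 1]; a single threshold
decides which correlations are strong enough to force two components into
the same zone.
"""
from collections import defaultdict, deque

# Constructed correlation information for a small plant.
CORRELATIONS = [
    ("hmi-1", "plc-1", 0.9),
    ("plc-1", "valve-actuator", 0.95),
    ("plc-1", "pressure-sensor", 0.6),
    ("hmi-1", "historian", 0.3),
    ("historian", "erp-gateway", 0.8),
    ("erp-gateway", "mail-relay", 0.7),
    ("eng-workstation", "plc-1", 0.85),
    ("eng-workstation", "plc-2", 0.85),
    ("plc-2", "conveyor", 0.9),
]


class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def zone_components(correlations, threshold):
    """Return {component: zone_id}; zones are numbered by their alphabetically smallest member."""
    uf = UnionFind()
    for attacked, affected, strength in correlations:
        uf.find(attacked)            # register both endpoints so isolated nodes get a zone
        uf.find(affected)
        if strength >= threshold:
            uf.union(attacked, affected)
    groups = defaultdict(list)
    for c in uf.parent:
        groups[uf.find(c)].append(c)
    ordered = sorted(groups.values(), key=min)
    return {c: zid for zid, g in enumerate(ordered) for c in g}


def conduits(correlations, zones):
    """Correlations whose endpoints lie in different zones: candidate conduit locations."""
    return [(a, b, s) for a, b, s in correlations if zones[a] != zones[b]]


def blast_radius(correlations, start, threshold=0.0):
    """Components reachable from an attacked component along edges >= threshold (BFS)."""
    adj = defaultdict(list)
    for a, b, s in correlations:
        if s >= threshold:
            adj[a].append(b)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return sorted(seen)


if __name__ == "__main__":
    zones = zone_components(CORRELATIONS, threshold=0.5)
    print(zones)
    print("conduits:", conduits(CORRELATIONS, zones))
    print("blast radius of hmi-1:", blast_radius(CORRELATIONS, "hmi-1"))
```

The threshold is the granularity knob: at 0.5 the plant above falls into an OT zone and an IT zone joined by one weak conduit, while raising it toward 0.9 splits the OT side into several smaller zones. The blast-radius query is the sanity check to run after zoning, since a zone that contains everything a single HMI can reach has not really reduced anything.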

USER INTERFACE FOR EVENT DATA STORE
20230161768 · 2023-05-25 ·

A method includes defining a set of context types; defining a set of source types, each comprising context types; defining, for each source type and for each context type included in the events from data sources having that source type, a context definition comprising a set of fields, in events from those data sources, that are associated with the context type; receiving a query comprising a first field value and a time period; retrieving a plurality of events that include the first field value and fall within the time period; for each retrieved event, and for each context definition defined for the source type and a context type of the data source from which the retrieved event originated, determining field values of the fields in the set of fields of the context definition; aggregating, for each context type, the determined field values from the events; and generating an output.
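The procedure in the abstract carried through end to end, as an added example that is not the patent's own code: context types are declared, each source type maps its own field names onto those context types, a query pulls the events carrying a value inside a time window, and the mapped field values are rolled up per context type. The context types, the two source types, the field mappings and the event records are all constructed; a real event store would index time and field values rather than scan a list.

```python
"""Context-typed aggregation over an event store (added example).

Assumptions (constructed): events are flat dicts with `_time` (ISO 8601) and
`_source_type` metadata; values within one event are deduplicated so that an
event whose SubjectUserName and TargetUserName are both "jdoe" counts once.
"""
from collections import Counter, defaultdict
from datetime import datetime

CONTEXT_TYPES = {"user", "host", "process", "destination"}

# Source type -> {context type -> fields (in that source's events) carrying that context}
SOURCE_TYPES = {
    "windows_security": {
        "user": ["SubjectUserName", "TargetUserName"],
        "host": ["Computer"],
        "process": ["NewProcessName"],
    },
    "web_proxy": {
        "user": ["username"],
        "host": ["src_host"],
        "destination": ["dest_host"],
    },
}
# Every context definition must refer to a declared context type.
assert all(ct in CONTEXT_TYPES for defs in SOURCE_TYPES.values() for ct in defs)

# Constructed events from two sources; the 12:00 proxy event lies outside the demo window.
EVENTS = [
    {"_time": "2024-05-01T10:00:00", "_source_type": "windows_security",
     "SubjectUserName": "jdoe", "TargetUserName": "jdoe", "Computer": "WS01",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"_time": "2024-05-01T10:05:00", "_source_type": "windows_security",
     "SubjectUserName": "jdoe", "Computer": "WS01",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"_time": "2024-05-01T10:07:00", "_source_type": "web_proxy",
     "username": "jdoe", "src_host": "WS01", "dest_host": "files.example.net"},
    {"_time": "2024-05-01T12:00:00", "_source_type": "web_proxy",
     "username": "jdoe", "src_host": "WS02", "dest_host": "drop.example.org"},
    {"_time": "2024-05-01T10:10:00", "_source_type": "windows_security",
     "SubjectUserName": "asmith", "Computer": "WS03",
     "NewProcessName": r"C:\Windows\System32\notepad.exe"},
]


def retrieve(events, value, start, end):
    """Events within [start, end] that carry `value` in any non-metadata field."""
    t0, t1 = datetime.fromisoformat(start), datetime.fromisoformat(end)
    hits = []
    for ev in events:
        ts = datetime.fromisoformat(ev["_time"])
        if t0 <= ts <= t1 and any(v == value for k, v in ev.items() if not k.startswith("_")):
            hits.append(ev)
    return hits


def context_values(ev):
    """{context type: set of values} for one event, using its source type's definitions."""
    defs = SOURCE_TYPES.get(ev["_source_type"], {})
    out = {}
    for ctx, fields in defs.items():
        vals = {ev[f] for f in fields if f in ev}
        if vals:
            out[ctx] = vals
    return out


def aggregate(events, value, start, end):
    """Per context type, the number of retrieved events in which each value occurred."""
    agg = defaultdict(Counter)
    for ev in retrieve(events, value, start, end):
        for ctx, vals in context_values(ev).items():
            for v in vals:
                agg[ctx][v] += 1
    return {ctx: dict(c) for ctx, c in agg.items()}


if __name__ == "__main__":
    result = aggregate(EVENTS, "jdoe", "2024-05-01T09:30:00", "2024-05-01T11:00:00")
    for ctx, counts in result.items():
        print(ctx, counts)
```

The field mapping is where the value lies for an analyst: the query asks for "jdoe" once and gets hosts, processes and destinations back under shared context names, even though the Windows source calls the host `Computer` and the proxy calls it `src_host`.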

SYSTEMS AND METHODS FOR IDENTIFICATION AND MANAGEMENT OF COMPLIANCE-RELATED INFORMATION ASSOCIATED WITH ENTERPRISE IT NETWORKS
20230162060 · 2023-05-25 ·

Various examples are provided related to identification of protected information elements associated with unique entities in data files present in data file collections associated with enterprise IT networks. The unique entities can be associated with one or more entity identifications in one or more data files. Computer-generated identification of entity identifications and protected information elements can be supplemented, in part, by human review. Information generated according to the disclosed methodology can be used to plan the time and number of human reviewers needed to review the data files. Information generated from these processes can be presented as user notifications, reports, and dashboards, fed into machine learning for subsequent data file analyses, or used to notify unique entities that have protected information elements present in one or more data files.