Patent classifications
H04L2463/121
INTRUSION INVESTIGATION
A process to investigate intrusions with an investigation system is disclosed. The process receives forensic facts from a set of forensic events on a system or network. A suspicious fact is identified from the forensic facts. A related fact from the forensic facts is identified based on the suspicious fact.
Detection of anomalous computer behavior
A computer-implemented method for determining features of a dataset that are indicative of anomalous behavior of one or more computers in a large group of computers comprises (1) receiving log files including a plurality of entries of data regarding connections between a plurality of computers belonging to an organization and a plurality of websites outside the organization, each entry being associated with the actions of one computer, (2) executing a time series decomposition algorithm on a portion of the features of the data to generate a first list of features, (3) implementing a plurality of traffic dispersion graphs to generate a second list of features, and (4) implementing an autoencoder and a random forest regressor to generate a third list of features.
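To make the traffic-dispersion-graph step concrete, here is an added example (not code from the patent) that builds the bipartite computer-to-website graph from a few constructed log lines, reads per-computer features off it, and orders those features by how sharply they separate an outlier. The log format, the feature names, the robust median/MAD scoring and the per-feature minimum scale are all assumptions; the time-series decomposition and autoencoder/random-forest stages of the abstract are not covered here.

```python
import statistics
from collections import defaultdict

# Constructed connection-log lines (not from the patent): "<time> <computer> <website> <port>".
# Five workstations talk to the same three external services; ws03 also reads one news
# site, and ws06 fans out to nine destinations nobody else in the organization contacts.
COMMON_SITES = ["mail.example-saas.com", "cdn.example.net", "updates.example-os.com"]
LOG_LINES = []
for _host in ["ws01", "ws02", "ws03", "ws04", "ws05"]:
    for _site in COMMON_SITES:
        LOG_LINES += [f"2024-03-01T09:00:00 {_host} {_site} 443"] * 2
LOG_LINES.append("2024-03-01T09:05:00 ws03 news.example.org 443")
LOG_LINES += [f"2024-03-01T09:10:00 ws06 {_site} 443" for _site in COMMON_SITES]
LOG_LINES += [f"2024-03-01T09:1{_i}:00 ws06 drop-{_i:02d}.example 443" for _i in range(1, 10)]


def parse_log(lines):
    """Each entry is (computer, website); one entry belongs to exactly one computer."""
    entries = []
    for line in lines:
        _time, host, site, _port = line.split()
        entries.append((host, site))
    return entries


def build_dispersion_graph(entries):
    """Bipartite traffic dispersion graph: computers on one side, external websites on the other."""
    out_edges = defaultdict(set)    # computer -> websites it contacted
    in_edges = defaultdict(set)     # website  -> computers that contacted it
    connections = defaultdict(int)  # computer -> number of log entries
    for host, site in entries:
        out_edges[host].add(site)
        in_edges[site].add(host)
        connections[host] += 1
    return out_edges, in_edges, connections


def graph_features(entries):
    """Per-computer features read off the dispersion graph."""
    out_edges, in_edges, connections = build_dispersion_graph(entries)
    features = {}
    for host, sites in out_edges.items():
        rare = sum(1 for s in sites if len(in_edges[s]) == 1)  # sites only this host visits
        features[host] = {
            "out_degree": len(sites),
            "connections": connections[host],
            "fan_out": len(sites) / connections[host],
            "rare_dest_fraction": rare / len(sites),
        }
    return features


# Minimum spread per feature (assumed), so a population with MAD == 0 does not flag every deviation.
SCALES = {"out_degree": 1.0, "connections": 1.0, "fan_out": 0.1, "rare_dest_fraction": 0.1}


def robust_scores(features, name, min_scale):
    """(value - median) / max(MAD, min_scale): robust to the very outlier we are looking for."""
    values = {h: f[name] for h, f in features.items()}
    med = statistics.median(values.values())
    mad = statistics.median(abs(v - med) for v in values.values())
    scale = max(mad, min_scale)
    return {h: (v - med) / scale for h, v in values.items()}


def outliers(features, name, min_scale, k=3.0):
    """Computers whose feature value sits more than k robust deviations above the population."""
    return sorted(h for h, z in robust_scores(features, name, min_scale).items() if z > k)


def ranked_feature_list(features, scales=SCALES):
    """The feature list this stage emits: ordered by how sharply each feature's strongest outlier separates."""
    return sorted(scales, key=lambda n: max(robust_scores(features, n, scales[n]).values()), reverse=True)


if __name__ == "__main__":
    feats = graph_features(parse_log(LOG_LINES))
    for name in ranked_feature_list(feats):
        print(name, outliers(feats, name, SCALES[name]))
```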
Network Authorization System and Method Using Rapidly Changing Network Keys
A system and method for authorizing a client device to access a host device based on timestamps that preferably include at least two time units. Both devices contain multiple sequence tables that relate an order of time units to the value of one of the time units. Both devices also contain multiple string tables that relate strings to values of the time units within the timestamps. When the client device wants to access the host, it generates a first timestamp and sends the host device the first timestamp and the character strings from the host tables related to the values of the time units of the first timestamp. The host tables are known to all authorized client devices within the network. The strings are ordered according to a sequence table in the client device and the host device. When received, the host device compares the received character strings to the character strings within its host string table, in an order determined by its host sequence table. If the character strings and their order match, the host sends the client a second timestamp and the process is repeated using the second timestamp and the sequence and string tables associated with, and known only to, the client device and the host device. In addition, the client, which may be monitored or controlled by the host, is able to request ongoing re-verification of the host's authorization to detect and prevent unauthorized access by a third party. The rapidly changing timestamps and network keys eliminate recursive efforts by an unauthorized third party to access these protected devices.
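The two-phase exchange described in the abstract, as an added example rather than the patent's own code. Timestamps carry two time units (hour and minute), each sequence table is indexed by the minute value, and the string tables hold seeded random strings; a freshness window on the timestamp is also assumed, since the abstract does not say how the verifier bounds clock drift. The tables are the only secret in the scheme, so wherever they are stored they need the same protection as a key.

```python
import hmac
import random

TIME_UNITS = ("hour", "minute")  # the two time units carried in every timestamp
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def make_tables(rng):
    """One sequence table plus one string table per time unit.

    rng is a seeded random.Random so the example is reproducible; tables for real devices
    must come from a CSPRNG (secrets.SystemRandom) and be provisioned out of band.
    """
    sequence = {m: rng.choice([("hour", "minute"), ("minute", "hour")]) for m in range(60)}
    strings = {
        "hour": {h: "".join(rng.choices(ALPHABET, k=8)) for h in range(24)},
        "minute": {m: "".join(rng.choices(ALPHABET, k=8)) for m in range(60)},
    }
    return {"sequence": sequence, "strings": strings}


def example_tables(seed):
    return make_tables(random.Random(seed))


def timestamp(minute_of_day):
    return {"hour": minute_of_day // 60, "minute": minute_of_day % 60}


def prove(tables, ts):
    """Look up the string for each time unit, emitted in the order the sequence table dictates."""
    order = tables["sequence"][ts["minute"]]
    return [tables["strings"][unit][ts[unit]] for unit in order]


def verify(tables, ts, received, now, window=1):
    """Recompute the strings and compare in constant time. The window (minutes) is an assumption."""
    if abs(now - (ts["hour"] * 60 + ts["minute"])) > window:
        return False
    expected = prove(tables, ts)
    return len(received) == len(expected) and hmac.compare_digest(
        "|".join(expected).encode(), "|".join(received).encode())


class Host:
    def __init__(self, host_tables, client_tables, clock):
        self.host_tables = host_tables      # known to every authorized client
        self.client_tables = client_tables  # client_id -> tables known only to that client and the host
        self.clock = clock                  # returns the current minute of the day
        self.pending = {}

    def handle_first_message(self, client_id, ts1, strings):
        """Phase 1: check the host-table proof; on success issue the second timestamp."""
        if client_id not in self.client_tables or not verify(self.host_tables, ts1, strings, self.clock()):
            return None
        ts2 = timestamp(self.clock())
        self.pending[client_id] = ts2
        return ts2

    def handle_second_message(self, client_id, strings):
        """Phase 2: the proof must now come from the tables only this client shares with the host."""
        ts2 = self.pending.pop(client_id, None)
        return ts2 is not None and verify(self.client_tables[client_id], ts2, strings, self.clock())

    def answer_challenge(self, client_id, ts):
        """Re-verification requested by a client: prove knowledge of that client's private tables."""
        return prove(self.client_tables[client_id], ts) if client_id in self.client_tables else []


class Client:
    def __init__(self, client_id, host_tables, client_tables, clock):
        self.client_id, self.host_tables, self.client_tables, self.clock = client_id, host_tables, client_tables, clock

    def first_message(self):
        ts1 = timestamp(self.clock())
        return ts1, prove(self.host_tables, ts1)

    def second_message(self, ts2):
        return prove(self.client_tables, ts2)

    def check_host(self, ts, strings):
        return verify(self.client_tables, ts, strings, self.clock())


def run_handshake(client, host):
    ts1, strings1 = client.first_message()
    ts2 = host.handle_first_message(client.client_id, ts1, strings1)
    return ts2 is not None and host.handle_second_message(client.client_id, client.second_message(ts2))


def reverify_host(client, host):
    """The client challenges the host with a fresh timestamp and checks the host's answer."""
    ts = timestamp(client.clock())
    return client.check_host(ts, host.answer_challenge(client.client_id, ts))
```

Phase 1 only proves membership in the network, because the host tables are shared by every authorized client; phase 2, with the per-client tables, is what identifies the individual client.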
Event views in data intake stage of machine data processing platform
A security platform employs a variety of techniques and mechanisms to detect security-related anomalies and threats in a computer network environment. The security platform is big-data driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect security-related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat and to take action promptly.
Systems and methods for device push provisioning
Techniques for provisioning access data may include receiving, by a first application installed on a communication device, user input selecting an account to provision to a second application installed on the communication device. The first application may invoke the second application and send a session identifier (ID) to the second application. The second application may send a user ID associated with the second application, a device ID, and the session ID to the first application. The first application may then generate encrypted provisioning request data and send the encrypted provisioning request data to the second application. The second application may send the encrypted provisioning request data to a remote server computer to request access data that can be used to access a resource. The second application may receive the access data provided by the remote server computer based on validation of the encrypted provisioning request data.
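The provisioning flow as an added example (not the patent's or any vendor's code): the first application opens a session, the second application returns its user ID and device ID under that session, the first application encrypts the request, and the remote server validates it before returning access data. Assumed, because the abstract does not specify them: a key shared between the first application and the server, a server-side record of which accounts belong to which user, and a replay check on session IDs. Encryption is a toy HMAC-SHA256 encrypt-then-MAC construction so the example runs on the standard library alone; production code should use a real AEAD such as AES-GCM.

```python
import hashlib
import hmac
import json
import os
import secrets


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Toy encrypt-then-MAC (HMAC-SHA256 in counter mode, then an HMAC tag). Stand-in for an AEAD."""
    nonce = os.urandom(12)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("provisioning request failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


class FirstApp:
    """Holds the user's accounts and a key shared with the remote server (the shared key is assumed)."""

    def __init__(self, accounts, server_key):
        self.accounts = set(accounts)
        self.key = server_key
        self.pending = {}  # session_id -> account the user selected

    def push_to(self, account, second_app):
        if account not in self.accounts:
            raise PermissionError("account not held by this application")
        session_id = secrets.token_hex(16)
        self.pending[session_id] = account
        return second_app.on_invoked(self, session_id)

    def build_request(self, user_id, device_id, session_id):
        # Binding check: the identifiers must come back under a session this application opened.
        account = self.pending.pop(session_id, None)
        if account is None:
            raise PermissionError("unknown or already-used session ID")
        payload = {"account": account, "user_id": user_id, "device_id": device_id, "session_id": session_id}
        return seal(self.key, json.dumps(payload, sort_keys=True).encode())


class SecondApp:
    """The application being provisioned; it relays the request but never sees its plaintext."""

    def __init__(self, user_id, device_id, server):
        self.user_id, self.device_id, self.server = user_id, device_id, server
        self.last_request = None

    def on_invoked(self, first_app, session_id):
        self.last_request = first_app.build_request(self.user_id, self.device_id, session_id)
        return self.server.provision(self.last_request)


class RemoteServer:
    """Validates the request and issues access data bound to account, user and device."""

    def __init__(self, key, accounts_by_user):
        self.key, self.accounts_by_user = key, accounts_by_user  # accounts_by_user is an assumed registry
        self.used_sessions = set()

    def provision(self, blob):
        req = json.loads(open_sealed(self.key, blob))
        if req["session_id"] in self.used_sessions:
            raise PermissionError("replayed provisioning request")
        if req["account"] not in self.accounts_by_user.get(req["user_id"], set()):
            raise PermissionError("account is not registered to this user")
        self.used_sessions.add(req["session_id"])
        binding = f'{req["account"]}|{req["user_id"]}|{req["device_id"]}'.encode()
        token = hmac.new(_subkey(self.key, b"token"), binding, hashlib.sha256).hexdigest()
        return {"account": req["account"], "device_id": req["device_id"], "token": token}


def is_rejected(fn, *args):
    """True when the call is refused (wrong session, replay, wrong user, or tampered ciphertext)."""
    try:
        fn(*args)
        return False
    except (PermissionError, ValueError):
        return True
```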
Method and System for Service Verification Using Access Control System
A service management system facilitates and validates service on building management systems installed in a building with an access control system. A service workflow module receives device events from control panels of the building management systems and combines them with local service data from mobile computing devices of technicians performing the service, generating service events. A validation module receives the service events, retrieves access control events from an access control system controller of the access control system, and determines whether they are coherent. The service workflow module also infers the location of the technician based on the access control events and sends service-eligible devices to be displayed on the mobile computing devices of the technicians. In an alternative embodiment, device events from a building automation system such as a heating, ventilation and air-conditioning system are further used to validate the service events.
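An added example of the coherence check (not the patent's code), run over constructed panel events, technician records and badge events. The device-to-zone and door-to-zone maps, the two-minute pairing tolerance and the "last door badged through" location rule are assumptions.

```python
from datetime import datetime, timedelta

# Constructed site data (not from the patent): device -> zone, and which zone each door admits to.
DEVICE_ZONES = {"SD-301": "zone-3", "SD-302": "zone-3", "PIR-410": "zone-4"}
DOOR_ZONES = {"door-3A": "zone-3", "door-4A": "zone-4"}


def t(s):
    return datetime.fromisoformat(s)


# Device events reported by the control panels
DEVICE_EVENTS = [
    {"device": "SD-301", "event": "detector_test", "time": t("2024-05-06T10:02:00")},
    {"device": "PIR-410", "event": "walk_test", "time": t("2024-05-06T10:20:00")},
]
# Local service data from the technicians' mobile devices
SERVICE_DATA = [
    {"tech": "tech-17", "device": "SD-301", "action": "test", "time": t("2024-05-06T10:01:30")},
    {"tech": "tech-17", "device": "PIR-410", "action": "test", "time": t("2024-05-06T10:19:00")},
]
# Badge events from the access control system controller; tech-17 only enters zone-4 at 10:35
ACCESS_EVENTS = [
    {"tech": "tech-17", "door": "door-3A", "time": t("2024-05-06T09:55:00")},
    {"tech": "tech-17", "door": "door-4A", "time": t("2024-05-06T10:35:00")},
]


def generate_service_events(device_events, service_data, tolerance=timedelta(minutes=2)):
    """Service workflow module: pair each panel event with the technician record for the same
    device that is closest in time, within the tolerance."""
    events = []
    for dev in device_events:
        candidates = [r for r in service_data
                      if r["device"] == dev["device"] and abs(r["time"] - dev["time"]) <= tolerance]
        if candidates:
            rec = min(candidates, key=lambda r: abs(r["time"] - dev["time"]))
            events.append({"tech": rec["tech"], "device": dev["device"],
                           "event": dev["event"], "time": dev["time"]})
    return events


def technician_zone(access_events, tech, at):
    """Infer location: the zone behind the last door the technician badged through before `at`."""
    prior = [e for e in access_events if e["tech"] == tech and e["time"] <= at]
    if not prior:
        return None
    return DOOR_ZONES[max(prior, key=lambda e: e["time"])["door"]]


def validate(service_events, access_events):
    """Validation module: a service event is coherent only if the access control log places the
    technician in the device's zone when the event happened."""
    return {(ev["device"], ev["event"]):
            technician_zone(access_events, ev["tech"], ev["time"]) == DEVICE_ZONES[ev["device"]]
            for ev in service_events}


def service_eligible_devices(access_events, tech, at):
    """Devices the mobile app should offer: those in the zone the technician is inferred to be in."""
    zone = technician_zone(access_events, tech, at)
    return sorted(d for d, z in DEVICE_ZONES.items() if z == zone)


if __name__ == "__main__":
    for key, ok in validate(generate_service_events(DEVICE_EVENTS, SERVICE_DATA), ACCESS_EVENTS).items():
        print(key, "coherent" if ok else "NOT coherent")
```

In the constructed data the PIR-410 walk test is reported by both the panel and the technician's phone, yet it is flagged, because the badge log says the technician had not yet entered zone-4 when it happened.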
Systems and methods for location-based authentication
Systems and methods are disclosed for performing location-based authentication using location-aware devices. One method includes: receiving an access request comprising authentication credentials and a first location from a first location-aware device; receiving a second location from a second location-aware device associated with the authentication credentials; and upon determining that the first location and second location are within a pre-determined distance, authenticating the authentication credentials.
Method and System for Efficient Cybersecurity Analysis of Endpoint Events
A comprehensive cybersecurity platform includes a cybersecurity intelligence hub, a cybersecurity sensor and one or more endpoints communicatively coupled to the cybersecurity sensor, where the platform allows for efficient scaling, analysis, and detection of malware and/or malicious activity. An endpoint includes a local data store and an agent that monitors for one or more types of events being performed on the endpoint, and performs deduplication within the local data store to identify distinct events. The agent provides the collected metadata of distinct events to the cybersecurity sensor which also performs deduplication within a local data store. The cybersecurity sensor sends all distinct events and/or file objects to a cybersecurity intelligence hub for analysis. The cybersecurity intelligence hub is coupled to a data management and analytics engine (DMAE) that analyzes the event and/or object using multiple services to render a verdict (e.g., benign or malicious) and issues an alert.
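The two deduplication tiers and the hub verdict as an added example (not the vendor's agent, sensor or hub code). The fields that make an event "distinct", the two analysis services, and the rule that any malicious vote yields a malicious verdict are assumptions, as is the constructed sample data.

```python
import hashlib
import json

DISTINGUISHING_FIELDS = ("type", "path", "sha256", "cmdline")


def event_key(event):
    """Content-addressed key over the fields that make an event distinct; time and pid are left
    out so repeats of the same activity collapse to one key."""
    canonical = json.dumps({f: event.get(f) for f in DISTINGUISHING_FIELDS}, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


class EndpointAgent:
    def __init__(self, host):
        self.host = host
        self.store = {}  # local data store: key -> metadata of the first occurrence plus a repeat count

    def observe(self, event):
        """Returns metadata to forward when the event is new to this endpoint, else None."""
        key = event_key(event)
        if key in self.store:
            self.store[key]["count"] += 1
            return None
        meta = {f: event.get(f) for f in DISTINGUISHING_FIELDS}
        meta.update(key=key, host=self.host, first_seen=event["time"], count=1)
        self.store[key] = meta
        return meta


class CybersecuritySensor:
    def __init__(self, hub):
        self.hub = hub
        self.store = {}  # key -> metadata plus the set of endpoints that reported it

    def receive(self, meta):
        """Second deduplication tier: the same distinct event from many endpoints reaches the hub once."""
        if meta is None:
            return None
        entry = self.store.get(meta["key"])
        if entry is not None:
            entry["hosts"].add(meta["host"])
            return None
        entry = dict(meta, hosts={meta["host"]})
        self.store[meta["key"]] = entry
        return self.hub.analyze(entry)


class IntelligenceHub:
    """Stand-in for the hub and its DMAE: every service votes, any 'malicious' vote wins."""

    def __init__(self, services):
        self.services = services
        self.alerts = []

    def analyze(self, entry):
        verdicts = {name: service(entry) for name, service in self.services.items()}
        verdict = "malicious" if "malicious" in verdicts.values() else "benign"
        if verdict == "malicious":
            # hosts is the sensor's live set, so later reports of the same event enrich the alert
            self.alerts.append({"key": entry["key"], "hosts": entry["hosts"], "verdicts": verdicts})
        return verdict


# Constructed analysis services and sample events (not from the patent).
KNOWN_BAD_SHA256 = {"9d3c" * 16}


def hash_reputation(entry):
    return "malicious" if entry.get("sha256") in KNOWN_BAD_SHA256 else "benign"


def cmdline_heuristic(entry):
    cmd = (entry.get("cmdline") or "").lower()
    return "malicious" if "-enc " in cmd or "-encodedcommand" in cmd else "benign"


CHROME = {"type": "process_start", "path": "C:\\Program Files\\Google\\Chrome\\chrome.exe",
          "sha256": "1a2b" * 16, "cmdline": "chrome.exe --profile-directory=Default"}
PS_ENC = {"type": "process_start", "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
          "sha256": "c0de" * 16, "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"}
UPDATER = {"type": "process_start", "path": "C:\\Users\\Public\\update.exe",
           "sha256": "9d3c" * 16, "cmdline": "update.exe"}
SAMPLE_EVENTS = {
    "ws-01": [dict(CHROME, time="10:00:01"), dict(CHROME, time="10:00:07"),
              dict(CHROME, time="10:03:00"), dict(PS_ENC, time="10:05:00")],
    "ws-02": [dict(CHROME, time="10:01:00"), dict(PS_ENC, time="10:06:00"),
              dict(PS_ENC, time="10:06:30"), dict(UPDATER, time="10:09:00")],
}


def run_pipeline(events_by_host, services):
    """Returns how many events survived each tier and the alerts the hub raised."""
    hub = IntelligenceHub(services)
    sensor = CybersecuritySensor(hub)
    stats = {"raw": 0, "after_endpoint": 0, "after_sensor": 0}
    for host, events in events_by_host.items():
        agent = EndpointAgent(host)
        for event in events:
            stats["raw"] += 1
            meta = agent.observe(event)
            if meta is not None:
                stats["after_endpoint"] += 1
                if sensor.receive(meta) is not None:
                    stats["after_sensor"] += 1
    stats["alerts"] = hub.alerts
    return stats
```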
INDIRECT DIAGNOSIS OF MULTIPLE FLUID MIXER UNIT PERFORMANCE
A liquid additive mixing apparatus is provided that has a plurality of chambers containing additives, as well as a system for mixing the additives. One or more additives are mixed with water to form a mixing fluid. The mixing fluid is placed in a first tank that is fluidly connected to a cement mixing unit. A cementing operation is executed during which the mixing fluid from the first tank is mixed with a cement to form a slurry. A capillary electrophoresis (CE) instrument is employed to monitor at least one additive parameter and detect deviations from a predetermined tolerance for the at least one additive parameter.
SMART BUILDING DATA CONNECTOR
There is described a smart building data connector, and method thereof, of a building management system. The connector receives change of value data from a local data device and generates processed data based on the change of value data and mapping data correlating the local data device to a remote cloud device. The connector attempts to transmit the processed data to the remote cloud device. The connector generates buffer data in response to determining that the remote cloud device is not ready to receive the processed data or the processed data has not been transmitted properly to the remote cloud device. Data analytics are determined based on the change of value data, the processed data, and the buffer data, and an action is performed at the remote cloud device based on the results of the data analytics.