Some embodiments provide a method of identifying packet latency in a software defined datacenter (SDDC) that includes a network and multiple host computers executing multiple machines. At a first host computer, the method identifies and stores (i) multiple time values associated with several packet processing operations performed on a particular packet sent by a first machine executing on the first host computer, and (ii) a time value associated with packet transmission through the SDDC network from the first host computer to a second host computer that is a destination of the particular packet. The method provides the stored time values to a set of one or more controllers to process to identify multiple latencies experienced by multiple packets processed in the SDDC.

A system and method for trigger-based scanning of cyber-physical assets, including a distributed operating system, parameter evaluation engine, at least one cyber-physical asset, at least one crypt-ledger, a network, and a scanner that detects trigger conditions and events and performs scans of cyber-physical assets based on the trigger and any relevant stored scan rules before storing scan results as time-series data.

A system and method for providing secure data to a client device having a token is disclosed. In one embodiment, the method comprises: (a) binding the token to the client device according to first token binding information comprising a first token identifier (ID), first client device fingerprint data, and a first timestamp, (b) receiving a request to provide secure data to the client device in a service, the request comprising the signed first token binding information and timestamp, (c) determining if the request to provide the secure data to the client device was received within an acceptable temporal range of the stored timestamp; and (d) providing the requested secure data according to the determination.

A system and method for receiving secure data in a client device. In one embodiment, the method comprises (a) receiving a token having a token ID and a digital certificate generated by a certificate authority (CA) having client device fingerprint data generated from client device parameters, (b) accepting a request in the client device to provide secure data to the client device, (c) regenerating the client device fingerprint data from the client device parameters, (d) determining, in the client device, differences between the client device fingerprint data of the digital certificate from the regenerated client device fingerprint data, and (e) transmitting a request to a secure data service to provide secure data based upon the determination.

A system and method for providing secure data to a client device having a token is disclosed. In one embodiment, the method comprises (a) binding the token to the client device according to first token binding information comprising a first token identifier (ID) , first client device fingerprint data, and a first timestamp, (b) receiving a request to provide secure data to the client device in a secure data service, (c) determining if the request to provide the secure data to the client device was received within an acceptable temporal range of the stored timestamp, and (d) providing the requested secure data according to the determination.

There is a need for more effective and efficient network security coordination. This need can be addressed by, for example, techniques for network asset vulnerability detection. In one example, a method includes detecting network assets within a monitored computer network; and for each network asset: determining a vulnerability profile, determining a connectivity profile, determining a vulnerability designation based on the vulnerability profile for the network asset and a network vulnerability documentation repository, determining whether the vulnerability designation for the network asset indicates a positive vulnerability designation, and in response to determining that the vulnerability designation indicates the positive vulnerability designation, decoupling the network asset from the monitored computer network using the connectivity profile for the network asset.

A distributed security system and method are disclosed that enable access to known threat events from threat intelligence feeds when the system includes public cloud components. A cloud-based security policy system stores observable events for security incidents detected by and sent from user devices within an enterprise network. The observable events include observable indicators for characterizing the observable events. The threat events within the feeds include threat indicators for characterizing the threat events. An on-premises connector within the enterprise network downloads the observable indicators from the security policy system and the threat indicators from the feeds. In response to determining that any observable indicators match any threat indicators, the on-premises connector provides access to the threat events and/or the observable events having the matching indicators. In one example, the on-premises connector generates opaque query strings for users on user devices to access the threat events/observable events having the matching indicators.

An anomaly-based intrusion detection system is presented for use in vehicle networks. The intrusion detection system measures and exploits the intervals of periodic in-vehicle messages for fingerprinting electronic control units. Fingerprints are then used for constructing a baseline of clock behaviors, for example with a Recursive Least Squares algorithm. Based on the baseline, the intrusion detection system uses cumulative sum to detect any abnormal shifts in the identification errors—a clear sign of an intrusion. This approach allows quick identification of in-vehicle network intrusions with low false positive rates.

Anomaly and causation detection in computing environments are disclosed. An example method includes receiving an input stream of data instances for a time series, each of the data instances being time stamped and including at least one principle value and a set of categorical attributes; generating anomaly scores for each of the data instances over time intervals; detecting a change in the anomaly scores over the time intervals for the data instances; and identifying which of the set of categorical attributes of the data instances caused the change in the anomaly scores using a counterfactual analysis. The counterfactual analysis may comprise removing a portion of the data instances; regenerating the anomaly scores for each of the remaining data instances over the time intervals; and if the anomaly scores are improved, identifying the portion as a cause of anomalous activity. Recommendations to remediate the cause may be generated.

A node system implements a method for node relay communication. A description of a flow entry including an address in a flow and a private key is received. The flow entry and the private key are stored in a database indexed to a flow ID. A packet comprising an authentication code and packet data including packet sequence information and a Flow ID is received. A look up in the database of a flow entry corresponding to the Flow ID of the packet is performed. The packet is either ignored or forwarded to the address in the flow, depending on the result of the look-up.