Patent classifications
H04L2463/146
Attack situation visualization device, attack situation visualization method and recording medium
An attack situation visualization device includes: a memory that stores instructions; and at least one processor configured to process the instructions to: analyze a log in which information about a cyberattack is recorded and specify at least either of a source of a communication related to the cyberattack and a destination of a communication related to the cyberattack; and generate display information allowing display of an image in which an image representing a map, a source image representing the source, and a destination image representing the destination are arranged on the map, wherein the at least one processor is configured to process the instructions to generate the display information including an attack situation image visualizing at least either of a traffic volume and a communication frequency of a communication related to the cyberattack between the source and the destination.
Detecting suspicious file activity
Systems and techniques for detecting suspicious file activity are described herein. A system for identifying anomalous data events is adapted to monitor a networked file system and receive an indication of a suspicious event associated with a user and a file. The system is further adapted to perform a pattern of behavior analysis for the user, perform an adjacency by time analysis based on a set of events before the suspicious event and a set of events after the suspicious event, and perform an adjacency by location analysis using a set of files located in a location of the file. The system is further adapted to determine whether the suspicious event is an anomalous event based on the pattern of behavior analysis, the adjacency by time analysis, and the adjacency by location analysis, and to display a report for the user including the anomalous event.
Method For Protection From Cyber Attacks To A Vehicle Based Upon Time Analysis, And Corresponding Device
A method for protection from cyber attacks in a CAN (Controller Area Network) of a vehicle, including the steps of selecting periodic messages having a transmission periodicity, grouping the periodic messages, and performing an analysis of messages of the nodes that exchange the received periodic messages, which includes obtaining times of arrival at the respective nodes of a set of periodic messages that have the same message identifier, computing average-offset values over successive subsets of a given number of messages, accumulating the average-offset values for each identifier to obtain accumulated-offset values, identifying linear parameters by computing an angular coefficient of a regression and an intercept, or identification error, computing a correlation coefficient of the average offset of pairs of messages identified as coming from the same node, determining whether the correlation coefficient is higher than a first given threshold, determining whether the angular coefficient between two consecutive messages with the same identifier is higher than a second given threshold, determining whether the intercept between two consecutive messages is higher than a third given threshold, and supplying the results of these determinations to a message-classification operation.
DETERMINATION OF LIKELY RELATED SECURITY INCIDENTS
According to examples, an apparatus may include a processor and a memory on which is stored machine-readable instructions that when executed by the processor, may cause the processor to identify a first set of entities corresponding to a security incident, identify anomalies associated with the first set of entities that occurred around a predefined time period with respect to the incident, identify a second set of entities associated with the identified anomalies, identify a set of incidents that share a common entity from the second set of entities, determine a probability of likelihood that the set of incidents normally share the common entity, determine whether the determined probability of likelihood falls below a predefined threshold, and based on the determined probability of likelihood falling below the predefined threshold, output an indication that the security incident and the set of incidents are likely related.
METHOD OF ANALYSING ANOMALOUS NETWORK TRAFFIC
A computer-implemented method of analysing anomalous network traffic in a telecommunications network, said telecommunications network comprising a plurality of network entities (120, 110) and a security analyser (130-3), wherein the method comprises the steps of: receiving at the security analyser a network communication from a first network entity; identifying the first network entity; by means of the security analyser: analysing the network communication and/or a performance of the first network entity thereby to identify the network communication as an anomalous communication (310); in response to identifying the network communication as an anomalous communication, communicating an instruction to the identified first network entity to respond with origin information regarding the anomalous communication, wherein the origin information identifies a preceding network entity from which the anomalous communication was directly received by the first network entity (320, 330); and commencing with the preceding network entity, iteratively communicating an instruction to a preceding network entity to respond with origin information for identifying another preceding network entity from which the anomalous communication was directly received until a source network entity from which the anomalous communication originated is identified (380, 390); and applying a security policy to the identified source network entity (370).
PRIVACY PRESERVING MALICIOUS NETWORK ACTIVITY DETECTION AND MITIGATION
A method includes accessing a first intelligence feed including a plurality of cybersecurity incidents. A second intelligence feed is generated including a plurality of technical indicators defined on one or more virtual private network internet point of presence (“VPN internet PoP”) that connects a plurality of VPN tunnels to an internet. The first and second intelligence feeds are compared, a particular incident is determined, and a time frame of the particular incident is determined. Use of a particular VPN internet PoP by a plurality of sources including a plurality of clients is monitored to determine a plurality of time-based behaviors. The plurality of time-based behaviors are compared to the particular incident and to the time frame to determine a match. A particular source is blocked at the particular VPN internet PoP based on the determination of the match.
Method and apparatus for malicious attack detection in a software defined network (SDN)
A malicious attack detection method includes receiving, by a controller, a packet-in message sent by a switch, sending, by the controller, an abnormal flow entry to the switch, receiving, by the controller, a triggering count sent by the switch, where the triggering count is a quantity of times that the abnormal flow entry is triggered, and determining, according to the triggering count, whether a malicious attack is initiated.
GRAPH ANALYTICS AND VISUALIZATION FOR CYBER SITUATIONAL UNDERSTANDING
Disclosed herein are system, method, and computer program product embodiments for creating cyber situational understanding in an operational environment. An embodiment operates by normalizing streaming cyber information for a plurality of cyberspace entities and generating cyber-graphs based on relationships between two or more of the plurality of cyberspace entities. A cyber-threat inquiry of the cyber-graphs returns potential cyber-threats that are subsequently visualized as an overlay on a corresponding operational environment.
ANOMALY DETECTION
Computer-implemented method of detecting potential cybersecurity threats from collected data pertaining to a monitored network, the collected data comprising network data and/or endpoint data. The method comprises structuring the collected data as at least one data matrix, each row of the data matrix being a datapoint and each column corresponding to a feature. The method also comprises identifying one or more datapoints as anomalous, thereby detecting a potential cybersecurity threat. The method also comprises extracting causal information about the anomalous datapoint based on an angular relationship between a second-pass coordinate vector of the anomalous datapoint and a second-pass coordinate vector of one or more features. The second-pass coordinate vectors are determined by applying a second-pass singular value decomposition (SVD) to a residuals matrix. The residuals matrix is computed between the data matrix and an approximation of the data matrix by applying a first-pass truncated SVD to the data matrix.