Patent classifications
H04L63/1416
Determining multiple ways for compromising a network node in a penetration testing campaign
Methods and systems for penetration testing of a networked system involve assigning network nodes to disjoint classes based on current information about the compromisability of the network nodes. The classes distinguish between nodes not currently known to be compromisable, nodes that only recently have become known to be compromisable, e.g., by a first method of attack, and nodes that have been known for a longer time to be compromisable. Nodes that only recently have become known to be compromisable can be re-targeted by the penetration testing system to determine whether such nodes can be compromised using multiple methods of attack and not just using the first method of attack.
Computer-implemented method of security-related control or configuration of a digital system
A computer-implemented method includes: receiving system information data representing configurations of digital systems; receiving attack information data associated with one or more of the digital systems; analyzing the received system information data and attack information data to identify associated attack types; identifying, for each identified attack type, correlations and/or causalities between individual system constituents or combinations thereof in the digital systems associated with attacks; determining and assigning, based on the identified correlations and/or causalities, an attack vulnerability value, for each attack, respectively, to each of the systems and/or systems' constituents and/or combinations thereof; and retrievably storing attack vulnerability values associated with the systems, system constituents and/or combinations thereof.
Identifying patterns in computing attacks through an automated traffic variance finder
There are provided systems and methods for identifying patterns in computing attacks through an automated traffic variance finder. A service provider, such as an electronic transaction processor for digital transactions, may determine network traffic logs caused or generated by malicious web traffic and network communications, such as during a computing attack by a bad actor. The service provider may generate a log signature for the network traffic log based on a variance or uniqueness of the network traffic log's IP address from other network traffic logs for each field in the network traffic log over a time period, and a spread in the commonality of the network traffic log with other network traffic logs. An aggregate score for each field may be determined based on the variance and the spread. Once determined, the log signature may be used to identify other network traffic logs through a search function.
TRUST RELATED MANAGEMENT OF ARTIFICIAL INTELLIGENCE OR MACHINE LEARNING PIPELINES
There are provided measures for trust related management of artificial intelligence or machine learning pipelines. Such measures exemplarily include, at a first network entity managing artificial intelligence or machine learning trustworthiness in a network, transmitting a first artificial intelligence or machine learning trustworthiness related message towards a second network entity managing artificial intelligence or machine learning trustworthiness in an artificial intelligence or machine learning pipeline in the network, and receiving a second artificial intelligence or machine learning trustworthiness related message from the second network entity, where the first artificial intelligence or machine learning trustworthiness related message includes at least one criterion related to an artificial intelligence or machine learning trustworthiness aspect.
PROTOCOL STATE FUZZING METHOD AND SYSTEM FOR SECURITY OF DISTRIBUTED SOFTWARE-DEFINED NETWORK CONTROL PLANE
A protocol state fuzzing method for security of a control plane of a distributed software-defined network is provided. The protocol state fuzzing method includes: receiving, in an ambusher of a distributed network operating system (NOS), input alphabets that are abstract symbols of a protocol message; converting the input alphabets into the protocol message and sending the protocol message to a cluster; monitoring, by the cluster, intercommunication between instances in the distributed NOS; and selecting a set of sequences executable in the cluster and searching a cluster log for an output by executing the sequence to generate an attack result.
UTILIZING MODELS TO INTEGRATE DATA FROM MULTIPLE SECURITY SYSTEMS AND IDENTIFY A SECURITY RISK SCORE FOR AN ASSET
A device may receive security data identifying assets of an entity, security issues associated with the assets, and objectives associated with the assets and may utilize a data model to generate, based on the security data, asset related data identifying mapped sets of security data. The device may process a first portion of the asset related data, with a first model, to calculate an asset risk likelihood score for an asset of the assets and may process a second portion of the asset related data, with a second model, to calculate an asset criticality score for the asset. The device may process a third portion of the asset related data, with a third model, to calculate an asset control effectiveness score for the asset and may combine the scores to generate a security risk score for the asset. The device may provide the security risk score for display.
Systems and Methods for Detecting Novel Behaviors Using Model Sharing
According to an example, an autonomous normal and novel behavior sharing apparatus may receive one or more novel behavior baseline models and one or more normal behavior baseline models from a first entity for sharing with a second entity and a subset of other entities; share the received models with the second entity and a subset of other entities; receive one or more novel behavior baseline models and one or more normal behavior baseline models from other entities for sharing with the first entity and a subset of other entities; share the received models with the first entity and subset of other entities; receive an effectiveness factor for the shared models from the entities that received these models; score the models based on the effectiveness factor received from a plurality of entities; and prioritize sharing of the models based on their score.
DATA ACCESS CONTROL MANAGEMENT COMPUTER SYSTEM FOR EVENT DRIVEN DYNAMIC SECURITY
Managing security access in real-time to a computer system using control lists includes detecting a security event at a computer system. The security event is analyzed including an analysis of a historical corpus having historical data of security events. An access control list is generated based on the security event. A determination is made when the security event includes abnormal behavior based on the analysis of the security event and the historical corpus. The security event is published to a monitoring system for controlling access to the computer system, in response to the security event.
On-board communication system, switching device, verification method, and verification program
An on-vehicle communication system includes: a plurality of function units; and one or a plurality of switch devices, each switch device being configured to perform a relay process of relaying communication data between the function units. When unauthorized communication by a function unit has been detected, the switch device performs a validation process of validating a function unit other than an unauthorized-communication function unit that is the function unit for which the unauthorized communication has been detected.
Virtual switch-based threat defense for networks with multiple virtual network functions
Techniques for providing network traffic security in a virtualized environment are described. A threat aware controller uses a threat feed provided by a threat intelligence service to establish a threat detection engine on virtual switches. The threat aware controller and threat detection engine work together to detect any anomalous or malicious behavior of network traffic on the virtual switch and established virtual network functions to quickly detect, verify, and isolate network threats.