H04L63/1425

Interactive security visualization of network entity data

Security related anomalies in the data related to network entities are identified, and a risk score is assigned to each entity based on the anomalies. Visualization data is generated for a color-coded interactive visualization. Generating the visualization data includes assigning each entity to a separate polygon to be displayed concurrently on a display screen; selecting a size of each polygon to indicate one of: a number of security related anomalies associated with the entity, or a risk level assigned to the entity, where the risk level is based on the risk score of the entity; selecting a color of each polygon to indicate the other one of: the number of security related anomalies associated with the entity, or the risk level assigned to the entity; and causing the color-coded interactive visualization to be displayed on a display device based on the visualization data.

ESTIMATION APPARATUS, ESTIMATION METHOD AND PROGRAM
20230008765 · 2023-01-12

An estimation device includes: a collection section configured to collect related information when cyber threat intelligence of a maliciousness estimation target is input, the related information being related to the cyber threat intelligence and other cyber threat intelligence different from the cyber threat intelligence; a feature generation section configured to generate a feature based on the related information, the feature representing a feature of the cyber threat intelligence; a graph information generation section configured to generate graph information based on the related information and the other cyber threat intelligence, the graph information indicating a graph in which each of the cyber threat intelligence and the other cyber threat intelligence is a node and a relationship between the nodes is an edge; and an estimation section configured to estimate the maliciousness of the cyber threat intelligence by a graph convolutional neural network using the feature of the cyber threat intelligence when a graph indicated by the graph information has a graph structure between the cyber threat intelligence and the other cyber threat intelligence.

OPC UA-Based Anomaly Detection and Recovery System and Method

An anomaly detection and recovery system (ADRS) for an Open Platform Communications Unified Architecture (OPC UA)-based industrial automation network that includes OPC UA devices includes an anomaly detector configured to monitor an OPC UA traffic stream comprising OPC UA messages of the OPC UA devices and to analyze the OPC UA traffic stream using OPC UA semantics of the industrial automation network for anomaly detection.

Playback of a stored networked remote collaboration session

Various implementations of the present application set forth a method comprising generating three-dimensional data and two-dimensional data representing a physical space that includes a real-world asset, generating an extended-reality (XR) stream representing a remote collaboration session between a host device and a set of remote devices, where the XR stream includes a combination of the three-dimensional data and the two-dimensional data, a set of augmented-reality (AR) elements associated with the real-world asset, and a set of performed actions associated with a portion of the digital representation or at least one AR element, serializing the XR stream into a set of serialized chunks, transmitting the serialized chunks to the remote devices, where the remote devices recreate the XR stream in a set of remote XR environments, and transmitting the serialized chunks to a remote storage device, where a device subsequently retrieves the serialized chunks to replay the remote collaboration session.

Cyber-security framework for application of virtual features

A non-transitory storage medium having stored thereon logic, wherein the logic is executable by one or more processors to perform operations, is disclosed. The operations may include parsing an object, detecting one or more features of a predefined feature set, evaluating each feature-condition pairing of a virtual feature using the one or more values observed for each of the one or more detected features, determining whether the results of evaluating one or more feature-condition pairings satisfy the terms of the virtual feature, and, responsive to determining that the results of the evaluation satisfy the virtual feature, performing one or more of a static analysis to determine whether the object is associated with anomalous characteristics or a dynamic analysis on the object to determine whether the object is associated with anomalous behaviors.

METHOD FOR DETERMINING LIKELY MALICIOUS BEHAVIOR BASED ON ABNORMAL BEHAVIOR PATTERN COMPARISON

A method for a cyber threat defense system is provided. The method comprises receiving a first abnormal behavior pattern, where the first abnormal behavior pattern represents behavior on a first network deviating from the normal benign behavior of that network; and receiving a second abnormal behavior pattern, where the second abnormal behavior pattern represents behavior on either the first network or a second network deviating from the normal benign behavior of that network. The method further comprises comparing the first and second abnormal behavior patterns to determine a similarity score between them and determining, based on the comparison, that the first abnormal behavior pattern likely corresponds to malicious behavior when the similarity score is above a threshold. A corresponding non-transitory computer readable medium is also provided.

DETECTION DEVICE, DETECTION METHOD, AND DETECTION PROGRAM

A detection device monitors, for each legitimate user, a communication event including communication by humans when the legitimate user accesses sensitive data. The detection device builds a profile of the user indicating normal behavior when the user accesses the sensitive data by performing machine learning on the result of the monitoring. After that, the detection device acquires a communication event when a user to be authenticated accesses sensitive data. The detection device determines whether the behavior of the user to be authenticated, as indicated in the acquired communication event, corresponds to the normal behavior when the user accesses the sensitive data as indicated in the profile of that user, and outputs the result of the determination.

Methods and systems for a synchronized distributed data structure for federated machine learning

A system for an artificial intelligence synchronized distributed ledger is provided. The system includes a computing device containing a receiving module, the receiving module designed and configured to receive an input from a remote device, parse the input to identify protected and non-protected data contained within the input, transform the protected data into a digitally signed assertion, and convert the non-protected data into an encrypted datastore. The computing device also contains a processing module, the processing module designed and configured to receive the digitally signed assertion from the receiving module, insert the digitally signed assertion into an immutable sequential data structure, receive the encrypted datastore, retrieve at least an input, generate a record utilizing the at least a retrieved input, and perform a first machine-learning process utilizing the at least a retrieved input.

Techniques for generating signatures characterizing advanced application layer flood attack tools
11552989 · 2023-01-10

A method and system for characterizing application layer flood distributed denial-of-service (DDoS) attacks carried out by advanced application layer flood attack tools. The method comprises receiving an indication of an on-going DDoS attack directed toward a protected entity; analyzing requests received during the on-going DDoS attack to determine a plurality of different attributes of the received requests; generating a dynamic applicative multi-paraphrase signature by clustering at least one value of the plurality of different attributes, wherein the multi-paraphrase signature characterizes requests with different attributes as generated by an advanced application layer flood attack tool executing the on-going DDoS attack; and characterizing each incoming request based on the multi-paraphrase signature, wherein the characterization provides, for each incoming request, an indication of whether the request was generated by the attack tool.

Detection of fraudulent use of content delivery network served byte streams

Techniques for detection of the fraudulent use of content delivery network (CDN) served byte streams are described. A fraud detection service obtains CDN log data, distribution data, and account data and uses elements therefrom to perform a distribution-centric fraud analysis using machine learning techniques. Based on the likelihood of fraud determined by the analysis, the fraud detection service can rapidly perform actions to address the fraud, such as the termination of service for the distribution, throttling of resources provided for the distribution, or further investigation techniques.