Abstract: In some implementations, a method includes receiving, for each of multiple users, user activity data describing actions taken by the user by use of a user device over a period of time, determining, for each user and based on the actions taken by the user over the period of time and user responsibility data that describe responsibilities of the user, a risk assessment representative of a security risk resulting from the actions taken by the user by use of the user device, and determining, by the data processing apparatus, for each user and based on the risk assessment determined for the user, whether to implement a user-specific remedial action directed to risk mitigation.

Abstract: In some implementations, a method includes receiving, by a malware detection system, a request for a certification user interface element for a file to be served in an Internet resource, wherein the file is a file that has previously been classified as not containing malware by the malware detection system, and wherein the certification user interface element certifies that the file has been classified by the malware detection system as not containing malware, determining, based on the request, that the file is available for download from an Internet resource, and storing data that identifies the Internet resource as a location where a malware-free file is available for download.

Abstract: In some implementations, a method includes logging, by a user device, mapping data that maps domain names of Internet resources presented on the user device to Internet Protocol (IP) addresses of the Internet resources, determining, by the user device, that one or more criteria are satisfied for transmitting the mapping data to a passive Domain Name Service (DNS) system, and in response to determining that the one or more criteria are satisfied, transmitting, by the user device, the mapping data to the passive DNS system.

Abstract: In some implementations, a method includes obtaining an unlabeled computer security data log and processing the unlabeled computer security data log using a machine learning model to generate a probability distribution that includes a respective probability for each of a plurality of possible log types. Each of the plurality of possible log types is associated with a corresponding parser that parses logs of the possible log type to extract structured computer security data. The method further includes selecting the possible log type having the highest probability and parsing the unlabeled computer security data log using the parser corresponding to the selected possible log type.

Abstract: In some implementations, a method includes receiving, for each of multiple users, user activity data describing actions taken by the user by use of a user device over a period of time, determining, for each user and based on the actions taken by the user over the period of time and user responsibility data that describe responsibilities of the user, a risk assessment representative of a security risk resulting from the actions taken by the user by use of the user device, and determining, by the data processing apparatus, for each user and based on the risk assessment determined for the user, whether to implement a user-specific remedial action directed to risk mitigation.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for correcting timestamps in computer security telemetry data. A method includes: receiving, at a computer network security data analysis system, first log data identifying a plurality of first events occurring on a computer network, the first log data including, for each first event, a respective first timestamp identifying when the first event occurred, the first timestamp including a first hour value, a first minute value, and a first second value; and generating first modified log data, the first modified log data including, for each first event, a first modified timestamp including the first minute value and the first second value from the log data and a first modified hour value that represents an hour value from a current time at which the first log data was received at the computer network security data analysis system.

Abstract: The subject matter of this specification generally relates to computer security. In some implementations, a method includes maintaining a first data structure that stores arrays of identifier tuples. Each identifier tuple corresponds to a respective computer security event and includes one or more identifiers for a computing element associated with the computer security event. Each array of identifier tuples corresponds to a respective identifier and only includes identifier tuples that include the corresponding identifier. A second data structure that stores arrays of computer security data is maintained. Each array of computer security data corresponds to a respective identifier tuple stored in the first data structure and only includes computer security data associated with each identifier in the corresponding identifier tuple. A query that specifies a first identifier for a first computing element is received.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for surfacing anomalous network activity on a user interface. An example method provides, for presentation on a user device, a user interface for analyzing network traffic from a customer network. The user interface is populated with network traffic data from the customer network for display to the user. An interactive first filter that is configurable for filtering network traffic based on prevalence of the destination domains of the network traffic is displayed to the user. A first user input configuring the first filter to a first prevalence value is received. In response, the network traffic data is filtered in the user interface to only include network traffic data that has a destination domain that is less prevalent than the first prevalence value.

Abstract: In some implementations, a method includes logging, by a user device, mapping data that maps domain names of Internet resources presented on the user device to Internet Protocol (IP) addresses of the Internet resources, determining, by the user device, that one or more criteria are satisfied for transmitting the mapping data to a passive Domain Name Service (DNS) system, and in response to determining that the one or more criteria are satisfied, transmitting, by the user device, the mapping data to the passive DNS system.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for analyzing telemetry to detect anomalous activity. One of the methods includes accessing data describing a telemetry tree that includes a plurality of nodes and edges; querying, for each of the edges in the telemetry tree using at least one value for the edge from a number of values, historical telemetry data that quantifies an anomaly score for each value to determine whether a relationship indicated by the edge in the telemetry tree represents a potentially malicious relationship; and performing an action using a result of the querying of the historical telemetry data that indicates whether one of the anomaly scores indicates that the relationship indicated by the edge in the telemetry tree represents a potentially malicious relationship.

Abstract: In some implementations, a method includes receiving, by a malware detection system, a request for a certification user interface element for a file to be served in an Internet resource, wherein the file is a file that has previously been classified as not containing malware by the malware detection system, and wherein the certification user interface element certifies that the file has been classified by the malware detection system as not containing malware, determining, based on the request, that the file is available for download from an Internet resource, and storing data that identifies the Internet resource as a location where a malware-free file is available for download.

Abstract: In some implementations, a method includes receiving, for each of multiple users, user activity data describing actions taken by the user by use of a user device over a period of time, determining, for each user and based on the actions taken by the user over the period of time and user responsibility data that describe responsibilities of the user, a risk assessment representative of a security risk resulting from the actions taken by the user by use of the user device, and determining, by the data processing apparatus, for each user and based on the risk assessment determined for the user, whether to implement a user-specific remedial action directed to risk mitigation.

Abstract: The subject matter of this specification generally relates to data security. In some implementations, a method includes receiving, from data owners, a first cryptographically secure representation of data to be monitored for data breaches. Each first cryptographically secure representation can include a cryptographically secure data structure that represents a plurality of first data records maintained by the data owner. One or more second cryptographically secure representations of second data records are received from a user. A number of the second cryptographically secure representations that match a corresponding portion of the first cryptographically secure representation received from a data owner is determined. A determination is made that a data breach occurred for the data owner based on the number of the second cryptographically secure representations that match the corresponding portion of the first cryptographically secure representation received from the data owner.

Abstract: The subject matter of this specification generally relates to computer security. In some implementations, a method includes receiving indicators of compromise from multiple security data providers. Each indicator of compromise can include data specifying one or more characteristics of one or more computer security threats. Each indicator of compromise can be configured to, when processed by a computer, cause the computer to detect the presence of the specified one or more characteristics of the one or more computer security threats. Telemetry data for computing systems of users can be received. The telemetry data can include data describing at least one event detected at the computing system. A determination is made that the telemetry data for a given user includes the one or more characteristics specified by a given indicator of compromise.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for analyzing telemetry to detect anomalous activity. One of the methods includes accessing data describing a telemetry tree that includes a plurality of nodes and edges; querying, for each of the edges in the telemetry tree using at least one value for the edge from a number of values, historical telemetry data that quantifies an anomaly score for each value to determine whether a relationship indicated by the edge in the telemetry tree represents a potentially malicious relationship; and performing an action using a result of the querying of the historical telemetry data that indicates whether one of the anomaly scores indicates that the relationship indicated by the edge in the telemetry tree represents a potentially malicious relationship.

Abstract: Methods, systems, and apparatus, including a system that includes a secure hardware unit; and a database system including one or more processors; and a computer-readable medium having stored instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including: receiving a client request to perform a database operation using first encrypted data as an encrypted value of a field to be operated on by the database operation, where the first encrypted data has been encrypted by a database client using a first encryption key; providing, to the secure hardware unit, a system request for performing one or more data processing operations, the system request including (i) the first encrypted data and (ii) data identifying the first encryption key; and receiving, from the secure hardware unit, output data representing an output of the one or more data processing operations.