Abstract: Techniques are provided for generating performance improvement recommendations for machine learning models. One method comprises evaluating performance metrics for multiple implementations of a machine learning model; computing a performance score that aggregates the performance metrics for a given machine learning model implementation; and recommending a modification to the given machine learning model implementation based on the performance score by evaluating one or more performance metrics for the given implementation relative to at least one additional performance metric for the given implementation, wherein the recommended modification is based on a performance with the recommended modification for another implementation. A given performance metric may be weighted based on an expected improvement from modifying a factor related to the given performance metric.

Abstract: Techniques are provided for ground distance calculations using sanitized location data. One method comprises a service provider obtaining: (i) a geographic zone identifier of multiple predefined geographic zones of a first location of a user, and (ii) a first distance between the first location of the user and multiple reference points that define boundaries of the predefined geographic zones; the service provider obtaining: (i) a geographic zone identifier of the multiple predefined geographic zones of a second location of the user, and (ii) a second distance between the first location of the user and the multiple reference points; and computing a ground distance between the first location and the second location by selecting a subset of the multiple reference points based at least in part on the relative geographic zones of the current and second locations. The user may: (i) estimate the first location and calculate the first distance; and/or (ii) compute the first and second distances.

Abstract: Techniques are provided for community-based anomaly detection policy sharing among organizations. One method comprises obtaining a cluster of organizations derived from clustering multiple organizations based on predefined clustering parameters; obtaining multiple policies from the organizations in the cluster; selecting one of the obtained plurality of policies based on a predefined policy sharing criteria; and sharing the selected policy with one or more of the organizations in the cluster. A use of the selected policy by one or more of the organizations may be simulated to evaluate a performance of the selected policy. The selected policy may be normalized and/or abstracted prior to being shared with organizations in the cluster. A given policy obtained from the organizations in the cluster may be weighted based on an influence rating of one or more source organizations that provided the given policy.

Abstract: Techniques are provided for selecting attributes to cluster users for a user application entitlement evaluation.

Abstract: Techniques are provided for user behavior analytics using keystroke analysis of pseudo-random data strings. One method comprises obtaining timestamps corresponding to keystroke activities on a device of a user associated with typing a pseudo-random character string comprising multiple characters, wherein at least one timestamp is adjusted based on errors associated with the typing of the pseudo-random character string; determining a time difference between keystroke activities associated with the pseudo-random character string using at least one adjusted timestamp; obtaining a time difference distribution for a subset of character sequences in the pseudo-random character string; determining a probability value for one or more character sequences in the subset; and determining an aggregate probability value for the pseudo-random character string based on the probability values.

Abstract: Techniques are provided for authenticating a user using an endpoint device of the user with a local policy and endpoint data. One method comprises obtaining, at an endpoint device of a given user, behavioral anomalies from a remote engine that generates the behavioral anomalies based on behavior of multiple users; in response to an access request by the given user, performing the following steps at the endpoint device: obtaining authentication data related to the given user and/or the endpoint device; generating features based on the authentication data; applying the features to a behavior model incorporating the behavioral anomalies to determine a behavior score for the access request; and evaluating the access request to make an authentication decision based on the behavior score. The behavior score indicates, for example, a confidence that the given user is an expected user and/or a same user who has previously been validated.

Abstract: Techniques are provided for visualizing user access data and for configuring and enforcing location-based access policies.

Abstract: Techniques are provided for generating adaptive policies from organization data for detection of risk-related events. One method comprises obtaining features identified in organization data of an organization for a risk analysis, wherein a given feature comprises a plurality of data values, wherein each data value for the given feature comprises a discrete value of the given feature or a range of values for the given feature; obtaining a probability of occurrence associated with each data value based on the organization data; identifying a plurality of candidate anomalous data values based on the probabilities of occurrence; determining an intervention rate for a plurality of combinations of the candidate anomalous data values; and generating policies for the organization using the combinations of candidate anomalous data values based on a corresponding intervention rate. The generated policies are used to detect one or more risk-related events.

Abstract: Techniques are provided for generating performance improvement recommendations for machine learning models. One method comprises evaluating performance metrics for multiple implementations of a machine learning model; computing a performance score that aggregates the performance metrics for a given machine learning model implementation; and recommending a modification to the given machine learning model implementation based on the performance score by evaluating one or more performance metrics for the given implementation relative to at least one additional performance metric for the given implementation, wherein the recommended modification is based on a performance with the recommended modification for another implementation. A given performance metric may be weighted based on an expected improvement from modifying a factor related to the given performance metric.

Abstract: A method involves performing a mathematical estimation operation identifying a risk score threshold. The operation identifies the risk score threshold as a point on a curve rather than a value of a particular risk score. Such a curve approximates the distribution of risk score values output over a time interval and represents a function embodied by a plot of risk score percentile vs. risk score value. The risk engine, rather than selecting a particular risk score, selects a curve from a family of curves that is known to accurately represent such risk score distributions. For example, the risk engine may choose the curve that provides the best fit to the previous week's risk scores over the family of curves. The risk engine identifies the risk score threshold by finding a risk score value such that the function evaluated at that risk score value produces a specified risk score percentile.

Abstract: Techniques are provided for determining reasons for unsupervised anomaly decisions. One method comprises obtaining values of predefined features associated with a remote user device; applying the predefined feature values to an unsupervised anomaly detection model that generates an unsupervised anomaly decision; applying the predefined feature values to a supervised anomaly detection model that generates a supervised anomaly decision; determining a third anomaly decision using the unsupervised anomaly decision; and determining reasons for the third anomaly decision by analyzing the supervised anomaly decision. The supervised anomaly detection model can be trained using the unsupervised anomaly decision and/or anomalous training data based on known anomalies. The third anomaly decision can be based on the supervised anomaly decision and the unsupervised anomaly decision using ensemble techniques.

Abstract: Techniques are provided for centralized processing of sensitive user data. One method comprises obtaining, by a service provider, values of predefined features based at least in part on personal information of a user, wherein the values of the predefined features are computed by the user; and processing, by the service provider, the values of the predefined features based on the personal information to detect one or more predefined anomalies associated with the user and/or a device of the user. The predefined anomalies comprise, for example, a risk anomaly, a security level anomaly, a fraud likelihood anomaly, an identity assurance anomaly, and/or a behavior anomaly. The predefined features relate to, for example, a location of the user and/or device-specific information for a device of the user.

Abstract: Techniques are provided for ground distance calculations using sanitized location data. One method comprises a service provider obtaining: (i) a geographic zone identifier of multiple predefined geographic zones of a first location of a user, and (ii) a first distance between the first location of the user and multiple reference points that define boundaries of the predefined geographic zones; the service provider obtaining: (i) a geographic zone identifier of the multiple predefined geographic zones of a second location of the user, and (ii) a second distance between the first location of the user and the multiple reference points; and computing a ground distance between the first location and the second location by selecting a subset of the multiple reference points based at least in part on the relative geographic zones of the current and second locations. The user may: (i) estimate the first location and calculate the first distance; and/or (ii) compute the first and second distances.

Abstract: Techniques are provided for evaluating anomaly detection algorithms using impersonation data derived from user transaction data. An exemplary method comprises obtaining transaction data of a given enterprise organization comprising transactions of a plurality of users; generating impersonation data by modifying one or more features of a subset of the transaction data of the given enterprise organization; classifying (i) at least a portion of the transaction data of the given enterprise organization, and (ii) at least a portion of the impersonation data using the anomaly detection algorithm of the given enterprise organization, wherein records of the impersonation data comprise a known classification; and evaluating a performance of the anomaly detection algorithm of the given enterprise organization by comparing the classification of records of the impersonation data by the anomaly detection algorithm with the known classification.

Abstract: Techniques of risk-based authentication involve adjusting a risk engine used by a recipient entity based on feedback acquired from multiple entities. Along these lines, both a recipient risk engine and one or more donor risk engines perform risk-based authentication for which respective feedback is generated. The feedback indicates whether certain transaction requests predicted to be fraudulent are confirmed to be fraudulent. The recipient risk engine is then adjusted based on the feedback created for itself, the feedback created for any of the donor risk engines, or some combination thereof.

Abstract: Techniques are provided for visualizing user access data and for configuring and enforcing location-based access policies.

Abstract: Techniques are provided for community-based anomaly detection policy sharing among organizations. One method comprises obtaining a cluster of organizations derived from clustering multiple organizations based on predefined clustering parameters; obtaining multiple policies from the organizations in the cluster; selecting one of the obtained plurality of policies based on a predefined policy sharing criteria; and sharing the selected policy with one or more of the organizations in the cluster. A use of the selected policy by one or more of the organizations is optionally simulated to evaluate a performance of the selected policy. The selected policy is optionally normalized and/or abstracted prior to being shared with organizations in the at least one cluster. A given policy obtained from the organizations in the cluster is optionally weighted based on an influence rating of one or more source organizations that provided the given policy.

Abstract: Techniques are provided for authenticating a user using an endpoint device of the user with a local policy and endpoint data. One method comprises obtaining, at an endpoint device of a given user, behavioral anomalies from a remote engine that generates the behavioral anomalies based on behavior of multiple users; in response to an access request by the given user, performing the following steps at the endpoint device: obtaining authentication data related to the given user and/or the endpoint device; generating features based on the authentication data; applying the features to a behavior model incorporating the behavioral anomalies to determine a behavior score for the access request; and evaluating the access request to make an authentication decision based on the behavior score. The behavior score indicates, for example, a confidence that the given user is an expected user and/or a same user who has previously been validated.

Abstract: Techniques are provided for generating adaptive policies from organization data for detection of risk-related events. One method comprises obtaining features identified in organization data of an organization for a risk analysis, wherein a given feature comprises a plurality of data values, wherein each data value for the given feature comprises a discrete value of the given feature or a range of values for the given feature; obtaining a probability of occurrence associated with each data value based on the organization data; identifying a plurality of candidate anomalous data values based on the probabilities of occurrence; determining an intervention rate for a plurality of combinations of the candidate anomalous data values; and generating policies for the organization using the combinations of candidate anomalous data values based on a corresponding intervention rate. The generated policies are used to detect one or more risk-related events.

Abstract: There are disclosed herein a technique for use in security. In at least one embodiment, the technique comprises receiving information relating to users and performing an affinity propagation clustering operation in connection with the information to identify a cluster of similar users. Further, the technique determines a risk in connection with a user in the cluster by comparing the user to one or more other users in the cluster. Still further, based on the risk in connection with the user, the technique controls access by the user to a computerized resource.