Abstract: A method and system of authenticating a user logon builds a user logon profile with a plurality of user logon features gathered during at least one successful attempted user logon, determines a logon feature novelty score for each feature, receives a user logon request for authentication and extracts current user logon features, retrieves corresponding logon feature novelty scores, determines a first distance function score for the corresponding logon feature novelty scores of the current user logon features, builds a failed logon attempt database, determines a failed logon feature novelty score, extracts the failed logon feature novelty scores corresponding to current user logon features, determines a second distance function score for the corresponding failed logon feature novelty scores of the current user logon features, and determining to one of allow or deny the user logon request based on at least one of the first distance function score and the second distance function score.

Abstract: Systems, devices, and techniques are disclosed for security configuration evaluation. A binary representation of a reference security configuration for an application may be generated. The binary representation of the reference security configuration for the application may be hashed to generate a reference hash for the application. Data for an instance security configuration for an instance of the application may be received. A binary representation of the instance security configuration may be generated from the received data for the instance security configuration. The binary representation of the instance security configuration may be hashed to generate an instance hash. The computing device may determine the distance between the reference hash and the instance hash. The instance security configuration may be determined to be secure if the distance is not greater than a threshold.

Abstract: A method and system of authenticating a user logon builds a user logon profile with a plurality of user logon features gathered during at least one successful attempted user logon, determines a logon feature novelty score for each feature, receives a user logon request for authentication and extracts current user logon features, retrieves corresponding logon feature novelty scores, determines a first distance function score for the corresponding logon feature novelty scores of the current user logon features, builds a failed logon attempt database, determines a failed logon feature novelty score, extracts the failed logon feature novelty scores corresponding to current user logon features, determines a second distance function score for the corresponding failed logon feature novelty scores of the current user logon features, and determining to one of allow or deny the user logon request based on at least one of the first distance function score and the second distance function score.

Abstract: Techniques are disclosed relating to reporting for network events within a computer network. A computer system may access a set of data corresponding to a particular network event within a computer network, where the set of data includes captured attributes of the particular network event. The computer system may then calculate, using the set of data, a security score indicative of suspiciousness of the event and an actionability score that is based on an extent to which of a particular group of attributes are missing from the set of data. The computer system may determine, based on the two scores, a combined score for the event. The computer system may then report a notification for the event, based on the combined score. Such techniques may decrease a number of reported events for a network, which may advantageously allow resources to be focused on a smaller set of events.

Abstract: An encoder receives an application log file including component values and encodes the component values into lists of preliminary encoded values. The lists of preliminary encoded values are combined into a combined list of preliminary encoded values. An encoder-decoder neural network is trained to encode the combined list of preliminary encoded values into a list of collectively encoded values, to decode the list of collectively encoded values into a list of decoded values, and to optimize a metric measuring the encoder-decoder neural network's functioning, in response to receiving the combined list of preliminary encoded values. The trained encoder-decoder neural network receives combined lists of preliminary encoded values for application log files and encodes the combined lists of preliminary encoded values into lists of collectively encoded values.

Abstract: An online system monitors resources utilization by users connecting with the online system and detects unauthorized resource utilization. The online system collects samples of browser attributes from browsers interacting with the online system. The online system determines statistics describing the browser attributes based on the collected samples for that user. The online system receives values of browser attributes for a new request received from a user and determines a browser score indicating a likelihood that the new request was sent from a new client device different from the client devices used by the user during the time interval. If the online system determines that the score indicates that the new request was sent by the new client device, the online system takes mitigating actions to control the unauthorized resource utilization, for example, by requesting credentials for authenticating the request.

Abstract: Techniques are disclosed relating to reporting for network events within a computer network. A computer system may access a set of data corresponding to a particular network event within a computer network, where the set of data includes captured attributes of the particular network event. The computer system may then calculate, using the set of data, a security score indicative of suspiciousness of the event and an actionability score that is based on an extent to which of a particular group of attributes are missing from the set of data. The computer system may determine, based on the two scores, a combined score for the event. The computer system may then report a notification for the event, based on the combined score. Such techniques may decrease a number of reported events for a network, which may advantageously allow resources to be focused on a smaller set of events.

Abstract: An online system monitors resources utilization by users connecting with the online system and detects unauthorized resource utilization. The online system collects samples of browser attributes from browsers interacting with the online system. The online system determines statistics describing the browser attributes based on the collected samples for that user. The online system receives values of browser attributes for a new request received from a user and determines a browser score indicating a likelihood that the new request was sent from a new client device different from the client devices used by the user during the time interval. If the online system determines that the score indicates that the new request was sent by the new client device, the online system takes mitigating actions to control the unauthorized resource utilization, for example, by requesting credentials for authenticating the request.

Abstract: An online system monitors resources utilization by users connecting with the online system and detects unauthorized resource utilization caused by sharing of sessions. The online system collects samples of browser attributes from browsers interacting with the online system. The online system determines a score indicating a difference between two samples of browser attributes taken at different times. The online system uses the score to determine whether the two samples of browser attributes in the same session were received from different browsers. If the online system detects unauthorized resource utilization if the two samples are determined to be from two different browsers. The online system takes mitigating actions, for example, by invalidating the session or requiring users to re-enter credentials.

Abstract: An encoder receives an application log file including component values and encodes the component values into lists of preliminary encoded values. The lists of preliminary encoded values are combined into a combined list of preliminary encoded values. An encoder-decoder neural network is trained to encode the combined list of preliminary encoded values into a list of collectively encoded values, to decode the list of collectively encoded values into a list of decoded values, and to optimize a metric measuring the encoder-decoder neural network's functioning, in response to receiving the combined list of preliminary encoded values. The trained encoder-decoder neural network receives combined lists of preliminary encoded values for application log files and encodes the combined lists of preliminary encoded values into lists of collectively encoded values.