Abstract: A detection dictionary system provides a framework for describing, detecting, and reporting anomalies across multiple operating environments each including multiple computing devices. An anomaly in an operating environment refers to one or more operations or activities in the operating environment that may be indicative of an attack on the operating environment by a malicious user or program. The framework includes guarantees, detections, properties, and detection instances. Guarantees are promises or assertions made to an entity (e.g., a business or other organization) that describes what the detection dictionary system will detect and alert on when a particular trend or anomaly is identified. A detection is a set of metadata describing how to fulfill a given guarantee. A property describes how to map the detection to a particular detection instance. A detection instance is a specific implementation of a detection as applied to a property.

Abstract: Systems and methods for automated selection of payloads for use in a security scan of a web application by a security scanner are described herein. More specifically, the systems and methods test potential payloads for a security scan of a given web application on a test application with known security vulnerabilities, evaluate valid response returned by this test application, determine functionally equivalent responses, group payloads based the equivalence of their valid responses, and select one or more payloads from each created group for use in the security scan of the given web application.

Abstract: A detection dictionary system provides a framework for describing, detecting, and reporting anomalies across multiple operating environments each including multiple computing devices. An anomaly in an operating environment refers to one or more operations or activities in the operating environment that may be indicative of an attack on the operating environment by a malicious user or program. The framework includes guarantees, detections, properties, and detection instances. Guarantees are promises or assertions made to an entity (e.g., a business or other organization) that describes what the detection dictionary system will detect and alert on when a particular trend or anomaly is identified. A detection is a set of metadata describing how to fulfill a given guarantee. A property describes how to map the detection to a particular detection instance. A detection instance is a specific implementation of a detection as applied to a property.

Abstract: Various implementations provide an approach to control testing frequency based on behavior change detection. Behavior change detection is utilized, instead of a pre-defined patterns approach, to look at a system's behavior and detect any variances from what would otherwise be normal operating behavior. In at least some implementations, a behavior change detection system collects behavior from a service, such as an online service, and detects behavior changes, either permanent or transient, in the service. In this way, the changes may be used to compute a volatility score, which the system uses to control testing frequency of one or more services, such as URLs that are part of a particular service.

Abstract: To protect network-based services, offering computer implemented functionality, from attacks, a passive web application firewall reactively identifies vulnerabilities, enabling such vulnerabilities to be quickly ameliorated, without intercepting communications or introducing other suboptimal aspects of traditional web application firewalls. Communications directed to the network-based services are logged and such logs are scanned for entries evidencing attacks, such as based on predetermined attack syntax. Further evaluation of the entries identified as evidencing attacks identifies a subset of those entries that correspond to likely successful attacks. Such further evaluation includes attacking the network-based service in an equivalent manner. Attacks that are found to be successful identify vulnerabilities, and a notification of such vulnerabilities is provided to facilitate amelioration of such vulnerabilities.

Abstract: Template identification techniques for control of testing are described. In one or more implementations, a method is described to control testing of one or more services by one or more computing devices using inferred template identification. Templates are inferred, by the one or more computing devices, that are likely used for documents for respective services of a service provider that are available via corresponding universal resource locators (URLs) to form an inferred dataset. Overlaps are identified by the one or computing devices in the inferred dataset to cluster services together that have likely used corresponding templates. Testing is controlled by the one or more computing devices of the one or more services based at least in part on the clusters.

Abstract: A behavior change detection system collects behavior from a service, such as an online service, and detects behavior changes, either permanent or transient, in the service. Machine learning hierarchical (agglomerative) clustering techniques are utilized to compute deviations between clustered data sets representing an “answer” that the service presents to a series of requests.

Abstract: To protect network-based services, offering computer implemented functionality, from attacks, a passive web application firewall reactively identifies vulnerabilities, enabling such vulnerabilities to be quickly ameliorated, without intercepting communications or introducing other suboptimal aspects of traditional web application firewalls. Communications directed to the network-based services are logged and such logs are scanned for entries evidencing attacks, such as based on predetermined attack syntax. Further evaluation of the entries identified as evidencing attacks identifies a subset of those entries that correspond to likely successful attacks. Such further evaluation includes attacking the network-based service in an equivalent manner. Attacks that are found to be successful identify vulnerabilities, and a notification of such vulnerabilities is provided to facilitate amelioration of such vulnerabilities.

Abstract: Template identification techniques for control of testing are described. In one or more implementations, a method is described to control testing of one or more services by one or more computing devices using inferred template identification. Templates are inferred, by the one or more computing devices, that are likely used for documents for respective services of a service provider that are available via corresponding universal resource locators (URLs) to form an inferred dataset. Overlaps are identified by the one or computing devices in the inferred dataset to cluster services together that have likely used corresponding templates. Testing is controlled by the one or more computing devices of the one or more services based at least in part on the clusters.

Abstract: Various embodiments provide an approach to classifying security events based on the concept of behavior change detection or “volatility.” Behavior change detection is utilized, in place of a pre-defined patterns approach, to look at a system's behavior and detect any variances from what would otherwise be normal operating behavior. In operation, machine learning techniques are utilized as an event classification mechanism which facilitates implementation scalability. The machine learning techniques are iterative and continue to learn over time. Operational scalability issues are addressed by using the computed volatility of the events in a time series as input for a classifier. During a learning process (i.e., the machine learning process), the system identifies relevant features that are affected by security incidents. When in operation, the system evaluates those features in real-time and provides a probability that an incident is about to occur.

Abstract: Various implementations provide an approach to control of testing frequency based on the concept of behavior change detection or “volatility.” Behavior change detection is utilized, in place of a pre-defined patterns approach, to look at a system's behavior and detect any variances from what would otherwise be normal operating behavior. In at least some implementations, a behavior change detection system collects behavior from a service, such as an online service, and detects behavior changes, either permanent or transient, in the service. In this way, the changes may be used to compute a volatility score that describes an amount of change in the behaviors. The changes in behavior as reflected by the volatility scores are then usable to control a testing frequency of the services, such as URLs that are part of the service. This may be performed dynamically to reflect ongoing changes in volatility.

Abstract: Systems and methods for automated selection of payloads for use in a security scan of a web application by a security scanner are described herein. More specifically, the systems and methods test potential payloads for a security scan of a given web application on a test application with known security vulnerabilities, evaluate valid response returned by this test application, determine functionally equivalent responses, group payloads based the equivalence of their valid responses, and select one or more payloads from each created group for use in the security scan of the given web application.

Abstract: Various embodiments provide an approach to classifying security events based on the concept of behavior change detection or “volatility.” Behavior change detection is utilized, in place of a pre-defined patterns approach, to look at a system's behavior and detect any variances from what would otherwise be normal operating behavior. In operation, machine learning techniques are utilized as an event classification mechanism which facilitates implementation scalability. The machine learning techniques are iterative and continue to learn over time. Operational scalability issues are addressed by using the computed volatility of the events in a time series as input for a classifier. During a learning process (i.e., the machine learning process), the system identifies relevant features that are affected by security incidents. When in operation, the system evaluates those features in real-time and provides a probability that an incident is about to occur.

Abstract: A behavior change detection system collects behavior from a service, such as an online service, and detects behavior changes, either permanent or transient, in the service. Machine learning hierarchical (agglomerative) clustering techniques are utilized to compute deviations between clustered data sets representing an “answer” that the service presents to a series of requests.