Abstract: A network security system employing multiple levels of processing to identify security threats. Multiple host machines may each contain an agent that detects possibilities of security threats based on raw data sensed locally at that host. The hosts may share information obtained from local analysis and each host may use information generated at one or more other hosts, in combination with information generated locally, to identify a security concern, indicating with greater certainty that a security threat exists. Based on security concerns generated by multiple hosts, a security threat may be to indicated and protective action may be taken.

Abstract: An analysis system is described for identifying potentially malicious activity within a computer network. It performs this task by interacting with a user to successively remove known instances of non-malicious activity, to eventually reveal potentially malicious activity. The analysis system interacts with the user by inviting the user to apply labels to identified examples of network behavior; upon response by the user, the analysis system supplies new examples of network behavior to the user. In one implementation, the analysis system generates such examples using a combination of feature-based analysis and graph-based analysis. The graph-based analysis relies on analysis of graph structure associated with access events, such as by identifying entropy scores for respective portions of the graph structure.

Abstract: A network security system employing multiple levels of processing to identify security threats. Multiple host machines may each contain an agent that detects possibilities of security threats based on raw data sensed locally at that host. The hosts may share information obtained from local analysis and each host may use information generated at one or more other hosts, in combination with information generated locally, to identify a security concern, indicating with greater certainty that a security threat exists. Based on security concerns generated by multiple hosts, a security threat may be to indicated and protective action may be taken.

Abstract: A network security system employing multiple levels of processing to identify security threats. Multiple host machines may each contain an agent that detects possibilities of security threats based on raw data sensed locally at that host. The hosts may share information obtained from local analysis and each host may use information generated at one or more other hosts, in combination with information generated locally, to identify a security concern, indicating with greater certainty that a security threat exists. Based on security concerns generated by multiple hosts, a security threat may be indicated and protective action may be taken.

Abstract: An analysis system is described for identifying potentially malicious activity within a computer network. It performs this task by interacting with a user to successively remove known instances of non-malicious activity, to eventually reveal potentially malicious activity. The analysis system interacts with the user by inviting the user to apply labels to identified examples of network behavior; upon response by the user, the analysis system supplies new examples of network behavior to the user. In one implementation, the analysis system generates such examples using a combination of feature-based analysis and graph-based analysis. The graph-based analysis relies on analysis of graph structure associated with access events, such as by identifying entropy scores for respective portions of the graph structure.

Abstract: A network security system employing multiple levels of processing to identify security threats. Multiple host machines may each contain an agent that detects possibilities of security threats based on raw data sensed locally at that host. The hosts may share information obtained from local analysis and each host may use information generated at one or more other hosts, in combination with information generated locally, to identify a security concern, indicating with greater certainty that a security threat exists. Based on security concerns generated by multiple hosts, a security threat may be indicated and protective action may be taken.

Abstract: Described is a technology by which storage space in the form of allocation units (e.g., clusters of a storage volume) are intentionally allocated so as to likely be non-contiguous for a file's data. For example, random selection of each of the allocation units will likely provide non-contiguous allocation units; on solid state storage media, such a random distribution of a file's data does not significantly affect access times. In one aspect, a file system driver randomly allocates the allocation units, and records the allocation units in association with the file, e.g., in a master file table or similar database. Non-contiguous (e.g., random) allocation may be on demand as storage space is needed, and/or may be performed in anticipation of needing storage space for satisfying a later request. Once the storage space is no longer mapped to a file, reconstructing that file's data in forensic analysis is more difficult.

Abstract: Described is a technology by which storage space in the form of allocation units (e.g., clusters of a storage volume) are intentionally allocated so as to likely be non-contiguous for a file's data. For example, random selection of each of the allocation units will likely provide non-contiguous allocation units; on solid state storage media, such a random distribution of a file's data does not significantly affect access times. In one aspect, a file system driver randomly allocates the allocation units, and records the allocation units in association with the file, e.g., in a master file table or similar database. Non-contiguous (e.g., random) allocation may be on demand as storage space is needed, and/or may be performed in anticipation of needing storage space for satisfying a later request. Once the storage space is no longer mapped to a file, reconstructing that file's data in forensic analysis is more difficult.