Patents by Inventor Jack Wilson Stokes, III

Jack Wilson Stokes, III has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11930020
    Abstract: The disclosure is directed towards the real-time detection and mitigation of security threats to a domain name system (DNS) for a communication network. A graph-theoretic method is applied to detect compromised DNS assets (e.g., DNS servers and web servers that DNS servers map domain names to). A graph is generated from domain name resolution (DNR) transactions. The nodes of the graph represent the DNS assets and edges between the nodes represent the DNR transactions. The graph is analyzed to detect features that signal compromised assets. The detection of such features serves to act as a binary classifier for the represented assets. The binary classifier acts to classify each node as non-compromised or compromised. The analysis is guided by supervised and/or unsupervised machine learning methods. Once the assets are classified, DNR transactions are analyzed in real-time. If the transaction involves a compromised asset, an intervention is performed that mitigates the threat.
    Type: Grant
    Filed: May 11, 2021
    Date of Patent: March 12, 2024
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Zheng Dong, Jack Wilson Stokes, III, Jie Li, Jinyuan Jia
  • Publication number: 20230385409
    Abstract: The technology described herein identifies malicious URLs using a classifier that is both accurate and fast. Aspects of the technology are particularly well adapted for use as a real-time URL security analysis tool because the technology is able to quickly process a URL and produce a warning when a malicious URL is identified. The rapid processing speed of the technology described herein is produced, in part, by use of only a single input signal, which is the URL itself. The high accuracy produced by the technology described herein is achieved by analyzing the unstructured text on both a character-by-character level and a word-by-word level. The technology described herein uses both character-level and word-level information from the incoming URL.
    Type: Application
    Filed: August 14, 2023
    Publication date: November 30, 2023
    Inventors: Arunkumar GURURAJAN, Jack Wilson STOKES, III, Farid TAJADDODIANFAR
  • Patent number: 11762990
    Abstract: The technology described herein identifies malicious URLs using a classifier that is both accurate and fast. Aspects of the technology are particularly well adapted for use as a real-time URL security analysis tool because the technology is able to quickly process a URL and produce a warning when a malicious URL is identified. The rapid processing speed of the technology described herein is produced, in part, by use of only a single input signal, which is the URL itself. The high accuracy produced by the technology described herein is achieved by analyzing the unstructured text on both a character-by-character level and a word-by-word level. The technology described herein uses both character-level and word-level information from the incoming URL.
    Type: Grant
    Filed: June 30, 2020
    Date of Patent: September 19, 2023
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Arunkumar Gururajan, Jack Wilson Stokes, III, Farid Tajaddodianfar
  • Publication number: 20230244916
    Abstract: The techniques disclosed herein identify ransomware attacks as they are occurring, improving the security and functionality of computer systems. Ransomware attacks are identified using a new probabilistic machine learning model that better handles the unique properties of ransomware data. Ransomware data includes a list of computing operations, some of which are labeled as being associated with ransomware attacks. In contrast to deterministic machine learning techniques that learn weights, probabilistic machine learning techniques learn the parameters of a distribution function. In some configurations, a radial Spike and Slab distribution function is used within a Bayesian neural network framework to better handle sparse, missing, and imbalanced data. Once trained, the machine learning model may be provided with real-time operations, e.g., from a cloud service security module, from which to infer whether a ransomware attack is taking place.
    Type: Application
    Filed: April 14, 2022
    Publication date: August 3, 2023
    Inventors: Jack Wilson STOKES, III, Jurijs NAZAROVS, Melissa TURCOTTE, Justin CARROLL, Itai GRADY ASHKENAZY
  • Patent number: 11689561
    Abstract: Various embodiments discussed herein enable the detection of malicious content. Some embodiments do this by determining a similarity score between content, computer objects, or indications (e.g., vectors, file hashes, file signatures, code, etc.) known to be malicious and other content (e.g., unknown files) or indications based on feature weighting. Over various training stages, certain feature characteristics for each labeled malicious content or indication can be learned. For example, for a first malware family of computer objects, the most prominent feature may be a particular URL, whereas other features change considerably for different iterations of the first malware family of computer objects. Consequently, the particular URL can be weighted to determine a particular output classification corresponding to malicious behavior.
    Type: Grant
    Filed: March 17, 2020
    Date of Patent: June 27, 2023
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Christian Seifert, Jack Wilson Stokes, III, Kristian Holsheimer
  • Publication number: 20230148116
    Abstract: The techniques disclosed herein enable systems to train machine learning models using benign augmentation to enable resistance to various data poisoning attacks. This is achieved by first training a machine learning model using an initial dataset that is trustworthy and originates from a known source. The initial dataset is then modified to include known attack triggers such as syntactic paraphrasing to generate an augmented dataset. The augmented dataset is then used to train a robust machine learning model based on the initially trained machine learning model. The resultant robust machine learning model is then enabled to detect and resist attacks captured by the augmented dataset. The robust machine learning model can be retrained using an untrusted dataset that includes various compromised inputs in conjunction with the augmented dataset. Retraining results in an updated robust machine learning model that can learn and resist various data poisoning attacks on the fly.
    Type: Application
    Filed: March 31, 2022
    Publication date: May 11, 2023
    Inventors: Jack Wilson STOKES, III, Emre Mehmet KICIMAN, Manoj Ajith PRASAD, Andrew Thomas MARSHALL
  • Publication number: 20230096895
    Abstract: The techniques disclosed herein enable systems to train a machine learning model to classify malicious command line strings and select anomalous and uncertain samples for analysis. To train the machine learning model, a system receives a labeled data set containing command line inputs that are known to be malicious or benign. Utilizing a term embedding model, the system can generate aggregated numerical representations of the command line inputs for analysis by the machine learning model. The aggregated numerical representations can include various information such as term scores that represent a probability that an individual term of the command line string is malicious as well as numerical representations of the individual terms. The system can subsequently provide the aggregated numerical representations to the machine learning model for analysis. Based on the aggregated numerical representations, the machine learning model can learn to distinguish malicious command line inputs from benign inputs.
    Type: Application
    Filed: September 30, 2021
    Publication date: March 30, 2023
    Inventors: Jack Wilson STOKES, III, Jonathan BAR OR, Christian SEIFERT, Talha ONGUN, Farid TAJADDODIANFAR
  • Publication number: 20220385673
    Abstract: The disclosure is directed towards the real-time detection and mitigation of security threats to a domain name system (DNS) for a communication network. A graph-theoretic method is applied to detect compromised DNS assets (e.g., DNS servers and web servers that DNS servers map domain names to). A graph is generated from domain name resolution (DNR) transactions. The nodes of the graph represent the DNS assets and edges between the nodes represent the DNR transactions. The graph is analyzed to detect features that signal compromised assets. The detection of such features serves to act as a binary classifier for the represented assets. The binary classifier acts to classify each node as non-compromised or compromised. The analysis is guided by supervised and/or unsupervised machine learning methods. Once the assets are classified, DNR transactions are analyzed in real-time. If the transaction involves a compromised asset, an intervention is performed that mitigates the threat.
    Type: Application
    Filed: May 11, 2021
    Publication date: December 1, 2022
    Inventors: Zheng DONG, Jack Wilson STOKES, III, Jie LI, Jinyuan JIA
  • Publication number: 20220279014
    Abstract: The technology described herein can identify phishing URLs using transformers. The technology tokenizes useful features from the subject URL. The useful features can include the text of the URL and other data associated with the URL, such as certificate data for the subject URL, a referrer URL, an IP address, etc. The technology may build a joint Byte Pair Encoding for the features. The token encoding may be processed through a transformer, resulting in a transformer output. The transformer output, which may be described as a token embedding, may be input to a classifier to determine whether the URL is a phishing URL. Additional or improved URL training data may be generated by permuting token order, by simulating a homoglyph attack, and by simulating a compound word attack.
    Type: Application
    Filed: April 30, 2021
    Publication date: September 1, 2022
    Inventors: Jack Wilson STOKES, III, Pranav Ravindra MANERIKER, Arunkumar GURURAJAN, Diana Anca CARUTASU, Edir Vinicio GARCIA LAZO
  • Patent number: 11233804
    Abstract: A compromise detection system protects data centers (DCs) or other providers in the cloud. The compromise detection system can detect compromised virtual machines (VMs) through changes in network traffic characteristics while avoiding expensive data collection and preserving privacy. The compromise detection system obtains and uses periodically-obtained flow pattern summaries to detect compromised VMs. Agent-based detection on predetermined and compromised VMs can expose (using supervised learning) the network behavior of compromised VMs and then apply the learned model to all VMs in the DC. The compromise detection system can run continuously, protect the privacy of cloud customers, comply with Europe's General Data Protection Regulation (GDPR), and avoid various techniques that both erode privacy and degrade VM performance.
    Type: Grant
    Filed: January 28, 2019
    Date of Patent: January 25, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Behnaz Arzani, Selim Ciraci, Stefan Saroiu, Alastair Wolman, Jack Wilson Stokes, III, Geoff Outhred
  • Patent number: 11204952
    Abstract: Various technologies described herein pertain to detecting contextual anomalies in a behavioral network. Label propagation can be performed to construct contexts and assign respective context membership scores to users. Each context can be a respective subset of the users expected to have similar resource usages. The contexts can be constructed and the context membership scores can be assigned by combining behavioral information and contextual side information. The behavioral information can specify respective resource usages by the users within the behavioral network. Moreover, respective contextual anomaly scores for the users can be computed based on the respective context membership scores assigned to the users and the contextual side information. Further, the contextual anomalies can be detected from the contextual anomaly scores.
    Type: Grant
    Filed: April 13, 2017
    Date of Patent: December 21, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Xiang Wang, Bo Thiesson, Jack Wilson Stokes, III, Edward Wilkins Hardy, Jonathan Andreas Espenschied
  • Publication number: 20210312041
    Abstract: The technology described herein identifies malicious URLs using a classifier that is both accurate and fast. Aspects of the technology are particularly well adapted for use as a real-time URL security analysis tool because the technology is able to quickly process a URL and produce a warning when a malicious URL is identified. The rapid processing speed of the technology described herein is produced, in part, by use of only a single input signal, which is the URL itself. The high accuracy produced by the technology described herein is achieved by analyzing the unstructured text on both a character-by-character level and a word-by-word level. The technology described herein uses both character-level and word-level information from the incoming URL.
    Type: Application
    Filed: June 30, 2020
    Publication date: October 7, 2021
    Inventors: Arunkumar GURURAJAN, Jack Wilson STOKES, III, Farid TAJADDODIANFAR
  • Publication number: 20210141897
    Abstract: Various embodiments discussed herein enable the detection of malicious content. Some embodiments do this by determining a similarity score between content, computer objects, or indications (e.g., vectors, file hashes, file signatures, code, etc.) known to be malicious and other content (e.g., unknown files) or indications based on feature weighting. Over various training stages, certain feature characteristics for each labeled malicious content or indication can be learned. For example, for a first malware family of computer objects, the most prominent feature may be a particular URL, whereas other features change considerably for different iterations of the first malware family of computer objects. Consequently, the particular URL can be weighted to determine a particular output classification corresponding to malicious behavior.
    Type: Application
    Filed: March 17, 2020
    Publication date: May 13, 2021
    Inventors: Christian SEIFERT, Jack Wilson STOKES, III, Kristian HOLSHEIMER
  • Patent number: 10963566
    Abstract: Implementations described herein disclose a malware sequence detection system for detecting presence of malware in a plurality of events. An implementation of the malware sequence detection includes receiving a sequence of a plurality of events, and detecting presence of a sequence of malware commands within the sequence of a plurality of events by dividing the sequence of plurality of events into a plurality of subsequences, performing sequential subsequence learning on one or more of the plurality of subsequences, and generating a probability of one or more of the plurality of subsequences being a malware based on the output of the sequential subsequence.
    Type: Grant
    Filed: January 25, 2018
    Date of Patent: March 30, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Rakshit Agrawal, Jack Wilson Stokes, III, Karthik Selvaraj, Adrian M. Marinescu
  • Patent number: 10938840
    Abstract: Enhanced neural network architectures that enable the determination and employment of association-based or attention-based “interrelatedness” of various portions of the input data are provided. A method of employing an architecture includes receiving a first input data element, a second input element, and a third input element. A first interrelated metric that indicates a degree of interrelatedness between the first input data element and the second input data element is determined. A second interrelated metric is determined. The second interrelated metric indicates a degree of interrelatedness between the first input data element and the third input data element. An interrelated vector is generated based on the first interrelated metric and the second interrelated metric. The neural network is employed to generate an output vector that corresponds to the first input vector and is based on a combination of the first input vector and the interrelated vector.
    Type: Grant
    Filed: October 15, 2018
    Date of Patent: March 2, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Jack Wilson Stokes, III, Rakshit Agrawal, Karthik Selvaraj, Adrian M. Marinescu
  • Patent number: 10922409
    Abstract: Technologies for detecting malware based on a reinforcement learning model to detect whether a file is malicious or benign and to determine the best time to halt the file's execution in so detecting. The reinforcement learning model combined with an event classifier and a file classifier learns whether to halt execution after enough state information has been observed or to continue execution if more events are needed to make a highly confident determination. The algorithm disclosed allows the system to decide when to stop on a per file basis.
    Type: Grant
    Filed: April 10, 2018
    Date of Patent: February 16, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Yu Wang, Jack Wilson Stokes, III, Adrian Mihail Marinescu
  • Publication number: 20200244674
    Abstract: A compromise detection system protects data centers (DCs) or other providers in the cloud. The compromise detection system can detect compromised virtual machines (VMs) through changes in network traffic characteristics while avoiding expensive data collection and preserving privacy. The compromise detection system obtains and uses periodically-obtained flow pattern summaries to detect compromised VMs. Agent-based detection on predetermined and compromised VMs can expose (using supervised learning) the network behavior of compromised VMs and then apply the learned model to all VMs in the DC. The compromise detection system can run continuously, protect the privacy of cloud customers, comply with Europe's General Data Protection Regulation (GDPR), and avoid various techniques that both erode privacy and degrade VM performance.
    Type: Application
    Filed: January 28, 2019
    Publication date: July 30, 2020
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Behnaz ARZANI, Selim CIRACI, Stefan SAROIU, Alastair WOLMAN, Jack Wilson STOKES, III, Geoff OUTHRED
  • Publication number: 20200120110
    Abstract: Enhanced neural network architectures that enable the determination and employment of association-based or attention-based “interrelatedness” of various portions of the input data are provided. A method of employing an architecture includes receiving a first input data element, a second input element, and a third input element. A first interrelated metric that indicates a degree of interrelatedness between the first input data element and the second input data element is determined. A second interrelated metric is determined. The second interrelated metric indicates a degree of interrelatedness between the first input data element and the third input data element. An interrelated vector is generated based on the first interrelated metric and the second interrelated metric. The neural network is employed to generate an output vector that corresponds to the first input vector and is based on a combination of the first input vector and the interrelated vector.
    Type: Application
    Filed: October 15, 2018
    Publication date: April 16, 2020
    Inventors: Jack Wilson STOKES, III, Rakshit AGRAWAL, Karthik SELVARAJ, Adrian M. MARINESCU
  • Patent number: 10505954
    Abstract: Graph-based detection systems and techniques are provided to identify potential malicious lateral movement paths. System and security events may be used to generate a network connection graph and detect remote file executions and/or other detections, for use in tracking malicious lateral movement across a computer network, such as a compromised computer network. Lateral movement determination across a computer network may be divided into two subproblems: forensic analysis and general detection. With forensic analysis, given a malicious node, possible lateral movement leading into or out of the node is identified. General detection identifies previously unknown malicious lateral movement on a network using a remote file execution detector, and/or other detectors, and a rare path anomaly detection algorithm.
    Type: Grant
    Filed: June 14, 2017
    Date of Patent: December 10, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Jack Wilson Stokes, III, Robert James Mead, Tim William Burrell, Ian Hellen, John Joseph Lambert, Weidong Cui, Andrey Marochko, Qingyun Liu
  • Publication number: 20190362074
    Abstract: Technologies for training systems for detecting malware based on a reinforcement learning model. Such trained systems detect whether a file is malicious or benign and determine the best time to halt the file's execution in so detecting. The reinforcement learning model combined with an event classifier and a file classifier learns whether to halt execution after enough state information has been observed or to continue execution if more events are needed to make a highly confident determination. The algorithm disclosed allows the system to decide when to stop on a per file basis.
    Type: Application
    Filed: May 24, 2018
    Publication date: November 28, 2019
    Inventors: Yu WANG, Jack Wilson STOKES, III, Adrian Mihail MARINESCU