Abstract: A service receives, from client computing devices of client networks, information regarding incoming network traffic addressed to dark Internet Protocol (IP) address spaces the of client networks. The service can predict a cyber attack based on the information received from the client computing devices of the client networks. The server computing device notifies the client computing device of each client network affected by the predicted cyber attack.

Abstract: According to examples, an apparatus may include a processor and a memory on which is stored machine readable instructions executable by the processor to access network activity data collected over a time period associated with a plurality of network entities, in which each of the network entities is assigned a distinct internet protocol (IP) address including a network prefix set of bits and a network entity identifier set of bits. The instructions may also cause the processor to generate representations of the network activity data corresponding to the respective network entities and display the generated representations of the network activity data corresponding to the respective network entities on an IP address block map according to the network entity identifier set of bits of the respective network entities.

Abstract: In some examples, a Domain Name System (DNS) server receives, over a network, DNS queries containing domain names, extracts a common domain name shared by the domain names, determines whether a measure of an amount of data relating to the DNS queries containing the common domain name exceeds a threshold, and in response to determining that the measure of the amount of data relating to the DNS queries containing the common domain name exceeds the threshold, trigger a countermeasure action to address a threat associated with the DNS queries.

Abstract: In some examples, a system constructs, based on event data representing a plurality of events in a system, a representation of the plurality of events, the representation including information relating the events, and computes issue indications corresponding to potential issues in the system. The system adds information based on the issue indications to the representation to form an enriched representation, and searches the enriched representation to find a chain of events representing an issue in the system.

Abstract: In some examples, a Domain Name System (DNS) server is to receive, over a network, a DNS query containing a domain name, the DNS query sent by a device. The DNS server is to determine whether the domain name is potentially generated by malware. In response to determining that the domain name is potentially generated by malware, the DNS server is to generate a DNS response containing information indicating that the domain name is potentially generated by malware, and send the DNS response to the network.

Abstract: Points around a point of interest are sampled. The points and the point of interest each have a value for each of a number of input features. The points and the point of interest each have a corresponding output score for a machine learning model. A feature contribution vector for the input features is determined by locally approximating the machine learning model at the points and the point of interest using a model, such as a ridge regression model. The ridge regression model can have a loss function, which can include a Kullback-Leibler (KL) divergence term. The feature contribution vector approximates for any point a contribution of each input feature to the output score of this point by the machine learning model. The input features most responsible for the machine learning model having provided the corresponding output score for the point of interest, based on the feature contribution vector, are provided.

Abstract: According to examples, an apparatus may include a processor and a memory on which is stored machine readable instructions executable by the processor to: access network traffic data pertaining to data flows among nodes in a network; partition the network traffic data into a plurality of windows; for each of the plurality of windows, aggregate data flows between pairs of nodes; compute a data distribution of each of the aggregated data flows; select a summary structure for each of the aggregated data flows based on the computed data distributions of the aggregated data flows; generate a summary of each of the aggregated data flows using the selected summary structures for the aggregated data flows; and store the generated summaries.

Abstract: In some examples, for a device that transmitted domain names, a system determines a dissimilarity between the domain names, compares a value derived from the determined dissimilarity to a threshold, and identifies the device as malware infected in response to the comparing.

Abstract: According to examples, an apparatus may include a processor and a memory on which is stored machine readable instructions to cause the processor to access network traffic traces including a plurality of timestamps, the plurality of timestamps having an order with respect to each other. The instructions may also cause the processor to encrypt the plurality of timestamps to anonymize the plurality of timestamps while preserving the order of the plurality of timestamps with respect to each other and to store the encrypted plurality of timestamps in a data store.

Abstract: In some examples, a system counts a number of digits in a domain name. The system compares a value based on the number of digits to a threshold, and indicates that the domain name is potentially generated by malware in response to the value having a specified relationship with respect to the threshold.

Abstract: In some examples, a system identifies, in a domain name, n-grams that do not appear in words of a given language, where n is greater than two. The system compares a value based on a number of the identified n-grams to a threshold, and indicates that the domain name is potentially generated by malware in response to the value having a specified relationship with respect to the threshold.

Abstract: According to examples, an apparatus may include a processor and a memory on which is stored machine readable instructions executable by the processor to access network activity data collected over a time period associated with a plurality of network entities, in which each of the network entities is assigned a distinct internet protocol (IP) address including a network prefix set of bits and a network entity identifier set of bits. The instructions may also cause the processor to generate representations of the network activity data corresponding to the respective network entities and display the generated representations of the network activity data corresponding to the respective network entities on an IP address block map according to the network entity identifier set of bits of the respective network entities.

Abstract: According to examples, an apparatus may include a processor and a memory on which is stored machine readable instructions executable by the processor to: access network traffic data pertaining to data flows among nodes in a network; partition the network traffic data into a plurality of windows; for each of the plurality of windows, aggregate data flows between pairs of nodes; compute a data distribution of each of the aggregated data flows; select a summary structure for each of the aggregated data flows based on the computed data distributions of the aggregated data flows; generate a summary of each of the aggregated data flows using the selected summary structures for the aggregated data flows; and store the generated summaries.

Abstract: A technique includes dynamically assigning, by a server, network addresses selected from a plurality of network addresses to network devices of a network based on a schedule. The schedule represents a time during which a given network address is to remain unassigned. The technique includes, based on the schedule, detecting anomalous behavior associated with the network.

Abstract: Overlay networks of application components are managed. Applicant components may create overlay networks based on policies of the application components and an environment of the overlay network. The overlay network may be adjusted based on changes to the policies or the environment.

Abstract: A technique that includes predicting data acquired by a network of sensors based at least in part on a graphical model of the network, where the graphical model includes true value nodes, observed value nodes and edge factors based at least in part on historical pairwise dependencies for the observed value nodes. The technique includes detecting anomalous sensor data based at least in part on the predicted data.

Abstract: Detecting fraud in resource distribution systems includes determining a meter of a resource in a resource distribution system exhibits a characteristic indicative of fraud and increasing a collection frequency of measurements of a usage of the resource of the meter per unit of time.

Abstract: Examples herein involve managing overlay networks of application components. In examples herein, application components may create overlay networks based on policies of the application components and an environment of the overlay network. The overlay network may be adjusted based on changes to the policies or the environment.

Abstract: Examples relate to distributed anomaly management. In one example, a computing device may: receive real-time anomaly data for a first set of client devices, wherein the received anomaly data includes: anomalous network behavior data received from a network intrusion detection system (NICKS) monitoring network traffic behavior, anomalous host event data received from a host intrusion detection system (HIDS) monitoring host events originating from client devices in the first set, and anomalous process activity data received from a trace intrusion detection system (TIDS) monitoring process activity performed by client devices in the first set; for each client device in the first set of client devices for which anomaly data is received, associate the received anomaly data with the client device; and determine, for a particular client device, a measure of risk, wherein the measure of risk is dynamically adjusted based on the received real-time anomaly data.

Abstract: Examples of meter data management testing are disclosed. In one example implementation according to aspects of the present disclosure, a computing device may include one or more processors, a memory for storing machine readable instructions, and a data store. The computing device may further include a meter data management testing module stored in the memory and executing on at least one of the one or more processors to test a meter data management system using a data set of representative metering data and a user-generated test scenario specifying a plurality of metering parameters.