Abstract: A method includes obtaining an array of sorted identifiers to be stored in a designated portion of a memory of a given computing system, determining a segment size for splitting elements of the array into a plurality of segments, splitting the array into the plurality of segments based at least in part on the determined segment size, and compressing the plurality of segments to create a plurality of compressed segments. The method also includes generating a balanced binary search tree comprising a plurality of nodes each identifying a range of elements of the array corresponding to a given one of the segments and comprising a pointer to a given compressed segment corresponding to the given segment. The method further includes maintaining the balanced binary search tree and the compressed segments in the designated portion of the memory, and processing queries to the array utilizing the balanced binary search tree.

Abstract: A method includes extracting variable length strings from text data, associating the extracted strings with indexes in an indexing structure that maintain identifiers for instances of the strings in the text data, selecting a set of the strings having corresponding indexes whose size exceeds a threshold size value, and determining whether to merge a first index corresponding to a first string with a second index corresponding to a second string, the second string being a sub string of the first string, wherein the determination is based at least in part on a comparison of a first size of the first index and a second size of the second index. The method further includes merging the first index with the second index to create a merged index in the indexing structure responsive to the determination, and processing queries to the text data utilizing the indexing structure with the merged index.

Abstract: A method includes monitoring user behavior in an enterprise system, identifying a given user of the enterprise system associated with a given portion of the monitored user behavior, determining a predicted impact of compromise of the given user on the enterprise system, generating a risk score for the given user based on the predicted impact of compromise and the given portion of the monitored user behavior, and identifying one or more remedial actions to reduce the risk score for the given user. The method also includes implementing, prior to detecting compromise of the given user, at least one of the remedial actions to modify a configuration of at least one asset in the enterprise system, the at least one asset comprising at least one of a physical computing resource and a virtual computing resource in the enterprise system.

Abstract: Techniques are provided for client-side encryption and/or processing of telemetry data. An illustrative method comprises providing, by a telemetry server, a query request to a telemetry client, wherein the provided query request comprises a query and an encrypted payload over which the query operates; obtaining a query result from the telemetry client, wherein the telemetry client (a) decrypts the encrypted payload using at least one decryption key, (b) processes the query request using the decrypted payload, and (c) provides the query result to the telemetry server; and aggregating the query results obtained from one or more of the telemetry clients. The telemetry client can (i) validate the decrypted payload using a signature within the decrypted payload, and/or (ii) evaluate a query type of the query to determine whether the telemetry client opted in to the query type being executed.

Abstract: Techniques are provided for generating activity-based network profiles for devices, and for ranking such devices using the activity-based network profiles. One method comprises evaluating device communications to identify services that communicated with devices of an enterprise; generating an activity-based network profile for each device based on the services that communicated with each respective device; clustering the devices into a plurality of clusters based on a functional characterization of the devices derived from the activity-based network profiles; and ranking the devices within a cluster based on network activity and/or network exposure.

Abstract: A method includes obtaining data from a plurality of data sources associated with an n-gram indexing data structure and storing at least a portion of the obtained data in a first storage, the stored data comprising one or more n-gram strings. The method also includes estimating frequencies of occurrence of respective ones of the n-gram strings in the stored data, the estimated frequency of occurrence of a given n-gram string being based at least in part on a size of a given n-gram index in the n-gram indexing data structure corresponding to the given n-gram string. The method further includes, in response to detecting one or more designated conditions, selecting a portion of the stored data based at least in part on the estimated frequencies and moving the selected portion of the stored data from the first storage to a second storage having different read and write access times.

Abstract: Techniques are provided for multiset encoding and evaluation. One method comprises encoding a multi set comprised of entities as a product of a prime number assigned to each entity in the multiset to obtain an integer representation of the multiset; adding a first entity to the multiset by multiplying the integer representation of the multiset by the prime number assigned to the first entity; removing a second entity from the multiset by dividing the integer representation of the multiset by the prime number assigned to the second entity; and identifying the entities in the multi set by decomposing the integer representation into a product of the prime numbers assigned to each of the entities in the multiset. The entities in the multiset can be, for example, devices that a given user was connected to at the given time; and/or the users connected to a given device at the given time.

Abstract: An apparatus comprises a processing device configured to select a first data field of a first type that is associated with a second data field of a second type in a document, to determine an embedding of terms of unstructured text data in the first data field and to identify a subset of paired data fields from an unstructured text database based at least in part on metrics characterizing similarity between (i) the embedding of terms in the first data field and (ii) embeddings of terms in data fields of the first type in the paired data fields. The processing device is further configured to determine syntactic differences between the unstructured text data in the first data field and the identified subset of paired data fields, and to provide recommendations for unstructured text data to fill the second data field in the document based on the syntactic differences.

Abstract: A method includes identifying two or more vulnerabilities, each vulnerability affecting a set of one or more assets of an enterprise system. The method also includes assigning a weight to each vulnerability, the weight assigned to each of the vulnerabilities being based at least in part on the set of assets affected by that vulnerability, asset criticalities associated with the set of assets affected by that vulnerability, and at least one of (i) an exploitability potential of that vulnerability and (ii) an impact potential of that vulnerability. The method further includes determining an order in which to apply remediation actions in the enterprise system to address at least one of the vulnerabilities based at least in part on the weights assigned to the vulnerabilities, and applying, in accordance with the determined order, at least one of the remediation actions to at least one of the assets in the enterprise system.

Abstract: A method in an illustrative embodiment comprises receiving a plurality of indicators relating to an entity of a computer network, arranging the indicators in a plurality of categories of increasing risk, assigning weights to the indicators in the categories as a function of the number of categories and the number of indicators in each category, generating a risk score for the indicators based at least in part on the assigned weights, and initiating at least one automated action relating to the entity of the computer network based at least in part on the risk score. The risk score generation is configured such that a weighted contribution to the risk score of indicators in a relatively low one of the categories decreases as a number of indicators in a relatively high one of the categories increases. Similarly, a weighted contribution to the risk score of indicators in a relatively low one of the categories increases as a number of indicators in a relatively high one of the categories decreases.

Abstract: An apparatus comprises a processing device configured to obtain an unstructured version of a document comprising text data having a nested hierarchical structure comprising two or more levels, and to determine a syntax parse tree for the nested hierarchical structure specifying one or more list types associated with items in at least a given one of the levels in the nested hierarchical structure. The processing device is also configured to identify, in the document, a plurality of items each having one of the specified one or more list types in the syntax parse tree, to extract, from the document, portions of the text data corresponding to respective ones of the plurality of items, and to generate a structured version of the document that associates the extracted portions of the text data with the corresponding ones of the plurality of items.

Abstract: Techniques are provided for generating activity-based network profiles for devices, and for ranking such devices using the activity-based network profiles. One method comprises evaluating device communications to identify services that communicated with devices of an enterprise; generating an activity-based network profile for each device based on the services that communicated with each respective device; clustering the devices into a plurality of clusters based on a functional characterization of the devices derived from the activity-based network profiles; and ranking the devices within a cluster based on network activity and/or network exposure.

Abstract: Techniques are provided for client-side encryption and/or processing of telemetry data. An illustrative method comprises providing, by a telemetry server, a query request to a telemetry client, wherein the provided query request comprises a query and an encrypted payload over which the query operates; obtaining a query result from the telemetry client, wherein the telemetry client (a) decrypts the encrypted payload using at least one decryption key, (b) processes the query request using the decrypted payload, and (c) provides the query result to the telemetry server; and aggregating the query results obtained from one or more of the telemetry clients. The telemetry client can (i) validate the decrypted payload using a signature within the decrypted payload, and/or (ii) evaluate a query type of the query to determine whether the telemetry client opted in to the query type being executed.

Abstract: A method includes obtaining assembly code of a first software module, the assembly code comprising one or more assembly functions each comprising at least one basic block. The method also includes computing fingerprints of the basic blocks of the first software module by application of a fuzzy hash function, generating a representation of the first software module as a set of assembly functions each represented as a sequence of fingerprints of its associated basic blocks, and determining a similarity score between the first software module and at least a second software module classified as a given software module type. The similarity score is based on distances between the fingerprints of the basic blocks of the assembly functions of the first software module and corresponding fingerprints of the second software module. The method further includes determining a measure of code sharing between the first and second software modules based on the similarity score.

Abstract: A method includes obtaining messages associated with assets in an enterprise system, splitting each of the messages into a set of tokens, determining a count of a number of occurrences of each of the tokens, and assigning weights to the tokens based at least in part on the counts of the number of occurrences of the tokens. The method also includes determining a score for each of the messages based at least in part on a combined sum of the weights for the set of tokens of that message, generating a summary of the messages by selecting a subset of the messages for based at least in part on the scores. The method further includes identifying remedial actions to be applied to assets in the enterprise system based at least in part on the summary of the messages, and implementing at least one of the identified remedial actions.

Abstract: Techniques are provided for determining reasons for unsupervised anomaly decisions. One method comprises obtaining values of predefined features associated with a remote user device; applying the predefined feature values to an unsupervised anomaly detection model that generates an unsupervised anomaly decision; applying the predefined feature values to a supervised anomaly detection model that generates a supervised anomaly decision; determining a third anomaly decision using the unsupervised anomaly decision; and determining reasons for the third anomaly decision by analyzing the supervised anomaly decision. The supervised anomaly detection model can be trained using the unsupervised anomaly decision and/or anomalous training data based on known anomalies. The third anomaly decision can be based on the supervised anomaly decision and the unsupervised anomaly decision using ensemble techniques.

Abstract: There is disclosed herein techniques for categorizing computerized messages into categories. In one embodiment, there is disclosed a method. The method comprising performing an analysis of one or more computerized messages that includes identifying a set of discriminatory tokens in the one or more computerized messages that are representative of a category and determining for each discriminatory token a respective weight by which the token describes the category. The method also comprises determining a similarity between a computerized message and the category based on the content of the computerized message, the set of discriminatory tokens and the respective weights. The method further comprises classifying the computerized message as belonging to the category upon determining that the computerized message and the category are similar.

Abstract: Techniques are provided for multiset encoding and evaluation. One method comprises encoding a multi set comprised of entities as a product of a prime number assigned to each entity in the multiset to obtain an integer representation of the multiset; adding a first entity to the multiset by multiplying the integer representation of the multiset by the prime number assigned to the first entity; removing a second entity from the multiset by dividing the integer representation of the multiset by the prime number assigned to the second entity; and identifying the entities in the multi set by decomposing the integer representation into a product of the prime numbers assigned to each of the entities in the multiset. The entities in the multiset can be, for example, devices that a given user was connected to at the given time; and/or the users connected to a given device at the given time.

Abstract: Techniques are provided for adaptive usage of storage resources using data source models and data source representations generated using the data source models. One method comprises sampling data from a data source; fitting a data model to the sampled data to obtain a representation of the sampled data from the data source; obtaining a classification of data from the data source into one of multiple predefined retention models; and adapting a usage of one or more storage resources that store the data from the data source based at least in part on the representation and the classification. The data model may comprise, for example, a parametric model, a non-parametric model, a descriptive statistics model, a time series model, decision trees and an ensemble of decision trees. The adaptive storage resource usage may comprise, for example: (i) varying a data retention model based on data age; (ii) evicting cache data based on the representation; (iii) storage tier movements; and (iv) data retention timing.

Abstract: A method includes obtaining information regarding authentication events for users accessing assets of an enterprise system. The method also includes determining a likelihood of a given asset of the enterprise system becoming compromised responsive to compromise of a given user of the enterprise system. The method further includes determining an importance of the given asset based at least in part on a criticality value associated with the given asset, and generating a risk score for the given asset based at least in part on the determined likelihood of the given asset becoming compromised responsive to compromise of the given user and the determined importance of the given asset. The method further includes identifying remedial actions to reduce the risk score for the given asset and implementing, prior to detecting compromise of the given user, at least one of the remedial actions to modify a configuration of the given asset.