Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for detecting fraudulent accounts. One of the methods includes obtaining raw data from network events associated with a collection of user accounts of an online service; processing the raw data including determining a feature set and applying the feature set to generate user groups each comprising one or more user account; evaluating each user group based on feature distributions including performing one or more Major-Key-Shared (MKS) correlation calculations on pairs of features from the feature set for the group; scoring each group based on the evaluation; and identifying groups having a score that exceeds a specified threshold as fraudulent.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for fraud detection. One of the methods includes partitioning a feature space into a plurality of sub feature spaces, wherein the feature space comprises features associated with user account events for an online service; generating one or more clusters of users for each of one or more sub feature spaces; comparing a feature profile of one or more of the clusters with a global feature profile to determine features of one or more the clusters that have concentrated key values that exceed a respective threshold value; for each of the one or more clusters, scoring the cluster including aggregating the degree to which the key values for features exceed the corresponding threshold values; and based on the scores of the one or more clusters, determining one or more fraud detection actions.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for online fraud protection. One of the methods includes receiving a query associated with a user account of an online service provider; providing the query to a deep neural network model to generate a prediction of whether the user account is fraudulent, wherein the deep neural network model is trained using anonymized event data for a collection of users received from one or more online service providers; and providing the prediction to the online service provider.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for detecting network attacks. One of the methods includes obtaining input data associated with a plurality of accounts associated with a particular entity; extracting features from the input data; performing unsupervised attack ring detection using the extracted features, wherein the unsupervised attack ring detection identifies suspicious clusters of accounts that have strong similarity or correlations in the high dimensional feature space; and generating an output for the detected attack rings.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for rule generation and interaction. A rules engine is provided that does not require manual effort to generate or maintain high-quality rules over time for detecting malicious accounts or events. Rules no longer need to be manually added, tuned, or removed from the system. The system is able to determine the health of each rule and automatically add, tune, and remove rules to maintain a consistent, effective rule set.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for detecting malicious activities. One of the methods includes obtaining a collection of user event logs or receiving user events through real-time feeds; using data from the user event logs/feeds to determine IP address properties for individual IP addresses and IP address ranges; and for each incoming event, updating the IP address properties for the corresponding IP address and IP prefix properties.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for detecting malicious activities. One of the methods includes obtaining a collection of user event logs or receiving user events through real-time feeds; using data from the user event logs/feeds to determine IP address properties for individual IP addresses and IP address ranges; and for each incoming event, updating the IP address properties for the corresponding IP address and IP prefix properties.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for detecting suspicious users. One of the methods includes obtaining a collection of event logs or event feeds associated with a plurality of users to generate a collection of user properties; using the user properties to generate a plurality of groups of events; determining whether one or more groups are suspicious groups; and in response to a determination that one or more groups are suspicious, determining whether there are malicious accounts or events associated with each suspicious group.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for detecting malicious attacks. One of the methods includes generating a collection of hypergraphs representing user events across a collection of users; analyzing the collection of hypergraphs to determine a group of malicious user accounts or account activities satisfying a threshold confidence; using the group of malicious user accounts or account activities as training data for a machine learning system that generates one or more classifiers; and using the one or more generated classifiers to output additional malicious user accounts or account activities.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for detecting suspicious user activities. One of the methods includes generating hypergraphs, wherein the hypergraphs include nodes corresponding to feature profiles and edges between particular nodes representing a measure of similarity between nodes; using the generated hypergraphs to detect suspicious graph nodes; and using the suspicious graph nodes to detect malicious user communities.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for displaying information about computer network resources identified as engaging in malicious activities. One of the systems includes one or more computers including one or more processors and one or more memory devices, the one or more computers configured to: identify resources associated with an attack, and provide an attach resource dashboard user interface that displays information related to attack resources, wherein the user interface presents resource information comparing behavior of a particular resource at a single online service with behavior of the resource at other online services, and comparing the behavior of that resource with behavior of other resources.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for presenting data to visualize and interact with results of a user analytics engine. One of the systems include one or more computers including one or more processors and one or more memory devices, the one or more computers configured to: identify fraudulent user accounts through analysis of obtained client data; and provide a campaign user interface that plots groups of fraudulent user accounts to visualize them as attack campaigns, rather than displaying by listing individual fraudulent user accounts.