Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for detecting malicious activities. One of the methods includes obtaining a collection of user event logs or receiving user events through real-time feeds; using data from the user event logs/feeds to determine IP address properties for individual IP addresses and IP address ranges; and for each incoming event, updating the IP address properties for the corresponding IP address and IP prefix properties.
Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for detecting suspicious users. One of the methods includes obtaining a collection of event logs or event feeds associated with a plurality of users to generate a collection of user properties; using the user properties to generate a plurality of groups of events; determining whether one or more groups are suspicious groups; and in response to a determination that one or more groups are suspicious, determining whether there are malicious accounts or events associated with each suspicious group.
Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for detecting malicious attacks. One of the methods includes generating a collection of hypergraphs representing user events across a collection of users; analyzing the collection of hypergraphs to determine a group of malicious user accounts or account activities satisfying a threshold confidence; using the group of malicious user accounts or account activities as training data for a machine learning system that generates one or more classifiers; and using the one or more generated classifiers to output additional malicious user accounts or account activities.
Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for detecting suspicious user activities. One of the methods includes generating hypergraphs, wherein the hypergraphs include nodes corresponding to feature profiles and edges between particular nodes representing a measure of similarity between nodes; using the generated hypergraphs to detect suspicious graph nodes; and using the suspicious graph nodes to detect malicious user communities.
Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for displaying information about computer network resources identified as engaging in malicious activities. One of the systems includes one or more computers including one or more processors and one or more memory devices, the one or more computers configured to: identify resources associated with an attack, and provide an attack resource dashboard user interface that displays information related to attack resources, wherein the user interface presents resource information comparing behavior of a particular resource at a single online service with behavior of the resource at other online services, and comparing the behavior of that resource with behavior of other resources.
Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for presenting data to visualize and interact with results of a user analytics engine. One of the systems includes one or more computers including one or more processors and one or more memory devices, the one or more computers configured to: identify fraudulent user accounts through analysis of obtained client data; and provide a campaign user interface that plots groups of fraudulent user accounts to visualize them as attack campaigns, rather than displaying by listing individual fraudulent user accounts.