Abstract: A method of explaining the reasons for a prediction made by a machine learning ensemble prediction process as to the probability of an outcome for a target observation following training on a plurality of training observations determines the similarity between the target observation and each training observation of a set of said training observations; selects a fraction of the training observations that are most similar to said target observation; ranks the training observations by similarity of each training observation to the target observation; and determines the significance of the features of the ranked training observations to the prediction based upon the increase in variance in a local prediction model when a feature is removed from the local model.

Abstract: A method of explaining the reasons for a prediction made by a machine learning ensemble prediction process as to the probability of an outcome for a target observation following training on a plurality of training observations determines the similarity between the target observation and each training observation of a set of said training observations; selects a fraction of the training observations that are most similar to said target observation; ranks the training observations by similarity of each training observation to the target observation; and determines the significance of the features of the ranked training observations to the prediction based upon the increase in variance in a local prediction model when a feature is removed from the local model.

Abstract: Threat risks to an enterprise are detected and assessed by assembling singular threats identified using both direct and behavioral threat indicators into composite threats to create complex use cases across multiple domains, and to amplify risks along kill chains of known attacks for early detection. Composite threat risk scores are computed from risk scores of singular threats to exponentially increase with the number of events observed along the kill chain. Composite threats are combined with normalized values of static risk and inherent risk for an entity of the enterprise to produce an entity risk score representative of the overall risk to the entity.

Abstract: Anomalous activities in a computer network are detected using adaptive behavioral profiles that are created by measuring at a plurality of points and over a period of time observables corresponding to behavioral indicators related to an activity. Normal kernel distributions are created about each point, and the behavioral profiles are created automatically by combining the distributions using the measured values and a Gaussian kernel density estimation process that estimates values between measurement points. Behavioral profiles are adapted periodically using data aging to de-emphasize older data in favor of current data. The process creates behavioral profiles without regard to the data distribution. An anomaly probability profile is created as a normalized inverse of the behavioral profile, and is used to determine the probability that a behavior indicator is indicative of a threat. The anomaly detection process has a low false positive rate.

Abstract: Threat risks to an enterprise are detected and assessed by assembling singular threats identified using both direct and behavioral threat indicators into composite threats to create complex use cases across multiple domains, and to amplify risks along kill chains of known attacks for early detection. Composite threat risk scores are computed from risk scores of singular threats to exponentially increase with the number of events observed along the kill chain. Composite threats are combined with normalized values of static risk and inherent risk for an entity of the enterprise to produce an entity risk score representative of the overall risk to the entity.

Abstract: Anomalous activities in a computer network are detected using adaptive behavioral profiles that are created by measuring at a plurality of points and over a period of time observables corresponding to behavioral indicators related to an activity. Normal kernel distributions are created about each point, and the behavioral profiles are created automatically by combining the distributions using the measured values and a Gaussian kernel density estimation process that estimates values between measurement points. Behavioral profiles are adapted periodically using data aging to de-emphasize older data in favor of current data. The process creates behavioral profiles without regard to the data distribution. An anomaly probability profile is created as a normalized inverse of the behavioral profile, and is used to determine the probability that a behavior indicator is indicative of a threat. The anomaly detection process has a low false positive rate.