Abstract: In some implementations, a method includes obtaining an unlabeled computer security data log and processing the unlabeled computer security data log using a machine learning model to generate a probability distribution that includes a respective probability for each of a plurality of possible log types. Each of the plurality of possible log types is associated with a corresponding parser that parses logs of the possible log type to extract structured computer security data. The method further includes selecting the possible log type having the highest probability and parsing the unlabeled computer security data log using the parser corresponding to the selected possible log type.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for correcting timestamps in computer security telemetry data. A method includes: receiving, at a computer network security data analysis system, first log data identifying a plurality of first events occurring on a computer network, the first log data including, for each first event, a respective first timestamp identifying when the first event occurred, the first timestamp including a first hour value, a first minute value, and a first second value; and generating first modified log data, the first modified log data including, for each first event, a first modified timestamp including the first minute value and the first second value from the log data and a first modified hour value that represents an hour value from a current time at which the first log data was received at the computer network security data analysis system.

Abstract: The subject matter of this specification generally relates to computer security. In some implementations, a method includes maintaining a first data structure that stores arrays of identifier tuples. Each identifier tuple corresponds to a respective computer security event and includes one or more identifiers for a computing element associated with the computer security event. Each array of identifier tuples corresponds to a respective identifier and only includes identifier tuples that include the corresponding identifier. A second data structure that stores arrays of computer security data is maintained. Each array of computer security data corresponds to a respective identifier tuple stored in the first data structure and only includes computer security data associated with each identifier in the corresponding identifier tuple. A query that specifies a first identifier for a first computing element is received.

Abstract: In some implementations, a method includes obtaining an unlabeled computer security data log and processing the unlabeled computer security data log using a machine learning model to generate a probability distribution that includes a respective probability for each of a plurality of possible log types. Each of the plurality of possible log types is associated with a corresponding parser that parses logs of the possible log type to extract structured computer security data. The method further includes selecting the possible log type having the highest probability and parsing the unlabeled computer security data log using the parser corresponding to the selected possible log type.

Abstract: An incident managing module aggregates related database intrusion incidents and presents them in a manageable manner. A receiving module receives an anomalous query requesting data from a database and a type-identification module identifies anomaly type for the query received. A conversion module converts the anomalous query into a characteristic representation. In some embodiments, this is done by replacing literal field values in the query with representative values. In other embodiments, this is done by creating a tuple describing anomaly parameters for the anomalous query. In still other embodiments, the query is converted into a characteristic representation that distinguishes between injected and non-injected portions of the query. An aggregation module then aggregates into a group the anomalous queries with substantially similar characteristic representations according to anomaly type and a generation module generates a database intrusion incident report describing the group of anomalous queries.