Abstract: A method of evaluating alerts generated by security agents installed in endpoints includes: receiving a locality-sensitive hash (LSH) value associated with an alert generated by a security agent installed in one of the endpoints; performing a search for centroids that are within a threshold distance from the received LSH value, wherein the centroids are each an LSH value that is representative of one of a plurality of groups of alerts; and assigning a security risk indicator to the alert associated with the received LSH value based on results of the search and transmitting the security risk indicator to a security analytics platform of the endpoints.

Abstract: A method of scoring alerts generated by a plurality of endpoints includes the steps of: in response to a new alert generated by a first endpoint of the plurality of endpoints, generating an anomaly score of the new alert; identifying a rule that triggered the new alert and determining a threat score associated with the rule; and generating a security risk score for the new alert based on the anomaly score and the threat score and transmitting the security risk score to a security analytics platform of the endpoints.

Abstract: Systems and methods are described for employing event context to improve threat detection. Systems and methods of embodiments of the disclosure measure both process deviation and path deviation to determine whether processes are benign or represent threats. Both a process deviation model and a path deviation model are deployed. The process deviation model determines the similarity of a process to past processes, and the path deviation model estimates whether processes have been called out of turn. In this manner, systems and methods of embodiments of the disclosure are able to detect both whether a process is in itself unusual, and whether it is called at an unusual time. This added context contributes to improved threat detection.

Abstract: Techniques for optimized performance data collection at client nodes are disclosed. In one embodiment, a client node in a client-server environment may include at least one processing resource and a computer-readable storage medium having computer-readable program code embodied therewith. The computer-readable program code being configured to obtain resource utilization data associated with a plurality of processes running on the client node, determine a list of processes having resource utilization greater than a threshold based on the resource utilization data, organize the list of processes based on predetermined criteria and the resource utilization data, generate a report including a predefined number of processes from the organized list, and transmit the report to a management node for performance monitoring.

Abstract: Techniques for optimized performance data collection at client nodes are disclosed. In one embodiment, a client node in a client-server environment may include at least one processing resource and a computer-readable storage medium having computer-readable program code embodied therewith. The computer-readable program code being configured to obtain resource utilization data associated with a plurality of processes running on the client node, determine a list of processes having resource utilization greater than a threshold based on the resource utilization data, organize the list of processes based on predetermined criteria and the resource utilization data, generate a report including a predefined number of processes from the organized list, and transmit the report to a management node for performance monitoring.