Abstract: The present invention relates to a method for simulating security analysis of network data, comprising: receiving a dataset of network data records from which data relative to specific predefined fields are extracted; creating sessions by preprocessing the extracted data, wherein each session is defined by a single identification of a device; clustering the data in accordance with one or more of the created sessions; and evolving the dataset by updating the clustered data with new extracted data from the dataset.

Abstract: Methods and apparatus are provided for risk-based authentication between two servers on behalf of a user. A method is provided for controlling access by a consumer to a service provider on behalf of a user. An authentication request is issued responsive to an initial access request from the consumer to access the service provider on behalf of the user. An access token is provided to the consumer upon approval from the user to grant access to the consumer. Upon receiving a subsequent access request from the consumer with the access token to access the service provider on behalf of the user; a risk analysis is performed to determine if the subsequent access request should be granted. The risk analysis can determine if the subsequent access complies with one or more rules of the user. The user is optionally prompted to specify whether to allow the subsequent access request and/or future similar transactions.

Abstract: A technique provides alert prioritization. The technique involves selecting attributes to use as alert scoring factors. The technique further involves updating, for an incoming alert having particular attribute values for the selected attributes, count data to represent encounter of the incoming alert from perspectives of the selected attributes. The technique further involves generating an overall significance score for the incoming alert based on the updated count data. The overall significance score is a measure of alert significance relative to other alerts. Scored alerts then can be sorted so that investigators focus on the alerts with the highest significance scores. Such a technique is well suited for adaptive authentication (AA) and Security Information and Event Management (SIEM) systems among other alert-based systems such as churn analysis systems, malfunction detection systems, and the like.

Abstract: There is disclosed some techniques for processing an authentication request. In one example, a method comprises the step of determining the velocity between authentication requests of a user associated with the requests. Additionally, the method determines the likelihood that a location associated with one of the requests is associated with the user location. Furthermore, the method generates an authentication result based on the likelihood that a location associated with one of the requests is associated with the user location.

Abstract: An information processing system implements a security system. The security system comprises a classifier configured to process information characterizing events in order to generate respective risk scores, and a data store coupled to the classifier and configured to store feedback relating to one or more attributes associated with an assessment of the risk scores by one or more users. The classifier is configured to utilize the feedback regarding the risk scores to learn riskiness of particular events and to adjust its operation based on the learned riskiness, such that the risk score generated by the classifier for a given one of the events is based at least in part on the feedback received regarding risk scores generated for one or more previous ones of the events.

Abstract: There is disclosed a technique for detecting risky domains. The technique comprises collecting information in connection with a domain. The technique also comprises generating a profile comprising at least one metric associated with the domain based on the collected information. The technique further comprises determining the riskiness in connection with the domain based on the generated profile.

Abstract: A processing device comprises a processor coupled to a memory and is configured to determine a first set of features from domain name system (DNS) information, the first set of features being defined over a domain, and to determine a second set of features from the DNS information, the second set of features being defined over internet protocol (IP) addresses returned for the domain. The processing device is further configured to compute a fast-flux score based on the first and second sets of features, and to utilize the fast-flux score to characterize fast-flux activity relating to the domain. For example, the processing device can be configured to compare the fast-flux score to a threshold, and to generate an indicator of the presence or absence of fast-flux activity based on a result of the comparison. The processing device may be implemented in a computer network or network security system.

Abstract: An improved technique involves processing network traffic data to automatically establish whether a device on the network satisfies a particular set of constraints. Along these lines, a SIEM server observes and processes incoming and outgoing traffic data corresponding to a particular device at an address of the network. The SIEM server then analyzes this traffic data in order to determine whether the data satisfies a set of constraints satisfied by a client, or another set of constraints satisfied by a server. The SIEM server then applies the label of “client” or “server” to the device according to which set of constraints the SIEM server determines the data to have satisfied.

Abstract: Authentication systems are provided that select an authentication method to be applied to a given transaction from among a plurality of available authentication methods based on risk reasoning. An authentication request from an authentication requestor for a given transaction is processed by receiving the authentication request from the authentication requester and selecting an authentication method to be applied to the given transaction from among a plurality of available authentication methods based on an evaluation of one or more predefined risk reasons with respect to the available authentication methods. The predefined risk reasons associated with a given transaction comprise, for example, a set of risk reasons that contribute to a risk score that has been assigned to the given transaction. The evaluation may employ one or more of rule-based, heuristic and Bayesian techniques.

Abstract: A technique detects riskiness of a communication in a network based on behavior profiling. The technique involves generating a network history baseline (e.g., normal and abnormal behavior profiles) from prior network communications occurring in the network. The technique further involves, for a new network communication, assigning the new network communication a risk score based on a comparison of the new network communication to the network history baseline. The risk score is a numerical measure of behavioral normalcy relative to the prior network communications occurring in the network. The technique further involves providing an output signal having a first value when the risk score is above a predefined risk threshold to indicate that the communication is risky, and a second value which is different than the first value when the risk score is below the predefined risk threshold to indicate that the communication is not risky.

Abstract: Data driven device detection is provided, whereby a device is detected by obtaining a plurality of feature values for a given device; obtaining a set of device attributes for a plurality of potential devices; calculating a probability value that the given device is each potential device within the plurality of potential devices; identifying a candidate device associated with a maximum probability value among the calculated probability values; and labeling the given device as the candidate device if the associated maximum probability value satisfies a predefined threshold. The predefined threshold can be a function, for example, of whether the given user has previously used this device. The obtained feature values can be obtained for a selected set of features satisfying one or more predefined characteristic criteria. The device attributes can be obtained, for example, from a profile for each of the plurality of potential devices.

Abstract: Techniques are provided for evaluating compromised credential information. A method for evaluating compromised credentials comprises the steps of: collecting data regarding previously compromised credentials that were used to commit an unauthorized activity; applying one or more statistical learning methods to the collected data to identify one or more patterns; and evaluating a risk of credentials that have been compromised by one or more attackers using the identified patterns. According to a further aspect of the invention, a risk score is generated for one or more users and devices. The risk scores are optionally ordered based on an order of risk. The data can be collected, for example, from one or more of anti-fraud servers and information sources.

Abstract: An authentication method and system to combat confirmation bias provides for an authentication system that upon matching an access request to a record for a given user in an authentication system further interrogates a set of secondary sources to determine that the individual requesting access is in fact the correct user.

Abstract: Access of a client device to a protected resource is controlled by issuing an authentication information request for a dynamic sub-set of client-side storage values previously stored on the client device by one or more servers. Authentication information is received from the client device based on the dynamic sub-set of client-side storage values. The client device is authenticated based upon verification of the received authentication information. The received authentication information from the client device is optionally encrypted. The client-side storage values comprise any value stored by one or more servers on the client device. The client-side storage values are substantially specific to the client device. The client-side storage values are optionally stored as a matrix. The requested dynamic sub-set of the client-side storage values may comprise one or more cells from a plurality of records in the matrix.

Abstract: An improved technique of providing computer code to a set of client computers is disclosed. In the improved technique, a set of files is generated, each file in the set of files including computer code configured to be read by an interpreter on each client computer, the computer code in each file including a set of functions, each function in the set of functions having a name, the name of a function in the set of functions in a first file in the set of files differing from the name of a corresponding function in the set of functions in a second file in the set of files, the computer code in the first file and the computer code in the second file being constructed and arranged to produce functionally equivalent sets of computer instructions when run through the interpreter on each client computer.

Abstract: A virtual machine computing platform uses a security virtual machine (SVM) in operational communications with a risk engine which has access to a database including stored patterns corresponding to patterns of filtered operational data that are expected to be generated during operation of the monitored virtual machine when malware is executing. The stored patterns may have been generated during preceding design and training phases. The SVM is operated to (1) receive raw operational data from a virtual machine monitor, the raw operational data obtained from file system operations and network operations of the monitored virtual machine; (2) apply rule-based filtering to the raw operational data to generate filtered operational data; and (3) in conjunction with the risk engine, perform a mathematical (e.g., Bayesian) analysis based on the filtered operational data and the stored patterns in the database to calculate a likelihood that the malware is executing in the monitored virtual machine.