Abstract: Embodiments described herein are directed to generating a machine learning (ML) model. A plurality of vectors are accessed, each vector of the plurality of vectors including a first set of features associated with a corresponding data item. A second set of features is identified by expanding the first set of features. A ML model is trained using vectors including the expanded set of features, and it is determined that an accuracy of the ML model trained using the vectors increased. A third set of features is identified by determining a measure of importance for different subsets of features in the second set and replacing subsets having a low measure of importance with new features. A ML model is trained using vectors that include the third set, and it is determined that an accuracy of the model increased due to the replacing.

Abstract: A method and system for determining abnormal configuration of network objects deployed in a cloud computing environment are provided. The method includes collecting network object data on a plurality of network objects deployed in the cloud computing environment; constructing a network graph based on the collected network object data, wherein the network graph includes a visual representation of network objects identified in the cloud computing environment; determining relationships between the identified network objects in the network graph, wherein the determined relationships between the identified network objects includes descriptions of connections between the identified network objects; and analyzing the network graph and the determined relationships to generate insights, wherein the generated insights include at least a list of abnormal connections between the identified network objects.

Abstract: Embodiments described herein are directed to generating a machine learning (ML) model. A plurality of vectors are accessed, each vector of the plurality of vectors including a first set of features associated with a corresponding data item. A second set of features is identified by expanding the first set of features. A ML model is trained using vectors including the expanded set of features, and it is determined that an accuracy of the ML model trained using the vectors increased. A third set of features is identified by determining a measure of importance for different subsets of features in the second set and replacing subsets having a low measure of importance with new features. A ML model is trained using vectors that include the third set, and it is determined that an accuracy of the model increased due to the replacing.

Abstract: A method and system for cataloging network objects in a cloud environment are presented. The system includes collecting at least network object data on a plurality of network objects operable in a cloud environment, wherein the plurality of network objects are operable at different layers of the cloud environment; identifying the plurality of network objects operable in the cloud environment; constructing at least a network graph based on the identified network objects; determining relationships between the identified network objects in the at least a network graph; generating at least an insight for least one of the identified network objects, wherein the insight is generated in response to the network graph and the determined relationships; and tagging each of the plurality of network objects for which an insight is generated.

Abstract: Providing fluid external access to a resource that is internal to a network from external to that network. From within the network, the internal user simply provides an internal identifier, and the external user accesses not the internal identifier, but an external uniform resource identifier (URL) that the external user can simply select to obtain access to the internal resource of the network. This is accomplished by translating the internal identifier to an external URL having a proxy server as its domain name. When the external URL selects the URL, a request with that external URL is made to the proxy server, which translates the external URL back to the internal identifier, and coordinates with the network to obtain the resource for the external user.

Abstract: Computer interfaces are provided for managing and deploying contextually relevant event canvases based on entity roles. Some systems are configured for identifying events and generating contextually relevant canvases associated with those events, which are contextually based on roles assigned to the events. A master canvas is also provided for facilitating navigation between the various canvases and to assign roles to the canvases, as well as for facilitating management configuration of the canvases. The master canvas includes a tabbed interface that allows navigation, configuration, and insight into the various canvases.

Abstract: A method and proxy device for securing an access to a cloud-based application are presented. In an embodiment, the method includes receiving an authentication token that includes an identity of a user of a client device requesting an access to the cloud-based application. The method further includes receiving, from an agent executed in the client device, a client certificate; retrieving, from a compliance server, a device posture of the client device, wherein the device posture is retrieved respective of the received client certificate; identifying an access policy for the client device to access the cloud-based application, and determining whether to grant an access to the cloud-based application based in part on the compliance of the client device with the identified access policy. In an embodiment, the access policy is identified based at least on the retrieved device posture.

Abstract: Methods, systems and computer program products are described to improve machine learning (ML) model-based classification of data items by identifying and removing inaccurate training data. Inaccurate training samples may be identified, for example, based on excessive variance in vector space between a training sample and a mean of category training samples, and based on a variance between an assigned category and a predicted category for a training sample. Suspect or erroneous samples may be selectively removed based on, for example, vector space variance and/or prediction confidence level. As a result, ML model accuracy may be improved by training on a more accurate revised training set. ML model accuracy may (e.g., also) be improved, for example, by identifying and removing suspect categories with excessive (e.g., weighted) vector space variance. Suspect categories may be retained or revised. Users may (e.g., also) specify a prediction confidence level and/or coverage (e.g., to control accuracy).

Abstract: Embodiments described herein are directed to generating a machine learning (ML) model. A plurality of vectors are accessed, each vector of the plurality of vectors including a first set of features associated with a corresponding data item. A second set of features is identified by expanding the first set of features. A ML model is trained using vectors including the expanded set of features, and it is determined that an accuracy of the ML model trained using the vectors increased. A third set of features is identified by determining a measure of importance for different subsets of features in the second set and replacing subsets having a low measure of importance with new features. A ML model is trained using vectors that include the third set, and it is determined that an accuracy of the model increased due to the replacing.

Abstract: Embodiments described herein are directed to improving machine learning (ML) model-based techniques for automatically labeling data items based on identifying and resolving labels that are problematic. An ML model may be trained to predict labels for any given data item. The ML model may be validated to determine a confusion metric with respect to each distinct pair of labels predicted by the ML model. Each confusion metric indicates how a particular label is being mistaken for another particular label. The confusion metrics are analyzed to determine whether any of the ML model-generated labels are problematic (e.g., a label conflicts with another label, a label that is rarely predicted, a label that is incorrectly predicted, etc.). Steps for resolving the problematic labels are implemented, and the ML model is retrained based on the resolution steps. By doing so, the ML model generates a more accurate label for a data item.

Abstract: Providing fluid external access to a resource that is internal to a network from external to that network. From within the network, the internal user simply provides an internal identifier, and the external user accesses not the internal identifier, but an external uniform resource identifier (URL) that the external user can simply select to obtain access to the internal resource of the network. This is accomplished by translating the internal identifier to an external URL having a proxy server as its domain name. When the external URL selects the URL, a request with that external URL is made to the proxy server, which translates the external URL back to the internal identifier, and coordinates with the network to obtain the resource for the external user.

Abstract: Computer interfaces are provided for accessing and displaying content from disparate and remotely connected computer systems and that can be used for facilitating collaboration and visualization of physical and cloud resources for distributed event management. Systems are provided for generating, modifying, deploying, accessing, and otherwise managing the computer interfaces. Templates are used to build canvas interfaces that are contextually relevant for different entities based on the context of associated events and assigned roles of the entities with respect to the different events. The canvas interfaces can be used to access and orchestrate resources associated with the different events.

Abstract: Mitigating false positives for impossible travel alerts. A first user access location for a user is provided, for a first user access of computing resources identified using a first identification process, to a user behavior analytics service. The first identification process identifies a real world indicator of location for a device associated with the first user access. A second user location is provided for the user, for a second user access of computing resources, to the user behavior analytics service, using a second identification process. The second identification process identifies a location associated with an egress point to which communication to and from a device is routed to access computing resources, such that the user behavior analytics service receives a location associated with the egress point as the second user location. At the user behavior analytics service, the second user location is filtered from being used for impossible travel detection.

Abstract: Computer interfaces are provided for managing and deploying contextually relevant event canvases based on entity roles. Some systems are configured for identifying events and generating contextually relevant canvases associated with those events, which are contextually based on roles assigned to the events. A master canvas is also provided for facilitating navigation between the various canvases and to assign roles to the canvases, as well as for facilitating management configuration of the canvases. The master canvas includes a tabbed interface that allows navigation, configuration, and insight into the various canvases.

Abstract: Computer interfaces are provided for dynamically binding event data with standard operating procedures. Systems are provided for identifying an event and an event context from received event data streams. Procedures are generated that are related to the context of the event. Content tiles that include event data streams are then dynamically bound to the procedures in a way that allows content tiles to be surfaced or modified when the procedures utilized. Systems are also configured for dynamically updating procedures based on detecting a change in the context of an underlying event.

Abstract: Computer interfaces are provided for accessing and displaying content from disparate and remotely connected computer systems and that can be used for facilitating collaboration and visualization of physical and cloud resources for distributed event management. Systems are provided for generating, modifying, deploying, accessing, and otherwise managing the computer interfaces. Templates are used to build canvas interfaces that are contextually relevant for different entities based on the context of associated events and assigned roles of the entities with respect to the different events. The canvas interfaces can be used to access and orchestrate resources associated with the different events.

Abstract: A method and system for protecting cloud-based applications executed in a cloud computing platform are presented. The method includes intercepting traffic flows from a plurality of client devices to the cloud computing platform, wherein each of the plurality of client devices is associated with a user attempting to access a cloud-based application; extracting at least one parameter from the intercepted traffic related to at least each client device and a respective user attempting to access the cloud-based application; determining based on, the at least one parameter and at least a set of parameters combining cloud-based application risk factors for a provider of the cloud computing platform, a risk indicator for the user attempting to access the cloud-based application; and performing an action to mitigate a potential risk to the cloud computing platform based on the determined risk indicator.

Abstract: Mitigating false positives for impossible travel alerts. A first user access location for a user is provided, for a first user access of computing resources identified using a first identification process, to a user behavior analytics service. The first identification process identifies a real world indicator of location for a device associated with the first user access. A second user location is provided for the user, for a second user access of computing resources, to the user behavior analytics service, using a second identification process. The second identification process identifies a location associated with an egress point to which communication to and from a device is routed to access computing resources, such that the user behavior analytics service receives a location associated with the egress point as the second user location. At the user behavior analytics service, the second user location is filtered from being used for impossible travel detection.

Abstract: Techniques for reconstructing application-layer traffic flowing between client devices and a cloud computing platform are provided. In an embodiment, the method allows for non-intrusive reconstructing application-layer traffic including requests and responses even in cases including packet drops, re-transmitted packets, and jittered packets. The method includes saving received packets into a zero-copy queue and analyzing the packets saved in the zero-copy memory to identify their respective sessions. Then, each identified session is reconstructed into a session window having a configurable size. In an embodiment, each reconstructed session includes application-layer requests and responses; The method further includes for, each identified session, matching each application-layer request to a corresponding application-layer response based on a matching identifier and time-interval threshold.

Abstract: A method and proxy device for detecting cyber threats against cloud-based application are presented. The method includes receiving a request from a client device, the request directed to a cloud-based application computing platform, wherein the client device is associated with a user attempting to access the cloud-based application; determining whether the received request belongs to a current session of the client device accessing the cloud-based application; extracting, from the received request, at least one application-layer parameter of the current session; comparing the at least one extracted application-layer parameter to application-layer parameters extracted from previous sessions to determine at least one risk factor; and computing a risk score based on the determined at least one risk factor, wherein the risk score is indicative of a potential cyber threat.