Abstract: Techniques are provided for data-driven ensemble-based malware detection. An exemplary method comprises obtaining a file; extracting metadata from the file; obtaining a plurality of malware detection procedures; selecting a subset of the plurality of malware detection procedures to apply to the file utilizing a likelihood that each of the plurality of malware detection procedures will result in a malware detection for the file based on the extracted metadata; applying the selected subset of the malware detection procedures to the file; and processing results of the subset of malware detection procedures using a machine learning model to determine a probability of the file being malware.

Abstract: At least one security incident indicative of at least one security event that may impact or has impacted one or more assets associated with an organization is obtained. The at least one security incident is automatically ranked based on one or more of: (i) one or more rankings associated with one or more security incidents that precede the at least one security incident in time; and (ii) one or more values attributed to the one or more assets of the organization. The ranking of the at least one security incident is presented to an entity to make an assessment of the security event.

Abstract: At least one security feed indicative of at least one security event that may impact or has impacted one or more assets associated with an organization is obtained. The at least one security feed is automatically classified as being relevant or not relevant. The at least one security feed is automatically ranked in response to the at least one security feed being classified as relevant. The ranking of the at least one security feed is presented to an entity to make an assessment of the security event.

Abstract: Techniques are provided for anomaly-based ransomware detection of encrypted files. One exemplary method comprises obtaining metadata for an encrypted file; applying an anomaly detection technique to the metadata to compare at least one attribute in the metadata to one or more corresponding historical baseline values for the at least one attribute; and determining whether the encrypted file comprises a ransomware encryption based on the comparison. In some embodiments, one or more of file extension attributes, file size attributes and file name attributes in the metadata are compared to the one or more corresponding historical baseline values to identify a ransomware attack.

Abstract: Techniques are provided for correcting sensor data in a multi-sensor environment. An exemplary method comprises obtaining sensor data from a first sensor; applying an anomaly detection technique to detect an anomaly in the sensor data from the first sensor based on additional sensor data from one or more of the first sensor and at least one additional sensor in proximity to the first sensor; and correcting the anomalous sensor data from the first sensor using additional sensor data from one or more of the first sensor and the at least one additional sensor. In some embodiments, additional sensor data from a plurality of neighboring sensors is used to predict the sensor data from the first sensor. The anomalous sensor data is optionally corrected substantially close in time to the detection of the anomaly in the sensor data.

Abstract: A customer blockchain data store is provided. An exemplary method comprises obtaining a blockchain associated with a given customer of an enterprise having multiple customer communication channels, wherein the blockchain comprises transaction data for the given customer with the customer communication channels; obtaining new transaction data for the given customer for a given one of the customer communication channels; providing the new transaction data for the given customer to additional customer communication channels; receiving a validation of the new transaction data from the additional customer communication channels based on one or more predefined validation criteria; and storing the validated new transaction data for the given customer in the blockchain associated with the given customer.

Abstract: Techniques are provided for system operational analytics using additional features over time-series counters for health score computation. An exemplary method comprises: obtaining log data from data sources of a monitored system; applying a counting function to the log data to obtain time-series counters for a plurality of distinct features within the log data; applying an additional function to the time-series counters for the plurality of distinct features; and processing an output of the additional function using a machine learning model to obtain a health score for the monitored system based on the output of the additional function.

Abstract: Techniques are provided for decompression of compressed log data, such as for a real-time viewing of compressed log data. An exemplary method comprises: obtaining a compressed log file comprised of a plurality of compressed log messages, wherein a given compressed log message is comprised of one or more message variables and a message signature corresponding to a message template of the given compressed log message; and presenting a first subset of the compressed log file by translating, in memory, the message templates of the compressed log messages within the first subset to corresponding message signatures using a decompression index that maps a plurality of the message signatures to corresponding message templates. The first subset of the compressed log file optionally comprises a predefined number of lines surrounding a requested line of the compressed log file. In further variations, at least one additional subset of the compressed log file is precomputed using the disclosed decompression techniques.

Abstract: Embodiments for finding a root cause of an anomaly in a network environment by representing assets in the network environment as respective nodes in a causal graph, wherein the nodes have a measurable quality that can be tracked and arcs between pairs of nodes represent causal relationships between nodes of the node pairs designating source nodes as processes at the top of a hierarchy of tracked processes, and sink nodes as processes at the bottom of the hierarchy and having characteristics of interest in the environment; detecting anomalies in the tracked processes embodied in the sink nodes; traversing the causal graph in a reverse order from a node in which an outlier is detected; and analyzing nodes along the traversal path to identify a node of the highest hierarchy that shows unusual behavior as the root cause.

Abstract: Example embodiments of the present invention relate to a method, an apparatus, and a computer program product for predictive behavioral analytics for information technology (IT) operations. The method includes collecting key performance indicators from a plurality of data sources in a network. The method also includes performing predictive behavioral analytics on the collected data and reporting on results of the predictive behavioral analytics.

Abstract: An automated agent for the causal mapping of complex environments. Specifically, a disclosed method and system entails the application of statistical tools, or causality tests, to measure the strength and direction of causal relations between two or more environment components. Further, the execution of the causality tests may be an offline process that may be triggered periodically to account for changes or updates to an environment over time.

Abstract: Embodiments for finding a root cause of an anomaly in a network environment by representing assets in the network environment as respective nodes in a causal graph, wherein the nodes have a measurable quality that can be tracked and arcs between pairs of nodes represent causal relationships between nodes of the node pairs designating source nodes as processes at the top of a hierarchy of tracked processes, and sink nodes as processes at the bottom of the hierarchy and having characteristics of interest in the environment; detecting anomalies in the tracked processes embodied in the sink nodes; traversing the causal graph in a reverse order from a node in which an outlier is detected; and analyzing nodes along the traversal path to identify a node of the highest hierarchy that shows unusual behavior as the root cause.

Abstract: Embodiments include detecting anomalies in an IT environment using model competition and business patterns by collecting time series data for events for the network including devices and interfaces. An analytics module uses competing time series models with customizable business patterns to find the best fit model. It analyzes the residuals of the best fitting model to find the outliers relative to normal zone data points. A user may classify a detected outlier as normal, in which case, the tracking and investigation mechanism suggests alternate business patterns to be matched against this outlier. A user interface displays a dashboard to present the user with anomalies in the chosen time series, such as in interactive graphical format.

Abstract: Embodiments for identifying significant events for finding a root cause of an anomaly collecting time series data for events for each network device by detecting an anomaly in the time series data comprising an outlier on an edge of the time series data by comparing a predicted value of the event to an actual value of the event using a selected forecasting model; declaring the event to be an anomaly at a particular time if a difference between the predicted value and actual value exceed a defined threshold based on residual values for other devices; analyzing in a combined RNN/LSTM process all events for all devices of the network within a time proximity of the particular time of the anomaly to filter usual events and rank each event relative to the anomaly; and displaying a labeled chart of the time series data showing the anomaly in a graph relative to all the events.

Abstract: An apparatus comprises a processing platform configured to implement an expert recommender engine. The expert recommender engine receives information relating to a communication from a user device, and identifies at least one subject matter expert for the communication based on the received information and unstructured text data of a service events database. The expert recommender engine is associated with a clustering module that separates the unstructured text data into topic clusters. The expert recommender engine comprises a collaborative filtering module that receives the topic clusters from the clustering module and utilizes the topic clusters to identify the subject matter expert. The user device is connected with an expert device corresponding to the identified subject matter expert. The expert recommender engine may utilize structured data, social media data and customer satisfaction survey data in combination with the received information and the topic clusters to identify the subject matter expert.

Abstract: Predicting individual drive failures is achieved using machine learning models of drive behavior history based on samples of SMART data attributes collected over distinct time-periods. The drive behavior history is a historical feature added to drive features modeled based on a last sample of SMART data attributes. The drive behavior history feature is used in successive modeling of drive behavior history to increase accuracy in predicting an individual drive's failure over time. Consecutive individual drive failure predictions are aggregated to further increase accuracy in predicting an individual drive's failure. In one embodiment, the system models drive behavior history and other drive features using a machine learning model. Individual drives classified as predicted to fail within a certain period of time are incorporated into a drive replacement strategy that factors in a field-based replacement cost associated with the drive.