Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for classifying user behavior as anomalous. One of the methods includes obtaining user behavior data representing behavior of a user in a subject system. An initial model is generated from training data, the initial model having first characteristic features of the training data. A resampling model is generated from the training data and from multiple instances of the first representation for a test time period. A difference between the initial model and the resampling model is computed. The user behavior in the test time period is classified as anomalous based on the difference between the initial model and the resampling model.

Abstract: Various embodiments of methods for detecting anomalous activity in a computer network are disclosed. A method includes a computer system receiving an indication of a current session establishing a secure channel to a computing device within a network. The computer system evaluates information relating to the current session, as well as information relating to one or more other sessions. Using this information, the computing system performs monitoring to detect the presence of anomalous lateral movement within the network, for example based on detecting multiple user credentials. Based on the evaluating performed, the computer system generates a score for the current session and reports whether the score is indicative of anomalous lateral movement.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for classifying user behavior as anomalous. One of the methods includes obtaining user behavior data representing behavior of a user in a subject system. An initial model is generated from training data, the initial model having first characteristic features of the training data. A resampling model is generated from the training data and from multiple instances of the first representation for a test time period. A difference between the initial model and the resampling model is computed. The user behavior in the test time period is classified as anomalous based on the difference between the initial model and the resampling model.

Abstract: A method for the detection of multi-killchain alerts is disclosed. The method includes receiving, by a computer system, a plurality of alerts indicative of activity within a computer network, wherein a given alert specifies one or more events having attributes, and extracting attributes from events included in the plurality of alerts. The method further includes determining attribute similarity for pairs of events based on whether a given pair of events has common values for one or more attributes and whether attribute values of the given pair of events indicates lateral movement within computers of the computer network. Linked pairs are then identified based on the determined attribute similarity and added to a graph data structure. The method further includes the computer system analyzing the graph data structure to find clusters of events relating to a security attack.

Abstract: Methods, computer readable media, and devices to automatically construct kill-chain from security alerts are disclosed. One method may include collecting a plurality of security alerts, receiving a selection of a high severity security alert associated with a node and a user from among the plurality of security alerts, creating a security narrative for the high severity security alert by providing a set of historical security alerts to a deep learning architecture, the set including security alerts selected based on a relation to the node and the user, and identifying a subset of the set of historical security alerts, including security alerts relevant to the high severity security alert, in a reverse time order by the deep learning architecture, and providing the security narrative as part of a response to the high severity security alert.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for classifying user behavior as anomalous. One of the methods includes obtaining user behavior data representing behavior of a user in a subject system. An initial model is generated from training data, the initial model having first characteristic features of the training data. A resampling model is generated from the training data and from multiple instances of the first representation for a test time period. A difference between the initial model and the resampling model is computed. The user behavior in the test time period is classified as anomalous based on the difference between the initial model and the resampling model.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for classifying user behavior as anomalous. One of the methods includes obtaining user behavior data representing behavior of a user in a subject system. An initial model is generated from training data, the initial model having first characteristic features of the training data. A resampling model is generated from the training data and from multiple instances of the first representation for a test time period. A difference between the initial model and the resampling model is computed. The user behavior in the test time period is classified as anomalous based on the difference between the initial model and the resampling model.

Abstract: Techniques and architectures for privilege escalation detection. User login information for multiple users in a multiuser secure computing environment is analyzed to generate multiple user evaluations. The multiple user evaluations are analyzed to generate at least a population evaluation for the multiuser secure computing environment. Node scores are generated for nodes in the population evaluation to determine one or more entry nodes for the multiple users in the multiuser secure computing environment. The node scores are compared to one or more threshold values to determine whether the user login information corresponding to one or more of the multiple users indicates a privilege escalation condition. A security response action occurs in response to detecting a privilege escalation condition.

Abstract: Various embodiments of methods for detecting anomalous activity in a computer network are disclosed. A method includes a computer system receiving an indication of a current session establishing a secure channel to a computing device within a network. The computer system evaluates information relating to the current session, as well as information relating to one or more other sessions. Using this information, the computing system performs monitoring to detect the presence of anomalous lateral movement within the network, for example based on detecting multiple user credentials. Based on the evaluating performed, the computer system generates a score for the current session and reports whether the score is indicative of anomalous lateral movement.

Abstract: An electronic device is provided. The electronic device includes a memory, a communication circuitry, and a processor configured to transmit, a first signal for requesting to access an external device, to the external device, receive, a second signal for requesting to provide a token stored in the electronic device, from the external device, the token being generated based on at least part of a block chain including at least one block that is respectively associated with at least one external device that has been accessed by the electronic device, in response to the reception, transmit, information on the token, to the external device, receive, a third signal indicating allowed the access, from the external device, the third signal being transmitted from the external device in response to identifying, by the external device, to validate the token in all of the plurality of external devices, and access the external device based on the third signal.

Abstract: Systems, methods, and computer program products for detecting network anomalies using node scoring. A network analysis system designates each server computer in a distributed computing network as a node in a graph. The network analysis system constructs a first graph of the distributed computing network for a training period. The system then determines a respective first node score of each node. The system constructs a second graph of the distributed computing network for a test time period. The system then reduces the second graph by removing those edges from the second graph that appear in both the first graph and the second graph. The system determines a respective second node score of each node in the reduced second graph. The system computes differences between the first node scores and the second node scores. The system designates nodes associated with the highest differences as anomalous nodes.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for classifying user behavior as anomalous. One of the methods includes obtaining user behavior data representing behavior of a user in a subject system. An initial model is generated from training data, the initial model having first characteristic features of the training data. A resampling model is generated from the training data and from multiple instances of the first representation for a test time period. A difference between the initial model and the resampling model is computed. The user behavior in the test time period is classified as anomalous based on the difference between the initial model and the resampling model.

Abstract: Techniques and architectures for privilege escalation detection. User login information for multiple users in a multiuser secure computing environment is analyzed to generate multiple user evaluations. The multiple user evaluations are analyzed to generate at least a population evaluation for the multiuser secure computing environment. Node scores are generated for nodes in the population evaluation to determine one or more entry nodes for the multiple users in the multiuser secure computing environment. The node scores are compared to one or more threshold values to determine whether the user login information corresponding to one or more of the multiple users indicates a privilege escalation condition. A security response action occurs in response to detecting a privilege escalation condition.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for classifying user behavior as anomalous. One of the methods includes obtaining user behavior data representing behavior of a user in a subject system. An initial model is generated from training data, the initial model having first characteristic features of the training data. A resampling model is generated from the training data and from multiple instances of the first representation for a test time period. A difference between the initial model and the resampling model is computed. The user behavior in the test time period is classified as anomalous based on the difference between the initial model and the resampling model.

Abstract: One or more proxy logs are processed in order to generate a plurality of domain sequences. One or more domain sequences which have low support and high confidence within the plurality of domain sequences are identified. The identified domain sequences are flagged as including one or more of the following: an infected watering hole domain or an exploit kit host.

Abstract: An electronic device is provided. The electronic device includes a memory, a communication circuitry, and a processor configured to transmit, a first signal for requesting to access an external device, to the external device, receive, a second signal for requesting to provide a token stored in the electronic device, from the external device, the token being generated based on at least part of a block chain including at least one block that is respectively associated with at least one external device that has been accessed by the electronic device, in response to the reception, transmit, information on the token, to the external device, receive, a third signal indicating allowed the access, from the external device, the third signal being transmitted from the external device in response to identifying, by the external device, to validate the token in all of the plurality of external devices, and access the external device based on the third signal.

Abstract: One or more proxy logs are processed in order to generate a graph of domains, wherein those domain pairs in the graph that are connected have low support and high confidence. One or more domains within the graph that are highly connected to other domains in the graph are identified. The identified domains are flagged as suspicious domains.

Abstract: Virtual machine capacity planning techniques are disclosed. In various embodiments, a set of time series data is constructed based at least in part on virtual machine related metric values observed with respect to a virtual machine during a training period. The constructed time series data is used to build a forecast model for the virtual machine. The forecast model is used to forecast future values for one or more of the virtual machine related metrics. The forecasted future values are used to determine whether an alert condition is predicted to be met.

Abstract: Techniques to reduce false positives in detecting anomalous use of resources are disclosed. In various embodiments, resource access data indicating for each resource in a set of resources respective usage data for each of one or more users of the resource is received. Cluster analysis is performed to determine one or more clusters of users. For each cluster, a set of recommended resources to be associated with the cluster is determined. For each of at least a subset of users, a temporal behavior based model for each user that reflects one or more resources included in the set of recommended resources associated with a corresponding cluster of which the user is a member is generated.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for classifying user behavior as anomalous. One of the methods includes obtaining user behavior data representing behavior of a user in a subject system. An initial model is generated from training data, the initial model having first characteristic features of the training data. A resampling model is generated from the training data and from multiple instances of the first representation for a test time period. A difference between the initial model and the resampling model is computed. The user behavior in the test time period is classified as anomalous based on the difference between the initial model and the resampling model.