Abstract: Systems and methods are described for employing event context to improve threat detection. Systems and methods of embodiments of the disclosure measure both process deviation and path deviation to determine whether processes are benign or represent threats. Both a process deviation model and a path deviation model are deployed. The process deviation model determines the similarity of a process to past processes, and the path deviation model estimates whether processes have been called out of turn. In this manner, systems and methods of embodiments of the disclosure are able to detect both whether a process is in itself unusual, and whether it is called at an unusual time. This added context contributes to improved threat detection.

Abstract: Mapping of applications by the most common file path in which they are installed or found to be running. Embodiments of the disclosure may determine the most commonly occurring hash values appearing in events generated by a virtualized network. These most commonly occurring hash values may correspond to the hash values of file paths associated with the greatest number of detected events. The database may then be queried to determine the most commonly occurring file path for each of these hash values. A table of such most commonly occurring file paths and their associated hash values may then be compiled and stored. Use of the most commonly occurring file path in lieu of an alert's actual file path may prevent undesired or malicious processes from going undetected by simply adopting a new file path that has yet to be recognized as being associated with undesired behavior.

Abstract: An example method of classifying alerts generated by endpoints in a virtualized computing system includes: receiving, at an alert processing engine executing in the virtualized computing system, a stream of the alerts generated by security agents executing in the endpoints; extracting fields from the alerts at the alert processing engine; computing, at the alert processing engine, features from the alerts based on the fields; computing, at the alert processing engine, a plurality of model scores for each alert using the features as parametric input to a plurality of models; aggregating, by the alert processing engine, the plurality of model scores into a final score for each alert; and annotating each of the alerts with a respective final score.