Abstract: Disclosed is a scalable, graph-based approach to detecting anomalous accesses to resources in a computer network. Access events are represented as edges between resource nodes and accessing nodes (e.g., corresponding to users) in a bipartite graph, from which vector representations of the nodes that reflect the connections can be computed by graph embedding. For an access event of interest, an anomaly score may be computed based on dissimilarities, in terms of their embedding distances, between the associated accessing node and other accessing nodes that have accessed the same resource, and/or between the associated resource node and other resource nodes that have been accessed by the same accessing node.

Abstract: Disclosed are systems and methods for temporal link prediction based on (generalized) random dot product graphs (RDPGs), as well as applications of such temporal link prediction to network anomaly detection. In various embodiments, starting from a time series of adjacency matrices characterizing the evolution of the network, spectral embeddings and time-series models are used to predict estimated link probabilities for a future point in time, and the predicted link probabilities are compared against observed links to identify anomalous behavior. In some embodiments, element-wise independent models are used in the prediction to take network dynamics into account at the granularity of individual nodes or edges.

Abstract: In network security systems, graph-based techniques can be used to identify, for any given security incident including a collection of security events, other incidents that are similar. In example embodiments, similarity is determined based on graph representations of the incidents in which security events are represented as nodes, using graph matching techniques or incident thumbprints computed from node embeddings. The identified similar incidents can provide context to inform threat assessment and the selection of appropriate mitigating actions.

Abstract: Embodiments of the present disclosure provide systems, methods, and non-transitory computer storage media for identifying malicious enterprise behaviors within a large enterprise. At a high level, embodiments of the present disclosure identify sub-graphs of behaviors within an enterprise based on probabilistic and deterministic methods. For example, starting with the node or edge having the highest risk score, embodiments of the present disclosure iteratively crawl a list of neighbors associated with the nodes or edges to identify subsets of behaviors within an enterprise that indicate potentially malicious activity based on the risk scores of each connected node and edge. In another example, embodiments select a target node and traverse the connected nodes via edges until a root-cause condition is met. Based on the traversal, a sub-graph is identified indicating a malicious execution path of traversed nodes with associated insights indicating the meaning or activity of the node.

Abstract: Disclosed is a scalable, graph-based approach to detecting anomalous accesses to resources in a computer network. Access events are represented as edges between resource nodes and accessing nodes (e.g., corresponding to users) in a bipartite graph, from which vector representations of the nodes that reflect the connections can be computed by graph embedding. For an access event of interest, an anomaly score may be computed based on dissimilarities, in terms of their embedding distances, between the associated accessing node and other accessing nodes that have accessed the same resource, and/or between the associated resource node and other resource nodes that have been accessed by the same accessing node.

Abstract: Embodiments of the present disclosure provide systems, methods, and non-transitory computer storage media for identifying malicious enterprise behaviors within a large enterprise. At a high level, embodiments of the present disclosure identify sub-graphs of behaviors within an enterprise based on probabilistic and deterministic methods. For example, starting with the node or edge having the highest risk score, embodiments of the present disclosure iteratively crawl a list of neighbors associated with the nodes or edges to identify subsets of behaviors within an enterprise that indicate potentially malicious activity based on the risk scores of each connected node and edge. In another example, embodiments select a target node and traverse the connected nodes via edges until a root-cause condition is met. Based on the traversal, a sub-graph is identified indicating a malicious execution path of traversed nodes with associated insights indicating the meaning or activity of the node.

Abstract: Disclosed are systems and methods for temporal link prediction based on (generalized) random dot product graphs (RDPGs), as well as applications of such temporal link prediction to network anomaly detection. In various embodiments, starting from a time series of adjacency matrices characterizing the evolution of the network, spectral embeddings and time-series models are used to predict estimated link probabilities for a future point in time, and the predicted link probabilities are compared against observed links to identify anomalous behavior. In some embodiments, element-wise independent models are used in the prediction to take network dynamics into account at the granularity of individual nodes or edges.

Abstract: Disclosed are systems and methods for temporal link prediction based on (generalized) random dot product graphs (RDPGs), as well as applications of such temporal link prediction to network anomaly detection. In various embodiments, starting from a time series of adjacency matrices characterizing the evolution of the network, spectral embeddings and time-series models are used to predict estimated link probabilities for a future point in time, and the predicted link probabilities are compared against observed links to identify anomalous behavior. In some embodiments, element-wise independent models are used in the prediction to take network dynamics into account at the granularity of individual nodes or edges.

Abstract: In a computer network monitored for security threats, security incidents corresponding to groups of mutually related security alerts may be ranked based on values of a diversity metric computed for each incident from attribute values of an attribute, or multiple attributes, associated with the security alerts. In some embodiments, values of attribute-specific sub-metrics are determined for each incident and combined, e.g., upon conversion to p-values, into respective values of the overall diversity metric. Based on the ranking, an output may be generated. For example, a ranked list of the security incidents (or a subset thereof) may be communicated to a security administrator, and/or may trigger an automated mitigating action.

Abstract: Embodiments of the present disclosure provide systems, methods, and non-transitory computer storage media for identifying malicious enterprise behaviors within a large enterprise. At a high level, embodiments of the present disclosure identify sub-graphs of behaviors within an enterprise based on probabilistic and deterministic methods. For example, starting with the node or edge having the highest risk score, embodiments of the present disclosure iteratively crawl a list of neighbors associated with the nodes or edges to identify subsets of behaviors within an enterprise that indicate potentially malicious activity based on the risk scores of each connected node and edge. In another example, embodiments select a target node and traverse the connected nodes via edges until a root-cause condition is met. Based on the traversal, a sub-graph is identified indicating a malicious execution path of traversed nodes with associated insights indicating the meaning or activity of the node.

Abstract: Disclosed are systems and methods for temporal link prediction based on (generalized) random dot product graphs (RDPGs), as well as applications of such temporal link prediction to network anomaly detection. In various embodiments, starting from a time series of adjacency matrices characterizing the evolution of the network, spectral embeddings and time-series models are used to predict estimated link probabilities for a future point in time, and the predicted link probabilities are compared against observed links to identify anomalous behavior. In some embodiments, element-wise independent models are used in the prediction to take network dynamics into account at the granularity of individual nodes or edges.

Abstract: Described herein is a system and method for filtering content of a document (e.g., web page). Based on content of an element of a received document, using a filter a model is applied (e.g., naïve Bayes classifier) to calculate an approximate probability or score that the element comprises non-desired content. Based upon the calculated approximate probability or score, a determination is made that the element comprises non-desired content (e.g., probability greater than or equal to a threshold). An action is taken with respect to the element based upon the determination that the element comprises non-desired content. The action taken with respect to the element can include, for example, removing, blocking out, highlighting, applying an opaque filter and/or colorizing.