Patents by Inventor Barak Raz

Barak Raz has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230300155
    Abstract: The disclosure herein describes automatically performing security operations associated with a client system based on aggregated event impact scores of computing events during a rolling time interval. Event data is obtained, wherein the event data is from a plurality of computing devices of the client system associated with computing events occurring during a time interval after an endpoint of the rolling time interval. Event impact scores are calculated for the computing events of the obtained event data over the time interval based at least on cardinality estimation. The calculated event impact scores are merged into the set of aggregated event impact scores associated with the rolling time interval and event impact scores associated with an expired time interval are removed from the set of aggregated event impact scores. Based on the set of aggregated event impact scores, at least one security operation is performed for at least one computing event.
    Type: Application
    Filed: May 23, 2023
    Publication date: September 21, 2023
    Inventors: Zhen MO, Ereli ERAN, Barak RAZ, Vijay GANTI
  • Patent number: 11729207
    Abstract: The disclosure provides an approach for detecting and preventing attacks in a network. Embodiments include determining a plurality of network behaviors of a process by monitoring the process. Embodiments include generating a plurality of intended states for the process based on subsets of the plurality of network behaviors. Embodiments include determining a plurality of intended state clusters by applying a clustering technique to the plurality of intended states. Embodiments include determining a state of the process. Embodiments include identifying a given cluster of the plurality of intended state clusters that corresponds to the state of the process. Embodiments include selecting a novelty detection technique based on a size of the given cluster. Embodiments include using the novelty detection technique to determine, based on the given cluster and the state of the process, whether to generate a security alert for the process.
    Type: Grant
    Filed: June 12, 2020
    Date of Patent: August 15, 2023
    Assignee: VMWARE, INC.
    Inventors: Zhen Mo, Vijay Ganti, Debessay Fesehaye Kassa, Barak Raz, Honglei Li
  • Patent number: 11689545
    Abstract: The disclosure herein describes automatically performing security operations associated with a client system based on aggregated event impact scores of computing events during a rolling time interval. Event data is obtained, wherein the event data is from a plurality of computing devices of the client system associated with computing events occurring during a time interval after an endpoint of the rolling time interval. Event impact scores are calculated for the computing events of the obtained event data over the time interval based at least on cardinality estimation. The calculated event impact scores are merged into the set of aggregated event impact scores associated with the rolling time interval and event impact scores associated with an expired time interval are removed from the set of aggregated event impact scores. Based on the set of aggregated event impact scores, at least one security operation is performed for at least one computing event.
    Type: Grant
    Filed: January 16, 2021
    Date of Patent: June 27, 2023
    Assignee: VMware, Inc.
    Inventors: Zhen Mo, Ereli Eran, Barak Raz, Vijay Ganti
  • Patent number: 11645339
    Abstract: Certain aspects of the present disclosure relate to methods and systems for evaluating a first command line interface (CLI) input of a process. The method comprises examining the first CLI input and selecting a first clustering model corresponding to the process, wherein the first clustering model is created based on a first clustering configuration and a first feature type combination. The method further comprises creating a first feature combination for the first CLI input based on the first feature type combination, evaluating the first CLI input using the first clustering model and the first feature combination, wherein the evaluating further comprises determining a similarity score corresponding to a similarity between the first feature combination and the one or more clusters, and determining whether or not the first CLI input corresponds to normal behavior based on the similarity score.
    Type: Grant
    Filed: July 3, 2019
    Date of Patent: May 9, 2023
    Assignee: VMWARE, INC.
    Inventors: Barak Raz, Vamsi Akkineni
  • Patent number: 11449638
    Abstract: Examples herein disclose via use of a physical processor, detecting a specific application programming interface (API) call to interact with an application running on a production server. Based on the detection of the specific API call, the examples assist, using the physical processor, a scanning session based on the specific API call. Using the physical processor, the examples identify a modification to the application based on the scanning session.
    Type: Grant
    Filed: March 18, 2016
    Date of Patent: September 20, 2022
    Assignee: MICRO FOCUS LLC
    Inventors: Ming Sum Sam Ng, Sasi Siddharth Muthurajan, Barak Raz
  • Patent number: 11431792
    Abstract: In some examples, an alert relating to an issue in a computing arrangement is received. Contextual information is determined for the alert, the determined contextual information comprising spatial and temporal distributions of previous instances of the alert or similar alerts. The contextual information is communicated for use in addressing the issue in the computing arrangement.
    Type: Grant
    Filed: January 31, 2017
    Date of Patent: August 30, 2022
    Assignee: Micro Focus LLC
    Inventors: Manish Marwah, Renato Keshet, Barak Raz, Brent James Miller
  • Publication number: 20220232032
    Abstract: The disclosure herein describes automatically performing security operations associated with a client system based on aggregated event impact scores of computing events during a rolling time interval. Event data is obtained, wherein the event data is from a plurality of computing devices of the client system associated with computing events occurring during a time interval after an endpoint of the rolling time interval. Event impact scores are calculated for the computing events of the obtained event data over the time interval based at least on cardinality estimation. The calculated event impact scores are merged into the set of aggregated event impact scores associated with the rolling time interval and event impact scores associated with an expired time interval are removed from the set of aggregated event impact scores. Based on the set of aggregated event impact scores, at least one security operation is performed for at least one computing event.
    Type: Application
    Filed: January 16, 2021
    Publication date: July 21, 2022
    Inventors: Zhen MO, Ereli ERAN, Barak RAZ, Vijay GANTI
  • Patent number: 11240256
    Abstract: In some examples, a plurality of alerts relating to issues in a computing arrangement are received, where the plurality of alerts are generated based on events in the computing arrangement. A subset of the plurality of alerts is grouped into a bundle of alerts, the grouping being based on a criterion. The bundle of alerts is communicated to cause processing of the alerts in the bundle of alerts together.
    Type: Grant
    Filed: January 31, 2017
    Date of Patent: February 1, 2022
    Assignee: Micro Focus LLC
    Inventors: Tomasz Jaroslaw Bania, William G. Horne, Renato Keshet, Pratyusa K. Manadhata, Manish Marwah, Brent James Miller, Barak Raz, Tomas Sander
  • Publication number: 20220027409
    Abstract: An example method of representing a selected entity in a plurality of entities in a computing system includes: obtaining a graph representation of the plurality of entities, the graph representation having nodes and edges representing a hierarchy of the plurality of entities; extracting a set of paths from the graph representation, each path in the set of paths including a series of edge-connected nodes in the graph representation; processing the set of paths to generate a vector representation of the selected entity, the vector representation having a plurality of elements representing a context of the selected entity within the graph representation; and providing the vector representation as input to an application executing in the computing system.
    Type: Application
    Filed: July 23, 2020
    Publication date: January 27, 2022
    Inventors: Srilakshmi LINGAMNENI, Barak RAZ, Bin ZAN, Zhen MO, Vijay GANTI
  • Publication number: 20210392160
    Abstract: The disclosure provides an approach for detecting and preventing attacks in a network. Embodiments include determining a plurality of network behaviors of a process by monitoring the process. Embodiments include generating a plurality of intended states for the process based on subsets of the plurality of network behaviors. Embodiments include determining a plurality of intended state clusters by applying a clustering technique to the plurality of intended states. Embodiments include determining a state of the process. Embodiments include identifying a given cluster of the plurality of intended state clusters that corresponds to the state of the process. Embodiments include selecting a novelty detection technique based on a size of the given cluster. Embodiments include using the novelty detection technique to determine, based on the given cluster and the state of the process, whether to generate a security alert for the process.
    Type: Application
    Filed: June 12, 2020
    Publication date: December 16, 2021
    Inventors: Zhen MO, Vijay GANTI, Debessay Fesehaye KASSA, Barak RAZ, Honglei LI
  • Patent number: 11108794
    Abstract: Systems and methods for identifying, in a domain name, n-grams that do not appear in words of a given language, where n is greater than two are disclosed. The disclosed systems and methods may include comparing a value based on a number of the identified n-grams to a threshold and indicating that the domain name is potentially generated by malware in response to the value having a specified relationship with respect to the threshold.
    Type: Grant
    Filed: January 31, 2018
    Date of Patent: August 31, 2021
    Assignee: MICRO FOCUS LLC
    Inventors: Pratyusa K. Manadhata, Kyle Williams, Barak Raz, Martin Arlitt
  • Patent number: 10965697
    Abstract: In some examples, a system counts a number of digits in a domain name. The system compares a value based on the number of digits to a threshold, and indicates that the domain name is potentially generated by malware in response to the value having a specified relationship with respect to the threshold.
    Type: Grant
    Filed: January 31, 2018
    Date of Patent: March 30, 2021
    Assignee: MICRO FOCUS LLC
    Inventors: Pratyusa K. Manadhata, Kyle Williams, Barak Raz, Martin Arlitt
  • Patent number: 10911481
    Abstract: In some examples, for a device that transmitted domain names, a system determines a dissimilarity between the domain names, compares a value derived from the determined dissimilarity to a threshold, and identifies the device as malware infected in response to the comparing.
    Type: Grant
    Filed: January 31, 2018
    Date of Patent: February 2, 2021
    Assignee: MICRO FOCUS LLC
    Inventors: Pratyusa K. Manadhata, Kyle Williams, Barak Raz, Martin Arlitt
  • Publication number: 20210004408
    Abstract: Certain aspects of the present disclosure relate to methods and systems for evaluating a first command line interface (CLI) input of a process. The method comprises examining the first CLI input and selecting a first clustering model corresponding to the process, wherein the first clustering model is created based on a first clustering configuration and a first feature type combination. The method further comprises creating a first feature combination for the first CLI input based on the first feature type combination, evaluating the first CLI input using the first clustering model and the first feature combination, wherein the evaluating further comprises determining a similarity score corresponding to a similarity between the first feature combination and the one or more clusters, and determining whether or not the first CLI input corresponds to normal behavior based on the similarity score.
    Type: Application
    Filed: July 3, 2019
    Publication date: January 7, 2021
    Inventors: Barak RAZ, Vamsi AKKINENI
  • Publication number: 20200293673
    Abstract: Examples herein disclose via use of a physical processor, detecting a specific application programming interface (API) call to interact with an application running on a production server. Based on the detection of the specific API call, the examples assist, using the physical processor, a scanning session based on the specific API call. Using the physical processor, the examples identify a modification to the application based on the scanning session.
    Type: Application
    Filed: March 18, 2016
    Publication date: September 17, 2020
    Inventors: Ming Sum Sam Ng, Sasi Siddharth Muthurajan, Barak Raz
  • Patent number: 10681069
    Abstract: A technique includes processing domain name system queries generated by a host to identify a subset of the queries for which domain names were not resolved. The technique includes using a time-based analysis to detect domain generation algorithm-based malware communications by the host, including detecting malicious communications by the host based at least in part on a number of the queries of the identified subset and a time span within which the queries of the subset were generated.
    Type: Grant
    Filed: January 19, 2017
    Date of Patent: June 9, 2020
    Assignee: MICRO FOCUS LLC
    Inventors: Barak Raz, Sasi Siddharth Muthurajan
  • Publication number: 20190238562
    Abstract: In some examples, for a device that transmitted domain names, a system determines a dissimilarity between the domain names, compares a value derived from the determined dissimilarity to a threshold, and identifies the device as malware infected in response to the comparing.
    Type: Application
    Filed: January 31, 2018
    Publication date: August 1, 2019
    Inventors: Pratyusa K. Manadhata, Kyle Williams, Barak Raz, Martin Arlitt
  • Publication number: 20190238572
    Abstract: In some examples, a system identifies, in a domain name, n-grams that do not appear in words of a given language, where n is greater than two. The system compares a value based on a number of the identified n-grams to a threshold, and indicates that the domain name is potentially generated by malware in response to the value having a specified relationship with respect to the threshold.
    Type: Application
    Filed: January 31, 2018
    Publication date: August 1, 2019
    Inventors: Pratyusa K. Manadhata, Kyle Williams, Barak Raz, Martin Arlitt
  • Publication number: 20190238573
    Abstract: In some examples, a system counts a number of digits in a domain name. The system compares a value based on the number of digits to a threshold, and indicates that the domain name is potentially generated by malware in response to the value having a specified relationship with respect to the threshold.
    Type: Application
    Filed: January 31, 2018
    Publication date: August 1, 2019
    Inventors: Pratyusa K. Manadhata, Kyle Williams, Barak Raz, Martin Arlitt
  • Publication number: 20180219876
    Abstract: In some examples, an alert relating to an issue in a computing arrangement is received. Contextual information is determined for the alert, the determined contextual information comprising spatial and temporal distributions of previous instances of the alert or similar alerts. The contextual information is communicated for use in addressing the issue in the computing arrangement.
    Type: Application
    Filed: January 31, 2017
    Publication date: August 2, 2018
    Inventors: Manish Marwah, Renato Keshet, Barak Raz, Brent James Miller