Abstract: Technologies for generating a graphical user interface (GUI) dashboard with a three-dimensional (3D) grid of unit cells are described. An anomaly statistic can be determined for a set of records. A subset of network address identifiers can be identified and sorted according to the anomaly statistic. The subset can have higher anomaly statistics than other network address identifiers. There can be a maximum number in the subset. The GUI dashboard is generated with unit cells organized by the subset of network address identifiers as rows, time intervals as columns, colors as a configurable anomaly score indicator, and a number of network access events as column heights. Each unit cell is a colored, 3D visual object representing a composite score of anomaly scores associated with zero or more network access events corresponding to the respective network address identifier at the respective time interval. The GUI dashboard is rendered on a display.

Abstract: Technologies for generating a set of models for each account, where each model is a fine-grained, unsupervised behavior model trained for each user to monitor and detect anomalous patterns are described. An unsupervised training pipeline can generate user models, each being associated with one of multiple accounts and is trained to detect an anomalous pattern using feature data associated with the one account. Each account is associated with at least one of a user, a machine, or a service. An inference pipeline can detect a first anomalous pattern in first data associated with a first account using a first user model. The inference pipeline can detect a second anomalous pattern in second data associated with a second account using a second user model.

Abstract: Technologies for batching remote descriptors of serialized objects in streaming pipelines are described. One method of a first computing device generates a streaming batch of remote descriptors. Each remote descriptor uniquely identifies a contiguous block of a serialized object. The first computing device sends at least one of the remote descriptors to a second computing device before the streaming batch is completed. At least some contents of a contiguous block are obtained for storage at a second memory associated with the second computing device before the streaming batch is completed.

Abstract: Technologies for enabling downstream components to update upstream states in streaming pipelines are described. One method of a first computing device receives a remote promise object assigned to a first serialized object from a second computing device in the data center over a network fabric. The remote promise object uniquely identifies a first contiguous block of the first serialized object stored in a memory associated with the second computing device. The method obtains contents of the first contiguous block and sends contents of a second serialized object back to the second computing device to release the remote promise object.

Abstract: Technologies for enabling remote direct memory access (RDMA) transport of serialized objects in streaming pipelines are described. One method of a first computing device that stores a serialized object in a first memory can generate a remote descriptor associated with the serialized object. The remote descriptor uniquely identifies the location of the serialized object and a reference count token. The first computing device sends the remote descriptor to a second computing device in the data center over a network fabric. The second computing device uses the remote descriptor to obtain the contiguous block from the first memory for storage at a second memory associated with the second computing device. The value of the reference count token can be updated by receiving a message from the second computing device, and the remote descriptor can be released responsive to the value of the reference count token satisfying a threshold value.

Abstract: Apparatuses, systems, and techniques for detecting that a host device is subject to a malicious network attack using a machine learning (ML) detection system are described. A computing system includes a graphics processing unit (GPU) and an integrated circuit with a network interface, and a hardware acceleration engine. The integrated circuit hosts a hardware-accelerated security service to extract features from network data and metadata from the hardware acceleration engine and sends the extracted features to the GPU. Using the ML detection system, the GPU determines whether the host device is subject to a malicious network attack using the extracted features. The GPU can send an enforcement rule to the integrated circuit responsive to a determination that the host device is subject to the malicious network activity.

Abstract: Apparatuses, systems, and techniques for classifying a candidate uniform resource locator (URL) as malicious using a machine learning (ML) detection system. An integrated circuit is coupled to physical memory of a host device via a host interface. The integrated circuit hosts a hardware-accelerated security service to protect one or more computer programs executed by the host device. The security service extracts a set of features from data stored in the physical memory, the data being words in a candidate URL and numeric features of a URL structure of the candidate URL. The security service classifies, using the ML detection system, the candidate URL as malicious or benign using the set of features. The security service outputs an indication of a malicious URL responsive to the candidate URL being classified as malicious.

Abstract: Apparatuses, systems, and techniques for detecting that one or more computer programs executed by a host device are subject to malicious activity using a machine learning (ML) detection system. An integrated circuit is coupled to physical memory of a host device via a host interface. The integrated circuit hosts a hardware-accelerated security service to protect one or more computer programs executed by the host device. The security service extracts a set of features from data stored in the physical memory, the data being associated with the one or more computer programs. The security service determines, using the ML detection system, whether the one or more computer programs are subject to malicious activity based on the set of features. The security service outputs an indication of the malicious activity responsive to a determination that the one or more computer programs are subject to the malicious activity.

Abstract: Apparatuses, systems, and techniques for classifying one or more computer programs executed by a host device as being ransomware using a machine learning (ML) detection system. An integrated circuit is coupled to physical memory of a host device via a host interface. The integrated circuit hosts a hardware-accelerated security service to protect one or more computer programs executed by the host device. The security service obtains a series of snapshots of data stored in the physical memory and extracts a set of features from each snapshot of the series of snapshots, each snapshot representing the data at a point in time. The security service classifies a process of the one or more computer programs as ransomware or non-ransomware using the set of features and outputs an indication of ransomware responsive to the process being classified as ransomware.

Abstract: Apparatuses, systems, and techniques for classifying one or more candidate uniform resource locators (URLs) as having a domain generation algorithm (DGA) domain using a machine learning (ML) detection system. An integrated circuit is coupled to physical memory of a host device via a host interface. The integrated circuit hosts a hardware-accelerated security service to protect one or more computer programs executed by the host device. The security service extracts a set of features from data stored in the physical memory, the data being domain characters in one or more candidate URLs. The security service classifies, using the ML detection system, the one or more candidate URLs as having a DGA domain or a non-DGA domain using the set of features. The security service outputs an indication of a DGA malware responsive to the one or more candidate URLs being classified as having the DGA domain.

Abstract: A system and method may determine if a class of process (e.g. NN execution, cryptocurrency mining, graphic processing) is executing on a processor, or which class is executing, by calculating or determining features from execution telemetry or measurements collected from processors executing processes, and determining from at least a subset of the features the likelihood that the processor is executing the class of process. Execution telemetry may include data regarding or describing the execution of the process, or describing hardware used to execute the process, such as processor temperature, memory usage, etc.