Abstract: Machine learning techniques can be used to train a classifier, in some embodiments, to accurately detect similarities between different records of user activity for a same user. When more recent data is received, newer data can be analyzed by selectively removing particular sub-groups of data to see if there is any particular data that accounts for a large difference (e.g. when run through a classifier that has been trained to produce similar results for known activity data from a same user). If a sub-group of data is identified as being significantly different from other user data, this may indicate an account breach. Advanced machine learning techniques described herein may be applicable to a variety of different environments.

Abstract: Anomalies in a data set may be difficult to detect when individual items are not gross outliers from a population average. Disclosed is an anomaly detector that includes neural networks such as an auto-encoder and a discriminator. The auto-encoder and the discriminator may be trained on a training set that does not include anomalies. During training, an auto-encoder generates an internal representation from the training set, and reconstructs the training set from the internal representation. The training continues until data loss in the reconstructed training set is below a configurable threshold. The discriminator may be trained until the internal representation is constrained to a multivariable unit normal. Once trained, the auto-encoder and discriminator identify anomalies in the evaluation set. The identified anomalies in an evaluation set may be linked to transaction, security breach or population trends, but broadly, disclosed techniques can be used to identify anomalies in any suitable population.

Abstract: Methods and systems for creating and analyzing low-dimensional representation of webpage sequences are described. Network traffic history data associated with a particular website is retrieved and a word embedding algorithm is applied to the network traffic history data to produce a low dimensional embedding. A prediction model is created based on the low-dimensional embedding. Browsing activity on the particular website is monitored. A set of sessions in the current browsing activity is flagged based on a result of applying the prediction model to the monitored browsing activity.

Abstract: Methods and systems for creating and analyzing low-dimensional representation of webpage sequences are described. Network traffic history data associated with a particular website is retrieved and a word embedding algorithm is applied to the network traffic history data to produce a low dimensional embedding. A prediction model is created based on the low-dimensional embedding. Browsing activity on the particular website is monitored. A set of sessions in the current browsing activity is flagged based on a result of applying the prediction model to the monitored browsing activity.

Abstract: Systems and methods for detecting data exfiltration using domain name system (DNS) queries include, in various embodiments, performing operations that include parsing a DNS query to determine whether that DNS query is likely to contain hidden data that is being exfiltrated from a system or network. Statistical methods can be used to analyze the DNS query to determine a likelihood whether each of a plurality of segments of the DNS query are indicative of data exfiltration methods. If one or multiple DNS queries are deemed suspicious based on the analysis, a security action on the DNS query can be performed, including sending an alert and/or blocking the DNS query from being forwarded.

Abstract: The systems and methods that detect a malicious process using count vectors are provided. Count vectors store a number and types of system calls that a process executed in a configurable time interval. The count vectors are provided to a temporal convolution network and a spatial convolution network. The temporal convolution network generates a temporal output by passing the count vectors through temporal filters that identify temporal features of the process. The spatial convolution network generates a spatial output by passing the count vectors through spatial filters that identify spatial features of the process. The temporal output and the spatial output are merged into a summary representation of the process. The malware detection system uses the summary representation to determine that the process as a malicious process.

Abstract: A system for predicting that a user session will be fraudulent. The system can analyze an incomplete session and determine the likelihood that the session is fraudulent or not by generating completed sessions based on the incomplete session.

Abstract: Methods and systems for creating and analyzing low-dimensional representation of webpage sequences are described. Network traffic history data associated with a particular website is retrieved and a word embedding algorithm is applied to the network traffic history data to produce a low dimensional embedding. A prediction model is created based on the low-dimensional embedding. Browsing activity on the particular website is monitored. A set of sessions in the current browsing activity is flagged based on a result of applying the prediction model to the monitored browsing activity.

Abstract: The systems and methods that detect a malicious process using count vectors are provided. Count vectors store a number and types of system calls that a process executed in a configurable time interval. The count vectors are provided to a temporal convolution network and a spatial convolution network. The temporal convolution network generates a temporal output by passing the count vectors through temporal filters that identify temporal features of the process. The spatial convolution network generates a spatial output by passing the count vectors through spatial filters that identify spatial features of the process. The temporal output and the spatial output are merged into a summary representation of the process. The malware detection system uses the summary representation to determine that the process as a malicious process.

Abstract: Anomalies in a data set may be difficult to detect when individual items are not gross outliers from a population average. Disclosed is an anomaly detector that includes neural networks such as an auto-encoder and a discriminator. The auto-encoder and the discriminator may be trained on a training set that does not include anomalies. During training, an auto-encoder generates an internal representation from the training set, and reconstructs the training set from the internal representation. The training continues until data loss in the reconstructed training set is below a configurable threshold. The discriminator may be trained until the internal representation is constrained to a multivariable unit normal. Once trained, the auto-encoder and discriminator identify anomalies in the evaluation set. The identified anomalies in an evaluation set may be linked to transaction, security breach or population trends, but broadly, disclosed techniques can be used to identify anomalies in any suitable population.

Abstract: Systems and methods for detecting data exfiltration using domain name system (DNS) queries include, in various embodiments, performing operations that include parsing a DNS query to determine whether that DNS query is likely to contain hidden data that is being exfiltrated from a system or network. Statistical methods can be used to analyze the DNS query to determine a likelihood whether each of a plurality of segments of the DNS query are indicative of data exfiltration methods. If one or multiple DNS queries are deemed suspicious based on the analysis, a security action on the DNS query can be performed, including sending an alert and/or blocking the DNS query from being forwarded.

Abstract: Machine learning techniques can be used to train a classifier, in some embodiments, to accurately detect similarities between different records of user activity for a same user. When more recent data is received, newer data can be analyzed by selectively removing particular sub-groups of data to see if there is any particular data that accounts for a large difference (e.g. when run through a classifier that has been trained to produce similar results for known activity data from a same user). If a sub-group of data is identified as being significantly different from other user data, this may indicate an account breach. Advanced machine learning techniques described herein may be applicable to a variety of different environments.

Abstract: A system for predicting that a user session will be fraudulent. The system can analyze an incomplete session and determine the likelihood that the session is fraudulent or not by generating completed sessions based on the incomplete session.