Abstract: In one example, the present disclosure describes various methods, computer-readable media, and apparatuses for supporting social engineering attack prevention based on early detection and remediation of various types of social engineering attacks which may be initiated within various contexts. In one example, supporting social engineering attack prevention may include identifying a workflow to be protected, identifying, for the workflow, a set of valid resources of the workflow where the set of valid resources includes a set of artifacts and a set of templates, identifying, from a dataset associated with the workflow and based on the set of artifacts, a communication associated with the workflow, determining, based on an analysis of the communication based on the set of templates, that the communication is malicious, and initiating, based on the determination that the communication is malicious, a remediation action.

Abstract: Generation of behavior profiling reports is provided for enterprise server devices in a network of enterprise server devices, as well as generation and association of severity scores for behavior profiling reports generated for enterprise server devices included in the network of enterprise server devices. A method can comprise receiving historical security event data representing historical security events of a first device and owner data representing an owner of the first device, and, as a function of the historical security event data and the owner data, an anomalous contact established between the first device and the second device can be identified. Further, in response to identifying the existence of the anomalous contact, the second device can be depicted on a connected graph of anomalous contacts established by the first device.

Abstract: A network device that operates as an analysis platform for analysis of event data records that can provide a flexible approach to event data record aggregation. For example, aggregation can be flexibly turned on or off and dynamically adjusted based on event record volume and other factors such as network capacity or throughput. Devices that are instructed to aggregate records can also be instructed to archive the raw records, e.g., to maintain a full fidelity log of events. Devices can further be instructed to utilize a mixed queue approach to determine an order to deliver those records that includes both older records and newer records.

Abstract: Generation of behavior profiling reports is provided for enterprise server devices in a network of enterprise server devices, as well as generation and association of severity scores for behavior profiling reports generated for enterprise server devices included in the network of enterprise server devices. A method can comprise receiving historical security event data representing historical security events of a first device and owner data representing an owner of the first device, and, as a function of the historical security event data and the owner data, an anomalous contact established between the first device and the second device can be identified. Further, in response to identifying the existence of the anomalous contact, the second device can be depicted on a connected graph of anomalous contacts established by the first device.

Abstract: Generation of behavior profiling reports is provided for enterprise server devices in a network of enterprise server devices, as well as generation and association of severity scores for behavior profiling reports generated for enterprise server devices included in the network of enterprise server devices. A method can comprise receiving historical security event data representing historical security events of a first device and owner data representing an owner of the first device, and, as a function of the historical security event data and the owner data, an anomalous contact established between the first device and the second device can be identified. Further, in response to identifying the existence of the anomalous contact, the second device can be depicted on a connected graph of anomalous contacts established by the first device.

Abstract: A network device that operates as an analysis platform for analysis of event data records that can provide a flexible approach to event data record aggregation. For example, aggregation can be flexibly turned on or off and dynamically adjusted based on event record volume and other factors such as network capacity or throughput. Devices that are instructed to aggregate records can also be instructed to archive the raw records, e.g., to maintain a full fidelity log of events. Devices can further be instructed to utilize a mixed queue approach to determine an order to deliver those records that includes both older records and newer records.

Abstract: A network device that operates as an analysis platform for analysis of event data records that can provide a flexible approach to event data record aggregation. For example, aggregation can be flexibly turned on or off and dynamically adjusted based on event record volume and other factors such as network capacity or throughput. Devices that are instructed to aggregate records can also be instructed to archive the raw records, e.g., to maintain a full fidelity log of events. Devices can further be instructed to utilize a mixed queue approach to determine an order to deliver those records that includes both older records and newer records.

Abstract: Generation of behavior profiling reports is provided for enterprise server devices in a network of enterprise server devices, as well as generation and association of severity scores for behavior profiling reports generated for enterprise server devices included in the network of enterprise server devices. A method can comprise receiving historical security event data representing historical security events of a first device and owner data representing an owner of the first device, and, as a function of the historical security event data and the owner data, an anomalous contact established between the first device and the second device can be identified. Further, in response to identifying the existence of the anomalous contact, the second device can be depicted on a connected graph of anomalous contacts established by the first device.

Abstract: A network device that operates as an analysis platform for analysis of event data records that can provide a flexible approach to event data record aggregation. For example, aggregation can be flexibly turned on or off and dynamically adjusted based on event record volume and other factors such as network capacity or throughput. Devices that are instructed to aggregate records can also be instructed to archive the raw records, e.g., to maintain a full fidelity log of events. Devices can further be instructed to utilize a mixed queue approach to determine an order to deliver those records that includes both older records and newer records.

Abstract: Methods, systems, and computer-readable media for identifying potential threats on a network based on anomalous behavior in communication between endpoints are provided. Traffic data for a network is accumulated over some period of time. The traffic data is grouped by one or more keys, such as source IP address, and sets of metric values are calculated for the keys. A mixture distribution, such as a negative binomial mixture distribution, is fitted to each set of metric values, and outlying metric values are determined based on the mixture distribution(s). A list of outliers is then generated comprising key values having outlying metric values in one or more of the sets of metric values.

Abstract: Methods, systems, and computer-readable media for identifying potential threats on a network based on anomalous behavior in communication between endpoints are provided. Traffic data for a network is accumulated over some period of time. The traffic data is grouped by one or more keys, such as source IP address, and sets of metric values are calculated for the keys. A mixture distribution, such as a negative binomial mixture distribution, is fitted to each set of metric values, and outlying metric values are determined based on the mixture distribution(s). A list of outliers is then generated comprising key values having outlying metric values in one or more of the sets of metric values.

Abstract: Methods, systems, and computer-readable media for identifying potential threats on a network based on anomalous behavior in communication between endpoints are provided. Traffic data for a network is accumulated over some period of time. The traffic data is grouped by one or more keys, such as source IP address, and sets of metric values are calculated for the keys. A mixture distribution, such as a negative binomial mixture distribution, is fitted to each set of metric values, and outlying metric values are determined based on the mixture distribution(s). A list of outliers is then generated comprising key values having outlying metric values in one or more of the sets of metric values.

Abstract: A method and system for determining whether an IP address is part of a bot-network are provided. The IP-address-aggregate associated with the IP address of an e-mail sender is determined. The IP-address-aggregate is associated with an IP-address-aggregate-category based on the current SMTP traffic characteristics of the IP-address-aggregate and the known SMTP traffic characteristics of an IP-address-aggregate-category. A bot-likelihood score of the IP-address-aggregate-category is then associated with IP-address-aggregate. IP-address-aggregate-categories can be established based on historical SMTP traffic characteristics of the IP-address-aggregates. The IP-address-aggregates are grouped based on SMTP characteristics, and the IP-address-aggregate-categories are defined based on a selection of IP-address-aggregates with similar SMTP traffic characteristics that are diagnostic of spam bots vs. non-botnet-controllers spammers.

Abstract: Methods, systems, and computer-readable media for identifying potential threats on a network based on anomalous behavior in communication between endpoints are provided. Traffic data for a network is accumulated over some period of time. The traffic data is grouped by one or more keys, such as source IP address, and sets of metric values are calculated for the keys. A mixture distribution, such as a negative binomial mixture distribution, is fitted to each set of metric values, and outlying metric values are determined based on the mixture distribution(s). A list of outliers is then generated comprising key values having outlying metric values in one or more of the sets of metric values.

Abstract: Methods, systems, and computer-readable media for identifying potential threats on a network based on anomalous behavior in communication between endpoints are provided. Traffic data for a network is accumulated over some period of time. The traffic data is grouped by one or more keys, such as source IP address, and sets of metric values are calculated for the keys. A mixture distribution, such as a negative binomial mixture distribution, is fitted to each set of metric values, and outlying metric values are determined based on the mixture distribution(s). A list of outliers is then generated comprising key values having outlying metric values in one or more of the sets of metric values.

Abstract: Method and apparatus for processing traffic of interest in a network is described. In one example, a baseline profile and at least one threshold is computed using initial aggregated volume data for the traffic of interest. Aggregated volume counts for time periods in a time interval are obtained. Differences between the aggregated volume counts for the time periods and values of the baseline profile for corresponding time periods are computed. An alarm is triggered for each of the differences that exceeds the at least one threshold.

Abstract: Method and apparatus for port sweep detection in a network is described. In one example, log data is obtained for a period of time. The log data is associated with a plurality of devices in the network. The log data is processed to identify connection requests from a source key for a port at a number of target internet protocol (IP) addresses. An alarm is generated if the number of target IP addresses associated with the connection requests from the source key exceeds a threshold.

Abstract: A method and system for determining whether an IP address is part of a bot-network are provided. The IP-address-aggregate associated with the IP address of an e-mail sender is determined. The IP-address-aggregate is associated with an IP-address-aggregate-category based on the current SMTP traffic characteristics of the IP-address-aggregate and the known SMTP traffic characteristics of an IP-address-aggregate-category. A bot-likelihood score of the IP-address-aggregate-category is then associated with IP-address-aggregate. IP-address-aggregate-categories can be established based on historical SMTP traffic characteristics of the IP-address-aggregates. The IP-address-aggregates are grouped based on SMTP characteristics, and the IP-address-aggregate-categories are defined based on a selection of IP-address-aggregates with similar SMTP traffic characteristics that are diagnostic of spam bots vs. non-botnet-controllers spammers.

Abstract: Methods, systems, and computer-readable media for identifying potential threats on a network based on anomalous behavior in communication between endpoints are provided. Traffic data for a network is accumulated over some period of time. The traffic data is grouped by one or more keys, such as source IP address, and sets of metric values are calculated for the keys. A mixture distribution, such as a negative binomial mixture distribution, is fitted to each set of metric values, and outlying metric values are determined based on the mixture distribution(s). A list of outliers is then generated comprising key values having outlying metric values in one or more of the sets of metric values.

Abstract: A method, system and apparatus for detecting anomalous web proxy activity by end-users are disclosed. The techniques include analyzing records from a web proxy log and determining whether the records contain anomalous end-user activity by inspecting a uniform resource locator and a connect instruction included therein. The techniques also include generating an alert in response to the analysis.