Patents by Inventor Cory-Khoi Quang Nguyen

Cory-Khoi Quang Nguyen has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11899786
    Abstract: An event can be analyzed for association with a security violation. Characters or other values of event data (e.g., command-line text) associated with the event can be provided sequentially to a trained representation mapping to determine respective representation vectors. Respective indicators can be determined by applying the vectors to a trained classifier. A token in the event data can be located based on the indicators. The event can be determined to be associated with a security violation based on the token satisfying a token-security criterion. The representation mapping can be trained by adjusting model parameters so the trained representation predicts, based on a character of training command-line text, an immediately following character in the training command-line text. The classifier can be determined based on the trained representation mapping and classification training data indicating whether respective portions of training event data are associated with security violations.
    Type: Grant
    Filed: July 10, 2019
    Date of Patent: February 13, 2024
    Assignee: CrowdStrike, Inc.
    Inventors: Cory-Khoi Quang Nguyen, Jaron Michael Bradley, William Leon Charles Pauley
  • Patent number: 11392689
    Abstract: Event vectors can be determined for respective events based on respective command-line records and a trained representation mapping. Respective coordinate vectors can be determined, each having fewer elements than the respective event vector. Respective representations of at least some of the events can be presented via an electronic display at the respective coordinate vectors. A selection of a first representation can be received via a user interface. The events can be clustered based on the event vectors. A first cluster can be selected based on the selection. An indication of a tag can be received via the user interface. Each event of the first cluster can be associated with the tag. Some examples include transmitting a security command to cause a monitored computing device associated with an event in the first cluster to perform a mitigation action.
    Type: Grant
    Filed: March 28, 2019
    Date of Patent: July 19, 2022
    Assignee: CrowdStrike, Inc.
    Inventors: Cory-Khoi Quang Nguyen, Jaron Michael Bradley, John Lee, Brody Nisbet
  • Patent number: 11258805
    Abstract: An event can be associated with a monitored computing device and a command-line record. An event vector can be determined for each of a plurality of events based at least in part on at least a portion of the respective command-line record and on a trained representation mapping. A respective reduced event vector can be determined having fewer elements. The reduced event vectors can be clustered to determine cluster identifiers. A first event can be determined to be associated with a security violation based on a corresponding cluster identifier matching a cluster identifier of a second event that is associated with a security violation. In some examples, a cluster can include a relatively larger first group of events and a relatively smaller second group of events. That cluster can be determined to satisfy a criterion based on the numbers of events in at least one of the groups.
    Type: Grant
    Filed: March 28, 2019
    Date of Patent: February 22, 2022
    Assignee: CrowdStrike, Inc.
    Inventors: Cory-Khoi Quang Nguyen, Jaron Michael Bradley, John Lee, Brody Nisbet
  • Patent number: 11062024
    Abstract: Example techniques herein determine that an event associated with a monitored computing device is associated with a security violation. Terms are extracted from at least two command lines associated with the event. Term representations of the at least two terms are determined based at least in part on a trained representation mapping. Two or more first filter outputs are determined based at least in part on the term representations of terms in a respective first subset of the terms. An indication of whether the event is associated with a security violation is determined at least partly by operating a trained classification computational model (CM) based at least in part on the two or more first filter outputs. Various examples train a word2vec or other x2vec model to provide the representation mapping. Various examples train a CM having convolutional and classification sections to provide the indication.
    Type: Grant
    Filed: November 15, 2018
    Date of Patent: July 13, 2021
    Assignee: CrowdStrike, Inc.
    Inventors: Cory-Khoi Quang Nguyen, John Lee
  • Publication number: 20200327225
    Abstract: An event can be analyzed for association with a security violation. Characters or other values of event data (e.g., command-line text) associated with the event can be provided sequentially to a trained representation mapping to determine respective representation vectors. Respective indicators can be determined by applying the vectors to a trained classifier. A token in the event data can be located based on the indicators. The event can be determined to be associated with a security violation based on the token satisfying a token-security criterion. The representation mapping can be trained by adjusting model parameters so the trained representation predicts, based on a character of training command-line text, an immediately following character in the training command-line text. The classifier can be determined based on the trained representation mapping and classification training data indicating whether respective portions of training event data are associated with security violations.
    Type: Application
    Filed: July 10, 2019
    Publication date: October 15, 2020
    Inventors: Cory-Khoi Quang Nguyen, Jaron Michael Bradley, William Leon Charles Pauley
  • Publication number: 20200314117
    Abstract: An event can be associated with a monitored computing device and a command-line record. An event vector can be determined for each of a plurality of events based at least in part on at least a portion of the respective command-line record and on a trained representation mapping. A respective reduced event vector can be determined having fewer elements. The reduced event vectors can be clustered to determine cluster identifiers. A first event can be determined to be associated with a security violation based on a corresponding cluster identifier matching a cluster identifier of a second event that is associated with a security violation. In some examples, a cluster can include a relatively larger first group of events and a relatively smaller second group of events. That cluster can be determined to satisfy a criterion based on the numbers of events in at least one of the groups.
    Type: Application
    Filed: March 28, 2019
    Publication date: October 1, 2020
    Inventors: Cory-Khoi Quang Nguyen, Jaron Michael Bradley, John Lee, Brody Nisbet
  • Publication number: 20200311262
    Abstract: Event vectors can be determined for respective events based on respective command-line records and a trained representation mapping. Respective coordinate vectors can be determined, each having fewer elements than the respective event vector. Respective representations of at least some of the events can be presented via an electronic display at the respective coordinate vectors. A selection of a first representation can be received via a user interface. The events can be clustered based on the event vectors. A first cluster can be selected based on the selection. An indication of a tag can be received via the user interface. Each event of the first cluster can be associated with the tag. Some examples include transmitting a security command to cause a monitored computing device associated with an event in the first cluster to perform a mitigation action.
    Type: Application
    Filed: March 28, 2019
    Publication date: October 1, 2020
    Inventors: Cory-Khoi Quang Nguyen, Jaron Michael Bradley, John Lee, Brody Nisbet
  • Publication number: 20200159916
    Abstract: Example techniques herein determine that an event associated with a monitored computing device is associated with a security violation. Terms are extracted from at least two command lines associated with the event. Term representations of the at least two terms are determined based at least in part on a trained representation mapping. Two or more first filter outputs are determined based at least in part on the term representations of terms in a respective first subset of the terms. An indication of whether the event is associated with a security violation is determined at least partly by operating a trained classification computational model (CM) based at least in part on the two or more first filter outputs. Various examples train a word2vec or other x2vec model to provide the representation mapping. Various examples train a CM having convolutional and classification sections to provide the indication.
    Type: Application
    Filed: November 15, 2018
    Publication date: May 21, 2020
    Inventors: Cory-Khoi Quang Nguyen, John Lee
  • Publication number: 20190266323
    Abstract: A security service system and method for using a process based on ancestry relationship as a pattern for identifying a suspicious activity, such as a possible malicious attack or malware, are described herein. The security service system identifies a trigger command in a process running on a monitored computing device, identifies an ancestry command associated with the trigger command, determines an ancestry level of the ancestry command, and upon determining that the ancestry level of the ancestry command is different from an expected ancestry level of the ancestry command for the trigger command, identifies a pattern based on the trigger command, the ancestry command, and the ancestry level of the ancestry command.
    Type: Application
    Filed: October 23, 2018
    Publication date: August 29, 2019
    Inventors: Cory-Khoi Quang Nguyen, Brody Nisbet, John Lee