Abstract: Disclosed is an improved approach for managing security alerts to automatically isolate malicious security alerts from benign alerts using an ensemble model of pattern recognition techniques. In some embodiments, the approach provides for automatically isolating security alerts of malicious attack from security alerts that correspond to undesirable, yet benign, activity in computer networks, cloud infrastructures and SAAS applications. Specifically, the approach provides for qualitative contextual assessments of these alerts using an ensemble of models. These ensemble models leverage a history of security events on a computer network, cloud infrastructure and SAAS applications to determine a level of relevance for received alerts and determine, based on that level of relevance, how or if they should be presented to an administrator.

Abstract: Disclosed is an improved approach for translating entity prioritization rules to a continuous numerical space. In some embodiments, the approach provided is a system for using qualitative prioritization criteria to train a system that generates quantitative urgency scores for entities. In some embodiments, this comprises an embedding scheme that enables the translation of entity information and their related alerts to a set of qualitative labels based on at least quantitative information. Generally, the system includes a set of analyst actions that establish desired mappings which are used to train a more general model that maps entity embeddings to responses. In some embodiments, the approach comprises one or more models that receive an entity embedding as an input and outputs a score that characterizes the urgency of the response warranted for that entity. In some embodiments, this is performed using various features (e.g., importance, actor type, velocity, and breadth).

Abstract: Disclosed is an approach for detecting malicious network activity (e.g. based on a data hoarding activity identifies using a graph mixture density neural network (GraphMDN)). Generally, the approach includes generating embeddings using a graph convolution process and then processing the embeddings using a mixture density neural network. The approach may include collecting network activity data, generating a graph representing the network activity, or an aggregation thereof that maintains the inherent graphical nature and characteristics of the data, and training a GraphMDN in order to generate pluralities of distributions characterizing one or more aspects of the graph representing the network activity. The approach may also include capturing new network activity data, and evaluating that data using the distributions generated by the trained GraphMDN, and generation corresponding detection results.

Abstract: Disclosed is an improved approach for detecting potentially malicious activity on a network. The present improved approach generates a multi-dimensional activity model based on captured network activity. Additional network activity is captured, and relative activity values are determined therefor. Determination of whether the additional network activity corresponds to potentially malicious activity is obtained by fitting the relative activity values of the additional network activity to the multi-dimensional relative activity model.

Abstract: Disclosed is an approach for detecting malicious network activity (e.g. based on a data hoarding activity identifies using a graph mixture density neural network (GraphMDN)). Generally, the approach includes generating embeddings using a graph convolution process and then processing the embeddings using a mixture density neural network. The approach may include collecting network activity data, generating a graph representing the network activity, or an aggregation thereof that maintains the inherent graphical nature and characteristics of the data, and training a GraphMDN in order to generate pluralities of distributions characterizing one or more aspects of the graph representing the network activity. The approach may also include capturing new network activity data, and evaluating that data using the distributions generated by the trained GraphMDN, and generation corresponding detection results.

Abstract: Disclosed is an improved approach for detecting potentially malicious activity on a network. The present improved approach generates a multi-dimensional activity model based on captured network activity. Additional network activity is captured, and relative activity values are determined therefor. Determination of whether the additional network activity corresponds to potentially malicious activity is obtained by fitting the relative activity values of the additional network activity to the multi-dimensional relative activity model.