Patents by Inventor Derek Lin

Derek Lin has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11956253
    Abstract: The present disclosure relates to a machine-learning system, method, and computer program for ranking security alerts from multiple sources. The system self-learns risk levels associated with alerts by calculating risk probabilities for the alerts based on characteristics of the alerts and historical alert data. In response to receiving a security alert from one of a plurality of alert-generation sources, the alert-ranking system evaluates the security alert with respect to a plurality of feature indicators. The system creates a feature vector for the security alert based on the feature indicator values identified for the alert. The system then calculates a probability that the security alert relates to a cybersecurity risk in the computer network based on the created feature vector and historical alert data in the network. The system ranks alerts from a plurality of different sources based on the calculated cybersecurity risk probabilities.
    Type: Grant
    Filed: April 23, 2021
    Date of Patent: April 9, 2024
    Assignee: Exabeam, Inc.
    Inventors: Derek Lin, Domingo Mihovilovic, Sylvain Gil
  • Patent number: 11431741
    Abstract: The present disclosure describes a system, method, and computer program for detecting unmanaged and unauthorized assets on an IT network by identifying anomalously-named assets. A recurrent neural network (RNN) is trained to identify patterns in asset names in a network. The RNN learns the character distribution patterns of the names of all observed assets in the training data, effectively capturing the hidden naming structures followed by a majority of assets on the network. The RNN is then used to identify assets with names that deviate from the hidden naming structures. Specifically, the RNN is used to measure the reconstruction errors of input asset name strings. Asset names with high reconstruction errors are anomalous since they cannot be explained by learned naming structures. After filtering for attributes or circumstances that mitigate risk, such assets are associated with a higher cybersecurity risk.
    Type: Grant
    Filed: May 13, 2019
    Date of Patent: August 30, 2022
    Assignee: Exabeam, Inc.
    Inventors: Derek Lin, Domingo Mihovilovic, Sylvain Gil, Barry Steiman
  • Patent number: 11423143
    Abstract: A cybersecurity system, method, and computer program are provided for detecting whether an entity's collection of processes during an interval is abnormal compared to the historical collection of processes observed for the entity during previous intervals of the same length. Logs from a training period are used to calculate global and local risk probabilities for each process based on the process's execution history during the training period. Risk probabilities may be computed using a Bayesian framework. For each entity in a network, an entity risk score is calculated by summing the applicable risk probabilities of the unique processes executed by the entity during an interval. An entity's historical risk scores form a score distribution. If an entity's current score is an outlier on the historical score distribution, an alert of potentially malicious behavior is generated with respect to the entity. Additional post-processing may be performed to reduce false positives.
    Type: Grant
    Filed: December 20, 2018
    Date of Patent: August 23, 2022
    Assignee: Exabeam, Inc.
    Inventors: Derek Lin, Barry Steiman, Domingo Mihovilovic, Sylvain Gil
  • Publication number: 20220006814
    Abstract: The present disclosure describes a system, method, and computer program for automatically classifying user accounts within an entity's computer network, using machine-based-learning modeling and keys from an identity management system. A system uses supervised machine learning to create a statistical model that maps individual keys or sets of keys to a probability of being associated with a first type of user account (e.g., a service account). To classify an unclassified user account, the system identifies identity management keys associated with the unclassified user account. The system creates an N-dimensional vector from the keys (where N=the number of keys), and uses the vector and the statistical model to calculate a probability that the unclassified user account is the first type of user account. In response to the probability exceeding a first threshold, the system classifies the unclassified user account as the first type of user account.
    Type: Application
    Filed: September 17, 2021
    Publication date: January 6, 2022
    Inventors: Derek Lin, Barry Steiman, Domingo Mihovilovic, Sylvain Gil
  • Patent number: 11178168
    Abstract: The present disclosure describes a self-learning system, method, and computer program for detecting cybersecurity threats in a computer network based on anomalous user behavior and multi-domain data. A computer system tracks user behavior during a user session across multiple data domains. For each domain observed in a user session, a domain risk is calculated. The user's session risk is then calculated as the weighted sum of the domain risks. A domain risk is based on individual event-level risk probabilities and a session-level risk probability from the domain. The individual event-level risk probabilities and a session-level risk probability for a domain are derived from user events of the domain during the session and are based on event-feature indicators and session-feature indicators for the domain.
    Type: Grant
    Filed: December 19, 2019
    Date of Patent: November 16, 2021
    Assignee: Exabeam, Inc.
    Inventors: Derek Lin, Anying Li, Ryan Foltz, Domingo Mihovilovic, Sylvain Gil, Barry Steiman
  • Patent number: 11140167
    Abstract: The present disclosure describes a system, method, and computer program for automatically classifying user accounts within an entity's computer network, using machine-based-learning modeling and keys from an identity management system. A system uses supervised machine learning to create a statistical model that maps individual keys or sets of keys to a probability of being associated with a first type of user account (e.g., a service account). To classify an unclassified user account, the system identifies identity management keys associated with the unclassified user account. The system creates an N-dimensional vector from the keys (where N=the number of keys), and uses the vector and the statistical model to calculate a probability that the unclassified user account is the first type of user account. In response to the probability exceeding a first threshold, the system classifies the unclassified user account as the first type of user account.
    Type: Grant
    Filed: March 1, 2016
    Date of Patent: October 5, 2021
    Assignee: Exabeam, Inc.
    Inventors: Derek Lin, Barry Steiman, Domingo Mihovilovic, Sylvain Gil
  • Patent number: 10944777
    Abstract: The present disclosure relates to a system, method, and computer program for detecting anomalous user network activity based on multiple data sources. The system extracts user event data for n days from multiple data sources to create a baseline behavior model that reflects the user's daily volume and type of IT events. In creating the model, the system addresses data heterogeneity in multi-source logs by categorizing raw events into meta events. Thus, the baseline behavior model captures the user's daily meta-event pattern and volume of IT meta events over n days. The model is created using a dimension reduction technique. The system detects any anomalous pattern and volume changes in a user's IT behavior on day n by comparing user meta-event activity on day n to the baseline behavior model. A score normalization scheme allows identification of a global threshold to flag current anomalous activity in the user population.
    Type: Grant
    Filed: March 24, 2020
    Date of Patent: March 9, 2021
    Assignee: Exabeam, Inc.
    Inventors: Derek Lin, Qiaona Hu, Domingo Mihovilovic, Sylvain Gil, Barry Steiman
  • Patent number: 10887325
    Abstract: The present disclosure describes a system, method, and computer program for determining the cybersecurity risk associated with a first-time access event in a computer network. In response to receiving an alert that a user has accessed a network entity for the first time, a user behavior analytics system uses a factorization machine to determine the affinity between the accessing user and the accessed entity. The affinity measure is based on the accessing user's historical access patterns in the network, as well as context data for both the accessing user and the accessed entity. The affinity score for an access event may be used to filter first-time access alerts or weight first-time access alerts in performing a risk assessment of the accessing user's network activity. The result is that many false-positive first-time access alerts are suppressed and not factored (or not factored heavily) into cybersecurity risk assessments.
    Type: Grant
    Filed: February 12, 2018
    Date of Patent: January 5, 2021
    Assignee: Exabeam, Inc.
    Inventors: Derek Lin, Baoming Tang, Qiaona Hu, Barry Steiman, Domingo Mihovilovic, Sylvain Gil
  • Patent number: 10841338
    Abstract: The present disclosure relates to a cybersecurity-monitoring system, method, and computer program for dynamically determining a rule's risk score based on the network and user for which the rule triggered. The methods described herein address score inflation problems associated with the fact that rules have different false positive rates in different networks and for different users, even within the same network. In response to a rule triggering, the system dynamically adjusts the default risk points associated with the triggered rule based on a per-rule and per-user probability that the rule triggered due to malicious behavior. In certain embodiments, network context is also a factor in customizing the risk points for a triggered rule.
    Type: Grant
    Filed: April 4, 2018
    Date of Patent: November 17, 2020
    Assignee: Exabeam, Inc.
    Inventors: Derek Lin, Barry Steiman, Domingo Mihovilovic, Sylvain Gil
  • Publication number: 20200228557
    Abstract: The present disclosure relates to a system, method, and computer program for detecting anomalous user network activity based on multiple data sources. The system extracts user event data for n days from multiple data sources to create a baseline behavior model that reflects the user's daily volume and type of IT events. In creating the model, the system addresses data heterogeneity in multi-source logs by categorizing raw events into meta events. Thus, the baseline behavior model captures the user's daily meta-event pattern and volume of IT meta events over n days. The model is created using a dimension reduction technique. The system detects any anomalous pattern and volume changes in a user's IT behavior on day n by comparing user meta-event activity on day n to the baseline behavior model. A score normalization scheme allows identification of a global threshold to flag current anomalous activity in the user population.
    Type: Application
    Filed: March 24, 2020
    Publication date: July 16, 2020
    Inventors: Derek Lin, Qiaona Hu, Domingo Mihovilovic, Sylvain Gil, Barry Steiman
  • Patent number: 10645109
    Abstract: The present disclosure relates to a system, method, and computer program for detecting anomalous user network activity based on multiple data sources. The system extracts user event data for n days from multiple data sources to create a baseline behavior model that reflects the user's daily volume and type of IT events. In creating the model, the system addresses data heterogeneity in multi-source logs by categorizing raw events into meta events. Thus, the baseline behavior model captures the user's daily meta-event pattern and volume of IT meta events over n days. The model is created using a dimension reduction technique. The system detects any anomalous pattern and volume changes in a user's IT behavior on day n by comparing user meta-event activity on day n to the baseline behavior model. A score normalization scheme allows identification of a global threshold to flag current anomalous activity in the user population.
    Type: Grant
    Filed: March 29, 2018
    Date of Patent: May 5, 2020
    Assignee: Exabeam, Inc.
    Inventors: Derek Lin, Qiaona Hu, Domingo Mihovilovic, Sylvain Gil, Barry Steiman
  • Patent number: 10496815
    Abstract: The present disclosure describes a system, method, and computer program for classifying monitored assets based on user labels and for detecting potential misuse of monitored assets based on said classifications. Machine-learning-based modeling is used to classify one or more types of monitored assets with a select user label. A data model is created that reflects monitored assets used by users associated with the select user label. Each time a user with the select user label accesses an applicable type of monitored asset, the data model is updated to reflect the event. The data model is used to classify one or more monitored assets with the select user label. If a user without the select user label uses a monitored asset classified with the select user label, a potential misuse of the monitored asset is detected.
    Type: Grant
    Filed: December 18, 2015
    Date of Patent: December 3, 2019
    Assignee: Exabeam, Inc.
    Inventors: Barry Steiman, Derek Lin, Sylvain Gil, Domingo Mihovilovic
  • Patent number: 10417072
    Abstract: Techniques to detect backup-related anomalies are disclosed. In various embodiments, a processor is used to generate a predictive model based at least in part on backup log data associated with a training period. The predictive model is used to detect, using the processor, anomalies in corresponding backup log data associated with a detection period.
    Type: Grant
    Filed: September 28, 2017
    Date of Patent: September 17, 2019
    Assignee: EMC IP HOLDING COMPANY LLC
    Inventors: Chunsheng Fang, Derek Lin
  • Patent number: 10178108
    Abstract: The present disclosure describes a system, method, and computer program for identifying and classifying service accounts in a network based on account behavior. For each evaluated account in the network, a plurality of behavior indicators are calculated. The behavior indicators correspond to service account behaviors and, for each account, are calculated based on network events associated with the account. Each behavior indicator is compared to a threshold specific to the corresponding behavior. If one or more behavior indicators for an account satisfy the applicable threshold, the account is deemed to display service account behavior. The consistency with which an account displays service account behavior is factored into classifying accounts as service accounts.
    Type: Grant
    Filed: May 31, 2016
    Date of Patent: January 8, 2019
    Assignee: Exabeam, Inc.
    Inventors: Derek Lin, Barry Steiman, Domingo Mihovilovic, Sylvain Gil
  • Publication number: 20180095816
    Abstract: Techniques to detect backup-related anomalies are disclosed. In various embodiments, a processor is used to generate a predictive model based at least in part on backup log data associated with a training period. The predictive model is used to detect, using the processor, anomalies in corresponding backup log data associated with a detection period.
    Type: Application
    Filed: September 28, 2017
    Publication date: April 5, 2018
    Inventors: Chunsheng Fang, Derek Lin
  • Patent number: 9898604
    Abstract: Machine generated event log data which includes events occurring over a window of time is received where each event includes a first node, a second node, and a timestamp. The events are aggregated into a plurality of aggregated graph snapshots. Communities within the plurality of aggregated graph snapshots are identified and community tracking links are determined between communities in the plurality of aggregated graph snapshots. A community that has an anomalous evolution in the plurality of aggregated graph snapshots compared to the evolution of other communities is identified based at least in part on the community tracking links. The communities are displayed where the display includes the community tracking links and identifies the community that has the anomalous evolution.
    Type: Grant
    Filed: October 27, 2015
    Date of Patent: February 20, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Chunsheng Fang, Derek Lin, Teng Wang
  • Patent number: 9858106
    Abstract: Virtual machine capacity planning techniques are disclosed. In various embodiments, a set of time series data is constructed based at least in part on virtual machine related metric values observed with respect to a virtual machine during a training period. The constructed time series data is used to build a forecast model for the virtual machine. The forecast model is used to forecast future values for one or more of the virtual machine related metrics. The forecasted future values are used to determine whether an alert condition is predicted to be met.
    Type: Grant
    Filed: December 14, 2015
    Date of Patent: January 2, 2018
    Assignee: EMC IP Holding Co. LLC
    Inventors: Anirudh Kondaveeti, Derek Lin
  • Patent number: 9853991
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for identifying malware attacks from collected data traffic information. A system receives data traffic information indicative of communications between computers within a network and computers external to the network. The system parses the data traffic information to identify communication links between the computers within the network and computers external to the network. The system can generate communication link profiles for each of the computers within the network. The system can then group computers within the network into computer clusters based on similarities between the communication link profiles for each computer. The system can identify computer clusters having anomalous communication patterns as being indicative of a malware attack.
    Type: Grant
    Filed: April 15, 2016
    Date of Patent: December 26, 2017
    Assignee: Pivotal Software, Inc.
    Inventors: Jin Yu, Derek Lin
  • Patent number: 9804909
    Abstract: Techniques to detect backup-related anomalies are disclosed. In various embodiments, a processor is used to generate a predictive model based at least in part on backup log data associated with a training period. The predictive model is used to detect, using the processor, anomalies in corresponding backup log data associated with a detection period.
    Type: Grant
    Filed: March 31, 2015
    Date of Patent: October 31, 2017
    Assignee: EMC IP Holding Company LLC
    Inventors: Chunsheng Fang, Derek Lin
  • Patent number: 9727723
    Abstract: Techniques to reduce false positives in detecting anomalous use of resources are disclosed. In various embodiments, resource access data indicating for each resource in a set of resources respective usage data for each of one or more users of the resource is received. Cluster analysis is performed to determine one or more clusters of users. For each cluster, a set of recommended resources to be associated with the cluster is determined. For each of at least a subset of users, a temporal behavior based model for each user that reflects one or more resources included in the set of recommended resources associated with a corresponding cluster of which the user is a member is generated.
    Type: Grant
    Filed: June 18, 2014
    Date of Patent: August 8, 2017
    Assignee: EMC IP Holding Co. LLC
    Inventors: Anirudh Kondaveeti, Derek Lin, Hulya Emir-Farinas