Abstract: Detecting for anomalous utility usage, including: determining with respect to the subject set of utility usage data a portion that is not associated with a predetermined set of significant components; determining that the portion that is not associated with the predetermined set of significant components exceeds a prescribed threshold; and concluding, based at least in part on the determination that the portion that is not associated with the predetermined set of significant components exceeds the prescribed threshold, that the subject set of utility usage data is anomalous.

Abstract: Anomaly detection is disclosed, including: determining a set of anomalous events associated with an enterprise network; and determining a path of interest based at least in part on at least a subset of the set of anomalous events.

Abstract: Data unavailability and data loss events in a large distributed database system are predicted by proactively and substantially continuously collecting information about appliance states and operations in the database system, forming feature vectors of prescribed key information features, and classifying said feature vectors as indicative of possible DU/DL events based upon their similarity and closeness to stored historical feature vectors known to be relevant to DU/DL events.

Abstract: Techniques to detect fraud through behavioral analysis with low false positives are disclosed. In various embodiments, resource access data indicating for each resource in a set of resources respective usage data for each of one or more users of the resource is received. Hierarchical clustering analysis is performed to determine at each of two or more hierarchical levels a set of one or more clusters of users, resources, or both. A level-specific anomaly score is computed at each of said two or more hierarchical levels. The level-specific anomaly scores are aggregated across said two or more hierarchical levels to determine an aggregate anomaly score. The aggregate anomaly score to determine whether an anomaly has been detected.

Abstract: A method is used in analyzing device similarity. Data describing a device is received and a similarity analysis is applied to the data. Based on the similarity analysis, a measure of similarity between the device and a previously known device is determined.

Abstract: Malware beaconing activity detection is disclosed, including: monitoring a plurality of conversations between an internal device and one or more external destinations; extracting feature sets based at least in part on the plurality of conversations; and determining that a conversation of the plurality of conversations is anomalous based at least in part on the extracted feature sets.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media for identifying malware attacks collects data traffic information. A system receives data traffic information indicative of communications between computers within a network and computers external to the network. The system parses the data traffic information to identify communication links between the computers within the network and computers external to the network. The system can generate communication link profiles for each of the computers within the network. The system can then group computers within the network into computer clusters based on similarities between the communication link profiles for each computer. The system can identify computer clusters having anomalous communication patterns as being indicative of a malware attack.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media for identifying malware attacks collects data traffic information. A system receives data traffic information indicative of communications between computers within a network and computers external to the network. The system parses the data traffic information to identify communication links between the computers within the network and computers external to the network. The system can generate communication link profiles for each of the computers within the network. The system can then group computers within the network into computer clusters based on similarities between the communication link profiles for each computer. The system can identify computer clusters having anomalous communication patterns as being indicative of a malware attack.

Abstract: Virtual machine capacity planning techniques are disclosed. In various embodiments, a set of time series data is constructed based at least in part on virtual machine related metric values observed with respect to a virtual machine during a training period. The constructed time series data is used to build a forecast model for the virtual machine. The forecast model is used to forecast future values for one or more of the virtual machine related metrics. The forecasted future values are used to determine whether an alert condition is predicted to be met.

Abstract: A method is used in analyzing device similarity. Data describing a device is received and a model is applied to the data. Based on the modeling, a measure of similarity between the device and a previously known device is determined.

Abstract: Machine generated event log data which includes events occurring over a window of time is received where each event includes a first node, a second node, and a timestamp. The events are aggregated into a plurality of aggregated graph snapshots. Communities within the plurality of aggregated graph snapshots are identified and community tracking links are determined between communities in the plurality of aggregated graph snapshots. A community that has an anomalous evolution in the plurality of aggregated graph snapshots compared to the evolution of other communities is identified based at least in part on the community tracking links. The communities are displayed where the display includes the community tracking links and identifies the community that has the anomalous evolution.

Abstract: Virtual machine capacity planning techniques are disclosed. In various embodiments, a set of time series data is constructed based at least in part on virtual machine related metric values observed with respect to a virtual machine during a training period. The constructed time series data is used to build a forecast model for the virtual machine. The forecast model is used to forecast future values for one or more of the virtual machine related metrics. The forecasted future values are used to determine whether an alert condition is predicted to be met.

Abstract: Anomaly detection is disclosed, including: determining a set of anomalous events associated with an enterprise network; and determining a path of interest based at least in part on at least a subset of the set of anomalous events.

Abstract: Machine generated event log data which includes event(s) occurring over a window of time is received where each event includes one or more events having a first node, a second node, and a timestamp. The events are aggregated into a plurality of aggregated graph snapshots. One or more communities are identified within the plurality of aggregated graph snapshots. One or more community tracking links are determined between communities in the plurality of aggregated graph snapshots. Communities in the plurality of aggregated graph snapshot which are anomalous are identified based on one or more of the following: a community level anomaly or an evolutionary path level anomaly.

Abstract: Potentially infected internal device(s) and potential malware command and control device(s) are identified by generating a bipartite graph that includes internal device(s) inside a network and destination(s) outside the network which communicate over a period of time. The bipartite graph is reduced to obtain a reduced bipartite graph, including by eliminating those connections that include a whitelisted internal device and those connections that include a whitelisted destination. From the reduced graph, a cluster of potentially infected internal device(s) and potential malware command and control device(s) are identified based at least in part on (1) the cluster's degree of isolation from other clusters and (2) an isolation threshold.

Abstract: A bipartite graph is generated which includes one or more source vertices and one or more destination vertices. For a given source vertex, a temporal behavioral matrix is generated using the bipartite graph where a first dimension of the temporal behavioral matrix is associated with time and a second dimension of the temporal behavioral matrix is associated with at least some of the one or more destination vertices. For the given source vertex, a model is generated using at least some portion of the temporal behavioral matrix. Anomaly detection is performed on at least part of the temporal behavioral matrix using the model.

Abstract: Malware beaconing activity detection is disclosed, including: monitoring a plurality of conversations between an internal device and one or more external destinations; extracting feature sets based at least in part on the plurality of conversations; and determining that a conversation of the plurality of conversations is anomalous based at least in part on the extracted feature sets.

Abstract: Anomaly detection is disclosed, including: determining a set of anomalous events associated with an enterprise network; and determining a path of interest based at least in part on at least a subset of the set of anomalous events.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media for identifying malware attacks collects data traffic information. A system receives data traffic information indicative of communications between computers within a network and computers external to the network. The system parses the data traffic information to identify communication links between the computers within the network and computers external to the network. The system can generate communication link profiles for each of the computers within the network. The system can then group computers within the network into computer clusters based on similarities between the communication link profiles for each computer. The system can identify computer clusters having anomalous communication patterns as being indicative of a malware attack.

Abstract: Malware beaconing activity detection is disclosed, including: monitoring a plurality of conversations between an internal device and one or more external destinations; extracting feature sets based at least in part on the plurality of conversations; and determining that a conversation of the plurality of conversations is anomalous based at least in part on the extracted feature sets.