Abstract: Embodiments provide for a security information and event management (SIEM) system utilizing distributed agents that can intelligently traverse a network to exfiltrate data in an efficient and secure manner. A plurality of agent devices can dynamically learn behavioral patterns and/or service capabilities of other agent devices in the networking environment, and select optimal routes for exfiltrating event data from within the network. The agent devices can independently, selectively, or collectively pre-process event data for purposes of detecting a suspect event from within the network. When a suspect event is detected, agent devices can select a target device based on the learned service capabilities and networking environment, and communicate the pre-processed event data to the target device. The pre-processed event data is thus traversed through the network along an optimal route until it is exfiltrated from the network and stored on a remote server device for storage and further analysis.

Abstract: Embodiments provide for a security information and event management (SIEM) system utilizing distributed agents that can intelligently traverse a network to exfiltrate data in an efficient and secure manner. A plurality of agent devices can dynamically learn behavioral patterns and/or service capabilities of other agent devices in the networking environment, and select optimal routes for exfiltrating event data from within the network. The agent devices can independently, selectively, or collectively pre-process event data for purposes of detecting a suspect event from within the network. When a suspect event is detected, agent devices can select a target device based on the learned service capabilities and networking environment, and communicate the pre-processed event data to the target device. The pre-processed event data is thus traversed through the network along an optimal route until it is exfiltrated from the network and stored on a remote server device for storage and further analysis.

Abstract: Various implementations provide an approach to control testing frequency based on behavior change detection. Behavior change detection is utilized, instead of a pre-defined patterns approach, to look at a system's behavior and detect any variances from what would otherwise be normal operating behavior. In at least some implementations, a behavior change detection system collects behavior from a service, such as an online service, and detects behavior changes, either permanent or transient, in the service. In this way, the changes may be used to compute a volatility score, which the system uses to control testing frequency of one or more services, such as URLs that are part of a particular service.

Abstract: Template identification techniques for control of testing are described. In one or more implementations, a method is described to control testing of one or more services by one or more computing devices using inferred template identification. Templates are inferred, by the one or more computing devices, that are likely used for documents for respective services of a service provider that are available via corresponding universal resource locators (URLs) to form an inferred dataset. Overlaps are identified by the one or computing devices in the inferred dataset to cluster services together that have likely used corresponding templates. Testing is controlled by the one or more computing devices of the one or more services based at least in part on the clusters.

Abstract: A behavior change detection system collects behavior from a service, such as an online service, and detects behavior changes, either permanent or transient, in the service. Machine learning hierarchical (agglomerative) clustering techniques are utilized to compute deviations between clustered data sets representing an “answer” that the service presents to a series of requests.

Abstract: Template identification techniques for control of testing are described. In one or more implementations, a method is described to control testing of one or more services by one or more computing devices using inferred template identification. Templates are inferred, by the one or more computing devices, that are likely used for documents for respective services of a service provider that are available via corresponding universal resource locators (URLs) to form an inferred dataset. Overlaps are identified by the one or computing devices in the inferred dataset to cluster services together that have likely used corresponding templates. Testing is controlled by the one or more computing devices of the one or more services based at least in part on the clusters.

Abstract: Various embodiments provide an approach to classifying security events based on the concept of behavior change detection or “volatility.” Behavior change detection is utilized, in place of a pre-defined patterns approach, to look at a system's behavior and detect any variances from what would otherwise be normal operating behavior. In operation, machine learning techniques are utilized as an event classification mechanism which facilitates implementation scalability. The machine learning techniques are iterative and continue to learn over time. Operational scalability issues are addressed by using the computed volatility of the events in a time series as input for a classifier. During a learning process (i.e., the machine learning process), the system identifies relevant features that are affected by security incidents. When in operation, the system evaluates those features in real-time and provides a probability that an incident is about to occur.

Abstract: Various implementations provide an approach to control of testing frequency based on the concept of behavior change detection or “volatility.” Behavior change detection is utilized, in place of a pre-defined patterns approach, to look at a system's behavior and detect any variances from what would otherwise be normal operating behavior. In at least some implementations, a behavior change detection system collects behavior from a service, such as an online service, and detects behavior changes, either permanent or transient, in the service. In this way, the changes may be used to compute a volatility score that describes an amount of change in the behaviors. The changes in behavior as reflected by the volatility scores are then usable to control a testing frequency of the services, such as URLs that are part of the service. This may be performed dynamically to reflect ongoing changes in volatility.

Abstract: Various embodiments provide an approach to classifying security events based on the concept of behavior change detection or “volatility.” Behavior change detection is utilized, in place of a pre-defined patterns approach, to look at a system's behavior and detect any variances from what would otherwise be normal operating behavior. In operation, machine learning techniques are utilized as an event classification mechanism which facilitates implementation scalability. The machine learning techniques are iterative and continue to learn over time. Operational scalability issues are addressed by using the computed volatility of the events in a time series as input for a classifier. During a learning process (i.e., the machine learning process), the system identifies relevant features that are affected by security incidents. When in operation, the system evaluates those features in real-time and provides a probability that an incident is about to occur.

Abstract: A behavior change detection system collects behavior from a service, such as an online service, and detects behavior changes, either permanent or transient, in the service. Machine learning hierarchical (agglomerative) clustering techniques are utilized to compute deviations between clustered data sets representing an “answer” that the service presents to a series of requests.