Abstract: Embodiments for feature engineering by one or more processors are described. A plurality of transformations are applied to a set of features in each of a plurality of datasets. An output of each of the plurality of transformations is a score. For each of the sets of features, selecting those of the plurality of transformations for which said score is above a predetermined threshold. A signal representative of said selection is generated.

Abstract: Embodiments for feature engineering by one or more processors are described. A plurality of transformations are applied to a set of features in each of a plurality of datasets. An output of each of the plurality of transformations is a score. For each of the sets of features, selecting those of the plurality of transformations for which said score is above a predetermined threshold. A signal representative of said selection is generated.

Abstract: A computer-implemented method for adjusting suspiciousness scores in event-correlation graphs may include (1) detecting a suspicious event involving a first actor and a second actor within a computing system, (2) constructing an event-correlation graph that includes (i) a representation of the first actor, (ii) a representation of the suspicious event, and (iii) a representation of the second actor, and (3) adjusting a suspiciousness score associated with at least one representation in the event-correlation graph based at least in part on a suspiciousness score associated with at least one other representation in the event-correlation graph such that the adjusted suspiciousness score associated with the at least one representation is influenced by the suspicious event. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for using event-correlation graphs to detect attacks on computing systems may include (1) detecting a suspicious event involving a first actor within a computing system, (2) constructing an event-correlation graph that includes a first node that represents the first actor, a second node that represents a second actor, and an edge that interconnects the first node and the second node and represents a suspicious event involving the first actor and the second actor, (3) calculating, based at least in part on the additional suspicious event, an attack score for the event-correlation graph, (4) determining that the attack score is greater than a predetermined threshold, and (5) determining, based at least in part on the attack score being greater than the predetermined threshold, that the suspicious event may be part of an attack on the computing system. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for using event-correlation graphs to detect attacks on computing systems may include (1) detecting a suspicious event involving a first actor within a computing system, (2) constructing an event-correlation graph that includes a first node that represents the first actor, a second node that represents a second actor, and an edge that interconnects the first node and the second node and represents a suspicious event involving the first actor and the second actor, (3) calculating, based at least in part on the additional suspicious event, an attack score for the event-correlation graph, (4) determining that the attack score is greater than a predetermined threshold, and (5) determining, based at least in part on the attack score being greater than the predetermined threshold, that the suspicious event may be part of an attack on the computing system. Various other methods, systems, and computer-readable media are also disclosed.