Abstract: Autoencoder-based anomaly detection methods have been used in identifying anomalous users from large-scale enterprise logs with the assumption that adversarial activities do not follow past habitual patterns. Most existing approaches typically build models by reconstructing single-day and individual-user behaviors. However, without capturing long-term signals and group-correlation signals, the models cannot identify low-signal yet long-lasting threats, and will incorrectly report many normal users as anomalies on busy days, which, in turn, leads to a high false positive rate. A method is provided based on compound behavior, which takes into consideration long-term patterns and group behaviors. The provided method leverages a novel behavior representation and an ensemble of deep autoencoders and produces an ordered investigation list.

Abstract: Autoencoder-based anomaly detection methods have been used in identifying anomalous users from large-scale enterprise logs with the assumption that adversarial activities do not follow past habitual patterns. Most existing approaches typically build models by reconstructing single-day and individual-user behaviors. However, without capturing long-term signals and group-correlation signals, the models cannot identify low-signal yet long-lasting threats, and will incorrectly report many normal users as anomalies on busy days, which, in turn, leads to a high false positive rate. A method is provided based on compound behavior, which takes into consideration long-term patterns and group behaviors. The provided method leverages a novel behavior representation and an ensemble of deep autoencoders and produces an ordered investigation list.

Abstract: The presently disclosed method and system exploits information and traces contained in DNS data to determine the maliciousness of a domain based on the relationship it has with other domains. A method may comprise providing data to a machine learning module that was previously trained on domain and IP address attributes or classifiers. The method then may comprise classifying apex domains and IP addresses based on the IP address and domain attributes or classifiers. Additionally, the method may comprise associated each of the domains and IP addresses based on the corresponding classification. The method may further comprise building a weighted domain graph at real-time utilizing the DNS data based on the aforementioned associations among domains. The method may then comprise assessing the maliciousness of a domain based on the weighted domain graph that was built.