Patents by Inventor Eyal Firstenberg

Eyal Firstenberg has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11777971
    Abstract: Methods, apparatus and computer program products implement embodiments of the present invention that include collecting data packets transmitted between multiple entities over a network, and grouping the packets at least according to their source and destination entities and their times, into connections to which the packets belong. Pairs of the connections are identified having identical source and destination entities and times that are together within a specified time window, and sets of features are generated for the identified pairs of the connections. The features in the pairs are evaluated in order to detect a given pair of connections indicating malicious activity, and an alert is generated for the malicious activity.
    Type: Grant
    Filed: February 15, 2021
    Date of Patent: October 3, 2023
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Yinnon Meshi, Idan Amit, Eyal Firstenberg, Jonathan Allon, Yaron Neuman
  • Publication number: 20230080654
    Abstract: Identifying causal relationships between outlier telemetry events in telemetry metric data using machine learning ensembles of an autoencoder and an attention mechanism provides an automated framework for root cause analysis. Outlier telemetry events are detected across a cloud of telemetry events using unsupervised learning models. To establish a causal relationship between outlier telemetry events, autoencoder/attention mechanism ensembles are trained for pairs of telemetry metrics. When inputs of sequences of telemetry events of a first telemetry metric and a second telemetry metric to the ensemble have sufficiently high loss value, a causal relationship is inferred. Internal node values of the attention mechanism from the input identify specific time stamps for the first telemetry metric that have a causal relationship with the outlier telemetry event.
    Type: Application
    Filed: September 13, 2021
    Publication date: March 16, 2023
    Inventors: Zhen Han Si, Claudionor Jose Nunes Coelho, JR., Viswesh Ananthakrishnan, Eyal Firstenberg
  • Patent number: 11468358
    Abstract: A method, including collecting communication sessions, and generating samples from the sessions. Classifiers are applied to the samples, thereby computing a classifier prediction for each sample, and based on the classifier predictions, respective aggregated predictions are determined for the samples. Based on the classifier and the aggregated predictions, a precision and a hit rate for each classifier and a positive rate are computed, and based on the aggregated predictions, a subset of the samples are selected. Using the selected subset, a model including the classifiers is computed based on the precisions, the hit rates and the positive rate, and the model is applied to the samples, thereby updating the classifier and the aggregate predictions. The steps of computing the precision and the hit rate, selecting the subset, computing the model and applying the model are repeated until meeting a halting condition, and using the model, additional communication sessions are scanned.
    Type: Grant
    Filed: June 12, 2018
    Date of Patent: October 11, 2022
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Idan Amit, Eyal Firstenberg, Yinnon Meshi
  • Publication number: 20220318386
    Abstract: A report generated from analysis of a software sample is obtained and parsed. A root node of a causality tree is determined based on source-target relationships and a primary malware instance indicated in the report. Actions, behaviors, and additional malware instances are identified based on the report. Additional relationships among the data which are not explicitly represented are extracted from further parsing and processing of the report by tracing the relationships in the report data starting from the data of the entity represented by the root node, with child nodes added for processes and files discovered from the tracing. For each entity for which a node is added to the causality tree, counts of the related behaviors and actions are determined and associated with the node along with the corresponding details. A GUI depiction of the resulting causality tree is generated and displayed for visualizing and navigating the causality tree.
    Type: Application
    Filed: March 31, 2021
    Publication date: October 6, 2022
    Inventors: Swati Vaibhav Bhosale, Eyal Firstenberg, Edward Thomas Spencer, Christopher Jacobs
  • Publication number: 20210168163
    Abstract: Methods, apparatus and computer program products implement embodiments of the present invention that include collecting data packets transmitted between multiple entities over a network, and grouping the packets at least according to their source and destination entities and their times, into connections to which the packets belong. Pairs of the connections are identified having identical source and destination entities and times that are together within a specified time window, and sets of features are generated for the identified pairs of the connections. The features in the pairs are evaluated in order to detect a given pair of connections indicating malicious activity, and an alert is generated for the malicious activity.
    Type: Application
    Filed: February 15, 2021
    Publication date: June 3, 2021
    Inventors: Yinnon Meshi, Idan Amit, Eyal Firstenberg, Jonathan Allon, Yaron Neuman
  • Patent number: 10999304
    Abstract: Methods, apparatus and computer program products implement embodiments of the present invention that include collecting data packets transmitted between multiple entities over a network, and grouping the packets at least according to their source and destination entities and their times, into connections to which the packets belong. Pairs of the connections are identified having identical source and destination entities and times that are together within a specified time window, and sets of features are generated for the identified pairs of the connections. The features in the pairs are evaluated in order to detect a given pair of connections indicating malicious activity, and an alert is generated for the malicious activity.
    Type: Grant
    Filed: April 11, 2018
    Date of Patent: May 4, 2021
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Yinnon Meshi, Idan Amit, Eyal Firstenberg, Jonathan Allon, Yaron Neuman
  • Patent number: 10686829
    Abstract: A method including extracting, from initial data transmitted on a network, multiple events, each of the events including a user accessing a resource. First and second sets of records are created, each first set record including a sub-group of the events of a user, each second set record including a sub-group of the events of multiple users during respective sub-periods of a training period. Safe labels are assigned to the first set records and suspicious labels are assigned to the second set records. An analysis fits, to the first and the second set records and their respective labels, a model for predicting the label for a given record. The model filters subsequent network data to identify, in the subsequent data, sequences of events predicted to be labeled suspicious by the model, and upon detecting a given sequence of events predicted as suspicious by the model, an alert is generated.
    Type: Grant
    Filed: September 4, 2017
    Date of Patent: June 16, 2020
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Idan Amit, Eyal Firstenberg, Jonathan Allon, Yaron Neuman
  • Patent number: 10645110
    Abstract: A method for computer system forensics includes receiving an identification of at least one host computer that has exhibited an anomalous behavior, in a computer network comprising multiple host computers. Respective images of the host computers in the network are assembled using image information collected with regard to the host computers. A comparison is made between at least one positive image of the at least one host computer, assembled using the image information collected following occurrence of the anomalous behavior, and one or more negative images assembled using the image information collected with respect to one or more of the host computers not exhibiting the anomalous behavior. Based on the comparison, a forensic indicator of the anomalous behavior is extracted from the positive and negative images.
    Type: Grant
    Filed: April 18, 2018
    Date of Patent: May 5, 2020
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Michael Mumcuoglu, Giora Engel, Eyal Firstenberg
  • Patent number: 10574681
    Abstract: A method, including collecting information on data transmitted at respective times between multiple endpoints and multiple Internet sites having respective domains, and acquiring, from one or more external or internal sources, maliciousness information for the domains. An access time profile is generated based on the times of the transmissions to the domains, and a popularity profile is generated based on the transmissions to the domains. A malicious domain profile is generated based on the acquired maliciousness information, and the collected information is modeled using the access time profile, the popularity profile and the malicious domain profile. Based on their respective modeled collected information, one or more of the domains is predicted to be suspicious, and an alert is generated for the one or more identified domains.
    Type: Grant
    Filed: September 4, 2017
    Date of Patent: February 25, 2020
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Yinnon Meshi, Jonathan Allon, Eyal Firstenberg, Yaron Neuman, Dekel Paz, Idan Amit
  • Publication number: 20190319981
    Abstract: Methods, apparatus and computer program products implement embodiments of the present invention that include collecting data packets transmitted between multiple entities over a network, and grouping the packets at least according to their source and destination entities and their times, into connections to which the packets belong. Pairs of the connections are identified having identical source and destination entities and times that are together within a specified time window, and sets of features are generated for the identified pairs of the connections. The features in the pairs are evaluated in order to detect a given pair of connections indicating malicious activity, and an alert is generated for the malicious activity.
    Type: Application
    Filed: April 11, 2018
    Publication date: October 17, 2019
    Inventors: Yinnon Meshi, Idan Amit, Eyal Firstenberg, Jonathan Allon, Yaron Neuman
  • Patent number: 10425436
    Abstract: A method, including collecting data transmitted from endpoints to Internet sites having respective domains and respective IP addresses, and transmissions to IP addresses of ASN numbers or ASN names included in a list of ASNs. An ASN data traffic model is generated by modeling, for each given ASN, data transmitted to any of the IP addresses of the given ASN based on the data, and for each given ASN and a set of keywords, multiple web searches are performed, each of the web searches including a given keyword and an ASN name or a number for the given ASN. Based on the web searches, a model of relationships between the keywords and the ASNs is generated, and one or more of the ASNs are predicted to be suspicious based on their respective modeled data transmissions and their respective modeled relationships between the keywords and the one or more ASNs.
    Type: Grant
    Filed: September 4, 2017
    Date of Patent: September 24, 2019
    Assignee: Palo Alto Networks (Israel Analytics) Ltd.
    Inventors: Eyal Firstenberg, Yinnon Meshi, Idan Amit, Jonathan Allon, Keren Mizinski
  • Publication number: 20190164086
    Abstract: A method, including collecting communication sessions, and generating samples from the sessions. Classifiers are applied to the samples, thereby computing a classifier prediction for each sample, and based on the classifier predictions, respective aggregated predictions are determined for the samples. Based on the classifier and the aggregated predictions, a precision and a hit rate for each classifier and a positive rate are computed, and based on the aggregated predictions, a subset of the samples are selected. Using the selected subset, a model including the classifiers is computed based on the precisions, the hit rates and the positive rate, and the model is applied to the samples, thereby updating the classifier and the aggregate predictions. The steps of computing the precision and the hit rate, selecting the subset, computing the model and applying the model are repeated until meeting a halting condition, and using the model, additional communication sessions are scanned.
    Type: Application
    Filed: June 12, 2018
    Publication date: May 30, 2019
    Inventors: Idan Amit, Eyal Firstenberg, Yinnon Meshi
  • Publication number: 20180367556
    Abstract: A method for computer system forensics includes receiving an identification of at least one host computer that has exhibited an anomalous behavior, in a computer network comprising multiple host computers. Respective images of the host computers in the network are assembled using image information collected with regard to the host computers. A comparison is made between at least one positive image of the at least one host computer, assembled using the image information collected following occurrence of the anomalous behavior, and one or more negative images assembled using the image information collected with respect to one or more of the host computers not exhibiting the anomalous behavior. Based on the comparison, a forensic indicator of the anomalous behavior is extracted from the positive and negative images.
    Type: Application
    Filed: April 18, 2018
    Publication date: December 20, 2018
    Inventors: Michael Mumcuoglu, Giora Engel, Eyal Firstenberg
  • Patent number: 10075461
    Abstract: A method for monitoring includes defining a plurality of different types of administrative activities in a computer system. Each administrative activity in the plurality includes an action performed by one of the computers in the system that can be invoked only by a user having an elevated level of privileges in the system. The administrative activities performed by at least a group of the computers in the system are tracked automatically. Upon detecting that a given computer in the system has performed an anomalous combination of at least two of the different types of administrative activities, an action is initiated to inhibit malicious exploitation of the given computer.
    Type: Grant
    Filed: May 31, 2015
    Date of Patent: September 11, 2018
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Michael Mumcuoglu, Giora Engel, Yaron Neuman, Eyal Firstenberg
  • Patent number: 9979742
    Abstract: A method for computer system forensics includes receiving an identification of an anomalous message transmitted by a host computer in a computer network comprising multiple host computers. Messages transmitted by the host computers are monitored so as to detect, for each monitored message, a respective process that initiated the message. Responsively to the identification, a forensic indicator is extracted of the respective process that initiated the anomalous message.
    Type: Grant
    Filed: October 6, 2016
    Date of Patent: May 22, 2018
    Assignee: Palo Alto Networks (Israel Analytics) Ltd.
    Inventors: Michael Mumcuoglu, Giora Engel, Eyal Firstenberg
  • Patent number: 9979739
    Abstract: A method for computer system forensics includes receiving an identification of at least one host computer (26) that has exhibited an anomalous behavior, in a computer network (24) comprising multiple host computers. Respective images (68) of the host computers in the network are assembled using image information collected with regard to the host computers. A comparison is made between at least one positive image of the at least one host computer, assembled using the image information collected following occurrence of the anomalous behavior, and one or more negative images assembled using the image information collected with respect to one or more of the host computers not exhibiting the anomalous behavior. Based on the comparison, a forensic indicator of the anomalous behavior is extracted from the positive and negative images.
    Type: Grant
    Filed: January 15, 2014
    Date of Patent: May 22, 2018
    Assignee: Palo Alto Networks (Israel Analytics) Ltd.
    Inventors: Michael Mumcuoglu, Giora Engel, Eyal Firstenberg
  • Publication number: 20180069883
    Abstract: A method, including collecting information on data transmitted at respective times between multiple endpoints and multiple Internet sites having respective domains, and acquiring, from one or more external or internal sources, maliciousness information for the domains. An access time profile is generated based on the times of the transmissions to the domains, and a popularity profile is generated based on the transmissions to the domains. A malicious domain profile is generated based on the acquired maliciousness information, and the collected information is modeled using the access time profile, the popularity profile and the malicious domain profile. Based on their respective modeled collected information, one or more of the domains is predicted to be suspicious, and an alert is generated for the one or more identified domains.
    Type: Application
    Filed: September 4, 2017
    Publication date: March 8, 2018
    Inventors: Yinnon Meshi, Jonathan Allon, Eyal Firstenberg, Yaron Neuman, Dekel Paz, Idan Amit
  • Publication number: 20180069884
    Abstract: A method, including collecting data transmitted from endpoints to Internet sites having respective domains and respective IP addresses, and transmissions to IP addresses of ASN numbers or ASN names included in a list of ASNs. An ASN data traffic model is generated by modeling, for each given ASN, data transmitted to any of the IP addresses of the given ASN based on the data, and for each given ASN and a set of keywords, multiple web searches are performed, each of the web searches including a given keyword and an ASN name or a number for the given ASN. Based on the web searches, a model of relationships between the keywords and the ASNs is generated, and one or more of the ASNs are predicted to be suspicious based on their respective modeled data transmissions and their respective modeled relationships between the keywords and the one or more ASNs.
    Type: Application
    Filed: September 4, 2017
    Publication date: March 8, 2018
    Inventors: Eyal Firstenberg, Yinnon Meshi, Idan Amit, Jonathan Allon, Keren Mizinski
  • Publication number: 20180069893
    Abstract: A method including extracting, from initial data transmitted on a network, multiple events, each of the events including a user accessing a resource. First and second sets of records are created, each first set record including a sub-group of the events of a user, each second set record including a sub-group of the events of multiple users during respective sub-periods of a training period. Safe labels are assigned to the first set records and suspicious labels are assigned to the second set records. An analysis fits, to the first and the second set records and their respective labels, a model for predicting the label for a given record. The model filters subsequent network data to identify, in the subsequent data, sequences of events predicted to be labeled suspicious by the model, and upon detecting a given sequence of events predicted as suspicious by the model, an alert is generated.
    Type: Application
    Filed: September 4, 2017
    Publication date: March 8, 2018
    Inventors: Idan Amit, Eyal Firstenberg, Jonathan Allon, Yaron Neuman
  • Publication number: 20170054744
    Abstract: A method for monitoring includes defining a plurality of different types of administrative activities in a computer system. Each administrative activity in the plurality includes an action performed by one of the computers in the system that can be invoked only by a user having an elevated level of privileges in the system. The administrative activities performed by at least a group of the computers in the system are tracked automatically. Upon detecting that a given computer in the system has performed an anomalous combination of at least two of the different types of administrative activities, an action is initiated to inhibit malicious exploitation of the given computer.
    Type: Application
    Filed: May 31, 2015
    Publication date: February 23, 2017
    Inventors: Michael Mumcuoglu, Giora Engel, Yaron Neuman, Eyal Firstenberg
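Worked illustration of the connection-pairing family (patent 11777971, 10999304 and publications 20210168163, 20190319981): packets are grouped into connections by source, destination and an idle gap, consecutive connections between the same entities inside a time window are paired, and a feature set per pair is evaluated. This is an added example written for this page, not code from the patents or from Palo Alto Networks; the packet records are constructed, and the idle timeout, the pairing window and the "small connection followed by a much larger one" rule are assumptions standing in for whatever features and evaluation the patents actually use.

```python
"""Pair network connections within a time window and score each pair.

Added example. The packet records, IDLE_TIMEOUT, PAIR_WINDOW and the rule in
evaluate() are assumptions, not the patented parameters or features.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed packet records: (timestamp_seconds, src, dst, payload_bytes)
PACKETS = [
    (0.0, "10.0.0.5", "203.0.113.9", 120),
    (0.2, "10.0.0.5", "203.0.113.9", 80),
    (0.4, "10.0.0.5", "203.0.113.9", 95),
    # 15 s of silence closes the first connection; the next one carries far more data
    (15.5, "10.0.0.5", "203.0.113.9", 50_000),
    (15.9, "10.0.0.5", "203.0.113.9", 52_000),
    (16.3, "10.0.0.5", "203.0.113.9", 48_000),
    # another entity pair whose two connections are too far apart to be paired
    (3.0, "10.0.0.7", "198.51.100.2", 500),
    (900.0, "10.0.0.7", "198.51.100.2", 600),
]

IDLE_TIMEOUT = 5.0  # seconds of silence that ends a connection (assumption)
PAIR_WINDOW = 60.0  # max gap between two connections that are paired (assumption)


@dataclass
class Connection:
    src: str
    dst: str
    start: float
    end: float
    packets: int
    total_bytes: int


def group_connections(packets, idle_timeout=IDLE_TIMEOUT):
    """Group packets into connections keyed by (src, dst), splitting on idle gaps."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in sorted(packets):
        by_pair[(src, dst)].append((ts, nbytes))
    conns = []
    for (src, dst), pkts in by_pair.items():
        cur = None
        for ts, nbytes in pkts:
            if cur is None or ts - cur.end > idle_timeout:
                cur = Connection(src, dst, ts, ts, 0, 0)
                conns.append(cur)
            cur.end = ts
            cur.packets += 1
            cur.total_bytes += nbytes
    return conns


def pair_connections(conns, window=PAIR_WINDOW):
    """Consecutive connections with identical endpoints whose gap is within the window."""
    by_pair = defaultdict(list)
    for c in conns:
        by_pair[(c.src, c.dst)].append(c)
    pairs = []
    for cs in by_pair.values():
        cs.sort(key=lambda c: c.start)
        for a, b in zip(cs, cs[1:]):
            if b.start - a.end <= window:
                pairs.append((a, b))
    return pairs


def pair_features(a, b):
    """Timing and volume features describing how the second connection relates to the first."""
    return {
        "gap": b.start - a.end,
        "first_bytes": a.total_bytes,
        "second_bytes": b.total_bytes,
        "bytes_ratio": b.total_bytes / max(a.total_bytes, 1),
        "first_duration": a.end - a.start,
        "second_duration": b.end - b.start,
    }


def evaluate(pairs, ratio_threshold=100.0):
    """Hypothetical rule: a small connection quickly followed by a much larger one to
    the same destination (check-in, then bulk transfer). Returns (src, dst, features)."""
    alerts = []
    for a, b in pairs:
        f = pair_features(a, b)
        if f["first_bytes"] < 1000 and f["bytes_ratio"] >= ratio_threshold:
            alerts.append((a.src, a.dst, f))
    return alerts


def run(packets=PACKETS):
    return evaluate(pair_connections(group_connections(packets)))


if __name__ == "__main__":
    for src, dst, f in run():
        print(f"ALERT {src} -> {dst}: {f}")
```

The idle-timeout grouping is the part worth tuning on real traffic: too short and one long-lived session fragments into many "pairs", too long and distinct sessions merge and the pairing step has nothing to compare.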
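Worked illustration of the causality-tree construction in publication 20220318386: a sandbox report is parsed, the primary malware instance becomes the root, source-target relationships are traced downward to add child nodes for processes and files, and each node carries counts of the behaviours and actions attributed to it. This is an added example and not the application's or any sandbox vendor's code; the report schema (the REPORT dictionary) is constructed for illustration, and the text rendering stands in for the GUI depiction the application describes.

```python
"""Build a causality tree from a (constructed) sandbox analysis report.

Added example. The report schema is an assumption made for illustration and
does not reproduce any real sandbox report format.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed report: primary sample, explicit relationships, behaviours, actions, verdicts.
REPORT = {
    "primary": "proc:dropper.exe",
    "relationships": [  # (source, target, relation)
        ("proc:dropper.exe", "file:C:\\Temp\\pay.dll", "wrote"),
        ("proc:dropper.exe", "proc:rundll32.exe", "spawned"),
        ("proc:rundll32.exe", "file:C:\\Temp\\pay.dll", "loaded"),
        ("proc:rundll32.exe", "proc:cmd.exe", "spawned"),
        ("proc:cmd.exe", "file:C:\\Users\\Public\\out.txt", "wrote"),
        ("proc:explorer.exe", "proc:dropper.exe", "spawned"),  # parent of the root; not traced downward
    ],
    "behaviors": [  # (entity, behaviour name)
        ("proc:dropper.exe", "drops_executable"),
        ("proc:rundll32.exe", "loads_unsigned_dll"),
        ("proc:cmd.exe", "writes_to_public_dir"),
    ],
    "actions": [  # (entity, low-level action)
        ("proc:dropper.exe", "CreateFile"), ("proc:dropper.exe", "CreateProcess"),
        ("proc:rundll32.exe", "LoadLibrary"), ("proc:rundll32.exe", "CreateProcess"),
        ("proc:cmd.exe", "CreateFile"),
    ],
    "malware": ["proc:dropper.exe", "file:C:\\Temp\\pay.dll"],  # additional malware instances
}


@dataclass
class Node:
    entity: str
    relation: Optional[str] = None   # relation from the parent to this node
    behavior_count: int = 0
    action_count: int = 0
    behaviors: List[str] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)
    is_malware: bool = False
    children: List["Node"] = field(default_factory=list)


def build_causality_tree(report):
    """Trace source->target relationships from the primary instance, adding a child node
    for every process or file reached, with its behaviour and action counts attached."""
    edges = defaultdict(list)
    for src, dst, rel in report["relationships"]:
        edges[src].append((dst, rel))
    behaviors = defaultdict(list)
    for ent, b in report["behaviors"]:
        behaviors[ent].append(b)
    actions = defaultdict(list)
    for ent, a in report["actions"]:
        actions[ent].append(a)
    malware = set(report.get("malware", []))

    def make(entity, relation, on_path):
        node = Node(entity, relation, len(behaviors[entity]), len(actions[entity]),
                    behaviors[entity], actions[entity], entity in malware)
        for child, rel in edges.get(entity, []):
            if child in on_path:  # guard against cycles in the report data
                continue
            node.children.append(make(child, rel, on_path | {child}))
        return node

    root = report["primary"]
    return make(root, None, {root})


def render(node, depth=0):
    """Indented text rendering of the tree, one line per node."""
    tag = " [malware]" if node.is_malware else ""
    rel = f"--{node.relation}--> " if node.relation else ""
    lines = [f"{'  ' * depth}{rel}{node.entity}{tag} "
             f"(behaviors={node.behavior_count}, actions={node.action_count})"]
    for c in node.children:
        lines.extend(render(c, depth + 1))
    return lines


def count_nodes(node):
    return 1 + sum(count_nodes(c) for c in node.children)


if __name__ == "__main__":
    print("\n".join(render(build_causality_tree(REPORT))))
```

Two details matter in practice: the tracing only follows edges away from the root, so an ancestor such as explorer.exe never enters the tree, and an entity reached by two different paths (pay.dll, written by the dropper and later loaded by rundll32) appears once per path, which is what makes the "who did what to it" relationship visible when navigating the tree.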
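Worked illustration of the labelling scheme in patent 10686829 (publication 20180069893): records built from one user's events are labelled safe, records built by mixing several users' events from the same sub-period are labelled suspicious, a model is fitted to both, and subsequent per-user event sequences are scanned with it. This is an added example, not code from the patent or its assignee; the access events are constructed, and the two features (distinct resources, distinct resource groups) and the Gaussian naive Bayes model are assumptions chosen to keep the example self-contained.

```python
"""Safe = one user's events, suspicious = several users' events mixed, fit and scan.

Added example. Events, the two features and the Gaussian naive Bayes model are
assumptions, not the patented feature set or learning method.
"""
from collections import defaultdict
from itertools import combinations
from math import log, pi

# Constructed training events: (time_bucket, user, resource)
EVENTS = [
    (1, "alice", "share:hr/payroll"), (1, "alice", "share:hr/benefits"), (2, "alice", "share:hr/payroll"),
    (1, "bob", "share:eng/src"), (2, "bob", "share:eng/ci"), (2, "bob", "share:eng/src"),
    (1, "carol", "share:fin/ledger"), (2, "carol", "share:fin/ap"), (2, "carol", "share:fin/ledger"),
    (1, "dave", "share:eng/src"), (1, "dave", "share:eng/docs"), (2, "dave", "share:eng/ci"),
]

# Constructed subsequent events: eve's single account touches three departments' shares
NEW_EVENTS = [
    (3, "eve", "share:hr/payroll"), (3, "eve", "share:eng/src"), (3, "eve", "share:fin/ledger"),
    (3, "frank", "share:eng/src"), (3, "frank", "share:eng/ci"),
]


def group_prefix(resource):
    return resource.split("/")[0]  # e.g. "share:hr"


def features(resources):
    """Two features per record: distinct resources and distinct resource groups."""
    return [len(set(resources)), len({group_prefix(r) for r in resources})]


def build_records(events):
    """Safe records: each user's own events. Suspicious records: the events of two users
    from the same time bucket, which mimics one account doing several users' work."""
    per_user = defaultdict(list)
    per_bucket = defaultdict(lambda: defaultdict(list))
    for t, user, res in events:
        per_user[user].append(res)
        per_bucket[t][user].append(res)
    records = [(features(rs), "safe") for rs in per_user.values()]
    for users in per_bucket.values():
        for u1, u2 in combinations(sorted(users), 2):
            records.append((features(users[u1] + users[u2]), "suspicious"))
    return records


def fit(records, min_var=0.25):
    """Gaussian naive Bayes: log prior plus per-feature mean and (floored) variance per class."""
    by_class = defaultdict(list)
    for x, y in records:
        by_class[y].append(x)
    model = {}
    for y, xs in by_class.items():
        n = len(xs)
        means = [sum(col) / n for col in zip(*xs)]
        variances = [max(sum((v - m) ** 2 for v in col) / n, min_var)
                     for col, m in zip(zip(*xs), means)]
        model[y] = (log(n / len(records)), means, variances)
    return model


def predict(model, x):
    """Class with the highest log posterior for feature vector x."""
    best, best_ll = None, float("-inf")
    for y, (prior, means, variances) in model.items():
        ll = prior + sum(-0.5 * log(2 * pi * v) - (xi - m) ** 2 / (2 * v)
                         for xi, m, v in zip(x, means, variances))
        if ll > best_ll:
            best, best_ll = y, ll
    return best


def scan(model, events):
    """Apply the model to subsequent data: one record per user, alert when suspicious."""
    per_user = defaultdict(list)
    for _, user, res in events:
        per_user[user].append(res)
    return [u for u, rs in per_user.items() if predict(model, features(rs)) == "suspicious"]


if __name__ == "__main__":
    print("suspicious users:", scan(fit(build_records(EVENTS)), NEW_EVENTS))
```

The point of the construction is that no hand-labelled attack data is needed: mixing users produces a synthetic "many people's work from one account" class, and a record that looks like that (eve above) is flagged while a normal single-department user (frank) is not. With so few training records the variance floor is what keeps the model from being overconfident.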
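Worked illustration of the positive/negative image comparison in patents 10645110 and 9979739 (publication 20180367556): an image assembled from a host after it showed anomalous behaviour is compared with images of hosts that did not, and the difference is the forensic indicator. This is an added example, not the patents' or assignee's code; the image format (a set of artifact strings per host) and the three host images are constructed, and the rarity ranking is a generalisation I added for fleets where strict absence from every clean host is too brittle a test.

```python
"""Extract a forensic indicator by comparing a positive host image with negative ones.

Added example. The image representation (a set of artifact strings per host) and
the sample images are assumptions constructed for illustration.
"""

# Constructed images: artifacts observed on each host (processes, autoruns, services).
IMAGES = {
    "ws-17": {  # host that exhibited the anomaly; image collected afterwards (positive)
        "proc:C:\\Windows\\System32\\svchost.exe",
        "proc:C:\\Users\\a\\AppData\\Local\\Temp\\upd.exe",
        "run:HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
        "svc:WinDefend",
    },
    "ws-03": {  # clean host (negative)
        "proc:C:\\Windows\\System32\\svchost.exe",
        "proc:C:\\Program Files\\Mozilla Firefox\\firefox.exe",
        "svc:WinDefend",
    },
    "ws-09": {  # clean host (negative)
        "proc:C:\\Windows\\System32\\svchost.exe",
        "proc:C:\\Program Files\\Mozilla Firefox\\firefox.exe",
        "svc:WinDefend",
    },
}


def forensic_indicator(images, positive_hosts, negative_hosts):
    """Artifacts present in every positive image and absent from every negative image."""
    positive = set.intersection(*(images[h] for h in positive_hosts))
    negative = set().union(*(images[h] for h in negative_hosts))
    return sorted(positive - negative)


def missing_from_positive(images, positive_hosts, negative_hosts):
    """Complementary signal: artifacts every clean host has but the anomalous host lacks
    (for example a security service that was stopped)."""
    common_negative = set.intersection(*(images[h] for h in negative_hosts))
    positive = set().union(*(images[h] for h in positive_hosts))
    return sorted(common_negative - positive)


def rank_by_rarity(images, positive_hosts, negative_hosts):
    """Soft variant for large fleets: score each positive artifact by the share of negative
    images that also contain it (0.0 = on no clean host), rarest first."""
    positive = set.intersection(*(images[h] for h in positive_hosts))
    n = len(negative_hosts)
    scored = {a: sum(a in images[h] for h in negative_hosts) / n for a in positive}
    return sorted(scored.items(), key=lambda kv: (kv[1], kv[0]))


if __name__ == "__main__":
    print("indicator:", forensic_indicator(IMAGES, ["ws-17"], ["ws-03", "ws-09"]))
    print("missing:  ", missing_from_positive(IMAGES, ["ws-17"], ["ws-03", "ws-09"]))
    for artifact, share in rank_by_rarity(IMAGES, ["ws-17"], ["ws-03", "ws-09"]):
        print(f"{share:.2f}  {artifact}")
```

Choosing the negative set is where this succeeds or fails: negatives should be hosts of the same role and build as the positive one, otherwise the difference is dominated by legitimate configuration drift rather than by the intrusion.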
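Worked illustration of the domain profiling in patent 10574681 (publication 20180069883): a popularity profile (how many endpoints contact a domain), an access time profile (how regular the contacts are) and a malicious domain profile (from an external feed) are built from the collected transmissions and combined to predict suspicious domains. This is an added example and not the patent's or assignee's model; the records and the feed are constructed, and using the coefficient of variation of inter-access gaps as the access time profile, plus the thresholds in suspicious_domains(), are assumptions.

```python
"""Profile domains by popularity, access-time regularity and threat-feed information.

Added example. The records, MALICIOUS_INFO, the cadence heuristic and the thresholds
are assumptions, not the patented profiles or model.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy/DNS records: (timestamp_seconds, endpoint, domain)
RECORDS = [
    # one endpoint contacting a rare domain every 300 s (beacon-like)
    *[(t, "pc-11", "cdn-sync-update.example") for t in range(0, 3000, 300)],
    # a popular domain used by many endpoints at irregular times
    (12, "pc-11", "mail.example"), (47, "pc-02", "mail.example"), (390, "pc-05", "mail.example"),
    (610, "pc-09", "mail.example"), (1801, "pc-02", "mail.example"), (2444, "pc-13", "mail.example"),
    # a domain visited once that an external feed already flags
    (75, "pc-05", "bad-actor.example"),
]
# Constructed maliciousness information (e.g. an external feed): domain -> score in [0, 1]
MALICIOUS_INFO = {"bad-actor.example": 0.9}


def popularity_profile(records):
    """Number of distinct endpoints that contacted each domain."""
    endpoints = defaultdict(set)
    for _, ep, dom in records:
        endpoints[dom].add(ep)
    return {dom: len(s) for dom, s in endpoints.items()}


def access_time_profile(records):
    """Regularity of access per domain: coefficient of variation of the inter-access
    gaps for the endpoint with the most accesses (near 0 = machine-like cadence).
    None when no endpoint has at least three accesses."""
    per = defaultdict(lambda: defaultdict(list))
    for ts, ep, dom in records:
        per[dom][ep].append(ts)
    profile = {}
    for dom, by_ep in per.items():
        times = sorted(max(by_ep.values(), key=len))
        if len(times) < 3:
            profile[dom] = None
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        profile[dom] = pstdev(gaps) / m if m > 0 else None
    return profile


def suspicious_domains(records, malicious_info, max_popularity=2, max_cv=0.1, min_malicious=0.5):
    """Combine the three profiles: a domain is predicted suspicious when it is rare and
    accessed on a regular cadence, or when the acquired maliciousness information flags it."""
    popularity = popularity_profile(records)
    cadence = access_time_profile(records)
    alerts = {}
    for dom in popularity:
        reasons = []
        cv = cadence[dom]
        if popularity[dom] <= max_popularity and cv is not None and cv <= max_cv:
            reasons.append(f"rare domain with regular access cadence (cv={cv:.2f})")
        if malicious_info.get(dom, 0.0) >= min_malicious:
            reasons.append(f"threat feed score {malicious_info[dom]}")
        if reasons:
            alerts[dom] = reasons
    return alerts


if __name__ == "__main__":
    for dom, reasons in suspicious_domains(RECORDS, MALICIOUS_INFO).items():
        print(dom, "->", "; ".join(reasons))
```

The popularity profile is what keeps the cadence check from firing on update servers and telemetry endpoints that the whole fleet polls on a timer: those are regular too, but not rare.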
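Worked illustration of the administrative-activity monitoring in patent 10075461 (publication 20170054744): a set of privileged activity types is defined, the types each computer performs are tracked, and a computer that performs an anomalous combination of at least two types triggers a response. This is an added example and not the patent's or assignee's code; the activity types, the training and current event sets, the "combination seen on too few hosts during training" definition of anomalous, and the alert/isolate policy are all assumptions.

```python
"""Detect anomalous combinations of administrative activity types per host.

Added example. The activity types, events, rarity threshold and response policy
are assumptions, not the patented definitions.
"""
from collections import defaultdict
from itertools import combinations

# Constructed events from a training window: (host, activity_type).
# Each type stands for an action that requires elevated privileges on the host.
TRAINING = [
    ("dc-01", "account_create"), ("dc-01", "group_change"), ("dc-01", "gpo_edit"),
    ("admin-ws", "remote_exec"), ("admin-ws", "service_install"),
    ("admin-ws", "account_create"), ("admin-ws", "group_change"),
    ("hr-pc-4", "service_install"),   # a software push: a single type only
    ("fin-pc-2", "service_install"), ("fin-pc-2", "remote_exec"),
]

# Constructed events from the monitored window
CURRENT = [
    ("dc-01", "account_create"), ("dc-01", "group_change"),
    ("hr-pc-4", "remote_exec"), ("hr-pc-4", "account_create"), ("hr-pc-4", "lsass_read"),
]


def type_sets(events):
    """Map each host to the set of administrative activity types it performed."""
    per_host = defaultdict(set)
    for host, atype in events:
        per_host[host].add(atype)
    return per_host


def combination_support(events):
    """Number of hosts that performed each pair of activity types."""
    support = defaultdict(int)
    for types in type_sets(events).values():
        for pair in combinations(sorted(types), 2):
            support[pair] += 1
    return support


def anomalous_combinations(training, current, min_support=1):
    """(host, pair) findings where a host performs two activity types whose co-occurrence
    was seen on fewer than min_support hosts in training and not on this host before."""
    support = combination_support(training)
    baseline = type_sets(training)
    findings = []
    for host, types in type_sets(current).items():
        for pair in combinations(sorted(types), 2):
            seen_on_host = set(pair) <= baseline.get(host, set())
            if support.get(pair, 0) < min_support and not seen_on_host:
                findings.append((host, pair))
    return findings


def response_actions(findings, isolate_at=2):
    """Hypothetical policy: isolate hosts with several anomalous combinations, else alert."""
    per_host = defaultdict(int)
    for host, _ in findings:
        per_host[host] += 1
    return {h: ("isolate" if n >= isolate_at else "alert") for h, n in per_host.items()}


if __name__ == "__main__":
    found = anomalous_combinations(TRAINING, CURRENT)
    for host, pair in found:
        print(f"{host}: {' + '.join(pair)}")
    print(response_actions(found))
```

Pairs of types rather than single types are the key: service installs and remote execution are each routine on the right hosts, but a workstation that has only ever received software pushes suddenly creating accounts and reading LSASS memory is the combination that is worth acting on. Raising min_support trades false positives on small fleets for missed detections on large ones.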