Abstract: There are disclosed techniques for use in providing security in a computer network. In one embodiment, the techniques comprise a method including multiple steps. The method comprises receiving user access data characterizing user access with a protected resource within a computer network. The method also comprises evaluating the user access data to extract information therefrom that describes user access with respect to a feature of user access. The method also comprises determining a cardinality value in connection with the feature based on the extracted information and a maximum cardinality threshold. It should be appreciated that the cardinality value is limited by the maximum cardinality threshold such that the cardinality value cannot exceed the maximum cardinality threshold. The method also comprises presenting the cardinality value for facilitating fraud detection.

Abstract: A processing device in one embodiment comprises a processor coupled to a memory and is configured to generate access profiles for respective user identifiers, to obtain data characterizing a current access for a given one of the user identifiers, to extract a plurality of features from the data characterizing the current access for the given user identifier, and to generate feature risk scores based on the extracted features and the access profile for the given user identifier. The processing device is further configured to aggregate the feature risk scores into a composite risk score. The aggregation illustratively comprises weighting the feature risk scores utilizing automatically-set feature risk score weights. The composite risk score is compared to a threshold, and an alert is generated relating to the current access based on a result of comparing the composite risk score to the threshold.

Abstract: There are disclosed herein techniques for use in fraud detection. In one embodiment, there is disclosed a technique comprising receiving a request to authenticate an electronic transaction described by a particular value of an authentication factor. The technique also comprises analysing transaction data relating to prior electronic transactions to determine information in connection with the particular value of the authentication factor. The analysing comprising a first part and a second part that separately analyse transaction data relating to at least one prior electronic transaction such that one of the first and second parts distinguishes itself from the other of the first and second parts by the extent to which that one part discriminates against the at least one prior electronic transaction based on its age.

Abstract: Techniques of authenticating a new user involve classifying a new user as a member of a group based on the new user's current activity. Along these lines, when a new user enrolls in an authentication system, the authentication system places the new user in a group of new users that have not made any requests and are assumed to be high risks of making fraudulent requests. Once the new user makes a request to access a resource, the authentication system classifies the new user as a member of another group according to authentication factors describing activities surrounding the request.

Abstract: Methods and apparatus are provided for detecting suspicious network activity, such as in an enterprise network. An exemplary method comprises obtaining network event data for a plurality of user-server communications for a given user, determining a number of distinct servers the user communicated with during a predefined time window; determining a number of distinct servers the user failed in authenticating to during the predefined time window; and assigning a risk score to the user based on the number of distinct servers the user communicated with and the number of distinct servers the user failed in authenticating to during the predefined time window. Generally, the risk score provides a measure of an anomalousness of the user communicating with the number of servers during the predefined time window. An absolute score is optionally assigned based on an evaluation of the number of distinct servers the user communicated with during the predefined time window relative to a predefined threshold number.

Abstract: Methods and apparatus are provided for detecting suspicious network activity by new devices. An exemplary method comprises: obtaining network event data for a given entity that comprises a user or a user device; determining a number of distinct other entities associated with the given entity during a predefined short time window, wherein the distinct other entities comprise user devices used by the user if the given entity comprises a user and comprise users of the user device if the given entity comprises a user device; determining a number of distinct other entities associated with the given entity during a predefined longer time window; and assigning a risk score to the given entity based on (i) the number during the predefined short time window relative to the number during the predefined longer time window, and/or (ii) the number during the predefined short time window relative to a predefined number.

Abstract: Technology for providing risk-based authentication, in which a location N-gram is generated for each historical transaction, the location N-gram indicating both a location from which the historical transaction originated and at least one location from which at least one previous transaction performed by the user that performed the historical transaction originated. A counter corresponding to the location N-gram is identified and incremented in a behavior profile for the user. An anomalousness risk score for a current user transaction having the same location N-gram may be calculated based on a value of the counter. If the risk score exceeds a threshold, an alert may be issued or other action taken with regard to the current transaction. Techniques are provided that limit complexity resulting from using a series of locations to detect anomalous user behavior, and that reduce the sparseness of the generated historical behavior data.

Abstract: Methods and apparatus are provided for identifying suspicious domains using common user clustering. An exemplary method comprises obtaining network event data comprising a plurality of network connections; identifying users and domains associated with the network connections in the network event data; creating a connection between each user/domain pair that communicate with one another in the identified users and the identified domains to generate a graph; connecting domains in the graph using inter-domain edges that share common users to obtain a graph of interconnected domains; identifying bi-connected components in the graph of interconnected domains, wherein the bi-connected components comprise node pairs having at least two paths in the graph of interconnected domains between them; and processing the bi-connected components to identify a plurality of suspicious domains that are likely to participate in a computer security attack.

Abstract: Techniques of identifying fraud detection rule strength involve varying the rendering of a graph from transaction data. Along these lines, a rules server computer provides a general graph from a group of transaction entries defining a group of fraudulent and authentic transactions on an electronic display. A user defines selection criteria that the rules server computer applies to the group of transaction entries to generate a subgroup of transaction entries. From the subgroup of transaction entries, the rules server computer provides a focused graph on the electronic display from the subgroup of transaction entries defining a subgroup of the group of fraudulent and authentic transactions. A ratio of the number of fraudulent transactions to the number of authentic transactions represented in the focused graph identifies the strength of the selection criteria for use in a fraud detection rule.

Abstract: A system for generating virtual private network (VPN) sessions from VPN server log messages uses and displays a VPN sessions table in which each row contains attributes of a corresponding VPN session. Processing of a log message causes a session to be generated when there is no ACTIVE session in the table for a username extracted from a log message. A time extracted from the log message is stored as the session start time and as a temporary end time associated with the session. If a gap between a temporary end time and a time extracted from a log message for the associated ACTIVE session is less than a threshold amount, the temporary end time is set to the extracted time. If the gap is equal to or exceeds the threshold, the status of the session is changed from ACTIVE to CLOSED, and a new ACTIVE session is generated.

Abstract: A processing device in one embodiment comprises a processor coupled to a memory and is configured to generate access profiles for respective user identifiers, to obtain data characterizing a current access for a given one of the user identifiers, to extract a plurality of features from the data characterizing the current access for the given user identifier, and to generate feature risk scores based on the extracted features and the access profile for the given user identifier. The processing device is further configured to aggregate the feature risk scores into a composite risk score. The aggregation illustratively comprises weighting the feature risk scores as a function of their relative levels of riskiness. The composite risk score is compared to a threshold, and an alert is generated relating to the current access based on a result of comparing the composite risk score to the threshold.

Abstract: A processing device in one embodiment comprises a processor coupled to a memory and is configured to obtain data characterizing a plurality of network sessions for each of a plurality of user identifiers. The network sessions are initiated from a plurality of user devices over at least one network and may comprise respective virtual private network (VPN) sessions. The processing device is further configured to process the data characterizing the network sessions for a given one of the plurality of user identifiers to generate a network session profile for the given user identifier, the network session profile comprising a plurality of histograms for respective ones of a plurality of features extracted from the data characterizing the plurality of network sessions for the given user identifier. A risk score is generated for a current network session utilizing features extracted from the data characterizing that session and the network session profile.

Abstract: A method includes (a) collecting information on times at which domains were contacted by each device of a set of devices on a network, (b) for each domain contacted by the set of devices, recording a list of time gaps between subsequent contacts to that domain by each device, (c) for each domain, calculating an entropy for the list of time gaps for that domain, a lower entropy indicating that that domain has been accessed at more regular intervals, while a higher entropy indicates that that domain has been accessed at more random intervals, (d) selecting a subset of the set of domains having smaller entropies relative to other domains of the set of domains, and (e) presenting the selected subset to an administrator with directions to review domains of the subset for potential contact with malware installed on devices of the computer network.

Abstract: Techniques of identifying anomalous behavior on an electronic network involve iteratively combining groups of adjacent bins of a histogram in such a way as to minimize a measure of error in the histogram. Along these lines, a user behavior analytics server represents a user behavior factor with a histogram. The UBA server reduces a number of bins in the histogram by iteratively selecting groups of adjacent bins for combination. Upon each iteration, the group of bins that is selected for combination is the group which, when its bins are combined, minimizes differences between the values of the bins in that group and a value of the combined bin.

Abstract: Techniques of information sharing involve processing queries from exchanges with multiple, non-colluding servers. Along these lines, each server stores a share of the query data such that readable query data may be reproduced only through combining the shares stored on a minimum number of the servers. In addition, a client wishing to submit a query encrypts any query input as well as a query function that provides an answer to the query. The client then sends a portion of the garbled query function to each of the servers. Each of the servers then evaluates their respective portion of the garbled query function using Yao's protocol in a serial manner so that one of the servers produces a garbled output. The client then determines the answer to the query by decoding the garbled output.

Abstract: Techniques of performing impersonation detection involve using encrypted access request data. Along these lines, an impersonation detection server stores historical access request data only in encrypted form and has no way to decrypt such data. When a new access request is received by a client, the client sends the username associated with the request to the server, which in turns sends the client the encrypted historical access request data. In addition, the server sends the client instructions to perform impersonation detection. The client then carries out the instructions based on the encrypted historical access request data and data contained in the new access request.

Abstract: Techniques of performing queries involve adapting a query to whether query data is encrypted. Along these lines, a data sensitivity policy defines which types of data is encrypted prior to storage in a data analytics database and which other types of data remain unencrypted. When a client formulates a query, the client encrypts a query input and then conceals the encrypted query input and query function to form concealed query logic. When the concealed query logic is received by a data analytics server, the data analytics server determines whether the query data to be input into the concealed query logic is encrypted or unencrypted. If the query data is unencrypted, then the concealed query logic is unconcealed and the query input unencrypted so that the data analytics server may evaluate the query function without concealment to produce a query result.

Abstract: A system that permits authentication based on a partial password, in which a risk score is assigned to an authentication request, and a minimum partial password size is generated based on the risk score. User-entered password characters are compared to one or more partial passwords having lengths equal to or greater than the minimum partial password size. If a match is found, the user is authenticated. A password similarity threshold for the request may also be generated based on the risk score, indicating a minimum level of similarity required between the user-entered password characters and the characters in a partial password, in order for there to be a match. When the user-entered password characters match a partial password, and the requesting user is authenticated, the system may stop inputting user-entered password characters, and/or transmitting the user-entered password characters to a server computer.

Abstract: A computer-implemented technique provides security to an enterprise. The technique involves receiving, by processing circuitry, personal information belonging to users of the enterprise. The technique further involves providing, by the processing circuitry, lists of user identifiers based on user relationships defined by the personal information. The lists of user identifiers respectively identify clusters of users of the enterprise. The technique further involves electronically imposing, by the processing circuitry, security classes on the clusters of users of the enterprise based on the lists of user identifiers. Along these lines, such classification can be used for risk assessment (e.g., authentication), alert filtering (e.g., filtering false alarms), and permission/privilege monitoring and/or assignment, among others.

Abstract: A server is configured to communicate with a group of clients over a network in one embodiment. The server maps the group of clients into a plurality of subgroups of bounded size, communicates to a given one of the clients information identifying the particular subgroup to which that client belongs as well as the other clients in that subgroup. The given client utilizes the communicated information to generate a ring signature over the corresponding subgroup of clients based on the communicated information. The subgroup size may be bounded to a minimum size and a maximum size in accordance with a variable privacy parameter. The server can increase or decrease the value of the parameter in order to provide respective increased or decreased privacy to the clients, by making it respectively more or less difficult to determine which client in a corresponding one of the subgroups produced the received ring signature.