Abstract: A virtual private network (VPN) security system obtains data regarding a VPN session including (i) for each of a plurality of first subnets, a number of allowed connection attempts by a computer system to that first subnet, (ii) for each of a plurality of second subnets, a number of blocked connection attempts by the computer system to that second subnet, (iii) for each of a plurality of first network ports, a number of allowed connection attempts by the computer system using that first network port, and (iv) for each of a plurality of second network ports, a number of blocked connection attempts by the computer system using that second network port. The security system determines, using a neural network, a metric representing an estimated likelihood that the VPN session is associated with a malicious activity, and controls the VPN session based on the metric.

Abstract: Systems and methods include a computer-implemented method for detecting anomalous user logins. User login data for users is filtered, including monitoring workstations and servers accessed by users to obtain the user login data for the users. User login records are created for a current time period based, at least in part, on the user login data. An anomaly score is determined for each user, where the anomaly score indicates a deviation by the user from historical login patterns of the user. A user machine learning (ML) model is updated based on the predicting. User period login records are maintained over time using processed user login data. The user ML model is trained using the user periodic login records. Enriched login statistics are generated using the user ML model and the user periodic login records. A report that includes the enriched login statistics is generated in a graphical user interface.

Abstract: An automated method for detecting anomalous activity in a private computer network comprises: collecting, over a current time period at an ingesting network device of the computer network, non-routable network packets routed to the ingesting network device from other network devices of the computer network; parsing the current collected network packets into corresponding current network flow records each including a source field and a destination field representing a non-routable network address; and for each distinct source identified in the source fields of the current network flow records: aggregating the current network flow records of that source into a current aggregated flow record; analyzing the current aggregated flow record using an anomaly detection module trained through machine learning on previous aggregated flow records of that source from previous time periods in order to detect anomalous activity in that source; and acting in response to detecting the anomalous activity in that source.

Abstract: A virtual private network (VPN) security system obtains data regarding a VPN session including (i) for each of a plurality of first subnets, a number of allowed connection attempts by a computer system to that first subnet, (ii) for each of a plurality of second subsets, a number of blocked connection attempts by the computer system to that second subset, (iii) for each of a plurality of first network ports, a number of allowed connection attempts by the computer system using that first network port, and (iv) for each of a plurality of second network ports, a number of blocked connection attempts by the computer system using that second network port. The security system determines, using a neural network, a metric representing an estimated likelihood that the VPN session is associated with a malicious activity, and controls the VPN session based on the metric.

Abstract: Systems and methods include a computer-implemented method for detecting anomalous user logins. User login data for users is filtered, including monitoring workstations and servers accessed by users to obtain the user login data for the users. User login records are created for a current time period based, at least in part, on the user login data. An anomaly score is determined for each user, where the anomaly score indicates a deviation by the user from historical login patterns of the user. A user machine learning (ML) model is updated based on the predicting. User period login records are maintained over time using processed user login data. The user ML model is trained using the user periodic login records. Enriched login statistics are generated using the user ML model and the user periodic login records. A report that includes the enriched login statistics is generated in a graphical user interface.