Patents by Inventor George Apostolopoulos

George Apostolopoulos has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11829471
    Abstract: A method is disclosed that includes receiving, at a computing device, an event log including events derived from machine data, and determining a score by comparing an event from the event log with frequent patterns of features. Determining the score includes determining a length of a frequent pattern within the event in the event log and a count of occurrences of the frequent pattern within the events, determining a contribution of the frequent pattern based on the length and the count, determining a penalty for an unmatched feature of the first event based on a cardinality of the events, and averaging the contribution and the penalty to obtain the score. The method further includes issuing an alert identifying the first event as an anomaly using the first score and an anomaly score threshold.
    Type: Grant
    Filed: January 18, 2023
    Date of Patent: November 28, 2023
    Assignee: Splunk Inc.
    Inventors: Zhuxuan Jin, George Apostolopoulos
  • Patent number: 11825408
    Abstract: Systems, methods, and computer-readable media for controlling link selection and aggregation across multiple wireless networks based on a location of a mobile device. A location of a mobile device in a physical environment can be identified. At least portions of the physical environment can be in wireless range of a first wireless network and a second wireless network. Whether to access network services through either or both the first wireless network and the second wireless network can be determined based on the location of the mobile device in the physical environment. Further, a first interface at the mobile device to the first wireless network and a second interface at the mobile device to the second wireless network can be selectively toggled according to whether it is determined to access the network services through either or both the first wireless network and the second wireless network based on the location.
    Type: Grant
    Filed: May 18, 2022
    Date of Patent: November 21, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Malcolm Muir Smith, Jerome Henry, John George Apostolopoulos
  • Patent number: 11799728
    Abstract: One or more embodiments are directed to multistage device clustering. A log including network traffic of multiple devices in a network is received. From the log, features of the devices are extracted and an aggregated feature matrix generated. A traffic behavior subset of the features in the aggregated feature matrix is selected, and a topic modeling algorithm applied thereto to obtain traffic behavior device groups. An application behavior subset of the features in the aggregated feature matrix is selected. On a per traffic behavior device group basis, the topic modeling algorithm is applied to the application behavior subset to obtain application behavior device subgroups. One or more devices are assigned to at least one of the plurality of application behavior device subgroups to obtain an assignment.
    Type: Grant
    Filed: January 31, 2022
    Date of Patent: October 24, 2023
    Assignee: Splunk Inc.
    Inventors: George Apostolopoulos, Zhuxuan Jin
  • Patent number: 11777945
    Abstract: Embodiments of the present invention are directed to facilitating detection of suspicious access to resources. In accordance with aspects of the present disclosure, an access graph is generated. The access graph contains access data that includes observed accesses between entities and resources. Access scores can be determined for entity-resource pairs in the access graph by applying a set of access rules to the entity-resource pairs in the access graph. The access scores indicate an extent of relatedness between the corresponding entity and resource. Thereafter, the access scores can be used to train a probabilistic prediction model that predicts suspiciousness of accesses between entities and resources.
    Type: Grant
    Filed: January 27, 2022
    Date of Patent: October 3, 2023
    Assignee: Splunk Inc.
    Inventors: George Apostolopoulos, Ignacio Nicolas Bermudez Corrales
  • Patent number: 11777974
    Abstract: A network connection between a server group of a data intake and query system and each of one or more source network nodes is established. Source data at the server group is received from at least one of the one or more source network nodes via the respective network connections and transformed, by the indexer server, to timestamped data entries of machine data. A model management server detects data constraints for a security model that include a data element used by the security model and an availability requirement set. Using the timestamped data entries, the data constraints are validated, and the validation used to determine a data availability assessment of the security model.
    Type: Grant
    Filed: February 24, 2022
    Date of Patent: October 3, 2023
    Assignee: Splunk Inc.
    Inventors: Marios Iliofotou, Bo Lei, Essam Zaky, Karthik Kannan, George Apostolopoulos, Jeswanth Manikonda, Sitaram Venkatraman
  • Publication number: 20230254687
    Abstract: Correlating devices and clients across addresses may be provided. A first address associated with a client device may be received. When the client device is not connected to a network, first location data associated with the first address may be obtained using a passive technique. A second address and second location data associated with the second address may then be obtained using an active technique. It may then be determined that the first location data and the second location data correlate. In response to determining that the first location data and the second location data correlate, it may be determined that the client device has changed from the first address to the second address.
    Type: Application
    Filed: April 17, 2023
    Publication date: August 10, 2023
    Applicant: Cisco Technology, Inc.
    Inventors: John Martin Graybeal, Jerome Henry, Paul Anthony Polakos, Louis Gwyn Samuel, John George Apostolopoulos
  • Publication number: 20230153430
    Abstract: A method is disclosed that includes receiving, at a computing device, an event log including events derived from machine data, and determining a score by comparing an event from the event log with frequent patterns of features. Determining the score includes determining a length of a frequent pattern within the event in the event log and a count of occurrences of the frequent pattern within the events, determining a contribution of the frequent pattern based on the length and the count, determining a penalty for an unmatched feature of the first event based on a cardinality of the events, and averaging the contribution and the penalty to obtain the score. The method further includes issuing an alert identifying the first event as an anomaly using the first score and an anomaly score threshold.
    Type: Application
    Filed: January 18, 2023
    Publication date: May 18, 2023
    Applicant: Splunk Inc.
    Inventors: Zhuxuan Jin, George Apostolopoulos
  • Patent number: 11632671
    Abstract: Correlating devices and clients across addresses may be provided. A first address associated with a client device may be received. When the client device is not connected to a network, first location data associated with the first address may be obtained using a passive technique. A second address and second location data associated with the second address may then be obtained using an active technique. It may then be determined that the first location data and the second location data correlate. In response to determining that the first location data and the second location data correlate, it may be determined that the client device has changed from the first address to the second address.
    Type: Grant
    Filed: March 29, 2021
    Date of Patent: April 18, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: John Martin Graybeal, Jerome Henry, Paul Anthony Polakos, Louis Gwyn Samuel, John George Apostolopoulos
  • Patent number: 11586729
    Abstract: A method is disclosed that includes receiving, at a computing device, an event log including multiple events, where the events are derived from machine data, determining a first score associated with a first granularity level by comparing an event from the event log with a first frequent patterns generated for the first granularity level, and determining a second score associated with a second granularity level by comparing the event with a second frequent patterns generated for the second granularity level. The method further includes determining an aggregate score for the event based on the first score and the second score, and comparing the aggregate score for the event with an anomaly score threshold. Further, the method includes issuing an alert identifying the event as an anomaly based on the aggregate score exceeding the anomaly score threshold.
    Type: Grant
    Filed: May 27, 2021
    Date of Patent: February 21, 2023
    Assignee: Splunk Inc.
    Inventors: Zhuxuan Jin, George Apostolopoulos
  • Patent number: 11463464
    Abstract: Techniques are described for analyzing data regarding activity in an IT environment to determine information regarding the entities associated with the activity and using the information to detect anomalous activity that may be indicative of malicious activity. In an embodiment, a plurality of events reflecting activity by a plurality of entities in an IT environment are processed to resolve the identities of the entities, discover how the entities fit within a topology of the IT environment, and determine what the entities are. This information is then used to generate an entity relationship graph that includes nodes representing the entities in the IT environment and edges connecting the nodes representing interaction relationships between the entities. In some embodiments, baselines are established by monitoring the activity between entities. This baseline information can be represented in the entity relationship graph in the form of directionality applied to the edges.
    Type: Grant
    Filed: May 26, 2020
    Date of Patent: October 4, 2022
    Assignee: SPLUNK INC.
    Inventors: Joseph Auguste Zadeh, Rodolfo Soto, George Apostolopoulos, John Clifton Pierce
  • Patent number: 11463557
    Abstract: In one embodiment, a device in a serial network de-multiplexes a stream of traffic in the serial network into a plurality of data streams. The device determines that data from a particular data stream should be reported to an entity external to the serial network based on an event indicated by the data from the particular data stream. The device quantizes the data from the particular data stream. The device applies compression to the quantized data to form a compressed representation of the particular data stream. The applied compression is selected based on a data type associated with the data. The device sends a compressed representation of the particular data stream to the external entity as Internet Protocol (IP) traffic.
    Type: Grant
    Filed: December 21, 2020
    Date of Patent: October 4, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: David A. Maluf, John George Apostolopoulos
  • Publication number: 20220312192
    Abstract: Correlating devices and clients across addresses may be provided. A first address associated with a client device may be received. When the client device is not connected to a network, first location data associated with the first address may be obtained using a passive technique. A second address and second location data associated with the second address may then be obtained using an active technique. It may then be determined that the first location data and the second location data correlate. In response to determining that the first location data and the second location data correlate, it may be determined that the client device has changed from the first address to the second address.
    Type: Application
    Filed: March 29, 2021
    Publication date: September 29, 2022
    Applicant: Cisco Technology, Inc.
    Inventors: John Martin Graybeal, Jerome Henry, Paul Anthony Polakos, Louis Gwyn Samuel, John George Apostolopoulos
  • Publication number: 20220279433
    Abstract: Systems, methods, and computer-readable media for controlling link selection and aggregation across multiple wireless networks based on a location of a mobile device. A location of a mobile device in a physical environment can be identified. At least portions of the physical environment can be in wireless range of a first wireless network and a second wireless network. Whether to access network services through either or both the first wireless network and the second wireless network can be determined based on the location of the mobile device in the physical environment. Further, a first interface at the mobile device to the first wireless network and a second interface at the mobile device to the second wireless network can be selectively toggled according to whether it is determined to access the network services through either or both the first wireless network and the second wireless network based on the location.
    Type: Application
    Filed: May 18, 2022
    Publication date: September 1, 2022
    Inventors: Malcolm Muir Smith, Jerome Henry, John George Apostolopoulos
  • Publication number: 20220247770
    Abstract: A network connection between a server group of a data intake and query system and each of one or more source network nodes is established. Source data at the server group is received from at least one of the one or more source network nodes via the respective network connections and transformed, by the indexer server, to timestamped data entries of machine data. A model management server detects data constraints for a security model that include a data element used by the security model and an availability requirement set. Using the timestamped data entries, the data constraints are validated, and the validation used to determine a data availability assessment of the security model.
    Type: Application
    Filed: February 24, 2022
    Publication date: August 4, 2022
    Applicant: Splunk Inc.
    Inventors: Marios Iliofotou, Bo Lei, Essam Zaky, Karthik Kannan, George Apostolopoulos, Jeswanth Manikonda, Sitaram Venkatraman
  • Patent number: 11399311
    Abstract: Various embodiments herein disclose scheduling relay of traffic. The method comprises, selecting a second client device from a plurality of client devices. The second client device is located in communication range of the first client device. The first client device is communicating a first portion of a data flow, via a first wireless link, with a first access point of the one or more access points. The method comprises, in response to determining satisfaction of one or more relay criteria: directing the first access point to generate a second wireless link with the second client device; and directing the first access point to provide first metadata including a first set of relay instructions. The first set of relay instructions instructs the second client device to relay a second portion of the data flow between the first access point and the first client device via the second wireless link.
    Type: Grant
    Filed: October 15, 2020
    Date of Patent: July 26, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Jerome Henry, John George Apostolopoulos, John Martin Graybeal, Robert Edgar Barton
  • Patent number: 11368906
    Abstract: Systems, methods, and computer-readable media for controlling link selection and aggregation across multiple wireless networks based on a location of a mobile device. A location of a mobile device in a physical environment can be identified. At least portions of the physical environment can be in wireless range of a first wireless network and a second wireless network. Whether to access network services through either or both the first wireless network and the second wireless network can be determined based on the location of the mobile device in the physical environment. Further, a first interface at the mobile device to the first wireless network and a second interface at the mobile device to the second wireless network can be selectively toggled according to whether it is determined to access the network services through either or both the first wireless network and the second wireless network based on the location.
    Type: Grant
    Filed: December 16, 2019
    Date of Patent: June 21, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Malcolm Muir Smith, Jerome Henry, John George Apostolopoulos
  • Publication number: 20220158904
    Abstract: One or more embodiments are directed to multistage device clustering. A log including network traffic of multiple devices in a network is received. From the log, features of the devices are extracted and an aggregated feature matrix generated. A traffic behavior subset of the features in the aggregated feature matrix is selected, and a topic modeling algorithm applied thereto to obtain traffic behavior device groups. An application behavior subset of the features in the aggregated feature matrix is selected. On a per traffic behavior device group basis, the topic modeling algorithm is applied to the application behavior subset to obtain application behavior device subgroups. One or more devices are assigned to at least one of the plurality of application behavior device subgroups to obtain an assignment.
    Type: Application
    Filed: January 31, 2022
    Publication date: May 19, 2022
    Applicant: Splunk Inc.
    Inventors: George Apostolopoulos, Zhuxuan Jin
  • Patent number: 11297087
    Abstract: A network connection between a server group of a data intake and query system and each of one or more source network nodes is established. Source data at the server group is received from at least one of the one or more source network nodes via the respective network connections and transformed, by the indexer server, to timestamped entries of machine data. A model management server detects data constraints for a security model. Using the timestamped entries, the data constraints are validated to obtain a validation result, where validating the data constraints includes determining whether the timestamped entries satisfy the availability requirement set for the data element. The model management server determines a data availability assessment of the security model based on the validation result.
    Type: Grant
    Filed: April 28, 2020
    Date of Patent: April 5, 2022
    Assignee: Splunk Inc.
    Inventors: Marios Iliofotou, Bo Lei, Essam Zaky, Karthik Kannan, George Apostolopoulos, Jeswanth Manikonda, Sitaram Venkatraman
  • Patent number: 11277312
    Abstract: One or more embodiments are directed to behavioral based device clustering. A network traffic log of devices in the network is received. Features of devices are extracted from the network traffic log and aggregated into an aggregated feature matrix on a per device basis. By applying a topic modeling algorithm to the aggregated feature matrix, the devices are clustered into device groups according to behavior groups. A device is assigned to the device group to create an assignment.
    Type: Grant
    Filed: September 28, 2020
    Date of Patent: March 15, 2022
    Assignee: Splunk Inc.
    Inventors: George Apostolopoulos, Zhuxuan Jin
  • Patent number: 11271939
    Abstract: Embodiments of the present invention are directed to facilitating detection of suspicious access to resources. In accordance with aspects of the present disclosure, an access graph is generated. The access graph contains access data that includes observed accesses between entities and resources. Access scores can be determined for entity-resource pairs in the access graph by applying a set of access rules to the entity-resource pairs in the access graph. The access scores indicate an extent of relatedness between the corresponding entity and resource. Thereafter, the access scores can be used to train a probabilistic prediction model that predicts suspiciousness of accesses between entities and resources.
    Type: Grant
    Filed: July 31, 2018
    Date of Patent: March 8, 2022
    Assignee: SPLUNK Inc.
    Inventors: George Apostolopoulos, Ignacio Nicolas Bermudez Corrales