Abstract: A system includes a log receiving module, an authentication graph module, a sampling module, an embedding module, a training module, a link prediction module, and an anomaly detection module. The log receiving module is configured to receive a first plurality of network-level authentication logs. The authentication graph module is configured to generate an authentication graph. The sampling module is configured to generate a plurality of sequences. The embedding module is configured to tune a plurality of node embeddings according to the plurality of sequences. The training module is configured to train a link predictor according to the plurality of node embeddings and ground-truth edge information from the authentication graph. The link prediction module is configured to apply the link predictor to performs a link prediction. The anomaly detection module is configured to perform anomaly detection according to the link prediction.

Abstract: The graph-based source code vulnerability detection system that uses a code-similarity style technique to identify highly modified vulnerable code clones while remaining generic to all vulnerability types. The system abstracts vulnerabilities in source code to the graph domain, allowing it to identify key relationships between textual elements that are not directly discernible from the text alone. Additionally, the system analyzes the patched code in addition to the vulnerable code to identify specific relationships in the graph that are tied directly to the vulnerable code segment, the patched code segment, and the contextual code of a particular vulnerability. By separating the vulnerability representation into these three components, a matching algorithm identifies vulnerable code clones while tolerating modifications at each level independently, providing more robust detection of modified vulnerable code clones.

Abstract: A system includes a log receiving module, an authentication graph module, a sampling module, an embedding module, a training module, a link prediction module, and an anomaly detection module. The log receiving module is configured to receive a first plurality of network-level authentication logs. The authentication graph module is configured to generate an authentication graph. The sampling module is configured to generate a plurality of sequences. The embedding module is configured to tune a plurality of node embeddings according to the plurality of sequences. The training module is configured to train a link predictor according to the plurality of node embeddings and ground-truth edge information from the authentication graph. The link prediction module is configured to apply the link predictor to performs a link prediction. The anomaly detection module is configured to perform anomaly detection according to the link prediction.