Abstract: In accordance with the methods herein, an incident description characterizing a security incident and a manually-assigned incident characterization label characterizing the same security incident are received. The manually-assigned incident characterization label corresponds to one of a plurality of incident classification categories (including, for example, true positive, false positive) assigned by a user of a security monitoring system such as a SIEM system. A trained incident classification model is applied to the incident description, to classify the security incident in relation to the incident classification categories, thus generating a model classification prediction. The model classification prediction is compared with the manually-assigned incident characterization label and where it is determined that the manually-assigned incident characterization label and the model classification prediction are mismatched, a security mitigation action associated with the security incident is performed.

Abstract: Detecting a volumetric attack on a computer network with fewer false positives and while also requiring fewer processing resources is provided. The systems and methods described herein use observations taken at the network level to observe network traffic to form a predictive model for future traffic. When the network's future traffic sufficiently exceeds the predictive model, the monitoring systems and methods will indicate to the network to take security measures. The traffic to the network may be observed in subsets, corresponding to various groupings of sources, destinations, and protocols so that security measures may be targeted to that subset without affecting other machines in the network.

Abstract: A system for identifying abnormal resource usage in a data center is provided. In some embodiments, the system employs a prediction model for each of a plurality of resources and an abnormal resource usage criterion. For each of a plurality of resources of the data center, the system retrieves current resource usage data for a current time and past resource usage data for that resource. The system then extracts features from the past resource usage data for that resource, predicts using the prediction model for that resource usage data for the current time based on the extracted features, and determines an error between the predicted resource usage data and the current resource usage data. After determining the error data for the resources, the system determines whether errors satisfy the abnormal resource usage criterion. If so, the system indicates that an abnormal resource usage has occurred.

Abstract: In an example embodiment, a computer-implemented method comprises obtaining labels from messages associated with an email service provider, wherein the labels indicate for each message IP how many spam and non-spam messages have been received; obtaining network data features from a cloud service provider; providing the labels and network data features to a machine learning application; generating a prediction model representing an algorithm for determining whether a particular set of network data features are spam or not; applying the prediction model to network data features for an unlabeled message; and generating an output of the prediction model indicating a likelihood that the unlabeled message is spam.

Abstract: A system for detecting an attack by a virtual or physical machine on one or more auto-generated websites is provided. The system includes a processor, a memory, and an application. The application is stored in the memory and includes instructions, which are executable by the processor. The instructions are configured to: access an index of a search engine server computer and determine uniform resource locators (URLs) of auto-generated websites, where the auto-generated websites include the one or more auto-generated websites; and access Internet protocol (IP) address-URL entries stored in a domain name system server computer.

Abstract: Use machine learning to train a classifier to classify entities to increase confidence with respect to an entity being part of a distributed denial of service attack. The method includes training a classifier to use a first classification method, to identify probabilities that entities from a set of entities are performing denial of service attacks. The method further includes identifying a subset of entities meeting a threshold probability of performing a denial of service attack. The method further includes using a second classification method, identifying similarity of entities in the subset of entities. The method further includes based on the similarity, classifying individual entities.

Abstract: A system for detecting an attack by a virtual or physical machine on one or more auto-generated websites is provided. The system includes a processor, a memory, and an application. The application is stored in the memory and includes instructions, which are executable by the processor. The instructions are configured to: access an index of a search engine server computer and determine uniform resource locators (URLs) of auto-generated websites, where the auto-generated websites include the one or more auto-generated websites; and access Internet protocol (IP) address-URL entries stored in a domain name system server computer.

Abstract: Use machine learning to train a classifier to classify entities to increase confidence with respect to an entity being part of a distributed denial of service attack. The method includes training a classifier to use a first classification method, to identify probabilities that entities from a set of entities are performing denial of service attacks. The method further includes identifying a subset of entities meeting a threshold probability of performing a denial of service attack. The method further includes using a second classification method, identifying similarity of entities in the subset of entities. The method further includes based on the similarity, classifying individual entities.

Abstract: In an example embodiment, a computer-implemented method comprises obtaining labels from messages associated with an email service provider, wherein the labels indicate for each message IP how many spam and non-spam messages have been received; obtaining network data features from a cloud service provider; providing the labels and network data features to a machine learning application; generating a prediction model representing an algorithm for determining whether a particular set of network data features are spam or not; applying the prediction model to network data features for an unlabeled message; and generating an output of the prediction model indicating a likelihood that the unlabeled message is spam.

Abstract: Detecting a volumetric attack on a computer network with fewer false positives and while also requiring fewer processing resources is provided. The systems and methods described herein use observations taken at the network level to observe network traffic to form a predictive model for future traffic. When the network's future traffic sufficiently exceeds the predictive model, the monitoring systems and methods will indicate to the network to take security measures. The traffic to the network may be observed in subsets, corresponding to various groupings of sources, destinations, and protocols so that security measures may be targeted to that subset without affecting other machines in the network.

Abstract: A system for providing care to a ward that alerts a caregiver of the caregiver's capacity to deal competently with the ward's needs.

Abstract: A system for identifying abnormal resource usage in a data center is provided. In some embodiments, the system employs a prediction model for each of a plurality of resources and an abnormal resource usage criterion. For each of a plurality of resources of the data center, the system retrieves current resource usage data for a current time and past resource usage data for that resource. The system then extracts features from the past resource usage data for that resource, predicts using the prediction model for that resource usage data for the current time based on the extracted features, and determines an error between the predicted resource usage data and the current resource usage data. After determining the error data for the resources, the system determines whether errors satisfy the abnormal resource usage criterion. If so, the system indicates that an abnormal resource usage has occurred.

Abstract: A system for identifying abnormal resource usage in a data center is provided. In some embodiments, the system employs a prediction model for each of a plurality of resources and an abnormal resource usage criterion. For each of a plurality of resources of the data center, the system retrieves current resource usage data for a current time and past resource usage data for that resource. The system then extracts features from the past resource usage data for that resource, predicts using the prediction model for that resource usage data for the current time based on the extracted features, and determines an error between the predicted resource usage data and the current resource usage data. After determining the error data for the resources, the system determines whether errors satisfy the abnormal resource usage criterion. If so, the system indicates that an abnormal resource usage has occurred.

Abstract: A system for identifying abnormal resource usage in a data center is provided. In some embodiments, the system employs a prediction model for each of a plurality of resources and an abnormal resource usage criterion. For each of a plurality of resources of the data center, the system retrieves current resource usage data for a current time and past resource usage data for that resource. The system then extracts features from the past resource usage data for that resource, predicts using the prediction model for that resource usage data for the current time based on the extracted features, and determines an error between the predicted resource usage data and the current resource usage data. After determining the error data for the resources, the system determines whether errors satisfy the abnormal resource usage criterion. If so, the system indicates that an abnormal resource usage has occurred.

Abstract: A computer program product comprising: a non-transitory computer readable medium; and a description of a first block comprising: a definition of one or more output port groups each comprising one or more output ports; a definition of two or more input ports, the input ports receive object streams of identical length; one or more instructions for processing input data received in the input ports and for outputting processed data in the output port groups, wherein the instructions are operative to output a same number of output objects to each output port in a same output port group, whereby the output ports of the output port group are operative to output objects stream of identical length, and wherein the instructions are operative to receive a same number of input objects from each input port, whereby the input ports are operative to receive object streams of identical length; and an indication of whether there is a constant ratio between a number of items in input streams received by the first block and a n

Abstract: A computer program product comprising: a non-transitory computer readable medium; and a description of a first block comprising: a definition of one or more output port groups each comprising one or more output ports; a definition of two or more input ports, the input ports receive object streams of identical length; one or more instructions for processing input data received in the input ports and for outputting processed data in the output port groups, wherein the instructions are operative to output a same number of output objects to each output port in a same output port group, whereby the output ports of the output port group are operative to output objects stream of identical length, and wherein the instructions are operative to receive a same number of input objects from each input port, whereby the input ports are operative to receive object streams of identical length; and an indication of whether there is a constant ratio between a number of items in input streams received by the first block and a n

Abstract: A recommendation system and method includes extracting patient features for a current patient to generate representation of the current patient. The patient features for the current patient are compared to physician features of one or more physicians and patient-to-physician features of a group of patients from medically related records. Outcome measures associated with physicians are compared related to a current query. A future outcome for patient, physician pairs are predicted for the current patient based upon at least one predictive model constructed from the features and outcome measures to output.

Abstract: An apparatus, a computer program product and a computer-implemented method performed by a computerized device, comprising: receiving a description of a workflow, the workflow comprising a plurality of blocks, wherein each block comprises one or more instructions, the plurality of blocks comprising at least a first block and a second block, wherein the first block is adapted to output information, and the second block is adapted to receive the information wherein at least one of the plurality of blocks is associated with a ratio between a number of records input into the block and a number of records output by the block; and validating that the workflow can operate properly, using the ratio, wherein during execution, each of the first block and the second block can keep an internal state and request to receive again data previously received as input.

Abstract: An apparatus, a computer program product and a computer-implemented method performed by a computerized device, comprising: receiving a description of a workflow, the workflow comprising a plurality of blocks, wherein each block comprises one or more instructions, the plurality of blocks comprising at least a first block and a second block, wherein the first block is adapted to output information, and the second block is adapted to receive the information wherein at least one of the plurality of blocks is associated with a ratio between a number of records input into the block and a number of records output by the block; and validating that the workflow can operate properly, using the ratio, wherein during execution, each of the first block and the second block can keep an internal state and request to receive again data previously received as input.

Abstract: A recommendation system and method includes extracting patient features for a current patient to generate representation of the current patient. The patient features for the current patient are compared to physician features of one or more physicians and patient-to-physician features of a group of patients from medically related records. Outcome measures associated with physicians are compared related to a current query. A future outcome for patient, physician pairs are predicted for the current patient based upon at least one predictive model constructed from the features and outcome measures to output.