Abstract: Disclosed is an improved approach for managing security alerts to automatically isolate malicious security alerts from benign alerts using an ensemble model of pattern recognition techniques. In some embodiments, the approach provides for automatically isolating security alerts of malicious attack from security alerts that correspond to undesirable, yet benign, activity in computer networks, cloud infrastructures and SAAS applications. Specifically, the approach provides for qualitative contextual assessments of these alerts using an ensemble of models. These ensemble models leverage a history of security events on a computer network, cloud infrastructure and SAAS applications to determine a level of relevance for received alerts and determine, based on that level of relevance, how or if they should be presented to an administrator.

Abstract: Disclosed is an improved approach for translating entity prioritization rules to a continuous numerical space. In some embodiments, the approach provided is a system for using qualitative prioritization criteria to train a system that generates quantitative urgency scores for entities. In some embodiments, this comprises an embedding scheme that enables the translation of entity information and their related alerts to a set of qualitative labels based on at least quantitative information. Generally, the system includes a set of analyst actions that establish desired mappings which are used to train a more general model that maps entity embeddings to responses. In some embodiments, the approach comprises one or more models that receive an entity embedding as an input and outputs a score that characterizes the urgency of the response warranted for that entity. In some embodiments, this is performed using various features (e.g., importance, actor type, velocity, and breadth).

Abstract: Disclosed is an improved approach for identifying security risks and breaches in a network by applying machine learning methods that learn resource access patterns in the network. Specifically, by observing the access pattern of the network entities (e.g. accounts, services, and hosts) from authorization requests/responses, the model through unsupervised learning, organizes the entity relationships into an ensemble of hierarchical models. The ensemble of hierarchical models can then be leveraged to create a series of metrics that can be used to identify various types of abnormalities in the access of a resource on the network. For instance, by further classifying the access request for a resource using abnormality scores into detection scenarios, the model is able to detect both an abnormality and the type of abnormality and include such information in a corresponding alarm when a security breach happens.

Abstract: Disclosed is an improved approach for detecting potentially malicious activity on a network. The present improved approach generates a multi-dimensional activity model based on captured network activity. Additional network activity is captured, and relative activity values are determined therefor. Determination of whether the additional network activity corresponds to potentially malicious activity is obtained by fitting the relative activity values of the additional network activity to the multi-dimensional relative activity model.

Abstract: Disclosed is an improved method, system, and computer program product for detecting hosts and connections between hosts that are being used as relays by an actor to gain control of hosts in a network. It can further identify periods of time within the connection when the relay activities occurred. In some embodiments, the invention can also chain successive relays to identify the true source and true target of the relay.

Abstract: Disclosed is an improved approach for identifying security risks and breaches in a network by applying machine learning methods that learn resource access patterns in the network. Specifically, by observing the access pattern of the network entities (e.g. accounts, services, and hosts) from authorization requests/responses, the model through unsupervised learning, organizes the entity relationships into an ensemble of hierarchical models. The ensemble of hierarchical models can then be leveraged to create a series of metrics that can be used to identify various types of abnormalities in the access of a resource on the network. For instance, by further classifying the access request for a resource using abnormality scores into detection scenarios, the model is able to detect both an abnormality and the type of abnormality and include such information in a corresponding alarm when a security breach happens.

Abstract: Disclosed is an improved approach for detecting potentially malicious activity on a network. The present improved approach generates a multi-dimensional activity model based on captured network activity. Additional network activity is captured, and relative activity values are determined therefor. Determination of whether the additional network activity corresponds to potentially malicious activity is obtained by fitting the relative activity values of the additional network activity to the multi-dimensional relative activity model.

Abstract: Disclosed is an improved method, system, and computer program product for detecting hosts and connections between hosts that are being used as relays by an actor to gain control of hosts in a network. It can further identify periods of time within the connection when the relay activities occurred. In some embodiments, the invention can also chain successive relays to identify the true source and true target of the relay.

Abstract: Disclosed is an approach to detect insider threats, by tracking unusual access activity for a specific user or computer with regard to accessing key assets over time. In this way, malicious activity and the different preparation phases of attacks can be identified.

Abstract: A method and system for identifying insider threats within an organization is provided. The approach constructs an internal connectivity graph to identify communities of hosts/users, and checks for abnormal behavior relative to past behaviors.

Abstract: A method and system for identifying insider threats within an organization is provided. The approach constructs an internal connectivity graph to identify communities of hosts/users, and checks for abnormal behavior relative to past behaviors.

Abstract: Disclosed is an approach to detect insider threats, by tracking unusual access activity for a specific user or computer with regard to accessing key assets over time. In this way, malicious activity and the different preparation phases of attacks can be identified.