Abstract: Systems and methods for identifying incorrect labels and improving label correction for machine learning for security. The systems and methods including receiving data with labels; training one or more Machine Learning (ML) models to label the received data; identifying disagreements between the labels provided by the one or more ML models and the labels received with the data; and providing one or more groups of the data for review for incorrect labels.

Abstract: Systems and methods for learning from mistakes to improve detection rates of Machine Learning (ML) models. The systems and methods including receiving data with labels; running the data through a trained ML model for predictions; identifying errors in the predictions based on the labels received with the data; adjusting weights associated with samples in the data based on the identified errors; and retraining the ML model with the adjusted weights.

Abstract: Systems and methods include performing inline monitoring of production traffic between users, the Internet, and cloud services via a cloud-based system; utilizing a trained machine learning model to inspect static properties of files in the production traffic; and classifying the traffic as one of malicious or benign based on the trained machine learning model.

Abstract: Systems and methods include receiving a trained machine learning model that has been processed with training information removed therefrom, wherein the training information is utilized in training of the trained machine learning model; monitoring traffic, inline at the node, including processing the traffic with the trained machine learning model; obtaining a verdict on the traffic based on the trained machine learning model; and performing an action on the traffic based on the verdict.

Abstract: Systems and methods of sandboxing a file include responsive to receiving a file associated with a user, obtaining policy for the user; analyzing the file with a machine learning model; and based on a combination of the policy for the user and a verdict of the machine learning model, one of quarantining the file for analysis in a sandbox and allowing the file to the user. The present disclosure presents a smart quarantine with a goal of minimizing the number of files quarantined, the number of malicious files passed through to an end user, and a number of files scanned by a sandbox.

Abstract: Systems and methods include receiving network transaction data for a plurality of users monitored by a cloud-based system; creating a relationship graph based on the plurality of user's recent network transactions for a time period, wherein the relationship graph includes vertices for domains and edges for transactions by users between the domains having some number of transaction in the time period; and analyzing the relationship graph to detect previously undetected suspicious anomalies. The weights on each edge are based on a relationship between two domains where the relationship includes any of malware, Internet Protocol (IP) addresses, Autonomous System Number (ASN), registration, and redirects.

Abstract: Systems and methods include determining a plurality of features associated with executable files, wherein the plurality of features are each based on static properties in predefined structure of the executable files; obtaining training data that includes samples of benign executable files and malicious executable files; extracting the plurality of features from the training data; and utilizing the extracted plurality of features to train a machine learning model to detect malicious executable files.

Abstract: Systems and methods include obtaining file identifiers associated with files in production data; obtaining lab data from one or more public repositories of malware samples based on the file identifiers for the production data; and utilizing the lab data for training a machine learning process for classifying malware in the production data. The obtaining file identifiers can be based on monitoring of users associated with the files, and only the file identifiers are maintained based on the monitoring. The lab data can include samples from the one or more public repositories matching the corresponding file identifiers for the production data. The lab data can include samples from the one or more public repositories that have features closely related to features of the production data.

Abstract: Systems and methods include obtaining a file associated with a user for processing; utilizing a combination of policy for the user and machine learning to determine whether to i) quarantine the file and scan the file in a sandbox, ii) allow the file to the user and scan the file in the sandbox, and iii) allow the file to the user without the scan; responsive to the quarantine of the file and the sandbox determining the file is malicious, blocking the file; and, responsive to the quarantine of the file and the sandbox determining the file is benign, allowing the file.

Abstract: Systems and methods include obtaining log data for a plurality of users of an enterprise where the log data relates to usage of a plurality of applications by the plurality of users and user metadata; analyzing the log data to determine one or more sequential patterns of application access; determining i) app-segments that are groupings of application of the plurality of applications and ii) user-groups that are groupings of users of the plurality of users, based on the log data and the one or more sequential patterns of application access; and providing access policy of the plurality of applications based on the user-groups and the app-segments. The one or more sequential patterns of application access include a sequence of accessing a plurality of applications in a given time period.

Abstract: Systems and methods include receiving a content item between a user device and a location on the Internet or an enterprise network; utilizing a trained machine learning ensemble model to determine whether the content item is malicious; responsive to the trained machine learning ensemble model determining the content item is malicious or determining the content item is benign but such determining is in a blind spot of the trained ensemble model, performing further processing on the content item; and, responsive to the trained machine learning ensemble model determining the content item is benign with such determination not in a blind spot of the trained machine learning ensemble model, allowing the content item. A blind spot is a location where the trained machine learning ensemble model has not seen any examples with a combination of features at the location or has examples with conflicting labels.

Abstract: Systems and methods include obtaining log data for a plurality of users of an enterprise where the log data relates to usage of a plurality of applications by the plurality of users; determining i) app-segments that are groupings of application of the plurality of applications and ii) user-groups that are groupings of users of the plurality of users; and providing access policy of the plurality of applications based on the user-groups and the app-segments. The steps can further include monitoring the access policy over time based on ongoing log data, manual verification of the access policy, and incidents where users are prevented from accessing any application; and adjusting the determined based on the monitoring.

Abstract: Systems and methods include receiving a trained machine learning model that has been processed with training information removed therefrom, wherein the training information is utilized in training of the trained machine learning model; monitoring traffic, inline at the node, including processing the traffic with the trained machine learning model; obtaining a verdict on the traffic based on the trained machine learning model; and performing an action on the traffic based on the verdict.

Abstract: Systems and methods include training a machine learning model with data for identifying features in monitored traffic in a network; analyzing the trained machine learning model to identify information overhead therein, wherein the information overhead is utilized in part for the training; removing the information overhead in the machine learning model; and providing the machine learning model for runtime use for identifying the features in the monitored traffic, with the removed information overhead from the machine learning model.

Abstract: Systems and methods include determining a plurality of features associated with executable files, wherein the plurality of features are each based on static properties in predefined structure of the executable files; obtaining training data that includes samples of benign executable files and malicious executable files; extracting the plurality of features from the training data; and utilizing the extracted plurality of features to train a machine learning model to detect malicious executable files.

Abstract: Systems and methods include, based on monitoring of content including Office documents, determining distribution of malicious Office documents between documents having malicious macros and documents having malicious embedded objects; determining features for the documents having malicious macros and for the documents having malicious embedded objects; selecting training data for a machine learning model based on the distribution and the features; and training the machine learning model with the selected training data.

Abstract: Systems and methods include obtaining data from Uniform Resource Locator (URL) transactions monitored by a cloud-based system; labeling the data for the URL transactions with a category of a plurality of categories that describe the content of a page associated with the URL; performing preprocessing of raw Hypertext Markup Language (HTML) files for the URL transactions; extracting features from the preprocessed raw HTML files; and creating a machine learning model based on the features, wherein the machine learning model is configured to score content associated with an unknown URL to determine a category of the plurality of categories.

Abstract: Systems and methods include obtaining file identifiers associated with files in production data; obtaining lab data from one or more public repositories of malware samples based on the file identifiers for the production data; and utilizing the lab data for training a machine learning process for classifying malware in the production data. The obtaining file identifiers can be based on monitoring of users associated with the files, and only the file identifiers are maintained based on the monitoring. The lab data can include samples from the one or more public repositories matching the corresponding file identifiers for the production data. The lab data can include samples from the one or more public repositories that have features closely related to features of the production data.

Abstract: Systems and methods include utilizing a grouping model to identify a function of a user of a tenant; utilizing one or more behavior models to identify normal behavior and abnormal behavior of the user based on the function; and utilizing an orchestration model with a plurality of rules to score one or more of current and historical behavior of the user, based on the one or more behavior models; and utilizing an active learning model to improve the efficiency of the orchestration model The systems and methods can further include causing a security technique based on the score. The systems and methods can further include providing feedback based on the score to the one or more behavior models.

Abstract: Systems and methods include receiving a domain for a determination of a likelihood the domain is a command and control site; analyzing the domain with an ensemble of a plurality of trained machine learning models including a Uniform Resource Locator (URL) model that analyzes lexical features of a hostname of the domain and an artifact model that analyzes content features of a webpage associated with the domain; and combining results of the ensemble to predict the likelihood the domain is a command and control site.