Patents by Inventor Idan Hen

Idan Hen has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11956239
    Abstract: Technologies are shown for detection of identity misconfiguration that involve collecting identity/role binding and role/access rules data from multiple clusters supported by a computing resource system. Access rules for identities are extracted from the collected data and an access rule prediction model created to predict access rules for identities. An identity definition request for a tenant is received having a requested identity and a role assigned to the identity. A set of access rules is obtained for the role assigned to the identity and a predicted set of access rules is obtained for the requested identity from the prediction model. The access rules for the requested role are compared to the predicted set of access rules and a misconfiguration alert generated when there is a difference between the set of access rules for the requested role and the predicted set of access rules for the requested identity.
    Type: Grant
    Filed: October 7, 2021
    Date of Patent: April 9, 2024
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Idan Hen, Aharon Michaels, Dotan Patrich, Josef Weizman, Amit Magen
  • Publication number: 20230412616
    Abstract: Malware activity detection for networked computing systems is described. A network session record is provided to a machine learning (ML) model configured to generate an indication of whether the provided network session record evidences malware activity. The network session record indicates network traffic activity in a time period. Responsive to an indication by the ML model, correlation scores are calculated by, for each process session record in a process session record set, calculating a correlation score indicative of a correlation between the provided network session record and the process session record. Each process session record in the process session record set corresponds to a process executed by a computing device in the time period. A determination that a correlation score indicates a corresponding process session record is indicative of the evidenced malware activity is made. Responsive to the determination, a malware activity alert is generated.
    Type: Application
    Filed: May 26, 2022
    Publication date: December 21, 2023
    Inventors: Eran GOLDSTEIN, Idan HEN
  • Publication number: 20230409710
    Abstract: A computing system is configured for detecting anomalies in deployment configurations of container images at a container network. One or more datasets associated with deployment configurations of a container image are collected, and a plurality of features are extracted based on the one or more datasets for an ID of the container image. A probability score is then generated based on the plurality of features, using a machine-learning model trained on datasets associated with historical deployment configurations of the container image that have been performed via the container orchestration service. The probability score indicates a probability of whether the deployment configurations of the container image are anomalous or not anomalous when compared to historical deployment configurations of the container image. An allow list is generated that includes container images and their respective IDs that have a majority of their deployment configurations that are not anomalous.
    Type: Application
    Filed: June 16, 2022
    Publication date: December 21, 2023
    Inventors: Idan HEN, Eran GOLDSTEIN, Dotan PATRICH
  • Publication number: 20230403289
    Abstract: A computing system generates from received user input an initial profile. The initial profile specifies expected behavioral patterns of datasets that are to be received by the computing system. The computing system extracts from received datasets features that are indicative of behavioral patterns of the received datasets. The computing system provides the initial profile to first machine-learning models. The first machine-learning models have been trained using a subset of the received datasets. The first machine-learning models use the initial profile to determine if the behavioral patterns of the received datasets are anomalous. The computing system includes second machine-learning models that have been trained using a subset of the received datasets. The second machine-learning models train a second profile based on the extracted features to specify behavioral patterns of the received datasets that are learned by the second machine-learning model.
    Type: Application
    Filed: June 14, 2022
    Publication date: December 14, 2023
    Inventors: Andrey Karpovsky, Idan Hen
  • Patent number: 11843626
    Abstract: A system to determine an intrusion risk and take action is described. The system collaboratively filters a combination based on a user access and a network item in a computer network to determine an associated recommendation score. The system determines connected components of a model of the computer network and separately collaboratively filters the connected components to determine the recommendation score as a measure of intrusion risk. An action is taken on the user access based on the intrusion risk.
    Type: Grant
    Filed: April 30, 2021
    Date of Patent: December 12, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Roy Levin, Idan Hen
  • Publication number: 20230379346
    Abstract: Systems and methods are described for threat detection for cloud applications. A log that includes a record of a control plane operation executed by a cloud application is received. A feature set is generated based on the record. Respective subsets of the feature set are provided to two or more anomaly detection models. Each anomaly detection model is configured to output a respective anomaly score indicative of a degree to which the execution of the control plane operation is anomalous with respect to a particular context (e.g., application, resource, subscription, tenant) based on the subset provided thereto. A determination that a security alert should be generated is made based at least on the anomaly scores output by the two or more anomaly detection models and an indication that the control plane operation is included in a list of impactful operations. Responsive to the determination, the security alert is generated.
    Type: Application
    Filed: May 18, 2022
    Publication date: November 23, 2023
    Inventors: Eran GOLDSTEIN, Idan HEN, Shalom Shay SHAVIT
  • Patent number: 11750619
    Abstract: According to examples, an apparatus may include a memory on which is stored machine-readable instructions that may cause a processor to identify a privilege level assigned to a principal over a resource and determine whether the assigned privilege level is to be maintained or modified for the principal over the resource. Based on a determination that the assigned privilege level is to be maintained for the principal, the processor may determine whether access by the principal over the resource is to be limited and based on a determination that access to the resource is to be limited, apply a limited access by the principal over the resource.
    Type: Grant
    Filed: June 26, 2020
    Date of Patent: September 5, 2023
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Naama Kraus, Tamer Salman, Moshe Israel, Moshe Shalala, Idan Hen, Avihai Dvir, Rotem Lurie
  • Publication number: 20230216871
    Abstract: Compromised user accounts are identified by detecting anomalous cloud activities. Cloud activities are determined to be anomalous by comparing the behavior of a particular user with the previous behavior of that user as well as the previous behavior of other, related users. In some configurations, the related users are organized into one or more hierarchies, such as by geographic location or by a logical structure of a cloud service. The behavior of the related users is modeled at different levels in the hierarchy. Anomaly scores from different groups and levels of the hierarchy are compiled and filtered before being used to determine whether to send a security alert. In some configurations, the security alert indicates that the anomalous operation was detected, why the operation was determined to be anomalous, and in some cases, what harm the operation could lead to if the user is in fact compromised.
    Type: Application
    Filed: March 8, 2022
    Publication date: July 6, 2023
    Inventors: Eran GOLDSTEIN, Idan HEN, Shalom Shay SHAVIT
  • Publication number: 20230169168
    Abstract: A computing system is configured to detect a request for a deployment of a container at a container orchestration service. One or more datasets associated with the deployment of the container are collected, and a plurality of features associated with the deployment are extracted based on the one or more datasets. A probability score is then generated based on the plurality of features, using a machine-learning model trained on datasets associated with historical deployments of containers that have been performed via the container orchestration service. The probability score indicates a probability that the deployment of the container is anomalous compared to the historical deployments of containers. When the probability score is greater than a threshold, the deployment of the container is determined as anomalous.
    Type: Application
    Filed: November 29, 2021
    Publication date: June 1, 2023
    Inventors: Amit MAGEN MEDINA, Dotan PATRICH, Josef WEIZMAN, Idan HEN
  • Publication number: 20230135186
    Abstract: A system to detect abnormal cross authorizations and take action is described. The system determines whether a cross authorization event applied to a first trained anomaly detection model and activity post cross authorization event applied to a second trained anomaly detection model is suspicious. An indicator score is determined from rule-based security indications applied to the cross authorization. A security action is taken based on application of the indicator score applied to a threshold.
    Type: Application
    Filed: November 1, 2021
    Publication date: May 4, 2023
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Idan Hen, Ilay Grossman, Avichai Ben David
  • Publication number: 20230132611
    Abstract: A system to detect abnormal classic authorizations, such as in a classic authorization system of a resource access management system, and take action is described. The system determines an anomaly score from a model applied to a classic assignment event. An indicator score is determined from the classic assignment event applied to domain-based rules. The security action is taken based on a combination of the anomaly score and the indicator score.
    Type: Application
    Filed: November 1, 2021
    Publication date: May 4, 2023
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Idan Hen, Ilay Grossman, Avichai Ben David
  • Publication number: 20230110080
    Abstract: Technologies are shown for detection of identity misconfiguration that involve collecting identity/role binding and role/access rules data from multiple clusters supported by a computing resource system. Access rules for identities are extracted from the collected data and an access rule prediction model created to predict access rules for identities. An identity definition request for a tenant is received having a requested identity and a role assigned to the identity. A set of access rules is obtained for the role assigned to the identity and a predicted set of access rules is obtained for the requested identity from the prediction model. The access rules for the requested role are compared to the predicted set of access rules and a misconfiguration alert generated when there is a difference between the set of access rules for the requested role and the predicted set of access rules for the requested identity.
    Type: Application
    Filed: October 7, 2021
    Publication date: April 13, 2023
    Inventors: Idan HEN, Aharon MICHAELS, Dotan PATRICH, Josef WEIZMAN, Amit MAGEN
  • Publication number: 20220353288
    Abstract: A system to determine an intrusion risk and take action is described. The system collaboratively filters a combination based on a user access and a network item in a computer network to determine an associated recommendation score. The system determines connected components of a model of the computer network and separately collaboratively filters the connected components to determine the recommendation score as a measure of intrusion risk. An action is taken on the user access based on the intrusion risk.
    Type: Application
    Filed: April 30, 2021
    Publication date: November 3, 2022
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Roy Levin, Idan Hen
  • Patent number: 11483327
    Abstract: Cybersecurity anomaly explainability is enhanced, with particular attention to collaborative filter-based anomaly detection. An enhanced system obtains user behavior vectors derived from a trained collaborative filter, computes a similarity measure of user behavior based on a distance between user behavior vectors and a similarity threshold, and automatically produces an explanation of a detected cybersecurity anomaly. The explanation describes a change in user behavior similarity, in human-friendly terms, such as “User X from Sales is now behaving like a network administrator.” Each user behavior vector includes latent features, and corresponds to access attempts or other behavior of a user with respect to a monitored computing system. Users may be sorted according to behavioral similarity. Explanations may associate a collaborative filter anomaly detection result with a change in behavior of an identified user or cluster of users, per specified explanation structures.
    Type: Grant
    Filed: November 17, 2019
    Date of Patent: October 25, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Idan Hen, Roy Levin
  • Publication number: 20220292417
    Abstract: Techniques are described herein that are capable of using weighted peer groups to selectively trigger a security alert. A determination is made that an entity performs an operation. The entity has peers that are categorized among peer groups. For each peer group, an extent to which the peers in the peer group perform the operation is determined. Weights are assigned to the respective peer groups. For each peer group, the extent to which the peers in the peer group perform the operation and the weight that is assigned to the peer group are combined to provide a respective weighted group value. A risk score, which is based at least in part on the weighted group values of the peer groups, is assigned to the operation. The security alert regarding the operation is selectively triggered based at least in part on the risk score.
    Type: Application
    Filed: March 10, 2021
    Publication date: September 15, 2022
    Inventors: Idan HEN, Itay ARGOETY, Dror COHEN
  • Publication number: 20220075871
    Abstract: Methods, systems and computer program products are provided for detection of hacker tools based on their network signatures. A suspicious process detector (SPD) may be implemented on local computing devices or on servers to identify suspicious (e.g., potentially malicious) or malicious executables. An SPD may detect suspicious and/or malicious executables based on the network signatures they generate when executed as processes. An SPD may include a model, which may be trained based on network signatures generated by multiple processes on multiple computing devices. Computing devices may log information about network events, including the process that generated each network event. Network activity logs may record the network signatures of one or more processes. Network signatures may be used to train a model for a local and/or server-based SPD. Network signatures may be provided to an SPD to detect suspicious or malicious executables using a trained model.
    Type: Application
    Filed: October 5, 2020
    Publication date: March 10, 2022
    Inventors: Roy LEVIN, Idan HEN
  • Publication number: 20210409419
    Abstract: According to examples, an apparatus may include a memory on which is stored machine-readable instructions that may cause a processor to identify a privilege level assigned to a principal over a resource and determine whether the assigned privilege level is to be maintained or modified for the principal over the resource. Based on a determination that the assigned privilege level is to be maintained for the principal, the processor may determine whether access by the principal over the resource is to be limited and based on a determination that access to the resource is to be limited, apply a limited access by the principal over the resource.
    Type: Application
    Filed: June 26, 2020
    Publication date: December 30, 2021
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Naama KRAUS, Tamer Salman, Moshe Israel, Moshe Shalala, Idan Hen, Avihai Dvir, Rotem Lurie
  • Publication number: 20210152581
    Abstract: Cybersecurity anomaly explainability is enhanced, with particular attention to collaborative filter-based anomaly detection. An enhanced system obtains user behavior vectors derived from a trained collaborative filter, computes a similarity measure of user behavior based on a distance between user behavior vectors and a similarity threshold, and automatically produces an explanation of a detected cybersecurity anomaly. The explanation describes a change in user behavior similarity, in human-friendly terms, such as “User X from Sales is now behaving like a network administrator.” Each user behavior vector includes latent features, and corresponds to access attempts or other behavior of a user with respect to a monitored computing system. Users may be sorted according to behavioral similarity. Explanations may associate a collaborative filter anomaly detection result with a change in behavior of an identified user or cluster of users, per specified explanation structures.
    Type: Application
    Filed: November 17, 2019
    Publication date: May 20, 2021
    Inventors: Idan HEN, Roy LEVIN
  • Publication number: 20210120014
    Abstract: Techniques for user impact potential based security alert management in computer systems are disclosed. One example technique includes receiving an alert indicating that a security rule has been violated by a user. The example technique can also include, in response to receiving the data representing the alert, determining an impact score of the user based on the profile of the user. The impact score represents a deviation of an assigned value to the profile of the user and a mean value of assigned values of profiles of all users in the organization. The example technique can further include calculating a ranking value of the alert in relation to other alerts based on the determined impact score and other impact scores corresponding to the other alerts and selectively surfacing the alert to a system analyst based on the calculated ranking value in relation to other alerts.
    Type: Application
    Filed: October 22, 2019
    Publication date: April 22, 2021
    Inventors: Itay Argoety, Jonathan Moshe Monsonego, Idan Hen, Payal Rani, Sridhar Periyasamy