Abstract: A dormant account identifier is disclosed. An inactive account can be determined based on whether a user activity of the account is outside a threshold amount. A determination can be made as to whether the inactive account is a dormant account based on account activity of a peer account to the inactive account.

Abstract: Conditionally initiating a security measure in response to an estimated increase in risk imposed related to a particular user of a computing network. The risk is determined using a rolling time window. Accordingly, sudden increases in risk are quickly detected, allowing security measures to be taken quickly within that computing network. Thus, improper infiltration into a computing network is less likely to escalate or move laterally to other users or resources within the computing network. Furthermore, the security measure may be automatically initiated using settings pre-configured by the entity. Thus, the security measures go no further than what the entity instructed, thereby minimizing risk of overreaching with the security measure.

Abstract: Generally discussed herein are devices, systems, and methods for improving computer resource security. A method can include receiving a computer activity log detailing activities of users in a computer network. The method can include identifying activities of the activities in the computer activity log that include a specified user identification (ID) value. The method can include mapping each of the identified activities to a predicate group of predicate groups and a subject group of subject groups. The method can include generating a behavior profile for a user associated with the user ID, the behavior profile including, for each activity the predicate group and the subject group to which the activity mapped in place of a description and action of the activity. The method can include based on the generated behavior profile, monitoring the computer network for malicious activity.

Abstract: According to examples, an apparatus may include a processor and a memory on which is stored machine-readable instructions that when executed by the processor, may cause the processor to identify a timing at which a user activity occurred and may apply an anomaly detection model on the identified timing at which the user activity occurred, in which the anomaly detection model is to output a risk score corresponding to a deviation of the timing at which the user activity occurred from timings at which the user normally performs user activities. The processor may also determine whether the timing at which the user activity occurred is anomalous based on the risk score and, based on a determination that the timing at which the user activity occurred is anomalous, may output an alert regarding the anomalous timing of the user activity occurrence.

Abstract: According to examples, an apparatus may include a processor and a memory on which is stored machine-readable instructions that when executed by the processor, may cause the processor to access a plurality of features pertaining to an event, apply an anomaly detection model on the accessed plurality of features, in which the anomaly detection model may output a reconstruction of the accessed plurality of features. The processor may calculate a reconstruction error of the reconstruction, determine whether a combination of the plurality of features is anomalous based on the calculated reconstruction error, and based on a determination that the combination of the plurality of features is anomalous, output a notification that the event is anomalous.

Abstract: Conditionally initiating a security measure in response to an estimated increase in risk imposed related to a particular user of a computing network. The risk is determined using a rolling time window. Accordingly, sudden increases in risk are quickly detected, allowing security measures to be taken quickly within that computing network. Thus, improper infiltration into a computing network is less likely to escalate or move laterally to other users or resources within the computing network. Furthermore, the security measure may be automatically initiated using settings pre-configured by the entity. Thus, the security measures go no further than what the entity instructed, thereby minimizing risk of overreaching with the security measure.

Abstract: Techniques are described herein that are capable of using weighted peer groups to selectively trigger a security alert. A determination is made that an entity performs an operation. The entity has peers that are categorized among peer groups. For each peer group, an extent to which the peers in the peer group perform the operation is determined. Weights are assigned to the respective peer groups. For each peer group, the extent to which the peers in the peer group perform the operation and the weight that is assigned to the peer group are combined to provide a respective weighted group value. A risk score, which is based at least in part on the weighted group values of the peer groups, is assigned to the operation. The security alert regarding the operation is selectively triggered based at least in part on the risk score.

Abstract: Distributed computing system (DCS) performance is enhanced by caching optimizations. The DCS includes nodes with local caches. Resource accessors such as users are clustered based on their similarity, and the clusters are assigned to nodes. Then processing workloads are distributed among the nodes based on the accessors the workloads implicate, and based on which nodes were assigned to those accessors' clusters. Clustering may place security peers together in a cluster, and hence place peers together on a node. Security peers tend to access the same resources, so those resources will more often be locally cached, improving performance. Workloads implicating peers also tend to access the same resources, such as peers' behavior histories, so those resources will likewise tend to be cached locally, thus optimizing performance as compared for example to randomly assigning accessors to nodes without clustering and without regard to security peer groupings.

Abstract: Distributed computing system (DCS) performance is enhanced by caching optimizations. The DCS includes nodes with local caches. Resource accessors such as users are clustered based on their similarity, and the clusters are assigned to nodes. Then processing workloads are distributed among the nodes based on the accessors the workloads implicate, and based on which nodes were assigned to those accessors' clusters. Clustering may place security peers together in a cluster, and hence place peers together on a node. Security peers tend to access the same resources, so those resources will more often be locally cached, improving performance. Workloads implicating peers also tend to access the same resources, such as peers' behavior histories, so those resources will likewise tend to be cached locally, thus optimizing performance as compared for example to randomly assigning accessors to nodes without clustering and without regard to security peer groupings.

Abstract: A dormant account identifier is disclosed. An inactive account can be determined based on whether a user activity of the account is outside a threshold amount. A determination can be made as to whether the inactive account is a dormant account based on account activity of a peer account to the inactive account.

Abstract: Techniques for user impact potential based security alert management in computer systems are disclosed. One example technique includes receiving an alert indicating that a security rule has been violated by a user. The example technique can also include, in response to receiving the data representing the alert, determining an impact score of the user based on the profile of the user. The impact score represents a deviation of an assigned value to the profile of the user and a mean value of assigned values of profiles of all users in the organization. The example technique can further include calculating a ranking value of the alert in relation to other alerts based on the determine impact score and other impacts scores corresponding to the other alerts and selectively surfacing the alert to a system analyst based on the calculated ranking value in relation to other alerts.