Abstract: In some aspects, the techniques described herein relate to a method for detecting malicious emails, the method including: receiving an email, wherein the email is associated with a markup payload; determining, based on the markup payload, text data associated with the email; determining, using the text data and a first machine learning model, a first representation of the email representing text associated with the email; rendering the email to generate image data that represents a rendering of the email; determining, using the image data and a second machine learning model, a second representation of the email that represents at least the rendering of the email; and determining a prediction for the email based on the first representation and the second representation, wherein the prediction represents whether the email is predicted to be malicious based on the first representation and the second representation.

Abstract: In one embodiment, a device obtains input features for a neural network-based model. The device pre-defines a set of neurons of the model to represent known behaviors associated with the input features. The device constrains weights for a plurality of outputs of the model. The device trains the neural network-based model using the constrained weights for the plurality of outputs of the model and by excluding the pre-defined set of neurons from updates during the training.

Abstract: In one embodiment, a device obtains input features for a neural network-based model. The device pre-defines a set of neurons of the model to represent known behaviors associated with the input features. The device constrains weights for a plurality of outputs of the model. The device trains the neural network-based model using the constrained weights for the plurality of outputs of the model and by excluding the pre-defined set of neurons from updates during the training.

Abstract: Techniques for an email-security system to screen emails, extract information from the emails, analyze the extracted information, assign probability scores to the emails, and classify the email as suspicious or not. A method is disclosed that includes analyzing an email and extracting a first sender attribute and a second sender attribute from the email. Identifying one or more sender-specific models associated with a sending device, and applying one or more sender-specific models to determine a first probability value associated with the first sender attribute that conveys a likelihood that the first sender attribute is a misused sender attribute. Applying one or more sender-specific models to determine a second probability value associated with the second sender attribute is a second misused sender attribute, and determining, by using the first probability value and the second probability value, an overall probability value associated with a likelihood that the email is suspicious or not.

Abstract: In some aspects, the techniques described herein relate to a method for detecting malicious emails, the method including: receiving an email, wherein the email is associated with a markup payload; determining, based on the markup payload, text data associated with the email; determining, using the text data and a first machine learning model, a first representation of the email representing text associated with the email; rendering the email to generate image data that represents a rendering of the email; determining, using the image data and a second machine learning model, a second representation of the email that represents at least the rendering of the email; and determining a prediction for the email based on the first representation and the second representation, wherein the prediction represents whether the email is predicted to be malicious based on the first representation and the second representation.

Abstract: A method to perform the techniques described herein includes receiving a first email from a first sender to a first receiver. The method may include determining a first maliciousness prediction that indicates a first likelihood that the first email is malicious. The method may include determining that the first maliciousness prediction fails to satisfy a maliciousness pattern associated with malicious emails. The method may include receiving a second email from the first sender to the first receiver. The method may include determining that the first email and second email were received within a threshold period of time. The method may include determining an overall maliciousness prediction that indicates an overall likelihood that the first email and second email in combination are malicious. The method may include determining that the overall maliciousness prediction satisfies the maliciousness pattern.

Abstract: In one embodiment, a device obtains input features for a neural network-based model. The device pre-defines a set of neurons of the model to represent known behaviors associated with the input features. The device constrains weights for a plurality of outputs of the model. The device trains the neural network-based model using the constrained weights for the plurality of outputs of the model and by excluding the pre-defined set of neurons from updates during the training.

Abstract: Techniques and architecture are described for converting tree structured data such as, for example, JavaScript Object Notation (JSON) data, into multiple feature vectors to train multiple instance learning (MIL) models for providing cybersecurity in networks. In particular, a data set is provided, wherein the data set comprises a sample configured as a hierarchal tree. The sample is converted into a set of path and value pairs, e.g., flattened into a set of path and value pairs, where the path is a sequence of field names and array indices encoding a position of a value. Each path and value pair of the set of path and value pairs is converted into a respective feature vector to form a set of feature vectors. The set of feature vectors is used to train a multiple instance learning (MIL) model, wherein each feature vector has a same, fixed length.

Abstract: Inverse imbalance subspace searching techniques are used to detect potential malware among samples of network communication data. A large number of samples of network communication data, such as proxy log data and/or network flows, are received and analyzed by a malware detection system. A number of the samples are associated with known malware, while other unlabeled samples are either benign or may be associated with unknown malware. An inverse imbalance subspace search may be performed, in which the sample sets are divided into subsets based on random feature thresholds, and each subset is evaluated based on the ratio of known malware samples to unlabeled samples. Unlabeled samples within subsets having high malware sample ratios may be identified, aggregated, and processed as potential malware.

Abstract: In one embodiment, a device obtains input features for a neural network-based model. The device pre-defines a set of neurons of the model to represent known behaviors associated with the input features. The device constrains weights for a plurality of outputs of the model. The device trains the neural network-based model using the constrained weights for the plurality of outputs of the model and by excluding the pre-defined set of neurons from updates during the training.

Abstract: Techniques are described for detecting attacks that employ a display name in an email to impersonate an email sender. A computing infrastructure hosting an email security platform may determine a similarity between the display name and an email address from which the email was received. The email security platform may determine the similarity by comparing a string associated with the display name and a string associated with the sender address. The email security platform may generate a similarity value based on a result of the display name being compared with the sender address. The email security platform may determine that the email includes the display name impersonating a name of the sender, based on the similarity value meeting or exceeding a threshold value indicative of impersonation. The email security platform may delete or quarantine the email from an inbox associated with a user account.

Abstract: In one embodiment, a device distributes sets of training records from a training dataset for a random forest-based classifier among a plurality of workers of a computing cluster. Each worker determines whether it can perform a node split operation locally on the random forest by comparing a number of training records at the worker to a predefined threshold. The device determines, for each of the split operations, a data size and entropy measure of the training records to be used for the split operation. The device applies a machine learning-based predictor to the determined data size and entropy measure of the training records to be used for the split operation, to predict its completion time. The device coordinates the workers of the computing cluster to perform the node split operations in parallel such that the node split operations in a given batch are grouped based on their predicted completion times.

Abstract: A humidifier including a humidifier housing with an adjustable backplane configured to fit to a variety of humidifier pad sizes. Different sizes of humidifier pads are available, and the choice of humidifier pad may depend on the capacity of the HVAC system. The backplane of this disclosure may be adjusted by moving to one position to accommodate a larger humidifier pad or to a second position for a smaller humidifier pad. The backplane of the humidifier housing is configured to mount over an opening of an air duct of an HVAC system such that air is directed along an air path defined by the humidifier housing, through the humidifier pad positioned in front of the air duct and into the air stream of the HVAC system. Water flows through inlet tubing to a water distributor, which may direct the water to the top of the humidifier pad.

Abstract: Techniques are described for detecting attacks that employ a display name in an email to impersonate an email sender. A computing infrastructure hosting an email security platform may determine a similarity between the display name and an email address from which the email was received. The email security platform may determine the similarity by comparing a string associated with the display name and a string associated with the sender address. The email security platform may generate a similarity value based on a result of the display name being compared with the sender address. The email security platform may determine that the email includes the display name impersonating a name of the sender, based on the similarity value meeting or exceeding a threshold value indicative of impersonation. The email security platform may delete or quarantine the email from an inbox associated with a user account.

Abstract: Inverse imbalance subspace searching techniques are used to detect potential malware among samples of network communication data. A large number of samples of network communication data, such as proxy log data and/or network flows, are received and analyzed by a malware detection system. A number of the samples are associated with known malware, while other unlabeled samples are either benign or may be associated with unknown malware. An inverse imbalance subspace search may be performed, in which the sample sets are divided into subsets based on random feature thresholds, and each subset is evaluated based on the ratio of known malware samples to unlabeled samples. Unlabeled samples within subsets having high malware sample ratios may be identified, aggregated, and processed as potential malware.

Abstract: In one embodiment, a traffic analysis service obtains telemetry data regarding encrypted traffic associated with a particular device in the network, wherein the telemetry data comprises Transport Layer Security (TLS) features of the traffic. The service determines, based on the TLS features from the obtained telemetry data, a set of one or more TLS fingerprints for the traffic associated with the particular device. The service calculates a measure of similarity between the set of one or more TLS fingerprints for the traffic associated with the particular device and a set of one or more TLS fingerprints of traffic associated with a second device. The service determines, based on the measure of similarity, that the particular device and the second device were operated by the same user.

Abstract: In one embodiment, a device obtains input features for a neural network-based model. The device pre-defines a set of neurons of the model to represent known behaviors associated with the input features. The device constrains weights for a plurality of outputs of the model. The device trains the neural network-based model using the constrained weights for the plurality of outputs of the model and by excluding the pre-defined set of neurons from updates during the training.

Abstract: A humidifier including a humidifier housing with an adjustable backplane configured to fit to a variety of humidifier pad sizes. Different sizes of humidifier pads are available, and the choice of humidifier pad may depend on the capacity of the HVAC system. The backplane of this disclosure may be adjusted by moving to one position to accommodate a larger humidifier pad or to a second position for a smaller humidifier pad. The backplane of the humidifier housing is configured to mount over an opening of an air duct of an HVAC system such that air is directed along an air path defined by the humidifier housing, through the humidifier pad positioned in front of the air duct and into the air stream of the HVAC system. Water flows through inlet tubing to a water distributor, which may direct the water to the top of the humidifier pad.

Abstract: In one embodiment, a traffic analysis service obtains telemetry data regarding encrypted traffic associated with a particular device in the network, wherein the telemetry data comprises Transport Layer Security (TLS) features of the traffic. The service determines, based on the TLS features from the obtained telemetry data, a set of one or more TLS fingerprints for the traffic associated with the particular device. The service calculates a measure of similarity between the set of one or more TLS fingerprints for the traffic associated with the particular device and a set of one or more TLS fingerprints of traffic associated with a second device. The service determines, based on the measure of similarity, that the particular device and the second device were operated by the same user.

Abstract: In one embodiment, a device trains a machine learning-based malware classifier using a first randomly selected subset of samples from a training dataset. The classifier comprises a random decision forest. The device identifies, using at least a portion of the training dataset as input to the malware classifier, a set of misclassified samples from the training dataset that the malware classifier misclassifies. The device retrains the malware classifier using a second randomly selected subset of samples from the training dataset and the identified set of misclassified samples. The device adjusts prediction labels of individual leaves of the random decision forest of the retrained malware classifier based in part on decision changes in the forest that result from assessing the entire training dataset with the classifier. The device sends the malware classifier with the adjusted prediction labels for deployment into a network.