Abstract: A new approach is proposed to support integration of EDR data from a plurality of EDR tools/sources into an Open XDR framework in an automated manner. First, EDR data generated by each of the plurality of EDR tools covering a plurality of assets is ingested into the Open XDR framework. The ingested EDR data is then normalized through a unified EDR data model. The normalized EDR data is further enriched with one or more new data fields to better correlate the EDR normalized data from the plurality of EDR tools. A plurality of alerts are then generated from the normalized and enriched data along one or more alert pathways to improve fidelity of the plurality of alerts. The plurality of alerts are correlated with the contextual information of the plurality of assets as well as information from other data sources to identify a set of incidents of suspicious activities.

Abstract: Systems and methods for predicting road conditions and traffic volume is provided. The method includes generating a graph of one or more road regions including a plurality of road intersections and a plurality of road segments, wherein the road intersections are represented as nodes and the road segments are represented as edges. The method can also include embedding the nodes from the graph into a node space, translating the edges of the graph into nodes of a line graph, and embedding the nodes of the line graph into the node space. The method can also include aligning the nodes from the line graph with the nodes from the graph, and optimizing the alignment, outputting a set of node and edge representations that predicts the traffic flow for each of the road segments and road intersections based on the optimized alignment of the nodes.

Abstract: Methods and systems for detecting and responding to an intrusion in a computer network include generating an adversarial training data set that includes original samples and adversarial samples, by perturbing one or more of the original samples with an integrated gradient attack to generate the adversarial samples. The original and adversarial samples are encoded to generate respective original and adversarial graph representations, based on node neighborhood aggregation. A graph-based neural network is trained to detect anomalous activity in a computer network, using the adversarial training data set. A security action is performed responsive to the detected anomalous activity.

Abstract: A computer-implemented method for graph structure based anomaly detection on a dynamic graph is provided. The method includes detecting anomalous edges in the dynamic graph by learning graph structure changes in the dynamic graph with respect to target edges to be evaluated in a given time window repeatedly applied to the dynamic graph. The target edges correspond to particular different timestamps. The method further includes predicting a category of each of the target edges as being one of anomalous and non-anomalous based on the graph structure changes. The method also includes controlling a hardware based device to avoid an impending failure responsive to the category of at least one of the target edges.

Abstract: Methods and systems for detecting and responding to an intrusion in a computer network include generating an adversarial training data set that includes original samples and adversarial samples, by perturbing one or more of the original samples with an integrated gradient attack to generate the adversarial samples. The original and adversarial samples are encoded to generate respective original and adversarial graph representations, based on node neighborhood aggregation. A graph-based neural network is trained to detect anomalous activity in a computer network, using the adversarial training data set. A security action is performed responsive to the detected anomalous activity.

Abstract: Systems and methods for predicting road conditions and traffic volume is provided. The method includes generating a graph of one or more road regions including a plurality of road intersections and a plurality of road segments, wherein the road intersections are represented as nodes and the road segments are represented as edges. The method can also include embedding the nodes from the graph into a node space, translating the edges of the graph into nodes of a line graph, and embedding the nodes of the line graph into the node space. The method can also include aligning the nodes from the line graph with the nodes from the graph, and optimizing the alignment, outputting a set of node and edge representations that predicts the traffic flow for each of the road segments and road intersections based on the optimized alignment of the nodes.

Abstract: A computer-implemented method for graph structure based anomaly detection on a dynamic graph is provided. The method includes detecting anomalous edges in the dynamic graph by learning graph structure changes in the dynamic graph with respect to target edges to be evaluated in a given time window repeatedly applied to the dynamic graph. The target edges correspond to particular different timestamps. The method further includes predicting a category of each of the target edges as being one of anomalous and non-anomalous based on the graph structure changes. The method also includes controlling a hardware based device to avoid an impending failure responsive to the category of at least one of the target edges.

Abstract: Methods for querying a database and database systems include optimizing a database query for parallel execution using spatial and temporal information relating to elements in the database, the optimized database query being split into sub-queries with sub-queries being divided spatially according to host and temporally according to time window. The sub-queries are executed in parallel. The results of the database query are outputted progressively.

Abstract: Automated security systems and methods include a set monitored systems, each having one or more corresponding monitors configured to record system state information. A progressive software behavioral query language (PROBEQL) database is configured to store the system state information from the monitored systems. A query optimizing module is configured to optimize a database query for parallel execution using spatial and temporal information relating to elements in the PROBEQL database. The optimized database query is split into sub-queries with sub-queries being divided spatially according to host and temporally according to time window. A parallel execution module is configured to execute the sub-queries on the PROBEQL database in parallel. A results module is configured to output progressive results of the database query. A security control system is configured to perform a security control action in accordance with the progressive results.

Abstract: Automated security systems and methods include a set monitored systems, each having one or more corresponding monitors configured to record system state information. A progressive software behavioral query language (PROBEQL) database is configured to store the system state information from the monitored systems. A query optimizing module is configured to optimize a database query for parallel execution using spatial and temporal information relating to elements in the PROBEQL database. The optimized database query is split into sub-queries with sub-queries being divided spatially according to host and temporally according to time window. A parallel execution module is configured to execute the sub-queries on the PROBEQL database in parallel. A results module is configured to output progressive results of the database query. A security control system is configured to perform a security control action in accordance with the progressive results.

Abstract: Methods for querying a database and database systems include optimizing a database query for parallel execution using spatial and temporal information relating to elements in the database, the optimized database query being split into sub-queries with sub-queries being divided spatially according to host and temporally according to time window. The sub-queries are executed in parallel. The results of the database query are outputted progressively.