Abstract: According to examples, an apparatus may include a processor and a memory on which are stored machine-readable instructions that, when executed by the processor, may cause the processor to receive event data to be placed in a plurality of queues. The processor may determine logical partitions for the received event data and may store the event data in the plurality of queues based on the determined logical partitions. A first queue of the plurality of queues may be mapped to a first logical partition range and a second queue of the plurality of queues may be mapped to a second logical partition range. Based on respective loads at the plurality of queues, the processor may update a mapping of the determined logical partitions to the plurality of queues by transferring logical partitions between the first queue and the second queue.

Abstract: According to examples, an apparatus may include a processor and a memory on which are stored machine-readable instructions that, when executed by the processor, may cause the processor to receive event data to be placed in a plurality of queues. The processor may determine logical partitions for the received event data and may store the event data in the plurality of queues based on the determined logical partitions. A first queue of the plurality of queues may be mapped to a first logical partition range and a second queue of the plurality of queues may be mapped to a second logical partition range. Based on respective loads at the plurality of queues, the processor may update a mapping of the determined logical partitions to the plurality of queues by transferring logical partitions between the first queue and the second queue.

Abstract: According to examples, an apparatus may include a processor and a memory on which is stored machine-readable instructions that when executed by the processor, may cause the processor to access a plurality of features pertaining to an event, apply an anomaly detection model on the accessed plurality of features, in which the anomaly detection model may output a reconstruction of the accessed plurality of features. The processor may calculate a reconstruction error of the reconstruction, determine whether a combination of the plurality of features is anomalous based on the calculated reconstruction error, and based on a determination that the combination of the plurality of features is anomalous, output a notification that the event is anomalous.

Abstract: Methods, systems and computer program products are provided for detection of slow brute force attacks based on user-level time series analysis. A slow brute force attack may be detected based on one or more anomalous failed login events associated with a user, alone or in combination with one or more post-login anomalous activities associated with the user, security alerts associated with the user, investigation priority determined for the user and/or successful logon events associated with the user. An alert may indicate a user is the target of a successful or unsuccessful slow brute force attack. Time-series data (e.g., accounted for in configurable time intervals) may be analyzed on a user-by-user basis to identify localized anomalies and global anomalies, which may be scored and evaluated (e.g., alone or combined with other information) to determine an investigation priority and whether and what alert to issue for a user.

Abstract: Computing environment resource popularity is assessed, using a computed ratio of accumulations of resource usage values and a relationship condition, thereby providing inputs as guidance for automatic system enhancement utilizations such as anomaly detection, resource management, and access or maintenance prioritization. Unlike V1 approaches that base resource popularity on at most two resource usage values, the V2 assessment approaches taught herein consider a distribution of usage values across an entire group of resources, thereby providing finer grained actionable results. Usage value accumulations may be scaled. Popularity or rareness of one or more resources of various types may be determined. A cache or other decay model may be employed to optimize assessment efficiency by reducing usage value retrieval I/O transactions. Specific utilizations of resource popularity assessments for enhancing system usability, security, functionality, and effectiveness are discussed.

Abstract: Methods, systems and computer program products are provided for detection of slow brute force attacks based on user-level time series analysis. A slow brute force attack may be detected based on one or more anomalous failed login events associated with a user, alone or in combination with one or more post-login anomalous activities associated with the user, security alerts associated with the user, investigation priority determined for the user and/or successful logon events associated with the user. An alert may indicate a user is the target of a successful or unsuccessful slow brute force attack. Time-series data (e.g., accounted for in configurable time intervals) may be analyzed on a user-by-user basis to identify localized anomalies and global anomalies, which may be scored and evaluated (e.g., alone or combined with other information) to determine an investigation priority and whether and what alert to issue for a user.