Patents by Inventor Kineret Raviv

Kineret Raviv has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10425432
    Abstract: Methods and apparatus are provided for detecting suspicious network activity, such as in an enterprise network. An exemplary method comprises obtaining network event data for a plurality of user-server communications for a given user; determining a number of distinct servers the user communicated with during a predefined time window; determining a number of distinct servers the user failed in authenticating to during the predefined time window; and assigning a risk score to the user based on the number of distinct servers the user communicated with and the number of distinct servers the user failed in authenticating to during the predefined time window. Generally, the risk score provides a measure of an anomalousness of the user communicating with the number of servers during the predefined time window. An absolute score is optionally assigned based on an evaluation of the number of distinct servers the user communicated with during the predefined time window relative to a predefined threshold number.
    Type: Grant
    Filed: June 24, 2016
    Date of Patent: September 24, 2019
    Assignee: EMC IP Holding Company LLC
    Inventors: Kineret Raviv, Uri Fleyder, Eyal Kolman, Ofri Mann
  • Patent number: 10367835
    Abstract: Methods and apparatus are provided for detecting suspicious network activity by new devices. An exemplary method comprises: obtaining network event data for a given entity that comprises a user or a user device; determining a number of distinct other entities associated with the given entity during a predefined short time window, wherein the distinct other entities comprise user devices used by the user if the given entity comprises a user and comprise users of the user device if the given entity comprises a user device; determining a number of distinct other entities associated with the given entity during a predefined longer time window; and assigning a risk score to the given entity based on (i) the number during the predefined short time window relative to the number during the predefined longer time window, and/or (ii) the number during the predefined short time window relative to a predefined number.
    Type: Grant
    Filed: June 24, 2016
    Date of Patent: July 30, 2019
    Assignee: EMC IP Holding Company LLC
    Inventors: Kineret Raviv, Dan Karpati, Eyal Kolman, Ofri Mann, Alon Kaufman
  • Patent number: 10356120
    Abstract: Disclosed are techniques for use in assessing the risk of electronic communications using logon types. In one embodiment, the techniques comprise a method. The method comprises receiving an electronic communication relating to a login request involving a user and a provider of a computerized resource. The method comprises determining a logon type associated with the logon request. The method comprises determining a first value relating to an amount of logon requests associated with the logon type involving the user and the provider over a first time period and a second value relating to an amount of logon requests associated with the logon type involving the user and the provider over a second time period that is greater than the first time period. The method comprises generating a risk score describing the risk associated with the logon request based on the first and the second values.
    Type: Grant
    Filed: April 28, 2017
    Date of Patent: July 16, 2019
    Assignee: EMC IP Holding Company LLC
    Inventors: Kineret Raviv, Uri Fleyder, Marcelo Blatt, Ofri Mann, Richard Chiles
  • Patent number: 10129276
    Abstract: Methods and apparatus are provided for identifying suspicious domains using common user clustering. An exemplary method comprises obtaining network event data comprising a plurality of network connections; identifying users and domains associated with the network connections in the network event data; creating a connection between each user/domain pair that communicate with one another in the identified users and the identified domains to generate a graph; connecting domains in the graph using inter-domain edges that share common users to obtain a graph of interconnected domains; identifying bi-connected components in the graph of interconnected domains, wherein the bi-connected components comprise node pairs having at least two paths in the graph of interconnected domains between them; and processing the bi-connected components to identify a plurality of suspicious domains that are likely to participate in a computer security attack.
    Type: Grant
    Filed: March 29, 2016
    Date of Patent: November 13, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Kineret Raviv, Carmit Sahar, Eyal Kolman, Shay Amram, Alon Kaufman
  • Patent number: 10115108
    Abstract: Techniques of identifying fraud detection rule strength involve varying the rendering of a graph from transaction data. Along these lines, a rules server computer provides a general graph from a group of transaction entries defining a group of fraudulent and authentic transactions on an electronic display. A user defines selection criteria that the rules server computer applies to the group of transaction entries to generate a subgroup of transaction entries. From the subgroup of transaction entries, the rules server computer provides a focused graph on the electronic display from the subgroup of transaction entries defining a subgroup of the group of fraudulent and authentic transactions. A ratio of the number of fraudulent transactions to the number of authentic transactions represented in the focused graph identifies the strength of the selection criteria for use in a fraud detection rule.
    Type: Grant
    Filed: March 29, 2016
    Date of Patent: October 30, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Anatoly Gendelev, Alex Zaslavsky, Kineret Raviv, Eyal Kolman, Alma Zohar
  • Patent number: 10038672
    Abstract: A system for generating virtual private network (VPN) sessions from VPN server log messages uses and displays a VPN sessions table in which each row contains attributes of a corresponding VPN session. Processing of a log message causes a session to be generated when there is no ACTIVE session in the table for a username extracted from a log message. A time extracted from the log message is stored as the session start time and as a temporary end time associated with the session. If a gap between a temporary end time and a time extracted from a log message for the associated ACTIVE session is less than a threshold amount, the temporary end time is set to the extracted time. If the gap is equal to or exceeds the threshold, the status of the session is changed from ACTIVE to CLOSED, and a new ACTIVE session is generated.
    Type: Grant
    Filed: March 29, 2016
    Date of Patent: July 31, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Kineret Raviv, Carmit Sahar, Eyal Kolman
  • Patent number: 10015185
    Abstract: A processing device in one embodiment comprises a processor coupled to a memory and is configured to generate access profiles for respective user identifiers, to obtain data characterizing a current access for a given one of the user identifiers, to extract a plurality of features from the data characterizing the current access for the given user identifier, and to generate feature risk scores based on the extracted features and the access profile for the given user identifier. The processing device is further configured to aggregate the feature risk scores into a composite risk score. The aggregation illustratively comprises weighting the feature risk scores as a function of their relative levels of riskiness. The composite risk score is compared to a threshold, and an alert is generated relating to the current access based on a result of comparing the composite risk score to the threshold.
    Type: Grant
    Filed: March 24, 2016
    Date of Patent: July 3, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Eyal Kolman, Kineret Raviv
  • Patent number: 10003607
    Abstract: A processing device in one embodiment comprises a processor coupled to a memory and is configured to obtain data characterizing a plurality of network sessions for each of a plurality of user identifiers. The network sessions are initiated from a plurality of user devices over at least one network and may comprise respective virtual private network (VPN) sessions. The processing device is further configured to process the data characterizing the network sessions for a given one of the plurality of user identifiers to generate a network session profile for the given user identifier, the network session profile comprising a plurality of histograms for respective ones of a plurality of features extracted from the data characterizing the plurality of network sessions for the given user identifier. A risk score is generated for a current network session utilizing features extracted from the data characterizing that session and the network session profile.
    Type: Grant
    Filed: March 24, 2016
    Date of Patent: June 19, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Eyal Kolman, Kineret Raviv
  • Patent number: 9985980
    Abstract: A method includes (a) collecting information on times at which domains were contacted by each device of a set of devices on a network, (b) for each domain contacted by the set of devices, recording a list of time gaps between subsequent contacts to that domain by each device, (c) for each domain, calculating an entropy for the list of time gaps for that domain, a lower entropy indicating that that domain has been accessed at more regular intervals, while a higher entropy indicates that that domain has been accessed at more random intervals, (d) selecting a subset of the set of domains having smaller entropies relative to other domains of the set of domains, and (e) presenting the selected subset to an administrator with directions to review domains of the subset for potential contact with malware installed on devices of the computer network.
    Type: Grant
    Filed: December 15, 2015
    Date of Patent: May 29, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Eyal Kolman, Kineret Raviv
  • Patent number: 9967275
    Abstract: Techniques of identifying anomalous behavior on an electronic network involve iteratively combining groups of adjacent bins of a histogram in such a way as to minimize a measure of error in the histogram. Along these lines, a user behavior analytics server represents a user behavior factor with a histogram. The UBA server reduces a number of bins in the histogram by iteratively selecting groups of adjacent bins for combination. Upon each iteration, the group of bins that is selected for combination is the group which, when its bins are combined, minimizes differences between the values of the bins in that group and a value of the combined bin.
    Type: Grant
    Filed: December 17, 2015
    Date of Patent: May 8, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Eyal Kolman, Kineret Raviv