Abstract: An information handling system monitors events of a first time period, forms sequences from the events (first sequences), and determines normal sequences of the events. In one embodiment, it may also form sequences based upon events of a second time period (second sequences), the second time period later than the first time period, match the first sequences against the second sequences, and remove events of the second sequences from the events of the second time period. The information handling systems may then search for anomalous events in the remaining events. In another embodiment, the normal sequences may represent purchases. The information handling systems may compare purchases of a customer to the normal sequences and determine products of possible interest to the customer based upon the comparison.

Abstract: An information handling system includes a storage and a processor. The storage is configured to store network activity logs from a first client system and a second client system. The processor is configured to receive a security alert from the first client system, analyze the security alert to obtain a plurality of indicators, utilize the supplementary indicators to build a statistical security model, and analyze activity on the second client system using the statistical security model to identify an additional security events.

Abstract: An information handling system includes an input and a processor. The processor receives a sequence of events, detects a first event within the sequence of events, determines a first state of a Markov model associated with the first event, detects a second event within the sequence of events, determines a second state of the Markov model associated with the second event, detects a state transition from the first state to the second state in the Markov model, determines a partial match of the sequence of events to a kill sequence of events in response to the state transition from the first state to the second state in the Markov model, and logs all events that occurred in the information handling system in between the first event and the second event.

Abstract: An information handling system includes a storage and a processor. The storage is configured to store network activity logs from a first client system and a second client system. The processor is configured to receive a security alert from the first client system, analyze the security alert to obtain a plurality of indicators, utilize the supplementary indicators to build a statistical security model, and analyze activity on the second client system using the statistical security model to identify an additional security events.

Abstract: An information handling system includes an input and a processor. The processor receives a sequence of events, detects a first event within the sequence of events, determines a first state of a Markov model associated with the first event, detects a second event within the sequence of events, determines a second state of the Markov model associated with the second event, detects a state transition from the first state to the second state in the Markov model, determines a partial match of the sequence of events to a kill sequence of events in response to the state transition from the first state to the second state in the Markov model, and logs all events that occurred in the information handling system in between the first event and the second event.

Abstract: An information handling system matches regular expressions by placing the regular expressions into parent/child relationships. A first regular expression is set as a child of a second regular expression when information about matching the first regular expression against a first string is obtained by matching the second regular expression against the first string. The information handling system forms the regular expressions into a graph. The regular expressions are matched against a second string in an order based upon a structure of the graph. A third regular expression is matched against the second string before a fourth regular expression based upon a vertex representing the fourth regular expression being a child of a vertex representing the third regular expression.

Abstract: An information handling system monitors events of a first time period, forms sequences from the events (first sequences), and determines normal sequences of the events. In one embodiment, it may also form sequences based upon events of a second time period (second sequences), the second time period later than the first time period, match the first sequences against the second sequences, and remove events of the second sequences from the events of the second time period. The information handling systems may then search for anomalous events in the remaining events. In another embodiment, the normal sequences may represent purchases. The information handling systems may compare purchases of a customer to the normal sequences and determine products of possible interest to the customer based upon the comparison.