Abstract: A computer-implemented method for implementing alert interpretation in enterprise security systems is presented. The computer-implemented method includes employing a plurality of sensors to monitor streaming data from a plurality of computing devices, generating alerts based on the monitored streaming data, and employing an alert interpretation module to interpret the alerts in real-time, the alert interpretation module including a process-star graph constructor for retrieving relationships from the streaming data to construct process-star graph models and an alert cause detector for analyzing the alerts based on the process-star graph models to determine an entity that causes an alert.

Abstract: A method and system are provided for improving threat detection in a computer system by performing an inter-application dependency analysis on events of the computer system. The method includes receiving, by a processor operatively coupled to a memory, a Tracking Description Language (TDL) query including general constraints, a tracking declaration and an output specification, parsing, by the processor, the TDL query using a language parser, executing, by the processor, a tracking analysis based on the parsed TDL query, generating, by the processor, a tracking graph by cleaning a result of the tracking analysis, and outputting, by the processor and via an interface, query results based on the tracking graph.

Abstract: A computer-implemented method, system, and computer program product are provided for anomaly detection. The method includes receiving, by a processor, sensor data from a plurality of sensors in a system. The method also includes generating, by the processor, a relationship model based on the sensor data. The method additionally includes updating, by the processor, the relationship model with new sensor data. The method further includes identifying, by the processor, an anomaly based on a fused single-variant time series fitness score in the relationship model. The method also includes controlling an operation of a processor-based machine to change a state of the processor-based machine, responsive to the anomaly.

Abstract: A computer-implemented method for implementing a knowledge transfer based model for accelerating invariant network learning is presented. The computer-implemented method includes generating an invariant network from data streams, the invariant network representing an enterprise information network including a plurality of nodes representing entities, employing a multi-relational based entity estimation model for transferring the entities from a source domain graph to a target domain graph by filtering irrelevant entities from the source domain graph, employing a reference construction model for determining differences between the source and target domain graphs, and constructing unbiased dependencies between the entities to generate a target invariant network, and outputting the generated target invariant network on a user interface of a computing device.

Abstract: Systems and methods for determining a risk level of a host in a network include modeling a target host's behavior based on historical events recorded at the target host. One or more original peer hosts having behavior similar to the target host's behavior are determined. An anomaly score for the target host is determined based on how the target host's behavior changes relative to behavior of the one or more original peer hosts over time. A security management action is performed based on the anomaly score.

Abstract: Methods and systems for detecting host community include modeling a target host's behavior based on historical events recorded at the target host. One or more original peer hosts having behavior similar to the target host's behavior are found by determining a distance in a latent space that embeds the historical events between events of the target host and events of the one or more original peer hosts. A security management action is performed based on behavior of the target host and the determined one or more original peer hosts.

Abstract: Methods and systems for modeling host behavior in a network include determining a first probability function for observing each of a set of process-level events at a first host based on embedding vectors for the first event and the first host. A second probability function is determined for the first host issuing each of a set of network-level events connecting to a second host based on embedding vectors for the first host and the second host. The first and second probability functions are maximized to determine a set of likely process-level and network-level events for the first host. A security action is performed based on the modeled host behavior.

Abstract: A method is provided that includes transforming training data into a neural network based learning model using a set of temporal graphs derived from the training data. The method includes performing model learning on the learning model by automatically adjusting learning model parameters based on the set of the temporal graphs to minimize differences between a predetermined ground-truth ranking list and a learning model output ranking list. The method includes transforming testing data into a neural network based inference model using another set of temporal graphs derived from the testing data. The method includes performing model inference by applying the inference and learning models to test data to extract context features for alerts in the test data and calculate a ranking list for the alerts based on the extracted context features. Top-ranked alerts are identified as critical alerts. Each alert represents an anomaly in the test data.

Abstract: Methods and systems for detecting anomalous events include detecting anomalous events in monitored system data. An event correlation graph is generated by determining a tendency for a first process to access a system target, including an innate tendency of the first process to access the system target, an influence of previous events from the first process, and an influence of processes other than the first process. Kill chains are generated from the event correlation graph that characterize events in an attack path over time. A security management action is performed based on the kill chains.

Abstract: Methods and systems for detecting anomalous events include detecting anomalous events in monitored system data. An event correlation graph is generated based on the monitored system data that characterizes the tendency of processes to access system targets. Kill chains are generated that connect malicious events over a span of time from the event correlation graph that characterize events in an attack path over time by sorting events according to a maliciousness value and determining at least one sub-graph within the event correlation graph with an above-threshold maliciousness rank. A security management action is performed based on the kill chains.

Abstract: Methods and systems for detecting security intrusions include detecting alerts in monitored system data. Temporal dependencies are determined between the alerts based on a prefix tree formed from the detected alerts. Content dependencies between the alerts are determined based on a distance between alerts in a graph representation of the detected alerts. The alerts are ranked based on an optimization problem that includes the temporal dependencies and the content dependencies. A security management action is performed based on the ranked alerts.

Abstract: A system and method are provided. The system includes a processor. The processor is configured to receive a plurality of events from network devices, the plurality of events including entities that are involved in the plurality of events. The processor is further configured to embed the entities into a common latent space based on co-occurrence of the entities in the plurality of events and model respective pairs of the entities for compatibility according to the embedding of the entities to form a pairwise interaction for the respective pairs of the entities. The processor is additionally configured to weigh the pairwise interaction of different ones of the respective pairs of the entities based on one or more compatibility criterion to generate a probability of an occurrence of an anomaly and alter the configuration of one or more of the network devices based on the probability of the occurrence of the anomaly.

Abstract: Methods and systems for reporting anomalous events include intra-host clustering a set of alerts based on a process graph that models states of process-level events in a network. Hidden relationship clustering is performed on the intra-host clustered alerts based on hidden relationships between alerts in respective clusters. Inter-host clustering is performed on the hidden relationship clustered alerts based on a topology graph that models source and destination relationships between connection events in the network. Inter-host clustered alerts that exceed a threshold level of trustworthiness are reported.

Abstract: Methods and systems for reporting anomalous events include building a process graph that models states of process-level events in a network. A topology graph is built that models source and destination relationships between connection events in the network. A set of alerts is clustered based on the process graph and the topology graph. Clustered alerts that exceed a threshold level of trustworthiness are reported.

Abstract: A computer-implemented method for real-time detecting of abnormal network connections is presented. The computer-implemented method includes collecting network connection events from at least one agent connected to a network, recording, via a topology graph, normal states of network connections among hosts in the network, and recording, via a port graph, relationships established between host and destination ports of all network connections.

Abstract: Methods and systems for detecting anomalous network activity include determining whether a network event exists within an existing topology graph and port graph. A connection probability for the network event is determined if the network does not exist within the existing topology graph and port graph. The network event is identified as abnormal if the connection probability is below a threshold.

Abstract: Methods and systems for detecting malicious processes include modeling system data as a graph comprising vertices that represent system entities and edges that represent events between respective system entities. Each edge has one or more timestamps corresponding respective events between two system entities. A set of valid path patterns that relate to potential attacks is generated. One or more event sequences in the system are determined to be suspicious based on the graph and the valid path patterns using a random walk on the graph.

Abstract: Methods and systems for detecting anomalous communications include simulating a network graph based on community and role labels of each node in the network graph based on one or more linking rules. The community and role labels of each node are adjusted based on differences between the simulated network graph and a true network graph. The simulation and adjustment are repeated until the simulated network graph converges to the true network graph to determine a final set of community and role labels. It is determined whether a network communication is anomalous based on the final set of community and role labels.