Patents by Inventor Lukas Machlica

Lukas Machlica has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11956208
    Abstract: A method includes, at a server in a network, detecting for a user device network incidents relating to one or more security threats in the network using a plurality of threat detectors over a predetermined time period, each of the network incidents including one or more behavior indicators; assigning the network incidents into one or more groups, wherein each group corresponds to a type of security threat; generating a graph for a particular group of the user device, wherein the graph includes a plurality of nodes each representing a behavior indicator in the particular group, and wherein generating the graph includes assigning an edge to connect two nodes of the plurality of nodes if the two nodes correspond to behavior indicators that belong to a same network incident; and displaying the graph on a graphical user interface for a user.
    Type: Grant
    Filed: April 18, 2022
    Date of Patent: April 9, 2024
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Martin Kopp, Lukas Machlica
  • Patent number: 11625640
    Abstract: In one embodiment, a device distributes sets of training records from a training dataset for a random forest-based classifier among a plurality of workers of a computing cluster. Each worker determines whether it can perform a node split operation locally on the random forest by comparing a number of training records at the worker to a predefined threshold. The device determines, for each of the split operations, a data size and entropy measure of the training records to be used for the split operation. The device applies a machine learning-based predictor to the determined data size and entropy measure of the training records to be used for the split operation, to predict its completion time. The device coordinates the workers of the computing cluster to perform the node split operations in parallel such that the node split operations in a given batch are grouped based on their predicted completion times.
    Type: Grant
    Filed: October 5, 2018
    Date of Patent: April 11, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Radek Starosta, Jan Brabec, Lukas Machlica
  • Publication number: 20220239630
    Abstract: A method includes, at a server in a network, detecting for a user device network incidents relating to one or more security threats in the network using a plurality of threat detectors over a predetermined time period, each of the network incidents including one or more behavior indicators; assigning the network incidents into one or more groups, wherein each group corresponds to a type of security threat; generating a graph for a particular group of the user device, wherein the graph includes a plurality of nodes each representing a behavior indicator in the particular group, and wherein generating the graph includes assigning an edge to connect two nodes of the plurality of nodes if the two nodes correspond to behavior indicators that belong to a same network incident; and displaying the graph on a graphical user interface for a user.
    Type: Application
    Filed: April 18, 2022
    Publication date: July 28, 2022
    Inventors: Martin Kopp, Lukas Machlica
  • Patent number: 11336617
    Abstract: A method includes, at a server in a network, detecting for a user device network incidents relating to one or more security threats in the network using a plurality of threat detectors over a predetermined time period, each of the network incidents including one or more behavior indicators; assigning the network incidents into one or more groups, wherein each group corresponds to a type of security threat; generating a graph for a particular group of the user device, wherein the graph includes a plurality of nodes each representing a behavior indicator in the particular group, and wherein generating the graph includes assigning an edge to connect two nodes of the plurality of nodes if the two nodes correspond to behavior indicators that belong to a same network incident; and displaying the graph on a graphical user interface for a user.
    Type: Grant
    Filed: March 21, 2019
    Date of Patent: May 17, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Martin Kopp, Lukas Machlica
  • Patent number: 11233703
    Abstract: Techniques for enriching encrypted traffic analytics are presented. In one embodiment, a method includes obtaining telemetry data for one or more domains within a network. The telemetry data includes both encrypted traffic analytics information and traffic flow information associated with the network traffic. For each domain of the one or more domains, the method also includes generating a model comprising a mapping from a plurality of traffic flow information features to at least one encrypted traffic analytics feature. The method includes generating a database comprising generated models for each of the domains and obtaining telemetry data for a target domain that includes traffic flow information, but does not include encrypted traffic analytics information. At least one encrypted traffic analytics feature of the target domain is determined based on a plurality of traffic flow information features of the target domain using the database.
    Type: Grant
    Filed: November 20, 2018
    Date of Patent: January 25, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Martin Vejman, Lukas Machlica
  • Patent number: 10979451
    Abstract: In one embodiment, a security device in a computer network detects potential domain generation algorithm (DGA) searching activity using a domain name service (DNS) model to detect abnormally high DNS requests made by a host attempting to locate a command and control (C&C) server in the computer network. The server device also detects potential DGA communications activity based on applying a hostname-based classifier for DGA domains associated with any server internet protocol (IP) address in a data stream from the host. The security device may then correlate the potential DGA searching activity with the potential DGA communications activity, and identifies DGA performing malware based on the correlating, accordingly.
    Type: Grant
    Filed: February 14, 2018
    Date of Patent: April 13, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Lukas Machlica, Ivan Nikolaev, Karel Bartos, Martin Grill
  • Patent number: 10885469
    Abstract: In one embodiment, a device trains a machine learning-based malware classifier using a first randomly selected subset of samples from a training dataset. The classifier comprises a random decision forest. The device identifies, using at least a portion of the training dataset as input to the malware classifier, a set of misclassified samples from the training dataset that the malware classifier misclassifies. The device retrains the malware classifier using a second randomly selected subset of samples from the training dataset and the identified set of misclassified samples. The device adjusts prediction labels of individual leaves of the random decision forest of the retrained malware classifier based in part on decision changes in the forest that result from assessing the entire training dataset with the classifier. The device sends the malware classifier with the adjusted prediction labels for deployment into a network.
    Type: Grant
    Filed: October 2, 2017
    Date of Patent: January 5, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Jan Brabec, Lukas Machlica
  • Publication number: 20200304462
    Abstract: A method includes, at a server in a network, detecting for a user device network incidents relating to one or more security threats in the network using a plurality of threat detectors over a predetermined time period, each of the network incidents including one or more behavior indicators; assigning the network incidents into one or more groups, wherein each group corresponds to a type of security threat; generating a graph for a particular group of the user device, wherein the graph includes a plurality of nodes each representing a behavior indicator in the particular group, and wherein generating the graph includes assigning an edge to connect two nodes of the plurality of nodes if the two nodes correspond to behavior indicators that belong to a same network incident; and displaying the graph on a graphical user interface for a user.
    Type: Application
    Filed: March 21, 2019
    Publication date: September 24, 2020
    Inventors: Martin Kopp, Lukas Machlica
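The incident-to-graph construction described in the abstracts of 11956208, 20220239630, 11336617 and 20200304462 (group incidents by threat type, one node per behavior indicator, an edge between two indicators that appear in the same incident, then display) is small enough to show in full. The following is an added illustration written for this listing, not code from the patents or from Cisco; the incidents, indicator names and threat types are constructed, and rendering the graph as Graphviz DOT stands in for the graphical user interface step.

```python
from collections import defaultdict
from itertools import combinations

# Constructed incidents for one user device over a single detection window
# (not taken from any product or patent). Each incident was raised by some
# threat detector and carries the behaviour indicators that triggered it.
INCIDENTS = [
    {"id": "inc-1", "threat_type": "malware",      "indicators": ["dga_domain", "periodic_beacon", "rare_user_agent"]},
    {"id": "inc-2", "threat_type": "malware",      "indicators": ["periodic_beacon", "tor_exit_contact"]},
    {"id": "inc-3", "threat_type": "exfiltration", "indicators": ["large_upload", "rare_destination"]},
    {"id": "inc-4", "threat_type": "malware",      "indicators": ["dga_domain"]},
]


def group_incidents(incidents):
    """Assign incidents to groups, one group per type of security threat."""
    groups = defaultdict(list)
    for inc in incidents:
        groups[inc["threat_type"]].append(inc)
    return dict(groups)


def build_indicator_graph(incidents):
    """Nodes are the distinct behaviour indicators of the group. Two nodes are
    joined by an edge when they belong to the same incident. The edge value
    records which incidents support it: the abstract only needs the edge, but
    an analyst clicking on it wants to know which incidents put it there."""
    nodes = set()
    edges = defaultdict(set)
    for inc in incidents:
        inds = sorted(set(inc["indicators"]))
        nodes.update(inds)
        for a, b in combinations(inds, 2):   # sorted input, so (a, b) is canonical
            edges[(a, b)].add(inc["id"])
    return nodes, dict(edges)


def incident_graphs(incidents):
    """One graph per threat-type group, keyed by threat type."""
    return {t: build_indicator_graph(g) for t, g in group_incidents(incidents).items()}


def to_dot(name, nodes, edges):
    """Render one group's graph as Graphviz DOT; stands in for the GUI display."""
    lines = [f'graph "{name}" {{']
    for n in sorted(nodes):
        lines.append(f'  "{n}";')
    for (a, b), incs in sorted(edges.items()):
        lines.append(f'  "{a}" -- "{b}" [label="{len(incs)}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    for threat_type, (nodes, edges) in incident_graphs(INCIDENTS).items():
        print(to_dot(threat_type, nodes, edges))
```

Note that an incident with a single indicator (inc-4 above) contributes a node but no edge; a real implementation should still show it, otherwise a detector that emits one-indicator incidents disappears from the picture.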
  • Patent number: 10728271
    Abstract: In one embodiment, a computing device provides a feature vector as input to a random decision forest comprising a plurality of decision trees trained using a training dataset, each decision tree being configured to output a classification label prediction for the input feature vector. For each of the decision trees, the computing device determines a conditional probability of the decision tree based on a true classification label and the classification label prediction from the decision tree for the input feature vector. The computing device generates weightings for the classification label predictions from the decision trees based on the determined conditional probabilities. The computing device applies a final classification label to the feature vector based on the weightings for the classification label predictions from the decision trees.
    Type: Grant
    Filed: June 11, 2019
    Date of Patent: July 28, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Jan Brabec, Lukas Machlica
  • Publication number: 20200162339
    Abstract: Techniques for enriching encrypted traffic analytics are presented. In one embodiment, a method includes obtaining telemetry data for one or more domains within a network. The telemetry data includes both encrypted traffic analytics information and traffic flow information associated with the network traffic. For each domain of the one or more domains, the method also includes generating a model comprising a mapping from a plurality of traffic flow information features to at least one encrypted traffic analytics feature. The method includes generating a database comprising generated models for each of the domains and obtaining telemetry data for a target domain that includes traffic flow information, but does not include encrypted traffic analytics information. At least one encrypted traffic analytics feature of the target domain is determined based on a plurality of traffic flow information features of the target domain using the database.
    Type: Application
    Filed: November 20, 2018
    Publication date: May 21, 2020
    Inventors: Martin Vejman, Lukas Machlica
  • Patent number: 10630709
    Abstract: In one embodiment, a computing device trains a multi-class classifier (having a plurality of classes) on a training dataset, and evaluates the multi-class classifier on a testing dataset to determine a performance of each of the plurality of classes. The plurality of classes may then be partitioned into either learnable or unlearnable based on whether the performance of each particular class surpasses a particular threshold, and then a predicting classifier can be trained on the training dataset, where data of the training dataset is labelled as either learnable or unlearnable based on the particular class to which the data corresponds. Accordingly, the computing device may then use the predicting classifier on a new class to predict whether samples associated with the new class are learnable or unlearnable, and may retrain the multi-class classifier with the samples associated with the new class in response to predicting that the samples are learnable.
    Type: Grant
    Filed: February 13, 2018
    Date of Patent: April 21, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Jan Brabec, Lukas Machlica
  • Publication number: 20200111030
    Abstract: In one embodiment, a device distributes sets of training records from a training dataset for a random forest-based classifier among a plurality of workers of a computing cluster. Each worker determines whether it can perform a node split operation locally on the random forest by comparing a number of training records at the worker to a predefined threshold. The device determines, for each of the split operations, a data size and entropy measure of the training records to be used for the split operation. The device applies a machine learning-based predictor to the determined data size and entropy measure of the training records to be used for the split operation, to predict its completion time. The device coordinates the workers of the computing cluster to perform the node split operations in parallel such that the node split operations in a given batch are grouped based on their predicted completion times.
    Type: Application
    Filed: October 5, 2018
    Publication date: April 9, 2020
    Inventors: Radek Starosta, Jan Brabec, Lukas Machlica
  • Patent number: 10601847
    Abstract: A user behavior activity detection method is provided in which network traffic relating to user behavior activities in a network is monitored. Data is stored representing network traffic within a plurality of time periods, each of the time periods serving as a transaction. Subsets of the network traffic in the transactions are identified as traffic suspected of relating to certain user behavior activities. The subsets of the network traffic in the transactions are assigned into one or more groups. A determination is made of one or more detection rules for each of the one or more groups based on identifying, for each of the groups, a number of user behavior activities common to each of the subsets of the network traffic. The one or more detection rules are used to monitor future network traffic in the network to detect occurrence of the certain user behavior activities.
    Type: Grant
    Filed: June 22, 2017
    Date of Patent: March 24, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Martin Kopp, Lukas Machlica
  • Patent number: 10523691
    Abstract: Systems described herein preemptively detect newly registered network domains that are likely to be malicious before network behavior of the domains is actually observed. A network security device (e.g., a router) receives domain registration data that associates network domains with keys and generating a graph representing the domain registration data. Each edge of the graph connects a vertex representing a domain and a vertex representing a registration attribute (e.g., a registrant email address). The network security device identifies a connected component of the graph that meets a graph robustness threshold. The network security device determines whether a domain of the connected component whose behavior has not yet been observed is malicious using a predictive model based on existing maliciousness labels for other domains of the connected component.
    Type: Grant
    Filed: January 6, 2017
    Date of Patent: December 31, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Martin Vejman, Lukas Machlica
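The abstract of 10523691 describes a bipartite graph of domains and registration attributes, connected components that pass a robustness threshold, and a prediction for unobserved domains from the labels of observed ones in the same component. The following is an added illustration for this listing, not the patent's or Cisco's code. The registration records and labels are constructed; the robustness threshold (a minimum number of labelled domains per component), the predictive model (majority of those labels) and the degree cap that drops attribute values shared by too many domains are all assumptions made here, since the abstract does not specify them.

```python
from collections import Counter, defaultdict

# Constructed registration records (domain, attributes); not real WHOIS data.
REGISTRATIONS = [
    ("acme-login.example",  {"email": "p.doe@webmail.example", "ns": "ns.bulkdns.example"}),
    ("acme-verify.example", {"email": "p.doe@webmail.example", "ns": "ns.bulkdns.example"}),
    ("acme-secure.example", {"email": "p.doe@webmail.example", "ns": "ns1.cheaphost.example"}),
    ("acme-update.example", {"email": "p.doe@webmail.example", "ns": "ns1.cheaphost.example"}),
    ("acme-portal.example", {"email": "other@webmail.example", "ns": "ns1.cheaphost.example"}),
    ("bakery-town.example", {"email": "owner@bakery.example",  "ns": "ns.bulkdns.example"}),
    ("bakery-shop.example", {"email": "owner@bakery.example",  "ns": "ns.bulkdns.example"}),
    ("lone-site.example",   {"email": "x@y.example",           "ns": "ns.bulkdns.example"}),
]
# Maliciousness labels for domains whose network behaviour has already been observed.
KNOWN_LABELS = {
    "acme-login.example": "malicious", "acme-verify.example": "malicious",
    "acme-secure.example": "malicious", "acme-update.example": "benign",
    "bakery-town.example": "benign",
}


def build_graph(registrations, max_attr_degree=4):
    """Bipartite graph: ("domain", name) vertices and ("attr", key, value) vertices,
    one edge per registration attribute. Attribute values shared by more than
    max_attr_degree domains (bulk nameservers, privacy-proxy e-mails) are dropped
    (assumed rule): they carry no signal and would glue unrelated domains together."""
    degree = Counter((k, v) for _, attrs in registrations for k, v in attrs.items())
    adj = defaultdict(set)
    for domain, attrs in registrations:
        dv = ("domain", domain)
        adj[dv]                                   # keep isolated domains as vertices
        for key, value in attrs.items():
            if degree[(key, value)] > max_attr_degree:
                continue
            av = ("attr", key, value)
            adj[dv].add(av)
            adj[av].add(dv)
    return adj


def connected_components(adj):
    """Iterative DFS over the undirected adjacency map."""
    seen, comps = set(), []
    for start in adj:
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            v = stack.pop()
            if v in seen:
                continue
            seen.add(v)
            comp.add(v)
            stack.extend(adj[v] - seen)
        comps.append(comp)
    return comps


def predict_unobserved(adj, known_labels, min_labeled=2):
    """Predict a label for every domain without one from the labelled domains in
    its component. Robustness threshold: at least min_labeled labelled domains.
    Predictive model: majority of their labels. Both are stand-ins (assumptions)."""
    predictions = {}
    for comp in connected_components(adj):
        domains = [v[1] for v in comp if v[0] == "domain"]
        labels = Counter(known_labels[d] for d in domains if d in known_labels)
        robust = sum(labels.values()) >= min_labeled
        for d in domains:
            if d not in known_labels:
                predictions[d] = labels.most_common(1)[0][0] if robust else None
    return predictions


if __name__ == "__main__":
    graph = build_graph(REGISTRATIONS)
    print(len(connected_components(graph)), "components")
    print(predict_unobserved(graph, KNOWN_LABELS))
```

Two things to check before trusting such a prediction: without the degree cap the shared bulk nameserver merges every domain above into one component, and a single labelled neighbour (bakery-shop.example) is too little evidence to label a newly registered domain at all.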
  • Publication number: 20190297105
    Abstract: In one embodiment, a computing device provides a feature vector as input to a random decision forest comprising a plurality of decision trees trained using a training dataset, each decision tree being configured to output a classification label prediction for the input feature vector. For each of the decision trees, the computing device determines a conditional probability of the decision tree based on a true classification label and the classification label prediction from the decision tree for the input feature vector. The computing device generates weightings for the classification label predictions from the decision trees based on the determined conditional probabilities. The computing device applies a final classification label to the feature vector based on the weightings for the classification label predictions from the decision trees.
    Type: Application
    Filed: June 11, 2019
    Publication date: September 26, 2019
    Inventors: Jan Brabec, Lukas Machlica
  • Publication number: 20190258965
    Abstract: In one embodiment, a method including accessing a trained classifier, the trained classifier trained based at least on a first data item and including both decision determination information of the first data item and decision explanation information of at least one second data item, the second data item being distinct from the first data item; receiving an item for classification; using the trained classifier to classify the item for classification; and providing item decision information regarding a reason for classifying the item for classification, the item decision information being based on at least a part of the decision explanation information. Other embodiments are also described.
    Type: Application
    Filed: February 22, 2018
    Publication date: August 22, 2019
    Inventors: Lukas Machlica, Ivan Nikolaev, Jan Brabec
  • Publication number: 20190253435
    Abstract: In one embodiment, a security device in a computer network detects potential domain generation algorithm (DGA) searching activity using a domain name service (DNS) model to detect abnormally high DNS requests made by a host attempting to locate a command and control (C&C) server in the computer network. The server device also detects potential DGA communications activity based on applying a hostname-based classifier for DGA domains associated with any server internet protocol (IP) address in a data stream from the host. The security device may then correlate the potential DGA searching activity with the potential DGA communications activity, and identifies DGA performing malware based on the correlating, accordingly.
    Type: Application
    Filed: February 14, 2018
    Publication date: August 15, 2019
    Inventors: Lukas Machlica, Ivan Nikolaev, Karel Bartos, Martin Grill
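The abstracts of 10979451 and 20190253435 combine two detectors: a DNS model that flags hosts issuing abnormally many DNS requests (a DGA-infected host probing generated names until one resolves) and a hostname classifier applied to the server names in a host's flows, with malware identified only where both fire. The following is an added illustration written for this listing, not code from the patents or Cisco. The DNS requests and flows are constructed; the "abnormally high" rule (a multiple of the median per-host request count) and the hostname features (label length, character entropy, vowel ratio, with the label left of the TLD treated as the registrable part) are simple stand-ins assumed here for the patents' unspecified models.

```python
import math
from collections import Counter
from statistics import median

# Constructed telemetry (not captured traffic). DNS requests as (client_host, name).
# 10.0.0.5 is the infected host probing generated names; 10.0.0.20 is a chatty but
# benign crawler that also issues many DNS requests.
DNS_REQUESTS = (
    [("10.0.0.5", f"n{i:03d}x{(i * 7919) % 1000}.example") for i in range(40)]
    + [("10.0.0.20", f"cdn{i}.images.example") for i in range(30)]
    + [("10.0.0.6", "mail.google.com")] * 4
    + [("10.0.0.7", "stackoverflow.com")] * 5
    + [("10.0.0.8", "updates.example")] * 3
    + [("10.0.0.9", "qzp8w4r1tkvb.net")] * 4
)

# Flows as (client_host, server_ip, hostname associated with that server).
FLOWS = [
    ("10.0.0.5", "203.0.113.7", "xk3jq9z0v2ml.com"),
    ("10.0.0.5", "198.51.100.2", "mail.google.com"),
    ("10.0.0.9", "203.0.113.7", "qzp8w4r1tkvb.net"),    # DGA-looking name, no search burst
    ("10.0.0.20", "198.51.100.9", "cdn7.images.example"),
    ("10.0.0.7", "198.51.100.3", "stackoverflow.com"),
]


def dga_searching_hosts(requests, factor=5.0):
    """DNS model stand-in: a host whose request count exceeds `factor` times the
    median per-host count is flagged as possibly searching for its C&C server."""
    counts = Counter(host for host, _ in requests)
    threshold = factor * median(counts.values())
    return {h for h, c in counts.items() if c > threshold}


def shannon_entropy(s):
    """Entropy in bits per character of the string's character distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_dga_like(hostname, min_len=10, min_entropy=3.0, max_vowel_ratio=0.25):
    """Hostname classifier stand-in on the label left of the TLD. Assumes a
    single-label public suffix; a deployment would use the public suffix list."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return (len(label) >= min_len
            and shannon_entropy(label) >= min_entropy
            and vowel_ratio <= max_vowel_ratio)


def dga_communicating_hosts(flows):
    """A host is flagged if any server it talked to carries a DGA-like hostname."""
    return {host for host, _server_ip, hostname in flows if is_dga_like(hostname)}


def detect_dga_malware(requests, flows):
    """Correlate the two signals: only hosts flagged by both are reported."""
    return dga_searching_hosts(requests) & dga_communicating_hosts(flows)


if __name__ == "__main__":
    print("searching:    ", sorted(dga_searching_hosts(DNS_REQUESTS)))
    print("communicating:", sorted(dga_communicating_hosts(FLOWS)))
    print("DGA malware:  ", sorted(detect_dga_malware(DNS_REQUESTS, FLOWS)))
```

The constructed data is arranged so that each detector alone produces a false positive (the crawler trips the DNS model; 10.0.0.9 talks to one odd-looking name) and only the correlation isolates 10.0.0.5. Note also that "stackoverflow" has entropy above 3 bits, so a classifier on entropy alone would flag it; the vowel ratio is what keeps it benign here.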
  • Publication number: 20190253442
    Abstract: In one embodiment, a computing device trains a multi-class classifier (having a plurality of classes) on a training dataset, and evaluates the multi-class classifier on a testing dataset to determine a performance of each of the plurality of classes. The plurality of classes may then be partitioned into either learnable or unlearnable based on whether the performance of each particular class surpasses a particular threshold, and then a predicting classifier can be trained on the training dataset, where data of the training dataset is labelled as either learnable or unlearnable based on the particular class to which the data corresponds. Accordingly, the computing device may then use the predicting classifier on a new class to predict whether samples associated with the new class are learnable or unlearnable, and may retrain the multi-class classifier with the samples associated with the new class in response to predicting that the samples are learnable.
    Type: Application
    Filed: February 13, 2018
    Publication date: August 15, 2019
    Inventors: Jan Brabec, Lukas Machlica
  • Patent number: 10375096
    Abstract: In one embodiment, a device in a network receives domain information from a plurality of traffic flows in the network. The device identifies a particular address from the plurality of traffic flows as part of an onion routing system based on the received domain information. The device distinguishes the particular address during analysis of the traffic flows by a traffic flow analyzer that includes a domain generation algorithm (DGA)-based traffic classifier. The device detects a malicious traffic flow from among the plurality of traffic flows using the traffic flow analyzer. The device causes performance of a mitigation action based on the detected malicious traffic flow.
    Type: Grant
    Filed: December 8, 2016
    Date of Patent: August 6, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Lukas Machlica, Martin Vejman
  • Patent number: 10356117
    Abstract: In one embodiment, a computing device provides a feature vector as input to a random decision forest comprising a plurality of decision trees trained using a training dataset, each decision tree being configured to output a classification label prediction for the input feature vector. For each of the decision trees, the computing device determines a conditional probability of the decision tree based on a true classification label and the classification label prediction from the decision tree for the input feature vector. The computing device generates weightings for the classification label predictions from the decision trees based on the determined conditional probabilities. The computing device applies a final classification label to the feature vector based on the weightings for the classification label predictions from the decision trees.
    Type: Grant
    Filed: July 13, 2017
    Date of Patent: July 16, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Jan Brabec, Lukas Machlica
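The abstracts of 10728271, 20190297105 and 10356117 describe weighting each tree's vote by a conditional probability derived from the true label and the tree's prediction, then applying the label with the highest weighted total. The following is an added illustration for this listing, not code from the patents or Cisco. The training set is constructed, and the three "trees" are fixed single-split stumps chosen by hand so the arithmetic is checkable; the conditional probability is taken to be P(true label | tree predicted this label), estimated by counting over the labelled dataset, which is one reading of the abstract rather than its specified formula.

```python
from collections import Counter, defaultdict

# Constructed training set: feature vectors (f0, f1, f2) with true labels,
# 1 = malicious, 0 = benign. Not drawn from any real telemetry.
TRAIN = [
    ((9, 1, 5), 1), ((8, 7, 2), 1), ((7, 2, 8), 1), ((6, 6, 6), 1),
    ((1, 8, 7), 0), ((2, 3, 1), 0), ((3, 9, 4), 0), ((6, 4, 3), 0),
]
LABELS = (0, 1)


# Stand-in decision trees (hand-fixed stumps; a real forest learns hundreds of deeper trees).
def tree_f0(x): return 1 if x[0] >= 6 else 0   # mostly right, one false positive
def tree_f1(x): return 1 if x[1] < 2.5 else 0  # precise when it says 1, misses half of class 1
def tree_f2(x): return 1 if x[2] < 4 else 0    # a bad split: its "0" mostly means class 1

FOREST = [tree_f0, tree_f1, tree_f2]


def conditional_probabilities(forest, dataset, labels=LABELS):
    """For every tree t, estimate table[t][pred][y] = P(true label y | t predicted pred)
    by counting over the labelled dataset: the tree's per-prediction reliability."""
    tables = []
    for tree in forest:
        counts = defaultdict(Counter)
        for x, y in dataset:
            counts[tree(x)][y] += 1
        table = {}
        for pred in labels:
            total = sum(counts[pred].values())
            # A prediction the tree never made on the data carries no information: uniform.
            table[pred] = {y: counts[pred][y] / total if total else 1 / len(labels) for y in labels}
        tables.append(table)
    return tables


def majority_vote(forest, x, labels=LABELS):
    """Plain random forest decision: one equal vote per tree (ties go to the higher label)."""
    votes = Counter(tree(x) for tree in forest)
    return max(labels, key=lambda y: (votes[y], y))


def weighted_vote(forest, tables, x, labels=LABELS):
    """Decision from the abstract: each tree contributes P(y | its prediction) to every
    label y, and the label with the highest total wins. Returns (label, scores)."""
    scores = {y: 0.0 for y in labels}
    for tree, table in zip(forest, tables):
        for y, p in table[tree(x)].items():
            scores[y] += p
    return max(labels, key=lambda y: (scores[y], y)), scores


if __name__ == "__main__":
    tables = conditional_probabilities(FOREST, TRAIN)
    sample = (7, 5, 8)
    print("majority:", majority_vote(FOREST, sample))
    print("weighted:", weighted_vote(FOREST, tables, sample))
```

For the sample (7, 5, 8) two of the three trees vote benign, so the plain majority says 0; but tree_f2's "benign" is, on the training data, more often attached to malicious samples than benign ones, and tree_f0's "malicious" is right 80% of the time, so the weighted total favours 1. One caveat for practitioners: estimating the tables on the same data the trees were grown from is optimistic (a tree rarely disagrees with its own bootstrap sample); out-of-bag or held-out samples give honest conditional probabilities.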