Abstract: One or more iterations are performed. Each iteration includes calculating, for each of a number of data points that each have a label probability distribution, a label quality measure based on the label probability distribution of the data point. Each iteration includes updating the label probability distribution of each of at least one of the data points using either or both of a classification technique and a constrained clustering technique based on the data points and the label quality measure of each data point.

Abstract: Network traffic is monitored over a period of time (e.g., network traffic of a corporate network). Based on the monitored network traffic: an abstract temporal graph of the network traffic is generated; graph-based node embeddings of the abstract temporal graph are learned; edge tabular embeddings for edges of the abstract temporal graph are learned; and hybrid embeddings are computed. The computed hybrid embeddings are based on the learned graph-based node embeddings for the abstract temporal graph and the learned edge tabular embedding for the edges of the abstract temporal graph. This process is then repeated over multiple time periods and temporal trajectories are computed using the computed hybrid embeddings for each time period. The temporal trajectories are then used for analysis of the network. For example, the temporal trajectories are used to identify anomalies for prevention of security breaches of the network.

Abstract: For each item represented within log events that have a power law-oriented distribution, first and second metrics for the item are computed based on the log events which pertain to the item. The items are organized over bins according to the first metric. The bins correspond to different ranges of the first metric. For each bin, the items in the bin are ordered according to the second metric. A plot of the bins over which the items have been organized according to the first metric, is graphically displayed, which includes displaying, for each bin, the items in the bin as have been ordered according to the second metric.

Abstract: A security rule associated with an application is identified. This may be done continuously and verified using machine learning models to ensure that the environment characterized by the data has not changed. For example, a security rule may be which ports are open/closed on a firewall. In response to identifying the security rule associated with the application, a security test based on the security rule is generated. For example, the security test may be to test all the ports on the firewall to see which ports are open/closed. The security test against the application is executed to determine if the security rule has been implemented properly by the application.

Abstract: Log entries and baseline log entries have timestamps, and can be structured over columns of respective data types. Temporal inconsistency can be identified by comparing a probability distribution of time differences between the timestamps of the log entries with a probability distribution of time differences between the timestamps of the baseline log entries. Data type inconsistency can be identified by comparing a data type of each column of the log entries with a data type of a corresponding column of the baseline log entries. Columnar inconsistency can be identified by comparing a number of the columns of the log entries with a number of the columns of the baseline log entries. In response to identification of temporal, data type, and/or columnar inconsistency, that an abnormality exists in collecting the log entries is detected.

Abstract: Network communication events are filtered to remove the network communication events having a predicted unrelatedness to beaconing. Each network communication event has a timestamp, a source entity, and a destination entity. The filtered network communication events are aggregated by unique source entity-destination entity pairs. For each unique source entity-destination entity pair, the network communication events are timestamp-sorted, time differentials between the timestamps of adjacent network communication events are calculated, and a beacon likelihood metric is calculated from the calculated time differentials. Which of the unique source entity-destination entity pairs are indicative of beaconing are identified based on the beacon likelihood metric calculated for each unique source entity-destination entity pair.

Abstract: According to examples, an apparatus may include a processor and a non-transitory computer readable medium on which is stored machine readable instructions that may cause the processor to identify Internet protocol (IP) addresses and connection attributes associated with the IP addresses. The instructions may also cause the processor to train a machine learning model using the IP addresses as inputs to the machine learning model and connection contexts as outputs of the machine learning model. The machine learning model may learn a first weight matrix corresponding to the IP addresses and a second weight matrix corresponding to the connection contexts. In addition, the connection contexts may be concatenations of the connection attributes associated with a corresponding IP address.

Abstract: In some examples, an alert relating to an issue in a computing arrangement is received. Contextual information is determined for the alert, the determined contextual information comprising spatial and temporal distributions of previous instances of the alert or similar alerts. The contextual information is communicated for use in addressing the issue in the computing arrangement.

Abstract: In some examples, a system balances a number of positive data points and a number of negative data points, to produce a balanced training data set, where the positive data points comprise features associated with authentication events that are positive with respect to an unauthorized classification, and the negative data points comprise features associated with authentication events that are negative with respect to the unauthorized classification. The system trains a plurality of models using the balanced training data set, wherein the plurality of models are trained according to respective different machine learning techniques. The system selects a model from the trained plurality of models based on relative performance of the plurality of models.

Abstract: In some examples, a system constructs, based on event data representing a plurality of events in a system, a representation of the plurality of events, the representation including information relating the events, and computes issue indications corresponding to potential issues in the system. The system adds information based on the issue indications to the representation to form an enriched representation, and searches the enriched representation to find a chain of events representing an issue in the system.

Abstract: In some examples, a system is to, given an anomaly score threshold over which at least one anomalous point is to be observed in a test set of points with a specified probability, determine, using raw anomaly scores for a training set of points, a first mapping between raw anomaly scores in a first range and first transformed anomaly scores using a first transformation technique. The system is to determine, using the raw anomaly scores for the training set of points, a second mapping between raw anomaly scores in a second range greater than the first range and second transformed anomaly scores using a second transformation technique different from the first transformation technique. The system is to use the first mapping and the second mapping to detect an anomaly in a computing environment based on the test set of points.

Abstract: In some examples, a system determines a dependency among a plurality of anomaly detectors, the determining comprising clustering anomaly detectors of the plurality of anomaly detectors into clusters of anomaly detectors. The system aggregates anomaly scores produced by anomaly detectors in a first cluster of anomaly detectors, to generate a first aggregate anomaly score, and detects an anomaly using the first aggregate anomaly score.

Abstract: In some examples, an alert relating to an issue in a computing arrangement is received. It is determined that the received alert is similar to a given alert in an information repository containing information of past processes performed to address respective issues, the determining comprising comparing a property associated with the received alert to a property of alerts associated with the past processes, and the information contained in the information repository comprising actions taken in the past processes to address the respective issues. Performance of a remediation action is triggered that comprises an action, identified by the information in the information repository, taken to respond to the given alert.

Abstract: In some examples, a plurality of alerts relating to issues in a computing arrangement are received, where the plurality of alerts generated based on events in the computing arrangement. A subset of the plurality of alerts is grouped into a bundle of alerts, the grouping being based on a criterion. The bundle of alerts is communicated to cause processing of the alerts in the bundle of alerts together.

Abstract: According to examples, an apparatus may include a memory on which is stored instructions that when executed by a processor, cause the processor to extract, from network traffic data, a connectivity matrix that identifies connectivity data between entities and group the entities into a plurality of clusters based on the extracted connectivity matrix. The processor may also, for each cluster of the plurality of clusters, identify at least one representative entity that is to represent the entities in the cluster and output the identified at least one representative entity for identification of group behaviors of the entities in the plurality of clusters, in which the identified group behaviors are to be used for information technology management.

Abstract: First-order anomaly scores are received from related anomaly detectors. Each first-order anomaly score indicates a likelihood of an anomaly at a target system. A relatedness measure of the related anomaly detectors is determined, based on the first-order anomaly scores that have been received. A higher-order anomaly score is determined based on the relatedness measure that has been determined. The higher-order anomaly score indicates a likelihood of an anomaly at the target system. An anomaly at the target system is detected based on the higher-order anomaly score.

Abstract: In some examples, for a given authentication event between a plurality of devices in a network, a system identifies a set of events, at the devices, that are temporally related to the given authentication event. The system applies a classifier on a collection of features associated with the set of events, and determines, based on an output of the classifier, whether the given authentication event is an unauthorized authentication event.

Abstract: In some examples, a system receives anomaly scores regarding an entity from a plurality of detectors, produces a weighted anomaly score for the entity based on the anomaly scores and respective weights assigned to the plurality of detectors, the weights based on historical performance of the plurality of detectors, determines an impact based on a context of the entity, wherein the impact is indicative of an effect that the entity would have on a computing environment if the entity were to exhibit anomalous behavior, and computes a risk score for the entity based on the weighted anomaly score and the determined impact.

Abstract: According to examples, an apparatus may include a processor and a non-transitory computer readable medium on which is stored machine readable instructions that may cause the processor to identify Internet protocol (IP) addresses and connection attributes associated with the IP addresses. The instructions may also cause the processor to train a machine learning model using the IP addresses as inputs to the machine learning model and connection contexts as outputs of the machine learning model. The machine learning model may learn a first weight matrix corresponding to the IP addresses and a second weight matrix corresponding to the connection contexts. In addition, the connection contexts may be concatenations of the connection attributes associated with a corresponding IP address.

Abstract: In some examples, a system determines a dependency among a plurality of anomaly detectors, the determining comprising clustering anomaly detectors of the plurality of anomaly detectors into clusters of anomaly detectors. The system aggregates anomaly scores produced by anomaly detectors in a first cluster of anomaly detectors, to generate a first aggregate anomaly score, and detects an anomaly using the first aggregate anomaly score.