Abstract: In some examples, a system is to, given an anomaly score threshold over which at least one anomalous point is to be observed in a test set of points with a specified probability, determine, using raw anomaly scores for a training set of points, a first mapping between raw anomaly scores in a first range and first transformed anomaly scores using a first transformation technique. The system is to determine, using the raw anomaly scores for the training set of points, a second mapping between raw anomaly scores in a second range greater than the first range and second transformed anomaly scores using a second transformation technique different from the first transformation technique. The system is to use the first mapping and the second mapping to detect an anomaly in a computing environment based on the test set of points.

Abstract: In some examples, a system computes risk scores relating to points corresponding to events in a computing environment, using a plurality of different risk score computation techniques, and generates a plurality of visualizations representing the points. The plurality of visualizations include a first visualization representing the points and including the risk scores computed using a first risk score computation technique of the different risk score computation techniques, and a second visualization representing the points and including the risk scores computed using a second risk score computation technique of the different risk score computation techniques.

Abstract: In some examples, a system constructs, based on event data representing a plurality of events in a system, a representation of the plurality of events, the representation including information relating the events, and computes issue indications corresponding to potential issues in the system. The system adds information based on the issue indications to the representation to form an enriched representation, and searches the enriched representation to find a chain of events representing an issue in the system.

Abstract: In some examples, for a given authentication event between a plurality of devices in a network, a system identifies a set of events, at the devices, that are temporally related to the given authentication event. The system extracts features from the set of events by aggregating event data of the set of events. The system provides the extracted features to a classifier that detects unauthorized authentication events.

Abstract: In some examples, a system extracts features from event data representing events in a computing environment, trains ensembles of machine-learning models for respective analytics modules of a plurality of different types of analytics modules, and detects, by the different types of analytics modules using the respective trained ensembles of machine-learning models, an anomalous entity in response to further event data.

Abstract: Storing time series data for a search query includes identifying a time series whose representation is to be pre-computed based on available memory storage, pre-computing at least one representation of the identified time series, and storing the at least one representation in the memory storage.

Abstract: Points around a point of interest are sampled. The points and the point of interest each have a value for each of a number of input features. The points and the point of interest each have a corresponding output score for a machine learning model. A feature contribution vector for the input features is determined by locally approximating the machine learning model at the points and the point of interest using a model, such as a ridge regression model. The ridge regression model can have a loss function, which can include a Kullback-Leibler (KL) divergence term. The feature contribution vector approximates for any point a contribution of each input feature to the output score of this point by the machine learning model. The input features most responsible for the machine learning model having provided the corresponding output score for the point of interest, based on the feature contribution vector, are provided.

Abstract: In some examples, for a given authentication event between a plurality of devices in a network, a system identifies a set of events, at the devices, that are temporally related to the given authentication event. The system extracts features from the set of events by aggregating event data of the set of events. The system provides the extracted features to a classifier that detects unauthorized authentication events.

Abstract: In some examples, a system extracts features from event data representing events in a computing environment, trains ensembles of machine-learning models for respective analytics modules of a plurality of different types of analytics modules, and detects, by the different types of analytics modules using the respective trained ensembles of machine-learning models, an anomalous entity in response to further event data.

Abstract: In some examples, a system balances a number of positive data points and a number of negative data points, to produce a balanced training data set, where the positive data points comprise features associated with authentication events that are positive with respect to an unauthorized classification, and the negative data points comprise features associated with authentication events that are negative with respect to the unauthorized classification. The system trains a plurality of models using the balanced training data set, wherein the plurality of models are trained according to respective different machine learning techniques. The system selects a model from the trained plurality of models based on relative performance of the plurality of models.

Abstract: In some examples, for a given authentication event between a plurality of devices in a network, a system identifies a set of events, at the devices, that are temporally related to the given authentication event. The system applies a classifier on a collection of features associated with the set of events, and determines, based on an output of the classifier, whether the given authentication event is an unauthorized authentication event.

Abstract: A model is provided that produces predicted sensor data as a function of at least one input feature that includes an adjustable setting of a cooling infrastructure. The model is able to model a non-linear relationship between the predicted sensor data and the adjustable setting.

Abstract: In some examples, a system generates a graphical representation of entities associated with a computing environment, and derives features for the entities represented by the graphical representation, the features comprising neighborhood features and link-based features, a neighborhood feature for a first entity of the entities derived based on entities that are neighbors of the first entity in the graphical representation, and a link-based feature for the first entity derived based on relationships of other entities in the graphical representation with the first entity. The system determines, using a plurality of anomaly detectors based on respective features of the derived features, whether the first entity is exhibiting anomalous behavior.

Abstract: In some examples, a system receives anomaly scores regarding an entity from a plurality of detectors, produces a weighted anomaly score for the entity based on the anomaly scores and respective weights assigned to the plurality of detectors, the weights based on historical performance of the plurality of detectors, determines an impact based on a context of the entity, wherein the impact is indicative of an effect that the entity would have on a computing environment if the entity were to exhibit anomalous behavior, and computes a risk score for the entity based on the weighted anomaly score and the determined impact.

Abstract: A technique that includes predicting data acquired by a network of sensors based at least in part on a graphical model of the network, where the graphical model includes true value nodes, observed value nodes and edge factors based at least in part on historical pairwise dependencies for the observed value nodes. The technique includes detecting anomalous sensor data based at least in part on the predicted data.

Abstract: In some examples, an alert relating to an issue in a computing arrangement is received. It is determined that the received alert is similar to a given alert in an information repository containing information of past processes performed to address respective issues, the determining comprising comparing a property associated with the received alert to a property of alerts associated with the past processes, and the information contained in the information repository comprising actions taken in the past processes to address the respective issues. Performance of a remediation action is triggered that comprises an action, identified by the information in the information repository, taken to respond to the given alert.

Abstract: In some examples, an alert relating to an issue in a computing arrangement is received. Contextual information is determined for the alert, the determined contextual information comprising spatial and temporal distributions of previous instances of the alert or similar alerts. The contextual information is communicated for use in addressing the issue in the computing arrangement.

Abstract: In some examples, a plurality of alerts relating to issues in a computing arrangement are received, where the plurality of alerts generated based on events in the computing arrangement. A subset of the plurality of alerts is grouped into a bundle of alerts, the grouping being based on a criterion. The bundle of alerts is communicated to cause processing of the alerts in the bundle of alerts together.

Abstract: Detecting fraud in resource distribution systems includes determining a meter of a resource in a resource distribution system exhibits a characteristic indicative of fraud and increasing a collection frequency of measurements of a usage of the resource of the meter per unit of time.

Abstract: Method, systems, and computer-readable storage devices for updating a prediction model are described. In one aspect, a statistical analysis group assignment may be received. The statistical analysis group assignment may group partition-level worker node and a first set of partition-level worker nodes as a statistical analysis group. A statistical analysis phase may then be executed where a group-level decision tree is generated from statistical data and other statistical data received from the first set of partition-level worker nodes. A decision tree analysis phase may then be executed, where a step decision tree may be generated based on a selection from the group-level tree and other group-level trees received from other statistical analysis groups. The prediction model may be caused to be updated using the step decision tree.