Abstract: Systems are provided for improving computer security systems that are based on user risk scores. These systems can be used to improve both the accuracy and usability of the user risk scores by applying multiple tiers of machine learning to different the user risk profile components used to generate the user risk scores and in such a manner as to dynamically generate and modify the corresponding user risk scores.

Abstract: Systems are provided for improving computer security systems that are based on user risk scores. These systems can be used to improve both the accuracy and usability of the user risk scores by applying multiple tiers of machine learning to different the user risk profile components used to generate the user risk scores and in such a manner as to dynamically generate and modify the corresponding user risk scores.

Abstract: Methods, systems, apparatuses, and computer-readable storage mediums described herein are configured to detect anomalous post-authentication behavior/state change(s) with respect to a workload identity. For example, audit logs that specify actions performed with respect to the workload identity of a platform-based identity service, a causing state change(s), while another identity is authenticated with the platform-based identity service, are analyzed. The audit log(s) are analyzed via a model for anomaly prediction based on actions. The model generates an anomaly score indicating a probability whether a particular sequence of the actions is indicative of anomalous behavior/state change(s). A determination is made that an anomalous behavior has occurred based on the anomaly score, and when anomalous behavior has occurred, a mitigation action may be performed that mitigates the anomalous behavior.

Abstract: Methods, systems, apparatuses, and computer-readable storage mediums described herein are configured to detect anomalous post-authentication behavior with respect to a user identity. For example, one or more audit logs that specify a plurality of actions performed with respect to the user identity of a platform-based identity service, while the user identity is authenticated with the platform-based identity service, are analyzed. The audit log(s) are analyzed via an anomaly prediction model that generates an anomaly score indicating a probability whether a particular sequence of actions of the plurality of actions is indicative of anomalous behavior. A determination is made that an anomalous behavior has occurred based on the anomaly score. In response to determining that anomalous behavior has occurred, a mitigation action may be performed that mitigates the anomalous behavior.

Abstract: Some embodiments improve the security of service principals, service accounts, and other application identity accounts by detecting compromise of account credentials. Application identity accounts provide computational services with access to resources, as opposed to human identity accounts which operate on behalf of a particular person. Authentication attempt access data is submitted to a machine learning model which is trained specifically to detect application identity account anomalies. Heuristic rules are applied to the anomaly detection result to reduce false positives, yielding a compromise assessment suitable for access control mechanism usage. Embodiments reflect differences between application identity accounts and human identity accounts, in order to avoid inadvertent service interruptions, improve compromise detection for application identity accounts, and facilitate compromise containment and recovery efforts by focusing on credentials individually.

Abstract: To detect identity spray attacks, a machine learning model classifies account access attempts as authorized or unauthorized, based on dozens of different pieces of information (machine learning model features). Boosted tree, neural net, and other machine learning model technologies may be employed. Model training data may include user agent reputation data, IP address reputation data, device or agent or location familiarity indications, protocol identifications, aggregate values, and other data. Account credential hash sets or hash lists may serve as model inputs. Hashes may be truncated to further protect user privacy. Classifying an access attempt as unauthorized may trigger application of multifactor authentication, password change requirements, account suspension, or other security enhancements. Statistical or heuristic detections may supplement the model.

Abstract: To detect identity spray attacks, a machine learning model classifies account access attempts as authorized or unauthorized, based on dozens of different pieces of information (machine learning model features). Boosted tree, neural net, and other machine learning model technologies may be employed. Model training data may include user agent reputation data, IP address reputation data, device or agent or location familiarity indications, protocol identifications, aggregate values, and other data. Account credential hash sets or hash lists may serve as model inputs. Hashes may be truncated to further protect user privacy. Classifying an access attempt as unauthorized may trigger application of multifactor authentication, password change requirements, account suspension, or other security enhancements. Statistical or heuristic detections may supplement the model.

Abstract: Methods, systems, and computer program products are provided for real-time compromise detection based on behavioral analytics. The detection runs in real-time, during user authentication, for example, with respect to a resource. The probability that the authentication is coming from a compromised account is assessed. The features of the current authentication are compared with the features from past authentications of the user. After comparison, a match score is generated. The match score is indicative of the similarity of the authentication to the user's history of authentication. This score is then discretized into risk levels based on the empirical probability of compromise based on known past compromised user authentications. The risk levels may be used to detect whether user authentication is occurring via compromised credentials.

Abstract: Systems are provided for utilizing crowdsourcing and machine learning to improve computer system security processes associated with user risk profiles and sign-in profiles. Risk profiles of known users and logged sign-ins are confirmed by user input as either safe or compromised. This input is used as crowdsourced feedback to generate label data for training/refining machine learning algorithms used to generate corresponding risky profile reports. The risky profile reports are used to provide updated assessments and initial assessments of known users and logged sign-ins, as well as newly discovered users and new sign-in attempts, respectively. These assessments are further confirmed or modified to further update the machine learning and risky profile reports.

Abstract: Methods, systems, and computer program products are provided for real-time compromise detection based on behavioral analytics. The detection runs in real-time, during user authentication, for example, with respect to a resource. The probability that the authentication is coming from a compromised account is assessed. The features of the current authentication are compared with the features from past authentications of the user. After comparison, a match score is generated. The match score is indicative of the similarity of the authentication to the user's history of authentication. This score is then discretized into risk levels based on the empirical probability of compromise based on known past compromised user authentications. The risk levels may be used to detect whether user authentication is occurring via compromised credentials.

Abstract: Systems are provided for utilizing crowdsourcing and machine learning to improve computer system security processes associated with user risk profiles and sign-in profiles. Risk profiles of known users and logged sign-ins are confirmed by user input as either safe or compromised. This input is used as crowdsourced feedback to generate label data for training/refining machine learning algorithms used to generate corresponding risky profile reports. The risky profile reports are used to provide updated assessments and initial assessments of known users and logged sign-ins, as well as newly discovered users and new sign-in attempts, respectively. These assessments are further confirmed or modified to further update the machine learning and risky profile reports.

Abstract: Systems are provided for improving computer security systems that are based on user risk scores. These systems can be used to improve both the accuracy and usability of the user risk scores by applying multiple tiers of machine learning to different the user risk profile components used to generate the user risk scores and in such a manner as to dynamically generate and modify the corresponding user risk scores.

Abstract: The sensor adaptation technique applicable to non-contact biometric authentication, specifically in iris recognition, is designed to handle the sensor mismatch problem which occurs when enrollment iris samples and test iris samples are acquired with different sensors. The present system and method are capable of adapting iris data collected from one sensor to another sensor by transforming the iris samples in a fashion bringing the samples belonging to the same person closer than those samples belonging to different persons, irrespective of the sensor acquiring the samples. The sensor adaptation technique is easily incorporable into existing iris recognition systems and uses the training iris samples acquired with different sensors for learning adaptation parameters and subsequently applying the adaptation parameters for sensor adaptation during verification stage to significantly improve the recognition system performance.