Abstract: Disclosed herein is a system for predicting, given a pattern of triggered alerts, a next alert in order to identify malicious activity that is about to occur on resource(s) being monitored by a security operations center. A resource can include a server, a storage device, a user device (e.g., a personal computer, a tablet computer, a smartphone, etc.), a virtual machine, networking equipment, etc. Accordingly, the next alert is speculatively triggered in advance and a security analyst can be notified of a pattern of activity that is likely to be malicious. The security analyst can then investigate the pattern of triggered alerts and the speculatively triggered alert to determine whether steps to mitigate the malicious activity before it occurs should be taken.

Abstract: Systems, methods, and apparatuses are provided for clustering incidents in a computing environment. An incident notification relating to an event (e.g., a potential cyberthreat or any other alert) in the computing environment is received and a set of features may be generated based on the incident notification. The set of features may be provided as an input to a machine-learning engine to identify a similar incident notification in the computing environment. The similar incident notification may include a resolved incident notification or an unresolved incident notification. An action to resolve the incident notification may be received, and the received action may thereby be executed. In some implementations, in addition to resolving the received incident notification, the action may be executed to resolve a similar unresolved incident notification identified by the machine-learning engine.

Abstract: Methods, systems, and media are shown for generating access control rules for computer resources involving collecting historical access data for user accesses to a computer resource and separating the historical access data into a training data set and a validation data set. An access control rule is generated for the computer resource based on the properties of the user accesses to the computer resource in the training data set. The rule is validated against the validation data set to determine whether the rule produces a denial rate level is below a threshold when the rule is applied to the validation data set. If the rule is valid, then it is provided to an administrative interface so that an administrator can select the rule for application to incoming user requests.

Abstract: Embodiments described herein are directed to securing network-based compute resources. The foregoing may be achieved by determining a tag representative of non-malicious network addresses. The tag is determined by analyzing network data traffic received by a plurality of compute resources. Machine-learning based techniques may be used to automatically classify each network address that communicates with a particular compute resource as being malicious or non-malicious. Determined non-malicious network addresses for a particular compute resource are automatically associated with a tag. The tag is used to configure a firewall application to prevent access to a corresponding compute resource by malicious network addresses not represented by the tag. The number of non-malicious network addresses associated with a tag may be expanded by clustering compute resources having a similar set of network addresses that communicate therewith.

Abstract: A system for predicting vulnerability of network resources is provided. The system can calculate an initial vulnerability score for each of the network resources and use the initial vulnerability scores along with activity data of the network resources to train a vulnerability model. After training, the vulnerability model can predict the vulnerability of the network resources based on new activity data collected from the network resources. Based on the predicted vulnerability, vulnerable network resources can be identified. Further analysis can be performed by comparing the activities of the vulnerable network resources and other network resources to identify activity patterns unique to the vulnerable network resources as attack patterns. Based on the attack patterns, one or more actions can be taken to increase the security of the vulnerable network resources to avoid further vulnerability.

Abstract: Disclosed herein is a system for predicting, given a pattern of triggered alerts, a next alert in order to identify malicious activity that is about to occur on resource(s) being monitored by a security operations center. A resource can include a server, a storage device, a user device (e.g., a personal computer, a tablet computer, a smartphone, etc.), a virtual machine, networking equipment, etc. Accordingly, the next alert is speculatively triggered in advance and a security analyst can be notified of a pattern of activity that is likely to be malicious. The security analyst can then investigate the pattern of triggered alerts and the speculatively triggered alert to determine whether steps to mitigate the malicious activity before it occurs should be taken.

Abstract: Embodiments described herein are directed to securing network-based compute resources. The foregoing may be achieved by determining a tag representative of non-malicious network addresses. The tag is determined by analyzing network data traffic received by a plurality of compute resources. Machine-learning based techniques may be used to automatically classify each network address that communicates with a particular compute resource as being malicious or non-malicious. Determined non-malicious network addresses for a particular compute resource are automatically associated with a tag. The tag is used to configure a firewall application to prevent access to a corresponding compute resource by malicious network addresses not represented by the tag. The number of non-malicious network addresses associated with a tag may be expanded by clustering compute resources having a similar set of network addresses that communicate therewith.

Abstract: A system for predicting vulnerability of network resources is provided. The system can calculate an initial vulnerability score for each of the network resources and use the initial vulnerability scores along with activity data of the network resources to train a vulnerability model. After training, the vulnerability model can predict the vulnerability of the network resources based on new activity data collected from the network resources. Based on the predicted vulnerability, vulnerable network resources can be identified. Further analysis can be performed by comparing the activities of the vulnerable network resources and other network resources to identify activity patterns unique to the vulnerable network resources as attack patterns. Based on the attack patterns, one or more actions can be taken to increase the security of the vulnerable network resources to avoid further vulnerability.

Abstract: Systems, methods, and apparatuses are provided for clustering incidents in a computing environment. An incident notification relating to an event (e.g., a potential cyberthreat or any other alert) in the computing environment is received and a set of features may be generated based on the incident notification. The set of features may be provided as an input to a machine-learning engine to identify a similar incident notification in the computing environment. The similar incident notification may include a resolved incident notification or an unresolved incident notification. An action to resolve the incident notification may be received, and the received action may thereby be executed. In some implementations, in addition to resolving the received incident notification, the action may be executed to resolve a similar unresolved incident notification identified by the machine-learning engine.

Abstract: Methods, systems, and media are shown for generating access control rules for computer resources involving collecting historical access data for user accesses to a computer resource and separating the historical access data into a training data set and a validation data set. An access control rule is generated for the computer resource based on the properties of the user accesses to the computer resource in the training data set. The rule is validated against the validation data set to determine whether the rule produces a denial rate level is below a threshold when the rule is applied to the validation data set. If the rule is valid, then it is provided to an administrative interface so that an administrator can select the rule for application to incoming user requests.