Abstract: Various aspects involve determining legitimacy of an email address for risk assessment or other purposes. For instance, a risk assessment computing system receives a risk assessment query that identifies an email address. The risk assessment computing system determines a set of features for the email address. For each feature, the risk assessment computing system calculates an illegitimacy score by calculating a deviation of the feature from an expected safe value for the feature that is determined from historical email addresses. The risk assessment computing system aggregates the illegitimacy scores of the plurality of features into an aggregated illegitimacy score and further transmits a legitimacy risk value to a remote computing system. The legitimacy risk value indicates the aggregated illegitimacy score and can be used in controlling access of a computing device associated with the email address to one or more interactive computing environments.

Abstract: A method described herein involves various operations directed toward network security. The operations include accessing a traffic attribute describing a feature of network traffic. The operations further include determining a baseline distribution for the traffic attribute of a baseline set of transactions involving an online system over a baseline period and, additionally, determining an observed distribution for the traffic attribute of an observed set of transactions involving the online system over an observed period. Using the observed distribution and the baseline distribution, an attribute risk value for the traffic attribute is computed. The operations further include detecting that an anomaly exists in the traffic attribute of the observed set of transactions, based on the attribute risk value.

Abstract: A method described herein involves various operations directed toward network security. The operations include accessing a traffic attribute describing a feature of network traffic. The operations further include determining a baseline distribution for the traffic attribute of a baseline set of transactions involving an online system over a baseline period and, additionally, determining an observed distribution for the traffic attribute of an observed set of transactions involving the online system over an observed period. Using the observed distribution and the baseline distribution, an attribute risk value for the traffic attribute is computed. The operations further include detecting that an anomaly exists in the traffic attribute of the observed set of transactions, based on the attribute risk value.

Abstract: A method described herein involves various operations directed toward network security. The operations include accessing transaction data describing network traffic associated with a web server during an interval. Based on a count of new transactions involving an online entity during the interval according to the transaction data, a short-term trend is determined for the online entity. The operations further include applying exponential smoothing to a history of transactions of the online entity to compute a long-term trend for the online entity. Based on a comparison between the short-term trend and the long-term trend for the online entity, an anomaly is detected with respect to the online entity in the network traffic associated with the web server. Responsive to detecting the anomaly, an access control is implemented between the online entity and the web server.

Abstract: A method described herein involves various operations directed toward network security. The operations include accessing transaction data describing network traffic associated with a web server during an interval. Based on a count of new transactions involving an online entity during the interval according to the transaction data, a short-term trend is determined for the online entity. The operations further include applying exponential smoothing to a history of transactions of the online entity to compute a long-term trend for the online entity. Based on a comparison between the short-term trend and the long-term trend for the online entity, an anomaly is detected with respect to the online entity in the network traffic associated with the web server. Responsive to detecting the anomaly, an access control is implemented between the online entity and the web server.

Abstract: Various aspects involve determining legitimacy of an email address for risk assessment or other purposes. For instance, a risk assessment computing system receives a risk assessment query that identifies an email address. The risk assessment computing system determines a set of features for the email address. For each feature, the risk assessment computing system calculates an illegitimacy score by calculating a deviation of the feature from an expected safe value for the feature that is determined from historical email addresses. The risk assessment computing system aggregates the illegitimacy scores of the plurality of features into an aggregated illegitimacy score and further transmits a legitimacy risk value to a remote computing system. The legitimacy risk value indicates the aggregated illegitimacy score and can be used in controlling access of a computing device associated with the email address to one or more interactive computing environments.

Abstract: A method described herein involves various operations directed toward network security. The operations include accessing transaction data describing network traffic associated with a web server during an interval. Based on a count of new transactions involving an online entity during the interval according to the transaction data, a short-term trend is determined for the online entity. The operations further include applying exponential smoothing to a history of transactions of the online entity to compute a long-term trend for the online entity. Based on a comparison between the short-term trend and the long-term trend for the online entity, an anomaly is detected with respect to the online entity in the network traffic associated with the web server. Responsive to detecting the anomaly, an access control is implemented between the online entity and the web server.

Abstract: A method described herein involves various operations directed toward network security. The operations include accessing a traffic attribute describing a feature of network traffic. The operations further include determining a baseline distribution for the traffic attribute of a baseline set of transactions involving an online system over a baseline period and, additionally, determining an observed distribution for the traffic attribute of an observed set of transactions involving the online system over an observed period. Using the observed distribution and the baseline distribution, an attribute risk value for the traffic attribute is computed. The operations further include detecting that an anomaly exists in the traffic attribute of the observed set of transactions, based on the attribute risk value.