Abstract: Machine learning techniques can be used to train a classifier, in some embodiments, to accurately detect similarities between different records of user activity for a same user. When more recent data is received, newer data can be analyzed by selectively removing particular sub-groups of data to see if there is any particular data that accounts for a large difference (e.g. when run through a classifier that has been trained to produce similar results for known activity data from a same user). If a sub-group of data is identified as being significantly different from other user data, this may indicate an account breach. Advanced machine learning techniques described herein may be applicable to a variety of different environments.

Abstract: Anomalies in a data set may be difficult to detect when individual items are not gross outliers from a population average. Disclosed is an anomaly detector that includes neural networks such as an auto-encoder and a discriminator. The auto-encoder and the discriminator may be trained on a training set that does not include anomalies. During training, an auto-encoder generates an internal representation from the training set, and reconstructs the training set from the internal representation. The training continues until data loss in the reconstructed training set is below a configurable threshold. The discriminator may be trained until the internal representation is constrained to a multivariable unit normal. Once trained, the auto-encoder and discriminator identify anomalies in the evaluation set. The identified anomalies in an evaluation set may be linked to transaction, security breach or population trends, but broadly, disclosed techniques can be used to identify anomalies in any suitable population.

Abstract: Systems and methods for anomaly detection includes accessing first data comprising a plurality of historical reversion transactions. A plurality of legitimate transactions are determined from the plurality of historical reversion transactions. An autoencoder is trained using the plurality of legitimate transactions to generate a trained autoencoder capable of measuring a given transaction for similarity to the plurality of legitimate transactions. A first reconstructed transaction is generated by the trained autoencoder using a first transaction. The first transaction is determined to be anomalous based on a reconstruction difference between the first transaction and the first reconstructed transaction.

Abstract: Aspects of the present disclosure involve systems, methods, devices, and the like for generating compact tree representations applicable to machine learning. In one embodiment, a system is introduced that can retrieve a decision tree structure to generate a compact tree representation model. The compact tree representation model may come in the form of a matrix design to maintain the relationships expressed by the decision tree structure.

Abstract: Aspects of the present disclosure involve systems, methods, devices, and the like for generating compact tree representations applicable to machine learning. In one embodiment, a system is introduced that can retrieve a decision tree structure to generate a compact tree representation model. The compact tree representation model may come in the form of a matrix design to maintain the relationships expressed by the decision tree structure.

Abstract: Systems and methods for detecting data exfiltration using domain name system (DNS) queries include, in various embodiments, performing operations that include parsing a DNS query to determine whether that DNS query is likely to contain hidden data that is being exfiltrated from a system or network. Statistical methods can be used to analyze the DNS query to determine a likelihood whether each of a plurality of segments of the DNS query are indicative of data exfiltration methods. If one or multiple DNS queries are deemed suspicious based on the analysis, a security action on the DNS query can be performed, including sending an alert and/or blocking the DNS query from being forwarded.

Abstract: The systems and methods that detect a malicious process using count vectors are provided. Count vectors store a number and types of system calls that a process executed in a configurable time interval. The count vectors are provided to a temporal convolution network and a spatial convolution network. The temporal convolution network generates a temporal output by passing the count vectors through temporal filters that identify temporal features of the process. The spatial convolution network generates a spatial output by passing the count vectors through spatial filters that identify spatial features of the process. The temporal output and the spatial output are merged into a summary representation of the process. The malware detection system uses the summary representation to determine that the process as a malicious process.

Abstract: Systems and methods for anomaly detection includes accessing first data comprising a plurality of historical reversion transactions. A plurality of legitimate transactions are determined from the plurality of historical reversion transactions. An autoencoder is trained using the plurality of legitimate transactions to generate a trained autoencoder capable of measuring a given transaction for similarity to the plurality of legitimate transactions. A first reconstructed transaction is generated by the trained autoencoder using a first transaction. The first transaction is determined to be anomalous based on a reconstruction difference between the first transaction and the first reconstructed transaction.

Abstract: The systems and methods that detect malware from count vectors are provided. A count vector having multiple components is generated. The count vector tracks a number and types of system calls generated by a process. Each component in the count vector is mapped to a type of a system call that exists in an operating system. Multiple system calls generated by the process are received over a first time interval. Each system call is mapped to a component in the count vector. The count vectors are aggregated according to a second time interval into a vector packet. The vector packet is transmitted over a network to a malware detection system that uses the count vectors in the vector packet to determine whether the process is a malware process.

Abstract: The systems and methods that detect a malicious process using count vectors are provided. Count vectors store a number and types of system calls that a process executed in a configurable time interval. The count vectors are provided to a temporal convolution network and a spatial convolution network. The temporal convolution network generates a temporal output by passing the count vectors through temporal filters that identify temporal features of the process. The spatial convolution network generates a spatial output by passing the count vectors through spatial filters that identify spatial features of the process. The temporal output and the spatial output are merged into a summary representation of the process. The malware detection system uses the summary representation to determine that the process as a malicious process.

Abstract: Systems and methods for detecting data exfiltration using domain name system (DNS) queries include, in various embodiments, performing operations that include parsing a DNS query to determine whether that DNS query is likely to contain hidden data that is being exfiltrated from a system or network. Statistical methods can be used to analyze the DNS query to determine a likelihood whether each of a plurality of segments of the DNS query are indicative of data exfiltration methods. If one or multiple DNS queries are deemed suspicious based on the analysis, a security action on the DNS query can be performed, including sending an alert and/or blocking the DNS query from being forwarded.

Abstract: Anomalies in a data set may be difficult to detect when individual items are not gross outliers from a population average. Disclosed is an anomaly detector that includes neural networks such as an auto-encoder and a discriminator. The auto-encoder and the discriminator may be trained on a training set that does not include anomalies. During training, an auto-encoder generates an internal representation from the training set, and reconstructs the training set from the internal representation. The training continues until data loss in the reconstructed training set is below a configurable threshold. The discriminator may be trained until the internal representation is constrained to a multivariable unit normal. Once trained, the auto-encoder and discriminator identify anomalies in the evaluation set. The identified anomalies in an evaluation set may be linked to transaction, security breach or population trends, but broadly, disclosed techniques can be used to identify anomalies in any suitable population.

Abstract: Aspects of the present disclosure involve systems, methods, devices, and the like for generating compact tree representations applicable to machine learning. In one embodiment, a system is introduced that can retrieve a decision tree structure to generate a compact tree representation model. The compact tree representation model may come in the form of a matrix design to maintain the relationships expressed by the decision tree structure.

Abstract: Machine learning techniques can be used to train a classifier, in some embodiments, to accurately detect similarities between different records of user activity for a same user. When more recent data is received, newer data can be analyzed by selectively removing particular sub-groups of data to see if there is any particular data that accounts for a large difference (e.g. when run through a classifier that has been trained to produce similar results for known activity data from a same user). If a sub-group of data is identified as being significantly different from other user data, this may indicate an account breach. Advanced machine learning techniques described herein may be applicable to a variety of different environments.

Abstract: The systems and methods that detect malware from count vectors are provided. A count vector having multiple components is generated. The count vector tracks a number and types of system calls generated by a process. Each component in the count vector is mapped to a type of a system call that exists in an operating system. Multiple system calls generated by the process are received over a first time interval. Each system call is mapped to a component in the count vector. The count vectors are aggregated according to a second time interval into a vector packet. The vector packet is transmitted over a network to a malware detection system that uses the count vectors in the vector packet to determine whether the process is a malware process.