Abstract: Methods, systems, and techniques for facilitating identification of electronic data exfiltration. A message transmission log and screenshot metadata are obtained. A screenshot corresponding to the screenshot metadata is matched to a sent electronic message, such as an email, having a file attachment represented in the message transmission log to generate an event. The screenshot metadata indicates that the screenshot was captured prior to when the message transmission log indicates the electronic message was sent. An anomaly score is determined for the sent electronic message is determined by applying unsupervised machine learning, such as by applying an isolation forest, to score the sent electronic message relative to a baseline. The anomaly score meeting or exceeding an anomaly threshold is treated as potentially being indicative of electronic data exfiltration.

Abstract: Systems and methods for monitoring suspicious communication network traffic. The methods include obtaining data associated with a sequence of communication events transmitted via the communication network and determining an entropy approximation measure associated at least one event attribute for the sequence of communication events. The method includes generating a threat prediction value based on an anomaly classification model and the entropy approximation measure. The anomaly classification model is trained based on prior sequences of communication events to identify a non-outlier anomaly range associated with the at least one event attribute. The threat prediction value is generated based on classification of the entropy approximation measure relative to the non-outlier anomaly range associated with the at least one attribute for identifying a potential threat. The method includes transmitting a signal for communicating that the sequence is a potential threat within the communication network.

Abstract: Methods, systems, and techniques for facilitating identification of electronic data exfiltration. A message transmission log and screenshot metadata are obtained. A screenshot corresponding to the screenshot metadata is matched to a sent electronic message, such as an email, having a file attachment represented in the message transmission log to generate an event. The screenshot metadata indicates that the screenshot was captured prior to when the message transmission log indicates the electronic message was sent. An anomaly score is determined for the sent electronic message is determined by applying unsupervised machine learning, such as by applying an isolation forest, to score the sent electronic message relative to a baseline. The anomaly score meeting or exceeding an anomaly threshold is treated as potentially being indicative of electronic data exfiltration.

Abstract: Systems and methods for monitoring suspicious communication network traffic. The methods include obtaining data associated with a sequence of communication events transmitted via the communication network and determining an entropy approximation measure associated at least one event attribute for the sequence of communication events. The method includes generating a threat prediction value based on an anomaly classification model and the entropy approximation measure. The anomaly classification model is trained based on prior sequences of communication events to identify a non-outlier anomaly range associated with the at least one event attribute. The threat prediction value is generated based on classification of the entropy approximation measure relative to the non-outlier anomaly range associated with the at least one attribute for identifying a potential threat. The method includes transmitting a signal for communicating that the sequence is a potential threat within the communication network.

Abstract: Systems and methods for database access monitoring are provided. The system comprises at least one processor and a memory storing instructions which when executed by the at least one processor configure the at least one processor to perform the method. The method comprises receiving login event data, generating a vector representation of a subject entity and a vector representation of an object entity associated with a login event in the login event data, determining a distance between the subject entity and the object entity, and determining an anomaly score for the subject entity and the object entity. The anomaly score based at least in part on the distance between the subject entity and object entity.

Abstract: Systems and methods for adaptively identifying anomalous network communication traffic. The system includes a processor and a memory coupled to the processor. The memory includes processor-executable instructions that configure the processor to: obtain data associated with a sequence of network communication events; determine that the sequence of communication events is generated by a computing agent based on a symmetricity measure associated with the sequence of network communication events; generate a threat prediction value for the sequence of network communication events prior-generated by the computing agent based on a combination of the symmetricity measure and a randomness measure associated with the network communication events; and transmit a signal for communicating that the sequence of network communication events is a potential malicious sequence of network communication events based on the threat prediction value.

Abstract: Systems and methods for monitoring suspicious communication network traffic. The methods include obtaining data associated with a sequence of communication events transmitted via the communication network and determining an entropy approximation measure associated at least one event attribute for the sequence of communication events. The method includes generating a threat prediction value based on an anomaly classification model and the entropy approximation measure. The anomaly classification model is trained based on prior sequences of communication events to identify a non-outlier anomaly range associated with the at least one event attribute. The threat prediction value is generated based on classification of the entropy approximation measure relative to the non-outlier anomaly range associated with the at least one attribute for identifying a potential threat. The method includes transmitting a signal for communicating that the sequence is a potential threat within the communication network.