Abstract: Balancing the observed signals used to train network intrusion detection models allows for a more accurate allocation of computing resources to defend the network from malicious parties. The models are trained against live data defined within a rolling window and historic data to detect user-defined features in the data. Automated attacks ensure that various kinds of attacks are always present in the rolling training window. The set of models are constantly trained to determine which model to place into production, to alert analysts of intrusions, and/or to automatically deploy countermeasures. The models are continually updated as the features are redefined and as the data in the rolling window changes, and the content of the rolling window is balanced to provide sufficient data of each observed type by which to train the models. When balancing the dataset, low-population signals are overlaid onto high-population signals to balance their relative numbers.

Abstract: Detecting compromised devices and user accounts within an online service via multi-signal analysis allows for fewer false positives and thus a more accurate allocation of computing resources and human analyst resources. Individual scopes of analysis, related to devices, accounts, or processes are specified and multiple behaviors over a period of time are analyzed to detect persistent (and slow acting) threats as well as brute force (and fast acting) threats. Analysts are alerted to individually affected scopes suspected of being compromised and may address them accordingly.

Abstract: Detecting emergent abnormal behavior in a computer network faster and more accurately allows for the security of the network against malicious parties to be improved. To detect abnormal behavior, outbound traffic is examined from across several devices and processes in the network to identify rarely communicated-with destinations that are associated with rarely-executed processes. As a given destination and process is used more frequently over time by the network, the level of suspicion associated with that destination and process is lowered as large groups of devices are expected to behave the same when operating properly and not under the control of a malicious party. Analysts are alerted in near real-time to the destinations associated with the activities deemed most suspicious.

Abstract: Detecting compromised devices and user accounts within an online service via multi-signal analysis allows for fewer false positives and thus a more accurate allocation of computing resources and human analyst resources. Individual scopes of analysis, related to devices, accounts, or processes are specified and multiple behaviors over a period of time are analyzed to detect persistent (and slow acting) threats as well as brute force (and fast acting) threats. Analysts are alerted to individually affected scopes suspected of being compromised and may address them accordingly.

Abstract: Detecting compromised devices and user accounts within an online service via multi-signal analysis allows for fewer false positives and thus a more accurate allocation of computing resources and human analyst resources. Individual scopes of analysis, related to devices, accounts, or processes are specified and multiple behaviors over a period of time are analyzed to detect persistent (and slow acting) threats as well as brute force (and fast acting) threats. Analysts are alerted to individually affected scopes suspected of being compromised and may address them accordingly.

Abstract: Balancing the observed signals used to train network intrusion detection models allows for a more accurate allocation of computing resources to defend the network from malicious parties. The models are trained against live data defined within a rolling window and historic data to detect user-defined features in the data. Automated attacks ensure that various kinds of attacks are always present in the rolling training window. The set of models are constantly trained to determine which model to place into production, to alert analysts of intrusions, and/or to automatically deploy countermeasures. The models are continually updated as the features are redefined and as the data in the rolling window changes, and the content of the rolling window is balanced to provide sufficient data of each observed type by which to train the models. When balancing the dataset, low-population signals are overlaid onto high-population signals to balance their relative numbers.

Abstract: Balancing the observed signals used to train network intrusion detection models allows for a more accurate allocation of computing resources to defend the network from malicious parties. The models are trained against live data defined within a rolling window and historic data to detect user-defined features in the data. Automated attacks ensure that various kinds of attacks are always present in the rolling training window. The set of models are constantly trained to determine which model to place into production, to alert analysts of intrusions, and/or to automatically deploy countermeasures. The models are continually updated as the features are redefined and as the data in the rolling window changes, and the content of the rolling window is balanced to provide sufficient data of each observed type by which to train the models. When balancing the dataset, low-population signals are overlaid onto high-population signals to balance their relative numbers.

Abstract: Detecting compromised devices and user accounts within an online service via multi-signal analysis allows for fewer false positives and thus a more accurate allocation of computing resources and human analyst resources. Individual scopes of analysis, related to devices, accounts, or processes are specified and multiple behaviors over a period of time are analyzed to detect persistent (and slow acting) threats as well as brute force (and fast acting) threats. Analysts are alerted to individually affected scopes suspected of being compromised and may address them accordingly.

Abstract: Detecting emergent abnormal behavior in a computer network faster and more accurately allows for the security of the network against malicious parties to be improved. To detect abnormal behavior, outbound traffic is examined from across several devices and processes in the network to identify rarely communicated-with destinations that are associated with rarely-executed processes. As a given destination and process is used more frequently over time by the network, the level of suspicion associated with that destination and process is lowered as large groups of devices are expected to behave the same when operating properly and not under the control of a malicious party. Analysts are alerted in near real-time to the destinations associated with the activities deemed most suspicious.

Abstract: Balancing the observed signals used to train network intrusion detection models allows for a more accurate allocation of computing resources to defend the network from malicious parties. The models are trained against live data defined within a rolling window and historic data to detect user-defined features in the data. Automated attacks ensure that various kinds of attacks are always present in the rolling training window. The set of models are constantly trained to determine which model to place into production, to alert analysts of intrusions, and/or to automatically deploy countermeasures. The models are continually updated as the features are redefined and as the data in the rolling window changes, and the content of the rolling window is balanced to provide sufficient data of each observed type by which to train the models. When balancing the dataset, low-population signals are overlaid onto high-population signals to balance their relative numbers.

Abstract: Disclosed are systems and methods for application streaming over HTTP. A virtual application running on a host computing device may detect the need for a page of memory that is not present on the host computing device. Accordingly, the virtual application may send a request to a virtual application server, seeking the absent memory page. The virtual application server may send to a web server an HTTP GET byte range request for the desired memory page. The web server may retrieve the requested block, which may be a portion of the virtual application image file. The requested data is returned to the host computing device via the virtual application server. The virtual application continues running on the host device using the requested data.

Abstract: Disclosed are systems and methods for application streaming over HTTP. A virtual application running on a host computing device may detect the need for a page of memory that is not present on the host computing device. Accordingly, the virtual application may send a request to a virtual application server, seeking the absent memory page. The virtual application server may send to a web server an HTTP GET byte range request for the desired memory page. The web server may retrieve the requested block, which may be a portion of the virtual application image file. The requested data is returned to the host computing device via the virtual application server. The virtual application continues running on the host device using the requested data.