Abstract: A computer-based system and method for classifying users of a database including obtaining an activity rate time series describing activity level of a database user versus time, extracting features from the activity rate time series, the features including a measure of repetition in the activity level, mean activity load and a percentage of the time in which the user is active, and determining a type of the database user based on the extracted at least one feature. The measure of repetition in the user activity is calculated by performing a Fourier transform on the activity rate time series to produce a transformed series; detecting spikes in the transformed series; and measuring a percentage of information in the transformed series which is included in the spikes.

Abstract: Automated classification of sensitive data in a database, which includes: Retrieving a catalog of a database. Sampling record values from at least some of the columns. Generating a map of probable associations between different columns of tables of the database. Applying a machine learning classifier to the sampled record values, to classify the columns of the sampled records into multiple data classes, some being sensitive data classes. Classifying columns of non-sampled record values according to the classification of the sampled record values, based on the map. Searching all objects of the database for existence of record values of the classified columns, to output value and field name pairs. Scoring the pairs according to a measure of their repetitiveness in the output. Increasing the score of the pairs whose field names are similar. Based on the scores, indicating which fields of the database are likely to include sensitive data.

Abstract: A computer-based system and method for classifying data in real-time for data streaming may include: capturing a plurality of data packets flowing between a data source machine and a data client; searching at least one of the data packets for tokens associated with sensitive information; if tokens associated with sensitive information are not found in a data packet: allowing the data packet to flow between the data source machine and the data client; and sending the data packet to a comprehensive security analysis; and if tokens associated with sensitive information are found in the data packet: preventing the data packet form flowing between the data source machine and the data client; and sending the data packet to a comprehensive security analysis.

Abstract: A computer-based system and method for classifying data in real-time for data streaming may include: capturing a plurality of data packets flowing between a data source machine and a data client; searching at least one of the data packets for tokens associated with sensitive information; if tokens associated with sensitive information are not found in a data packet: allowing the data packet to flow between the data source machine and the data client; and sending the data packet to a comprehensive security analysis; and if tokens associated with sensitive information are found in the data packet: preventing the data packet form flowing between the data source machine and the data client; and sending the data packet to a comprehensive security analysis.

Abstract: A computer-based system and method for optimizing execution of regular expression rules, each including one or more sub-rules, may include: testing, by a processor, the sub-rules against a data sample; measuring, by a processor and based on the testing, the probability for every sub-rule that it appears in the data sample, and the processing time of each sub-rule; and finding, by a processor, an order of execution of at least a subset of the sub-rules to shorten the total execution time of validating the regular expression rules, based to the probability and the execution time of each of the sub-rules.

Abstract: In a present invention embodiment, time series data is received including information pertaining to a corresponding attribute of monitored activity on a processing device. An upper bound of the time series data is determined based on a weighted combination of a prior upper bound and a current value derived from the time series data. Greater weight is provided to greater values in the time series data based on an exponent applied to the prior upper bound and the current value and an effect of older values in the time series data decays over time based on a smoothing factor applied to exponential values of the prior upper bound and the current value. The upper bound is applied to a profile of an entity, and abnormal activity on the processing device is detected based on a comparison of the upper bound to a corresponding bound of the profile.

Abstract: An example system includes a processor to monitor activity on a database server to generate an events stream. The processor can convert the events stream into a time series that approximates activity load at the database server using an exponential smoothing. The processor can also send the time series to a streaming analytics engine.

Abstract: A computer-based system and method for classifying users of a database including obtaining an activity rate time series describing activity level of a database user versus time, extracting features from the activity rate time series, the features including a measure of repetition in the activity level, mean activity load and a percentage of the time in which the user is active, and determining a type of the database user based on the extracted at least one feature. The measure of repetition in the user activity is calculated by performing a Fourier transform on the activity rate time series to produce a transformed series; detecting spikes in the transformed series; and measuring a percentage of information in the transformed series which is included in the spikes.

Abstract: Techniques for detecting network intrusions are disclosed. An example intrusion detection system includes a storage device to store audit data generated by a network traffic analyzer in accordance with an audit policy that determines an auditing level. The system also includes a processor to receive a case defined by a case definition, wherein the case definition comprises a plurality of symptoms and each symptom is defined by a separate symptom definition. The processor performs queries of the audit data in accordance with each of the symptoms to generate captured symptom data. The symptoms are scored based on the captured symptom data to generate symptom scores, and the symptom scores are summed to generate a case score. If the case score exceeds an alert threshold specified by the case definition, the processor issues an alert.

Abstract: A computer-based system and method for monitoring of movement of data in a computer network, including: parsing a message, the message including one of a data access command sent to a computer database and a response to a data access command, to extract a template, metadata and data of the data access command, examining the template, metadata and data of the message to identify messages related to movement of data that is classified as sensitive, and generating a flow graph indicative of new locations of the sensitive data. Policy rules may be applied to the new locations of the sensitive data to monitor access to the new location.

Abstract: An example system includes a processor to monitor a user interface to generate activity logs including step-flows. The processor is to extract features and common variables from unstructured data in the activity logs and generate structured log events based on the extracted features and the common variables. The processor is to generate a workflow model based on the structured log events. The processor is to automate or assist workflow based on the generated workflow model.

Abstract: A system and method for dynamically determining a trust level of an end-to-end link of a computer database, including: in a preparation stage: capturing a first set of messages of an end-to-end link; compressing a skeleton of each message of the first set of messages to generate a construct of each message of the first set of messages, the skeleton includes the message without a value field; creating a characteristic histogram of the constructs of the first set of messages; and during an operation stage: capturing a second set of messages of the end-to-end link; compressing a skeleton of each message of the second set of messages to generate a construct of each of the second set of messages; creating a work histogram of the constructs of the second set of messages; and determining a trust level of the end-to-end link by comparing the work histogram with the characteristic histogram.

Abstract: A computer-based system and method for monitoring of movement of data in a computer network, including: parsing a message, the message including one of a data access command sent to a computer database and a response to a data access command, to extract a template, metadata and data of the data access command, examining the template, metadata and data of the message to identify messages related to movement of data that is classified as sensitive, and generating a flow graph indicative of new locations of the sensitive data. Policy rules may be applied to the new locations of the sensitive data to monitor access to the new location.

Abstract: A system and method for dynamically determining a trust level of an end-to-end link of a computer database, including: in a preparation stage: capturing a first set of messages of an end-to-end link; compressing a skeleton of each message of the first set of messages to generate a construct of each message of the first set of messages, the skeleton includes the message without a value field; creating a characteristic histogram of the constructs of the first set of messages; and during an operation stage: capturing a second set of messages of the end-to-end link; compressing a skeleton of each message of the second set of messages to generate a construct of each of the second set of messages; creating a work histogram of the constructs of the second set of messages; and determining a trust level of the end-to-end link by comparing the work histogram with the characteristic histogram.

Abstract: In some examples, a system for detecting unauthorized user actions can include a processor to identify a plurality of objects and at least one user event to be monitored. The processor can also map the plurality of objects and the at least one user event to separate hyperplanes of a multi-dimensional visualization and apply at least one force to the plurality of objects. Additionally, the processor can detect a malicious user based on a movement of at least one of the objects as a result of applying the at least one force, and execute a security command to prevent the malicious user from accessing data.

Abstract: A computer-based system and method for optimizing execution of regular expression rules, each including one or more sub-rules, may include: testing, by a processor, the sub-rules against a data sample; measuring, by a processor and based on the testing, the probability for every sub-rule that it appears in the data sample, and the processing time of each sub-rule; and finding, by a processor, an order of execution of at least a subset of the sub-rules to shorten the total execution time of validating the regular expression rules, based to the probability and the execution time of each of the sub-rules.

Abstract: A computer-based system and method for classifying data in real-time for data streaming may include: capturing a plurality of data packets flowing between a data source machine and a data client; searching at least one of the data packets for tokens associated with sensitive information; if tokens associated with sensitive information are not found in a data packet: allowing the data packet to flow between the data source machine and the data client; and sending the data packet to a comprehensive security analysis; and if tokens associated with sensitive information are found in the data packet: preventing the data packet form flowing between the data source machine and the data client; and sending the data packet to a comprehensive security analysis.

Abstract: A computer-based system and method for classifying examined data in a computerized database may include: calculating statistics of the examined data; comparing the statistics of the examined data with known statistics of a first data category to provide a statistics score; and determining a probability that the category of the examined data matches the first data category based on the statistics score.

Abstract: Techniques for detecting network intrusions are disclosed. An example intrusion detection system includes a storage device to store audit data generated by a network traffic analyzer in accordance with an audit policy that determines an auditing level. The system also includes a processor to receive a case defined by a case definition, wherein the case definition comprises a plurality of symptoms and each symptom is defined by a separate symptom definition. The processor performs queries of the audit data in accordance with each of the symptoms to generate captured symptom data. The symptoms are scored based on the captured symptom data to generate symptom scores, and the symptom scores are summed to generate a case score. If the case score exceeds an alert threshold specified by the case definition, the processor issues an alert.

Abstract: An example system includes a processor to monitor a user interface to generate activity logs including step-flows. The processor is to extract features and common variables from unstructured data in the activity logs and generate structured log events based on the extracted features and the common variables. The processor is to generate a workflow model based on the structured log events. The processor is to automate or assist workflow based on the generated workflow model.