Patents by Inventor Oded Sofer
Oded Sofer has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20210297436
Abstract: Techniques for detecting network intrusions are disclosed. An example intrusion detection system includes a storage device to store audit data generated by a network traffic analyzer in accordance with an audit policy that determines an auditing level. The system also includes a processor to receive a case defined by a case definition, wherein the case definition comprises a plurality of symptoms and each symptom is defined by a separate symptom definition. The processor performs queries of the audit data in accordance with each of the symptoms to generate captured symptom data. The symptoms are scored based on the captured symptom data to generate symptom scores, and the symptom scores are summed to generate a case score. If the case score exceeds an alert threshold specified by the case definition, the processor issues an alert.
Type: Application
Filed: March 17, 2020
Publication date: September 23, 2021
Inventors: ODED SOFER, ZAMIR PALTIEL
-
Publication number: 20210256433
Abstract: An example system includes a processor to monitor a user interface to generate activity logs including step-flows. The processor is to extract features and common variables from unstructured data in the activity logs and generate structured log events based on the extracted features and the common variables. The processor is to generate a workflow model based on the structured log events. The processor is to automate or assist workflow based on the generated workflow model.
Type: Application
Filed: February 13, 2020
Publication date: August 19, 2021
Inventors: Oded Sofer, Oded Margalit, Yair Allouche
-
Patent number: 11055359
Abstract: A computer-implemented method, computerized apparatus and computer program product for hierarchical objects linkage data visualization. A visualization of linkage data comprising a plurality of connections between a set of source objects and a set of target objects is obtained with respect to a predetermined level of hierarchy defined over attributes of at least one of the sets, wherein attributes of the objects and connections therebetween are represented in the visualization as nodes and links of a bipartite graph respectively. A spatial layout of links of a node is modified based on a relative position of each neighbor node thereof in an adjacent level, wherein neighboring nodes represent attributes of one or more objects which share in common an attribute represented by the node, wherein the relative position is determined based on a visualization restricted to the neighboring nodes so as to obtain a position preserving layout.
Type: Grant
Filed: May 7, 2018
Date of Patent: July 6, 2021
Assignee: International Business Machines Corporation
Inventors: Peter Bak, Ofer Haim Biller, Rotem Blinder, Tal Daniel, Adir Even, Oded Sofer, Mazal Yakoobov
-
Patent number: 11057407
Abstract: Detecting malware attacks is described herein. A computer-implemented method may include receiving, via a processor, events from a plurality of activity monitors. The method also includes extracting, via the processor, a plurality of behavioral features from the received events. The method may further include detecting, via the processor, a malware attack based on the extracted behavioral features using a malware identification model trained on private data and public data using a machine learning technique, wherein the private data includes private enterprise attack findings. The method may also include executing, via the processor, an ad hoc protection improvement based on the detected malware attack.
Type: Grant
Filed: November 25, 2019
Date of Patent: July 6, 2021
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Shlomit Avrahami, Tali Finelt, Itai Gordon, Yakir Keisar, Ilan Prager, Alexander Pyasik, Oded Sofer, Or Bar-Yaacov, Yifat Yulevich
-
Publication number: 20210056219
Abstract: Automated classification of sensitive data in a database, which includes: Retrieving a catalog of a database. Sampling record values from at least some of the columns. Generating a map of probable associations between different columns of tables of the database. Applying a machine learning classifier to the sampled record values, to classify the columns of the sampled records into multiple data classes, some being sensitive data classes. Classifying columns of non-sampled record values according to the classification of the sampled record values, based on the map. Searching all objects of the database for existence of record values of the classified columns, to output value and field name pairs. Scoring the pairs according to a measure of their repetitiveness in the output. Increasing the score of the pairs whose field names are similar. Based on the scores, indicating which fields of the database are likely to include sensitive data.
Type: Application
Filed: August 23, 2019
Publication date: February 25, 2021
Inventors: Oded Sofer, Guy Gonen, Benazeer Daruwalla
-
Patent number: 10831785
Abstract: Embodiments of the present invention may provide the capability to identify security breaches in computer systems from clustering properties of clusters generated based on monitored behavior of users of the computer systems by using techniques that provide improved performance and reduced resource requirements. For example, behavior of users or resources may be monitored and analyzed to generate clusters and train clustering models. Labeling information relating to some user or resource may be received. When users or resources are clustered and when a cluster contains some labeled users/resources then an anomaly score can be determined for a user/resource belonging to the cluster. A user or resource may be detected to be an outlier of at least one cluster to which the user or resource has been assigned, and an alert indicating detection of the outlier may be generated.
Type: Grant
Filed: April 11, 2016
Date of Patent: November 10, 2020
Assignee: International Business Machines Corporation
Inventors: Allon Adir, Ehud Aharoni, Lev Greenberg, Oded Margalit, Rosa Miroshnikov, Oded Sofer, Boris Rozenberg
-
Publication number: 20200313989
Abstract: A method, system and computer program product, the method comprising: sampling data from a computer network for training a monitoring system, comprising: obtaining information about the computer network to be monitored; obtaining indicators of available resources for collecting training data from the computer network; receiving mandatory objects to be monitored within the computer network; selecting at least one object to be monitored from under-monitored objects within the computer network, said selecting based upon monitoring resources remaining after reducing resources required for monitoring the mandatory objects, from the available resources; and sampling data in accordance with the selection.
Type: Application
Filed: March 28, 2019
Publication date: October 1, 2020
Inventors: Ofer Haim Biller, Hagit Grushka, Bracha Shapira, Oded Sofer
-
Patent number: 10708282
Abstract: In some examples, a system for detecting unauthorized data access can include a processor to detect a suspicious operation to be executed by the system and review a plurality of highlights corresponding to the suspicious operation. The processor can also determine that a predefined cyber security image corresponding to the highlights and the suspicious operation does not exist and generate the predefined cyber security image based on a plurality of sub-cyber security images. Furthermore, the processor can store the predefined cyber security image in a cyber security image repository and prevent the suspicious operation from being executed.
Type: Grant
Filed: March 27, 2017
Date of Patent: July 7, 2020
Assignee: International Business Machines Corporation
Inventors: Ofer Biller, Rosa Miroshnikov, David Rozenblat, Oded Sofer
-
Publication number: 20200195675
Abstract: In some examples, a system for detecting unauthorized user actions can include a processor to identify a plurality of objects and at least one user event to be monitored. The processor can also map the plurality of objects and the at least one user event to separate hyperplanes of a multi-dimensional visualization and apply at least one force to the plurality of objects. Additionally, the processor can detect a malicious user based on a movement of at least one of the objects as a result of applying the at least one force, and execute a security command to prevent the malicious user from accessing data.
Type: Application
Filed: February 20, 2020
Publication date: June 18, 2020
Inventors: Oded Sofer, Ofer H. Biller
-
Patent number: 10681073
Abstract: In some examples, a system for detecting unauthorized user actions can include a processor to identify a plurality of objects and at least one user event to be monitored. The processor can also map the plurality of objects and the at least one user event to separate hyperplanes of a multi-dimensional visualization and apply at least one force to the plurality of objects. Additionally, the processor can detect a malicious user based on a movement of at least one of the objects as a result of applying the at least one force, and execute a security command to prevent the malicious user from accessing data.
Type: Grant
Filed: January 2, 2018
Date of Patent: June 9, 2020
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Oded Sofer, Ofer H. Biller
-
Publication number: 20200092311
Abstract: Detecting malware attacks is described herein. A computer-implemented method may include receiving, via a processor, events from a plurality of activity monitors. The method also includes extracting, via the processor, a plurality of behavioral features from the received events. The method may further include detecting, via the processor, a malware attack based on the extracted behavioral features using a malware identification model trained on private data and public data using a machine learning technique, wherein the private data includes private enterprise attack findings. The method may also include executing, via the processor, an ad hoc protection improvement based on the detected malware attack.
Type: Application
Filed: November 25, 2019
Publication date: March 19, 2020
Inventors: Shlomit Avrahami, Tali Finelt, ITAI GORDON, Yakir Keisar, Ilan Prager, Alexander Pyasik, ODED SOFER, Or Bar-Yaacov, Yifat Yulevich
-
Patent number: 10530787
Abstract: Detecting malware attacks is described herein. A computer-implemented method may include receiving, via a processor, events from a plurality of activity monitors. The method also includes extracting, via the processor, a plurality of behavioral features from the received events. The method may further include detecting, via the processor, a malware attack based on the extracted behavioral features using a malware identification model trained on private data and public data. The method may also include executing, via the processor, an ad hoc protection improvement based on the detected malware attack.
Type: Grant
Filed: August 30, 2017
Date of Patent: January 7, 2020
Assignee: International Business Machines Corporation
Inventors: Shlomit Avrahami, Tali Finelt, Itai Gordon, Yakir Keisar, Ilan Prager, Alexander Pyasik, Oded Sofer, Or Bar-Yaacov, Yifat Yulevich
-
Publication number: 20190340304
Abstract: A computer-implemented method, computerized apparatus and computer program product for hierarchical objects linkage data visualization. A visualization of linkage data comprising a plurality of connections between a set of source objects and a set of target objects is obtained with respect to a predetermined level of hierarchy defined over attributes of at least one of the sets, wherein attributes of the objects and connections therebetween are represented in the visualization as nodes and links of a bipartite graph respectively. A spatial layout of links of a node is modified based on a relative position of each neighbor node thereof in an adjacent level, wherein neighboring nodes represent attributes of one or more objects which share in common an attribute represented by the node, wherein the relative position is determined based on a visualization restricted to the neighboring nodes so as to obtain a position preserving layout.
Type: Application
Filed: May 7, 2018
Publication date: November 7, 2019
Inventors: Peter Bak, Ofer Haim Biller, Rotem Blinder, Tal Daniel, Adir Even, Oded Sofer, Mazal Yakoobov
-
Patent number: 10397259
Abstract: A system for detecting cyber security events can include a processor to generate a first set of a plurality of time series and aggregate statistics based on a plurality of properties corresponding to user actions for each user in a set of users. The processor can also separate the set of users into a plurality of clusters based on the first set of the plurality of time series or aggregate statistics for each user and assign an identifier to each of the plurality of clusters. Additionally, the processor can generate a second set of a plurality of time series based on properties of the plurality of clusters, wherein the properties of a cluster correspond to a membership, a diameter, and a centroid and detect an anomaly based on a new value stored in the second set of the time series. Furthermore, the processor can execute a prevention instruction.
Type: Grant
Filed: March 23, 2017
Date of Patent: August 27, 2019
Assignee: International Business Machines Corporation
Inventors: Allon Adir, Ehud Aharoni, Lev Greenberg, Rosa Miroshnikov, Boris Rozenberg, Oded Sofer
-
Publication number: 20190207964
Abstract: In some examples, a system for detecting unauthorized user actions can include a processor to identify a plurality of objects and at least one user event to be monitored. The processor can also map the plurality of objects and the at least one user event to separate hyperplanes of a multi-dimensional visualization and apply at least one force to the plurality of objects. Additionally, the processor can detect a malicious user based on a movement of at least one of the objects as a result of applying the at least one force, and execute a security command to prevent the malicious user from accessing data.
Type: Application
Filed: January 2, 2018
Publication date: July 4, 2019
Inventors: Oded Sofer, Ofer H. Biller
-
Publication number: 20190068620
Abstract: Detecting malware attacks is described herein. A computer-implemented method may include receiving, via a processor, events from a plurality of activity monitors. The method also includes extracting, via the processor, a plurality of behavioral features from the received events. The method may further include detecting, via the processor, a malware attack based on the extracted behavioral features using a malware identification model trained on private data and public data. The method may also include executing, via the processor, an ad hoc protection improvement based on the detected malware attack.
Type: Application
Filed: August 30, 2017
Publication date: February 28, 2019
Inventors: Shlomit Avrahami, Tali Finelt, ITAI GORDON, Yakir Keisar, Ilan Prager, Alexander Pyasik, ODED SOFER, Or Bar-Yaacov, Yifat Yulevich
-
Patent number: 10171494
Abstract: A method, computer program product and/or system receives information pertaining to network data traffic from and/or to a network accessible resource, analyzes the information to determine whether a user is engaged in potential hacking transaction(s) with respect to the resource. On condition that the user is determined to be engaged in potential hacking transaction(s), a “scarecrow” message designed for display to the user, is generated and sent to the user.
Type: Grant
Filed: February 16, 2016
Date of Patent: January 1, 2019
Assignee: International Business Machines Corporation
Inventors: Roza Miroshnikov, David Rozenblat, Oded Sofer
-
Patent number: 10171471
Abstract: Methods, computing systems and computer program products implement embodiments of the present invention that include assigning, to multiple users, respective sets of original roles for accessing data stored on a computer system, and performing, in response to requests from the users, multiple operations on the data. While performing the multiple operations on the data, a transaction log is generated that includes a plurality of entries, each of the entries storing attributes of a given operation. Based on the entries in the log file, a respective set of learned roles for respective users is identified, and the respective sets of the learned roles are assigned to the respective users.
Type: Grant
Filed: January 10, 2016
Date of Patent: January 1, 2019
Assignee: International Business Machines Corporation
Inventors: Ofer Biller, Oded Sofer, Boris Rozenberg, David Rozenblat
-
Publication number: 20180278634
Abstract: A system for detecting cyber security events can include a processor to generate a first set of a plurality of time series and aggregate statistics based on a plurality of properties corresponding to user actions for each user in a set of users. The processor can also separate the set of users into a plurality of clusters based on the first set of the plurality of time series or aggregate statistics for each user and assign an identifier to each of the plurality of clusters. Additionally, the processor can generate a second set of a plurality of time series based on properties of the plurality of clusters, wherein the properties of a cluster correspond to a membership, a diameter, and a centroid and detect an anomaly based on a new value stored in the second set of the time series. Furthermore, the processor can execute a prevention instruction.
Type: Application
Filed: March 23, 2017
Publication date: September 27, 2018
Inventors: ALLON ADIR, EHUD AHARONI, LEV GREENBERG, ROSA MIROSHNIKOV, BORIS ROZENBERG, ODED SOFER
-
Publication number: 20180278630
Abstract: In some examples, a system for detecting unauthorized data access can include a processor to detect a suspicious operation to be executed by the system and review a plurality of highlights corresponding to the suspicious operation. The processor can also determine that a predefined cyber security image corresponding to the highlights and the suspicious operation does not exist and generate the predefined cyber security image based on a plurality of sub-cyber security images. Furthermore, the processor can store the predefined cyber security image in a cyber security image repository and prevent the suspicious operation from being executed.
Type: Application
Filed: March 27, 2017
Publication date: September 27, 2018
Inventors: Ofer Biller, Rosa Miroshnikov, David Rozenblat, Oded Sofer