Abstract: A computer-implemented method of generating a security language query from a user input query includes receiving, at a computer system, an input security hunting user query indicating a user intention; selecting, using a trained machine learning model and based on the input security hunting query, an example user security hunting query and corresponding example security language query; generating, using the trained machine learning model, query metadata from the input security hunting query; generating a prompt, the prompt comprising: the input security hunting user query; the selected example user security hunting query and the corresponding example security language query; and the generated query metadata; inputting the prompt to a large language model; receiving a security language query from the large language model corresponding to the input security hunting query reflective of the user intention.

Abstract: Techniques are described herein that are capable of detecting an algorithmic attack against a hosted artificial intelligence (AI) system based on inputs (e.g., queries) and outputs of the hosted AI system. In a first example, a feature-based classifier model is used to generate a classification score based on features that are derived from numerical representations of the queries and the outputs, and an algorithmic attack is detected based on the classification score being greater than or equal to a score threshold. In a second example, a transformer-based model is used to generate a vector by providing a multivariate time series, which is based on attribute(s) of the inputs and attribute(s) of the outputs, as an input to the transformer-based model, and an algorithmic attack is detected based on a distance between the vector and a point corresponding to a reference vector being less than or equal to a distance threshold.

Abstract: Provided herein are methods, systems, and computer program products for intelligent detection of multistage attacks which may arise in computer environments. Embodiments herein leverage adaptive graph-based machine-learning solutions that can incorporate rules as well as supervised learning for detecting multistage attacks. Multistage attacks and attack chains may be detected or identified by collecting data representing events, detections, and behaviors, determining relationships among various data, and analyzing the data and associated relationships. A graph of events, detections, and behaviors which are connected by edges representing relationships between nodes of the graph may be constructed and then subgraphs of the possibly enormous initial graph may be identified which represent likely attacks.

Abstract: In this disclosure, a number of ways that quantum information can be used to help make quantum classifiers more secure or private are disclosed. In particular embodiments, a form of robust principal component analysis is disclosed that can tolerate noise intentionally introduced to a quantum training set. Under some circumstances, this algorithm can provide an exponential speedup relative to other methods. Also disclosed is an example quantum approach for bagging and boosting that can use quantum superposition over the classifiers or splits of the training set to aggregate over many more models than would be possible classically. Further, example forms of k-means clustering are disclosed that can be used to prevent even a powerful adversary from even learning whether a participant even contributed data to the clustering algorithm.

Abstract: Provided herein are methods, systems, and computer program products for intelligent detection of multistage attacks which may arise in computer environments. Embodiments herein leverage adaptive graph-based machine-learning solutions that can incorporate rules as well as supervised learning for detecting multistage attacks. Multistage attacks and attack chains may be detected or identified by collecting data representing events, detections, and behaviors, determining relationships among various data, and analyzing the data and associated relationships. A graph of events, detections, and behaviors which are connected by edges representing relationships between nodes of the graph may be constructed and then subgraphs of the possibly enormous initial graph may be identified which represent likely attacks.

Abstract: In this disclosure, a number of ways that quantum information can be used to help make quantum classifiers more secure or private are disclosed. In particular embodiments, a form of robust principal component analysis is disclosed that can tolerate noise intentionally introduced to a quantum training set. Under some circumstances, this algorithm can provide an exponential speedup relative to other methods. Also disclosed is an example quantum approach for bagging and boosting that can use quantum superposition over the classifiers or splits of the training set to aggregate over many more models than would be possible classically. Further, example forms of k-means clustering are disclosed that can be used to prevent even a powerful adversary from even learning whether a participant even contributed data to the clustering algorithm.

Abstract: A computing system for generating automated responses to improve response times for diagnosing security alerts includes a processor and a memory. An application is stored in the memory and executed by the processor. The application includes instructions for receiving a text phrase relating to a security alert; using a natural language interface with a natural language model to select one of a plurality of intents corresponding to the text phrase; and mapping the selected intent to one of a plurality of actions. Each of the plurality of actions includes at least one of a static response, a dynamic response, and a task. The application includes instructions for sending a response based on the at least one of the static response, the dynamic response, and the task.

Abstract: Lateral movement detection may be performed by employing different detection models to score logon sessions. The different detection models may be implemented by and/or utilize counts computed from historical security event data. The different detection models may include probabilistic intrusion detection models for detecting compromised behavior based on logon behavior, a sequence of security events observed during a logon session, inter-event time between security events observed during a logon session, and/or an attempt to logon using explicit credentials. Scores for each logon session that are output by the different detection models may be combined to generate a ranking score for each logon session. A list of ranked alerts may be generated based on the ranking score for each logon session to identify compromised authorized accounts and/or compromised machines. An attack graph may be automatically generated based on compromised account-machine pairs to visually display probable paths of an attacker.

Abstract: Lateral movement detection may be performed by employing different detection models to score logon sessions. The different detection models may be implemented by and/or utilize counts computed from historical security event data. The different detection models may include probabilistic intrusion detection models for detecting compromised behavior based on logon behavior, a sequence of security events observed during a logon session, inter-event time between security events observed during a logon session, and/or an attempt to logon using explicit credentials. Scores for each logon session that are output by the different detection models may be combined to generate a ranking score for each logon session. A list of ranked alerts may be generated based on the ranking score for each logon session to identify compromised authorized accounts and/or compromised machines. An attack graph may be automatically generated based on compromised account-machine pairs to visually display probable paths of an attacker.

Abstract: Lateral movement detection may be performed by employing different detection models to score logon sessions. The different detection models may be implemented by and/or utilize counts computed from historical security event data. The different detection models may include probabilistic intrusion detection models for detecting compromised behavior based on logon behavior, a sequence of security events observed during a logon session, inter-event time between security events observed during a logon session, and/or an attempt to logon using explicit credentials. Scores for each logon session that are output by the different detection models may be combined to generate a ranking score for each logon session. A list of ranked alerts may be generated based on the ranking score for each logon session to identify compromised authorized accounts and/or compromised machines. An attack graph may be automatically generated based on compromised account-machine pairs to visually display probable paths of an attacker.

Abstract: Lateral movement detection may be performed by employing different detection models to score logon sessions. The different detection models may be implemented by and/or utilize counts computed from historical security event data. The different detection models may include probabilistic intrusion detection models for detecting compromised behavior based on logon behavior, a sequence of security events observed during a logon session, inter-event time between security events observed during a logon session, and/or an attempt to logon using explicit credentials. Scores for each logon session that are output by the different detection models may be combined to generate a ranking score for each logon session. A list of ranked alerts may be generated based on the ranking score for each logon session to identify compromised authorized accounts and/or compromised machines. An attack graph may be automatically generated based on compromised account-machine pairs to visually display probable paths of an attacker.