Abstract: A method and system for detecting malicious threat activity or event sequences is disclosed. In an embodiment, the method may include receiving security data from a plurality of data sources and normalizing the security data. The method may include generating one or more statistical profiles for one or more entities based on the normalized data. The method may include generating one or more detectors based on one or more subsequences organized in a plurality of threat chains. The method may include monitoring, via the one or more detectors, telemetric data in real time for the one or more subsequences. The method may include aggregating each detected one or more subsequences. The method may include generating a score based on a correlation of aggregated detected subsequences to the one or more statistical profiles. The method may include, if the score of exceeds a threshold, generating a high severity alert.

Abstract: A method and system for detecting malicious threat activity or event sequences is disclosed. In an embodiment, the method may include generating one or more malicious sequence detection rules defined in a domain specific language. The method may include generating a rules repository configured to receive and store one or more pre-defined rules and one or more curated sets of malicious sequence detection rules. The method may include monitoring networks and/or computing devices to detect malicious threat activity or event sequences based on the one or more curated sets of malicious sequence detection rules. The method may include aggregating malicious threat activity or event sequences detected within a predetermined time frame and generating a threat score and, if the threat score exceeds a threshold score, generating an alert.

Abstract: The present disclosure provides systems and methods for generation of parsing scripts or rules for unstructured or semi-structured system log messages, including systems and methods for identifying and clustering of same or substantially similar system log messages using machine learning. Patterns indicative of the same or substantially similar types system log messages can be generated based on the clustering of the system log messages and calculated similarities of attributes or distances between common features/fields of the system log messages, with the results of the clustering presented for analysis and development or adjustment of parsing scripts.

Abstract: Systems and methods for identifying attack patterns or suspicious activity can include a profile builder, a primitive creator, and a compromise detector. The profile builder can populate one or more baseline activity profiles for each client of the plurality of clients or entities associated therewith. The primitive creator can create primitives by comparing identified or extracted features to information in the one or more baseline activity profiles. The compromise detector can receive primitives, and based on identified combinations or sequences of primitives, generate compromise events to be provided to clients.

Abstract: The present disclosure provides systems and methods for classifying or determined whether a request for a user's information is malicious or safe/legitimate. Request information related to a request for a user's information can be received, and one or more screenshots associated with the request can be obtained and provided to a machine learning model. The machine learning model can generate a probability or confidence level that the request is malicious.

Abstract: Systems and methods for identifying attack patterns or suspicious activity can include a profile builder, a primitive creator, and a compromise detector. The profile builder can populate one or more baseline activity profiles for each client of the plurality of clients or entities associated therewith. The primitive creator can create primitives by comparing identified or extracted features to information in the one or more baseline activity profiles. The compromise detector can receive primitives, and based on identified combinations or sequences of primitives, generate compromise events to be provided to clients.

Abstract: The present disclosure provides systems and methods for classifying or determined whether a request for a user's information is malicious or safe/legitimate. Request information related to a request for a user's information can be received, and one or more screenshots associated with the request can be obtained and provided to a machine learning model. The machine learning model can generate a probability or confidence level that the request is malicious.