Abstract: The disclosure is directed to systems, methods, and computer storage media, for, among other things, employing nested model structures to enforce compliance, within a computational system, to at least one policy. One method includes receiving a digital record that encodes content. A plurality of models (e.g., integrated models and/or model droplets) is employed to analyze the records. The plurality of models is configured and arranged within a nested structure of a hierarchy of models. Each of the plurality of models analyzes at least a portion of the record. Based on the nested structure, the hierarchy combines the analysis from each of the plurality of models to determine that the content violates a policy of a system. In response to determining that the content violates the policy, at least one mitigation (or intervention) action are performed. The at least one mitigation action may alter subsequent transmissions of the record.

Abstract: The technology described herein determines whether a candidate text is in a requested class by using a generative model that may not be trained on the requested class. The present technology may use of a model trained primarily in an unsupervised mode, without requiring a large number of manual user-input examples of a label class. The may produce a semantically rich positive example of label text from a candidate text and label. Likewise, the technology may produce from the candidate text and the label a semantically rich negative example of label text. The labeling service makes use of a generative model to produce a generative result, which estimates the likelihood that the label properly applies to the candidate text. In another aspect, the technology is directed toward a method for obtaining a semantically rich example that is similar to a candidate text.

Abstract: Methods, systems, and computer storage media for providing a multi-attribute cluster-identifier that supports identifying malicious activity in computing environments. An instance of an activity having an attribute set can be assessed. The attribute set of the instance of the activity is analyzed to determine whether the instance of the activity is a malicious activity. The attribute set of the instance of the activity is compared to a plurality of multi-attribute cluster-identifiers of previous instances of the activity, such that, a determination that the instance of the activity is a malicious activity is made when the attribute set of the instance of the activity corresponds to an identified multi-attribute cluster-identifier. The identified multi-attribute cluster-identifier has a risk score and an attribute set that indicate a likelihood that the instance of the activity is a malicious activity. A visualization that identifies the instance of the activity as a malicious activity is generated.

Abstract: Methods, systems, and computer storage media for providing a multi-attribute cluster-identifier that supports identifying malicious activity in computing environments. An instance of an activity having an attribute set can be assessed. The attribute set of the instance of the activity is analyzed to determine whether the instance of the activity is a malicious activity. The attribute set of the instance of the activity is compared to a plurality of multi-attribute cluster-identifiers of previous instances of the activity, such that, a determination that the instance of the activity is a malicious activity is made when the attribute set of the instance of the activity corresponds to an identified multi-attribute cluster-identifier. The identified multi-attribute cluster-identifier has a risk score and an attribute set that indicate a likelihood that the instance of the activity is a malicious activity. A visualization that identifies the instance of the activity as a malicious activity is generated.

Abstract: Methods, systems, and computer storage media for providing a multi-attribute cluster-identifier that supports identifying malicious activity in computing environments. An instance of an activity having an attribute set can be assessed. The attribute set of the instance of the activity is analyzed to determine whether the instance of the activity is a malicious activity. The attribute set of the instance of the activity is compared to a plurality of multi-attribute cluster-identifiers of previous instances of the activity, such that, a determination that the instance of the activity is a malicious activity is made when the attribute set of the instance of the activity corresponds to an identified multi-attribute cluster-identifier. The identified multi-attribute cluster-identifier has a risk score and an attribute set that indicate a likelihood that the instance of the activity is a malicious activity. A visualization that identifies the instance of the activity as a malicious activity is generated.

Abstract: The disclosure is directed to systems, methods, and computer storage media, for, among other things, employing nested model structures to enforce compliance, within a computational system, to at least one policy. One method includes receiving a digital record that encodes content. A plurality of models (e.g., integrated models and/or model droplets) is employed to analyze the records. The plurality of models is configured and arranged within a nested structure of a hierarchy of models. Each of the plurality of models analyzes at least a portion of the record. Based on the nested structure, the hierarchy combines the analysis from each of the plurality of models to determine that the content violates a policy of a system. In response to determining that the content violates the policy, at least one mitigation (or intervention) action are performed. The at least one mitigation action may alter subsequent transmissions of the record.

Abstract: The disclosure is directed to systems, methods, and computer storage media, for, among other things, generating, training, and tuning lexicon-based classifier models. The models may be employed in various compliance enforcement applications and/or tasks. The tradeoff between the model's false positive error rate (FPR) and the model's false negative rate (FNR) may be “tuned” via a balance parameter supplied by the user. The classifier model may classify content (e.g., text records) as either belonging to a “positive” class or a “negative” class. The positive class may be associated with non-compliance, while the negative class may be associated with compliance (or vice-versa). In some embodiments, the classifier model may be a probabilistic probability model that provides a probability (or degree of belief) that the content is associated with the positive and/or negative class.

Abstract: Emails or other communications are labeled with a category label such as “spam” or “good” without using confidential or Personally Identifiable Information (PII). The category label is based on features of the emails such as metadata that do not contain PII. Graphs of inferred relationships between email features and category labels are used to assign labels to emails and to features of the emails. The labeled emails are used as a training dataset for training a machine learning model (“MLM”). The MLM model identifies unwanted emails such as spam, bulk email, phishing email, and emails that contain malware.

Abstract: The technology described herein determines whether a candidate text is in a requested class by using a generative model that may not be trained on the requested class. The present technology may use of a model trained primarily in an unsupervised mode, without requiring a large number of manual user-input examples of a label class. The may produce a semantically rich positive example of label text from a candidate text and label. Likewise, the technology may produce from the candidate text and the label a semantically rich negative example of label text. The labeling service makes use of a generative model to produce a generative result, which estimates the likelihood that the label properly applies to the candidate text. In another aspect, the technology is directed toward a method for obtaining a semantically rich example that is similar to a candidate text.

Abstract: Emails or other communications are labeled with a category label such as “spam” or “good” without using confidential or Personally Identifiable Information (PII). The category label is based on features of the emails such as metadata that do not contain PII. Graphs of inferred relationships between email features and category labels are used to assign labels to emails and to features of the emails. The labeled emails are used as a training dataset for training a machine learning model (“MLM”). The MLM model identifies unwanted emails such as spam, bulk email, phishing email, and emails that contain malware.

Abstract: Methods, systems, and computer storage media for providing a multi-attribute cluster-identifier that supports identifying malicious activity in computing environments. An instance of an activity having an attribute set can be assessed. The attribute set of the instance of the activity is analyzed to determine whether the instance of the activity is a malicious activity. The attribute set of the instance of the activity is compared to a plurality of multi-attribute cluster-identifiers of previous instances of the activity, such that, a determination that the instance of the activity is a malicious activity is made when the attribute set of the instance of the activity corresponds to an identified multi-attribute cluster-identifier. The identified multi-attribute cluster-identifier has a risk score and an attribute set that indicate a likelihood that the instance of the activity is a malicious activity. A visualization that identifies the instance of the activity as a malicious activity is generated.

Abstract: Emails or other communications are labeled with a category label such as “spam” or “good” without using confidential or Personally Identifiable Information (PII). The category label is based on features of the emails such as metadata that do not contain PII. Graphs of inferred relationships between email features and category labels are used to assign labels to emails and to features of the emails. The labeled emails are used as a training dataset for training a machine learning model (“MLM”). The MLM model identifies unwanted emails such as spam, bulk email, phishing email, and emails that contain malware.

Abstract: Embodiments maintain filtering criteria for classifying electronic messages in a multi-tenant environment, including maintaining global filtering criteria for all tenants, as well as tenant-level filtering criteria for each tenant. For each tenant, feedback regarding a messaging campaign is identified. When the messaging campaign has not been categorized, and the feedback signals the messaging campaign as undesirable, the tenant-level filtering criteria for the tenant is updated to signal the messaging campaign as undesirable. When the messaging campaign has previously been categorized as undesirable, and the feedback signals the messaging campaign as desirable, the tenant-level filtering criteria for the tenant is updated to signal the messaging campaign as desirable. A reputation score for each tenant is also calculated.

Abstract: Embodiments maintain filtering criteria for classifying electronic messages in a multi-tenant environment, including maintaining global filtering criteria for all tenants, as well as tenant-level filtering criteria for each tenant. For each tenant, feedback regarding a messaging campaign is identified. When the messaging campaign has not been categorized, and the feedback signals the messaging campaign as undesirable, the tenant-level filtering criteria for the tenant is updated to signal the messaging campaign as undesirable. When the messaging campaign has previously been categorized as undesirable, and the feedback signals the messaging campaign as desirable, the tenant-level filtering criteria for the tenant is updated to signal the messaging campaign as desirable. A reputation score for each tenant is also calculated.

Abstract: A method is provided for protecting an on-line resource using a HIP challenge. The method includes receiving a request to access the on-line resource from a remote client. A HIP challenge is presented to a user associated with the remote client. If a successful response to the HIP challenge is received from the user, a previous response pattern of the user is compared to known response patterns of humans and machines. The user is allowed to access to the on-line resource if the comparison indicates that the user is likely a human.

Abstract: A method is provided for protecting an on-line resource using a HIP challenge. The method includes receiving a request to access the on-line resource from a remote client. A HIP challenge is presented to a user associated with the remote client. If a successful response to the HIP challenge is received from the user, a previous response pattern of the user is compared to known response patterns of humans and machines. The user is allowed to access to the on-line resource if the comparison indicates that the user is likely a human.