Patents by Inventor Roy Levin

Roy Levin has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11936669
    Abstract: Unauthorized use of user credentials in a network is detected. Data indicative of text strings being used to access resources in the network is accessed. Regex models are determined for the text strings. Groupings of the regex models are determined based on an optimization of a cumulative weighted function. A regex model having a cumulative weighted function that exceeds a predetermined threshold is identified. An alert is generated when the cumulative weighted function for the identified regex model exceeds the predetermined threshold.
    Type: Grant
    Filed: October 4, 2022
    Date of Patent: March 19, 2024
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Andrey Karpovsky, Tomer Rotstein, Fady Nasereldeen, Naama Kraus, Roy Levin, Yotam Livny
  • Patent number: 11856015
    Abstract: An anomalous action security assessor is disclosed. An anomaly is received from a set of anomalies. A series of linked queries associated with the anomaly is presented to the user. The series of linked queries includes a base query and a subquery. The base query tests an attribute of the anomaly and resolves to a plurality of outcomes of the base query. The subquery is associated with an outcome of the plurality of outcomes of the base query. The series of linked queries finally resolve to one of tag the anomaly and dismiss the anomaly. A security alert is issued if the series of linked queries finally resolves to tag the anomaly.
    Type: Grant
    Filed: June 24, 2021
    Date of Patent: December 26, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Roy Levin, Andrey Karpovsky
  • Patent number: 11843626
    Abstract: A system to determine an intrusion risk and take action is described. The system collaboratively filters a combination based on a user access and a network item in a computer network to determine an associated recommendation score. The system determines connected components of a model of the computer network and separately collaboratively filters the connected components to determine the recommendation score as a measure of intrusion risk. An action is taken on the user access based on the intrusion risk.
    Type: Grant
    Filed: April 30, 2021
    Date of Patent: December 12, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Roy Levin, Idan Hen
  • Publication number: 20230344849
    Abstract: Generally discussed herein are devices, systems, and methods for improving cloud resource security. A method can include obtaining a cloud resource management log that details actions performed by users of cloud resources in a cloud portal, the actions including entries comprising at least two of a user identification (ID) of a user of the users, an operation of operations performed on the cloud resource, a uniform resource identifier (URI) of a cloud resource of the cloud resources that is a target of the operation, or a time the operation was performed. The method can include determining a respective score for each action in the cloud resource management log, comparing the respective score to a specified criterion, and providing an indication of anomalous action in response to determining the respective score satisfies the specified criterion.
    Type: Application
    Filed: June 9, 2023
    Publication date: October 26, 2023
    Inventors: Roy LEVIN, Ram Haim PLISKIN, Johnathan Samuel SIMON
  • Patent number: 11716340
    Abstract: Generally discussed herein are devices, systems, and methods for improving cloud resource security. A method can include obtaining a cloud resource management log that details actions performed by users of cloud resources in a cloud portal, the actions including entries comprising at least two of a user identification (ID) of a user of the users, an operation of operations performed on the cloud resource, a uniform resource identifier (URI) of a cloud resource of the cloud resources that is a target of the operation, or a time the operation was performed. The method can include determining a respective score for each action in the cloud resource management log, comparing the respective score to a specified criterion, and providing an indication of anomalous action in response to determining the respective score satisfies the specified criterion.
    Type: Grant
    Filed: May 28, 2021
    Date of Patent: August 1, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Roy Levin, Ram Haim Pliskin, Johnathan Samuel Simon
  • Publication number: 20230199003
    Abstract: The embodiments described herein are directed to generating labels for alerts and utilizing such labels to train a machine learning algorithm for generating more accurate alerts. For instance, alerts may be generated based on log data generated from an application. After an alert is issued, activity of a user in relation to the alert is tracked. The tracked activity is utilized to generate a metric for the alert indicating a level of interaction between the user and the alert. Based on the metric, the log data on which the alert is based is labeled as being indicative of one of suspicious activity or benign activity. During a training process, the labeled log data is provided to a supervised machine learning algorithm that learns what constitutes suspicious activity or benign activity. The algorithm generates a model, which is configured to receive newly-generated log data and issue security alerts based thereon.
    Type: Application
    Filed: December 20, 2021
    Publication date: June 22, 2023
    Inventors: Andrey KARPOVSKY, Roy LEVIN, Tamer SALMAN
  • Patent number: 11647035
    Abstract: An indication is received of a security alert. The indication is generated based on a detected anomaly in one of a data plane or a control plane of a computing environment. When the detected anomaly is in the data plane, the control plane is monitored for a subsequent anomaly in the control plane, and otherwise the data plane is monitored for a subsequent anomaly in the data plane. A correlation between the detected anomalies is determined. A notification of the security alert is sent when the correlation exceeds a predetermined threshold.
    Type: Grant
    Filed: September 15, 2020
    Date of Patent: May 9, 2023
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Andrey Karpovsky, Roy Levin, Tomer Rotstein, Michael Makhlevich, Tamer Salman, Ram Haim Pliskin
  • Patent number: 11647034
    Abstract: Enriched access data supports anomaly detection to enhance network cybersecurity. Network access data is enriched using service nodes representing resource provision and other services, with geolocation nodes representing grouped access origins, and access values representing access legitimacy confidence. Data enrichment provides a trained model by mapping IP addresses to geolocations, building a bipartite access graph whose inter-node links indicate aspects of accesses from geolocations to services, and generating semantic vectors from the graph. Vector generation may include collaborative filtering, autoencoding, neural net embedding, and other machine learning tools and techniques. Anomaly detection systems then calculate service-geolocation or geolocation-geolocation vector distances with anomaly candidate vectors and the model's graph-based vectors, and treat distances past a threshold as anomaly indicators.
    Type: Grant
    Filed: September 12, 2020
    Date of Patent: May 9, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Roy Levin, Andrey Karpovsky
  • Publication number: 20230028840
    Abstract: Unauthorized use of user credentials in a network is detected. Data indicative of text strings being used to access resources in the network is accessed. Regex models are determined for the text strings. Groupings of the regex models are determined based on an optimization of a cumulative weighted function. A regex model having a cumulative weighted function that exceeds a predetermined threshold is identified. An alert is generated when the cumulative weighted function for the identified regex model exceeds the predetermined threshold.
    Type: Application
    Filed: October 4, 2022
    Publication date: January 26, 2023
    Inventors: Andrey KARPOVSKY, Tomer ROTSTEIN, Fady NASERELDEEN, Naama KRAUS, Roy LEVIN, Yotam LIVNY
  • Publication number: 20220417273
    Abstract: An anomalous action security assessor is disclosed. An anomaly is received from a set of anomalies. A series of linked queries associated with the anomaly is presented to the user. The series of linked queries includes a base query and a subquery. The base query tests an attribute of the anomaly and resolves to a plurality of outcomes of the base query. The subquery is associated with an outcome of the plurality of outcomes of the base query. The series of linked queries finally resolve to one of tag the anomaly and dismiss the anomaly. A security alert is issued if the series of linked queries finally resolves to tag the anomaly.
    Type: Application
    Filed: June 24, 2021
    Publication date: December 29, 2022
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Roy Levin, Andrey Karpovsky
  • Publication number: 20220405632
    Abstract: Generally discussed herein are devices, systems, and methods for improving legacy cyber security solutions. A method can include receiving a sequence of traffic data, the sequence of traffic data representing operations performed by devices communicatively coupled in a network, generating, by cyber security event detection logic, actions corresponding to the sequence of traffic data, the actions corresponding to a cyber security event in the network, creating a training dataset based on the sequence of traffic data, the training dataset including the actions as labels, training a machine learning model based on the training dataset to generate a classification indicating a likelihood of the cyber security event, and distributing the trained machine learning model in place of the cyber security event detection logic.
    Type: Application
    Filed: June 22, 2021
    Publication date: December 22, 2022
    Inventors: Idan Y. HEN, Roy LEVIN
  • Publication number: 20220385682
    Abstract: Generally discussed herein are devices, systems, and methods for improving cloud resource security. A method can include obtaining a cloud resource management log that details actions performed by users of cloud resources in a cloud portal, the actions including entries comprising at least two of a user identification (ID) of a user of the users, an operation of operations performed on the cloud resource, a uniform resource identifier (URI) of a cloud resource of the cloud resources that is a target of the operation, or a time the operation was performed. The method can include determining a respective score for each action in the cloud resource management log, comparing the respective score to a specified criterion, and providing an indication of anomalous action in response to determining the respective score satisfies the specified criterion.
    Type: Application
    Filed: May 28, 2021
    Publication date: December 1, 2022
    Inventors: Roy Levin, Ram Haim Pliskin, Johnathan Samuel Simon
  • Publication number: 20220368696
    Abstract: Opaque module processing costs may be reduced without substantial loss of efficacy, e.g., security costs may be reduced with little or no loss of security. The processing cost of the opaque module is correlated with particular sets of input data, and the efficacy of the output resulting from processing samples of those sets is measured. Data whose processing is the most expensive or the most efficacious is identified. A data cluster is delimited by a parameter set, which may be supplied by a user or a machine learning model. Inputs to security tools may serve as parameters. The incremental cost and incremental efficacy of processing the cluster is determined. Security efficacy may be measured using alert counts, content, severity, and confidence. Processing cost and efficacy may then be managed by including or excluding particular datasets that match the parameters, either proactively pursuant to a policy, or per user selections.
    Type: Application
    Filed: May 17, 2021
    Publication date: November 17, 2022
    Inventors: Andrey KARPOVSKY, Roy LEVIN
  • Patent number: 11503059
    Abstract: Disclosed herein is a system for predicting, given a pattern of triggered alerts, a next alert in order to identify malicious activity that is about to occur on resource(s) being monitored by a security operations center. A resource can include a server, a storage device, a user device (e.g., a personal computer, a tablet computer, a smartphone, etc.), a virtual machine, networking equipment, etc. Accordingly, the next alert is speculatively triggered in advance and a security analyst can be notified of a pattern of activity that is likely to be malicious. The security analyst can then investigate the pattern of triggered alerts and the speculatively triggered alert to determine whether steps to mitigate the malicious activity before it occurs should be taken.
    Type: Grant
    Filed: April 22, 2019
    Date of Patent: November 15, 2022
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Roy Levin, Mathias Abraham Marc Scherman, Yotam Livny
  • Publication number: 20220353288
    Abstract: A system to determine an intrusion risk and take action is described. The system collaboratively filters a combination based on a user access and a network item in a computer network to determine an associated recommendation score. The system determines connected components of a model of the computer network and separately collaboratively filters the connected components to determine the recommendation score as a measure of intrusion risk. An action is taken on the user access based on the intrusion risk.
    Type: Application
    Filed: April 30, 2021
    Publication date: November 3, 2022
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Roy Levin, Idan Hen
  • Patent number: 11481478
    Abstract: An anomalous user session detector is disclosed. A sequence of operations in a logon session for an authorized user is gathered. A supervised learning model is trained to identify the authorized user from the sequence of operations. An anomalous session is detected by querying the supervised learning model.
    Type: Grant
    Filed: March 27, 2019
    Date of Patent: October 25, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Roy Levin, Naama Kraus, Andrey Karpovsky, Tamer Salman
  • Patent number: 11483327
    Abstract: Cybersecurity anomaly explainability is enhanced, with particular attention to collaborative filter-based anomaly detection. An enhanced system obtains user behavior vectors derived from a trained collaborative filter, computes a similarity measure of user behavior based on a distance between user behavior vectors and a similarity threshold, and automatically produces an explanation of a detected cybersecurity anomaly. The explanation describes a change in user behavior similarity, in human-friendly terms, such as “User X from Sales is now behaving like a network administrator.” Each user behavior vector includes latent features, and corresponds to access attempts or other behavior of a user with respect to a monitored computing system. Users may be sorted according to behavioral similarity. Explanations may associate a collaborative filter anomaly detection result with a change in behavior of an identified user or cluster of users, per specified explanation structures.
    Type: Grant
    Filed: November 17, 2019
    Date of Patent: October 25, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Idan Hen, Roy Levin
  • Patent number: 11477216
    Abstract: Unauthorized use of user credentials in a network is detected. Data indicative of text strings being used to access resources in the network is accessed. Regex models are determined for the text strings. Groupings of the regex models are determined based on an optimization of a cumulative weighted function. A regex model having a cumulative weighted function that exceeds a predetermined threshold is identified. An alert is generated when the cumulative weighted function for the identified regex model exceeds the predetermined threshold.
    Type: Grant
    Filed: May 4, 2020
    Date of Patent: October 18, 2022
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Andrey Karpovsky, Tomer Rotstein, Fady Nasereldeen, Naama Kraus, Roy Levin, Yotam Livny
  • Publication number: 20220272112
    Abstract: Methods, systems, and apparatuses are provided for detecting a missing security alert by receiving an alert sequence generated by a network security provider, applying the received alert sequence to a security incident model, receiving an indication from the security incident model that the received alert sequence corresponds to a security incident defined by a predetermined sequence of alerts that includes at least one alert missing from the received alert sequence, and generating a notification to the network security provider that indicates at least one of the security incident or the missing alert(s). In addition, the security incident model may be generated by providing a set of historical alerts and a set of historical security incidents to a machine learning algorithm to generate the security incident model.
    Type: Application
    Filed: May 12, 2022
    Publication date: August 25, 2022
    Inventors: Roy LEVIN, Mathias A.M. SCHERMAN
  • Patent number: 11363036
    Abstract: Methods, systems, and apparatuses are provided for detecting a missing security alert by receiving an alert sequence generated by a network security provider, applying the received alert sequence to a security incident model, receiving an indication from the security incident model that the received alert sequence corresponds to a security incident defined by a predetermined sequence of alerts that includes at least one alert missing from the received alert sequence, and generating a notification to the network security provider that indicates at least one of the security incident or the missing alert(s). In addition, the security incident model may be generated by providing a set of historical alerts and a set of historical security incidents to a machine learning algorithm to generate the security incident model.
    Type: Grant
    Filed: March 28, 2019
    Date of Patent: June 14, 2022
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Roy Levin, Mathias A. M. Scherman