Patents by Inventor Roy Levin

Roy Levin has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20200314118
    Abstract: Methods, systems, and apparatuses are provided for detecting a missing security alert by receiving an alert sequence generated by a network security provider, applying the received alert sequence to a security incident model, receiving an indication from the security incident model that the received alert sequence corresponds to a security incident defined by a predetermined sequence of alerts that includes at least one alert missing from the received alert sequence, and generating a notification to the network security provider that indicates at least one of the security incident or the missing alert(s). In addition, the security incident model may be generated by providing a set of historical alerts and a set of historical security incidents to a machine learning algorithm to generate the security incident model.
    Type: Application
    Filed: March 28, 2019
    Publication date: October 1, 2020
    Inventors: Roy Levin, Mathias A.M. Scherman
  • Publication number: 20200310889
    Abstract: Generally discussed herein are devices, systems, and methods for computer or other network device security.
    Type: Application
    Filed: March 26, 2019
    Publication date: October 1, 2020
    Inventors: Roy Levin, Tamer Salman, Yotam Livny
  • Publication number: 20200296117
    Abstract: Generally discussed herein are devices, systems, and methods for computer or other network device security. A method can include identifying a profile associated with event data regarding an operation performed on a cloud resource, determining whether the event data is associated with anomalous customer interaction with the cloud resource, in response to determining the event data is associated with anomalous customer interaction, identifying whether another cloud resource of the cloud resources with a lower granularity profile that is associated with the profile of the cloud resource has previously been determined to be a target of an anomalous operation, and providing a single alert to a client device indicating the anomalous behavior on the cloud resource in response to determining both the event data is associated with anomalous customer interaction and the another cloud resource is determined to be the target of the anomalous operation.
    Type: Application
    Filed: March 13, 2019
    Publication date: September 17, 2020
    Inventors: Andrey Karpovsky, Ron Matchoro, Haim Saadia Ben Danan, Yotam Livny, Naama Kraus, Roy Levin, Tamer Salman
  • Publication number: 20200285737
    Abstract: Anomalous sequences are detected by approximating user sessions with heuristically extracted event sequences, allowing behavior analysis even without user identification or session identifiers. Extraction delimiters may include event count or event timing constraints. Event sequences extracted from logs or other event lists are vectorized and embedded in a vector space. A machine learning model similarity function measures anomalousness of a candidate sequence relative to a specified history, thus computing an anomaly score. Restrictions may be placed on the history to focus on a particular IP address or time frame, without retraining the model. Anomalous sequences may generate alerts, prompt investigations by security personnel, trigger automatic mitigation, trigger automatic acceptance, trigger tool configuration actions, or result in other cybersecurity actions.
    Type: Application
    Filed: March 5, 2019
    Publication date: September 10, 2020
    Inventors: Naama KRAUS, Roy LEVIN, Andrey KARPOVSKY, Tamer SALMAN
  • Publication number: 20200274894
    Abstract: A machine learning model is trained using tuples that identify an actor, a resource, and a rating based on a normalized count of the actor's attempts to access the resource. Actors may be users, groups, IP addresses, or otherwise defined. Resources may be storage, virtual machines, APIs, or otherwise defined. A risk assessor code feeds an actor-resource pair to the trained model, which computes a recommendation score using collaborative filtering. The risk assessor inverts the recommendation score to obtain a risk measurement; a low recommendation score corresponds to a high risk, and vice versa. The risk assessor code or other code takes cybersecurity action based on the recommendation score. Code may accept a risk R, or aid mitigation of the risk R, where R denotes a risk that the scored pair represents an unauthorized attempt by the pair actor to access the pair resource.
    Type: Application
    Filed: February 27, 2019
    Publication date: August 27, 2020
    Inventors: Itay ARGOETI, Roy LEVIN, Jonathan Moshe MONSONEGO
  • Patent number: 10699009
    Abstract: Malicious computer behavior is detected automatically based on a user session. A user session comprising a sequence of process events is identified and a text-based representation is generated, wherein process events correspond to words and a sequence of words corresponds to a sentence. Subsequently, a text-based classifier classifies the session as malicious or non-malicious based on the sequence of events within the session in the text representation.
    Type: Grant
    Filed: February 28, 2018
    Date of Patent: June 30, 2020
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Mathias Scherman, Roy Levin, Yotam Livny
  • Patent number: 10594711
    Abstract: A method and device for detecting botnets in a cloud-computing infrastructure are provided. The method includes gathering data feeds over a predefined detection time window to produce a detection dataset, wherein the detection dataset includes at least security events and a first set of bot-labels related to the activity of each of at least one virtual machine in the cloud-computing infrastructure during the detection time window; generating, using the detection dataset, a features vector for each of a plurality of virtual machines in the cloud-computing infrastructure, wherein the features vector is based on idiosyncratic (iSync) scores related to botnet activity; transmitting each generated features vector to a supervised machine learning decision model to generate a label indicating if each of the plurality of virtual machines is a bot based on the respective features vector; and determining each virtual machine labeled as a bot as being part of a botnet.
    Type: Grant
    Filed: November 28, 2016
    Date of Patent: March 17, 2020
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC.
    Inventors: Roy Levin, Royi Ronen
  • Publication number: 20200067980
    Abstract: A system for predicting vulnerability of network resources is provided. The system can calculate an initial vulnerability score for each of the network resources and use the initial vulnerability scores along with activity data of the network resources to train a vulnerability model. After training, the vulnerability model can predict the vulnerability of the network resources based on new activity data collected from the network resources. Based on the predicted vulnerability, vulnerable network resources can be identified. Further analysis can be performed by comparing the activities of the vulnerable network resources and other network resources to identify activity patterns unique to the vulnerable network resources as attack patterns. Based on the attack patterns, one or more actions can be taken to increase the security of the vulnerable network resources to avoid further vulnerability.
    Type: Application
    Filed: August 27, 2018
    Publication date: February 27, 2020
    Inventors: Yotam LIVNY, Mathias Abraham Marc SCHERMAN, Moshe ISRAEL, Ben KLIGER, Ram Haim PLISKIN, Roy LEVIN, Michael Zeev BARGURY
  • Publication number: 20200057850
    Abstract: Tools and techniques are described to automate triage of security and operational alerts. Insight instances extracted from raw event data associated with an alert are aggregated, vectorized, and assigned confidence scores through classification based on machine learning. Confidence scoring enables heavily loaded administrators and controls to focus attention and resources where they are most likely to protect or improve the functionality of a monitored system. Feature vectors receive a broad base in the underlying instance values through aggregation, even when the number of instance values is unknown prior to receipt of the event data. Visibility into the confidence scoring process may be provided, to allow tuning or inform further training of a classifier model. Performance metrics are defined, and production level performance may be achieved.
    Type: Application
    Filed: August 20, 2018
    Publication date: February 20, 2020
    Inventors: Naama KRAUS, Roy LEVIN, Assaf ISRAEL, Oran BRILL, Yotam LIVNY
  • Publication number: 20200057953
    Abstract: Systems, methods, and apparatuses are provided for clustering incidents in a computing environment. An incident notification relating to an event (e.g., a potential cyberthreat or any other alert) in the computing environment is received and a set of features may be generated based on the incident notification. The set of features may be provided as an input to a machine-learning engine to identify a similar incident notification in the computing environment. The similar incident notification may include a resolved incident notification or an unresolved incident notification. An action to resolve the incident notification may be received, and the received action may thereby be executed. In some implementations, in addition to resolving the received incident notification, the action may be executed to resolve a similar unresolved incident notification identified by the machine-learning engine.
    Type: Application
    Filed: August 20, 2018
    Publication date: February 20, 2020
    Inventors: Yotam Livny, Roy Levin, Ram Haim Pliskin, Ben Kliger, Mathias Abraham Marc Scherman, Moshe Israel, Michael Zeev Bargury
  • Publication number: 20200053123
    Abstract: Methods, systems, and computer program products are described herein for detecting malicious cloud-based resource allocations. Such detection may be achieved using machine learning-based techniques that analyze sequences of cloud-based resource allocations to determine whether such sequences are performed with a malicious intent. For instance, a sequence classification model may be generated by training a machine learning-based algorithm on both resource allocation sequences that are known to be used for malicious purposes and resource allocation sequences that are known to be used for non-malicious or benign purposes. Using these sequences, the machine learning-based algorithm learns what constitutes a malicious resource allocation sequence and generates the sequence classification model.
    Type: Application
    Filed: August 11, 2018
    Publication date: February 13, 2020
    Inventors: Ram Haim Pliskin, Roy Levin
  • Publication number: 20200053090
    Abstract: Methods, systems, and media are shown for generating access control rules for computer resources involving collecting historical access data for user accesses to a computer resource and separating the historical access data into a training data set and a validation data set. An access control rule is generated for the computer resource based on the properties of the user accesses to the computer resource in the training data set. The rule is validated against the validation data set to determine whether the rule produces a denial rate level that is below a threshold when the rule is applied to the validation data set. If the rule is valid, then it is provided to an administrative interface so that an administrator can select the rule for application to incoming user requests.
    Type: Application
    Filed: August 9, 2018
    Publication date: February 13, 2020
    Inventors: Ben KLIGER, Yotam LIVNY, Ram Haim PLISKIN, Roy LEVIN, Mathias Abraham Marc SCHERMAN, Moshe ISRAEL, Michael Zeev BARGURY
  • Patent number: 10460101
    Abstract: In one example, a system includes a processor, memory, and a botnet detection application stored in memory and executed by the processor and configured to: obtain (i) Netflow data indicating one or more IP addresses accessed by a computer and (ii) passive Domain Name System (DNS) data indicating respective one or more domains associated with each of the one or more IP addresses; generate features associated with the computer based on the Netflow data and passive DNS data; generate probability data based on the Netflow data and passive DNS data, wherein the probability data indicates a probability that the computer accessed the one or more domains; assign weights to the features based on the probability data to provide weighted features; and determine whether the computer is likely to be part of a botnet based on the weighted features.
    Type: Grant
    Filed: June 6, 2017
    Date of Patent: October 29, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Tomer Teller, Roy Levin
  • Patent number: 10417273
    Abstract: A computer implemented method of mapping multimedia analytics of multimedia objects into a resilient distributed dataset (RDD), comprising one or more processors adapted to obtain an RDD of a cluster computing framework executed by a cluster comprising a plurality of computing nodes, the RDD comprises a plurality of entries each comprising a pointer to one of a plurality of multimedia objects stored in a shared storage, instruct each of a plurality of framework tasks executed by at least some members of the cluster to apply a docker operator for retrieving and executing one of a plurality of multimedia containers each associated with a respective one of the multimedia objects and comprising a multimedia processing algorithm for processing the respective multimedia object, receive from the framework tasks multimedia analytics results generated simultaneously by the multimedia containers and map the multimedia analytics results into the RDD.
    Type: Grant
    Filed: January 5, 2017
    Date of Patent: September 17, 2019
    Assignee: International Business Machines Corporation
    Inventors: Gal Ashour, Ophir Azulai, Roy Levin
  • Publication number: 20190278922
    Abstract: Described technologies enhance cybersecurity by leveraging collaborative filtering tools and techniques for security use by scoring attempts to access items in digital storage. Examples provided illustrate usage of accessor IDs and storage item IDs to compute recommendation scores which then operate as inverse measures of intrusion risk. Actions taken in response to recommendation scores that fall below a specified threshold may include preventing or terminating access, or alerting an administrator, for instance. A requested access may be allowed when the computed recommendation score is above a specified threshold, which indicates an acceptably low risk that the access is an unauthorized intrusion. Described cybersecurity technologies may be used by, or incorporated within, cloud services, cloud infrastructure, or virtual machines. Described cybersecurity technologies may also be used outside a cloud, e.g.
    Type: Application
    Filed: March 12, 2018
    Publication date: September 12, 2019
    Inventors: Roy Levin, Ram Haim Pliskin
  • Patent number: 10412107
    Abstract: A system to detect domain name server tunneling includes a processor and machine readable instructions stored on a tangible machine readable medium, which when executed by the processor, configure the processor to collect, during a predetermined time period, responses received from a domain name server to queries sent to the domain name server by a computing device, the responses including internet protocol (IP) addresses; collect IP addresses accessed by the computing device during the predetermined time period; compare the IP addresses received by the computing device in the responses from the domain name server to the IP addresses accessed by the computing device; and detect domain name server tunneling based on the comparison.
    Type: Grant
    Filed: March 22, 2017
    Date of Patent: September 10, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Alon Brutzkus, Roy Levin
  • Publication number: 20190266325
    Abstract: Malicious computer behavior is detected automatically based on a user session. A user session comprising a sequence of process events is identified and a text-based representation is generated, wherein process events correspond to words and a sequence of words corresponds to a sentence. Subsequently, a text-based classifier classifies the session as malicious or non-malicious based on the sequence of events within the session in the text representation.
    Type: Application
    Filed: February 28, 2018
    Publication date: August 29, 2019
    Inventors: Mathias Scherman, Roy Levin, Yotam Livny
  • Patent number: 10210214
    Abstract: A computer implemented method, a computerized system and a computer program product for detecting scalable trends in a personalized search context. The computer implemented method comprising obtaining search results matching a search query, wherein the search query is a query defined by a user, wherein the search results comprise occurrences of events, wherein each occurrence is associated with a timestamp. The method further comprises calculating, by a processor, in response to obtaining the search results, trend scores for the events based on the occurrences comprised by the search results. The method further comprises providing an output to the user based on the trend scores.
    Type: Grant
    Filed: August 27, 2014
    Date of Patent: February 19, 2019
    Assignee: International Business Machines Corporation
    Inventors: Ido Guy, Anat Hashavit, Gilad Kutiel, Roy Levin, Tal Steier
  • Patent number: 10169485
    Abstract: Software that uses data collected from queries performed on a graph database to dynamically improve graph partitioning. The software performs the following operations: (i) identifying a partitioned graph database including a set of edges and a set of vertices, wherein each vertex of the set of vertices is associated with one or more edges of the set of edges; (ii) determining an edge traversal value for one or more edges of the set of edges, wherein the edge traversal value for a respective edge relates to a number of times that the respective edge is traversed in response to one or more queries of the graph database; and (iii) calculating a first vertex score for a first vertex on a first graph partition, based, at least in part, on the edge traversal value(s) for one or more edges associated with the first vertex.
    Type: Grant
    Filed: September 4, 2015
    Date of Patent: January 1, 2019
    Assignee: International Business Machines Corporation
    Inventors: Roy Levin, Inbal Ronen, Arnon Yogev
  • Publication number: 20180349599
    Abstract: In one example, a system includes a processor, memory, and a botnet detection application stored in memory and executed by the processor and configured to: obtain (i) Netflow data indicating one or more IP addresses accessed by a computer and (ii) passive Domain Name System (DNS) data indicating respective one or more domains associated with each of the one or more IP addresses; generate features associated with the computer based on the Netflow data and passive DNS data; generate probability data based on the Netflow data and passive DNS data, wherein the probability data indicates a probability that the computer accessed the one or more domains; assign weights to the features based on the probability data to provide weighted features; and determine whether the computer is likely to be part of a botnet based on the weighted features.
    Type: Application
    Filed: June 6, 2017
    Publication date: December 6, 2018
    Inventors: Tomer TELLER, Roy Levin