Abstract: A system for determining whether a velocity event is fake or real is provided. The system accesses a data store of velocity events, each of which specifies a pair of addresses that share the velocity event. For each address of the velocity events, the system sets a score for that address based on the number of addresses that share a velocity event with that address. When the score for that address satisfies an originating address criterion, the system designates that address as an originating address. The system may determine that a velocity event is real when both addresses of the velocity event are originating addresses.

Abstract: When processing events associated with a group comprising multiple different sub-groups, a hash function can be applied to the sub-group identifier to map the events associated with the sub-group to different computational elements used to process the group's events. The hash value can be a number between 1 and n or 0 and n?1 where n is the number of computational elements available to the group. Data concerning the last time a particular value for a property was encountered in an event stream can be retained. On each computational element assigned to the group, the detection of a particular property value in an event of a sub-group can be collected, periodically aggregated and sent to each of the computational elements used by the group, thereby enabling the first detection of a new property value within a group of events to be determined.

Abstract: Embodiments detect unauthorized access to cloud-based resources. One technique analyzes cloud-based events to distinguish potentially malicious velocity incidents from benign velocity incidents. A velocity incident occurs when the same user causes events from two geographically remote locations in a short time. Benign velocity incidents are distinguished from malicious velocity incidents by comparing an event with past events that have the same features. Embodiments probabilistically determine if a velocity incident is malicious or benign based on a weighted multi-feature analysis. For each feature of an event, a probability is calculated based on past events that have the same feature. Then, each feature is associated with a weight based on a relative frequency of past events having that feature. A weighted average of probabilities is calculated, and the resulting probability is compared to a defined threshold to determine if the velocity incident is likely malicious or benign.

Abstract: An anomaly detection system is provided and includes a processor, a memory, and a security application that is stored in the memory and includes instructions. The instructions are configured to collect information of behavior data for the users of an organization accessing cloud applications via a distributed network. The behavior data includes one or more parameters tracked over time for the users. The instructions are further configured to: establish baselines for each of the users and for each of the cloud applications or types of cloud applications of the organization; detect anomalies based on the baselines; provide aggregated anomaly data by aggregating anomalies corresponding to two or more of the baselines and a same behavior or corresponding to multiple users of a same cloud application during a same period of time; determine a risk value based on the aggregated anomaly data; and perform a countermeasure based on the risk value.

Abstract: A device configured to operate in a distributed network system includes a key-value processing system to generate at least one of a first request and a second request. The first request is to retrieve a selected one of a plurality of sub-groups of data. The first request includes a plurality of keys each including a first value identifying the selected one of the plurality of sub-groups and a respective one of a plurality of second values. Each of the second values identifies a respective subset of data within the selected one of the plurality of sub-groups. The second request is to retrieve a selected one of the subsets of data within the selected one of the plurality of sub-groups and includes a key. The key includes the first value and a selected one of the second values, and the selected one of the second values corresponds to a hash value.

Abstract: Embodiments detect unauthorized access to cloud-based resources. One technique analyzes cloud-based events to distinguish potentially malicious velocity incidents from benign velocity incidents. A velocity incident occurs when the same user causes events from two geographically remote locations in a short time. Benign velocity incidents are distinguished from malicious velocity incidents by comparing an event with past events that have the same features. Embodiments probabilistically determine if a velocity incident is malicious or benign based on a weighted multi-feature analysis. For each feature of an event, a probability is calculated based on past events that have the same feature. Then, each feature is associated with a weight based on a relative frequency of past events having that feature. A weighted average of probabilities is calculated, and the resulting probability is compared to a defined threshold to determine if the velocity incident is likely malicious or benign.

Abstract: A storage cluster includes a plurality of key-value storage nodes categorized into sub-groups of data associated with a first value identifying the sub-group and second values identifying respective subsets of data. A key-value processing system receives at least one of a first request to retrieve a selected one of the sub-groups of data, the first request including a plurality of keys, each of the plurality of keys including the first value and a respective one of the second values, and a second request to retrieve a selected one of the subsets of data. The second request includes a key having the first value and a selected one of the second values. The selected one of the second values corresponds to a hash value. The storage cluster selectively provides at least one of the selected one of the sub-groups of data and the selected one of the subsets of data.

Abstract: When processing events associated with a group comprising multiple different sub-groups, a hash function can be applied to the sub-group identifier to map the events associated with the sub-group to different computational elements used to process the group's events. The hash value can be a number between 1 and n or 0 and n?1 where n is the number of computational elements available to the group. Data concerning the last time a particular value for a property was encountered in an event stream can be retained. On each computational element assigned to the group, the detection of a particular property value in an event of a sub-group can be collected, periodically aggregated and sent to each of the computational elements used by the group, thereby enabling the first detection of a new property value within a group of events to be determined.

Abstract: An anomaly detection system is provided and includes a processor, a memory and a security application stored in the memory and including instructions. The instructions are for collecting behavior data corresponding to users of an organization accessing cloud applications. The behavior data includes parameters tracked over time for the users. The instructions are for: creating a first model based on the behavior data tracked for the users; creating a second model corresponding to a first user based on the parameters tracked for the users except the first user, where the second model excludes behavior data pertaining to the first user; scoring the second model based on the first model to generate a first score; determining whether the first user is an outlier based on the first score; and removing the behavior data corresponding to the first user from the first model if the first user is an outlier.

Abstract: According to examples, an apparatus may include a processor and a memory having instructions that are to cause processor to access an event log that lists an event item corresponding to an event that occurred at a network appliance, determine that the event item matches an item listed in a user log that lists records of user information and a plurality of items, in which the records correspond to user events in a network, identify the user information corresponding to the matching item, determine a confidence level that the identified user information corresponds to the event item, determine whether the confidence level exceeds a certain threshold value, in response to a determination that the confidence level exceeds the certain threshold, correlate the user information to the event item, and insert an entry into a database that the user information corresponds to the event item.

Abstract: A device configured to operate in a distributed network system includes a key-value processing system to generate at least one of a first request and a second request. The first request is to retrieve a selected one of a plurality of sub-groups of data. The first request includes a plurality of keys each including a first value identifying the selected one of the plurality of sub-groups and a respective one of a plurality of second values. Each of the second values identifies a respective subset of data within the selected one of the plurality of sub-groups. The second request is to retrieve a selected one of the subsets of data within the selected one of the plurality of sub-groups and includes a key. The key includes the first value and a selected one of the second values, and the selected one of the second values corresponds to a hash value.

Abstract: A storage cluster includes a plurality of key-value storage nodes categorized into sub-groups of data associated with a first value identifying the sub-group and second values identifying respective subsets of data. A key-value processing system receives at least one of a first request to retrieve a selected one of the sub-groups of data, the first request including a plurality of keys, each of the plurality of keys including the first value and a respective one of the second values, and a second request to retrieve a selected one of the subsets of data. The second request includes a key having the first value and a selected one of the second values. The selected one of the second values corresponds to a hash value. The storage cluster selectively provides at least one of the selected one of the sub-groups of data and the selected one of the subsets of data.

Abstract: An anomaly detection system is provided and includes a processor, a memory, and a security application that is stored in the memory and includes instructions. The instructions are configured to collect information of behavior data for the users of an organization accessing cloud applications via a distributed network. The behavior data includes one or more parameters tracked over time for the users. The instructions are further configured to: establish baselines for each of the users and for each of the cloud applications or types of cloud applications of the organization; detect anomalies based on the baselines; provide aggregated anomaly data by aggregating anomalies corresponding to two or more of the baselines and a same behavior or corresponding to multiple users of a same cloud application during a same period of time; determine a risk value based on the aggregated anomaly data; and perform a countermeasure based on the risk value.

Abstract: An anomaly detection system is provided and includes a processor, a memory and a security application stored in the memory and including instructions. The instructions are for collecting behavior data corresponding to users of an organization accessing cloud applications. The behavior data includes parameters tracked over time for the users. The instructions are for: creating a first model based on the behavior data tracked for the users; creating a second model corresponding to a first user based on the parameters tracked for the users except the first user, where the second model excludes behavior data pertaining to the first user; scoring the second model based on the first model to generate a first score; determining whether the first user is an outlier based on the first score; and removing the behavior data corresponding to the first user from the first model if the first user is an outlier.

Abstract: A system for determining whether a velocity event is fake or real is provided. The system accesses a data store of velocity events, each of which specifies a pair of addresses that share the velocity event. For each address of the velocity events, the system sets a score for that address based on the number of addresses that share a velocity event with that address. When the score for that address satisfies an originating address criterion, the system designates that address as an originating address. The system may determine that a velocity event is real when both addresses of the velocity event are originating addresses.

Abstract: A system and method for planning, manipulating, processing and editing DNA molecules utilizing a core operation on a given input DNA molecule to produce a targeted DNA molecule.

Abstract: A method for manufacturing synthetic genes and combinatorial DNA and protein libraries, termed here Divide and Conquer-DNA synthesis (D&C-DNA synthesis) method. The method can be used in a systematic and automated way to synthesize any long DNA molecule and, more generally, any combinatorial molecular library having the mathematical property of being a regular set of strings. The D&C-DNA synthesis method is an algorithm design paradigm that works by recursively breaking down a problem into two or more sub-problems of the same type. The division of long DNA sequences is done in silico. The assembly of the sequence is done in vitro. The D&C-DNA synthesis method protocol consists of a tree, in which each node represents an intermediate sequence. The internal nodes are created in elongation reactions from their daughter nodes, and the leaves are synthesized directly. After each elongation only one DNA strand passes to the next level in the tree until receiving the final product.

Abstract: A method for manufacturing synthetic genes and combinatorial DNA and protein libraries, termed here Divide and Conquer-DNA synthesis (D&C-DNA synthesis) method. The method can be used in a systematic and automated way to synthesize any long DNA molecule and, more generally, any combinatorial molecular library having the mathematical property of being a regular set of strings. The D&C-DNA synthesis method is an algorithm design paradigm that works by recursively breaking down a problem into two or more sub-problems of the same type. The division of long DNA sequences is done in silico. The assembly of the sequence is done in vitro. The D&C-DNA synthesis method protocol consists of a tree, in which each node represents an intermediate sequence. The internal nodes are created in elongation reactions from their daughter nodes, and the leaves are synthesized directly. After each elongation only one DNA strand passes to the next level in the tree until receiving the final product.

Abstract: A method, apparatus and system for performing single molecule PCR for amplification from single stranded polynucleotides.

Abstract: A method of generating a cell lineage tree of a plurality of cells of an individual is provided. The method comprising: (a) determining at least one genotypic marker for each cell of the plurality of cells; and (b) computationally clustering data representing the at least one genotypic marker to thereby generate the cell lineage tree of the plurality of cells of the individual.