Abstract: A system and method is described for providing custom predictive models for detecting electronic security threats within an enterprise computer network. The custom models may be defined in a declarative language. The custom models, along with native models, may be combined together to provide custom machine learning (ML) use cases.

Abstract: A computing device includes a processor and a medium storing instructions. The instructions are executable by the processor to: receive a database query for an approximate aggregation of a numerical value of a plurality of records, wherein each record includes the numerical value and a filter value; in response to the database query, determine a count of records that have filter values within an importance threshold associated with the database query; and determine the approximate aggregation of the numerical value based on the count of records and the importance threshold associated with the database query.

Abstract: An apparatus may include a processor that may be caused to access a distribution of a plurality of values, each value of the plurality of values quantifying an event of an event type in a computer network. The processor may determine a mean of the plurality of values and a second highest value of the plurality of values, generate an expected maximum of the distribution based on the mean and the second highest value, and access a first value quantifying a first event of the event type in the computer network. The processor may further determine that the first event is an anomalous event based on the first value and the expected maximum.

Abstract: An apparatus may include a processor that may be caused to access a distribution of a plurality of values, each value of the plurality of values quantifying an event of an event type in a computer network. The processor may determine a mean of the plurality of values and a second highest value of the plurality of values, generate an expected maximum of the distribution based on the mean and the second highest value, and access a first value quantifying a first event of the event type in the computer network. The processor may further determine that the first event is an anomalous event based on the first value and the expected maximum.

Abstract: A file fingerprint may be provided as a composite of multiple hashes of different portions of the file. The composite hash allows the fingerprinting process to be interrupted while still providing information about a likely hood of two files being identical.

Abstract: A computing device includes a processor and a medium storing instructions. The instructions are executable by the processor to: receive a database query for an approximate aggregation of a numerical value of a plurality of records, wherein each record includes the numerical value and a filter value; in response to the database query, determine a count of records that have filter values within an importance threshold associated with the database query; and determine the approximate aggregation of the numerical value based on the count of records and the importance threshold associated with the database query.

Abstract: The present invention provides a method, system and computer program product for analyzing risks, for example associated with potential data leakage. Risk for activities may be measured as a function of risk components related to: persons involved in the activity; sensitivity of data at risk; endpoint receiving data at risk; and type the activity. Risk may account for the probability of a leakage event given an activity as well as a risk cost which reflects the above risk components. Manually and/or automatically tuned parameters may be used to affect the risk calculation. Risk associated with persons and/or files may be obtained by: initializing risk scores of persons or files based on a rule set; adjusting the risk scores in response to ongoing monitoring of events; identifying commonalities across persons or files; and propagating risk scores based on the commonalities.

Abstract: The systems and methods described herein, given a population of entities each with associated information technology (IT) security risk scores, computes an aggregate risk score which quantifies the overall risk of the population. The method works for any arbitrary population of any size, and of any combination of different entity types and results in normalized risk scores for the arbitrary population (i.e. in the [0,1] range, regardless of population size or makeup). Since the risk scores are normalized, it affords comparison across different arbitrary entity populations having different combinations of entity types (e.g. users, servers, and printers). The aggregation technique allows for sensitivity to small numbers of high risk entities, which is a highly desirable characteristic for risk-based applications, and allows for sensitivity to different entity types or other relevant factors such as higher risk users, different threat types.

Abstract: Humans as well as non-human actors may interact with computer devices on a computer network. As described herein, it is possible to train and apply human vs. non-human detection models to provide an indication of the probability that a human or a non-human actor was interacting with a computer device during a particular time period. The probability that a human or non-human was interacting with computers during a particular time may be used to improve various actions, including selecting one or more different threat detection models to apply during the particular time, selecting data to use with threat detection models during the time, or selecting data from the particular time to store.

Abstract: The present invention provides a method, system and computer program product for analyzing risks, for example associated with potential data leakage. Risk for activities may be measured as a function of risk components related to: persons involved in the activity; sensitivity of data at risk; endpoint receiving data at risk; and type the activity. Risk may account for the probability of a leakage event given an activity as well as a risk cost which reflects the above risk components. Manually and/or automatically tuned parameters may be used to affect the risk calculation. Risk associated with persons and/or files may be obtained by: initializing risk scores of persons or files based on a rule set; adjusting the risk scores in response to ongoing monitoring of events; identifying commonalities across persons or files; and propagating risk scores based on the commonalities.

Abstract: Sensitive data may be anonymized for use in user interfaces by applying a cryptographic hash function to the data. The hashed value may be broken into hash tokens and the hash tokens converted to human readable tokens using a 1:1 conversion function. The human readable tokens can then be concatenated together to provide a human readable identifier of the sensitive data.

Abstract: A system and method is described for providing custom predictive models for detecting electronic security threats within an enterprise computer network. The custom models may be defined in a declarative language. The custom models, along with native models, may be combined together to provide custom machine learning (ML) use cases.

Abstract: The present invention provides methods for providing mathematical regression analysis. In particular, the method for conducting regression analysis comprises the steps of: selecting a regression model; selecting an initial set of regression parameters; applying the regression model to the initial set of regression parameters to create an initial set of regression values; selecting an improved set of regression values, wherein the improved set of regression values is selected from the set of initial regression values; generating a loss function based on the improved set; applying an iterative optimization method to the loss function and the improved set of regression values to generate a resultant set of regression values; and outputting the resultant set of regression values.

Abstract: The present invention provides a method of identifying aggregating and mathematically ranking security alert data having the steps of identifying a plurality of alerts, selecting a subset of the plurality alerts based on at least one preselected theme, applying a function to the subset of the plurality alerts to compute an aggregate risk score, the function based on at least one factor and prioritizing the aggregate risk score in a risk score list.

Abstract: A file fingerprint may be provided as a composite of multiple hashes of different portions of the file. The composite hash allows the fingerprinting process to be interrupted while still providing information about a likely hood of two files being identical.

Abstract: The systems and methods described herein, given a population of entities each with associated information technology (IT) security risk scores, computes an aggregate risk score which quantifies the overall risk of the population. The method works for any arbitrary population of any size, and of any combination of different entity types and results in normalized risk scores for the arbitrary population (i.e. in the [0,1] range, regardless of population size or makeup). Since the risk scores are normalized, it affords comparison across different arbitrary entity populations having different combinations of entity types (e.g. users, servers, and printers). The aggregation technique allows for sensitivity to small numbers of high risk entities, which is a highly desirable characteristic for risk-based applications, and allows for sensitivity to different entity types or other relevant factors such as higher risk users, different threat types.

Abstract: Humans as well as non-human actors may interact with computer devices on a computer network. As described herein, it is possible to train and apply human vs. non-human detection models to provide an indication of the probability that a human or a non-human actor was interacting with a computer device during a particular time period. The probability that a human or non-human was interacting with computers during a particular time may be used to improve various actions, including selecting one or more different threat detection models to apply during the particular time, selecting data to use with threat detection models during the time, or selecting data from the particular time to store.

Abstract: Sensitive data may be anonymized for use in user interfaces by applying a cryptographic hash function to the data. The hashed value may be broken into hash tokens and the hash tokens converted to human readable tokens using a 1:1 conversion function. The human readable tokens can then be concatenated together to provide a human readable identifier of the sensitive data.

Abstract: The present invention provides a method, system and computer program product for analyzing risks, for example associated with potential data leakage. Risk for activities may be measured as a function of risk components related to: persons involved in the activity; sensitivity of data at risk; endpoint receiving data at risk; and type the activity. Risk may account for the probability of a leakage event given an activity as well as a risk cost which reflects the above risk components. Manually and/or automatically tuned parameters may be used to affect the risk calculation. Risk associated with persons and/or files may be obtained by: initializing risk scores of persons or files based on a rule set; adjusting the risk scores in response to ongoing monitoring of events; identifying commonalities across persons or files; and propagating risk scores based on the commonalities.

Abstract: The present invention provides a method, system and computer program product for analyzing risks, for example associated with potential data leakage. Risk for activities may be measured as a function of risk components related to: persons involved in the activity; sensitivity of data at risk; endpoint receiving data at risk; and type the activity. Risk may account for the probability of a leakage event given an activity as well as a risk cost which reflects the above risk components. Manually and/or automatically tuned parameters may be used to affect the risk calculation. Risk associated with persons and/or files may be obtained by: initializing risk scores of persons or files based on a rule set; adjusting the risk scores in response to ongoing monitoring of events; identifying commonalities across persons or files; and propagating risk scores based on the commonalities.