Abstract: A system and method is described for providing custom predictive models for detecting electronic security threats within an enterprise computer network. The custom models may be defined in a declarative language. The custom models, along with native models, may be combined together to provide custom machine learning (ML) use cases.

Abstract: Predictive entity resolution uses a set of identity models to resolve an attribute to one or more associated entities, possibly with respective probabilities, at a particular time. The predictive entity resolution generates the sets of identity models from evidence events received from evidence sources. Each evidence event has at least one attribute and an associated time stamp.

Abstract: First-order anomaly scores are received from related anomaly detectors. Each first-order anomaly score indicates a likelihood of an anomaly at a target system. A relatedness measure of the related anomaly detectors is determined, based on the first-order anomaly scores that have been received. A higher-order anomaly score is determined based on the relatedness measure that has been determined. The higher-order anomaly score indicates a likelihood of an anomaly at the target system. An anomaly at the target system is detected based on the higher-order anomaly score.

Abstract: The present invention provides a method, system and computer program product for analyzing risks, for example associated with potential data leakage. Risk for activities may be measured as a function of risk components related to: persons involved in the activity; sensitivity of data at risk; endpoint receiving data at risk; and type the activity. Risk may account for the probability of a leakage event given an activity as well as a risk cost which reflects the above risk components. Manually and/or automatically tuned parameters may be used to affect the risk calculation. Risk associated with persons and/or files may be obtained by: initializing risk scores of persons or files based on a rule set; adjusting the risk scores in response to ongoing monitoring of events; identifying commonalities across persons or files; and propagating risk scores based on the commonalities.

Abstract: Sensitive data may be anonymized for use in user interfaces by applying a cryptographic hash function to the data. The hashed value may be broken into hash tokens and the hash tokens converted to human readable tokens using a 1:1 conversion function. The human readable tokens can then be concatenated together to provide a human readable identifier of the sensitive data.

Abstract: A system and method is described for providing custom predictive models for detecting electronic security threats within an enterprise computer network. The custom models may be defined in a declarative language. The custom models, along with native models, may be combined together to provide custom machine learning (ML) use cases.

Abstract: The present invention provides methods for providing mathematical regression analysis. In particular, the method for conducting regression analysis comprises the steps of: selecting a regression model; selecting an initial set of regression parameters; applying the regression model to the initial set of regression parameters to create an initial set of regression values; selecting an improved set of regression values, wherein the improved set of regression values is selected from the set of initial regression values; generating a loss function based on the improved set; applying an iterative optimization method to the loss function and the improved set of regression values to generate a resultant set of regression values; and outputting the resultant set of regression values.

Abstract: The present invention provides a method of identifying aggregating and mathematically ranking security alert data having the steps of identifying a plurality of alerts, selecting a subset of the plurality alerts based on at least one preselected theme, applying a function to the subset of the plurality alerts to compute an aggregate risk score, the function based on at least one factor and prioritizing the aggregate risk score in a risk score list.

Abstract: The systems and methods described herein, given a population of entities each with associated information technology (IT) security risk scores, computes an aggregate risk score which quantifies the overall risk of the population. The method works for any arbitrary population of any size, and of any combination of different entity types and results in normalized risk scores for the arbitrary population (i.e. in the [0,1] range, regardless of population size or makeup). Since the risk scores are normalized, it affords comparison across different arbitrary entity populations having different combinations of entity types (e.g. users, servers, and printers). The aggregation technique allows for sensitivity to small numbers of high risk entities, which is a highly desirable characteristic for risk-based applications, and allows for sensitivity to different entity types or other relevant factors such as higher risk users, different threat types.

Abstract: Humans as well as non-human actors may interact with computer devices on a computer network. As described herein, it is possible to train and apply human vs. non-human detection models to provide an indication of the probability that a human or a non-human actor was interacting with a computer device during a particular time period. The probability that a human or non-human was interacting with computers during a particular time may be used to improve various actions, including selecting one or more different threat detection models to apply during the particular time, selecting data to use with threat detection models during the time, or selecting data from the particular time to store.

Abstract: Sensitive data may be anonymized for use in user interfaces by applying a cryptographic hash function to the data. The hashed value may be broken into hash tokens and the hash tokens converted to human readable tokens using a 1:1 conversion function. The human readable tokens can then be concatenated together to provide a human readable identifier of the sensitive data.

Abstract: The present invention provides a method, system and computer program product for analyzing risks, for example associated with potential data leakage. Risk for activities may be measured as a function of risk components related to: persons involved in the activity; sensitivity of data at risk; endpoint receiving data at risk; and type the activity. Risk may account for the probability of a leakage event given an activity as well as a risk cost which reflects the above risk components. Manually and/or automatically tuned parameters may be used to affect the risk calculation. Risk associated with persons and/or files may be obtained by: initializing risk scores of persons or files based on a rule set; adjusting the risk scores in response to ongoing monitoring of events; identifying commonalities across persons or files; and propagating risk scores based on the commonalities.

Abstract: The present invention provides a method, system and computer program product for analyzing risks, for example associated with potential data leakage. Risk for activities may be measured as a function of risk components related to: persons involved in the activity; sensitivity of data at risk; endpoint receiving data at risk; and type the activity. Risk may account for the probability of a leakage event given an activity as well as a risk cost which reflects the above risk components. Manually and/or automatically tuned parameters may be used to affect the risk calculation. Risk associated with persons and/or files may be obtained by: initializing risk scores of persons or files based on a rule set; adjusting the risk scores in response to ongoing monitoring of events; identifying commonalities across persons or files; and propagating risk scores based on the commonalities.

Abstract: The present invention provides a method of identifying aggregating and mathematically ranking security alert data having the steps of identifying a plurality of alerts, selecting a subset of the plurality alerts based on at least one preselected theme, applying a function to the subset of the plurality alerts to compute an aggregate risk score, the function based on at least one factor and prioritizing the aggregate risk score in a risk score list.

Abstract: The present invention provides methods for providing mathematical regression analysis. In particular, the method for conducting regression analysis comprises the steps of: selecting a regression model; selecting an initial set of regression parameters; applying the regression model to the initial set of regression parameters to create an initial set of regression values; selecting an improved set of regression values, wherein the improved set of regression values is selected from the set of initial regression values; generating a loss function based on the improved set; applying an iterative optimization method to the loss function and the improved set of regression values to generate a resultant set of regression values; and outputting the resultant set of regression values.

Abstract: A report rendering system and method of filtering and navigating reports on mobile devices are provided. The report rendering system comprises a scene generator for generating a scene of a report in response to a request to view the report or a subset of the report and a navigation module for storing selected components within the scene. The method comprises the steps of generating a scene of a report in response to a request to view the report or a subset of the report and storing selected components within the scene.

Abstract: The present invention provides a method, system and computer program product for analyzing risks, for example associated with potential data leakage. Risk for activities may be measured as a function of risk components related to: persons involved in the activity; sensitivity of data at risk; endpoint receiving data at risk; and type the activity. Risk may account for the probability of a leakage event given an activity as well as a risk cost which reflects the above risk components. Manually and/or automatically tuned parameters may be used to affect the risk calculation. Risk associated with persons and/or files may be obtained by: initializing risk scores of persons or files based on a rule set; adjusting the risk scores in response to ongoing monitoring of events; identifying commonalities across persons or files; and propagating risk scores based on the commonalities.

Abstract: A report representation system and method of transforming report outputs into a standard representation format are provided. The report representation system comprises a report parser for parsing a report output, a code generator for generating a standard representation code of the report output and a code compiler for converting the standard representation code into a format representable as a fixed schema repository. The method comprises the steps of parsing a report output, generating a standard representation code of the report output and converting the standard representation code into a format representable as a fixed schema repository.

Abstract: A report representation system and method of transforming report outputs into a standard representation format are provided. The report representation system comprises a report parser for parsing a report output, a code generator for generating a standard representation code of the report output and a code compiler for converting the standard representation code into a format representable as a fixed schema repository. The method comprises the steps of parsing a report output, generating a standard representation code of the report output and converting the standard representation code into a format representable as a fixed schema repository.

Abstract: A report rendering system and method of filtering and navigating reports on mobile devices are provided. The report rendering system comprises a scene generator for generating a scene of a report in response to a request to view the report or a subset of the report and a navigation module for storing selected components within the scene.