Patents by Inventor Stephen Dodson

Stephen Dodson has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11783046
    Abstract: Anomaly detection in computing environments is disclosed herein. An example method includes receiving an unstructured input stream of data instances from the computing environment, the unstructured input stream being time stamped; categorizing the data instances of the unstructured input stream of data instances, the data instances comprising at least one principal value and a set of categorical attributes determined through machine learning; generating anomaly scores for each of the data instances collected over a period of time; and detecting a change in the categorical attribute that is indicative of an anomaly.
    Type: Grant
    Filed: December 27, 2017
    Date of Patent: October 10, 2023
    Assignee: Elasticsearch B.V.
    Inventors: Stephen Dodson, Thomas Veasey, David Mark Roberts
  • Patent number: 11657309
    Abstract: The field of the disclosure relates generally to a method and system for analyzing behavior of a computer infrastructure and displaying the behavior of the computer infrastructure in a graphical manner. The system comprises an analytical engine connected to agents running on devices in the computer infrastructure and analyzing continuous data and asynchronous data.
    Type: Grant
    Filed: May 28, 2019
    Date of Patent: May 23, 2023
    Assignee: Elasticsearch B.V.
    Inventor: Stephen Dodson
  • Patent number: 11621969
    Abstract: Clustering and outlier detection in anomaly and causation detection for computing environments is disclosed. An example method includes receiving an input stream having data instances, each of the data instances having multi-dimensional attribute sets, identifying any of outliers and singularities in the data instances, extracting the outliers and singularities, grouping two or more of the data instances into one or more groups based on correspondence between the multi-dimensional attribute sets and a clustering type, and displaying the grouped data instances that are not extracted in a plurality of clustering maps on an interactive graphical user interface, wherein each of the plurality of clustering maps is based on a unique clustering type.
    Type: Grant
    Filed: December 28, 2017
    Date of Patent: April 4, 2023
    Assignee: Elasticsearch B.V.
    Inventors: Stephen Dodson, Thomas Veasey
  • Publication number: 20220327409
    Abstract: Real time detection of cyber threats using behavioral analytics is disclosed. An example method includes obtaining, in real time, attributes for an entity within a population of entities, the attributes being indicative of entity behavior; building an entity probability model using the attributes and associated values collected over a period of time; and establishing a control portion of the entity probability model associated with a portion of the period of time. The example method includes comparing any of the entity attribute values and the entity probability model for other portions of the period of time to the control portion to identify one or more anomalous differences, and executing a remediation action based thereon. Some embodiments include determining a set comprising the anomalous differences and additional anomalous differences for the entity or the entity's peer group, and calculating the set's overall probability to determine if the entity is malicious.
    Type: Application
    Filed: June 23, 2022
    Publication date: October 13, 2022
    Inventors: Stephen Dodson, Thomas Veasey
  • Patent number: 11423478
    Abstract: A system and method for detecting fraudulent activity in the execution of transactions is disclosed. The system comprises a monitoring device for reviewing data relating to execution of transactions, a transaction profile and an alert module. The transaction profile includes a plurality of historic data items relating to typical transactions, which can be compared with current execution of transactions to generate an alert by the alert module if unusual activity is determined.
    Type: Grant
    Filed: January 13, 2017
    Date of Patent: August 23, 2022
    Assignee: Elasticsearch B.V.
    Inventor: Stephen Dodson
  • Patent number: 11386343
    Abstract: Real time detection of cyber threats using behavioral analytics is disclosed. An example method includes obtaining, in real time, attributes for an entity within a population of entities, the attributes being indicative of entity behavior; building an entity probability model using the attributes and associated values collected over a period of time; and establishing a control portion of the entity probability model associated with a portion of the period of time. The example method includes comparing any of the entity attribute values and the entity probability model for other portions of the period of time to the control portion to identify one or more anomalous differences, and executing a remediation action based thereon. Some embodiments include determining a set comprising the anomalous differences and additional anomalous differences for the entity or the entity's peer group, and calculating the set's overall probability to determine if the entity is malicious.
    Type: Grant
    Filed: May 9, 2017
    Date of Patent: July 12, 2022
    Assignee: Elasticsearch B.V.
    Inventors: Stephen Dodson, Thomas Veasey
  • Publication number: 20210248230
    Abstract: A system and method for the detection of irregularities, such as fraud or malware, running on a device, is disclosed. An example method includes receiving new ones of data items indicative of the device's current operation; determining whether the new ones of data items deviate from the device's typical operation by comparing the new ones of data items to a profile relating to the typical operation of the device, wherein the deviating includes either using an infrequently used one of incoming ports and outgoing ports or continually accessing a new website. The example method can further include based on the determining: updating the device baseline profile to create an updated device baseline profile with the new ones of data items if the new ones of data items do not deviate from the typical operation of the device; and generating an alert if the new ones of data items do deviate from the typical operation of the device.
    Type: Application
    Filed: April 30, 2021
    Publication date: August 12, 2021
    Inventor: Stephen Dodson
  • Patent number: 11068588
    Abstract: A system and method for the detection of irregularities, such as fraud or malware, running on a device, is disclosed. An example method includes receiving new ones of data items indicative of the device's current operation; determining whether the new ones of data items deviate from the device's typical operation by comparing the new ones of data items to a profile relating to the typical operation of the device, wherein the deviating includes either using an infrequently used one of incoming ports and outgoing ports or continually accessing a new website. The example method can further include based on the determining: updating the device baseline profile to create an updated device baseline profile with the new ones of data items if the new ones of data items do not deviate from the typical operation of the device; and generating an alert if the new ones of data items do deviate from the typical operation of the device.
    Type: Grant
    Filed: January 31, 2020
    Date of Patent: July 20, 2021
    Assignee: Elasticsearch B.V.
    Inventor: Stephen Dodson
  • Publication number: 20210200782
    Abstract: Creating and performing transforms for indexed data on a continuous basis. An example method includes receiving from a user a selection of a source index, the source index comprising data including a collection of documents; receiving from the user a selection of one or more fields; creating a transform of the source index based at least on the selected one or more fields; and updating the transform based at least on the selected one or more fields on a continuous basis in response to new data being ingested into the source index. The example method further includes performing the transform, comprising automatically causing display of a visual representation of the transformed source index on a computer device of the user; and automatically storing the transformed source index to a destination index. Transforms can be used to pivot a user's indexed data into a new entity-centric index.
    Type: Application
    Filed: December 30, 2019
    Publication date: July 1, 2021
    Inventors: Stephen Dodson, Hendrik Muhs
  • Publication number: 20210194910
    Abstract: Anomaly and causation detection in computing environments are disclosed. An example method includes receiving an input stream of data instances for a time series, each of the data instances being time stamped and including at least one principal value and a set of categorical attributes; generating anomaly scores for each of the data instances over time intervals; detecting a change in the anomaly scores over the time intervals for the data instances; and identifying which of the set of categorical attributes of the data instances caused the change in the anomaly scores using a counterfactual analysis. The counterfactual analysis may comprise removing a portion of the data instances; regenerating the anomaly scores for each of the remaining data instances over the time intervals; and if the anomaly scores are improved, identifying the portion as a cause of anomalous activity. Recommendations to remediate the cause may be generated.
    Type: Application
    Filed: March 4, 2021
    Publication date: June 24, 2021
    Inventors: Stephen Dodson, Thomas Veasey
  • Patent number: 11017330
    Abstract: A method and system for analysing data is disclosed. One or more data records are passed to a data analysis system. The data records comprise a plurality of data items, and a first one of the data items is selected from the data items in the data record. A statistical model can be retrieved from a store in a computer system and the statistical model used to detect abnormal results from the selected data item and produce a data model. This statistical model is stored with the data record in the database.
    Type: Grant
    Filed: May 20, 2015
    Date of Patent: May 25, 2021
    Assignee: Elasticsearch B.V.
    Inventor: Stephen Dodson
  • Patent number: 10986110
    Abstract: Anomaly and causation detection in computing environments are disclosed. An example method includes receiving an input stream of data instances for a time series, each of the data instances being time stamped and including at least one principal value and a set of categorical attributes; generating anomaly scores for each of the data instances over continuous time intervals; detecting a change in the anomaly scores over the continuous time intervals for the data instances; and identifying which of the set of categorical attributes of the data instances caused the change in the anomaly scores using a counterfactual analysis. The counterfactual analysis may comprise removing a portion of the data instances; regenerating the anomaly scores for each of the remaining data instances over the continuous time intervals; and if the anomaly scores are improved, identifying the portion as a cause of anomalous activity. Recommendations to remediate the cause may be generated.
    Type: Grant
    Filed: April 26, 2017
    Date of Patent: April 20, 2021
    Assignee: Elasticsearch B.V.
    Inventors: Stephen Dodson, Thomas Veasey
  • Publication number: 20200167468
    Abstract: A system and method for the detection of irregularities, such as fraud or malware, running on a device, is disclosed. An example method includes receiving new ones of data items indicative of the device's current operation; determining whether the new ones of data items deviate from the device's typical operation by comparing the new ones of data items to a profile relating to the typical operation of the device, wherein the deviating includes either using an infrequently used one of incoming ports and outgoing ports or continually accessing a new website. The example method can further include based on the determining: updating the device baseline profile to create an updated device baseline profile with the new ones of data items if the new ones of data items do not deviate from the typical operation of the device; and generating an alert if the new ones of data items do deviate from the typical operation of the device.
    Type: Application
    Filed: January 31, 2020
    Publication date: May 28, 2020
    Inventor: Stephen Dodson
  • Patent number: 10558799
    Abstract: A system and method for the detection of irregularities, such as fraud or malware, running on a device, is disclosed. The system comprises a monitoring program for reviewing data relating to operation of the device, a device profile including data items relating to typical operation of the device generated from messages relating to the device; and an alert module for generating an alert on detection of unusual activity relating to the device.
    Type: Grant
    Filed: August 4, 2017
    Date of Patent: February 11, 2020
    Assignee: Elasticsearch B.V.
    Inventor: Stephen Dodson
  • Publication number: 20190279098
    Abstract: The field of the disclosure relates generally to a method and system for analyzing behavior of a computer infrastructure and displaying the behavior of the computer infrastructure in a graphical manner. The system comprises an analytical engine connected to agents running on devices in the computer infrastructure and analyzing continuous data and asynchronous data.
    Type: Application
    Filed: May 28, 2019
    Publication date: September 12, 2019
    Inventor: Stephen Dodson
  • Patent number: 10346744
    Abstract: The field of the disclosure relates generally to a method and system for analyzing behavior of a computer infrastructure and displaying the behavior of the computer infrastructure in a graphical manner. The system comprises an analytical engine connected to agents running on devices in the computer infrastructure and analyzing continuous data and asynchronous data.
    Type: Grant
    Filed: March 26, 2013
    Date of Patent: July 9, 2019
    Assignee: Elasticsearch B.V.
    Inventor: Stephen Dodson
  • Publication number: 20190197413
    Abstract: Forecasting resource allocation is disclosed. An example method includes receiving operating data from a resource; applying periodicity tests to the received operating data using a plurality of sketches of time series of prior operating data, the periodicity tests generating periodic components; applying regression models to the received operating data, the regression models collectively generating a trend component, each regression model being applied over a different time scale of a plurality of time scales; computing a trend model using the periodic components and a trend component; determining a random process describing the historical evolution of the trend model; and calculating and providing a mean prediction, an upper bound, and a lower bound for resource utilization at a future time using the trend model and a predicted distribution.
    Type: Application
    Filed: December 27, 2017
    Publication date: June 27, 2019
    Inventors: Thomas Veasey, Stephen Dodson
  • Publication number: 20180330257
    Abstract: Real time detection of cyber threats using behavioral analytics is disclosed. An example method includes obtaining, in real time, attributes for an entity within a population of entities, the attributes being indicative of entity behavior; building an entity probability model using the attributes and associated values collected over a period of time; and establishing a control portion of the entity probability model associated with a portion of the period of time. The example method includes comparing any of the entity attribute values and the entity probability model for other portions of the period of time to the control portion to identify one or more anomalous differences, and executing a remediation action based thereon. Some embodiments include determining a set comprising the anomalous differences and additional anomalous differences for the entity or the entity's peer group, and calculating the set's overall probability to determine if the entity is malicious.
    Type: Application
    Filed: May 9, 2017
    Publication date: November 15, 2018
    Inventors: Stephen Dodson, Thomas Veasey
  • Publication number: 20180316707
    Abstract: Clustering and outlier detection in anomaly and causation detection for computing environments is disclosed. An example method includes receiving an input stream having data instances, each of the data instances having multi-dimensional attribute sets, identifying any of outliers and singularities in the data instances, extracting the outliers and singularities, grouping two or more of the data instances into one or more groups based on correspondence between the multi-dimensional attribute sets and a clustering type, and displaying the grouped data instances that are not extracted in a plurality of clustering maps on an interactive graphical user interface, wherein each of the plurality of clustering maps is based on a unique clustering type.
    Type: Application
    Filed: December 28, 2017
    Publication date: November 1, 2018
    Inventors: Stephen Dodson, Thomas Veasey
  • Publication number: 20180314835
    Abstract: Anomaly detection in computing environments is disclosed herein. An example method includes receiving an unstructured input stream of data instances from the computing environment, the unstructured input stream being time stamped; categorizing the data instances of the unstructured input stream of data instances, the data instances comprising at least one principal value and a set of categorical attributes determined through machine learning; generating anomaly scores for each of the data instances collected over a period of time; and detecting a change in the categorical attribute that is indicative of an anomaly.
    Type: Application
    Filed: December 27, 2017
    Publication date: November 1, 2018
    Inventors: Stephen Dodson, Thomas Veasey, David Mark Roberts