Patents by Inventor Tamer Salman

Tamer Salman has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240095352
    Abstract: Files uploaded to a cloud storage medium are considered. The files may include a mixture of files known to be malicious and known to be benign. The files are clustered using similarity of file features, e.g., based on distance in a feature space. File clusters may then be used to determine a threat status of an unknown file (a file whose threat status is unknown initially). A feature of the unknown file in the feature space is determined, and a distance in the feature space between the file and a file cluster is calculated. The distance between the unknown file and the file cluster is used to determine whether or not to perform a deep scan on the unknown file. If such a need is identified, and the deep scan indicates the unknown file is malicious, a cybersecurity action is triggered.
    Type: Application
    Filed: December 15, 2022
    Publication date: March 21, 2024
    Inventors: Tamer SALMAN, Andrey KARPOVSKY
  • Publication number: 20230360513
    Abstract: Methods, systems and apparatuses are described herein to provide adaptive severity functions for alerts, particularly security alerts. The adaptive severity functions may be aligned with an existing global security situation to upgrade or downgrade the severity of new and existing alerts. By taking into consideration the time factor along with other parameters, the alerts may be prioritized or reprioritized appropriately. The modification of the severity level for the alerts may be made based on rules and/or one or more triggering events or by using severity functions with or without the aid of artificial intelligence based on best-practice preferences.
    Type: Application
    Filed: July 20, 2023
    Publication date: November 9, 2023
    Inventors: Yotam LIVNY, Tamer SALMAN
  • Patent number: 11756404
    Abstract: Methods, systems and apparatuses are described herein to provide adaptive severity functions for alerts, particularly security alerts. The adaptive severity functions may be aligned with an existing global security situation to upgrade or downgrade the severity of new and existing alerts. By taking into consideration the time factor along with other parameters, the alerts may be prioritized or reprioritized appropriately. The modification of the severity level for the alerts may be made based on rules and/or one or more triggering events or by using severity functions with or without the aid of artificial intelligence based on best-practice preferences.
    Type: Grant
    Filed: April 8, 2019
    Date of Patent: September 12, 2023
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Yotam Livny, Tamer Salman
  • Patent number: 11750619
    Abstract: According to examples, an apparatus may include a memory on which is stored machine-readable instructions that may cause a processor to identify a privilege level assigned to a principal over a resource and determine whether the assigned privilege level is to be maintained or modified for the principal over the resource. Based on a determination that the assigned privilege level is to be maintained for the principal, the processor may determine whether access by the principal over the resource is to be limited and based on a determination that access to the resource is to be limited, apply a limited access by the principal over the resource.
    Type: Grant
    Filed: June 26, 2020
    Date of Patent: September 5, 2023
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Naama Kraus, Tamer Salman, Moshe Israel, Moshe Shalala, Idan Hen, Avihai Dvir, Rotem Lurie
  • Publication number: 20230275913
    Abstract: Techniques are described herein that are capable of using graph enrichment to detect a potentially malicious access attempt. A graph that includes nodes and configuration-based links is generated. The nodes represent respective resources. Behavior-based links are added to the graph based at least in part on traffic logs associated with at least a subset of the resources. An attempt to create a new behavior-based link is identified. A probability of the new behavior-based link being created in the graph is determined. The probability is based at least in part on the configuration-based links and the behavior-based links. The new behavior-based link is identified as a potentially malicious link based at least in part on the probability being less than or equal to a threshold probability. A security action is performed based at least in part on the new behavior-based link being identified as a potentially malicious link.
    Type: Application
    Filed: February 25, 2022
    Publication date: August 31, 2023
    Inventors: Shay Chriba SAKAZI, Andrey KARPOVSKY, Amit Magen MEDINA, Tamer SALMAN
  • Patent number: 11704431
    Abstract: Cybersecurity and data categorization efficiency are enhanced by providing reliable statistics about the number and location of sensitive data of different categories in a specified environment. These data sensitivity statistics are computed while iteratively sampling a collection of blobs, files, or other stored items that hold data. The items may be divided into groups, e.g., containers or directories. Efficient sampling algorithms are described. Data sensitivity statistic gathering or updating based on the sampling activity ends when a specified threshold has been reached, e.g., a certain number of items have been sampled, a certain amount of data has been sampled, sampling has used a certain amount of computational resources, or the sensitivity statistics have stabilized to a certain extent.
    Type: Grant
    Filed: May 29, 2019
    Date of Patent: July 18, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Naama Kraus, Tamer Salman, Salam Bashir
  • Publication number: 20230199003
    Abstract: The embodiments described herein are directed to generating labels for alerts and utilizing such labels to train a machine learning algorithm for generating more accurate alerts. For instance, alerts may be generated based on log data generated from an application. After an alert is issued, activity of a user in relation to the alert is tracked. The tracked activity is utilized to generate a metric for the alert indicating a level of interaction between the user and the alert. Based on the metric, the log data on which the alert is based is labeled as being indicative of one of suspicious activity or benign activity. During a training process, the labeled log data is provided to a supervised machine learning algorithm that learns what constitutes suspicious activity or benign activity. The algorithm generates a model, which is configured to receive newly-generated log data and issue security alerts based thereon.
    Type: Application
    Filed: December 20, 2021
    Publication date: June 22, 2023
    Inventors: Andrey KARPOVSKY, Roy LEVIN, Tamer SALMAN
  • Patent number: 11647035
    Abstract: An indication is received of a security alert. The indication is generated based on a detected anomaly in one of a data plane or a control plane of a computing environment. When the detected anomaly is in the data plane, the control plane is monitored for a subsequent anomaly in the control plane, and otherwise the data plane is monitored for a subsequent anomaly in the data plane. A correlation between the detected anomalies is determined. A notification of the security alert is sent when the correlation exceeds a predetermined threshold.
    Type: Grant
    Filed: September 15, 2020
    Date of Patent: May 9, 2023
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Andrey Karpovsky, Roy Levin, Tomer Rotstein, Michael Makhlevich, Tamer Salman, Ram Haim Pliskin
  • Publication number: 20230088034
    Abstract: Context-aware security policies and incident identification, via automated cloud graph building with security overlays, are determined and performed by systems and platforms. Graph nodes, of a graph associated with a computing system, that represent resources associated with the computing system and entities associated with the computing system that have respective associations to the resources are generated. Security attributes are determined and assigned to the graph nodes that represent the entities and resources, and static and dynamic connections between the graph nodes are added to the graph. Additionally, possible connections in the graph between the graph nodes are added based on heuristic relational determinations of the graph nodes. From the graph, security incidents and kill chains are identified, context-aware security policies are generated and validated, and scopes and relationships of applications are identified. Accordingly, security actions are taken for the computing system.
    Type: Application
    Filed: September 20, 2021
    Publication date: March 23, 2023
    Inventor: Tamer SALMAN
  • Patent number: 11580037
    Abstract: According to examples, an apparatus may include a memory on which is stored machine-readable instructions that may cause a processor to determine, for each of a plurality of members in a group, a respective least privilege level for a resource and determine, based on the determined respective least privilege levels, a privilege level to be assigned to the group for the resource. The instructions may also cause the processor to assign the determined privilege level to the group for the resource and apply the assigned privilege level to the members of the group for the resource.
    Type: Grant
    Filed: June 19, 2020
    Date of Patent: February 14, 2023
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Naama Kraus, Moshe Israel, Tamer Salman, Moshe Shalala, Rotem Lurie, Avihai Dvir
  • Patent number: 11481478
    Abstract: An anomalous user session detector is disclosed. A sequence of operations in a logon session for an authorized user is gathered. A supervised learning model is trained to identify the authorized user from the sequence of operations. An anomalous session is detected by querying the supervised learning model.
    Type: Grant
    Filed: March 27, 2019
    Date of Patent: October 25, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Roy Levin, Naama Kraus, Andrey Karpovsky, Tamer Salman
  • Patent number: 11418547
    Abstract: Embodiments are provided for integrating feedback into alert managing processes having defined alert policies. These policies define conditions that, when satisfied by certain detected activities, trigger an alert to be sent to a client. A determination is made that a current detected activity does satisfy the condition(s). Subsequent to determining that the set of conditions is satisfied and prior to actually generating the alert, the current detected activity is determined to share a relationship with previously received feedback that caused the alert policy to be modified. After being modified, the alert policy specified whether the alert is to be sent to the client, modified and then sent, suspended, or disabled. The alert is then either generated or refrained from being generated based on the alert policy.
    Type: Grant
    Filed: October 22, 2019
    Date of Patent: August 16, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Andrey Karpovsky, Yotam Livny, Fady Nasereldeen, Tamer Salman
  • Publication number: 20220131900
    Abstract: Methods, systems, apparatuses, and computer-readable storage mediums are described for machine learning-based techniques for identifying a deployment environment in which computing resources (e.g., servers, virtual machines, databases, etc.) reside and for enhancing security for the identified deployment environment. For instance, usage data is collected from the computing resources. The usage data is featurized and provided to a machine learning-based classification model that determines a deployment environment in which the computing resources reside based on the featurized usage data. Once the deployment environment is identified, a security policy that is applicable for the identified deployment environment is determined. The security policy specifies a plurality of recommended security settings that should be applied to the computing resources included in the identified deployment environment. The recommended security settings may be provided to the user (e.g.
    Type: Application
    Filed: October 26, 2020
    Publication date: April 28, 2022
    Inventors: Omer KARIN, Amit MAGEN, Moshe ISRAEL, Tamer SALMAN
  • Patent number: 11295013
    Abstract: An apparatus, a computer program product and a method for dimensionality reduction comprising: obtaining a set of Application Programming Interface (API) functions of a system invocable by a program, and a set of artifacts. Each artifact is associated with at least one API function and indicative of a functionality thereof. The method further comprising: clustering the API functions based on an analysis of the artifacts to create a set of clusters smaller than the set of API functions, such that each cluster comprises API functions having a similar functionality; and performing a dimensionality reduction to a feature vector using the set of clusters.
    Type: Grant
    Filed: December 11, 2017
    Date of Patent: April 5, 2022
    Assignee: International Business Machines Corporation
    Inventors: Fady Copty, Ayman Jarrous, Tamer Salman, Maksim Shudrak
  • Publication number: 20220086180
    Abstract: An indication is received of a security alert. The indication is generated based on a detected anomaly in one of a data plane or a control plane of a computing environment. When the detected anomaly is in the data plane, the control plane is monitored for a subsequent anomaly in the control plane, and otherwise the data plane is monitored for a subsequent anomaly in the data plane. A correlation between the detected anomalies is determined. A notification of the security alert is sent when the correlation exceeds a predetermined threshold.
    Type: Application
    Filed: September 15, 2020
    Publication date: March 17, 2022
    Inventors: Andrey KARPOVSKY, Roy LEVIN, Tomer ROTSTEIN, Michael MAKHLEVICH, Tamer SALMAN, Ram Haim PLISKIN
  • Publication number: 20210409419
    Abstract: According to examples, an apparatus may include a memory on which is stored machine-readable instructions that may cause a processor to identify a privilege level assigned to a principal over a resource and determine whether the assigned privilege level is to be maintained or modified for the principal over the resource. Based on a determination that the assigned privilege level is to be maintained for the principal, the processor may determine whether access by the principal over the resource is to be limited and based on a determination that access to the resource is to be limited, apply a limited access by the principal over the resource.
    Type: Application
    Filed: June 26, 2020
    Publication date: December 30, 2021
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Naama KRAUS, Tamer Salman, Moshe Israel, Moshe Shalala, Idan Hen, Avihai Dvir, Rotem Lurie
  • Publication number: 20210397565
    Abstract: According to examples, an apparatus may include a memory on which is stored machine-readable instructions that may cause a processor to determine, for each of a plurality of members in a group, a respective least privilege level for a resource and determine, based on the determined respective least privilege levels, a privilege level to be assigned to the group for the resource. The instructions may also cause the processor to assign the determined privilege level to the group for the resource and apply the assigned privilege level to the members of the group for the resource.
    Type: Application
    Filed: June 19, 2020
    Publication date: December 23, 2021
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Naama KRAUS, Moshe ISRAEL, Tamer SALMAN, Moshe SHALALA, Rotem LURIE, Avihai DVIR
  • Patent number: 11165791
    Abstract: Generally discussed herein are devices, systems, and methods for computer or other network device security. A method can include identifying a profile associated with event data regarding an operation performed on a cloud resource, determining whether the event data is associated with anomalous customer interaction with the cloud resource, in response to determining the event data is associated with anomalous customer interaction, identifying whether another cloud resource of the cloud resources with a lower granularity profile that is associated with the profile of the cloud resource has previously been determined to be a target of an anomalous operation, and providing a single alert to a client device indicating the anomalous behavior on the cloud resource in response to determining both the event data is associated with anomalous customer interaction and the another cloud resource is determined to be the target of the anomalous operation.
    Type: Grant
    Filed: March 13, 2019
    Date of Patent: November 2, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Andrey Karpovsky, Ron Matchoro, Haim Saadia Ben Danan, Yotam Livny, Naama Kraus, Roy Levin, Tamer Salman
  • Patent number: 11106789
    Abstract: Anomalous sequences are detected by approximating user sessions with heuristically extracted event sequences, allowing behavior analysis even without user identification or session identifiers. Extraction delimiters may include event count or event timing constraints. Event sequences extracted from logs or other event lists are vectorized and embedded in a vector space. A machine learning model similarity function measures anomalousness of a candidate sequence relative to a specified history, thus computing an anomaly score. Restrictions may be placed on the history to focus on a particular IP address or time frame, without retraining the model. Anomalous sequences may generate alerts, prompt investigations by security personnel, trigger automatic mitigation, trigger automatic acceptance, trigger tool configuration actions, or result in other cybersecurity actions.
    Type: Grant
    Filed: March 5, 2019
    Date of Patent: August 31, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Naama Kraus, Roy Levin, Andrey Karpovsky, Tamer Salman
  • Patent number: 11005893
    Abstract: Methods, systems, apparatuses, and computer program products are provided for generating a network security rule. Existing security rules may be determined across a network that includes a plurality of network resources, such as computing devices or virtual machines. A map is generated that identifies each of the permitted connections between the resources over the network. In some implementations, the map may include a network topology map. Network traffic data for each of the permitted connections may be gathered or monitored. Based on the existing security rules and the gathered network traffic data, an enhanced security rule may be generated for a particular connection that reduces data traffic over the connection, which improves network security by further hardening the available communication paths.
    Type: Grant
    Filed: December 4, 2018
    Date of Patent: May 11, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Tamer Salman, Ben Kliger, Bolous AbuJaber