Abstract: A dynamically generated search query is generated based on rarity scores associated with raw-level computer events. Event data is pre-processed using historical information about the frequency, or rarity, of instances of individual events. Each event is assigned one or more labels that identify the event based on the historical information. The rarity scores represent probabilities of events occurring with the same labels. The rarity scores are associated with n-grams of the labels (e.g., a combination of two labels, three labels, etc.). A label n-gram score is calculated based on newly observed events and the rarity scores corresponding to the label n-grams. The search query is generated based on the label n-gram score. The search query is executed against a database to retrieve information, such as diagnostics, used to alert an administrator to events that are potentially anomalous.

Abstract: A dynamically generated search query is generated based on rarity scores associated with raw-level computer events. Event data is pre-processed using historical information about the frequency, or rarity, of instances of individual events. Each event is assigned one or more labels that identify the event based on the historical information. The rarity scores represent probabilities of events occurring with the same labels. The rarity scores are associated with n-grams of the labels (e.g., a combination of two labels, three labels, etc.). A label n-gram score is calculated based on newly observed events and the rarity scores corresponding to the label n-grams. The search query is generated based on the label n-gram score. The search query is executed against a database to retrieve information, such as diagnostics, used to alert an administrator to events that are potentially anomalous.

Abstract: Script and command line exploitation detection is described. Initially, an exploitation detection system collects data describing scripts and command lines launched by various computing devices. The exploitation detection system clusters the scripts and command lines based on a measure of similarity, namely, Bilingual Evaluation Understudy (BLEU) score. Given the clusters and the data describing the scripts and command lines, the exploitation detection system generates encodings of the scripts and command lines for input to a machine learning model, e.g., an autoencoder. From this model, the exploitation detection system receives a measure of unlikeliness that a process corresponding to a given script or command line launches it. The exploitation detection system ranks the scripts and command lines according to the measure of unlikeliness. In this way, the exploitation detection system can display indications of the scripts and command lines that are most unlikely to be launched by their respective process.

Abstract: Script and command line exploitation detection is described. Initially, an exploitation detection system collects data describing scripts and command lines launched by various computing devices. The exploitation detection system clusters the scripts and command lines based on a measure of similarity, namely, Bilingual Evaluation Understudy (BLEU) score. Given the clusters and the data describing the scripts and command lines, the exploitation detection system generates encodings of the scripts and command lines for input to a machine learning model, e.g., an autoencoder. From this model, the exploitation detection system receives a measure of unlikeliness that a process corresponding to a given script or command line launches it. The exploitation detection system ranks the scripts and command lines according to the measure of unlikeliness. In this way, the exploitation detection system can display indications of the scripts and command lines that are most unlikely to be launched by their respective process.