Patents by Inventor Tomer Koren

Tomer Koren has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230325500
    Abstract: According to examples, an apparatus may include a processor and a memory on which is stored machine-readable instructions that may cause the processor to identify a container image group of a plurality of container image groups to which a subject container image corresponds, in which each of the plurality of container image groups is assigned a respective behavioral profile. The processor may also determine whether activities in the subject container image comply with corresponding activities identified in the behavioral profile of the identified container image group. Based on a determination that at least one activity in the subject container image fails to comply with a corresponding at least one activity identified in the behavioral profile of the identified container image group, the processor may determine that the subject container image includes an anomalous activity and output an alert indicating that the subject container image includes an anomalous activity.
    Type: Application
    Filed: April 8, 2022
    Publication date: October 12, 2023
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Dotan Patrich, Josef Weizman, Tomer Koren, Eran Goldstein
  • Patent number: 11416613
    Abstract: Cybersecurity enhancements expose likely cyberattacks and command abuse while reducing false positives. Some embodiments ascertain an operating system mismatch, which occurs when a command tailored for operating system X is asserted in an environment tailored to operating system Y. False positives may be reduced by alerting on such a mismatch only when a command's process belongs to a web server or other targeted process, or uses the same supporting technology (e.g., framework, scripting language, or runtime environment) as the web server or other targeted process. Some embodiments watch for command abuse by spotting assertions of commands that appear frequently in cyberattacks even though those commands also have legitimate uses such as system administration, network administration, or software development.
    Type: Grant
    Filed: May 30, 2019
    Date of Patent: August 16, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Josef Weizman, Ram Haim Pliskin, Tomer Koren, Dotan Patrich
  • Patent number: 11223637
    Abstract: A previously-unknown type of attack on a web application can be detected dynamically using server logs. An alert can be raised for an application that returns a valid response to the potential attacker (e.g., when an http (hypertext transfer protocol) status code of 200 is returned to the requestor). Server logs can be analyzed to identify an external computer that uses the same attack methodology on multiple targets. The external computer may attempt to access the same Uniform Resource Identifier (URI) on various web sites. In many cases, the http status code that is returned is an error code. Characteristics such as but not limited to fast crawling and numerous error status codes being returned to a particular requestor can be used by a machine learning (ML) system to identify potentially malicious external computing devices and/or vulnerable URIs.
    Type: Grant
    Filed: January 7, 2018
    Date of Patent: January 11, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Hani Hana Neuvirth, Ram Haim Pliskin, Tomer Koren, Josef Weizman, Karl William Reinsch, Efim Hudis
  • Patent number: 11196746
    Abstract: “Sensitive” URIs for a website can be determined. Access attempts to a sensitive URI can be extracted from server logs. As used herein, sensitive URIs are URIs which if breached are likely to result in harm to the website owner. Access to sensitive URIs can be restricted to trusted accessors. Trusted accessors can be determined by filtering out untrusted accessors using thresholds and/or machine learning techniques. After filtering out untrusted accessors, any remaining accessors can be identified as trusted accessors. Trusted accessors can be added to a whitelist. Access requests to access-restricted URIs by an accessor not in the whitelist can be denied and an alert can be generated. Access requests to access-restricted URIs by an accessor in the whitelist can be granted.
    Type: Grant
    Filed: July 4, 2018
    Date of Patent: December 7, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Omer Karin, Hani Hana Neuvirth, Dotan Patrich, Tomer Koren, Ram Haim Pliskin, Josef Weizman, Yotam Livny
  • Patent number: 11159542
    Abstract: A method for detecting machine logon attacks within a cloud service. The method can include accessing a collection of network traffic protocol monitoring data. The network traffic protocol monitoring data can be network traffic protocol monitoring data across a cloud service. The method can also include analyzing the collection of network traffic protocol monitoring data to identify anomalous behavior by attacker entities associated with IP addresses indicating a brute force attack by the attacker entities associated with the IP addresses. Then, based on the anomalous behavior, the method can comprise identifying the IP addresses associated with the attacker entities, and at least one of attack patterns or campaign attack characteristics. Finally, the method can include compiling IP addresses associated with the attacker entities and the at least one of attack patterns or campaign attack characteristics into a reference data structure.
    Type: Grant
    Filed: March 21, 2019
    Date of Patent: October 26, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Tomer Weinberger, Tomer Koren, Hani Hana Neuvirth, Omer Karin
  • Patent number: 11089024
    Abstract: Systems, methods, and apparatuses are provided for restricting access to a web resource. Website access information is obtained by monitoring accesses to a plurality of websites for each access, which may include a network identifier of an access requestor, a website identifier, and an access time for each request. Based on at least the website access information, it may be determined that a particular access requestor has accessed a number of different websites in a given time period. As a result, the particular access requestor may be classified as a web robot. A request to permit access to a web resource is received by the particular access requestor. In response to receiving the request to permit access to the web resource, the particular access requestor is prevented from accessing the web resource and/or a notification is generated that the particular access requestor is attempting to access the web resource.
    Type: Grant
    Filed: March 9, 2018
    Date of Patent: August 10, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Dotan Patrich, Ram Haim Pliskin, Tomer Koren, Moshe Israel, Hani Hana Neuvirth, Josef Weizman
  • Publication number: 20210158211
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media for training a machine learning model. The method includes obtaining a training data set comprising a plurality of training examples; determining i) a stochastic gradient descent step size schedule, ii) a stochastic gradient descent noise schedule, and iii) a stochastic gradient descent batch size schedule, wherein the stochastic gradient descent batch size schedule comprises a sequence of varying batch sizes; and training a machine learning model on the training data set, comprising performing stochastic gradient descent according to the i) stochastic gradient descent step size schedule, ii) stochastic gradient descent noise schedule, and iii) stochastic gradient descent batch size schedule to adjust a machine learning model loss function.
    Type: Application
    Filed: November 20, 2020
    Publication date: May 27, 2021
    Inventors: Kunal Talwar, Vitaly Feldman, Tomer Koren
  • Publication number: 20210064749
    Abstract: Cybersecurity enhancements expose likely cyberattacks and command abuse while reducing false positives. Some embodiments ascertain an operating system mismatch, which occurs when a command tailored for operating system X is asserted in an environment tailored to operating system Y. False positives may be reduced by alerting on such a mismatch only when a command's process belongs to a web server or other targeted process, or uses the same supporting technology (e.g., framework, scripting language, or runtime environment) as the web server or other targeted process. Some embodiments watch for command abuse by spotting assertions of commands that appear frequently in cyberattacks even though those commands also have legitimate uses such as system administration, network administration, or software development.
    Type: Application
    Filed: May 30, 2019
    Publication date: March 4, 2021
    Inventors: Josef Weizman, Ram Haim Pliskin, Tomer Koren, Dotan Patrich
  • Patent number: 10887326
    Abstract: A method includes obtaining a dictionary, data for a set of web requests, and definitions of a first set of clusters associated with vulnerability scanners. The method includes identifying a set of clients that transmitted the second set of web requests. The method includes generating a second set of feature vectors, which each corresponds to one of the clients. Each element in each feature vector corresponds respectively to an entry in the dictionary. The method includes clustering the second set of feature vectors into a second set of clusters. The method includes, in response to a first distance between a selected cluster of the second set of clusters and one of the first set of clusters being less than a first predetermined distance, (i) identifying one of the set of web services that received web requests corresponding to feature vectors in the selected cluster and (ii) generating a scanning alert.
    Type: Grant
    Filed: March 30, 2018
    Date of Patent: January 5, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Josef Weizman, Tomer Koren, Ram Haim Pliskin, Hani Hana Neuvirth, Dotan Patrich
  • Publication number: 20200304524
    Abstract: A method for detecting machine logon attacks within a cloud service. The method can include accessing a collection of network traffic protocol monitoring data. The network traffic protocol monitoring data can be network traffic protocol monitoring data across a cloud service. The method can also include analyzing the collection of network traffic protocol monitoring data to identify anomalous behavior by attacker entities associated with IP addresses indicating a brute force attack by the attacker entities associated with the IP addresses. Then, based on the anomalous behavior, the method can comprise identifying the IP addresses associated with the attacker entities, and at least one of attack patterns or campaign attack characteristics. Finally, the method can include compiling IP addresses associated with the attacker entities and the at least one of attack patterns or campaign attack characteristics into a reference data structure.
    Type: Application
    Filed: March 21, 2019
    Publication date: September 24, 2020
    Inventors: Tomer Weinberger, Tomer Koren, Hani Hana Neuvirth, Omer Karin
  • Patent number: 10581915
    Abstract: Enhancements to network security are provided by identifying malicious actions taken against servers in a network environment, without having to access log data from individual servers. Seed data are collected by an administrator of the network environment, from honeypots and servers whose logs are shared with the administrator, to identify patterns of malicious actions to access the network environment. These patterns of use include ratios of TCP flags in communication sessions, entropy in the use of TCP flags over the life of a communication session, and packet size metrics, which are used to develop a model of characteristic communications for an attack. These attack models are shared with servers in the network environment to detect attacks without having to examine the traffic logs of those servers.
    Type: Grant
    Filed: October 31, 2016
    Date of Patent: March 3, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Mathias Scherman, Daniel Mark Edwards, Tomer Koren, Royi Ronen
  • Publication number: 20200014697
    Abstract: “Sensitive” URIs for a website can be determined. Access attempts to a sensitive URI can be extracted from server logs. As used herein, sensitive URIs are URIs which if breached are likely to result in harm to the website owner. Access to sensitive URIs can be restricted to trusted accessors. Trusted accessors can be determined by filtering out untrusted accessors using thresholds and/or machine learning techniques. After filtering out untrusted accessors, any remaining accessors can be identified as trusted accessors. Trusted accessors can be added to a whitelist. Access requests to access-restricted URIs by an accessor not in the whitelist can be denied and an alert can be generated. Access requests to access-restricted URIs by an accessor in the whitelist can be granted.
    Type: Application
    Filed: July 4, 2018
    Publication date: January 9, 2020
    Inventors: Omer Karin, Hani Hana Neuvirth, Dotan Patrich, Tomer Koren, Ram Haim Pliskin, Josef Weizman, Yotam Livny
  • Patent number: 10511615
    Abstract: A system for detecting a non-targeted attack by a first machine on a second machine is provided. The system includes an application that includes instructions configured to: extract network data corresponding to traffic flow between the first and second machines, where the second machine is implemented in a cloud-based network; identify a first suspect external IP address based on the network data; calculate features for the first suspect external IP address, where the features include exploration type features and exploitation type features; train a classifier based on predetermined examples and the features to generate and update a model; classify the first suspect external IP address based on the model and at least some of the features; and perform a countermeasure if a classification provided from classifying the first suspect external IP address indicates that the first suspect external IP address is associated with a malicious attack on the second machine.
    Type: Grant
    Filed: May 5, 2017
    Date of Patent: December 17, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Royi Ronen, Hani Hana Neuvirth, Tomer Koren, Omer Karin
  • Patent number: 10447525
    Abstract: Methods, systems, and apparatuses are provided for evaluating a chain of alerts. Historical alerts may be grouped together to form sets of alerts based on a predetermined relationship between the alerts. A score is determined for each set of alerts representing a statistical likelihood that one alert in the set is correlated to another alert in the set, generating a plurality of scores for the sets of alerts. The scores may be placed into a model containing a score for each set of alerts. After the model is formed, a received chain of alerts may be evaluated by examining whether the chain of alerts, or a sub-chain of alerts, corresponds to a score in the model through an iterative process. If the chain of alerts corresponds to a score in the model and meets a predetermined criterion, a system administrator can be alerted of the chain of alerts.
    Type: Grant
    Filed: June 5, 2017
    Date of Patent: October 15, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Dotan Patrich, Tomer Koren, Mathias Scherman
  • Publication number: 20190306178
    Abstract: A method includes obtaining a dictionary, data for a set of web requests, and definitions of a first set of clusters associated with vulnerability scanners. The method includes identifying a set of clients that transmitted the second set of web requests. The method includes generating a second set of feature vectors, which each corresponds to one of the clients. Each element in each feature vector corresponds respectively to an entry in the dictionary. The method includes clustering the second set of feature vectors into a second set of clusters. The method includes, in response to a first distance between a selected cluster of the second set of clusters and one of the first set of clusters being less than a first predetermined distance, (i) identifying one of the set of web services that received web requests corresponding to feature vectors in the selected cluster and (ii) generating a scanning alert.
    Type: Application
    Filed: March 30, 2018
    Publication date: October 3, 2019
    Inventors: Josef Weizman, Tomer Koren, Ram Haim Pliskin, Hani Hana Neuvirth, Dotan Patrich
  • Publication number: 20190281064
    Abstract: Systems, methods, and apparatuses are provided for restricting access to a web resource. Website access information is obtained by monitoring accesses to a plurality of websites for each access, which may include a network identifier of an access requestor, a website identifier, and an access time for each request. Based on at least the website access information, it may be determined that a particular access requestor has accessed a number of different websites in a given time period. As a result, the particular access requestor may be classified as a web robot. A request to permit access to a web resource is received by the particular access requestor. In response to receiving the request to permit access to the web resource, the particular access requestor is prevented from accessing the web resource and/or a notification is generated that the particular access requestor is attempting to access the web resource.
    Type: Application
    Filed: March 9, 2018
    Publication date: September 12, 2019
    Inventors: Dotan Patrich, Ram Haim Pliskin, Tomer Koren, Moshe Israel, Hani Hana Neuvirth, Josef Weizman
  • Publication number: 20190215330
    Abstract: A previously-unknown type of attack on a web application can be detected dynamically using server logs. An alert can be raised for an application that returns a valid response to the potential attacker (e.g., when an http (hypertext transfer protocol) status code of 200 is returned to the requestor). Server logs can be analyzed to identify an external computer that uses the same attack methodology on multiple targets. The external computer may attempt to access the same Uniform Resource Identifier (URI) on various web sites. In many cases, the http status code that is returned is an error code. Characteristics such as but not limited to fast crawling and numerous error status codes being returned to a particular requestor can be used by a machine learning (ML) system to identify potentially malicious external computing devices and/or vulnerable URIs.
    Type: Application
    Filed: January 7, 2018
    Publication date: July 11, 2019
    Inventors: Hani Hana Neuvirth, Ram Haim Pliskin, Tomer Koren, Josef Weizman, Karl William Reinsch, Efim Hudis
  • Publication number: 20180351783
    Abstract: Methods, systems, and apparatuses are provided for evaluating a chain of alerts. Historical alerts may be grouped together to form sets of alerts based on a predetermined relationship between the alerts. A score is determined for each set of alerts representing a statistical likelihood that one alert in the set is correlated to another alert in the set, generating a plurality of scores for the sets of alerts. The scores may be placed into a model containing a score for each set of alerts. After the model is formed, a received chain of alerts may be evaluated by examining whether the chain of alerts, or a sub-chain of alerts, corresponds to a score in the model through an iterative process. If the chain of alerts corresponds to a score in the model and meets a predetermined criterion, a system administrator can be alerted of the chain of alerts.
    Type: Application
    Filed: June 5, 2017
    Publication date: December 6, 2018
    Inventors: Dotan Patrich, Tomer Koren, Mathias Scherman
  • Publication number: 20180324193
    Abstract: A system for detecting a non-targeted attack by a first machine on a second machine is provided. The system includes an application that includes instructions configured to: extract network data corresponding to traffic flow between the first and second machines, where the second machine is implemented in a cloud-based network; identify a first suspect external IP address based on the network data; calculate features for the first suspect external IP address, where the features include exploration type features and exploitation type features; train a classifier based on predetermined examples and the features to generate and update a model; classify the first suspect external IP address based on the model and at least some of the features; and perform a countermeasure if a classification provided from classifying the first suspect external IP address indicates that the first suspect external IP address is associated with a malicious attack on the second machine.
    Type: Application
    Filed: May 5, 2017
    Publication date: November 8, 2018
    Inventors: Royi Ronen, Hani Hana Neuvirth, Tomer Koren, Omer Karin
  • Publication number: 20180124073
    Abstract: Enhancements to network security are provided by identifying malicious actions taken against servers in a network environment, without having to access log data from individual servers. Seed data are collected by an administrator of the network environment, from honeypots and servers whose logs are shared with the administrator, to identify patterns of malicious actions to access the network environment. These patterns of use include ratios of TCP flags in communication sessions, entropy in the use of TCP flags over the life of a communication session, and packet size metrics, which are used to develop a model of characteristic communications for an attack. These attack models are shared with servers in the network environment to detect attacks without having to examine the traffic logs of those servers.
    Type: Application
    Filed: October 31, 2016
    Publication date: May 3, 2018
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Mathias Scherman, Daniel Mark Edwards, Tomer Koren, Royi Ronen