Abstract: Compromised enterprise data is enriched using inferred content from social networks and other public databases. Compromised enterprise data is enriched by obtaining unstructured data from one or more fraudster drop zones; identifying email addresses in the unstructured data; storing each of the identified email addresses in a record with a corresponding name of a person associated with the identified email address; querying one or more databases to update the records with one or more of a corporate employer, location of employment and a corporate position of the person; and aggregating the records. The aggregation can be performed by, for example, a corporate employer field to identify one or more enterprises requiring enhanced security and/or a cybersecurity countermeasure product. The aggregation can also be performed by location of employment or by corporate position to identify individuals that are susceptible to a cybersecurity threat.

Abstract: Parallel processing of events having multi-dimensional dependencies is provided. Each event has at least one profile and each profile has at least one profile key. An event is dependent on another event if they have at least one common profile key. The profile key(s) for a plurality of profiles of the given event are compared to profile keys of previously queued events. A given event is assigned to a same queue as at least one dependent event. When a given event is dependent on events in at least two queues, the given event is not assigned to a queue until only one queue has dependent events remaining to be processed. A list of profile keys that have been assigned to each queue and/or a reference count of a number of events that have been queued for each profile key are optionally maintained.

Abstract: There are disclosed techniques for use in authentication. In one embodiment, the techniques comprise generating first and second distributions. The first distribution relating to risk scores expected to be produced by an authentication system in connection with requests to access a computerized resource. The expected risk scores are based on a normalization process configured to produce risk scores by normalizing raw risk scores in connection with requests. The second distribution relates to risk scores actually produced by the authentication system in connection with requests. The actual risk scores include risk scores normalized by the normalization process. The techniques also comprise comparing the first and second distributions by determining a Kolmogorov-Smirnov distance between the respective distributions. The techniques also comprise initiating, based on the comparison, a failover of the normalization process to a new normalization process for use by the authentication system.

Abstract: An improved adaptive authentication technique involves defining a window array which stores the number of distinct fact values per time unit over a predetermined number of time units. Each element of the window array has a value set to the number of distinct fact values over a time unit. The window array is stored in a database. Under the improved technique, upon a user initiating an authorization request, the risk engine extracts the request and the window array from the database into a cache on the authorization server. The risk engine uses the request which contains a value of the fact to adjust values of the elements of the window array and, once the adjusting is completed, computing the fact velocity which is used in the determination of a risk score for the request.

Abstract: An improved technique identifies risky transactions from a set of transactions and updates risk scores only for those transactions identified as risky. Along these lines, a transaction sorting engine sorts the set of transactions according to risk score. The transaction sorting engine identifies as risky those transactions having risk scores above a specified percentile; for instance, the transactions having risk scores above the 90th percentile would be identified as risky. Some time later, a risk score engine adjusts, based on new historical transaction data, Bayesian weights which it uses to compute risk scores. The transaction sorting engine sends to the risk score engine only those transactions it identified as risky. The risk score engine computes new risk scores for the risky transactions and makes the new risk scores available to the transaction sorting engine so that it can sort all of current transactions (e.g., received within the past week).