Abstract: Implementations include receiving flow data representative of communication traffic of the network, determining that at least one blacklisted Internet protocol (IP) address is present in the flow data, and in response: providing a set of high-dimensional flow representations of network traffic by processing historical flow data through a deep learning (DL) model, providing a set of low-dimensional flow representations of the network traffic based on the set of high-dimensional flow representations, and labeling at least a portion of the set of low-dimensional flow representations to provide a sub-set of labeled low-dimensional flow representations and a sub-set of unlabeled low-dimensional flow representations, and identifying a host associated with an unlabeled low-dimensional flow representation as a potentially malicious host, and in response, automatically executing a remedial action with respect to the potentially malicious host.

Abstract: Implementations are directed to detecting bypass of an authentication system of a web application with actions including receiving one or more webpage logs including web traffic associated with a web application during a defined time period, receiving one or more authentication logs associated with one or more authentication appliances providing authentication services for the web application, determining, based on the one or more webpage logs, one or more webpage log entries corresponding to a user and the defined time period, determining, based on the one or more authentication logs, a total number of correct authentication factors provided by the user during the defined time period, and determining, based on the one or more webpage log entries corresponding to the user and the defined time period and the total number of correct authentication factors provided by the user, that the user bypassed an authentication system of the web application.

Abstract: A system for detecting and preventing execution of malware on a target system includes an interface for receiving training data. The training data includes domain names known to be legitimate and domain names known to be associated with malware. The system is configured to train a first model to classify the domain names in the training data as being legitimate domain names or malware-associated domain names using a supervised learning methodology. The system configured to train a second model to predict a correct domain name associated with domain names in the training data using an unsupervised learning methodology. The system configured to train a third model to classify the domain names in the training data as being legitimate domain names or malware-associated domain names based on an output of the first learning model and an output of the second learning model.

Abstract: Implementations include receiving, by a redirection resolver, a URL identifying a location of a network resource, processing, by the redirection resolver, the URL to provide a set of results including a set of redirection URLs, the set of redirection URLs including one or more redirections between the URL and an end URL, processing the set of redirection URLs to provide input to a machine learning (ML) model that generates an output based on the set of redirection URLs, determining an error value associated with the URL, and providing an indicator assigned to the URL based on the error value, the indicator indicating whether the URL is determined to be potentially malicious.

Abstract: Implementations include receiving flow data representative of communication traffic of the network, determining that at least one blacklisted Internet protocol (IP) address is present in the flow data, and in response: providing a set of high-dimensional flow representations of network traffic by processing historical flow data through a deep learning (DL) model, providing a set of low-dimensional flow representations of the network traffic based on the set of high-dimensional flow representations, and labeling at least a portion of the set of low-dimensional flow representations to provide a sub-set of labeled low-dimensional flow representations and a sub-set of unlabeled low-dimensional flow representations, and identifying a host associated with an unlabeled low-dimensional flow representation as a potentially malicious host, and in response, automatically executing a remedial action with respect to the potentially malicious host.

Abstract: Implementations are directed to detecting bypass of an authentication system of a web application with actions including receiving one or more webpage logs including web traffic associated with a web application during a defined time period, receiving one or more authentication logs associated with one or more authentication appliances providing authentication services for the web application, determining, based on the one or more webpage logs, one or more webpage log entries corresponding to a user and the defined time period, determining, based on the one or more authentication logs, a total number of correct authentication factors provided by the user during the defined time period, and determining, based on the one or more webpage log entries corresponding to the user and the defined time period and the total number of correct authentication factors provided by the user, that the user bypassed an authentication system of the web application.

Abstract: Implementations include receiving, by a redirection resolver, a URL identifying a location of a network resource, processing, by the redirection resolver, the URL to provide a set of results including a set of redirection URLs, the set of redirection URLs including one or more redirections between the URL and an end URL, processing the set of redirection URLs to provide input to a machine learning (ML) model that generates an output based on the set of redirection URLs, determining an error value associated with the URL, and providing an indicator assigned to the URL based on the error value, the indicator indicating whether the URL is determined to be potentially malicious.

Abstract: A system for detecting and preventing execution of malware on a target system includes an interface for receiving training data. The training data includes domain names known to be legitimate and domain names known to be associated with malware. The system is configured to train a first model to classify the domain names in the training data as being legitimate domain names or malware-associated domain names using a supervised learning methodology. The system configured to train a second model to predict a correct domain name associated with domain names in the training data using an unsupervised learning methodology. The system configured to train a third model to classify the domain names in the training data as being legitimate domain names or malware-associated domain names based on an output of the first learning model and an output of the second learning model.