Abstract: The invention relates to an edge-based log collecting device for collecting logs from several log sources located in a remote network, called edge-network, and sending the logs to a cloud-based system distant from the edge-network. The device is located in the edge-network, and the device includes several processing nodes for processing logs received from the log sources and sending them to said the system. The device is configured to elect, according to a predetermined election algorithm, one of the processing nodes as a master node configured for receiving the logs from all log sources of the local network, and sharing the logs with the other processing nodes. The invention further relates to a computer program and a device configured to carry out such a method.

Abstract: A system that detects malware by analyzing message logs to identify message patterns that are periodic with similar-sized messages. These patterns may indicate malware since malware often sends beacon messages to a command-and-control system that are often periodic and of relatively similar length. The system may group message logs by the combination of source and destination and analyze each group for patterns of periodicity and message length uniformity. Entropy may be used to measure the uniformity of message lengths and message intervals, with low (or zero) entropy suggesting malware. Message intervals that repeat after several messages may be detected by testing subsequence sums for uniformity at different possible periods. Additional factors may be used to assess the risk, such as the duration of communication, and threat intelligence on the source or destination. The system may perform automated actions to eliminate or mitigate detected risks, such as blocking further communication.

Abstract: A method for detecting malicious connections from remote users into a computer network through Remote Desktop protocol via a computer having access to login logs of users. The method includes defining aspects, each divided into bins comprising a day of week aspect comprising n1 bins, a time of day aspect comprising n2 bins, a number of logins in a day aspect comprising n3 bins. The method includes defining a model based on the aspects and providing a score of log for each user; defining a baseline of log; applying the model on each user log to determine a production score of log and comparing the production score of log with respect to the baseline. The model includes calculating a probability density for each bin for each user, determining a weight for each aspect and calculating the score of log from the probability density weighted by the weight for each user.

Abstract: A method for detecting malware penetrating a network by identifying anomalous communication between at least two systems of the network, carried out by a computer. For each unique combination of Source IP address and destination IP address, the method includes considering a past period, considering the network flow logs stored during said past period, calculating values of a metric based on data of the network flow logs within the past period and at a given frequency, calculating a baseline which consists in calculating an IQR of all metric values calculated during the past period, determining an outlier threshold from the baseline, considering a current period, calculating a new IQR of all metric values calculated during the current period, and classifying the communication between the two systems of the unique combination as an anomalous communication if the IQR of the current period is greater than the outlier threshold.

Abstract: The invention relates to a method detecting one or more anomalies regarding logins of a user on an authentication system. The method includes at least one iteration of a monitoring phase that includes collecting a log of successful logins of the user on the authentication system, and calculating, for each monitored parameter, a probability density, in the log, of each predetermined value of the parameter. The method also includes calculating, for each parameter, a weight, as a function of the probability density of each predetermined value of the parameter, calculating an anomaly score for the log as a function of the weights and the probability densities; and comparing the anomaly score to a given threshold in order to determine an anomaly in the daily log for the user. The invention also relates to a computer program product and a device configured to carry out the method.

Abstract: The invention relates to an edge-based log collecting device for collecting logs from several log sources located in a remote network, called edge-network, and sending the logs to a cloud-based system distant from the edge-network. The device is located in the edge-network, and the device includes several processing nodes for processing logs received from the log sources and sending them to said the system. The device is configured to elect, according to a predetermined election algorithm, one of the processing nodes as a master node configured for receiving the logs from all log sources of the local network, and sharing the logs with the other processing nodes. The invention further relates to a computer program and a device configured to carry out such a method.

Abstract: A network security system that analyzes data from network attacks to determine which attacks came from the same attacker, even if the attacker tries to disguise its identity by spreading attacks out over time and attacking from multiple IP addresses. Intrusion detection systems or firewalls may log data for each attack, such as the time of the attack, the type of attack, and the source and target addresses. Embodiments may augment this data with derived attributes that may profile the attacker's behavior. For example, some attackers may spread out attacks over time, but always attack on the same day of the week; some attackers may spread out attacks over different IP addresses, but these addresses may all be in the same country. The original and augmented data may be clustered using an algorithm such as DBSCAN, and each attacker may be identified with one of the resulting clusters.

Abstract: A method for automatically sending containment instructions from a central containment component contained in a public cloud to an endpoint contained inside a company network where a malicious activity has been detected. The method includes a central containment component elaborating and placing a secured containment instruction inside a messaging queue of the central containment component, and a component, called edge containment component, running inside the company network, periodically polling the messaging queue service by creating an outgoing connection from the company network to the central containment component in the public cloud. When the edge containment component detects the containment instruction, the edge containment component retrieves, decodes and sends the containment instruction to the endpoint inside the company network.

Abstract: A method for detecting malicious connections from remote users into a computer network through Remote Desktop protocol via a computer having access to login logs of users. The method includes defining aspects, each divided into bins comprising a day of week aspect comprising n1 bins, a time of day aspect comprising n2 bins, a number of logins in a day aspect comprising n3 bins. The method includes defining a model based on the aspects and providing a score of log for each user; defining a baseline of log; applying the model on each user log to determine a production score of log and comparing the production score of log with respect to the baseline. The model includes calculating a probability density for each bin for each user, determining a weight for each aspect and calculating the score of log from the probability density weighted by the weight for each user.

Abstract: A method for detecting malware penetrating a network by identifying anomalous communication between at least two systems of the network, carried out by a computer. For each unique combination of Source IP address and destination IP address, the method includes considering a past period, considering the network flow logs stored during said past period, calculating values of a metric based on data of the network flow logs within the past period and at a given frequency, calculating a baseline which consists in calculating an IQR of all metric values calculated during the past period, determining an outlier threshold from the baseline, considering a current period, calculating a new IQR of all metric values calculated during the current period, and classifying the communication between the two systems of the unique combination as an anomalous communication if the IQR of the current period is greater than the outlier threshold.

Abstract: A network security system that analyzes data from network attacks to determine which attacks came from the same attacker, even if the attacker tries to disguise its identity by spreading attacks out over time and attacking from multiple IP addresses. Intrusion detection systems or firewalls may log data for each attack, such as the time of the attack, the type of attack, and the source and target addresses. Embodiments may augment this data with derived attributes that may profile the attacker's behavior. For example, some attackers may spread out attacks over time, but always attack on the same day of the week; some attackers may spread out attacks over different IP addresses, but these addresses may all be in the same country. The original and augmented data may be clustered using an algorithm such as DBSCAN, and each attacker may be identified with one of the resulting clusters.

Abstract: Disclosed are methods and systems for improving the safety of an intersection. One or more sensor readings can be received. The one or more sensor readings can be compared to one or more thresholds. A signal can be provided to one or more lighting devices based on whether the one or more sensor readings satisfy the one or more thresholds.

Abstract: Disclosed herein are methods and systems for providing multivariate time series clustering for customer segmentation. The system comprises of a model management unit that devices a customer segmentation procedure based on temporal variations of user preferences, using MTS clustering, and utilize the discovered clusters to learn association rules specific to each clusters, and improves campaign targeting. The order of the VAR model is fixed based on the nature of the data and length of the time series.

Abstract: A network user behavior system that detects anomalous user behavior includes a memory system with a user behavior module. The user behavior module creates a user profile based on user activity that includes user activity logs that record parameters related to user activity; selects indicator features, wherein the indicator feature includes user activity related to the parameters; creates a user identifier (UID) for each combination of the indicator feature and user; associates each UID with a timestamp to establish a UID and timestamp relationship; establishes a UID and timestamp relationship range indicative of non-anomalous user behavior; and identifies an anomalous user behavior as a UID and timestamp relationship outside of the range indicative of non-anomalous user behavior.

Abstract: A network user behavior system that detects anomalous user behavior includes a memory system with a user behavior module. The user behavior module creates a user profile based on user activity that includes user activity logs that record parameters related to user activity; selects indicator features, wherein the indicator feature includes user activity related to the parameters; creates a user identifier (UID) for each combination of the indicator feature and user; associates each UID with a timestamp to establish a UID and timestamp relationship; establishes a UID and timestamp relationship range indicative of non-anomalous user behavior; and identifies an anomalous user behavior as a UID and timestamp relationship outside of the range indicative of non-anomalous user behavior.

Abstract: A system uses a probabilistic technique to determine the vulnerability of similar assets based on the data provided on some assets. The probabilistic technique includes stages of preparing data followed by calculating probability; a preparing data stage, including gathering the latest vulnerability reports of all assets in a system with the help of known scanners; creating open vulnerabilities; enriching the obtained data of open vulnerabilities; creating all vulnerabilities; enriching the obtained data of all vulnerabilities. Following this stage, probability calculation may be done for three cases, when asset information is known, when asset information is partially unknown, and when asset information is completely unknown based on the data taken from open vulnerabilities and all vulnerabilities categorized into blocks of 6 months based on the time at which they have been reported to NIST/MITRE.

Abstract: A system uses a probabilistic technique to determine the vulnerability of similar assets based on the data provided on some assets. The probabilistic technique includes stages of preparing data followed by calculating probability; a preparing data stage, including gathering the latest vulnerability reports of all assets in a system with the help of known scanners; creating open vulnerabilities; enriching the obtained data of open vulnerabilities; creating all vulnerabilities; enriching the obtained data of all vulnerabilities. Following this stage, probability calculation may be done for three cases, when asset information is known, when asset information is partially unknown, and when asset information is completely unknown based on the data taken from open vulnerabilities and all vulnerabilities categorized into blocks of 6 months based on the time at which they have been reported to NIST/MITRE.

Abstract: Disclosed herein are methods and systems for providing multivariate time series clustering for customer segmentation. The system comprises of a model management unit that devices a customer segmentation procedure based on temporal variations of user preferences, using MTS clustering, and utilize the discovered clusters to learn association rules specific to each clusters, and improves campaign targeting. The order of the VAR model is fixed based on the nature of the data and length of the time series.

Abstract: The embodiments herein relate to user data management in a telecommunications network and, more particularly, to classifying users in a telecommunications network and subsequently leveraging the classification and augmented statistical information. The system uses intelligent modeling techniques & machine learning algorithms to classify users. It also groups users by statistical analysis of this classification. The system is able to provide secure, authenticated and authorized access to this classification, statistical grouping and other augmented information about users to an external agent in real-time. This enables service personalization and personalized service recommendations. System allows external agents to define certain classification criteria for users in the form of models, which are pluggable in nature, to derive multiple user classification schemes.

Abstract: Techniques are described to compute response counts and response rates in a mobile marketing environment. Such techniques may be fully automated. Computed counts and rates are accessible in near real-time. Certain techniques use contextual information of transactions events to compute accurate response counts and rates. A flexible filtering algorithm may be configured and applied by a user.