Abstract: The invention relates to a method detecting one or more anomalies regarding logins of a user on an authentication system. The method includes at least one iteration of a monitoring phase that includes collecting a log of successful logins of the user on the authentication system, and calculating, for each monitored parameter, a probability density, in the log, of each predetermined value of the parameter. The method also includes calculating, for each parameter, a weight, as a function of the probability density of each predetermined value of the parameter, calculating an anomaly score for the log as a function of the weights and the probability densities; and comparing the anomaly score to a given threshold in order to determine an anomaly in the daily log for the user. The invention also relates to a computer program product and a device configured to carry out the method.

Abstract: The invention relates to an edge-based log collecting device for collecting logs from several log sources located in a remote network, called edge-network, and sending the logs to a cloud-based system distant from the edge-network. The device is located in the edge-network, and the device includes several processing nodes for processing logs received from the log sources and sending them to said the system. The device is configured to elect, according to a predetermined election algorithm, one of the processing nodes as a master node configured for receiving the logs from all log sources of the local network, and sharing the logs with the other processing nodes. The invention further relates to a computer program and a device configured to carry out such a method.

Abstract: A network security system that analyzes data from network attacks to determine which attacks came from the same attacker, even if the attacker tries to disguise its identity by spreading attacks out over time and attacking from multiple IP addresses. Intrusion detection systems or firewalls may log data for each attack, such as the time of the attack, the type of attack, and the source and target addresses. Embodiments may augment this data with derived attributes that may profile the attacker's behavior. For example, some attackers may spread out attacks over time, but always attack on the same day of the week; some attackers may spread out attacks over different IP addresses, but these addresses may all be in the same country. The original and augmented data may be clustered using an algorithm such as DBSCAN, and each attacker may be identified with one of the resulting clusters.

Abstract: A method for automatically sending containment instructions from a central containment component contained in a public cloud to an endpoint contained inside a company network where a malicious activity has been detected. The method includes a central containment component elaborating and placing a secured containment instruction inside a messaging queue of the central containment component, and a component, called edge containment component, running inside the company network, periodically polling the messaging queue service by creating an outgoing connection from the company network to the central containment component in the public cloud. When the edge containment component detects the containment instruction, the edge containment component retrieves, decodes and sends the containment instruction to the endpoint inside the company network.

Abstract: A method for detecting malicious connections from remote users into a computer network through Remote Desktop protocol via a computer having access to login logs of users. The method includes defining aspects, each divided into bins comprising a day of week aspect comprising n1 bins, a time of day aspect comprising n2 bins, a number of logins in a day aspect comprising n3 bins. The method includes defining a model based on the aspects and providing a score of log for each user; defining a baseline of log; applying the model on each user log to determine a production score of log and comparing the production score of log with respect to the baseline. The model includes calculating a probability density for each bin for each user, determining a weight for each aspect and calculating the score of log from the probability density weighted by the weight for each user.

Abstract: A method for detecting malware penetrating a network by identifying anomalous communication between at least two systems of the network, carried out by a computer. For each unique combination of Source IP address and destination IP address, the method includes considering a past period, considering the network flow logs stored during said past period, calculating values of a metric based on data of the network flow logs within the past period and at a given frequency, calculating a baseline which consists in calculating an IQR of all metric values calculated during the past period, determining an outlier threshold from the baseline, considering a current period, calculating a new IQR of all metric values calculated during the current period, and classifying the communication between the two systems of the unique combination as an anomalous communication if the IQR of the current period is greater than the outlier threshold.

Abstract: A network security system that analyzes data from network attacks to determine which attacks came from the same attacker, even if the attacker tries to disguise its identity by spreading attacks out over time and attacking from multiple IP addresses. Intrusion detection systems or firewalls may log data for each attack, such as the time of the attack, the type of attack, and the source and target addresses. Embodiments may augment this data with derived attributes that may profile the attacker's behavior. For example, some attackers may spread out attacks over time, but always attack on the same day of the week; some attackers may spread out attacks over different IP addresses, but these addresses may all be in the same country. The original and augmented data may be clustered using an algorithm such as DBSCAN, and each attacker may be identified with one of the resulting clusters.

Abstract: Disclosed are methods and systems for improving the safety of an intersection. One or more sensor readings can be received. The one or more sensor readings can be compared to one or more thresholds. A signal can be provided to one or more lighting devices based on whether the one or more sensor readings satisfy the one or more thresholds.

Abstract: Disclosed herein are methods and systems for providing multivariate time series clustering for customer segmentation. The system comprises of a model management unit that devices a customer segmentation procedure based on temporal variations of user preferences, using MTS clustering, and utilize the discovered clusters to learn association rules specific to each clusters, and improves campaign targeting. The order of the VAR model is fixed based on the nature of the data and length of the time series.

Abstract: A network user behavior system that detects anomalous user behavior includes a memory system with a user behavior module. The user behavior module creates a user profile based on user activity that includes user activity logs that record parameters related to user activity; selects indicator features, wherein the indicator feature includes user activity related to the parameters; creates a user identifier (UID) for each combination of the indicator feature and user; associates each UID with a timestamp to establish a UID and timestamp relationship; establishes a UID and timestamp relationship range indicative of non-anomalous user behavior; and identifies an anomalous user behavior as a UID and timestamp relationship outside of the range indicative of non-anomalous user behavior.

Abstract: A network user behavior system that detects anomalous user behavior includes a memory system with a user behavior module. The user behavior module creates a user profile based on user activity that includes user activity logs that record parameters related to user activity; selects indicator features, wherein the indicator feature includes user activity related to the parameters; creates a user identifier (UID) for each combination of the indicator feature and user; associates each UID with a timestamp to establish a UID and timestamp relationship; establishes a UID and timestamp relationship range indicative of non-anomalous user behavior; and identifies an anomalous user behavior as a UID and timestamp relationship outside of the range indicative of non-anomalous user behavior.

Abstract: A system uses a probabilistic technique to determine the vulnerability of similar assets based on the data provided on some assets. The probabilistic technique includes stages of preparing data followed by calculating probability; a preparing data stage, including gathering the latest vulnerability reports of all assets in a system with the help of known scanners; creating open vulnerabilities; enriching the obtained data of open vulnerabilities; creating all vulnerabilities; enriching the obtained data of all vulnerabilities. Following this stage, probability calculation may be done for three cases, when asset information is known, when asset information is partially unknown, and when asset information is completely unknown based on the data taken from open vulnerabilities and all vulnerabilities categorized into blocks of 6 months based on the time at which they have been reported to NIST/MITRE.

Abstract: A system uses a probabilistic technique to determine the vulnerability of similar assets based on the data provided on some assets. The probabilistic technique includes stages of preparing data followed by calculating probability; a preparing data stage, including gathering the latest vulnerability reports of all assets in a system with the help of known scanners; creating open vulnerabilities; enriching the obtained data of open vulnerabilities; creating all vulnerabilities; enriching the obtained data of all vulnerabilities. Following this stage, probability calculation may be done for three cases, when asset information is known, when asset information is partially unknown, and when asset information is completely unknown based on the data taken from open vulnerabilities and all vulnerabilities categorized into blocks of 6 months based on the time at which they have been reported to NIST/MITRE.

Abstract: Disclosed herein are methods and systems for providing multivariate time series clustering for customer segmentation. The system comprises of a model management unit that devices a customer segmentation procedure based on temporal variations of user preferences, using MTS clustering, and utilize the discovered clusters to learn association rules specific to each clusters, and improves campaign targeting. The order of the VAR model is fixed based on the nature of the data and length of the time series.

Abstract: The embodiments herein relate to user data management in a telecommunications network and, more particularly, to classifying users in a telecommunications network and subsequently leveraging the classification and augmented statistical information. The system uses intelligent modeling techniques & machine learning algorithms to classify users. It also groups users by statistical analysis of this classification. The system is able to provide secure, authenticated and authorized access to this classification, statistical grouping and other augmented information about users to an external agent in real-time. This enables service personalization and personalized service recommendations. System allows external agents to define certain classification criteria for users in the form of models, which are pluggable in nature, to derive multiple user classification schemes.

Abstract: Techniques are described to compute response counts and response rates in a mobile marketing environment. Such techniques may be fully automated. Computed counts and rates are accessible in near real-time. Certain techniques use contextual information of transactions events to compute accurate response counts and rates. A flexible filtering algorithm may be configured and applied by a user.

Abstract: A cellular telephone system and method for using low-cost low-memory cellular handsets is disclosed. The system and method allow for cellular telephony with inexpensive “dumb” cellular telephones that request code, data, and processing power from an application platform. The application platform is also capable of pushing code, data and processing power to the cellular telephones.

Abstract: This invention provides an adaptive transcoder that modifies a data stream for transmission over variable bandwidth networks and to devices having varying processing capabilities in accordance with client desired bit rates. In order to modify the bit rate of a data stream, in a preferred embodiment, certain frames of the data stream are replaced with Pseudo-P frames according with the results of frame ranking techniques.

Abstract: This invention provides a system and method to reduce rectangular graph images. According to the invention, the main graph and axis portions of a rectangular graph image are reduced separately such that readability and clarity of the entire graph image is maintained. The axes of the graph are reduced according to a position of the text values included on the axes of the image. The system may be accessed over a network by display devices when reducing for display images that include rectangular graphs.