Abstract: Methods, apparatus, and processor-readable storage media for evaluating cyber attacker behavior using machine learning to identify anomalies are provided herein. An example method includes obtaining, based on events associated with changes in one or more of a registry and a computer process, baseline models comprising a user context representing normal behavior for a first subset of features associated with the events with respect to a given user, an inverse context that represents normal behavior for at least one feature with respect to a particular value of one or more features in the first subset, and a global context representing a behavior of the features across the plurality of users; detecting a new event attributable to the given user; calculating a score for the new event using one or more of the baseline models; and determining that the new event is an anomaly in response to the score satisfying a threshold.

Abstract: Methods, apparatus, and processor-readable storage media for evaluating cyber attacker behavior using machine learning to identify anomalies are provided herein. An example method includes obtaining, based on events associated with changes in one or more of a registry and a computer process, baseline models comprising a user context representing normal behavior for a first subset of features associated with the events with respect to a given user, an inverse context that represents normal behavior for at least one feature with respect to a particular value of one or more features in the first subset, and a global context representing a behavior of the features across the plurality of users; detecting a new event attributable to the given user; calculating a score for the new event using one or more of the baseline models; and determining that the new event is an anomaly in response to the score satisfying a threshold.

Abstract: A computerized system for recursively detecting anomalies in monitored behavior of entities. The system comprises a storage unit to store monitored events, event deviations and parameters related to each event and to each event deviation. The system comprises a processing unit configured to receive a plurality of input events, construct a plurality of baseline models, receive an input event that occurred during an analyzed timeframe, compare parameters of the received input event to a corresponding baseline model in order to detect an event deviation, and associate an event deviation score to the detected event deviation. Using the detected event deviation as an input event, said operations are repeated until a predetermined condition is satisfied, and an alert is generated, indicating suspicious activity has been detected. A viewer application configured to receive and display alerts relating to the detected event deviation is provided.

Abstract: A computerized system for recursively detecting anomalies in monitored behavior of entities. The system comprises a storage unit to store monitored events, event deviations and parameters related to each event and to each event deviation. The system comprises a processing unit configured to receive a plurality of input events, construct a plurality of baseline models, receive an input event that occurred during an analyzed timeframe, compare parameters of the received input event to a corresponding baseline model in order to detect an event deviation, and associate an event deviation score to the detected event deviation. Using the detected event deviation as an input event, said operations are repeated until a predetermined condition is satisfied, and an alert is generated, indicating suspicious activity has been detected. A viewer application configured to receive and display alerts relating to the detected event deviation is provided.