Patents by Inventor Yaron Neuman

Yaron Neuman has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11777971
    Abstract: Methods, apparatus and computer program products implement embodiments of the present invention that include collecting data packets transmitted between multiple entities over a network, and grouping the packets at least according to their source and destination entities and their times, into connections to which the packets belong. Pairs of the connections are identified having identical source and destination entities and times that are together within a specified time window, and sets of features are generated for the identified pairs of the connections. The features in the pairs are evaluated in order to detect a given pair of connections indicating malicious activity, and an alert is generated for the malicious activity.
    Type: Grant
    Filed: February 15, 2021
    Date of Patent: October 3, 2023
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Yinnon Meshi, Idan Amit, Eyal Firstenberg, Jonathan Allon, Yaron Neuman
  • Publication number: 20230117268
    Abstract: Methods, apparatuses and computer program products implement embodiments of the present invention that include protecting a computer system by identifying multiple user identifiers associated with a single user entity. A first event carried out using a first one of the user identifiers is detected. Upon detecting a second event carried out using a second one of the user identifiers that is different from the first one of the user identifiers, an alert can be issued in response to a combination of the first and the second events.
    Type: Application
    Filed: October 20, 2021
    Publication date: April 20, 2023
    Inventors: Netanel Rimer, Aviad Meyer, Yaron Neuman, Jonathan Allon
  • Publication number: 20210168163
    Abstract: Methods, apparatus and computer program products implement embodiments of the present invention that include collecting data packets transmitted between multiple entities over a network, and grouping the packets at least according to their source and destination entities and their times, into connections to which the packets belong. Pairs of the connections are identified having identical source and destination entities and times that are together within a specified time window, and sets of features are generated for the identified pairs of the connections. The features in the pairs are evaluated in order to detect a given pair of connections indicating malicious activity, and an alert is generated for the malicious activity.
    Type: Application
    Filed: February 15, 2021
    Publication date: June 3, 2021
    Inventors: Yinnon Meshi, Idan Amit, Eyal Firstenberg, Jonathan Allon, Yaron Neuman
  • Patent number: 11012492
    Abstract: Methods, apparatus and computer software products implement embodiments of the present invention that include protecting a computing system by defining a list of network access messages that are indicative of human use of computing devices, and extracting, from data traffic transmitted over a data network connecting a plurality of the computing devices to multiple Internet sites, respective transmissions from the computing devices to the Internet sites. A given transmission including one of the network access messages in the list is detected in the transmissions from a given computing device, and the given computing device is classified as being operated by a human in response to detecting the given transmission. Upon identifying suspicious content in the transmissions from a subset of the computing devices that includes the given computing device, any suspicious transmissions from the given computing device are ignored in response to the classification.
    Type: Grant
    Filed: December 26, 2019
    Date of Patent: May 18, 2021
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Asaf Dahan, Rony Brailovsky, Yaron Neuman, Idan Amit, Yinnon Meshi
  • Patent number: 10999304
    Abstract: Methods, apparatus and computer program products implement embodiments of the present invention that include collecting data packets transmitted between multiple entities over a network, and grouping the packets at least according to their source and destination entities and their times, into connections to which the packets belong. Pairs of the connections are identified having identical source and destination entities and times that are together within a specified time window, and sets of features are generated for the identified pairs of the connections. The features in the pairs are evaluated in order to detect a given pair of connections indicating malicious activity, and an alert is generated for the malicious activity.
    Type: Grant
    Filed: April 11, 2018
    Date of Patent: May 4, 2021
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Yinnon Meshi, Idan Amit, Eyal Firstenberg, Jonathan Allon, Yaron Neuman
  • Patent number: 10686829
    Abstract: A method including extracting, from initial data transmitted on a network, multiple events, each of the events including a user accessing a resource. First and second sets of records are created, each first set record including a sub-group of the events of a user, each second set record including a sub-group of the events of multiple users during respective sub-periods of a training period. Safe labels are assigned to the first set records and suspicious labels are assigned to the second set records. An analysis fits, to the first and the second set records and their respective labels, a model for predicting the label for a given record. The model filters subsequent network data to identify, in the subsequent data, sequences of events predicted to be labeled suspicious by the model, and upon detecting a given sequence of events predicted as suspicious by the model, an alert is generated.
    Type: Grant
    Filed: September 4, 2017
    Date of Patent: June 16, 2020
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Idan Amit, Eyal Firstenberg, Jonathan Allon, Yaron Neuman
  • Patent number: 10574681
    Abstract: A method, including collecting information on data transmitted at respective times between multiple endpoints and multiple Internet sites having respective domains, and acquiring, from one or more external or internal sources, maliciousness information for the domains. An access time profile is generated based on the times of the transmissions to the domains, and a popularity profile is generated based on the transmissions to the domains. A malicious domain profile is generated based on the acquired maliciousness information, and the collected information is modeled using the access time profile, the popularity profile and the malicious domain profile. Based on their respective modeled collected information, one or more of the domains is predicted to be suspicious, and an alert is generated for the one or more identified domains.
    Type: Grant
    Filed: September 4, 2017
    Date of Patent: February 25, 2020
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Yinnon Meshi, Jonathan Allon, Eyal Firstenberg, Yaron Neuman, Dekel Paz, Idan Amit
  • Publication number: 20190319981
    Abstract: Methods, apparatus and computer program products implement embodiments of the present invention that include collecting data packets transmitted between multiple entities over a network, and grouping the packets at least according to their source and destination entities and their times, into connections to which the packets belong. Pairs of the connections are identified having identical source and destination entities and times that are together within a specified time window, and sets of features are generated for the identified pairs of the connections. The features in the pairs are evaluated in order to detect a given pair of connections indicating malicious activity, and an alert is generated for the malicious activity.
    Type: Application
    Filed: April 11, 2018
    Publication date: October 17, 2019
    Inventors: Yinnon Meshi, Idan Amit, Eyal Firstenberg, Jonathan Allon, Yaron Neuman
  • Patent number: 10075461
    Abstract: A method for monitoring includes defining a plurality of different types of administrative activities in a computer system. Each administrative activity in the plurality includes an action performed by one of the computers in the system that can be invoked only by a user having an elevated level of privileges in the system. The administrative activities performed by at least a group of the computers in the system are tracked automatically. Upon detecting that a given computer in the system has performed an anomalous combination of at least two of the different types of administrative activities, an action is initiated to inhibit malicious exploitation of the given computer.
    Type: Grant
    Filed: May 31, 2015
    Date of Patent: September 11, 2018
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Michael Mumcuoglu, Giora Engel, Yaron Neuman, Eyal Firstenberg
  • Publication number: 20180069883
    Abstract: A method, including collecting information on data transmitted at respective times between multiple endpoints and multiple Internet sites having respective domains, and acquiring, from one or more external or internal sources, maliciousness information for the domains. An access time profile is generated based on the times of the transmissions to the domains, and a popularity profile is generated based on the transmissions to the domains. A malicious domain profile is generated based on the acquired maliciousness information, and the collected information is modeled using the access time profile, the popularity profile and the malicious domain profile. Based on their respective modeled collected information, one or more of the domains is predicted to be suspicious, and an alert is generated for the one or more identified domains.
    Type: Application
    Filed: September 4, 2017
    Publication date: March 8, 2018
    Inventors: Yinnon Meshi, Jonathan Allon, Eyal Firstenberg, Yaron Neuman, Dekel Paz, Idan Amit
  • Publication number: 20180069893
    Abstract: A method including extracting, from initial data transmitted on a network, multiple events, each of the events including a user accessing a resource. First and second sets of records are created, each first set record including a sub-group of the events of a user, each second set record including a sub-group of the events of multiple users during respective sub-periods of a training period. Safe labels are assigned to the first set records and suspicious labels are assigned to the second set records. An analysis fits, to the first and the second set records and their respective labels, a model for predicting the label for a given record. The model filters subsequent network data to identify, in the subsequent data, sequences of events predicted to be labeled suspicious by the model, and upon detecting a given sequence of events predicted as suspicious by the model, an alert is generated.
    Type: Application
    Filed: September 4, 2017
    Publication date: March 8, 2018
    Inventors: Idan Amit, Eyal Firstenberg, Jonathan Allon, Yaron Neuman
  • Publication number: 20170054744
    Abstract: A method for monitoring includes defining a plurality of different types of administrative activities in a computer system. Each administrative activity in the plurality includes an action performed by one of the computers in the system that can be invoked only by a user having an elevated level of privileges in the system. The administrative activities performed by at least a group of the computers in the system are tracked automatically. Upon detecting that a given computer in the system has performed an anomalous combination of at least two of the different types of administrative activities, an action is initiated to inhibit malicious exploitation of the given computer.
    Type: Application
    Filed: May 31, 2015
    Publication date: February 23, 2017
    Inventors: Michael Mumcuoglu, Giora Engel, Yaron Neuman, Eyal Firstenberg