Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for online fraud protection. One of the methods includes receiving a query associated with a user account of an online service provider; providing the query to a deep neural network model to generate a prediction of whether the user account is fraudulent, wherein the deep neural network model is trained using anonymized event data for a collection of users received from one or more online service providers; and providing the prediction to the online service provider.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for detecting network attacks. One of the methods includes obtaining input data associated with a plurality of accounts associated with a particular entity; extracting features from the input data; performing unsupervised attack ring detection using the extracted features, wherein the unsupervised attack ring detection identifies suspicious clusters of accounts that have strong similarity or correlations in the high dimensional feature space; and generating an output for the detected attack rings.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for rule generation and interaction. A rules engine is provided that does not require manual effort to generate or maintain high-quality rules over time for detecting malicious accounts or events. Rules no longer need to be manually added, tuned, or removed from the system. The system is able to determine the health of each rule and automatically add, tune, and remove rules to maintain a consistent, effective rule set.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for detecting malicious activities. One of the methods includes obtaining a collection of user event logs or receiving user events through real-time feeds; using data from the user event logs/feeds to determine IP address properties for individual IP addresses and IP address ranges; and for each incoming event, updating the IP address properties for the corresponding IP address and IP prefix properties.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for online fraud protection. One of the methods includes receiving a query associated with a user account of an online service provider; providing the query to a deep neural network model to generate a prediction of whether the user account is fraudulent, wherein the deep neural network model is trained using anonymized event data for a collection of users received from one or more online service providers; and providing the prediction to the online service provider.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for detecting network attacks. One of the methods includes obtaining input data associated with a plurality of accounts associated with a particular entity; extracting features from the input data; performing unsupervised attack ring detection using the extracted features, wherein the unsupervised attack ring detection identifies suspicious clusters of accounts that have strong similarity or correlations in the high dimensional feature space; and generating an output for the detected attack rings.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for detecting suspicious user activities. One of the methods includes generating hypergraphs, wherein the hypergraphs include nodes corresponding to feature profiles and edges between particular nodes representing a measure of similarity between nodes; using the generated hypergraphs to detect suspicious graph nodes; and using the suspicious graph nodes to detect malicious user communities.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for detecting malicious activities. One of the methods includes obtaining a collection of user event logs or receiving user events through real-time feeds; using data from the user event logs/feeds to determine IP address properties for individual IP addresses and IP address ranges; and for each incoming event, updating the IP address properties for the corresponding IP address and IP prefix properties.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for detecting suspicious users. One of the methods includes obtaining a collection of event logs or event feeds associated with a plurality of users to generate a collection of user properties; using the user properties to generate a plurality of groups of events; determining whether one or more groups are suspicious groups; and in response to a determination that one or more groups are suspicious, determining whether there are malicious accounts or events associated with each suspicious group.

Abstract: Mobile devices periodically send resource usage reports to an energy server. The reports include information such as an amount of energy used during a time interval, and identify processes that are executed on the mobile devices during the time interval. These reports are analyzed by the energy server and are used to generate statistics regarding the energy used by the mobile devices and the processes that are executed by the mobile devices. When a mobile device experiences a suspected energy spike, the mobile device generates and sends a report to the energy server. After confirming the energy spike, the energy server uses the statistics and the received report to identify one or more causes of the energy spike. The causes can include one or more processes, or the mobile device itself. The mobile device can reduce the amount of energy used based on the identified causes.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for rule generation and interaction. A rules engine is provided that does not require manual effort to generate or maintain high-quality rules over time for detecting malicious accounts or events. Rules no longer need to be manually added, tuned, or removed from the system. The system is able to determine the health of each rule and automatically add, tune, and remove rules to maintain a consistent, effective rule set.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for detecting malicious attacks. One of the methods includes generating a collection of hypergraphs representing user events across a collection of users; analyzing the collection of hypergraphs to determine a group of malicious user accounts or account activities satisfying a threshold confidence; using the group of malicious user accounts or account activities as training data for a machine learning system that generates one or more classifiers; and using the one or more generated classifiers to output additional malicious user accounts or account activities.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for detecting suspicious user activities. One of the methods includes generating hypergraphs, wherein the hypergraphs include nodes corresponding to feature profiles and edges between particular nodes representing a measure of similarity between nodes; using the generated hypergraphs to detect suspicious graph nodes; and using the suspicious graph nodes to detect malicious user communities.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for displaying information about computer network resources identified as engaging in malicious activities. One of the systems includes one or more computers including one or more processors and one or more memory devices, the one or more computers configured to: identify resources associated with an attack, and provide an attach resource dashboard user interface that displays information related to attack resources, wherein the user interface presents resource information comparing behavior of a particular resource at a single online service with behavior of the resource at other online services, and comparing the behavior of that resource with behavior of other resources.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for presenting data to visualize and interact with results of a user analytics engine. One of the systems include one or more computers including one or more processors and one or more memory devices, the one or more computers configured to: identify fraudulent user accounts through analysis of obtained client data; and provide a campaign user interface that plots groups of fraudulent user accounts to visualize them as attack campaigns, rather than displaying by listing individual fraudulent user accounts.

Abstract: A data partitioning plan is automatically generated that—given a data-parallel program and a large input dataset, and without having to first run the program on the input dataset—substantially optimizes performance of the distributed execution system that explicitly measures and infers various properties of both data and computation to perform cost estimation and optimization. Estimation may comprise inferring the cost of a candidate data partitioning plan, and optimization may comprise generating an optimal partitioning plan based on the estimated costs of computation and input/output.

Abstract: A service log of a service provider is analyzed to identify IP addresses used by account holders that are populated IP addresses. Existing information about legitimate and malicious accounts of the service provider is leveraged to determine likely good and bad populated IP addresses based on the accounts that use the populated IP addresses. Features of the good and bad populated IP addresses are used to train a classifier that can identify good and bad populated IP addresses based on features of the populated IP addresses. The classifier may be used to provide security services to the same service provider or different service providers. The services include identifying malicious accounts.

Abstract: Mobile devices periodically send resource usage reports to an energy server. The reports include information such as an amount of energy used during a time interval, and identify processes that are executed on the mobile devices during the time interval. These reports are analyzed by the energy server and are used to generate statistics regarding the energy used by the mobile devices and the processes that are executed by the mobile devices. When a mobile device experiences a suspected energy spike, the mobile device generates and sends a report to the energy server. After confirming the energy spike, the energy server uses the statistics and the received report to identify one or more causes of the energy spike. The causes can include one or more processes, or the mobile device itself. The mobile device can reduce the amount of energy used based on the identified causes.

Abstract: Search result poisoning attacks may be automatically detected by identifying groups of suspicious uniform resource locators (URLs) containing multiple keywords and exhibiting patterns that deviate from other URLs in the same domain without crawling and evaluating the actual contents of each web page. Suspicious websites are identified and lexical features are extracted for each such website. The websites are clustered based on their lexical features, and group analysis is performed on each group to identify at least one suspicious group. Other implementations are directed to detecting a search engine optimization (SEO) attack by processing a large population of URLs to identify suspicious URLs based on the presence of a subset of keywords in each URL and the relative newness of each URL.

Abstract: Dynamic IP addresses may be automatically identified and their dynamics patterns may be analyzed. Multi-user IP address blocks are determined as candidates for further analysis. An entropy score is determined for each IP address in every candidate block to distinguish between a dynamic IP and a static IP shared by multiple users. IP addresses with high entropy scores are grouped, and then analyzed, and may be used in various applications, such as spam filtering.