Abstract: A method, apparatus and computer program product for real-time new account fraud detection and prevention. The technique leverages machine learning. In this approach, first and second computational branches of a machine learning model are trained jointly on a corpus of emails. Following training, an arbitrary email is received. The arbitrary email is then applied through the computational branches of the machine learning model. The first branch has an attention layer, and the second branch has a convolutional layer. The outputs of the branches are aggregated into an output that is then applied through another self-attention layer to generate a score. Based on the score, the arbitrary email is characterized. If the email is characterized as fraudulent, a mitigation action is taken.

Abstract: A method executes upon receiving data associated with a registration. In response, an encoding is applied to the data to generate a vector. The vector indexes a database of such vectors that the system maintains (from prior registrations). The database potentially includes one or more node vector(s) that may have a given similarity to the encoded node vector. To determine whether there are such vectors present, a set of k-nearest neighbors to the encoded node vector are then obtained from the database. This set of k-nearest neighbors together with the encoded node vector comprise a virtual graph that is then fed as a graph input to a Graph Neural Network previously trained on a set of training data. The GNN generates a probability. If the probability exceeds a configurable threshold, the system outputs an indication that the registration is potentially fraudulent, and a mitigation action is taken.

Abstract: A technique to detect script-based attacks. In this approach, behavioral analysis is performed against a traceable data structure, preferably in the form of a call flow graph (CFG) that is generated at an instrumented end user client browser. The CFG comprises a set of runtime script execution data points and one or more associated event chains that include the execution data points and their relative ordering. It is generated in a client browser in association with an interaction with a page, and it represents a context-based record of that specific interaction. By collecting similar CFGs from other such interactions with that page, the system identifies execution flow anomalies that represent malicious JavaScript attack(s). These attacks can then be mitigated, e.g., by updating the page or access policy associated with the page such that the attack cannot be successfully executed against other users interacting with the page.

Abstract: A method executes upon receiving data (email, IP address) associated with an account registration. In response, an encoding is applied to the data to generate a node vector. The node vector indexes a database of such node vectors that the system maintains (from prior registrations). The database potentially includes one or more node vector(s) that may have a given similarity to the encoded node vector. To determine whether there are such vectors present, a set of k-nearest neighbors to the encoded node vector are then obtained from the database. This set of k-nearest neighbors together with the encoded node vector comprise a virtual graph that is then fed as a graph input to a Graph Neural Network previously trained on a set of training data. The GNN generates a probability that the virtual graph represents a NAF. If the probability exceeds a configurable threshold, the system outputs an indication that the registration is potentially fraudulent, and a mitigation action is taken.

Abstract: A method and system of detecting script-based attacks. In this approach, behavioral analysis is performed against a traceable data structure, preferably in the form of a call flow graph (CFG) that is generated at an instrumented end user client browser. The CFG comprises a set of runtime JavaScript execution data points and one or more associated event chains that include the execution data points and their relative ordering. It is generated in a client browser in association with an interaction with a page, and it represents a context-based record of that specific interaction. By collecting similar CFGs from other such interactions with that page, the system identifies execution flow anomalies that represent malicious JavaScript attack(s). These attacks can then be mitigated, e.g., by updating the page or access policy associated with the page such that the attack cannot be successfully executed against other users interacting with the page.

Abstract: A method executes upon receiving data (email, IP address) associated with an account registration. In response, an encoding is applied to the data to generate a node vector. The node vector indexes a database of such node vectors that the system maintains (from prior registrations). The database potentially includes one or more node vector(s) that may have a given similarity to the encoded node vector. To determine whether there are such vectors present, a set of k-nearest neighbors to the encoded node vector are then obtained from the database. This set of k-nearest neighbors together with the encoded node vector comprise a virtual graph that is then fed as a graph input to a Graph Neural Network previously trained on a set of training data. The GNN generates a probability that the virtual graph represents a NAF. If the probability exceeds a configurable threshold, the system outputs an indication that the registration is potentially fraudulent, and a mitigation action is taken.

Abstract: A method, apparatus and computer program product for real-time new account fraud detection and prevention. The technique leverages machine learning. In this approach, first and second computational branches of a machine learning model are trained jointly on a corpus of emails. Following training, an arbitrary email is received. The arbitrary email is then applied through the computational branches of the machine learning model. The first branch has an attention layer, and the second branch has a convolutional layer. The outputs of the branches are aggregated into an output that is then applied through another self-attention layer to generate a score. Based on the score, the arbitrary email is characterized. If the email is characterized as fraudulent, a mitigation action is taken.

Abstract: A method and system of detecting script-based attacks. In this approach, behavioral analysis is performed against a traceable data structure, preferably in the form of a call flow graph (CFG) that is generated at an instrumented end user client browser. The CFG comprises a set of runtime JavaScript execution data points and one or more associated event chains that include the execution data points and their relative ordering. It is generated in a client browser in association with an interaction with a page, and it represents a context-based record of that specific interaction. By collecting similar CFGs from other such interactions with that page, the system identifies execution flow anomalies that represent malicious JavaScript attack(s). These attacks can then be mitigated, e.g., by updating the page or access policy associated with the page such that the attack cannot be successfully executed against other users interacting with the page.

Abstract: A method, system, and computer program product for detecting malicious code insertion in data are provided in the illustrative embodiments. At an application executing using a processor and a memory in a data processing system, a script that has been inserted in a mix of code and content is detected. A content-related portion is removed from the script to form a remaining script structure, the content-related portion referring to the content in the mix. From the remaining script structure, a code construct is selected and replaced with an alphanumeric string to form a normalized construct. Whether the normalized construct matches, within a tolerance, a second normalized construct in a corpus of normalized scripts is determined. Responsive to the normalized construct matching the second normalized construct within the tolerance, a conclusion is drawn that the script is malicious.

Abstract: A method, system, and computer program product for detecting malicious code insertion in data are provided in the illustrative embodiments. At an application executing using a processor and a memory in a data processing system, a script that has been inserted in a mix of code and content is detected. A content-related portion is removed from the script to form a remaining script structure, the content-related portion referring to the content in the mix. From the remaining script structure, a code construct is selected and replaced with an alphanumeric string to form a normalized construct. Whether the normalized construct matches, within a tolerance, a second normalized construct in a corpus of normalized scripts is determined. Responsive to the normalized construct matching the second normalized construct within the tolerance, a conclusion is drawn that the script is malicious.

Abstract: A method, system, and computer program product for detecting malicious code insertion in data are provided in the illustrative embodiments. At an application executing using a processor and a memory in a data processing system, a script that has been inserted in a mix of code and content is detected. A content-related portion is removed from the script to form a remaining script structure, the content-related portion referring to the content in the mix. From the remaining script structure, a code construct is selected and replaced with an alphanumeric string to form a normalized construct. Whether the normalized construct matches, within a tolerance, a second normalized construct in a corpus of normalized scripts is determined. Responsive to the normalized construct matching the second normalized construct within the tolerance, a conclusion is drawn that the script is malicious.

Abstract: A method, system, and computer program product for detecting malicious code insertion in data are provided in the illustrative embodiments. At an application executing using a processor and a memory in a data processing system, a script that has been inserted in a mix of code and content is detected. A content-related portion is removed from the script to form a remaining script structure, the content-related portion referring to the content in the mix. From the remaining script structure, a code construct is selected and replaced with an alphanumeric string to form a normalized construct. Whether the normalized construct matches, within a tolerance, a second normalized construct in a corpus of normalized scripts is determined. Responsive to the normalized construct matching the second normalized construct within the tolerance, a conclusion is drawn that the script is malicious.