Eyal Kolman

Techniques of performing queries involve adapting a query to whether query data is encrypted. Along these lines, a data sensitivity policy defines which types of data is encrypted prior to storage in a data analytics database and which other types of data remain unencrypted. When a client formulates a query, the client encrypts a query input and then conceals the encrypted query input and query function to form concealed query logic. When the concealed query logic is received by a data… Show more

Techniques of performing queries involve adapting a query to whether query data is encrypted. Along these lines, a data sensitivity policy defines which types of data is encrypted prior to storage in a data analytics database and which other types of data remain unencrypted. When a client formulates a query, the client encrypts a query input and then conceals the encrypted query input and query function to form concealed query logic. When the concealed query logic is received by a data analytics server, the data analytics server determines whether the query data to be input into the concealed query logic is encrypted or unencrypted. If the query data is unencrypted, then the concealed query logic is unconcealed and the query input unencrypted so that the data analytics server may evaluate the query function without concealment to produce a query result. Show less

A system that permits authentication based on a partial password, in which a risk score is assigned to an authentication request, and a minimum partial password size is generated based on the risk score. User-entered password characters are compared to one or more partial passwords having lengths equal to or greater than the minimum partial password size. If a match is found, the user is authenticated. A password similarity threshold for the request may also be generated based on the risk… Show more

A system that permits authentication based on a partial password, in which a risk score is assigned to an authentication request, and a minimum partial password size is generated based on the risk score. User-entered password characters are compared to one or more partial passwords having lengths equal to or greater than the minimum partial password size. If a match is found, the user is authenticated. A password similarity threshold for the request may also be generated based on the risk score, indicating a minimum level of similarity required between the user-entered password characters and the characters in a partial password, in order for there to be a match. When the user-entered password characters match a partial password, and the requesting user is authenticated, the system may stop inputting user-entered password characters, and/or transmitting the user-entered password characters to a server computer. Show less

A computer-implemented technique provides security to an enterprise. The technique involves receiving, by processing circuitry, personal information belonging to users of the enterprise. The technique further involves providing, by the processing circuitry, lists of user identifiers based on user relationships defined by the personal information. The lists of user identifiers respectively identify clusters of users of the enterprise. The technique further involves electronically imposing, by… Show more

A computer-implemented technique provides security to an enterprise. The technique involves receiving, by processing circuitry, personal information belonging to users of the enterprise. The technique further involves providing, by the processing circuitry, lists of user identifiers based on user relationships defined by the personal information. The lists of user identifiers respectively identify clusters of users of the enterprise. The technique further involves electronically imposing, by the processing circuitry, security classes on the clusters of users of the enterprise based on the lists of user identifiers. Along these lines, such classification can be used for risk assessment (e.g., authentication), alert filtering (e.g., filtering false alarms), and permission/privilege monitoring and/or assignment, among others. Show less

A server is configured to communicate with a group of clients over a network in one embodiment. The server maps the group of clients into a plurality of subgroups of bounded size, communicates to a given one of the clients information identifying the particular subgroup to which that client belongs as well as the other clients in that subgroup. The given client utilizes the communicated information to generate a ring signature over the corresponding subgroup of clients based on the communicated… Show more

A server is configured to communicate with a group of clients over a network in one embodiment. The server maps the group of clients into a plurality of subgroups of bounded size, communicates to a given one of the clients information identifying the particular subgroup to which that client belongs as well as the other clients in that subgroup. The given client utilizes the communicated information to generate a ring signature over the corresponding subgroup of clients based on the communicated information. The subgroup size may be bounded to a minimum size and a maximum size in accordance with a variable privacy parameter. The server can increase or decrease the value of the parameter in order to provide respective increased or decreased privacy to the clients, by making it respectively more or less difficult to determine which client in a corresponding one of the subgroups produced the received ring signature. Show less

A technique provides alert prioritization. The technique involves selecting attributes to use as alert scoring factors. The technique further involves updating, for an incoming alert having particular attribute values for the selected attributes, count data to represent encounter of the incoming alert from perspectives of the selected attributes. The technique further involves generating an overall significance score for the incoming alert based on the updated count data. The overall… Show more

A technique provides alert prioritization. The technique involves selecting attributes to use as alert scoring factors. The technique further involves updating, for an incoming alert having particular attribute values for the selected attributes, count data to represent encounter of the incoming alert from perspectives of the selected attributes. The technique further involves generating an overall significance score for the incoming alert based on the updated count data. The overall significance score is a measure of alert significance relative to other alerts. Scored alerts then can be sorted so that investigators focus on the alerts with the highest significance scores. Such a technique is well suited for adaptive authentication (AA) and Security Information and Event Management (SIEM) systems among other alert-based systems such as churn analysis systems, malfunction detection systems, and the like. Show less

An information processing system implements a security system. The security system comprises a classifier configured to process information characterizing events in order to generate respective risk scores, and a data store coupled to the classifier and configured to store feedback relating to one or more attributes associated with an assessment of the risk scores by one or more users. The classifier is configured to utilize the feedback regarding the risk scores to learn riskiness of… Show more

An information processing system implements a security system. The security system comprises a classifier configured to process information characterizing events in order to generate respective risk scores, and a data store coupled to the classifier and configured to store feedback relating to one or more attributes associated with an assessment of the risk scores by one or more users. The classifier is configured to utilize the feedback regarding the risk scores to learn riskiness of particular events and to adjust its operation based on the learned riskiness, such that the risk score generated by the classifier for a given one of the events is based at least in part on the feedback received regarding risk scores generated for one or more previous ones of the events. Show less

There are disclosed techniques for use in providing security in a computer network. In one embodiment, the techniques comprise a method including multiple steps. The method comprises receiving user access data characterizing user access with a protected resource within a computer network. The method also comprises evaluating the user access data to extract information therefrom that describes user access with respect to a feature of user access. The method also comprises determining a… Show more

There are disclosed techniques for use in providing security in a computer network. In one embodiment, the techniques comprise a method including multiple steps. The method comprises receiving user access data characterizing user access with a protected resource within a computer network. The method also comprises evaluating the user access data to extract information therefrom that describes user access with respect to a feature of user access. The method also comprises determining a cardinality value in connection with the feature based on the extracted information and a maximum cardinality threshold. It should be appreciated that the cardinality value is limited by the maximum cardinality threshold such that the cardinality value cannot exceed the maximum cardinality threshold. The method also comprises presenting the cardinality value for facilitating fraud detection. Show less

In this disclosure we present an innovative method to automatically handle, prune, and aggregate these huge rules lists. This is applied using data-driven approach which analyzes the cases in which each rule fires, correlate between the different rules alerts, and aggregate rules based on these correlations. This follows the approach of Association Rules which is a common unsupervised method for finding patterns in unlabeled data. We apply similar concepts where the handled objects are rules… Show more

In this disclosure we present an innovative method to automatically handle, prune, and aggregate these huge rules lists. This is applied using data-driven approach which analyzes the cases in which each rule fires, correlate between the different rules alerts, and aggregate rules based on these correlations. This follows the approach of Association Rules which is a common unsupervised method for finding patterns in unlabeled data. We apply similar concepts where the handled objects are rules and their alerts. Show less

There is disclosed a technique for detecting risky domains. The technique comprises collecting information in connection with a domain. The technique also comprises generating a profile comprising at least one metric associated with the domain based on the collected information. The technique further comprises determining the riskiness in connection with the domain based on the generated profile.

A new method for detection of Fast-Flux-based attcks

A technique detects riskiness of a communication in a network based on behavior profiling. The technique involves generating a network history baseline (e.g., normal and abnormal behavior profiles) from prior network communications occurring in the network. The technique further involves, for a new network communication, assigning the new network communication a risk score based on a comparison of the new network communication to the network history baseline. The risk score is a numerical… Show more

A technique detects riskiness of a communication in a network based on behavior profiling. The technique involves generating a network history baseline (e.g., normal and abnormal behavior profiles) from prior network communications occurring in the network. The technique further involves, for a new network communication, assigning the new network communication a risk score based on a comparison of the new network communication to the network history baseline. The risk score is a numerical measure of behavioral normalcy relative to the prior network communications occurring in the network. The technique further involves providing an output signal having a first value when the risk score is above a predefined risk threshold to indicate that the communication is risky, and a second value which is different than the first value when the risk score is below the predefined risk threshold to indicate that the communication is not risky. Show less

Data driven device detection is provided, whereby a device is detected by obtaining a plurality of feature values for a given device; obtaining a set of device attributes for a plurality of potential devices; calculating a probability value that the given device is each potential device within the plurality of potential devices; identifying a candidate device associated with a maximum probability value among the calculated probability values; and labeling the given device as the candidate… Show more

Data driven device detection is provided, whereby a device is detected by obtaining a plurality of feature values for a given device; obtaining a set of device attributes for a plurality of potential devices; calculating a probability value that the given device is each potential device within the plurality of potential devices; identifying a candidate device associated with a maximum probability value among the calculated probability values; and labeling the given device as the candidate device if the associated maximum probability value satisfies a predefined threshold. The predefined threshold can be a function, for example, of whether the given user has previously used this device. The obtained feature values can be obtained for a selected set of features satisfying one or more predefined characteristic criteria. The device attributes can be obtained, for example, from a profile for each of the plurality of potential devices. Show less

There is disclosed some techniques for selecting a user authentication challenge. In one example, the method comprises the steps of receiving an authentication request to authenticate a user and selecting a user authentication challenge to issue to the user in response to receiving the authentication request. The selection of the user authentication challenge comprises selecting a user authentication challenge among a plurality of user authentication challenges based on the cost effectiveness… Show more

There is disclosed some techniques for selecting a user authentication challenge. In one example, the method comprises the steps of receiving an authentication request to authenticate a user and selecting a user authentication challenge to issue to the user in response to receiving the authentication request. The selection of the user authentication challenge comprises selecting a user authentication challenge among a plurality of user authentication challenges based on the cost effectiveness of the respective user authentication challenges and characteristics of the authentication request. Show less

An improved technique involves processing network traffic data to automatically establish whether a device on the network satisfies a particular set of constraints. Along these lines, a SIEM server observes and processes incoming and outgoing traffic data corresponding to a particular device at an address of the network. The SIEM server then analyzes this traffic data in order to determine whether the data satisfies a set of constraints satisfied by a client, or another set of constraints… Show more

An improved technique involves processing network traffic data to automatically establish whether a device on the network satisfies a particular set of constraints. Along these lines, a SIEM server observes and processes incoming and outgoing traffic data corresponding to a particular device at an address of the network. The SIEM server then analyzes this traffic data in order to determine whether the data satisfies a set of constraints satisfied by a client, or another set of constraints satisfied by a server. The SIEM server then applies the label of “client” or “server” to the device according to which set of constraints the SIEM server determines the data to have satisfied. Show less

Active learning-based fraud detection techniques are provided in adaptive authentication systems. An authentication request from an authentication requestor is processed by receiving the authentication request from the authentication requester; comparing current data for the user associated with the user identifier with historical data for the user; generating an adaptive authentication result based on the comparison indicating a likelihood current user data is associated with a fraudulent… Show more

Active learning-based fraud detection techniques are provided in adaptive authentication systems. An authentication request from an authentication requestor is processed by receiving the authentication request from the authentication requester; comparing current data for the user associated with the user identifier with historical data for the user; generating an adaptive authentication result based on the comparison indicating a likelihood current user data is associated with a fraudulent user; and performing one or more additional authentication operations to improve learning if the request satisfies one or more predefined non-risk based criteria. The predefined non-risk based criteria comprises, for example, (i) the request receiving a riskiness score below a threshold based on current data and wherein the request was expected to have a risk score above a threshold, or (ii) the request being in a bucket having a number of tagged events below a threshold. Show less

Similarity-based fraud detection techniques are provided in adaptive authentication systems. A method is provided for determining if an event is fraudulent by obtaining a plurality of tagged events and one or more untagged events, wherein the tagged events indicate a likelihood of whether the corresponding event was fraudulent; constructing a graph, wherein each node in the graph represents an event and has a value representing a likelihood of whether the corresponding event was fraudulent and… Show more

Similarity-based fraud detection techniques are provided in adaptive authentication systems. A method is provided for determining if an event is fraudulent by obtaining a plurality of tagged events and one or more untagged events, wherein the tagged events indicate a likelihood of whether the corresponding event was fraudulent; constructing a graph, wherein each node in the graph represents an event and has a value representing a likelihood of whether the corresponding event was fraudulent and wherein similar transactions are connected via weighted links; diffusing through weights in the graph to assign values to nodes such that neighbors of nodes having non-zero values receive similar values as the neighbors; and classifying whether at least one of the one or more untagged events is fraudulent based on the assigned values. Show less

An improved technique for managing access of a user of a computing machine to a remote network collects device posture information about the user's mobile device. The mobile device runs a soft token, and the collected posture information pertains to various aspects of the mobile device, such as the mobile device's hardware, software, environment, and/or users, for example. The server applies the collected device posture information along with token codes from the soft token in authenticating… Show more

An improved technique for managing access of a user of a computing machine to a remote network collects device posture information about the user's mobile device. The mobile device runs a soft token, and the collected posture information pertains to various aspects of the mobile device, such as the mobile device's hardware, software, environment, and/or users, for example. The server applies the collected device posture information along with token codes from the soft token in authenticating the user to the remote network. Show less

A server is configured to communicate with a group of clients over a network. Each of the clients obtains a corresponding informational message comprising security-related information such as an indication of compromise (IOC), inserts noise in the information message to generate an anonymized message, and communicates the anonymized message to the server. The anonymized messages communicated by the respective clients to the server may be configured so as to prevent the server from identifying… Show more

A server is configured to communicate with a group of clients over a network. Each of the clients obtains a corresponding informational message comprising security-related information such as an indication of compromise (IOC), inserts noise in the information message to generate an anonymized message, and communicates the anonymized message to the server. The anonymized messages communicated by the respective clients to the server may be configured so as to prevent the server from identifying any individual client associated with a particular one of the anonymized messages, while also allowing the server to extract from the anonymized messages collectively one or more characteristics of the underlying informational messages. A given client may insert noise in an informational message by, for example, selecting a noise value from a specified range of noise values, and combining the informational message and the selected noise value to generate the anonymized message. Show less

A method for spotting an interaction in which a target speaker associated with a current index or current interaction speaks, the method comprising: receiving an interaction and an index associated with the interaction, the index associated with additional data; receiving the current interaction or current index associated with the target speaker; obtaining current data associated with the current interaction or current index; filtering the index using the additional data, in accordance with… Show more

A method for spotting an interaction in which a target speaker associated with a current index or current interaction speaks, the method comprising: receiving an interaction and an index associated with the interaction, the index associated with additional data; receiving the current interaction or current index associated with the target speaker; obtaining current data associated with the current interaction or current index; filtering the index using the additional data, in accordance with the current data associated with the current interaction or current index, and obtaining a matching index; and comparing the current index or a representation of the current interaction with the matching index to obtain a target speaker index. Show less