Patent classifications
H04L63/1425
NETWORK ACCESS ANOMALY DETECTION VIA GRAPH EMBEDDING
Disclosed is a scalable, graph-based approach to detecting anomalous accesses to resources in a computer network. Access events are represented as edges between resource nodes and accessing nodes (e.g., corresponding to users) in a bipartite graph, from which vector representations of the nodes that reflect the connections can be computed by graph embedding. For an access event of interest, an anomaly score may be computed based on dissimilarities, in terms of their embedding distances, between the associated accessing node and other accessing nodes that have accessed the same resource, and/or between the associated resource node and other resource nodes that have been accessed by the same accessing node.
SYSTEMS AND METHODS FOR IDENTIFYING ACCESS ANOMALIES USING NETWORK GRAPHS
In some instances, the disclosure provides a method for identifying access anomalies using network graphs. The method comprises obtaining access data for an entity, generating a network graph baseline profile based on the plurality of data elements, generating a network graph current profile based on the plurality of data elements, generating comparison data based on comparing the plurality of baseline network graphs with the one or more current network graphs and comparing the plurality of baseline nodes and the plurality of baseline edges with the plurality of current nodes and the plurality of current edges, determining, based on the comparison data, anomaly data comprising one or more flagged network accesses to the enterprise system, and providing the anomaly data indicating the flagged network accesses to an authentication system.
ANOMALY DETERMINATION METHOD, ANOMALY DETERMINATION DEVICE, AND RECORDING MEDIUM
In an anomaly determination method for determining an anomaly in a received message, a plurality of messages which include messages that are periodic and each of which includes a first field having a fixed value and a second field having a variable value are each received as the received message, and one of a plurality of combinations to be used for determination each of which includes at least one of a plurality of anomaly determinations including an anomaly determination utilizing a reception timing based on the periodicity or the number of received messages, an anomaly determination utilizing the first field, and an anomaly determination utilizing the second field, is selected according to one or more criteria among available execution time of the anomaly determination method, a load amount, a data amount, and the number of messages.
COMPUTER-IMPLEMENTED DETECTION OF ANOMALOUS TELEPHONE CALLS
Computer-implemented detection of anomalous telephone calls, for example detection of interconnect bypass fraud, is disclosed. A telephone call associated with user devices is analyzed remote from the user devices. A first set of multiple features, for example Mel Frequency Cepstral Coefficients, is derived from a call audio stream. The first set is converted to an embedding vector, for example via a model based on a Universal Background Model comprising a Gaussian Mixture Model, which model is preferably configured based on a training plurality of first sets of multiple features derived from a corresponding training plurality of audio streams. Occurrence, or probability of occurrence, of an anomalous telephone call is determined based on the embedding vector, for example via a back-end classifier, such as a Gaussian Backend Model, which classifier is preferably configured based on labels associated with the training plurality of audio streams.
METHOD FOR DETERMINING RISK LEVEL OF INSTANCE ON CLOUD SERVER, AND ELECTRONIC DEVICE
A method for determining a risk level of an instance on a cloud server. The method includes: obtaining one or more monitoring items of an instance to be monitored and a rule base of each monitoring item; obtaining monitoring data corresponding to each monitoring item of the instance to be monitored; and determining a risk level of the instance to be monitored under each monitoring item based on the rule base and the monitoring data of each monitoring item.
Method for Authentic Data Transmission Between Control Devices of a Vehicle, Arrangement with Control Devices, Computer Program, and Vehicle
A method is disclosed for authentic data transmission between control devices of a vehicle in which messages which are sent from a first control device to a receiver control device and are provided with a first cryptographic key for authentication, and messages that are sent from a second control device to the receiver control device are provided with a second cryptographic key for authentication. First status information provided with a third cryptographic key is sent from a monitoring module of the first control device to the receiver control device and second status information provided with the second cryptographic key is sent from the second control device to the receiver control device. The first status information and second status information are received by the receiver control device. The received first and second status information is evaluated to detect a manipulation of the first control device.
IoT MALWARE CLASSIFICATION AT A NETWORK DEVICE
- Madhusoodhana Chari SESHA
- Ramasamy APATHOTHARANAN
- Shree Phani Sundara BANAVATHI NARAYANA SASTRY
- Priyanka Chandrashekar BHAT
- Venkatesh MADI
- Srinidhi HARI PRASAD
- Azath Abdul SAMADH
- Kumar SURESH
- Manjunath Rajendra BATAKURKI
- Madhumitha RAJAMOHAN
- Ganesh PAGOTI
- Sriram MAHADEVA
- Karthik ARUMUGAM
- Harish RAMACHANDRAN
- Fahad KAMEEZ
Some examples relate to classifying IoT malware at a network device. An example includes receiving, by a network device, network traffic from an Internet of Things (IoT) device. The network device may analyze network parameters from the network traffic with a machine learning model. In response to the analysis, the network device may classify the network traffic into a category of malware activity. The network device may determine an effectiveness of the network traffic classification by measuring a deviation of the network parameters from previously trained network parameters that were used for training the machine learning model. In response to a determination that the deviation of the network parameters from the trained network parameters is more than a pre-defined threshold, the network device may generate an alert highlighting the deviation, which allows a user to perform a remedial action pertaining to the IoT device.
COLLECTING ENDPOINT DATA AND NETWORK DATA TO DETECT AN ANOMALY
The present application describes a system that uses endpoint data and network data to detect an anomaly. Once an anomaly is detected, the system may determine a severity of the anomaly by comparing the anomaly to a global database of known anomalies. The system may then initiate preventative measures to address the anomaly.
COMPUTER SYSTEM ATTACK DETECTION
In an example embodiment, a combination of machine learning and rule-based techniques is used to automatically detect social engineering attacks in a computer system. More particularly, three phases of detection are applied to communications in a thread or stream of communications: attack contextualization, intention classification, and security policy violation detection. Each phase of detection generates a score reflecting the degree of danger in the thread or stream of communications, and these scores may then be combined into a single global social engineering attack score, which may be used to determine appropriate actions to deal with the attack if it exceeds a threshold.
DETECTING MALICIOUS ACTIVITY ASSOCIATED WITH RESETTING AUTHENTICATION INFORMATION
In some implementations, a device may monitor incoming messages to at least one message account of a user. The device may determine, based on monitoring the incoming messages, that one or more messages, of the incoming messages, are associated with resetting authentication information for one or more accounts of the user. The device may determine, based on determining that the one or more messages are associated with resetting authentication information, whether the one or more messages are indicative of abnormal authentication information resetting activity. The device may perform one or more actions based on determining that the one or more messages are indicative of abnormal authentication information resetting activity.