Detection of clustering in graphs in network security analysis
First Claim
1. A method comprising:
- receiving, at a computer system, event data indicative of network activity of a plurality of entities that are part of or that interact with a computer network;
constructing, by the computer system and based on the event data, a graph that represents relationships among the plurality of entities, the graph including a plurality of nodes that each represent a different one of the entities that are part of or that interact with the computer network and a plurality of edges that represent relationships between pairs of the nodes;
performing, by the computer system, a cluster identification process to identify a node cluster of the plurality nodes, the cluster identification process including computing L1-norm values for the nodes to assign positions to the nodes on a one-dimensional (1D) grid, based on the graph, and identifying the node cluster based on the assigned positions of the nodes on the 1D grid; and
detecting, by the computer system, a network security anomaly based on the identified node cluster.
2 Assignments
0 Petitions
Accused Products
Abstract
A security platform employs a variety techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
73 Citations
30 Claims
-
1. A method comprising:
-
receiving, at a computer system, event data indicative of network activity of a plurality of entities that are part of or that interact with a computer network; constructing, by the computer system and based on the event data, a graph that represents relationships among the plurality of entities, the graph including a plurality of nodes that each represent a different one of the entities that are part of or that interact with the computer network and a plurality of edges that represent relationships between pairs of the nodes; performing, by the computer system, a cluster identification process to identify a node cluster of the plurality nodes, the cluster identification process including computing L1-norm values for the nodes to assign positions to the nodes on a one-dimensional (1D) grid, based on the graph, and identifying the node cluster based on the assigned positions of the nodes on the 1D grid; and detecting, by the computer system, a network security anomaly based on the identified node cluster. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
-
-
20. A computer system comprising:
-
a processor; and a communication device, operatively coupled to the processor, through which to receive event data indicative of network activity of a plurality of entities that are part of or that interact with a computer network; wherein the processor is configured to construct, based on the event data, a graph that represents relationships among the plurality of entities that are part of or that interact with the computer network, the graph including a plurality of nodes that each represent a different one of the entities and a plurality of edges that represent relationships between pairs of the nodes; perform a cluster identification process to identify a node cluster of the plurality nodes, the cluster identification process including computing L1-norm values for the nodes to assign positions to the plurality of nodes on a one-dimensional (1D) grid, based on the graph, and identifying the node cluster based on the assigned positions of the nodes on the 1D grid; and detect a network security anomaly based on the identified node cluster. - View Dependent Claims (21, 22, 23, 24, 25)
-
-
26. A non-transitory machine-readable storage medium for use in a processing system, the non-transitory machine-readable storage medium storing instructions, an execution of which in the processing system causes the processing system to perform operations comprising:
-
receiving event data indicative of network activity of a plurality of entities that are part of or that interact with a computer network; constructing, based on the event data, a graph that represents relationships among the plurality of entities, the graph including a plurality of nodes that each represent a different one of the entities that are part of or that interact with the computer network and a plurality of edges that represent relationships between pairs of the nodes; performing a cluster identification process to identify a node cluster of the plurality nodes, the cluster identification process including computing L1-norm values for the nodes to assign positions to the plurality of nodes on a one-dimensional (1D) grid, based on the graph, and identifying the node cluster based on the assigned positions of the nodes on the 1D grid; and detecting a network security anomaly based on the identified node cluster. - View Dependent Claims (27, 28, 29, 30)
-
Specification