Rarity analysis in network security anomaly/threat detection
Abstract
A security platform employs a variety of techniques and mechanisms to detect security-related anomalies and threats in a computer network environment. The security platform is "big data" driven and employs machine learning to perform security analytics. It performs user/entity behavioral analytics (UEBA) to detect security-related anomalies and threats, regardless of whether such anomalies or threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat and to take action promptly.
29 Claims
1. A method comprising:
analyzing, by a computer system, event data representative of data traffic associated with a computer network to identify a feature of the data traffic, the data traffic including a plurality of occurrences of the feature, each occurrence of the feature having one of a plurality of values of the feature;
identifying, by the computer system, a set of the values whose probability of occurrence does not exceed a probability of occurrence of a particular value of the plurality of values, the set of the values being those values of the feature that have occurred not more than the number of times of the particular value;
determining, by the computer system, a rarity score for the particular value as a function of the probability of occurrence of the set of the values;
detecting, by the computer system, that activity of an entity on the computer network is anomalous in a security context, by determining that an occurrence of the particular value corresponds to an anomaly, based on the rarity score, wherein said determining the rarity score of the particular value and said determining that the occurrence of the particular value corresponds to an anomaly comprise executing a machine learning model at the computer system; and
enabling, by the computer system, a targeted response to a security threat indicated by the activity by causing a display of an indication that the activity is anomalous.
Dependent claims: 2 to 24.
25. A non-transitory machine-readable storage medium storing instructions, execution of which in a computer system causes the computer system to perform operations comprising:
analyzing event data representative of data traffic associated with a computer network to identify a feature of the data traffic, the data traffic including a plurality of occurrences of the feature, each occurrence of the feature having one of a plurality of values of the feature;
identifying a set of the values whose probability of occurrence does not exceed a probability of occurrence of a particular value of the plurality of values, the set of the values being those values of the feature that have occurred not more than the number of times of the particular value;
determining a rarity score for the particular value as a function of the probability of occurrence of the set of the values;
detecting that activity of an entity on the computer network is anomalous in a security context, by determining that an occurrence of the particular value corresponds to an anomaly, based on the rarity score, wherein said determining the rarity score of the particular value and said determining that the occurrence of the particular value corresponds to an anomaly comprise executing a machine learning model at the computer system; and
enabling a targeted response to a security threat indicated by the activity by causing a display of an indication that the activity is anomalous.
Dependent claims: 26 and 27.
28. A system, comprising:
a processor;
a memory operatively coupled to the processor;
a first module operatively coupled to the processor and configured to analyze event data representative of data traffic associated with a computer network to identify a feature of the data traffic, the data traffic including a plurality of occurrences of the feature, each occurrence of the feature having one of a plurality of values of the feature;
a second module operatively coupled to the processor and configured to identify a set of the values whose probability of occurrence does not exceed a probability of occurrence of a particular value of the plurality of values, the set of the values being those values of the feature that have occurred not more than the number of times of the particular value;
a third module operatively coupled to the processor and configured to determine a rarity score of the particular value as a function of the probability of occurrence of the set of values;
a fourth module operatively coupled to the processor and configured to detect that activity of an entity on the computer network is anomalous in a security context, by determining that an occurrence of the particular value corresponds to an anomaly, based on the rarity score, wherein determination of the rarity score of the particular value and determination that the occurrence of the particular value corresponds to an anomaly comprise executing a machine learning model; and
a fifth module operatively coupled to the processor and configured to enable a targeted response to a security threat indicated by the activity by causing a display of an indication that the activity is anomalous.
Dependent claims: 29.
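A worked implementation of the rarity scoring that claims 1, 25 and 28 describe, added here as an illustration and not code from the patent or its assignee: the set probability covers every value seen no more often than the scored value, the rarity score is taken as the negative log of that probability (an assumed choice of function, since the claims only say "a function of"), and a fixed threshold stands in for the claims' machine learning model. The feature counts are a constructed sample.

```python
from collections import Counter
from math import log10

# Constructed sample: how often each value of one feature (here the destination
# port of outbound connections) occurred in a window of parsed event data.
SAMPLE_COUNTS = Counter({"443": 60, "80": 25, "22": 8, "53": 8,
                         "8443": 3, "5900": 1, "2049": 1})


def set_probability(counts, value):
    """Probability mass of every value that occurred no more often than `value`.

    This is the claim's set of values whose probability of occurrence does not
    exceed that of the particular value. A value absent from `counts` is the
    first occurrence of itself, so it is counted once before scoring.
    """
    counts = Counter(counts)
    if value not in counts:
        counts[value] = 1
    total = sum(counts.values())
    c = counts[value]
    return sum(n for n in counts.values() if n <= c) / total


def rarity_score(counts, value):
    """Rarity as -log10 of the set probability (an assumed choice; the claims
    say only that the score is 'a function of' that probability). 0 means the
    value is at least as common as every other value."""
    return -log10(set_probability(counts, value))


def assess(counts, value, threshold=1.0):
    """Score one occurrence and return the evidence a display would show.

    Assumption: a fixed threshold stands in for the machine learning model the
    claims place this decision in; rarity > 1.0 means the set holds under 10%
    of all occurrences.
    """
    score = rarity_score(counts, value)
    return {"value": value, "count": Counter(counts)[value],
            "set_probability": set_probability(counts, value),
            "rarity": round(score, 3), "anomalous": score > threshold}


def anomalous_values(counts, threshold=1.0):
    """Every value in `counts` whose occurrences would be flagged."""
    return sorted(v for v in counts if rarity_score(counts, v) > threshold)
```

Because the score sums over all values at least as rare as the one scored, a value seen once among many other singletons is not rare, which is what distinguishes this from a plain frequency threshold.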