Probabilistic suffix trees for network security analysis
First Claim
1. A method comprising:
- training an event sequence prediction model based on a number of past sequences of event feature sets such that the event sequence prediction model, when deployed and given a historical event feature set sequence, is to generate a probability of encountering a particular event as the next event;
- establishing, for the particular entity, an entity-specific baseline distribution of anomaly counts based on using the event sequence prediction model to calculate rarity scores for a number of baseline profiling windows of events;
- receiving a sequence of event feature sets corresponding to a sequence of events, wherein the event feature sets are derived from raw event machine data recorded in a computer network;
- measuring an anomaly count within a target event window by processing the sequence of event feature sets through the event sequence prediction model to determine a rarity score for the target event window;
- identifying the target event window as containing a suspicious series of events based on the rarity score for the target event window;
- comparing a similarity of the target event window to past rare windows based on a combination of different similarity metrics; and
- generating a computer security threat indicator or a computer security anomaly indicator based on the identification of the suspicious series of events.
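The steps of claim 1 (train a next-event model, derive an entity-specific baseline of anomaly counts from profiling windows, score a target window, flag it, and compare it to past rare windows with a combination of similarity metrics) can be exercised end to end with a small probabilistic suffix tree. The following is an added example written for this page, not code from the patent or its assignee: the event names, the sequences for the entity "alice", the rarity threshold `tau`, the `k`-sigma rule, the Jaccard/cosine blend and the 0.8 cut-off that separates a "threat" from an "anomaly" indicator are all constructed assumptions.

```python
"""Added example: probabilistic suffix tree (PST) scoring of event windows,
an entity-specific baseline of anomaly counts, and a combined-metric
similarity check against past rare windows. All data and thresholds below
are constructed for illustration (not the patent's own implementation)."""
from collections import Counter, defaultdict
from math import sqrt


class ProbabilisticSuffixTree:
    """Variable-order Markov model: P(next event | longest seen suffix of history)."""

    def __init__(self, max_depth=2, alpha=0.5):
        self.max_depth = max_depth
        self.alpha = alpha                    # additive smoothing: unseen events keep P > 0
        self.counts = defaultdict(Counter)    # context tuple -> Counter of next events
        self.alphabet = set()

    def train(self, sequences):
        """Count every (suffix of length 0..max_depth, next event) pair in past sequences."""
        for seq in sequences:
            self.alphabet.update(seq)
            for i, event in enumerate(seq):
                for k in range(0, self.max_depth + 1):
                    if i - k < 0:
                        break
                    self.counts[tuple(seq[i - k:i])][event] += 1

    def prob(self, history, event):
        """Back off from the longest suffix of history that the tree has seen."""
        vocab = len(self.alphabet) + 1        # +1 reserves probability mass for unknown events
        for k in range(min(self.max_depth, len(history)), -1, -1):
            ctx = tuple(history[len(history) - k:])
            if ctx in self.counts:
                c = self.counts[ctx]
                return (c[event] + self.alpha) / (sum(c.values()) + self.alpha * vocab)
        return 1.0 / vocab                    # only reached for an untrained model


def anomaly_count(model, window, tau=0.1, history=()):
    """Rarity score of a window: number of events whose predicted probability is below tau."""
    context, count = list(history), 0
    for event in window:
        if model.prob(context, event) < tau:
            count += 1
        context.append(event)
    return count


def baseline(model, profiling_windows, tau=0.1):
    """Entity-specific baseline distribution of anomaly counts over profiling windows."""
    counts = [anomaly_count(model, w, tau) for w in profiling_windows]
    mean = sum(counts) / len(counts)
    std = sqrt(sum((c - mean) ** 2 for c in counts) / len(counts))
    return mean, std, counts


def is_suspicious(count, mean, std, k=2.0):
    """Assumed rule: a window is suspicious when its count exceeds mean + k * std."""
    return count > mean + k * std


def similarity(a, b):
    """Combination of two metrics: Jaccard over event types plus cosine over event counts."""
    sa, sb = set(a), set(b)
    jaccard = len(sa & sb) / len(sa | sb)
    ca, cb = Counter(a), Counter(b)
    dot = sum(ca[e] * cb[e] for e in ca)
    norm = sqrt(sum(v * v for v in ca.values())) * sqrt(sum(v * v for v in cb.values()))
    return 0.5 * jaccard + 0.5 * dot / norm


def most_similar_rare_window(target, past_rare_windows):
    """Index and score of the past rare window closest to the target window."""
    score, idx = max((similarity(target, w), i) for i, w in enumerate(past_rare_windows))
    return idx, score


# Constructed data for one entity ("alice"); event names are illustrative only.
PAST = [["login", "read", "read", "write", "logout"],
        ["login", "read", "write", "read", "logout"],
        ["login", "read", "read", "read", "logout"],
        ["login", "write", "read", "logout"]]
PROFILING = [["login", "read", "write", "logout"], ["login", "read", "read", "logout"],
             ["login", "write", "read", "logout"], ["login", "read", "logout"]]
PAST_RARE = [["login", "sudo", "scp", "logout"],
             ["login", "write", "write", "write", "logout"]]
TARGET = ["login", "sudo", "scp", "scp", "logout"]


def analyze(target=TARGET, entity="alice"):
    """Run the whole pipeline and emit an indicator dict (threat vs anomaly is an assumed split)."""
    model = ProbabilisticSuffixTree(max_depth=2, alpha=0.5)
    model.train(PAST)
    mean, std, _ = baseline(model, PROFILING)
    count = anomaly_count(model, target)
    suspicious = is_suspicious(count, mean, std)
    idx, sim = most_similar_rare_window(target, PAST_RARE) if suspicious else (None, 0.0)
    kind = None if not suspicious else ("threat" if sim >= 0.8 else "anomaly")
    return {"entity": entity, "anomaly_count": count, "baseline_mean": mean,
            "baseline_std": std, "suspicious": suspicious,
            "closest_past_rare_window": idx, "similarity": sim, "indicator": kind}


if __name__ == "__main__":
    print(analyze())
```

Two points the code makes explicit: the baseline absorbs the model's own noise (one normal profiling window already scores a count of 1 because a short session ends earlier than the tree expects), so the target is judged against that distribution rather than against zero; and the backoff to shorter suffixes is what lets never-seen events such as `sudo` or `scp` receive a small but non-zero probability instead of breaking the scorer.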
Abstract
A security platform employs a variety of techniques and mechanisms to detect security-related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security-related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
33 Claims
32. A system comprising:
- a memory storing computer-executable instructions; and
- a data processor configured by the computer-executable instructions to:
  - train an event sequence prediction model based on a number of past sequences of event feature sets such that the event sequence prediction model, when deployed and given a historical event feature set sequence, is to generate a probability of encountering a particular event as the next event;
  - establish, for the particular entity, an entity-specific baseline distribution of anomaly counts based on using the event sequence prediction model to calculate rarity scores for a number of baseline profiling windows of events;
  - receive a sequence of event feature sets corresponding to a sequence of events, wherein the event feature sets are derived from raw event machine data recorded in a computer network;
  - measure an anomaly count within a target event window by processing the sequence of event feature sets through the event sequence prediction model to determine a rarity score for the target event window;
  - identify the target event window as containing a suspicious series of events based on the rarity score for the target event window;
  - compare a similarity of the target event window to past rare windows based on a combination of different similarity metrics; and
  - generate a computer security threat indicator or a computer security anomaly indicator based on the identification of the suspicious series of events.
33. A non-transitory computer readable medium storing instructions that, when executed by a processor, cause the processor to:
- train an event sequence prediction model based on a number of past sequences of event feature sets such that the event sequence prediction model, when deployed and given a historical event feature set sequence, is to generate a probability of encountering a particular event as the next event;
- establish, for the particular entity, an entity-specific baseline distribution of anomaly counts based on using the event sequence prediction model to calculate rarity scores for a number of baseline profiling windows of events;
- receive a sequence of event feature sets corresponding to a sequence of events, wherein the event feature sets are derived from raw event machine data recorded in a computer network;
- measure an anomaly count within a target event window by processing the sequence of event feature sets through the event sequence prediction model to determine a rarity score for the target event window;
- identify the target event window as containing a suspicious series of events based on the rarity score for the target event window;
- compare a similarity of the target event window to past rare windows based on a combination of different similarity metrics; and
- generate a computer security threat indicator or a computer security anomaly indicator based on the identification of the suspicious series of events.
Specification