Probabilistic suffix trees for network security analysis

US 10,063,570 B2
Filed: 10/30/2015
Issued: 08/28/2018
Est. Priority Date: 08/31/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

training an event sequence prediction model based on a number of past sequence of event feature sets such that the event sequence prediction model, when deployed and given a historical event feature set sequence, is to generate a probability of encountering a particular event as the next event;

establishing, for the particular entity, an entity-specific baseline distribution of anomaly counts based on using the event sequence prediction model to calculate rarity scores for a number of baseline profiling windows of events;

receiving a sequence of event feature sets corresponding to a sequence of events, wherein the event feature sets are derived from raw event machine data recorded in a computer network;

measuring an anomaly count within a target event window by processing the sequence of event feature sets through an event sequence prediction model to determine a rarity score for the target event window;

identifying the target event window as containing a suspicious series of events based on the rarity score for the target event window;

comparing a similarity of the target event window to past rare windows based on a combination of different similarity metrics; and

generating a computer security threat indicator or a computer security anomaly indicator based on the identification of the suspicious series of events.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security platform employs a variety techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.

61 Citations

View as Search Results

33 Claims

1. A method comprising:
- training an event sequence prediction model based on a number of past sequence of event feature sets such that the event sequence prediction model, when deployed and given a historical event feature set sequence, is to generate a probability of encountering a particular event as the next event;
  
  establishing, for the particular entity, an entity-specific baseline distribution of anomaly counts based on using the event sequence prediction model to calculate rarity scores for a number of baseline profiling windows of events;
  
  receiving a sequence of event feature sets corresponding to a sequence of events, wherein the event feature sets are derived from raw event machine data recorded in a computer network;
  
  measuring an anomaly count within a target event window by processing the sequence of event feature sets through an event sequence prediction model to determine a rarity score for the target event window;
  
  identifying the target event window as containing a suspicious series of events based on the rarity score for the target event window;
  
  comparing a similarity of the target event window to past rare windows based on a combination of different similarity metrics; and
  
  generating a computer security threat indicator or a computer security anomaly indicator based on the identification of the suspicious series of events.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 2. The method of claim 1, wherein the event sequence prediction model is a probabilistic suffix tree (PST) model.
  - 3. The method of claim 1, wherein the event sequence prediction model is associated with an entity involved in the events.
  - 4. The method of claim 1, wherein the event sequence prediction model is associated with an entity involved in the events;
    - and wherein the entity is a user, a device, a system, a network resource locator, an application, a process thread, or any combination thereof.
  - 5. The method of claim 1, wherein the target event window is a moving event window of a constant number of most recent, consecutive event feature sets in the sequence of event feature sets.
  - 6. The method of claim 1, wherein a rarity score among the rarity scores for the baseline profiling windows is calculated based on (a) a number of predictions that are below a threshold inside the baseline profiling window;
    - and (b) a length of the baseline profiling window.
  - 7. The method of claim 1, further comprising receiving in real-time the sequence of event feature sets as a streaming feed without a known end-point.
  - 8. The method of claim 1, wherein identifying the target event window as containing a suspicious series of events includes:
    - scoring an event feature set based on the event sequence prediction model to determine whether an event corresponding to the event feature is an anomaly event; and
      
      updating the anomaly count based on whether the event is an anomaly event.
  - 9. The method of claim 1, further comprising determining when the event sequence prediction model has sufficient training to be deployed, prior to said processing the sequence of event feature sets.
  - 10. The method of claim 1, further comprising determining when the event sequence prediction model has sufficient training to be deployed;
    - wherein said determining when the event sequence prediction model has sufficient training includes measuring how many events have been used to train the event sequence prediction model.
  - 11. The method of claim 1, further comprising determining when the event sequence prediction model has sufficient training to be deployed;
    - wherein said determining when the event sequence prediction model has sufficient training includes measuring how long the event sequence prediction model has been in training.
  - 12. The method of claim 1, further comprising determining when the event sequence prediction model has sufficient training to be deployed;
    - wherein said determining when the event sequence prediction model has sufficient training includes determining whether numeric values in a model state representative of the event sequence prediction model are converging.
  - 13. The method of claim 1, further comprising determining when the event sequence prediction model has sufficient training to be deployed;
    - wherein said determining when the event sequence prediction model has sufficient training includes determining whether recent versions of the event sequence prediction model produce scores that deviate within a given threshold from each other when applied with same inputs.
  - 14. The method of claim 1, wherein identifying the target event window as containing a suspicious series of events includes maintaining the anomaly count within a moving event window by incrementing the anomaly count whenever a most-recent event feature set as applied to the event sequence prediction model produces a score that is beyond a preset threshold;
    - the method further comprising designating a most-recent event corresponding to the most-recent event feature set as an anomalous event when the score is beyond the preset threshold.
  - 15. The method of claim 1, wherein identifying the target event window as containing a suspicious series of events includes maintaining the anomaly count within a moving event window by decrementing the anomaly count whenever an anomalous event designated by the event sequence prediction model falls outside of the moving event window.
  - 16. The method of claim 1, wherein said combination of different similarity metrics includes a cosine similarity and a Jaccard similarity.
  - 17. The method of claim 1, further comprising expanding the suspicious series of events by adding an additional event corresponding to an additional feature set into the suspicious series, in response to identifying the target event window as containing the suspicious series.
  - 18. The method of claim 1, further comprising expanding the suspicious series of events;
    - and wherein expanding the suspicious series of events includes holding a starting event of the suspicious series of events while the suspicious series of events expands to include an additional event and its corresponding event feature set that is subsequently processed by the event sequence prediction model.
  - 19. The method of claim 1, further comprising:
    - expanding the suspicious series of events; and
      
      updating the anomaly count as the suspicious series of events expands; and
      
      stopping said expanding when the anomaly count stops increasing above a preset threshold.
  - 20. The method of claim 1, further comprising expanding the suspicious series of events until the suspicious series of events expands beyond a threshold percentage.
  - 21. The method of claim 1, further comprising creating an event window signature from event feature sets corresponding to the suspicious series of events.
  - 22. The method of claim 1, further comprising:
    - expanding the suspicious series of events; and
      
      creating an event window signature after the suspicious series of events stops expanding.
  - 23. The method of claim 1, further comprising creating an event window signature by building an array comprised of computed scores from the event sequence prediction model for each event feature set corresponding to each event in the suspicious series of events.
  - 24. The method of claim 1, further comprising:
    - creating an event window signature from event feature sets corresponding to the suspicious series of events;
      
      computing another event window signature from another event window; and
      
      determining whether the other event window is suspicious by comparing the other event window signature against the event window signature of the suspicious series of events.
  - 25. The method of claim 1, further comprising:
    - computing an event window signature of the target event window; and
      
      determining whether the target event window corresponds to a computer security-related threat based on whether the event window signature corresponds to an existing signature in an event window signature database.
  - 26. The method of claim 1, further comprising:
    - computing a current event window signature of a most-recent event window; and
      
      determining whether the most-recent event window corresponds to a real-time computer security threat based on whether the current event window signature corresponds to an existing signature in an event window signature database.
  - 27. The method of claim 1, further comprising:
    - computing an event window signature of the target event window; and
      
      determining whether the target event window corresponds to a computer security threat when the event window signature fails to match an existing signature in an event window signature database within a threshold difference.
  - 28. The method of claim 1, wherein the events include timestamped machine data events.
  - 29. The method of claim 1, wherein establishing an entity-specific baseline distribution of anomaly counts is further based on using the event sequence prediction model to generate a probability of encountering a window with a particular rarity score, given a history of previous rarity scores.
  - 30. The method of claim 1, further comprising:
    - storing target event windows that are identified as containing a suspicious series of events in a rare window database.
  - 31. The method of claim 1, wherein the rarity score for the target event window is calculated based on (a) a number of event feature sets within the target event window identified as corresponding to an anomalous event;
    - and (b) a length of the target event window.

32. A system comprising:
- a memory storing computer-executable instructions; and
  
  a data processor configured by the computer-executable instructions to;
  
  train an event sequence prediction model based on a number of past sequence of event feature sets such that the event sequence prediction model, when deployed and given a historical event feature set sequence, is to generate a probability of encountering a particular event as the next event;
  
  establish, for the particular entity, an entity-specific baseline distribution of anomaly counts based on using the event sequence prediction model to calculate rarity scores for a number of baseline profiling windows of events;
  
  receive a sequence of event feature sets corresponding to a sequence of events, wherein the event feature sets are derived from raw event machine data recorded in a computer network;
  
  measure an anomaly count within a target event window by processing the sequence of event feature sets through an event sequence prediction model to determine a rarity score for the target event window;
  
  identify the target event window as containing a suspicious series of events based on the rarity score for the target event window;
  
  compare a similarity of the target event window to past rare windows based on a combination of different similarity metrics; and
  
  generate a computer security threat indicator or a computer security anomaly indicator based on the identification of the suspicious series of events.

33. A non-transitory computer readable medium storing instructions that, when executed by a processor, cause the processor to:
- train an event sequence prediction model based on a number of past sequence of event feature sets such that the event sequence prediction model, when deployed and given a historical event feature set sequence, is to generate a probability of encountering a particular event as the next event;
  
  establish, for the particular entity, an entity-specific baseline distribution of anomaly counts based on using the event sequence prediction model to calculate rarity scores for a number of baseline profiling windows of events;
  
  receive a sequence of event feature sets corresponding to a sequence of events, wherein the event feature sets are derived from raw event machine data recorded in a computer network;
  
  measure an anomaly count within a target event window by processing the sequence of event feature sets through an event sequence prediction model to determine a rarity score for the target event window;
  
  identify the target event window as containing a suspicious series of based on the rarity score for the target event window;
  
  compare a similarity of the target event window to past rare windows based on a combination of different similarity metrics; and
  
  generate a computer security threat indicator or a computer security anomaly indicator based on the identification of the suspicious series of events.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Muddu, Sudhakar, Tryfonas, Christos, Iliofotou, Marios
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
GYORFI, THOMAS A

Application Number

US14/929,132
Publication Number

US 20170063887A1
Time in Patent Office

1,033 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/24578   using ranking

G06F 16/254   Extract, transform and load...

G06F 16/285   Clustering or classification

G06F 16/444   Spatial browsing, e.g. 2D m...

G06F 16/9024   Graphs; Linked lists G06F16...

G06F 3/0482   Interaction with lists of s...

G06F 3/0484   for the control of specific...

G06F 3/04842   Selection of displayed obje...

G06F 3/04847   Interaction techniques to c...

G06F 40/134   Hyperlinking

G06N 20/00   Machine learning

G06N 20/20   Ensemble learning

G06N 5/022   Knowledge engineering; Know...

G06N 5/04   Inference or reasoning models

G06N 7/01   Probabilistic graphical mod...

G06V 10/225   based on a marking or ident...

H04L 2463/121   Timestamp cryptographic mec...

H04L 41/0893   Assignment of logical group...

H04L 41/145   involving simulating, desig...

H04L 41/22   comprising specially adapte...

H04L 43/00 : Arrangements for monitoring...

H04L 43/045 : for graphical visualisation...

H04L 43/062 : related to network traffic

H04L 43/08 : Monitoring or testing based...

H04L 63/06 : for supporting key manageme...

H04L 63/1408 : by monitoring network traff...

H04L 63/1416 : Event detection, e.g. attac...

H04L 63/1425 : Traffic logging, e.g. anoma...

H04L 63/1433 : Vulnerability analysis

H04L 63/1441 : Countermeasures against mal...

H04L 63/20 : for managing network securi...

H05K 999/99 : dummy group

View All

Probabilistic suffix trees for network security analysis

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

61 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Probabilistic suffix trees for network security analysis

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links