Modular model workflow in a distributed computation system

US 10,110,617 B2
Filed: 10/30/2015
Issued: 10/23/2018
Est. Priority Date: 08/31/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

extracting, from a model registry, a model type definition that includes a reference to model execution code and a processing mode specifier of a processing mode for a model deliberation workflow or a model training workflow, the processing mode specifier specifying at least one of a real-time processing mode or a batch processing mode;

implementing a model execution engine in a distributed computation system to execute processes that use machine learning to detect computer security related anomalies or threats in a computer network, wherein different models are assigned to different instances of the model execution engine based on information in the model registry;

utilizing the model execution engine to assign the model training workflow or the model deliberation workflow to the distributed computation system based on the processing mode specifier; and

scheduling, according to the model training workflow or the model deliberation workflow, a model processing thread, that corresponds to a portion of the model execution code and that is either a model training thread or a model deliberation thread, to a computing node for parallel processing in the distributed computation system.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security platform employs a variety techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.

Citations

30 Claims

1. A computer-implemented method comprising:
- extracting, from a model registry, a model type definition that includes a reference to model execution code and a processing mode specifier of a processing mode for a model deliberation workflow or a model training workflow, the processing mode specifier specifying at least one of a real-time processing mode or a batch processing mode;
  
  implementing a model execution engine in a distributed computation system to execute processes that use machine learning to detect computer security related anomalies or threats in a computer network, wherein different models are assigned to different instances of the model execution engine based on information in the model registry;
  
  utilizing the model execution engine to assign the model training workflow or the model deliberation workflow to the distributed computation system based on the processing mode specifier; and
  
  scheduling, according to the model training workflow or the model deliberation workflow, a model processing thread, that corresponds to a portion of the model execution code and that is either a model training thread or a model deliberation thread, to a computing node for parallel processing in the distributed computation system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 2. The method of claim 1, further comprising storing the model type definition in the model registry implemented in a cache cluster or a distributed file system.
  - 3. The method of claim 1, further comprising storing the model type definition in the model registry implemented in Redis or Hadoop Filesystem.
  - 4. The method of claim 1, wherein the model training workflow or the model deliberation workflow is assigned to the distributed computation system when the processing mode specifier specifies the real-time processing mode and the distributed computation system has real-time task-parallel processing capability.
  - 5. The method of claim 1, wherein the model training workflow or the model deliberation workflow is assigned to the distributed computation system when the processing mode specifier specifies the batch processing mode and the distributed computation system has batch data-parallel processing capability.
  - 6. The method of claim 1, wherein the processing mode specifier specifies whether to process inputs in real-time or in batch mode when executing the model processing thread.
  - 7. The method of claim 1, wherein the processing mode specifier is for the model training workflow and the model type definition specifies another processing mode specifier for the model deliberation workflow.
  - 8. The method of claim 1, wherein the distributed computation system includes a distributed resource manager.
  - 9. The method of claim 1, wherein the distributed computation system includes a distributed messaging system.
  - 10. The method of claim 1, wherein the distributed computation system includes a task-parallel, real-time, distributed computation engine capable of running a data processing thread that reliably processes an unbounded data stream.
  - 11. The method of claim 1, wherein the distributed computation system includes Apache Storm.
  - 12. The method of claim 1, wherein the distributed computation system includes a data parallel, cluster-based, distributed computation engine.
  - 13. The method of claim 1, wherein the distributed computation system includes Apache Spark.
  - 14. The method of claim 1, wherein said assigning includes assigning the model deliberation workflow to the distributed computation system;
    - and further comprising instantiating a model deliberation thread by configuring model deliberation processing logic defined by the model execution code with a model state from a model store.
  - 15. The method of claim 1, wherein said assigning includes assigning the model training workflow to the distributed computation system;
    - and further comprising instantiating the model training thread according to model training processing logic defined by the model execution code.
  - 16. The method of claim 1, wherein the model type definition specifies an event view subscription configured to filter for a specific type of data events;
    - and further comprising inputting an event feature set corresponding to the specific type of data events to the model processing thread.
  - 17. The method of claim 1, wherein the model type definition specifies a model type topology;
    - and further comprising determining, based on the model type topology, how many model processing threads of the model type definition to instantiate during either the model training workflow or the model deliberation workflow.
  - 18. The method of claim 1, wherein the model type definition specifies a model type topology;
    - and further comprising;
      
      identifying entities falling within the model type topology; and
      
      instantiating model processing threads corresponding respectively to the entities.
  - 19. The method of claim 1, wherein the model type definition specifies a model type topology;
    - and further comprising;
      
      identifying entities falling within the model type topology by querying a machine data recording device in the computer network; and
      
      instantiating model processing threads that respectively correspond to the entities.
  - 20. The method of claim 1, wherein the model type definition specifies a model type topology;
    - and further comprising partitioning, according to the model type topology, event feature sets to feed into model processing threads running on different processing nodes of the distributed computation system.
  - 21. The method of claim 1, further comprising executing the model training thread in the distributed computation system;
    - wherein said executing the model training thread includes;
      
      processing event feature sets to compute a model state of the model type definition; and
      
      storing the model state in a model store.
  - 22. The method of claim 1, further comprising training a plurality of models of the model type definition based on event feature sets, each of the plurality of models corresponding to a different entity.
  - 23. The method of claim 1, further comprising training an entity-specific model or a purpose-specific model of the model type definition;
    - and storing multiple versions of the entity-specific model or the purpose-specific model at different stages of said training.
  - 24. The method of claim 1, wherein the model type definition includes a model type topology and an event view subscription;
    - and further comprising;
      
      identifying event feature sets to feed into a plurality of model processing threads for the model training workflow or the model deliberation workflow according to the events view subscription; and
      
      partitioning the event feature sets and the model processing threads into groups, wherein each group corresponds to a worker node in the distributed computation system.
  - 25. The method of claim 1, wherein the model type definition includes a model type topology;
    - and further comprising;
      
      performing a consistent hash on event feature sets selected based on the model type definition; and
      
      partitioning, based on the consistent hash, the event feature sets such that a worker node in the distributed computation system running the model processing thread receives only a subset of the event feature sets.
  - 26. The method of claim 1, wherein the model type definition includes a model type topology;
    - and further comprising;
      
      determining a number of entities corresponding to the model type topology; and
      
      partitioning event feature sets selected based on the model type definition such that each worker node in the distributed computation executing at least a model processing thread of the model training workflow or the model deliberation workflow receives only a subset of the event feature sets, wherein said partitioning includes determining a number of partitions based on the number of entities and a number of available workers in the distributed computation system.
  - 27. The method of claim 1, wherein the distributed computation system includes a plurality of computing machines, each of the computing machines implementing at least a worker node capable of running at least a model processing thread;
    - and wherein said assigning includes assigning either a plurality of entity-specific model training threads of the model training workflow or a plurality of entity-specific model deliberation threads of the model deliberation workflow to each worker node.
  - 28. The method of claim 1, wherein the model type definition includes a model type topology;
    - wherein the distributed computation system includes a plurality of computing machines, each of the computing machines implementing at least a worker node capable of running at least a model processing thread; and
      
      wherein each worker node receives from a single partition of event feature sets according to the model type topology, the event feature sets identified based on an event view subscription of the model type definition.

29. A system comprising:
- a distributed computation system;
  
  a model registry configured to store a model type definition including a reference to model execution code and a processing mode specifier for a processing mode of a model deliberation workflow or a model training workflow, the processing mode specifier specifying at least one of a real-time processing mode or a batch processing mode; and
  
  a model execution engine implemented on the distributed computation system to execute processes that use machine learning to detect computer security related anomalies or threats in a computer network, wherein different models are assigned to different instances of the model execution engine based on information in the model registry;
  
  wherein the model execution engine is configured to;
  
  assign the model training workflow or the model deliberation workflow to the distributed computation system based on the processing mode specifier; and
  
  schedule, according to the model training workflow or the model deliberation workflow, a model processing thread, that corresponds to a portion of the model execution code and that is either a model training thread or a model deliberation thread, to a computing node for parallel processing in the distributed computation system.

30. A non-transitory computer readable medium storing instructions there on which, when executed by a processor, cause the processor to:
- define a model type definition including a reference to model execution code and a processing mode specifier of a processing mode for a model deliberation workflow or a model training workflow, the processing mode specifier specifying at least one of a real-time processing mode or a batch processing mode;
  
  implement a model execution engine on a distributed computation system to execute processes that use machine learning to detect computer security related anomalies or threats in a computer network, wherein different models are assigned to different instances of the model execution engine based on information in the model registry;
  
  utilize the model execution engine to assign the model training workflow or the model deliberation workflow to the distributed computation system based on the processing mode specifier; and
  
  schedule, according to the model training workflow or the model deliberation workflow, a model processing thread, that corresponds to a portion of the model execution code and that is either a model training thread or a model deliberation thread, to a computing node for parallel processing in the distributed computation system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc. (Cisco Systems, Inc.)
Original Assignee
Splunk Inc. (Cisco Systems, Inc.)
Inventors
Muddu, Sudhakar, Tryfonas, Christos, Kavacheri, Sathyanarayanan
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Murphy, J. Brant

Application Number

US14/929,035
Publication Number

US 20170063886A1
Time in Patent Office

1,089 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/24578   using ranking

G06F 16/254   Extract, transform and load...

G06F 16/285   Clustering or classification

G06F 16/444   Spatial browsing, e.g. 2D m...

G06F 16/9024   Graphs; Linked lists G06F16...

G06F 3/0482   Interaction with lists of s...

G06F 3/0484   for the control of specific...

G06F 3/04842   Selection of displayed obje...

G06F 3/04847   Interaction techniques to c...

G06F 40/134   Hyperlinking

G06N 20/00   Machine learning

G06N 20/20   Ensemble learning

G06N 5/022   Knowledge engineering; Know...

G06N 5/04   Inference or reasoning models

G06N 7/01   Probabilistic graphical mod...

G06V 10/225   based on a marking or ident...

H04L 2463/121   Timestamp

H04L 41/0893   Assignment of logical group...

H04L 41/145   involving simulating, desig...

H04L 41/22   comprising specially adapte...

H04L 43/00 : Arrangements for monitoring...

H04L 43/045 : for graphical visualisation...

H04L 43/062 : related to network traffic

H04L 43/08 : Monitoring or testing based...

H04L 63/06 : for supporting key manageme...

H04L 63/1408 : by monitoring network traff...

H04L 63/1416 : Event detection, e.g. attac...

H04L 63/1425 : Traffic logging, e.g. anoma...

H04L 63/1433 : Vulnerability analysis

H04L 63/1441 : Countermeasures against mal...

H04L 63/20 : for managing network securi...

View All

Modular model workflow in a distributed computation system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Modular model workflow in a distributed computation system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links