Modular model workflow in a distributed computation system
Abstract
A security platform employs a variety of techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
30 Claims
1. A computer-implemented method comprising:
- extracting, from a model registry, a model type definition that includes a reference to model execution code and a processing mode specifier of a processing mode for a model deliberation workflow or a model training workflow, the processing mode specifier specifying at least one of a real-time processing mode or a batch processing mode;
- implementing a model execution engine in a distributed computation system to execute processes that use machine learning to detect computer security related anomalies or threats in a computer network, wherein different models are assigned to different instances of the model execution engine based on information in the model registry;
- utilizing the model execution engine to assign the model training workflow or the model deliberation workflow to the distributed computation system based on the processing mode specifier; and
- scheduling, according to the model training workflow or the model deliberation workflow, a model processing thread, that corresponds to a portion of the model execution code and that is either a model training thread or a model deliberation thread, to a computing node for parallel processing in the distributed computation system.

Dependent claims: 2-28.
29. A system comprising:
- a distributed computation system;
- a model registry configured to store a model type definition including a reference to model execution code and a processing mode specifier for a processing mode of a model deliberation workflow or a model training workflow, the processing mode specifier specifying at least one of a real-time processing mode or a batch processing mode; and
- a model execution engine implemented on the distributed computation system to execute processes that use machine learning to detect computer security related anomalies or threats in a computer network, wherein different models are assigned to different instances of the model execution engine based on information in the model registry;
- wherein the model execution engine is configured to:
  - assign the model training workflow or the model deliberation workflow to the distributed computation system based on the processing mode specifier; and
  - schedule, according to the model training workflow or the model deliberation workflow, a model processing thread, that corresponds to a portion of the model execution code and that is either a model training thread or a model deliberation thread, to a computing node for parallel processing in the distributed computation system.
30. A non-transitory computer readable medium storing instructions thereon which, when executed by a processor, cause the processor to:
- define a model type definition including a reference to model execution code and a processing mode specifier of a processing mode for a model deliberation workflow or a model training workflow, the processing mode specifier specifying at least one of a real-time processing mode or a batch processing mode;
- implement a model execution engine on a distributed computation system to execute processes that use machine learning to detect computer security related anomalies or threats in a computer network, wherein different models are assigned to different instances of the model execution engine based on information in the model registry;
- utilize the model execution engine to assign the model training workflow or the model deliberation workflow to the distributed computation system based on the processing mode specifier; and
- schedule, according to the model training workflow or the model deliberation workflow, a model processing thread, that corresponds to a portion of the model execution code and that is either a model training thread or a model deliberation thread, to a computing node for parallel processing in the distributed computation system.
Specification