Network security threat detection using shared variable behavior baseline

US 10,135,848 B2
Filed: 01/23/2017
Issued: 11/20/2018
Est. Priority Date: 08/31/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at a computer system, first event data indicative of computer network activity of an entity that is part of or has interacted with a computer network, the computer system including a real-time event processing engine and a batch event processing engine;

constructing a variable behavior baseline of the entity by using one of the real-time event processing engine or the batch event processing engine in the computer system, based on the first event data, the variable behavior baseline being representative of computer network activity of a particular type by the entity;

sharing the variable behavior baseline between the real-time event processing engine and the batch event processing engine;

receiving, at the computer system, second event data indicative of additional computer network activity associated with the entity;

comparing the second event data to the shared variable behavior baseline of the entity, by the one of the real-time event processing engine and the batch event processing engine that was not used to construct the variable behavior baseline of the entity; and

detecting at least one of a network security threat or a network security anomaly, when said comparing results in a determination that the second event data has a specified relationship to the shared variable behavior baseline of the entity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security platform employs a variety techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.

46 Citations

View as Search Results

25 Claims

1. A method comprising:
- receiving, at a computer system, first event data indicative of computer network activity of an entity that is part of or has interacted with a computer network, the computer system including a real-time event processing engine and a batch event processing engine;
  
  constructing a variable behavior baseline of the entity by using one of the real-time event processing engine or the batch event processing engine in the computer system, based on the first event data, the variable behavior baseline being representative of computer network activity of a particular type by the entity;
  
  sharing the variable behavior baseline between the real-time event processing engine and the batch event processing engine;
  
  receiving, at the computer system, second event data indicative of additional computer network activity associated with the entity;
  
  comparing the second event data to the shared variable behavior baseline of the entity, by the one of the real-time event processing engine and the batch event processing engine that was not used to construct the variable behavior baseline of the entity; and
  
  detecting at least one of a network security threat or a network security anomaly, when said comparing results in a determination that the second event data has a specified relationship to the shared variable behavior baseline of the entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. A method as recited in claim 1, wherein the first event data comprise machine data.
  - 3. A method as recited in claim 1, wherein the first event data comprise timestamped machine data.
  - 4. A method as recited in claim 1, wherein the first event data comprise data indicative of performance or operation of an element of an information technology environment.
  - 5. A method as recited in claim 1, wherein the entity is a device on the computer network.
  - 6. A method as recited in claim 1, wherein the entity is a user of a device on the computer network.
  - 7. A method as recited in claim 1, wherein constructing the first behavior baseline of the entity comprises using a machine learning process to construct the first behavior baseline of the entity.
  - 8. A method as recited in claim 1, further comprising:
    - adjusting, by a first automated process, the variable behavior baseline of the entity based on the first event data.
  - 9. A method as recited in claim 1, further comprising:
    - adjusting the variable behavior baseline of the entity based on a machine learning model.
  - 10. A method as recited in claim 1, wherein the first event data comprises event data representing a plurality of events on the computer network over a period of time, each of the events being associated with network activity of the entity, and wherein constructing the variable behavioral baseline of the entity comprises constructing the variable behavioral baseline of the entity based on the first event data event data representing the plurality of events.
  - 11. A method as recited in claim 1, further comprising:
    - generating anomaly data indicative that the additional computer network activity associated with the entity represents a network security anomaly;
      
      detecting, by a threat decision engine, that the additional computer network activity associated with the entity represents a network security threat, based on the anomaly data; and
      
      outputting, to a user, an indication that the additional computer network activity associated with the entity represents a network security threat.
  - 12. A method as recited in claim 1, wherein said constructing the variable behavior baseline is performed in real time as the first event data are received.
  - 13. A method as recited in claim 1, the first event data being stored in a persistent storage facility, wherein said constructing the variable behavior baseline is performed in a batch processing mode based on the stored first event data.
  - 14. A method as recited in claim 1,said comparing comprises comparing, in real-time by the real-time event processing engine, the second event data to the shared variable behavior baseline of the entity;
    - andsaid detecting comprises determining, in real-time by the real-time event processing engine, that the additional computer network activity associated with the entity represents a network security anomaly or a network security threat, when said comparing results in a determination that the second event data has a specified relationship to the shared variable behavior baseline of the entity.
  - 15. A method as recited in claim 1, further comprising:
    - storing the second event data in a persistent storage facility;
      
      wherein said comparing comprises comparing, by the batch event processing engine, the stored second event data to the shared variable behavior baseline of the entity; and
      
      wherein said determining comprises determining, by the batch event processing engine, that the additional computer network activity associated with the entity represents a network security anomaly or a network security threat, when said comparing results in a determination that the second event data has a specified relationship to the shared variable behavior baseline of the entity.
  - 16. A method as recited in claim 1, wherein said constructing the variable behavior baseline is performed in a batch mode by the batch event processing engine,said comparing comprises comparing, in real-time by the real-time event processing engine, the second event data to the shared variable behavior baseline of the entity;
    - andsaid determining comprises determining, in real-time by the real-time event processing engine, that the additional computer network activity associated with the entity represents a network security anomaly or a network security threat, when said comparing results in a determination that the second event data has a specified relationship to the shared variable behavior baseline of the entity.
  - 17. A method as recited in claim 1, wherein said constructing the variable behavior baseline is performed in a real-time mode by the real-time event processing engine;
    - wherein said comparing comprises comparing, in a batch mode by the batch event processing engine, the second event data to the shared variable behavior baseline of the entity; and
      
      wherein said determining comprises determining, in a batch mode by the batch event processing engine, that the additional computer network activity associated with the entity represents a network security anomaly or a network security threat, when said comparing results in a determination that the second event data has a specified relationship to the shared variable behavior baseline of the entity.
  - 18. A method as recited in claim 1, wherein the variable behavioral baseline is a first variable behavioral baseline of the entity, further comprising:
    - constructing a second variable behavior baseline of the entity, based on the second event data, the second variable behavior baseline being representative of the computer network activity of the entity;
      
      receiving, at the computer system, third event data resulting from additional computer network activity associated with the entity;
      
      comparing, by the computer system, the third event data to the first variable behavior baseline and the second variable behavior baseline; and
      
      determining, by an automated process in the computer system, that the additional computer network activity associated with the entity represents a network security anomaly or a network security threat, in response to a determination that the third event data has a specified relationship to at least one of the first variable behavior baseline or the second variable behavior baseline.
  - 19. A method as recited in claim 1, wherein:
    - the first event data and the second event data comprise time stamped data indicative of performance or operation of an element of an information technology environment.
  - 20. A method as recited in claim 1, wherein the batch event processing engine is an implementation of Apache Spark.
  - 21. A method as recited in claim 1, wherein the real-time event processing engine is an implementation of Apache Storm.
  - 22. A method as recited in claim 1, wherein the real-time event processing engine is an implementation of Apache Spark Streaming.
  - 23. A method as recited in claim 1, wherein the batch event processing engine is an implementation of Apache Spark, and the real-time event processing engine is an implementation of Apache Storm or Apache Spark Streaming.

24. A computer system comprising:
- a processor; and
  
  a communication device, operatively coupled to the processor, through which to receive first event data indicative of computer network activity of an entity that is part of or interacts with a computer network;
  
  a real-time event processing engine;
  
  a batch event processing engine;
  
  wherein the processor is configured toconstruct a variable behavior baseline of the entity by using one of the real-time event processing engine or the batch event processing engine in the computer system, based on the first event data, the variable behavior baseline being representative of computer network activity of a particular type by the entity;
  
  share the variable behavior baseline between the real-time event processing engine and the batch event processing engine;
  
  receive second event data indicative of additional computer network activity associated with the entity;
  
  compare the second event data to the shared variable behavior baseline of the entity, by the one of the real-time event processing engine and the batch event processing engine that was not used to construct the variable behavior baseline of the entity; and
  
  detect at least one of a network security threat or a network security anomaly, when comparison of the second event data to the shared variable behavior baseline of the entity results in a determination that the second event data has a specified relationship to the shared variable behavior baseline of the entity.

25. A non-transitory machine-readable storage medium for use in a processing system, the non-transitory machine-readable storage medium storing instructions, an execution of which in the processing system causes the processing system to perform operations comprising:
- receiving first event data indicative of computer network activity of an entity that is part of or has interacted with a computer network, the computer system including a real-time event processing engine and a batch event processing engine;
  
  constructing a variable behavior baseline of the entity by using one of the real-time event processing engine or the batch event processing engine in the computer system, based on the first event data, the variable behavior baseline being representative of computer network activity of a particular type by the entity;
  
  sharing the variable behavior baseline between the real-time event processing engine and the batch event processing engine;
  
  receiving, at the processing system, second event data indicative of additional computer network activity associated with the entity;
  
  comparing the second event data to the shared variable behavior baseline of the entity, by the one of the real-time event processing engine and the batch event processing engine that was not used to construct the variable behavior baseline of the entity; and
  
  detecting at least one of a network security threat or a network security anomaly, when said comparing results in a determination that the second event data has a specified relationship to the shared variable behavior baseline of the entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Muddu, Sudhakar, Tryfonas, Christos
Primary Examiner(s)
Shiferaw, Eleni A
Assistant Examiner(s)
Holmes, Angela R

Application Number

US15/413,336
Publication Number

US 20170134415A1
Time in Patent Office

666 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 16/24578   using ranking

G06F 16/254   Extract, transform and load...

G06F 16/285   Clustering or classification

G06F 16/444   Spatial browsing, e.g. 2D m...

G06F 16/9024   Graphs; Linked lists G06F16...

G06F 3/0482   Interaction with lists of s...

G06F 3/0484   for the control of specific...

G06F 3/04842   Selection of displayed obje...

G06F 3/04847   Interaction techniques to c...

G06F 40/134   Hyperlinking

G06N 20/00   Machine learning

G06N 20/20   Ensemble learning

G06N 5/022   Knowledge engineering; Know...

G06N 5/04   Inference or reasoning models

G06N 7/01   Probabilistic graphical mod...

G06V 10/225   based on a marking or ident...

H04L 2463/121   Timestamp cryptographic mec...

H04L 41/0893   Assignment of logical group...

H04L 41/145   involving simulating, desig...

H04L 41/22   comprising specially adapte...

H04L 43/00 : Arrangements for monitoring...

H04L 43/045 : for graphical visualisation...

H04L 43/062 : related to network traffic

H04L 43/08 : Monitoring or testing based...

H04L 63/06 : for supporting key manageme...

H04L 63/1408 : by monitoring network traff...

H04L 63/1416 : Event detection, e.g. attac...

H04L 63/1425 : Traffic logging, e.g. anoma...

H04L 63/1433 : Vulnerability analysis

H04L 63/1441 : Countermeasures against mal...

H04L 63/20 : for managing network securi...

H05K 999/99 : dummy group

View All

Network security threat detection using shared variable behavior baseline

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

46 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Network security threat detection using shared variable behavior baseline

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

46 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links