Network security threat detection using shared variable behavior baseline
Abstract
A security platform employs a variety of techniques and mechanisms to detect security-related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security-related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
46 Citations
25 Claims
1. A method comprising:
receiving, at a computer system, first event data indicative of computer network activity of an entity that is part of or has interacted with a computer network, the computer system including a real-time event processing engine and a batch event processing engine;
constructing a variable behavior baseline of the entity by using one of the real-time event processing engine or the batch event processing engine in the computer system, based on the first event data, the variable behavior baseline being representative of computer network activity of a particular type by the entity;
sharing the variable behavior baseline between the real-time event processing engine and the batch event processing engine;
receiving, at the computer system, second event data indicative of additional computer network activity associated with the entity;
comparing the second event data to the shared variable behavior baseline of the entity, by the one of the real-time event processing engine and the batch event processing engine that was not used to construct the variable behavior baseline of the entity; and
detecting at least one of a network security threat or a network security anomaly, when said comparing results in a determination that the second event data has a specified relationship to the shared variable behavior baseline of the entity.
(Dependent claims 2 to 23 not shown.)

24. A computer system comprising:
a processor; and
a communication device, operatively coupled to the processor, through which to receive first event data indicative of computer network activity of an entity that is part of or interacts with a computer network;
a real-time event processing engine;
a batch event processing engine;
wherein the processor is configured to construct a variable behavior baseline of the entity by using one of the real-time event processing engine or the batch event processing engine in the computer system, based on the first event data, the variable behavior baseline being representative of computer network activity of a particular type by the entity; share the variable behavior baseline between the real-time event processing engine and the batch event processing engine; receive second event data indicative of additional computer network activity associated with the entity; compare the second event data to the shared variable behavior baseline of the entity, by the one of the real-time event processing engine and the batch event processing engine that was not used to construct the variable behavior baseline of the entity; and detect at least one of a network security threat or a network security anomaly, when comparison of the second event data to the shared variable behavior baseline of the entity results in a determination that the second event data has a specified relationship to the shared variable behavior baseline of the entity.

25. A non-transitory machine-readable storage medium for use in a processing system, the non-transitory machine-readable storage medium storing instructions, an execution of which in the processing system causes the processing system to perform operations comprising:
receiving first event data indicative of computer network activity of an entity that is part of or has interacted with a computer network, the computer system including a real-time event processing engine and a batch event processing engine;
constructing a variable behavior baseline of the entity by using one of the real-time event processing engine or the batch event processing engine in the computer system, based on the first event data, the variable behavior baseline being representative of computer network activity of a particular type by the entity;
sharing the variable behavior baseline between the real-time event processing engine and the batch event processing engine;
receiving, at the processing system, second event data indicative of additional computer network activity associated with the entity;
comparing the second event data to the shared variable behavior baseline of the entity, by the one of the real-time event processing engine and the batch event processing engine that was not used to construct the variable behavior baseline of the entity; and
detecting at least one of a network security threat or a network security anomaly, when said comparing results in a determination that the second event data has a specified relationship to the shared variable behavior baseline of the entity.
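The two-engine arrangement the abstract and claims describe, as an added worked example that is not part of the patent or of any product it covers: a batch engine builds a per-entity, per-activity-type baseline from historical (first) event data, publishes it to a store both engines can read, and a real-time engine compares each new (second) event against that shared baseline. The baseline representation (mean and population standard deviation), the "specified relationship" (absolute z-score above a threshold), the minimum-sample rule, the event field names and all event values are assumptions made for this example; the patent does not specify them.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

# Event schema (entity, type, value) and all event data below are constructed
# for this example; they are assumptions, not the patent's own format.


@dataclass(frozen=True)
class Baseline:
    """Variable behavior baseline for one (entity, activity type) pair."""
    entity: str
    activity_type: str
    mean: float
    stdev: float
    samples: int


class SharedBaselineStore:
    """Baseline store visible to both engines (in-memory stand-in for a shared database)."""

    def __init__(self) -> None:
        self._store: Dict[Tuple[str, str], Baseline] = {}

    def put(self, baseline: Baseline) -> None:
        self._store[(baseline.entity, baseline.activity_type)] = baseline

    def get(self, entity: str, activity_type: str) -> Optional[Baseline]:
        return self._store.get((entity, activity_type))

    def __len__(self) -> int:
        return len(self._store)


class BatchEngine:
    """Builds baselines from historical (first) event data and publishes them to the shared store."""

    def __init__(self, store: SharedBaselineStore) -> None:
        self.store = store

    def build_baselines(self, events: List[dict]) -> int:
        """Group events by (entity, type), summarise each group, return the number of baselines built."""
        buckets: Dict[Tuple[str, str], List[float]] = {}
        for ev in events:
            buckets.setdefault((ev["entity"], ev["type"]), []).append(float(ev["value"]))
        for (entity, atype), values in buckets.items():
            self.store.put(Baseline(entity, atype, mean(values), pstdev(values), len(values)))
        return len(buckets)


class RealTimeEngine:
    """Scores each incoming (second) event against the baseline the batch engine built."""

    def __init__(self, store: SharedBaselineStore, z_threshold: float = 3.0, min_samples: int = 5) -> None:
        self.store = store
        self.z_threshold = z_threshold  # assumed "specified relationship": |z| above this value
        self.min_samples = min_samples  # refuse to judge against a baseline built from too little history

    def score(self, ev: dict) -> dict:
        base = self.store.get(ev["entity"], ev["type"])
        if base is None:
            return {"entity": ev["entity"], "verdict": "no_baseline", "z": None}
        if base.samples < self.min_samples:
            return {"entity": ev["entity"], "verdict": "insufficient_baseline", "z": None}
        # A constant history has zero spread; fall back to a unit spread instead of dividing by zero.
        spread = base.stdev if base.stdev > 0 else 1.0
        z = (float(ev["value"]) - base.mean) / spread
        verdict = "anomaly" if abs(z) > self.z_threshold else "normal"
        return {"entity": ev["entity"], "verdict": verdict, "z": round(z, 2)}


# Constructed historical events (daily outbound megabytes per user) for the batch engine.
HISTORY = (
    [{"entity": "alice", "type": "bytes_out_mb", "value": v} for v in (10, 12, 11, 9, 13, 10, 12)]
    + [{"entity": "carol", "type": "bytes_out_mb", "value": 5} for _ in range(5)]
    + [{"entity": "bob", "type": "bytes_out_mb", "value": v} for v in (3, 4)]
)

# Constructed live events for the real-time engine: a normal day, a large spike,
# a deviation from a constant history, an entity with too little history, and an unknown entity.
LIVE = [
    {"entity": "alice", "type": "bytes_out_mb", "value": 12},
    {"entity": "alice", "type": "bytes_out_mb", "value": 40},
    {"entity": "carol", "type": "bytes_out_mb", "value": 9},
    {"entity": "bob", "type": "bytes_out_mb", "value": 50},
    {"entity": "dave", "type": "bytes_out_mb", "value": 1},
]


def run_pipeline() -> List[dict]:
    """Batch engine builds and shares the baselines; real-time engine scores the live events."""
    store = SharedBaselineStore()
    BatchEngine(store).build_baselines(HISTORY)
    realtime = RealTimeEngine(store)
    return [realtime.score(ev) for ev in LIVE]


if __name__ == "__main__":
    for result in run_pipeline():
        print(result)
```

The engines are interchangeable in the claim's sense: swapping which one builds the baseline only changes which class calls `put` and which calls `get`, while the store remains the shared object. The `min_samples` and zero-spread branches are the two checks a practitioner would add before trusting a verdict; without them a single day of history would make every second day an "anomaly", and a constant history would crash the scorer.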
Specification