Model training and deployment in complex event processing of computer network data
First Claim
1. A method comprising:
- computing in real-time a score by processing a stream of events through a first version of a machine learning model, wherein the stream of events corresponds to a time slice and includes time stamped machine data produced by a component within an information environment and reflects activity within the information technology environment, and wherein the machine learning model is configured to be trained by computer network activity characterized by the stream of events involving at least one entity;
- training, in parallel with said processing the stream of events, a second version of the machine learning model with the time slice that is being processed through the first version for scoring, wherein said training includes retraining a model state of the second version of the machine learning model when a group-specific stream of events provides additional event feature sets;
- invoking a model readiness logic to determine whether the second version of the machine learning model has sufficient training; and
- performing live-swapping in the second version of the machine learning model to replace the first version of the machine learning model as an active version to compute another score, said live-swapping being based on a determination of whether the second version of the machine learning model is ready for active deployment.
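The four claimed steps form one pipeline: a frozen active model scores each time slice while a shadow copy is trained on the same slice, a readiness check gates promotion, and the shadow is swapped in live. The following is an added illustration written for this page, not code from the patent or its assignee; the per-entity running mean/variance baseline, the |z|-score, and the readiness rule (enough newly trained events and enough distinct entities) are assumptions chosen to keep the example small.

```python
import copy
import math
import threading
from dataclasses import dataclass

@dataclass
class Event:
    ts: int         # time stamp
    entity: str     # user or host the event involves
    value: float    # one event feature, e.g. bytes transferred

class BaselineModel:
    """Per-entity running mean/variance (Welford); score is the |z| deviation (assumed model)."""
    def __init__(self):
        self.stats = {}          # entity -> [n, mean, m2]
        self.events_seen = 0
    def train(self, events):
        for e in events:
            n, mean, m2 = self.stats.get(e.entity, [0, 0.0, 0.0])
            n += 1
            delta = e.value - mean
            mean += delta / n
            m2 += delta * (e.value - mean)
            self.stats[e.entity] = [n, mean, m2]
            self.events_seen += 1
    def score(self, event):
        n, mean, m2 = self.stats.get(event.entity, [0, 0.0, 0.0])
        if n < 2:
            return 0.0           # no baseline yet: neutral score rather than a guess
        std = math.sqrt(m2 / (n - 1)) or 1e-9
        return abs(event.value - mean) / std

class ModelManager:
    """Frozen active version scores each time slice; a shadow copy trains on it."""
    def __init__(self, active, min_new_events=4, min_entities=2):
        self.active, self.shadow = active, copy.deepcopy(active)
        self.min_new_events, self.min_entities = min_new_events, min_entities
        self.swaps = 0
    def ready(self):
        # readiness logic (assumed): enough newly trained events and entity coverage
        new = self.shadow.events_seen - self.active.events_seen
        return new >= self.min_new_events and len(self.shadow.stats) >= self.min_entities
    def process_slice(self, events):
        trainer = threading.Thread(target=self.shadow.train, args=(events,))
        trainer.start()                                           # shadow trains...
        scores = {e.ts: self.active.score(e) for e in events}     # ...while active scores
        trainer.join()
        if self.ready():                                          # live swap: promote shadow
            self.active = self.shadow
            self.shadow = copy.deepcopy(self.active)              # next shadow keeps the state
            self.swaps += 1
        return scores
```

Because the active version is never mutated while it scores, a swap changes which model scores the next slice without interrupting the stream; the events that trained the shadow are the same ones the active version scored.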
Abstract
A security platform employs a variety of techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
30 Claims
1. A method comprising:
- computing in real-time a score by processing a stream of events through a first version of a machine learning model, wherein the stream of events corresponds to a time slice and includes time stamped machine data produced by a component within an information environment and reflects activity within the information technology environment, and wherein the machine learning model is configured to be trained by computer network activity characterized by the stream of events involving at least one entity;
- training, in parallel with said processing the stream of events, a second version of the machine learning model with the time slice that is being processed through the first version for scoring, wherein said training includes retraining a model state of the second version of the machine learning model when a group-specific stream of events provides additional event feature sets;
- invoking a model readiness logic to determine whether the second version of the machine learning model has sufficient training; and
- performing live-swapping in the second version of the machine learning model to replace the first version of the machine learning model as an active version to compute another score, said live-swapping being based on a determination of whether the second version of the machine learning model is ready for active deployment.

Dependent claims 2 through 28 depend on claim 1.
29. A system comprising:
- a communication device for receiving a stream of events; and
- at least one hardware processor configured to:
  - compute in real-time a score by processing the stream of events through a first version of a machine learning model, wherein the stream of events corresponds to a time slice and includes time stamped machine data produced by a component within an information environment and reflects activity within the information technology environment, and wherein the machine learning model is configured to be trained by computer network activity characterized by the stream of events involving at least one entity;
  - train, in parallel with said processing the stream of events, a second version of the machine learning model with the time slice that is being processed through the first version for scoring, wherein said training includes retraining a model state of the second version of the machine learning model when a group-specific stream of events provides additional event feature sets;
  - invoke a model readiness logic to determine whether the second version of the machine learning model has sufficient training; and
  - perform live-swapping in the second version of the machine learning model to replace the first version of the machine learning model as an active version to compute another score, said live-swapping being based on a determination of whether the second version of the machine learning model is ready for active deployment.
30. A non-transitory computer readable medium storing instructions, execution of which by a processor in a computer system causes the computer system to:
- compute in real-time a score by processing a stream of events through a first version of a machine learning model, wherein the stream of events corresponds to a time slice and includes time stamped machine data produced by a component within an information environment and reflects activity within the information technology environment, and wherein the machine learning model is configured to be trained by computer network activity characterized by the stream of events involving at least one entity;
- train, in parallel with said processing the stream of events, a second version of the machine learning model with the time slice that is being processed through the first version for scoring, wherein said training includes retraining a model state of the second version of the machine learning model when a group-specific stream of events provides additional event feature sets;
- invoke a model readiness logic to determine whether the second version of the machine learning model has sufficient training; and
- perform live-swapping in the second version of the machine learning model to replace the first version of the machine learning model as an active version to compute another score, said live-swapping being based on a determination of whether the second version of the machine learning model is ready for active deployment.