Model training and deployment in complex event processing of computer network data

US 10,148,677 B2
Filed: 04/18/2017
Issued: 12/04/2018
Est. Priority Date: 08/31/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

computing in real-time a score by processing a stream of events through a first version of a machine learning model, wherein the stream of events corresponds to a time slice and includes time stamped machine data produced by a component within an information environment and reflects activity within the information technology environment, and wherein the machine learning model is configured to be trained by computer network activity characterized by the stream of events involving at least one entity;

training, in parallel with said processing the stream of events, a second version of the machine learning model with the time slice that is being processed through the first version for scoring, wherein said training includes retraining a model state of the second version of the machine learning model when a group-specific stream of events provides additional event feature sets;

invoking a model readiness logic to determine whether the second version of the machine learning model has sufficient training; and

performing live-swapping in the second version of the machine learning model to replace the first version of the machine learning model as an active version to compute another score, said live-swapping being based on a determination of whether the second version of the machine learning model is ready for active deployment.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security platform employs a variety techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.

Citations

30 Claims

1. A method comprising:
- computing in real-time a score by processing a stream of events through a first version of a machine learning model, wherein the stream of events corresponds to a time slice and includes time stamped machine data produced by a component within an information environment and reflects activity within the information technology environment, and wherein the machine learning model is configured to be trained by computer network activity characterized by the stream of events involving at least one entity;
  
  training, in parallel with said processing the stream of events, a second version of the machine learning model with the time slice that is being processed through the first version for scoring, wherein said training includes retraining a model state of the second version of the machine learning model when a group-specific stream of events provides additional event feature sets;
  
  invoking a model readiness logic to determine whether the second version of the machine learning model has sufficient training; and
  
  performing live-swapping in the second version of the machine learning model to replace the first version of the machine learning model as an active version to compute another score, said live-swapping being based on a determination of whether the second version of the machine learning model is ready for active deployment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 2. The method of claim 1, wherein the determination of whether the second version is ready is based on at least one of:
    - a number of events that have been used to train the second version, a length of time that the second version has been in training, or whether the model state of the second version is converging.
  - 3. The method of claim 1, wherein said live-swapping comprises processing a subsequent time slice from the stream of events through the second version of the machine learning model.
  - 4. The method of claim 1, further comprising processing the time slice of the stream of events through the first version of the machine learning model prior to when a subsequent time slice becomes available.
  - 5. The method of claim 1, wherein the stream of events are created based on raw event data pertaining to a plurality machine-observed events.
  - 6. The method of claim 1, wherein the time slice being processed by the first version of the machine learning model is a most recent time slice from the stream of events.
  - 7. The method of claim 1, wherein the time slice includes event feature sets that correspond to an event in the stream of events.
  - 8. The method of claim 1, further comprising training the machine learning model by processing a previous time slice of the stream of events, prior to said computing the score.
  - 9. The method of claim 1, wherein said processing the time slice through the first version of the machine learning model includes processing the time slice through a model deliberation process logic configured by the first version of the machine learning model;
    - wherein said training the second version of the machine learning model includes processing the time slice through a model training process logic; and
      
      wherein the model training process logic and the model deliberation process logic are both machine learning models of a particular type.
  - 10. The method of claim 1, whereinsaid live swapping includes re-configuring, without first terminating, a model deliberation process thread that is performing said computing, said computing being performed in real-time.
  - 11. The method of claim 1, furthering comprising processing the stream of events through a plurality of machine learning models of different types to detect security-related anomalies or threats of different types.
  - 12. The method of claim 1, further comprising:
    - identifying a security-related anomaly or a security-related threat to enable remediation of the anomaly or threat as the stream of events is processed, the stream of events being processed in real-time.
  - 13. The method of claim 1, wherein the machine learning model is specific to a particular entity involved in the stream of events, wherein the entity is a user, a device, a system, a network resource locator, an application, a process thread, or any combination thereof.
  - 14. The method of claim 1, wherein the machine learning model performs behavioral analysis of a particular entity involved in the stream of events.
  - 15. The method of claim 1, wherein the machine learning model performs peer group analysis amongst entities involved in the stream of events.
  - 16. The method of claim 1, wherein the machine learning model performs time series analysis on a stream of the events.
  - 17. The method of claim 1, wherein the machine learning model performs graph correlation analysis amongst entities involved in the stream of events.
  - 18. The method of claim 1, wherein the machine learning model includes a state machine specific to an entity involved in an event represented in the time slice.
  - 19. The method of claim 1, wherein said computing the score includes processing the stream of events through the machine learning model according to model deliberation processing logic specified by a model type associated with the machine learning model.
  - 20. The method of claim 1, further comprising training the machine learning model according to model training processing logic specified by a model type associated with the machine learning model.
  - 21. The method of claim 1, further comprising training the machine learning model according to model training processing logic specified by a model type associated with the machine learning model, wherein a model type associated with the machine learning model includes definitions for a model training workflow and a model deliberation workflow.
  - 22. The method of claim 1, further comprising incrementally updating the machine learning model in real-time using the time slice of the events, wherein said incremental updating includes:
    - isolating a portion of a model state representative of the machine learning model affected by the events; and
      
      re-training only the portion of the model state.
  - 23. The method of claim 1, further comprising simultaneously training multiple machine learning models, associated with different purposes or different entities, in real-time.
  - 24. The method of claim 1, wherein computing the score is performed in a distributed computation system that implements a task-parallel distributed data processing engine.
  - 25. The method of claim 1, further comprising training the machine learning model in a distributed computation system that implements a task-parallel distributed data processing engine.
  - 26. The method of claim 1, further comprising training the machine learning model in real-time using single-pass training processing logic.
  - 27. The method of claim 1, further comprising:
    - training the machine learning model; and
      
      storing a model state of the machine learning model, resulting from said training, in a distributed cache for use in said computing of the score.
  - 28. The method of claim 1, wherein a threshold defining sufficiency of training is defined by the machine learning model.

29. A system comprising:
- a communication device for receiving a stream of events; and
  
  at least one hardware processor configured to;
  
  compute in real-time a score by processing the stream of events through a first version of a machine learning model, wherein the stream of events corresponds to a time slice and includes time stamped machine data produced by a component within an information environment and reflects activity within the information technology environment, and wherein the machine learning model is configured to be trained to by computer network activity characterized by the stream of events involving at least one entity;
  
  train, in parallel with said processing the stream of events, a second version of the machine learning model with the time slice that is being processed through the first version for scoring, wherein said training includes retraining a model state of the second version of the machine learning model when a group-specific stream of events provides additional event feature sets;
  
  invoke a model readiness logic to determine whether the second version of the machine learning model has sufficient training; and
  
  perform live-swapping in the second version of the machine learning model to replace the first version of the machine learning model as an active version to compute another score, said live-swapping being based on a determination of whether the second version of the machine learning model is ready for active deployment.

30. A non-transitory computer readable medium storing instructions, execution of which by a processor in a computer system causes the computer system to:
- compute in real-time a score by processing a stream of events through a first version of a machine learning model, wherein the stream of events corresponds to a time slice and includes time stamped machine data produced by a component within an information environment and reflects activity within the information technology environment, and wherein the machine learning model is configured to be trained by computer network activity characterized by the stream of events involving at least one entity;
  
  train, in parallel with said processing the stream of events, a second version of the machine learning model with the time slice that is being processed through the first version for scoring, wherein said training includes retraining a model state of the second version of the machine learning model when a group-specific stream of events provides additional event feature sets;
  
  invoke a model readiness logic to determine whether the second version of the machine learning model has sufficient training; and
  
  perform live-swapping in the second version of the machine learning model to replace the first version of the machine learning model as an active version to compute another score, said live-swapping being based on a determination of whether the second version of the machine learning model is ready for active deployment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc. (Cisco Systems, Inc.)
Original Assignee
Splunk Inc. (Cisco Systems, Inc.)
Inventors
Muddu, Sudhakar, Tryfonas, Christos
Primary Examiner(s)
Lwin, Maung T

Application Number

US15/490,849
Publication Number

US 20170223036A1
Time in Patent Office

595 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 16/24578   using ranking

G06F 16/254   Extract, transform and load...

G06F 16/285   Clustering or classification

G06F 16/444   Spatial browsing, e.g. 2D m...

G06F 16/9024   Graphs; Linked lists G06F16...

G06F 3/0482   Interaction with lists of s...

G06F 3/0484   for the control of specific...

G06F 3/04842   Selection of displayed obje...

G06F 3/04847   Interaction techniques to c...

G06F 40/134   Hyperlinking

G06N 20/00   Machine learning

G06N 20/20   Ensemble learning

G06N 5/022   Knowledge engineering; Know...

G06N 5/04   Inference or reasoning models

G06N 7/01   Probabilistic graphical mod...

G06V 10/225   based on a marking or ident...

H04L 2463/121   Timestamp

H04L 41/0893   Assignment of logical group...

H04L 41/145   involving simulating, desig...

H04L 41/22   comprising specially adapte...

H04L 43/00 : Arrangements for monitoring...

H04L 43/045 : for graphical visualisation...

H04L 43/062 : related to network traffic

H04L 43/08 : Monitoring or testing based...

H04L 63/06 : for supporting key manageme...

H04L 63/1408 : by monitoring network traff...

H04L 63/1416 : Event detection, e.g. attac...

H04L 63/1425 : Traffic logging, e.g. anoma...

H04L 63/1433 : Vulnerability analysis

H04L 63/1441 : Countermeasures against mal...

H04L 63/20 : for managing network securi...

View All

Model training and deployment in complex event processing of computer network data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Model training and deployment in complex event processing of computer network data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links