Detection of anomalies, threat indicators, and threats to network security

US 10,419,450 B2
Filed: 10/30/2015
Issued: 09/17/2019
Est. Priority Date: 08/31/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

detecting, by a computer system, anomalies in activity on a computer network, by processing received event data associated with the activity using a plurality of machine-learning anomaly models, each of the plurality of machine-learning anomaly models configured to detect a different one of a plurality of categories of anomalous activity on the computer network;

generating, by the computer system, anomaly data indicative of the anomalies in response to said detecting;

identifying, by the computer system, threat indicators by processing the anomaly data using a plurality of machine-learning threat indicator models, each of the plurality of machine-learning threat indicator models configured to analyze relationships between anomalies detected across the computer network;

generating, by the computer system, threat indicator data indicative of the threat indicators in response to said identifying; and

identifying, by the computer system, a security threat to the computer network by processing the threat indicator data using a plurality of machine-learning security threat models, each of the plurality of machine-learning security threat models configured to analyze relationships between threat indicators identified across the computer network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security platform employs a variety techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.

39 Citations

View as Search Results

21 Claims

1. A method comprising:
- detecting, by a computer system, anomalies in activity on a computer network, by processing received event data associated with the activity using a plurality of machine-learning anomaly models, each of the plurality of machine-learning anomaly models configured to detect a different one of a plurality of categories of anomalous activity on the computer network;
  
  generating, by the computer system, anomaly data indicative of the anomalies in response to said detecting;
  
  identifying, by the computer system, threat indicators by processing the anomaly data using a plurality of machine-learning threat indicator models, each of the plurality of machine-learning threat indicator models configured to analyze relationships between anomalies detected across the computer network;
  
  generating, by the computer system, threat indicator data indicative of the threat indicators in response to said identifying; and
  
  identifying, by the computer system, a security threat to the computer network by processing the threat indicator data using a plurality of machine-learning security threat models, each of the plurality of machine-learning security threat models configured to analyze relationships between threat indicators identified across the computer network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, wherein said processing anomaly data includes one or more of:
    - aggregating the anomaly data;
      
      correlating the anomaly data;
      
      or enhancing the anomaly data.
  - 3. The method of claim 1, wherein said processing the anomaly data includes:
    - determining a measure of anomalies associated with a particular entity of the computer network over a time period, the particular entity including a user or a device;
      
      wherein said identifying threat indicators includes identifying a threat indicator if the measure of anomalies associated with the particular entity satisfies a specified criterion.
  - 4. The method of claim 1, wherein said processing the anomaly data includes:
    - determining a number of entities of the computer network associated with a particular category of anomaly over a time period, the entities including users and/or devices;
      
      wherein said identifying threat indicators includes identifying a threat indicator if the number of entities associated with the particular category of anomaly satisfies a specified criterion.
  - 5. The method of claim 1, wherein said processing the anomaly data includes:
    - monitoring a duration of a particular anomaly over a time period; and
      
      wherein said identifying threat indicators includes identifying a threat indicator if the duration of the particular anomaly satisfies a specified criterion.
  - 6. The method of claim 1, wherein processing the anomaly data includes:
    - determining anomalies that have substantially matching profiles over a time period, the profiles based on the underlying event data associated with each anomaly; and
      
      wherein said identifying threat indicators includes identifying a threat indicator if the number of anomalies with substantially matching profiles satisfies a specified criterion.
  - 7. The method of claim 1, wherein processing the anomaly data to identify threat indicators includes:
    - inputting anomaly data associated with a detected first type of anomaly into a model configured to detect a second type of anomaly;
      
      wherein said identifying threat indicators includes identifying a threat indicator if the second type of anomaly is detected based on processing the anomaly data associated with the first type of anomaly according to the model.
  - 8. The method of claim 1, wherein said processing the anomaly data includes:
    - identifying a particular entity associated with the anomaly data; and
      
      comparing the particular entity against data stored in an external database of known security risks;
      
      wherein said identifying threat indicators includes identifying a threat indicator if the particular entity substantially matches a known security risk from the database.
  - 9. The method of claim 1, wherein said processing the anomaly data includes annotating the anomaly data with data from an external database of known security risks.
  - 10. The method of claim 1, wherein said processing the anomaly data includes:
    - identifying an anomaly associated with a connection to a domain considered to be unfamiliar; and
      
      in response to identifying the anomaly associated with the connection to the domain considered to be unfamiliar, determining whether the domain matches a domain known to be a security risk;
      
      wherein said identifying threat indicators includes identifying a threat indicator if the domain substantially matches a domain known to be a security risk.
  - 11. The method of claim 1, wherein said processing the anomaly data includes:
    - identifying an anomaly associated with a beacon type; and
      
      in response to identifying the anomaly associated with the beacon type, determining whether the beacon type matches a beacon type known to be a security risk;
      
      wherein said identifying threat indicators includes identifying a threat indicator if the beacon type substantially matches a beacon type known to be a security risk.
  - 12. The method of claim 1, further comprising:
    - outputting, via a user interface, the identified threat indicators to a user; and
      
      providing an alert to the user, via the user interface, in response to identifying the security threat.
  - 13. The method of claim 1, further comprising:
    - outputting, via the user interface, the identified threat indicators as a summary of key anomalies from a set of detected anomalies across the computer network.
  - 14. The method of claim 1, further comprising:
    - computing, by a processor, a score for a particular identified threat indicator, the score based on the anomaly data on which the particular threat indicator is based;
      
      wherein the score represents a confidence level that the particular threat indictor is indicative of a security threat to the computer network.
  - 15. The method of claim 1, wherein the processing of event data is performed using a processing engine running Apache Storm.
  - 16. The method of claim 1, wherein the processing of anomaly data and/or threat indicator data is performed in batch mode.
  - 17. The method of claim 1, wherein the processing of anomaly data and/or threat indicator data is performed using a processing engine running Apache Spark on a Hadoop distributed computing cluster.
  - 18. The method of claim 1, further comprising:
    - receiving the event data from a plurality of entities associated with the computer network via an extract, transform, and load (ETL) pipeline.
  - 19. The method of claim 1, wherein the event data is machine-generated data.

20. A system comprising:
- a processor; and
  
  a memory unit having instructions stored thereon, which when executed by the processor cause the system to;
  
  detect anomalies in activity on a computer network, by processing received event data associated with the activity using a plurality of machine-learning anomaly models, each of the plurality of machine-learning anomaly models configured to detect a different one of a plurality of categories of anomalous activity on the computer network;
  
  generate anomaly data indicative of the anomalies in response to said detecting;
  
  identify threat indicators by processing the anomaly data using a plurality of machine-learning threat indicator models, each of the plurality of machine-learning threat indicator models configured to analyze relationships between anomalies detected across the computer network;
  
  generate threat indicator data indicative of the threat indicators in response to said identifying; and
  
  identify a security threat to the computer network by processing the threat indicator data using a plurality of machine-learning security threat models, each of the plurality of machine-learning security threat models configured to analyze relationships between threat indicators identified across the computer network.

21. A non-transient computer readable medium containing instructions for causing a computer system to:
- detect anomalies in activity on a computer network by processing received event data associated with the activity using a plurality of machine-learning anomaly models, each of the plurality of machine-learning anomaly models configured to detect a different one of a plurality of categories of anomalous activity on the computer network;
  
  generate anomaly data indicative of the anomalies in response to said detecting;
  
  identify threat indicators by processing the anomaly data using a plurality of machine-learning threat indicator models, each of the plurality of machine-learning threat indicator models configured to analyze relationships between anomalies detected across the computer network;
  
  generate threat indicator data indicative of the threat indicators in response to said identifying; and
  
  identify a security threat to the computer network by processing the threat indicator data using a plurality of machine-learning security threat models, each of the plurality of machine-learning security threat models configured to analyze relationships between threat indicators identified across the computer network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Muddu, Sudhakar, Tryfonas, Christos
Primary Examiner(s)
Dada, Beemnet W

Application Number

US14/929,037
Publication Number

US 20170063905A1
Time in Patent Office

1,418 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/24578   using ranking

G06F 16/254   Extract, transform and load...

G06F 16/285   Clustering or classification

G06F 16/444   Spatial browsing, e.g. 2D m...

G06F 16/9024   Graphs; Linked lists G06F16...

G06F 3/0482   Interaction with lists of s...

G06F 3/0484   for the control of specific...

G06F 3/04842   Selection of displayed obje...

G06F 3/04847   Interaction techniques to c...

G06F 40/134   Hyperlinking

G06N 20/00   Machine learning

G06N 20/20   Ensemble learning

G06N 5/022   Knowledge engineering; Know...

G06N 5/04   Inference or reasoning models

G06N 7/01   Probabilistic graphical mod...

G06V 10/225   based on a marking or ident...

H04L 2463/121   Timestamp cryptographic mec...

H04L 41/0893   Assignment of logical group...

H04L 41/145   involving simulating, desig...

H04L 41/22   comprising specially adapte...

H04L 43/00 : Arrangements for monitoring...

H04L 43/045 : for graphical visualisation...

H04L 43/062 : related to network traffic

H04L 43/08 : Monitoring or testing based...

H04L 63/06 : for supporting key manageme...

H04L 63/1408 : by monitoring network traff...

H04L 63/1416 : Event detection, e.g. attac...

H04L 63/1425 : Traffic logging, e.g. anoma...

H04L 63/1433 : Vulnerability analysis

H04L 63/1441 : Countermeasures against mal...

H04L 63/20 : for managing network securi...

H05K 999/99 : dummy group

View All

Detection of anomalies, threat indicators, and threats to network security

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

39 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Detection of anomalies, threat indicators, and threats to network security

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others