Detection of anomalies, threat indicators, and threats to network security
First Claim
1. A method comprising:
- detecting, by a computer system, anomalies in activity on a computer network, by processing received event data associated with the activity using a plurality of machine-learning anomaly models, each of the plurality of machine-learning anomaly models configured to detect a different one of a plurality of categories of anomalous activity on the computer network;
generating, by the computer system, anomaly data indicative of the anomalies in response to said detecting;
identifying, by the computer system, threat indicators by processing the anomaly data using a plurality of machine-learning threat indicator models, each of the plurality of machine-learning threat indicator models configured to analyze relationships between anomalies detected across the computer network;
generating, by the computer system, threat indicator data indicative of the threat indicators in response to said identifying; and
identifying, by the computer system, a security threat to the computer network by processing the threat indicator data using a plurality of machine-learning security threat models, each of the plurality of machine-learning security threat models configured to analyze relationships between threat indicators identified across the computer network.
2 Assignments
0 Petitions
Accused Products
Abstract
A security platform employs a variety techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
39 Citations
21 Claims
-
1. A method comprising:
-
detecting, by a computer system, anomalies in activity on a computer network, by processing received event data associated with the activity using a plurality of machine-learning anomaly models, each of the plurality of machine-learning anomaly models configured to detect a different one of a plurality of categories of anomalous activity on the computer network; generating, by the computer system, anomaly data indicative of the anomalies in response to said detecting; identifying, by the computer system, threat indicators by processing the anomaly data using a plurality of machine-learning threat indicator models, each of the plurality of machine-learning threat indicator models configured to analyze relationships between anomalies detected across the computer network; generating, by the computer system, threat indicator data indicative of the threat indicators in response to said identifying; and identifying, by the computer system, a security threat to the computer network by processing the threat indicator data using a plurality of machine-learning security threat models, each of the plurality of machine-learning security threat models configured to analyze relationships between threat indicators identified across the computer network. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
-
-
20. A system comprising:
-
a processor; and a memory unit having instructions stored thereon, which when executed by the processor cause the system to; detect anomalies in activity on a computer network, by processing received event data associated with the activity using a plurality of machine-learning anomaly models, each of the plurality of machine-learning anomaly models configured to detect a different one of a plurality of categories of anomalous activity on the computer network; generate anomaly data indicative of the anomalies in response to said detecting; identify threat indicators by processing the anomaly data using a plurality of machine-learning threat indicator models, each of the plurality of machine-learning threat indicator models configured to analyze relationships between anomalies detected across the computer network; generate threat indicator data indicative of the threat indicators in response to said identifying; and identify a security threat to the computer network by processing the threat indicator data using a plurality of machine-learning security threat models, each of the plurality of machine-learning security threat models configured to analyze relationships between threat indicators identified across the computer network.
-
-
21. A non-transient computer readable medium containing instructions for causing a computer system to:
-
detect anomalies in activity on a computer network by processing received event data associated with the activity using a plurality of machine-learning anomaly models, each of the plurality of machine-learning anomaly models configured to detect a different one of a plurality of categories of anomalous activity on the computer network; generate anomaly data indicative of the anomalies in response to said detecting; identify threat indicators by processing the anomaly data using a plurality of machine-learning threat indicator models, each of the plurality of machine-learning threat indicator models configured to analyze relationships between anomalies detected across the computer network; generate threat indicator data indicative of the threat indicators in response to said identifying; and identify a security threat to the computer network by processing the threat indicator data using a plurality of machine-learning security threat models, each of the plurality of machine-learning security threat models configured to analyze relationships between threat indicators identified across the computer network.
-
Specification