Data retrieval in security anomaly detection platform with shared model state between real-time and batch paths
First Claim
1. A method comprising:
implementing a batch event processing engine on a distributed data processing platform, wherein the batch event processing engine is configured to process a batch of historic event data;
performing an interaction with a datastore to retrieve specific event data;
scheduling the batch event processing engine to process the specific event data; and
enabling the batch event processing engine to share a model state of a particular machine learning model, with a real-time event processing engine on the distributed data processing platform, the real-time event processing engine being configured to process an unbounded stream of event data, the particular machine learning model being configured to process a time slice of data for detecting a security-related issue, wherein the real-time event processing engine and the batch event processing engine each utilize the shared model state to share, with the other engine, security-related knowledge gained from processing respective data.
Abstract
A security platform employs a variety of techniques and mechanisms to detect security-related anomalies and threats in a computer network environment. The security platform is "big data" driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security-related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
30 Claims
1. A method comprising: (independent claim; full text given under First Claim above)
Dependent claims: 2-28
29. A computer system comprising:
a real-time event processing engine on the distributed data processing platform, the real-time event processing engine being configured to process an unbounded stream of event data; and
a batch event processing engine on a distributed data processing platform, wherein the batch event processing engine is configured to process a batch of historic event data;
wherein the system is configured to:
perform an interaction with a datastore to retrieve specific event data;
schedule the batch event processing engine to process the specific event data; and
enable the batch event processing engine to share a model state of a particular machine learning model, with the real-time event processing engine, the particular machine learning model being configured to process a time slice of data for detecting a security-related issue, wherein the real-time event processing engine and the batch event processing engine each utilize the shared model state to share, with the other engine, security-related knowledge gained from processing respective data.
30. A non-transitory machine-readable storage medium for use in a processing system, the non-transitory machine-readable storage medium storing instructions, an execution of which in the processing system causes the processing system to perform operations comprising:
implementing a batch event processing engine on a distributed data processing platform, wherein the batch event processing engine is configured to process a batch of historic event data;
performing an interaction with a datastore to retrieve specific event data;
scheduling the batch event processing engine to process the specific event data; and
enabling the batch event processing engine to share a model state of a particular machine learning model, with a real-time event processing engine on the distributed data processing platform, the real-time event processing engine being configured to process an unbounded stream of event data, the particular machine learning model being configured to process a time slice of data for detecting a security-related issue, wherein the real-time event processing engine and the batch event processing engine each utilize the shared model state to share, with the other engine, security-related knowledge gained from processing respective data.
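The arrangement the independent claims describe (a batch engine that retrieves a time slice of historic events from a datastore, a real-time engine that scores an unbounded stream, and one model state that both engines read and write) can be sketched in code. The following is an added example written for this page, not code from the patent or from any product implementing it. Everything concrete in it is an assumption made for illustration: the "machine learning model" is a per-entity running mean/variance baseline, the shared state store is an in-memory dict, the feature is `bytes_out` per session, the z-score threshold and minimum sample count are arbitrary, and the event records are constructed.

```python
"""Real-time and batch paths sharing one model state (added illustration)."""
import math
from dataclasses import dataclass


@dataclass
class RunningStats:
    """Running mean/variance of one feature (Welford); assumed stand-in for the model."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0  # sum of squared deviations from the running mean

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def merge(self, other: "RunningStats") -> None:
        """Fold in a partial result computed elsewhere (parallel-variance merge)."""
        if other.n == 0:
            return
        if self.n == 0:
            self.n, self.mean, self.m2 = other.n, other.mean, other.m2
            return
        total = self.n + other.n
        delta = other.mean - self.mean
        self.mean += delta * other.n / total
        self.m2 += other.m2 + delta * delta * self.n * other.n / total
        self.n = total

    def std(self) -> float:
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


class SharedModelState:
    """State both engines read and write: one baseline per (entity, feature).
    An in-memory dict here; a real deployment would use a shared store."""

    def __init__(self):
        self._stats = {}

    def get(self, entity: str, feature: str) -> RunningStats:
        return self._stats.setdefault((entity, feature), RunningStats())


def query_datastore(events: list, start: int, end: int) -> list:
    """The 'interaction with a datastore': historic events with ts in [start, end)."""
    return [e for e in events if start <= e["ts"] < end]


class RealTimeEngine:
    """Scores each streaming event against the shared baseline, then learns from it."""
    MIN_SAMPLES = 10   # refuse to score against a cold baseline (assumed value)
    Z_THRESHOLD = 4.0  # assumed threshold, in standard deviations

    def __init__(self, state: SharedModelState):
        self.state = state

    def process(self, event: dict):
        """Return None (no usable baseline) or (is_anomaly, z_score)."""
        stats = self.state.get(event["user"], "bytes_out")
        verdict = None
        if stats.n >= self.MIN_SAMPLES and stats.std() > 0:
            z = (event["bytes_out"] - stats.mean) / stats.std()
            verdict = (abs(z) > self.Z_THRESHOLD, z)
        if verdict is None or not verdict[0]:
            # Real-time knowledge flows into the shared state; flagged events are
            # deliberately not learned so one spike cannot poison the baseline.
            stats.update(event["bytes_out"])
        return verdict


class BatchEngine:
    """Replays one time slice of historic events and merges the result into the
    shared state, so the real-time path benefits from history it never saw."""

    def __init__(self, state: SharedModelState, datastore: list):
        self.state, self.datastore = state, datastore

    def run(self, start: int, end: int) -> int:
        partial = {}
        events = query_datastore(self.datastore, start, end)
        for ev in events:
            key = (ev["user"], "bytes_out")
            partial.setdefault(key, RunningStats()).update(ev["bytes_out"])
        for key, stats in partial.items():
            self.state.get(*key).merge(stats)
        return len(events)


def demo() -> dict:
    """Constructed scenario: alice normally sends about 1000 bytes per session."""
    historic = [{"ts": 100 + i, "user": "alice", "bytes_out": (900, 1000, 1100)[i % 3]}
                for i in range(30)]
    state = SharedModelState()
    rt, batch = RealTimeEngine(state), BatchEngine(state, historic)
    cold = rt.process({"ts": 500, "user": "alice", "bytes_out": 1000})   # no baseline yet
    batch_events = batch.run(100, 200)   # scheduled batch over the time slice [100, 200)
    hot = rt.process({"ts": 501, "user": "alice", "bytes_out": 50000})  # now scoreable
    normal = rt.process({"ts": 502, "user": "alice", "bytes_out": 1050})
    return {"cold": cold, "batch_events": batch_events, "hot": hot, "normal": normal,
            "baseline_n": state.get("alice", "bytes_out").n}
```

Two design points carry the weight here. The batch engine never writes raw counters into the live state; it computes a partial result over its slice and merges it with a formula that is order-independent, which is what makes "sharing a model state" safe when both paths write to it. The real-time engine refuses to score while the baseline is cold and does not learn from events it has just flagged, so the batch backfill is what turns a cold stream into one that can recognise the 50000-byte session as anomalous, while the anomaly itself does not widen the baseline for the next event. A real deployment would additionally need concurrency control on the shared store and a way to avoid double-counting events that both paths have seen.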
Specification