Window-based rarity determination using probabilistic suffix trees for network security analysis
Abstract
A security platform employs a variety of techniques and mechanisms to detect security-related anomalies and threats in a computer network environment. The security platform is "big data" driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security-related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat and to take action promptly.
30 Claims

1. A method comprising:

receiving a sequence of event feature sets corresponding to a sequence of events, wherein the event feature sets are derived from raw event machine data recorded in a computer network;

measuring an anomaly count within a target event window by processing the sequence of event feature sets through an event sequence prediction model to increase the anomaly count when the event sequence prediction model identifies an event feature set within the target event window as corresponding to an anomalous event, wherein the event sequence prediction model includes a probabilistic suffix tree (PST) based machine learning model;

comparing a rarity score for the target event window against an established baseline distribution to determine a probability of encountering the event window with the rarity score;

upon determining that the probability of encountering the event window is below a threshold, identifying the target event window as containing a suspicious series of events by determining whether the anomaly count deviates from a baseline by a specified criterion; and

generating a computer security threat indicator or a computer security anomaly indicator based on the identification of the suspicious series of events.

Dependent claims 2 through 28 depend from claim 1 and are not reproduced on this page.

29. A system comprising:

a memory storing computer-executable instructions; and

a processor configured by the computer-executable instructions to:

receive a sequence of event feature sets corresponding to a sequence of events, wherein the event feature sets are derived from raw event machine data recorded in a computer network;

measure an anomaly count within a target event window by processing the sequence of event feature sets through an event sequence prediction model to increase the anomaly count when the event sequence prediction model identifies an event feature set within the target event window as corresponding to an anomalous event, wherein the event sequence prediction model includes a probabilistic suffix tree (PST) based machine learning model;

compare a rarity score for the target event window against an established baseline distribution to determine a probability of encountering such event window with the rarity score;

upon determining that the probability of encountering such event window is below a threshold, identify the target event window as containing a suspicious series of events by determining whether the anomaly count deviates from a baseline by a specified criterion; and

generate a computer security threat indicator or a computer security anomaly indicator based on the identification of the suspicious series of events.

30. A non-transitory machine readable medium storing instructions, execution of which by at least one processor in a computer system causes the computer system to:

receive a sequence of event feature sets corresponding to a sequence of events, wherein the event feature sets are derived from raw event machine data recorded in a computer network;

measure an anomaly count within a target event window by processing the sequence of event feature sets through an event sequence prediction model to increase the anomaly count when the event sequence prediction model identifies an event feature set within the target event window as corresponding to an anomalous event, wherein the event sequence prediction model includes a probabilistic suffix tree (PST) based machine learning model;

compare a rarity score for the target event window against an established baseline distribution to determine a probability of encountering such event window with the rarity score;

upon determining that the probability of encountering such event window is below a threshold, identify the target event window as containing a suspicious series of events by determining whether the anomaly count deviates from a baseline by a specified criterion; and

generate a computer security threat indicator or a computer security anomaly indicator based on the identification of the suspicious series of events.
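Claims 1, 29 and 30 all recite the same pipeline: a PST-based sequence model flags individual events as anomalous and increments a per-window anomaly count, the window's rarity score is compared against a baseline distribution to obtain a probability, and only a window that is both improbable and has a deviant anomaly count yields an indicator. The following Python is an added worked example of that pipeline; it is not code from the patent or its assignee. The bounded-order suffix tree with additive smoothing, the mean negative-log-probability rarity score, the empirical tail probability, the "mean plus two standard deviations" count criterion, the thresholds and the sample sessions are all assumptions chosen for illustration; the claims fix none of them.

```python
# Added worked example, not code from the patent or its assignee.
# The PST construction, smoothing, rarity score, tail probability, count
# criterion and sample sessions are illustrative assumptions.
import math
from collections import Counter, defaultdict


class PST:
    """Bounded-order probabilistic suffix tree: P(next event | last k events)
    for every context of length 0..max_order observed in training."""

    def __init__(self, max_order=2, alpha=0.5):
        self.max_order = max_order
        self.alpha = alpha                   # additive smoothing for unseen events
        self.counts = defaultdict(Counter)   # context tuple -> Counter of next events
        self.vocab = set()

    def fit(self, sequences):
        for seq in sequences:
            for i, ev in enumerate(seq):
                self.vocab.add(ev)
                for k in range(self.max_order + 1):
                    if i - k < 0:
                        break
                    self.counts[tuple(seq[i - k:i])][ev] += 1
        return self

    def prob(self, context, event):
        """Smoothed P(event | longest suffix of context present in the tree)."""
        ctx = tuple(context[-self.max_order:]) if self.max_order > 0 else ()
        while ctx and ctx not in self.counts:
            ctx = ctx[1:]                    # back off to a shorter suffix
        c = self.counts.get(ctx, Counter())
        # +1 in the vocabulary size reserves probability mass for never-seen events
        denom = sum(c.values()) + self.alpha * (len(self.vocab) + 1)
        return (c[event] + self.alpha) / denom


def anomaly_count(model, seq, window, event_threshold=0.05):
    """Events in window [start, end) whose conditional probability under the
    model is below event_threshold; each one increments the anomaly count."""
    start, end = window
    return sum(1 for i in range(start, end)
               if model.prob(seq[:i], seq[i]) < event_threshold)


def rarity_score(model, seq, window):
    """Mean negative log-probability of the window's events (assumed score)."""
    start, end = window
    nll = -sum(math.log(model.prob(seq[:i], seq[i])) for i in range(start, end))
    return nll / (end - start)


def baseline_distribution(model, sequences, window_size):
    """Rarity scores and anomaly counts of every window in the baseline data."""
    scores, counts = [], []
    for seq in sequences:
        for s in range(len(seq) - window_size + 1):
            w = (s, s + window_size)
            scores.append(rarity_score(model, seq, w))
            counts.append(anomaly_count(model, seq, w))
    return scores, counts


def tail_probability(baseline_scores, score):
    """Empirical P(baseline rarity >= score): how often a window this rare
    or rarer was seen in the baseline."""
    return sum(1 for b in baseline_scores if b >= score) / len(baseline_scores)


def is_suspicious(model, seq, window, baseline, p_threshold=0.05, sigma=2.0):
    """Two-stage check as claimed: the window must be improbable against the
    baseline distribution AND its anomaly count must deviate from the baseline
    count (here: exceed the baseline mean by sigma standard deviations)."""
    scores, counts = baseline
    if tail_probability(scores, rarity_score(model, seq, window)) >= p_threshold:
        return False
    mean = sum(counts) / len(counts)
    std = math.sqrt(sum((c - mean) ** 2 for c in counts) / len(counts))
    return anomaly_count(model, seq, window) > mean + sigma * std


# Constructed sample sessions; each event feature set is reduced to one symbol.
TRAINING_SESSIONS = (
    [["login", "read", "read", "logout"]] * 5
    + [["login", "read", "write", "logout"]] * 3
    + [["login", "write", "read", "logout"]] * 2
)
WINDOW = 4


def build_model():
    model = PST(max_order=2, alpha=0.5).fit(TRAINING_SESSIONS)
    return model, baseline_distribution(model, TRAINING_SESSIONS, WINDOW)


if __name__ == "__main__":
    model, baseline = build_model()
    cases = [("attack", ["login", "read", "priv_esc", "dump", "exfil", "logout"], (2, 6)),
             ("routine", ["login", "read", "write", "logout"], (0, 4)),
             ("odd-but-benign", ["login", "write", "write", "logout"], (0, 4))]
    for name, seq, win in cases:
        print(name, anomaly_count(model, seq, win),
              round(rarity_score(model, seq, win), 3),
              is_suspicious(model, seq, win, baseline))
```

The third case is the one worth noticing: a window that is rare against the baseline distribution but contains no individually anomalous events passes the probability test and still fails the count criterion, so no indicator is raised. That is the point of the two-stage structure in the claim: rarity alone is cheap to trip on unusual-but-legitimate activity, and the anomaly count supplies the second piece of evidence.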
Specification