Detecting anomalous entities

US 10,592,666 B2
Filed: 08/31/2017
Issued: 03/17/2020
Est. Priority Date: 08/31/2017
Status: Active Grant

First Claim

Patent Images

1. A non-transitory machine-readable storage medium storing instructions that upon execution cause a system to:

extract features from event data representing events in a computing environment;

train, using the extracted features, ensembles of machine-learning models for respective analytics modules of a plurality of different types of analytics modules;

assign different priorities to the respective analytics modules of the different types of analytics modules, wherein the different priorities are based on different time scales used by the different types of analytics modules; and

detect, by the different types of analytics modules using the respective trained ensembles of machine-learning models, an anomalous entity in response to further event data, wherein the different types of analytics modules check for presence of the anomalous entity using respective time scales of the different time scales, and wherein a first analytics module of the different types of analytics modules is given a higher priority in access of system resources than a second analytics module of the different types of analytics modules responsive to the first analytics module being assigned a higher priority than the second analytics module by the assigning.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some examples, a system extracts features from event data representing events in a computing environment, trains ensembles of machine-learning models for respective analytics modules of a plurality of different types of analytics modules, and detects, by the different types of analytics modules using the respective trained ensembles of machine-learning models, an anomalous entity in response to further event data.

29 Citations

View as Search Results

21 Claims

1. A non-transitory machine-readable storage medium storing instructions that upon execution cause a system to:
- extract features from event data representing events in a computing environment;
  
  train, using the extracted features, ensembles of machine-learning models for respective analytics modules of a plurality of different types of analytics modules;
  
  assign different priorities to the respective analytics modules of the different types of analytics modules, wherein the different priorities are based on different time scales used by the different types of analytics modules; and
  
  detect, by the different types of analytics modules using the respective trained ensembles of machine-learning models, an anomalous entity in response to further event data, wherein the different types of analytics modules check for presence of the anomalous entity using respective time scales of the different time scales, and wherein a first analytics module of the different types of analytics modules is given a higher priority in access of system resources than a second analytics module of the different types of analytics modules responsive to the first analytics module being assigned a higher priority than the second analytics module by the assigning.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 13)
- - 2. The non-transitory machine-readable storage medium of claim 1, wherein execution of the different types of analytics modules are according to respective priorities of the different priorities.
  - 3. The non-transitory machine-readable storage medium of claim 1, wherein the instructions upon execution cause the system to:
    - aggregate, by the first analytics module, anomaly scores produced by machine-learning models of a first ensemble of machine-learning models, the first ensemble of machine-learning models being an ensemble of the trained ensembles of machine-learning models.
  - 4. The non-transitory machine-readable storage medium of claim 1, wherein the different types of analytics modules comprise analytics modules selected from among a graph-based analytics module, a deep learning analytics module, and a profile-based analytics module.
  - 5. The non-transitory machine-readable storage medium of claim 1, wherein the instructions upon execution cause the system to:
    - present, in a user interface, a representation of the anomalous entity identified by a given analytics module of the different types of analytics modules; and
      
      receive feedback regarding an accuracy of the identification of the anomalous entity identified by the given analytics module.
  - 6. The non-transitory machine-readable storage medium of claim 5, wherein the instructions upon execution cause the system to:
    - in response to the feedback, update the ensemble of machine-learning models for the given analytics module.
  - 7. The non-transitory machine-readable storage medium of claim 6, wherein the instructions upon execution cause the system to:
    - update the ensemble of machine-learning models for the given analytics module based on features extracted from additional event data, wherein the updating is performed iteratively as the additional event data is continually received.
  - 8. The non-transitory machine-readable storage medium of claim 1, wherein the instructions upon execution cause the system to:
    - partition the extracted features across a plurality of partitions that correspond to different respective entities of the computing environment.
  - 13. The non-transitory machine-readable storage medium of claim 1, wherein the first analytics module is to use a first time scale of the different time scales by re-iterating analytics of the first analytics module for identifying anomalous entities every time interval represented by the first time scale, and wherein the second analytics module is to use a second time scale of the different time scales by re-iterating analytics of the second analytics module for identifying anomalous entities every time interval represented by the second time scale.

9. A system comprising:
- at least one processor;
  
  a plurality of different types of analytics modules executable on the at least one processor to apply different types of techniques for detecting anomalous entities in a computing environment; and
  
  a plurality of ensembles of machine-learning models, each respective ensemble of machine-learning models associated with a respective analytics module of the plurality of different types of analytics modules, the respective analytics module to use the respective ensemble of machine-learning models to detect an anomalous entity in the computing environment based on features extracted from event data representing events in the computing environment, wherein the different types of analytics modules are associated with respective different priorities based on different time scales used by the different types of analytics modules, wherein execution of the different types of analytics modules are according to the respective different priorities, and wherein a first analytics module of the different types of analytics modules is given a higher priority in access of system resources than a second analytics module of the different types of analytics modules responsive to the first analytics module being associated with a higher priority than the second analytics module.
- View Dependent Claims (10, 14, 15, 17, 18, 19, 20, 21)
- - 10. The system of claim 9, wherein the first analytics module is executable to:
    - aggregate anomaly scores produced by machine-learning models of a first ensemble of machine-learning models, to generate an aggregated anomaly score, the first ensemble of machine-learning models being an ensemble of the ensembles of machine-learning models; and
      
      detect the anomalous entity using the aggregated anomaly score.
  - 14. The system of claim 9, wherein the first analytics module is to use a first time scale of the different time scales by re-iterating analytics of the first analytics module for identifying anomalous entities every time interval represented by the first time scale, and wherein the second analytics module is to use a second time scale of the different time scales by re-iterating analytics of the second analytics module for identifying anomalous entities every time interval represented by the second time scale.
  - 15. The system of claim 9, wherein the different types of analytics modules comprise analytics modules selected from among a graph-based analytics module, a deep learning analytics module, and a profile-based analytics module.
  - 17. The system of claim 9, further comprising:
    - model training instructions executable on the at least one processor to train the plurality of ensembles of machine-learning models using features extracted from further event data representing events in the computing environment.
  - 18. The system of claim 17, wherein the model training instructions are executable on the at least one processor to:
    - aggregate the further event data in a specified time interval to produce aggregated event data; and
      
      extract the features for training the plurality of ensembles of machine-learning models from the aggregated event data.
  - 19. The system of claim 9, further comprising:
    - a pluggable framework to enable addition of an additional analytics module.
  - 20. The system of claim 19, wherein the pluggable framework comprises an interface to support creation of the additional analytics module.
  - 21. The system of claim 9, wherein the different types of analytics modules are to check for presence of anomalous entities using respective time sales of the different time scales.

11. A method comprising:
- extracting, by a system comprising a hardware processor, features from event data representing events in a computing environment;
  
  training, by the system using the extracted features, ensembles of machine-learning models for respective analytics modules of a plurality of different types of analytics modules;
  
  assigning, by the system, different priorities to the respective analytics modules of the different types of analytics modules, wherein the different priorities are based on different time scales used by the different types of analytics modules; and
  
  detecting, by the different types of analytics modules using the respective trained ensembles of machine-learning models, an anomalous entity in response to further event data, wherein the different types of analytics modules perform checking for the anomalous entity according to time scales of the different time scales, and wherein a first analytics module of the different types of analytics modules is given a higher priority in access of system resources than a second analytics module of the different types of analytics modules responsive to the first analytics module being assigned a higher priority than the second analytics module by the assigning.
- View Dependent Claims (12, 16)
- - 12. The method of claim 11, wherein the different types of analytics modules comprise analytics modules selected from among a graph-based analytics module, a deep learning analytics module, and a profile-based analytics module.
  - 16. The method of claim 11, wherein the first analytics module uses a first time scale of the different time scales by re-iterating analytics of the first analytics module for identifying anomalous entities every time interval represented by the first time scale, and wherein the second analytics module uses a second time scale of the different time scales by re-iterating analytics of the second analytics module for identifying anomalous entities every time interval represented by the second time scale.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Micro Focus LLC (Open Text Corporation)
Inventors
Kim, Mijung, Manadhata, Pratyusa K., Marwah, Manish, Ulanov, Alexander, Li, Jun
Primary Examiner(s)
Idowu, Olugbenga O

Application Number

US15/692,655
Publication Number

US 20190065738A1
Time in Patent Office

929 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/57   Certifying or maintaining t...

G06N 3/042   Knowledge-based neural netw...

G06N 3/045   Combinations of networks

G06N 3/08   Learning methods

G06N 5/022   Knowledge engineering; Know...

Detecting anomalous entities

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

29 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting anomalous entities

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links