Detecting anomalous entities
Abstract
In some examples, a system extracts features from event data representing events in a computing environment, trains ensembles of machine-learning models for respective analytics modules of a plurality of different types of analytics modules, and detects, by the different types of analytics modules using the respective trained ensembles of machine-learning models, an anomalous entity in response to further event data.
29 Citations
21 Claims
1. A non-transitory machine-readable storage medium storing instructions that upon execution cause a system to:
extract features from event data representing events in a computing environment;
train, using the extracted features, ensembles of machine-learning models for respective analytics modules of a plurality of different types of analytics modules;
assign different priorities to the respective analytics modules of the different types of analytics modules, wherein the different priorities are based on different time scales used by the different types of analytics modules; and
detect, by the different types of analytics modules using the respective trained ensembles of machine-learning models, an anomalous entity in response to further event data, wherein the different types of analytics modules check for presence of the anomalous entity using respective time scales of the different time scales, and wherein a first analytics module of the different types of analytics modules is given a higher priority in access of system resources than a second analytics module of the different types of analytics modules responsive to the first analytics module being assigned a higher priority than the second analytics module by the assigning.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 13.
9. A system comprising:
at least one processor;
a plurality of different types of analytics modules executable on the at least one processor to apply different types of techniques for detecting anomalous entities in a computing environment; and
a plurality of ensembles of machine-learning models, each respective ensemble of machine-learning models associated with a respective analytics module of the plurality of different types of analytics modules, the respective analytics module to use the respective ensemble of machine-learning models to detect an anomalous entity in the computing environment based on features extracted from event data representing events in the computing environment, wherein the different types of analytics modules are associated with respective different priorities based on different time scales used by the different types of analytics modules, wherein execution of the different types of analytics modules is according to the respective different priorities, and wherein a first analytics module of the different types of analytics modules is given a higher priority in access of system resources than a second analytics module of the different types of analytics modules responsive to the first analytics module being associated with a higher priority than the second analytics module.
Dependent claims: 10, 14, 15, 17, 18, 19, 20, 21.
11. A method comprising:
extracting, by a system comprising a hardware processor, features from event data representing events in a computing environment;
training, by the system using the extracted features, ensembles of machine-learning models for respective analytics modules of a plurality of different types of analytics modules;
assigning, by the system, different priorities to the respective analytics modules of the different types of analytics modules, wherein the different priorities are based on different time scales used by the different types of analytics modules; and
detecting, by the different types of analytics modules using the respective trained ensembles of machine-learning models, an anomalous entity in response to further event data, wherein the different types of analytics modules perform checking for the anomalous entity according to time scales of the different time scales, and wherein a first analytics module of the different types of analytics modules is given a higher priority in access of system resources than a second analytics module of the different types of analytics modules responsive to the first analytics module being assigned a higher priority than the second analytics module by the assigning.
Dependent claims: 12, 16.