Interface providing an interactive trendline for a detected threat to facilitate evaluation for false positives

US 10,666,668 B2
Filed: 01/28/2019
Issued: 05/26/2020
Est. Priority Date: 08/31/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving event data generated by network activities of entities that interact with a computer network, wherein the event data comprises machine data, and the entities include computer users and/or devices in communication with the network;

based upon the received event data as it is received,(i) automatically detecting anomalies indicating deviations from expected or permitted network activities, wherein each anomaly is classified by type and is associated with an entity or entities that participated in network activities and a date at which the detected anomaly occurred, and(ii) automatically detecting threats based upon at least one of a number, type, or timing of detected anomalies, and generating a listing of detected threats as pending threats against the computer network;

upon receiving a user-selection of a detected threat, causing display, in a graphical user interface, of an interactive trendline, which indicates changes to the number of the occurrences of anomalies as a function of dates along the trendline to enable a user to visually depict a trend of the occurrences of the anomalies associated with the threat; and

upon receiving a user-selection, via the graphical user interface, to resolve the detected threat as a false positive, deleting the threat from the listing of pending threats.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security platform employs a variety techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.

Citations

20 Claims

1. A method comprising:
- receiving event data generated by network activities of entities that interact with a computer network, wherein the event data comprises machine data, and the entities include computer users and/or devices in communication with the network;
  
  based upon the received event data as it is received,(i) automatically detecting anomalies indicating deviations from expected or permitted network activities, wherein each anomaly is classified by type and is associated with an entity or entities that participated in network activities and a date at which the detected anomaly occurred, and(ii) automatically detecting threats based upon at least one of a number, type, or timing of detected anomalies, and generating a listing of detected threats as pending threats against the computer network;
  
  upon receiving a user-selection of a detected threat, causing display, in a graphical user interface, of an interactive trendline, which indicates changes to the number of the occurrences of anomalies as a function of dates along the trendline to enable a user to visually depict a trend of the occurrences of the anomalies associated with the threat; and
  
  upon receiving a user-selection, via the graphical user interface, to resolve the detected threat as a false positive, deleting the threat from the listing of pending threats.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the automated determinations result from execution of machine learning logic.
  - 3. The method of claim 1, wherein the trendline is a line connecting a set of points, wherein each point indicates a number of each anomalies occurring on a corresponding date.
  - 4. The method of claim 1, further comprising:
    - upon receiving a selection of a point on the trend line, identifying each anomaly occurring on the respective date; and
      
      upon selection of an identified anomaly, causing display of the event data that triggered detection of the anomaly.
  - 5. The method of claim 1, further comprising:
    - upon receiving a selection of a point on the trend line, identifying each anomaly occurring on the respective date; and
      
      upon receiving a selection of an anomaly from the listing of anomalies, causing display of a graphical representation of a relationship between the entities whose network activity triggered detection of the anomaly.
  - 6. The method of claim 1, wherein each anomaly is classified as a type from a set of anomaly types, the set of types including at least one type pertaining to an alarm, an excessive data transfer, or an unusual login time.
  - 7. The method of claim 1, further comprising:
    - upon receiving the selection of a threat, causing additional display of a graphical representation of a relationship between the entities participating in the network activities that triggered the threat, wherein the display includes one or more lines that connect the entities whose participation together in a network activity triggered an anomaly.
  - 8. The method of claim 1, wherein the anomalies are detected in real-time.
  - 9. The method of claim 1, wherein the anomalies are detected based on both real-time detection and batch detection.

10. A non-transitory, computer-readable storage medium storing instructions, an execution of which in a computer system causes the computer system to perform operations comprising:
- receiving event data generated by network activities of entities that interact with a computer network, wherein the event data comprises machine data, and the entities include computer users and/or devices in communication with the network;
  
  based upon the received event data as it is received,(i) automatically detecting anomalies indicating deviations from expected or permitted network activities, wherein each anomaly is classified by type and is associated with an entity or entities that participated in network activities and a date at which the detected anomaly occurred, and(ii) automatically detecting threats based upon at least one of a number, type, or timing of detected anomalies, and generating a listing of detected threats as pending threats against the computer network;
  
  upon receiving a user-selection of a detected threat, causing display, in a graphical user interface, of an interactive trendline, which indicates changes to the number of the occurrences of anomalies as a function of dates along the trendline to enable a user to visually depict a trend of the occurrences of the anomalies associated with the threat; and
  
  upon receiving a user-selection, via the graphical user interface, to resolve the detected threat as a false positive, deleting the threat from the listing of pending threats.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computer-readable storage medium of claim 10, wherein the automated determinations result from execution of machine learning logic.
  - 12. The computer-readable storage medium of claim 10, wherein the trendline is a line connecting a set of points, wherein each point indicates a number of each anomalies occurring on a corresponding date.
  - 13. The computer-readable storage medium of claim 10, performing operations further comprising:
    - upon receiving a selection of a point on the trend line, identifying each anomaly occurring on the respective date; and
      
      upon selection of an identified anomaly, causing display of the event data that triggered detection of the anomaly.
  - 14. The computer-readable storage medium of claim 10, performing operations further comprising:
    - upon receiving a selection of a point on the trend line, identifying each anomaly occurring on the respective date; and
      
      upon receiving a selection of an anomaly from the listing of anomalies, causing display of a graphical representation of a relationship between the entities whose network activity triggered detection of the anomaly.
  - 15. The computer-readable storage medium of claim 10, wherein each anomaly is classified as a type from a set of anomaly types, the set of types including at least one type pertaining to an alarm, an excessive data transfer, or an unusual login time.
  - 16. The computer-readable storage medium of claim 10, performing operations further comprising:
    - upon receiving the selection of a threat, causing additional display of a graphical representation of a relationship between the entities participating in the network activities that triggered the threat, wherein the display includes one or more lines that connect the entities whose participation together in a network activity triggered an anomaly.
  - 17. The computer-readable storage medium of claim 10, wherein the anomalies are detected in real-time.
  - 18. The computer-readable storage medium of claim 10, wherein the anomalies are detected based on both real-time detection and batch detection.

19. A computer system comprising:
- computer memory for storing machine data; and
  
  a processor for;
  
  receiving event data generated by network activities of entities that interact with a computer network, wherein the event data comprises machine data, and the entities include computer users and/or devices in communication with the network;
  
  based upon the received event data as it is received,(i) automatically detecting anomalies indicating deviations from expected or permitted network activities, wherein each anomaly is classified by type and is associated with an entity or entities that participated in network activities and a date at which the detected anomaly occurred, and(ii) automatically detecting threats based upon at least one of a number, type, or timing of detected anomalies, and generating a listing of detected threats as pending threats against the computer network;
  
  upon receiving a user-selection of a detected threat, causing display, in a graphical user interface, of an interactive trendline, which indicates changes to the number of the occurrences of anomalies as a function of dates along the trendline to enable a user to visually depict a trend of the occurrences of the anomalies associated with the threat; and
  
  upon receiving a user-selection, via the graphical user interface, to resolve the detected threat as a false positive, deleting the threat from the listing of pending threats.
- View Dependent Claims (20)
- - 20. The computer system of claim 19, wherein the automated determinations result from execution of machine learning logic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc. (Cisco Systems, Inc.)
Original Assignee
Splunk Inc. (Cisco Systems, Inc.)
Inventors
Muddu, Sudhakar, Tryfonas, Christos
Primary Examiner(s)
Naghdali, Khalil

Application Number

US16/259,999
Publication Number

US 20190158517A1
Time in Patent Office

484 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 16/24578   using ranking

G06F 16/254   Extract, transform and load...

G06F 16/285   Clustering or classification

G06F 16/444   Spatial browsing, e.g. 2D m...

G06F 16/9024   Graphs; Linked lists G06F16...

G06F 3/0482   Interaction with lists of s...

G06F 3/0484   for the control of specific...

G06F 3/04842   Selection of displayed obje...

G06F 3/04847   Interaction techniques to c...

G06F 40/134   Hyperlinking

G06N 20/00   Machine learning

G06N 20/20   Ensemble learning

G06N 5/022   Knowledge engineering; Know...

G06N 5/04   Inference or reasoning models

G06N 7/01   Probabilistic graphical mod...

G06V 10/225   based on a marking or ident...

H04L 2463/121   Timestamp

H04L 41/0893   Assignment of logical group...

H04L 41/145   involving simulating, desig...

H04L 41/22   comprising specially adapte...

H04L 43/00 : Arrangements for monitoring...

H04L 43/045 : for graphical visualisation...

H04L 43/062 : related to network traffic

H04L 43/08 : Monitoring or testing based...

H04L 63/06 : for supporting key manageme...

H04L 63/1408 : by monitoring network traff...

H04L 63/1416 : Event detection, e.g. attac...

H04L 63/1425 : Traffic logging, e.g. anoma...

H04L 63/1433 : Vulnerability analysis

H04L 63/1441 : Countermeasures against mal...

H04L 63/20 : for managing network securi...

View All

Interface providing an interactive trendline for a detected threat to facilitate evaluation for false positives

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Interface providing an interactive trendline for a detected threat to facilitate evaluation for false positives

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links