Anomaly detection to identify security threats
1 Assignment
0 Petitions
Abstract
Techniques are described for processing anomalies detected using user-specified rules together with anomalies detected using machine-learning based behavioral analysis models to identify threat indicators and security threats to a computer network. In an embodiment, anomalies are detected by processing event data at a network security system that uses rules-based anomaly detection. These rules-based detected anomalies are acquired by a network security system that uses machine-learning based anomaly detection. The rules-based detected anomalies are processed along with the machine-learning detected anomalies to detect threat indicators or security threats to the computer network. The threat indicators and security threats are output as alerts to the network security system that uses rules-based anomaly detection.
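The pipeline the abstract describes has three stages: a behavioral (machine-learning) detector, a user-defined rule detector, and a threat indicator model that consumes both kinds of anomaly together. The following is an added example, not code from the patent or its assignee; it uses constructed events, a median/MAD robust z-score as a stand-in for the behavioral model, a failed-login burst rule as the user-defined rule, and a logistic threat indicator model whose weights (WEIGHTS, BIAS) are assumed values standing in for coefficients a real deployment would fit on labelled history.

```python
"""Two anomaly sources (rule + behavioural baseline) feeding one threat-indicator
model, as the abstract describes. All data and model parameters are constructed."""
import math
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int         # seconds since start of the constructed capture
    user: str
    action: str     # "login_fail", "login_ok" or "download"
    bytes_out: int  # payload size for "download" events, 0 otherwise


@dataclass(frozen=True)
class Anomaly:
    entity: str     # user the anomaly is attributed to
    source: str     # "ml" (behavioural model) or "rule" (user-defined rule)
    kind: str
    score: float    # 0..1 severity as reported by the detector
    ts: int


MB = 1_000_000
# Constructed sample: alice bursts failed logins and then downloads far more than
# anyone else; bob bursts failed logins but otherwise looks like everyone else.
EVENTS = [
    *[Event(t, "alice", "login_fail", 0) for t in (100, 110, 120, 130, 140)],
    Event(150, "alice", "login_ok", 0),
    Event(200, "alice", "download", 500 * MB),
    *[Event(t, "bob", "login_fail", 0) for t in (300, 305, 310, 315, 320)],
    Event(330, "bob", "login_ok", 0),
    Event(400, "bob", "download", 10 * MB),
    Event(420, "carol", "download", 12 * MB),
    Event(430, "dave", "download", 9 * MB),
    Event(440, "erin", "download", 11 * MB),
    Event(450, "frank", "download", 10 * MB),
]


def ml_anomalies(events, threshold=3.5):
    """Behavioural baseline (stand-in for the ML model): flag downloads whose robust
    z-score (median / MAD) against the download population exceeds `threshold`.
    MAD is used so a single huge outlier cannot inflate the baseline and hide itself."""
    downloads = [e for e in events if e.action == "download"]
    if len(downloads) < 3:
        return []                   # too little data to claim a baseline
    values = [e.bytes_out for e in downloads]
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values])
    if mad == 0:
        return []                   # degenerate baseline (all equal): refuse to score
    out = []
    for e in downloads:
        z = 0.6745 * (e.bytes_out - med) / mad
        if abs(z) >= threshold:
            out.append(Anomaly(e.user, "ml", "unusual_download_volume",
                               min(1.0, abs(z) / (2 * threshold)), e.ts))
    return out


def rule_anomalies(events, max_fail=5, window=120):
    """User-defined rule: `max_fail` or more failed logins by one user within
    `window` seconds. Sliding window over sorted timestamps; the window resets
    after firing so each separate burst yields one anomaly."""
    fails = defaultdict(list)
    for e in events:
        if e.action == "login_fail":
            fails[e.user].append(e.ts)
    out = []
    for user, ts_list in fails.items():
        ts_list.sort()
        start = 0
        for end, t in enumerate(ts_list):
            while t - ts_list[start] > window:
                start += 1
            if end - start + 1 >= max_fail:
                out.append(Anomaly(user, "rule", "brute_force_logins", 0.7, t))
                start = end + 1
    return out


# Logistic threat-indicator model; constructed weights standing in for fitted ones.
WEIGHTS = {"ml": 2.5, "rule": 2.0}
BIAS = -3.0


def threat_indicators(anomalies, window=600, threshold=0.5):
    """Process ML and rule anomalies together: group by entity, keep those within
    `window` seconds of that entity's latest anomaly, use the strongest score per
    source as features, and emit an indicator when the probability crosses `threshold`."""
    by_entity = defaultdict(list)
    for a in anomalies:
        by_entity[a.entity].append(a)
    indicators = []
    for entity, items in by_entity.items():
        latest = max(a.ts for a in items)
        recent = [a for a in items if latest - a.ts <= window]
        features = {src: max((a.score for a in recent if a.source == src), default=0.0)
                    for src in WEIGHTS}
        logit = BIAS + sum(WEIGHTS[s] * features[s] for s in WEIGHTS)
        prob = 1.0 / (1.0 + math.exp(-logit))
        if prob >= threshold:
            indicators.append({"entity": entity, "probability": round(prob, 3),
                               "evidence": sorted(a.kind for a in recent)})
    return indicators


if __name__ == "__main__":
    for ind in threat_indicators(ml_anomalies(EVENTS) + rule_anomalies(EVENTS)):
        print(ind)
```

On the constructed data only alice produces a threat indicator: the rule fires for both alice and bob, but the threat indicator model weights a rule hit alone below its threshold, so bob's burst stays an anomaly rather than becoming an alert, while alice's rule hit combined with the behavioral outlier crosses it. The MAD guard and the minimum-population check are the two failure modes worth keeping in any real implementation: a baseline built from too few or identical values should refuse to score rather than emit noise.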
29 Claims
1. A computer-implemented method comprising:
processing events associated with an information technology environment using a machine-learning anomaly detection model to generate first anomaly data indicative of a first anomaly detected in the events;
processing the events using an anomaly detection rule to generate second anomaly data indicative of a second anomaly detected in the events, the anomaly detection rule having been defined by a user;
inputting the first anomaly data and the second anomaly data into a machine-learning threat indicator model; and
processing the first anomaly data concurrently with the second anomaly data using the machine-learning threat indicator model to identify a threat indicator associated with a potential security threat to the information technology environment.
Dependent claims 2 through 27 are not reproduced here.
28. A computer system comprising:
a processor; and
a storage device having instructions stored thereon, which when executed by the processor cause the computer system to:
process events associated with an information technology environment using a machine-learning anomaly detection model to generate first anomaly data indicative of a first anomaly detected in the events;
process the events using an anomaly detection rule to generate second anomaly data indicative of a second anomaly detected in the events, the anomaly detection rule having been defined by a user;
input the first anomaly data and the second anomaly data into a machine-learning threat indicator model; and
process the first anomaly data concurrently with the second anomaly data using the machine-learning threat indicator model to identify a threat indicator associated with a potential security threat to the information technology environment.
29. A non-transitory computer readable medium containing instructions, execution of which in a computer system causes the computer system to:
process events associated with an information technology environment using a machine-learning anomaly detection model to generate first anomaly data indicative of a first anomaly detected in the events;
process the events using an anomaly detection rule to generate second anomaly data indicative of a second anomaly detected in the events, the anomaly detection rule having been defined by a user;
input the first anomaly data and the second anomaly data into a machine-learning threat indicator model; and
process the first anomaly data concurrently with the second anomaly data using the machine-learning threat indicator model to identify a threat indicator associated with a potential security threat to the information technology environment.