INVESTIGATIVE AND DYNAMIC DETECTION OF POTENTIAL SECURITY-THREAT INDICATORS FROM EVENTS IN BIG DATA
First Claim
1. A computer-implemented method, comprising:
accessing a set of events, wherein each event in the set of events characterizes a computational action or computational communication;
determining a set of metrics, wherein each metric in the set of metrics is determined based on a corresponding event in the set of events;
generating a population characterization based on the extracted metrics;
receiving an input corresponding to an identification of a criterion to use to identify metrics to include in a subset of the set of metrics;
analyzing, for each event in the set of events, the extracted metric with respect to the population characterization;
determining, for each event in the set of events, whether the criterion is satisfied based on the analysis;
generating a subset of metrics that consists of all metrics for which the criterion is satisfied; and
generating a visual object that represents the subset of metrics.
1 Assignment
0 Petitions
Abstract
A metric value is determined for each event in a set of events that characterizes a computational communication or object. For example, a metric value could be the length of a URL or of an agent string in the event. A subset criterion is generated such that metric values within the subset are relatively separated from the population's center (e.g., lie within a distribution tail). Applying the criterion to the metric values produces the subset. A representation of the subset is presented in an interactive dashboard; it can include the unique values in the subset and counts of the corresponding event occurrences. Clients can select particular elements in the representation to see more detail about the individual events corresponding to specific values in the subset. Thus, clients can combine their knowledge of system operations with the observed value frequencies and underlying events to identify anomalous metric values and potential security threats.
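The steps of the abstract and of claim 1, carried through end to end as an added worked example; this is not code from the patent or from its assignee. It runs over a constructed web-proxy log (fourteen made-up events, two of them planted anomalies), takes URL length and User-Agent length as the per-event metrics, characterizes the population, applies a caller-supplied criterion, and produces the unique kept values with their event counts plus the drill-down to the underlying events. The abstract only says "population's center" and "distribution tail", so the choice of center (median), spread (median absolute deviation scaled by 1.4826) and criterion (absolute robust z-score at or above a threshold, i.e. either tail) are assumptions made here, as are all event ids, hosts, paths and agent strings.

```python
"""Tail-based metric triage over a set of events (added example; not the
patent's or its assignee's code).  Steps: metric per event, population
characterization, caller-chosen criterion, subset, representation, drill-down.
Assumptions not fixed by the text: center = median, spread = MAD * 1.4826
(about one standard deviation for normal data), criterion = |z| >= threshold.
"""
from collections import Counter
from dataclasses import dataclass
from statistics import median
from typing import Callable, Iterable

UA_CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
UA_SAFARI = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) "
             "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15")
UA_CURL = "curl/8.4.0"
# Constructed: a browser agent string with 300 bytes of payload appended, the
# kind of header stuffing a length metric is meant to surface.
UA_STUFFED = UA_CHROME + " " + "A" * 300


def _ev(event_id: int, path: str, agent: str, host: str = "intranet.example") -> dict:
    return {"id": event_id, "url": f"http://{host}{path}", "user_agent": agent}


# Constructed sample events, not real traffic.  Ids 13 and 14 are the planted
# anomalies: a 191-character URL and the stuffed agent string.
EVENTS = [
    _ev(1, "/home", UA_CHROME),
    _ev(2, "/mail/inbox", UA_SAFARI),
    _ev(3, "/docs/policy.pdf", UA_CHROME),
    _ev(4, "/api/v1/users", UA_CURL),
    _ev(5, "/login", UA_SAFARI),
    _ev(6, "/wiki/Onboarding", UA_CHROME),
    _ev(7, "/search?q=vpn", UA_SAFARI),
    _ev(8, "/mail/sent", UA_CHROME),
    _ev(9, "/calendar/today", UA_SAFARI),
    _ev(10, "/static/app.js", UA_CHROME),
    _ev(11, "/profile", UA_SAFARI),
    _ev(12, "/api/v1/orders?page=2", UA_CHROME),
    _ev(13, "/dl?d=" + "A" * 160, UA_SAFARI, host="cdn-update.example"),
    _ev(14, "/home", UA_STUFFED),
]

Metric = Callable[[dict], float]


def url_length(event: dict) -> int:
    return len(event["url"])


def agent_length(event: dict) -> int:
    return len(event["user_agent"])


@dataclass(frozen=True)
class Population:
    center: float   # median of the metric values
    mad: float      # median absolute deviation from the center
    spread: float   # MAD scaled to a standard-deviation-like unit


def characterize(values: Iterable[float]) -> Population:
    vals = list(values)
    center = median(vals)
    mad = median(abs(v - center) for v in vals)
    return Population(center, mad, mad * 1.4826)


def robust_z(value: float, pop: Population) -> float:
    if pop.spread == 0:
        # More than half the values are identical: any departure from the
        # center is infinitely far in MAD units, so flag it instead of dividing by zero.
        return 0.0 if value == pop.center else float("inf")
    return (value - pop.center) / pop.spread


def tail_subset(events: list, metric: Metric, threshold: float = 3.0):
    """Return (population, [(event, value, z)]) for the events meeting the criterion."""
    values = {e["id"]: metric(e) for e in events}
    pop = characterize(values.values())
    scored = [(e, values[e["id"]], robust_z(values[e["id"]], pop)) for e in events]
    return pop, [s for s in scored if abs(s[2]) >= threshold]


def representation(kept) -> list:
    """Unique metric values in the subset with their event counts, most frequent first."""
    counts = Counter(value for _, value, _ in kept)
    return sorted(counts.items(), key=lambda kv: (-kv[1], -kv[0]))


def drill_down(events: list, metric: Metric, value: float) -> list:
    """The events behind one value selected in the representation."""
    return [e for e in events if metric(e) == value]


def flagged_ids(events: list, metric: Metric, threshold: float = 3.0) -> list:
    _, kept = tail_subset(events, metric, threshold)
    return sorted(e["id"] for e, _, _ in kept)


if __name__ == "__main__":
    for name, metric in (("url length", url_length), ("agent length", agent_length)):
        pop, kept = tail_subset(EVENTS, metric)
        print(f"{name}: center={pop.center} spread={pop.spread:.2f}")
        for value, count in representation(kept):
            print(f"  value={value} events={count}")
            for e in drill_down(EVENTS, metric, value):
                print(f"    id={e['id']} {e['url'][:50]} {e['user_agent'][:40]}")
```

With the default threshold of 3 the URL metric keeps only event 13 and the agent metric keeps events 4 (the curl client, a short tail) and 14 (the stuffed header, a long tail); lowering the threshold to 1.5 pulls the shortest and longest ordinary URLs into the subset as well, which is the effect the claimed criterion input is for. Median and MAD are used for the center and spread because a mean and standard deviation are themselves pulled towards the very outliers being looked for: on this sample the 191-character URL alone would inflate the standard deviation enough to hide smaller but still unusual values.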
30 Claims
1. A computer-implemented method, comprising:
accessing a set of events, wherein each event in the set of events characterizes a computational action or computational communication;
determining a set of metrics, wherein each metric in the set of metrics is determined based on a corresponding event in the set of events;
generating a population characterization based on the extracted metrics;
receiving an input corresponding to an identification of a criterion to use to identify metrics to include in a subset of the set of metrics;
analyzing, for each event in the set of events, the extracted metric with respect to the population characterization;
determining, for each event in the set of events, whether the criterion is satisfied based on the analysis;
generating a subset of metrics that consists of all metrics for which the criterion is satisfied; and
generating a visual object that represents the subset of metrics.
Dependent claims: 2 to 12.

13. A system, comprising:
one or more data processors; and
a non-transitory computer-readable storage medium containing instructions which when executed on the one or more data processors, cause the one or more processors to perform operations including:
accessing a set of events, wherein each event in the set of events characterizes a computational action or computational communication;
determining a set of metrics, wherein each metric in the set of metrics is determined based on a corresponding event in the set of events;
generating a population characterization based on the extracted metrics;
receiving an input corresponding to an identification of a criterion to use to identify metrics to include in a subset of the set of metrics;
analyzing, for each event in the set of events, the extracted metric with respect to the population characterization;
determining, for each event in the set of events, whether the criterion is satisfied based on the analysis;
generating a subset of metrics that consists of all metrics for which the criterion is satisfied; and
generating a visual object that represents the subset of metrics.
Dependent claims: 14 to 21.

22. A computer-program product tangibly embodied in a non-transitory machine-readable storage medium, including instructions configured to cause one or more data processors to:
access a set of events, wherein each event in the set of events characterizes a computational action or computational communication;
determine a set of metrics, wherein each metric in the set of metrics is determined based on a corresponding event in the set of events;
generate a population characterization based on the extracted metrics;
receive an input corresponding to an identification of a criterion to use to identify metrics to include in a subset of the set of metrics;
analyze, for each event in the set of events, the extracted metric with respect to the population characterization;
determine, for each event in the set of events, whether the criterion is satisfied based on the analysis;
generate a subset of metrics that consists of all metrics for which the criterion is satisfied; and
generate a visual object that represents the subset of metrics.
Dependent claims: 23 to 30.