PARAMETER ADJUSTMENT FOR PATTERN DISCOVERY

US 20150106922A1
Filed: 05/30/2012
Published: 04/16/2015
Est. Priority Date: 05/30/2012
Status: Active Grant

First Claim

Patent Images

1. A method for determining parameters for pattern discovery in event data, the method comprising:

selecting an initial set of parameters for pattern discovery, wherein the parameters specify conditions for identifying a pattern in the event data;

executing, by a processor, a pattern discovery run on the event data based on the initial set of parameters; and

adjusting a parameter of the initial set of parameters based on an output of the pattern discovery run.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Pattern discovery performed on event data may include selecting an initial set of parameters for the pattern discovery. The parameters may specify conditions for identifying a pattern in the event data. A pattern discovery run is executed on the event data based on the initial set of parameters, and a parameter may be adjusted based on the output of the pattern discovery run.

32 Citations

View as Search Results

15 Claims

1. A method for determining parameters for pattern discovery in event data, the method comprising:
- selecting an initial set of parameters for pattern discovery, wherein the parameters specify conditions for identifying a pattern in the event data;
  
  executing, by a processor, a pattern discovery run on the event data based on the initial set of parameters; and
  
  adjusting a parameter of the initial set of parameters based on an output of the pattern discovery run.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein adjusting a parameter comprises:
    - determining whether a number of patterns identified from the event data as result of executing the pattern discovery run is less than a threshold; and
      
      expanding the parameter to increase the number of patterns identified from the event data if the adjusted parameter is used in a subsequent pattern discovery run.
  - 3. The method of claim 1, wherein adjusting a parameter comprises:
    - determining whether a number of patterns identified from the event data as result of executing the pattern discovery run is greater than a threshold; and
      
      restricting the parameter to decrease the number of patterns identified from the event data if the adjusted parameter is used in a subsequent pattern discovery run.
  - 4. The method of claim 1, wherein adjusting a parameter comprises:
    - determining whether the pattern discovery run failed to complete within a predetermined period of time; and
      
      adjusting the parameter to reduce system resources if the adjusted parameter is used in a subsequent pattern discovery run.
  - 5. The method of claim 1, wherein the initial set of parameters comprises a minimum number of different activities that are performed in a sequence for the activities to be considered a pattern, a repeatability parameter that identifies a minimum number of times the different activities are repeated to be considered a pattern, and a time duration of event data that is considered for the pattern discovery run.
  - 6. The method of claim 5, wherein adjusting the parameter comprises:
    - increasing the minimum number of different activities that are performed for the activities to be considered a pattern, increasing the repeatability parameter, or decreasing the time duration.
  - 7. The method of claim 5, wherein adjusting the parameter comprises:
    - decreasing the minimum number of different activities that are performed for the activities to be considered a pattern, decreasing the repeatability parameter, or increasing the time duration.
  - 8. The method of claim 1, comprising:
    - selecting a set of fields based on field statistics for a pattern discovery profile;
      
      including the set of fields and the initial parameters in a pattern discovery profile; and
      
      executing a pattern discovery run comprises identifying patterns in the event data based on the pattern discovery profile including the set of fields and the initial set of parameters.
  - 9. The method of claim 8, wherein executing a pattern discovery run comprises:
    - determining whether the event data includes the set of fields that satisfy the conditions associated with the initial parameters to identify patterns in the event data matching the patter discovery profile.
  - 10. The method of claim 1, wherein the output of the pattern discovery run comprises a result set of patterns satisfying the conditions of the initial set of parameters, wherein the conditions are associated with a set of fields for the event data.

11. A network security event processing system comprising:
- data storage storing event data describing activities for devices connected to a network;
  
  a pattern identifier engine, executed by a processor, to execute a pattern discovery run to detect patterns in the event data based on an initial set of parameters associated with conditions for identifying the patterns; and
  
  a parameter tuning module to adjust a parameter from the initial set based on an output of the pattern discovery run.
- View Dependent Claims (12, 13, 14)
- - 12. The network security event processing system of claim 11, wherein the parameter tuning module is to determine whether a number of patterns identified from the event data as result of executing the pattern discovery run is less than a threshold, and is to adjust the parameter to increase the number of patterns identified from the event data if the adjusted parameter is used in a subsequent pattern discovery run.
  - 13. The network security event processing system of claim 11, wherein the parameter tuning module is to determine whether a number of patterns identified from the event data as result of executing the pattern discovery run is greater than a threshold, and is to adjust the parameter to decrease the number of patterns identified from the event data if the adjusted parameter is used in a subsequent pattern discovery run.
  - 14. The network security event processing system of claim 11, wherein the parameter tuning module is to determine whether the pattern discovery run failed to complete within a predetermined period of time, and is to adjust the parameter to reduce system resources to execute a subsequent pattern discovery run.

15. A non-transitory computer readable medium including machine readable instructions that when executed by a processor cause the processor to:
- select an initial set of parameters for pattern discovery, wherein the parameters specify conditions for identifying a pattern in the event data;
  
  execute a pattern discovery run on the event data based on the initial set of parameters; and
  
  adjust a parameter of the initial set of parameters based on a number of patterns identified in the pattern discovery run or based on whether the pattern discovery run failed to complete execution.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Wang, Yanlin, Singla, Anurag, Zhao, Zhipeng

Granted Patent

US 10,027,686 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 43/04 Processing captured monitor...

H04L 63/1408 by monitoring network traff...

PARAMETER ADJUSTMENT FOR PATTERN DISCOVERY

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

32 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

PARAMETER ADJUSTMENT FOR PATTERN DISCOVERY

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links