EFFICIENT IDENTIFICATION OF LOG EVENTS IN ENTERPRISE THREAT DETECTION
First Claim
1. A computer-implemented method, comprising:
identifying a first set of log entries;
determining a plurality of log entry classes occurring in the first set of log entries, each log entry in a given log entry class having a same number, type, and ordering of components;
determining, for each log entry class, a vector of component type identifiers for a given log entry class, each identifier in the vector identifying a position and type of a component included in a log entry belonging to the given log entry class;
creating a classification tree using the vectors;
identifying an unclassified log entry not included in the first set of log entries;
assigning a log entry class to the unclassified log entry using the classification tree to create a classified log entry; and
evaluating one or more security threat patterns using the classified log entry.
Abstract
A first set of log entries is identified. A plurality of log entry classes occurring in the first set of log entries is determined. Each log entry in a given log entry class has a same number, type, and ordering of components. A vector of component type identifiers is determined for each log entry class. Each identifier in a vector for a given log entry class identifies a position and type of a component included in a log entry belonging to the given log entry class. A classification tree is created using the vectors. An unclassified log entry not included in the first set of log entries is identified. A log entry class is assigned to the unclassified log entry using the classification tree to create a classified log entry. One or more security threat patterns are evaluated using the classified log entry.
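The following is an added worked example of the procedure described in claim 1 and the abstract; it is not the patent's own implementation and the specification is not reproduced on this page. The component type identifiers (TS, IP, INT, KV, WORD, OTHER), the whitespace tokenisation, the trie used as the classification tree, the ThreatPattern shape and every sample log line are constructed assumptions chosen to illustrate the claim, not details taken from the patent.

```python
"""Structural log-entry classification in the style of the claimed method.

Added example, not the patent's implementation.  Type identifiers, regexes
and sample log lines are constructed assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Component type identifiers, tried in order; the first regex that matches a
# whitespace-separated component decides its type.  (Assumed set.)
TOKEN_TYPES = [
    ("TS", re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")),
    ("IP", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")),
    ("INT", re.compile(r"^\d+$")),
    ("KV", re.compile(r"^[A-Za-z_]+=.+$")),
    ("WORD", re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*$")),
]


def component_types(entry: str) -> tuple[str, ...]:
    """Vector of component type identifiers: position i holds the type of
    component i, so entries with the same number, type and ordering of
    components yield the same tuple (the 'log entry class')."""
    types = []
    for tok in entry.split():
        for tid, rx in TOKEN_TYPES:
            if rx.match(tok):
                types.append(tid)
                break
        else:
            types.append("OTHER")
    return tuple(types)


@dataclass
class Node:
    """One tree level, keyed by the type id at that component position."""
    children: dict[str, "Node"] = field(default_factory=dict)
    class_id: Optional[int] = None  # set only where a complete vector ends


class LogClassifier:
    def __init__(self) -> None:
        self.root = Node()
        self.classes: dict[tuple[str, ...], int] = {}  # vector -> class id

    def train(self, entries: list[str]) -> None:
        """Derive the classes of a first set of entries and build the tree."""
        for entry in entries:
            vec = component_types(entry)
            if vec in self.classes:
                continue
            self.classes[vec] = len(self.classes)
            node = self.root
            for tid in vec:
                node = node.children.setdefault(tid, Node())
            node.class_id = self.classes[vec]

    def classify(self, entry: str) -> Optional[int]:
        """One dict lookup per component.  Returns None for an unseen
        structure (missing branch, or a vector that is only a prefix of a
        known class) so the caller can route it to a fallback."""
        node = self.root
        for tid in component_types(entry):
            node = node.children.get(tid)
            if node is None:
                return None
        return node.class_id


@dataclass(frozen=True)
class ThreatPattern:
    """Bound to one class: positions are meaningful only because every
    member of the class shares the same layout."""
    name: str
    class_id: int
    match_pos: int      # component that must equal match_value
    match_value: str
    group_pos: int      # component to aggregate on (here: source IP)
    threshold: int


def evaluate(pattern: ThreatPattern,
             classified: list[tuple[Optional[int], list[str]]]) -> dict[str, int]:
    """Return group -> hit count for groups reaching the threshold."""
    counts: dict[str, int] = {}
    for class_id, comps in classified:
        if class_id != pattern.class_id or comps[pattern.match_pos] != pattern.match_value:
            continue
        key = comps[pattern.group_pos]
        counts[key] = counts.get(key, 0) + 1
    return {k: v for k, v in counts.items() if v >= pattern.threshold}


# Constructed sample data, not taken from any real system.
TRAINING = [
    "2024-03-01T10:00:00Z 10.0.0.5 sshd Failed password for user=root",
    "2024-03-01T10:00:01Z 10.0.0.7 sshd Accepted password for user=alice",
    "2024-03-01T10:00:02Z 10.0.0.5 sshd Failed password for user=admin",
    "2024-03-01T10:00:03Z kernel oom_killer pid=412",
]
UNSEEN = [
    "2024-03-01T10:00:04Z 10.0.0.5 sshd Failed password for user=guest",
    "2024-03-01T10:00:05Z 10.0.0.9 nginx GET /index.html 200",  # not in TRAINING
]


def run_demo() -> dict:
    clf = LogClassifier()
    clf.train(TRAINING)
    ssh_class = clf.classify(TRAINING[0])
    classified = [(clf.classify(e), e.split()) for e in TRAINING + UNSEEN]
    pattern = ThreatPattern("ssh password brute force", ssh_class,
                            match_pos=3, match_value="Failed", group_pos=1, threshold=3)
    return {
        "num_classes": len(clf.classes),
        "unseen_classes": [clf.classify(e) for e in UNSEEN],
        "hits": evaluate(pattern, classified),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two points worth noting when applying this in practice. Classification is purely structural: "Failed password" and "Accepted password" entries share one class because their type vectors are identical, so the threat pattern has to test the value at a known position rather than rely on the class alone. And an entry whose type vector hits a missing branch (the nginx line above) or stops at an internal node comes back unclassified; forcing it into the nearest class would silently feed wrong component positions to every pattern bound to that class, so it should instead be queued for a new class or a fallback parser.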
68 Citations
20 Claims
1. A computer-implemented method, comprising:
identifying a first set of log entries;
determining a plurality of log entry classes occurring in the first set of log entries, each log entry in a given log entry class having a same number, type, and ordering of components;
determining, for each log entry class, a vector of component type identifiers for a given log entry class, each identifier in the vector identifying a position and type of a component included in a log entry belonging to the given log entry class;
creating a classification tree using the vectors;
identifying an unclassified log entry not included in the first set of log entries;
assigning a log entry class to the unclassified log entry using the classification tree to create a classified log entry; and
evaluating one or more security threat patterns using the classified log entry.
(Dependent claims 2 to 11 depend from claim 1.)

12. A non-transitory, computer-readable medium storing computer-readable instructions, the instructions executable by a computer and configured to:
identify a first set of log entries;
determine a plurality of log entry classes occurring in the first set of log entries, each log entry in a given log entry class having a same number, type, and ordering of components;
determine, for each log entry class, a vector of component type identifiers for a given log entry class, each identifier in the vector identifying a position and type of a component included in a log entry belonging to the given log entry class;
create a classification tree using the vectors;
identify an unclassified log entry not included in the first set of log entries;
assign a log entry class to the unclassified log entry using the classification tree to create a classified log entry; and
evaluate one or more security threat patterns using the classified log entry.
(Dependent claims 13 to 16 depend from claim 12.)

17. A system, comprising:
a memory; and
at least one hardware processor interoperably coupled with the memory and configured to:
identify a first set of log entries;
determine a plurality of log entry classes occurring in the first set of log entries, each log entry in a given log entry class having a same number, type, and ordering of components;
determine, for each log entry class, a vector of component type identifiers for a given log entry class, each identifier in the vector identifying a position and type of a component included in a log entry belonging to the given log entry class;
create a classification tree using the vectors;
identify an unclassified log entry not included in the first set of log entries;
assign a log entry class to the unclassified log entry using the classification tree to create a classified log entry; and
evaluate one or more security threat patterns using the classified log entry.
(Dependent claims 18 to 20 depend from claim 17.)
Specification