Network security threat detection by user/user-entity behavioral analysis
First Claim
1. A method comprising:
- receiving, at a computer system, first event data indicative of computer network activity of an entity that is part of or has interacted with a computer network;
- constructing, by a first automated process in the computer system, a first variable behavior baseline of the entity, based on the first event data, the first variable behavior baseline being representative of a first particular type of computer network activity by the entity;
- constructing, by the computer system, a second variable behavior baseline of the entity, based on the first event data or other event data indicative of computer network activity of the entity, the second variable behavior baseline being representative of a second particular type of computer network activity by the entity;
- receiving, at the computer system, second event data indicative of additional computer network activity associated with the entity;
- comparing, by the computer system, the second event data to at least one of the first variable behavior baseline of the entity or the second variable behavior baseline of the entity;
- determining, by at least a second automated process in the computer system, that the additional computer network activity associated with the entity represents a network security anomaly or a network security threat, when said comparing results in a determination that the second event data has a specified relationship to at least one of the first variable behavior baseline of the entity or the second variable baseline of the entity; and
- adjusting, by the first automated process, the first variable behavior baseline of the entity based on the second event data, wherein the first automated process and the second automated process are processes of a machine learning model.
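As an added illustration (not code from the patent or its assignee), the steps of claim 1 in Python: per-entity baselines for two activity types are constructed from first event data, each item of second event data is compared with the matching baseline, a verdict is made, and the baseline is then adjusted. Assumed here: every event reduces to one numeric feature per activity type, a baseline is a running mean and variance, and the claim's "specified relationship" is a z-score of magnitude 3 or more; the entity name, activity types and event values are constructed sample data.

```python
import math
from dataclasses import dataclass
@dataclass
class Baseline:
    """Baseline for one activity type of one entity: running mean/variance (Welford)."""
    count: int = 0
    mean: float = 0.0
    m2: float = 0.0  # running sum of squared deviations from the mean
    def adjust(self, value: float) -> None:
        """Adjust the baseline with new event data (the claim's final step)."""
        self.count += 1
        delta = value - self.mean
        self.mean += delta / self.count
        self.m2 += delta * (value - self.mean)
    def zscore(self, value: float) -> float:
        """Distance of a value from the baseline, in standard deviations."""
        sd = math.sqrt(self.m2 / (self.count - 1)) if self.count > 1 else 0.0
        if sd == 0.0:
            return 0.0 if value == self.mean else math.inf
        return (value - self.mean) / sd

class EntityModel:
    """One baseline per activity type; the anomaly relationship is assumed |z| >= threshold."""
    def __init__(self, entity: str, threshold: float = 3.0, min_events: int = 10):
        self.entity, self.threshold, self.min_events = entity, threshold, min_events
        self.baselines = {}  # activity_type -> Baseline
    def construct(self, event_data) -> None:
        """Build or extend baselines from (activity_type, value) event tuples."""
        for activity_type, value in event_data:
            self.baselines.setdefault(activity_type, Baseline()).adjust(value)
    def evaluate(self, activity_type: str, value: float):
        """Compare a new event with its baseline, decide, then adjust. Returns (anomalous, z)."""
        baseline = self.baselines.setdefault(activity_type, Baseline())
        if baseline.count < self.min_events:
            baseline.adjust(value)  # still learning: no verdict yet
            return False, None
        z = baseline.zscore(value)
        anomalous = abs(z) >= self.threshold
        baseline.adjust(value)  # the claim adjusts on the second event data as well
        return anomalous, z

# Constructed sample: ten ordinary events per activity type for entity "alice".
FIRST_EVENT_DATA = ([("bytes_uploaded_mb", v) for v in (100, 110, 90, 105, 95) * 2]
                    + [("logins_per_hour", v) for v in (3, 4) * 5])
def demo():  # second event data: an ordinary upload, a very large upload, a login burst
    model = EntityModel("alice")
    model.construct(FIRST_EVENT_DATA)
    new = [("bytes_uploaded_mb", 105), ("bytes_uploaded_mb", 200), ("logins_per_hour", 10)]
    return [model.evaluate(t, v) for t, v in new]
```

Because the baseline is adjusted with every event, as the claim recites, a slow sustained shift in an entity's activity is absorbed into the baseline; deployments commonly gate that update on the verdict or on analyst confirmation.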
Abstract
A security platform employs a variety of techniques and mechanisms to detect security-related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security-related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
731 Citations
21 Claims
1. A method comprising: the steps set out under First Claim above. Dependent claims: 2 to 13.
14. A computer system comprising:
- a processor; and
- a communication device, operatively coupled to the processor, through which to receive first event data indicative of computer network activity of an entity that is part of or interacts with a computer network and second event data indicative of additional computer network activity associated with the entity;
wherein the processor is configured to:
- construct, by a first automated process, a first variable behavior baseline of the entity, based on the first event data, the variable behavior baseline being representative of a first particular type of computer network activity by the entity;
- construct a second variable behavior baseline of the entity, based on the first event data or other event data indicative of computer network activity of the entity, the second variable behavior baseline being representative of a second particular type of computer network activity by the entity;
- compare the second event data to at least one of the first variable behavior baseline of the entity or the second variable behavior baseline of the entity;
- determine, by at least a second automated process, that the additional computer network activity associated with the entity represents a network security anomaly or a network security threat, when said comparing results in a determination that the second event data has a specified relationship to at least one of the first variable behavior baseline of the entity or the second variable baseline of the entity; and
- adjusting, by the first automated process, the first variable behavior baseline of the entity based on the second event data, wherein the first automated process and the second automated process are processes of a machine learning model.
Dependent claims: 15, 16, 17.
18. A non-transitory machine-readable storage medium for use in a processing system, the non-transitory machine-readable storage medium storing instructions, an execution of which in the processing system causes the processing system to perform operations comprising:
- receiving first event data indicative of computer network activity of an entity that is part of or interacts with a computer network;
- constructing, by a first automated process, a first variable behavior baseline of the entity, based on the first event data, the first variable behavior baseline being representative of a first particular type of computer network activity by the entity;
- constructing, by the computer system, a second variable behavior baseline of the entity, based on the first event data or other event data indicative of computer network activity of the entity, the second variable behavior baseline being representative of a second particular type of computer network activity by the entity;
- receiving second event data indicative of additional computer network activity associated with the entity;
- comparing the second event data to at least one of the first variable behavior baseline of the entity or the second variable behavior baseline of the entity;
- determining, by at least a second automated process, that the additional computer network activity associated with the entity represents a network security anomaly or a network security threat, when said comparing results in a determination that the second event data has a specified relationship to at least one of the first variable behavior baseline of the entity or the second variable baseline of the entity; and
- adjusting, by the first automated process, the first variable behavior baseline of the entity based on the second event data, wherein the first automated process and the second automated process are processes of a machine learning model.
Dependent claims: 19, 20, 21.