Dual-path distributed architecture for network security analysis
First Claim
1. A network security breach detection system comprising:
a real-time path including a real-time analysis engine configured to receive first event data indicative of first activity on a computer network, the real-time event analysis engine configured to detect, in real time, first indicia of possible security breaches based on the first event data, and to generate, in real-time, analysis result data representing the first indicia for output to a user;
a non-volatile storage system to store the real-time analysis result data; and
a batch path including a batch analysis engine configured to operate concurrently with the real-time analysis engine, the batch analysis engine further configured to retrieve, from the non-volatile storage system, the real-time analysis result data and second event data indicative of second activity on the computer network, the second event data having been stored in the non-volatile storage system prior to analysis of the first event data by the real-time analysis engine, the batch analysis engine further configured to detect, in a batch mode, second indicia of possible security breaches based on the second event data and the real-time analysis result data.
1 Assignment
0 Petitions
Abstract
A security platform employs a variety of techniques and mechanisms to detect security-related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security-related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat and to take action promptly.
62 Citations
30 Claims
1. A network security breach detection system comprising: (independent claim; text as given under First Claim above). Dependent claims: 2 to 20.

21. A method comprising:
detecting, in real-time, first indicia of possible security breaches based on first event data indicative of first activity on a computer network, by using a real-time analysis engine; generating real-time analysis result data representing the first indicia for output to a user; storing the real-time analysis result data in a non-volatile storage system; retrieving, from the non-volatile storage system, the real-time analysis result data and second event data indicative of second activity on the computer network, the second event data having been stored in the non-volatile storage system prior to analysis of the first event data by the real-time analysis engine; and detecting, in a batch mode, second indicia of possible security breaches based on the second event data and the real-time analysis result data, by using a batch analysis engine concurrently with use of the real-time analysis engine. Dependent claims: 22 to 25.

26. A non-transitory machine-readable storage medium storing instructions, execution of which in a computer system causes the computer system to perform operations comprising:
detecting, in real-time, first indicia of possible security breaches based on first event data indicative of first activity on a computer network, by executing a real-time analysis engine; generating real-time analysis result data representing the first indicia for output to a user; storing the real-time analysis result data in a non-volatile storage system; retrieving, from the non-volatile storage system, the real-time analysis result data and second event data indicative of second activity on the computer network, the second event data having been stored in the non-volatile storage system prior to analysis of the first event data by the real-time analysis engine; and detecting, in a batch mode, second indicia of possible security breaches based on the second event data and the real-time analysis result data, by executing a batch analysis engine concurrently with the executing of the real-time analysis engine. Dependent claims: 27 to 30.