Network security threat detection by user/user-entity behavioral analysis
First Claim
1. A method comprising:
- receiving, at a computer system, first event data indicative of computer network activity of an entity that is part of or has interacted with a computer network, the computer system including a real-time event processing engine and a batch event processing engine;
constructing a variable behavior baseline of the entity by using one of the real-time event processing engine or the batch event processing engine in the computer system, based on the first event data, the variable behavior baseline being representative of computer network activity of a particular type by the entity, wherein constructing the behavior baseline of the entity comprises using a machine learning model to construct the behavior baseline of the entity;
sharing the variable behavior baseline between the real-time event processing engine and the batch event processing engine;
receiving, at the computer system, second event data indicative of additional computer network activity associated with the entity;
comparing, by the other one of the real-time event processing engine and the batch event processing engine, the second event data to the shared variable behavior baseline of the entity;
determining, by said other one of the real-time event processing engine and the batch event processing engine, that the additional computer network activity associated with the entity represents a network security anomaly or a network security threat, when said comparing results in a determination that the second event data has a specified relationship to the shared variable behavior baseline of the entity; and
adjusting the variable behavior baseline of the entity based on the machine learning model.
1 Assignment
0 Petitions
Accused Products
Abstract
A security platform employs a variety techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
49 Citations
23 Claims
-
1. A method comprising:
-
receiving, at a computer system, first event data indicative of computer network activity of an entity that is part of or has interacted with a computer network, the computer system including a real-time event processing engine and a batch event processing engine; constructing a variable behavior baseline of the entity by using one of the real-time event processing engine or the batch event processing engine in the computer system, based on the first event data, the variable behavior baseline being representative of computer network activity of a particular type by the entity, wherein constructing the behavior baseline of the entity comprises using a machine learning model to construct the behavior baseline of the entity; sharing the variable behavior baseline between the real-time event processing engine and the batch event processing engine; receiving, at the computer system, second event data indicative of additional computer network activity associated with the entity; comparing, by the other one of the real-time event processing engine and the batch event processing engine, the second event data to the shared variable behavior baseline of the entity; determining, by said other one of the real-time event processing engine and the batch event processing engine, that the additional computer network activity associated with the entity represents a network security anomaly or a network security threat, when said comparing results in a determination that the second event data has a specified relationship to the shared variable behavior baseline of the entity; and adjusting the variable behavior baseline of the entity based on the machine learning model. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
-
-
22. A computer system comprising:
-
a processor; and a communication device, operatively coupled to the processor, through which to receive first event data indicative of computer network activity of an entity that is part of or interacts with a computer network; a real-time event processing engine; a batch event processing engine; wherein the processor is configured to construct a variable behavior baseline of the entity by using one of the real-time event processing engine or the batch event processing engine in the computer system, based on the first event data, the variable behavior baseline being representative of computer network activity of a particular type by the entity, wherein constructing the first behavior baseline of the entity comprises using a machine learning model to construct the first behavior baseline of the entity;
share the variable behavior baseline between the real-time event processing engine and the batch event processing engine;receive second event data indicative of additional computer network activity associated with the entity; compare, by the other one of the real-time event processing engine and the batch event processing engine, the second event data to the shared variable behavior baseline of the entity; determine, by said other one of the real-time event processing engine and the batch event processing engine, that the additional computer network activity associated with the entity represents a network security anomaly or a network security threat, when said comparing results in a determination that the second event data has a specified relationship to the shared variable behavior baseline of the entity; and adjust the variable behavior baseline of the entity based on the machine learning model.
-
-
23. A non-transitory machine-readable storage medium for use in a processing system, the non-transitory machine-readable storage medium storing instructions, an execution of which in the processing system causes the processing system to perform operations comprising:
-
receiving first event data indicative of computer network activity of an entity that is part of or has interacted with a computer network, the computer system including a real-time event processing engine and a batch event processing engine; constructing a variable behavior baseline of the entity by using one of the real-time event processing engine or the batch event processing engine in the computer system, based on the first event data, the variable behavior baseline being representative of computer network activity of a particular type by the entity, wherein constructing the first behavior baseline of the entity comprises using a machine learning model to construct the first behavior baseline of the entity; sharing the variable behavior baseline between the real-time event processing engine and the batch event processing engine; receiving, at the computer system, second event data indicative of additional computer network activity associated with the entity; comparing, by the other one of the real-time event processing engine and the batch event processing engine, the second event data to the shared variable behavior baseline of the entity determining, by said other one of the real-time event processing engine and the batch event processing engine, that the additional computer network activity associated with the entity represents a network security anomaly or a network security threat, when said comparing results in a determination that the second event data has a specified relationship to the shared variable behavior baseline of the entity; and adjusting the variable behavior baseline of the entity based on the machine learning model.
-
Specification