Interface having selectable, interactive views for evaluating potential network compromise

US 9,609,011 B2
Filed: 10/30/2015
Issued: 03/28/2017
Est. Priority Date: 08/31/2015
Status: Active Grant

First Claim

Patent Images

1. A computerized method comprising:

receiving event data associated with network activities by entities, wherein entities include devices, applications, and network users;

identifying instances of potential network compromise by applying machine learning models to the event data, wherein instances include threats and/or anomalies;

causing display, in a graphical user interface, of a user-selectable toggle to switch between a plurality of views, including at least one instances view comprising a listing of instances of potential network compromise and at least one entities view comprising a listing of the entities that participated in network activities that triggered determinations of potential network compromise, wherein each listed instance and entity is linked to a corresponding detailed view;

upon receiving, via the graphical user interface, a user'"'"'s selection of an instance, causing the graphical user interface to generate a detailed view comprising (i) additional data about the selected instance, including data identifying each entity associated with the selected instance, (ii) a prompt to take an action in response to the instance, and a prompt to tag the selected instance for future tracking;

upon receiving, via the graphical user interface and in response to the prompt, a user'"'"'s indication to take an action, providing feedback to a model training process thread to update the machine learning models for identifying future instances of potential network compromise; and

upon receiving a selection by a user of a tag, associating the tag with the selected instance such that the tag is included (i) in response to subsequent requests to generate the detailed view of the selected instance and (ii) in response to requests to generate the detailed view of a selected entity associated with the selected instance.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security platform employs a variety techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.

100 Citations

View as Search Results

26 Claims

1. A computerized method comprising:
- receiving event data associated with network activities by entities, wherein entities include devices, applications, and network users;
  
  identifying instances of potential network compromise by applying machine learning models to the event data, wherein instances include threats and/or anomalies;
  
  causing display, in a graphical user interface, of a user-selectable toggle to switch between a plurality of views, including at least one instances view comprising a listing of instances of potential network compromise and at least one entities view comprising a listing of the entities that participated in network activities that triggered determinations of potential network compromise, wherein each listed instance and entity is linked to a corresponding detailed view;
  
  upon receiving, via the graphical user interface, a user'"'"'s selection of an instance, causing the graphical user interface to generate a detailed view comprising (i) additional data about the selected instance, including data identifying each entity associated with the selected instance, (ii) a prompt to take an action in response to the instance, and a prompt to tag the selected instance for future tracking;
  
  upon receiving, via the graphical user interface and in response to the prompt, a user'"'"'s indication to take an action, providing feedback to a model training process thread to update the machine learning models for identifying future instances of potential network compromise; and
  
  upon receiving a selection by a user of a tag, associating the tag with the selected instance such that the tag is included (i) in response to subsequent requests to generate the detailed view of the selected instance and (ii) in response to requests to generate the detailed view of a selected entity associated with the selected instance.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein identified instances of potential network compromise include anomalies, and at least one instances view comprises an anomalies view listing each identified anomaly with its associated anomaly type and date that the anomaly occurred.
  - 3. The method of claim 1, wherein identified instances of potential network compromise include threats, and at least one instances view comprises a threat view listing each identified threat with its associated threat type and start date that the threat began.
  - 4. The method of claim 1, wherein at least one entities view provides a listing of devices, applications, and network users.
  - 5. The method of claim 1, wherein when the graphical user interface provides the detailed view comprising additional data about a selected instance, the user is prompted to designate whether the selected instance is a false positive, andupon receiving a designation from the user that the selected instance is a false positive, associating the designation to be included in the additional data provided in response to subsequent requests to generate the detailed view of the selected instance.
  - 6. The method of claim 1, further comprising:
    - upon receiving, via the graphical user interface, a selection by a user of an entity, causing the graphical user interface to generate a detailed view comprising additional data about the selected entity, including data identifying each instance associated with the selected entity;
      
      wherein when the graphical user interface provides the detailed view comprising additional data about the selected entity, the user is prompted to tag the selected entity for future tracking, andupon receiving a selection by a user of a tag, associating the tag with the selected entity such that the tag is included in the additional data provided in response to subsequent requests for the detailed view of the selected entity.
  - 7. The method of claim 1, wherein when the identified instances of potential network compromise from the event data include threats, the instances view lists the identified threats and, for each entry in the listing, a threat type from a set including at least one of malware, data exfiltration, compromise of the organization'"'"'s website, large file transfers, and attack.
  - 8. The method of claim 1, wherein when the identified instances of potential network compromise from the event data include anomalies, the instances view lists the identified anomalies and, for each entry in the listing, an anomaly type from a set including at least one of an alarm, an excessive data transfer, and an unusual login time.
  - 9. The method of claim 1, wherein when the identified instances of potential network compromise from the event data comprise threats, the additional data associated with the detailed view of a threat includes a graphical representation of a relationship between entities participating in the network activities that triggered detection of the threat.
  - 10. The method of claim 1, wherein when the identified instances of potential network compromise from the event data comprise anomalies, the additional data associated with the detailed view of an anomaly includes a graphical representation of a relationship between entities participating in the network activities that triggered detection of the anomaly.
  - 11. The method of claim 1, wherein when the identified instances of potential network compromise from the event data comprise threats, the detailed view of a threat prompts the user to designate whether the threat has been resolved.
  - 12. The method of claim 1, wherein the identified instances of potential network compromise from the event data comprise threats, and each threat is classified as a type from a set of threat types, the set of types including at least one type pertaining to external behavior or insider behavior relative to the computer network.
  - 13. The method of claim 1, wherein the indication received in response to the prompt is that the identified instance of potential network compromise is not a threat.
  - 14. The method of claim 1, wherein the action indicated by the user is at least one of stopping the intrusion, shutting down network access, locking out users, terminating file transfer, or shutting down software or hardware processes.
  - 15. The method of claim 1, wherein the additional data about the selected instance in the detailed view further includes the received event data that triggered identification of the instance.

16. A non-transitory, computer-readable storage medium storing instructions, an execution of which in a computer system causes the computer system to perform operations comprising:
- receiving event data associated with network activities by entities, wherein entities include devices, applications, and network users;
  
  identifying instances of potential network compromise by applying machine learning models to the event data, wherein instances include threats and/or anomalies;
  
  causing display, in a graphical user interface, of a user-selectable toggle to switch between a plurality of views, including at least one instances view comprising a listing of instances of potential network compromise and at least one entities view comprising a listing of the entities that participated in network activities that triggered determinations of potential network compromise, wherein each listed instance and entity is linked to a corresponding detailed view;
  
  upon receiving, via the graphical user interface, a user'"'"'s selection of an instance, causing the graphical user interface to generate a detailed view comprising (i) additional data about the selected instance, including data identifying each entity associated with the selected instance, (ii) a prompt to take an action in response to the instance, and a prompt to tag the selected instance for future tracking;
  
  upon receiving, via the graphical user interface and in response to the prompt, a user'"'"'s indication to take an action, providing feedback to a model training process thread to update the machine learning models for identifying future instances of potential network compromise; and
  
  upon receiving a selection by a user of a tag, associating the tag with the selected instance such that the tag is included (i) in response to subsequent requests to generate the detailed view of the selected instance and (ii) in response to requests to generate the detailed view of a selected entity associated with the selected instance.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The computer-readable storage medium of claim 16, wherein identified instances of potential network compromise include anomalies, and at least one instances view comprises an anomalies view listing each identified anomaly with its associated anomaly type and date that the anomaly occurred.
  - 18. The computer-readable storage medium of claim 16, wherein identified instances of potential network compromise include threats, and at least one instances view comprises a threat view listing each identified threat with its associated threat type and start date that the threat began.
  - 19. The computer-readable storage medium of claim 16, wherein at least one entities view provides a listing of devices, applications, and network users.
  - 20. The computer-readable storage medium of claim 16, wherein when the graphical user interface provides the detailed view comprising additional data about a selected instance, the user is prompted to designate whether the selected instance is a false positive, andupon receiving a designation from the user that the selected instance is a false positive, associating the designation to be included in the additional data provided in response to subsequent requests to generate the detailed view of the selected instance.
  - 21. The computer-readable storage medium of claim 16, further comprising:
    - upon receiving, via the graphical user interface, a selection by a user of an entity, causing the graphical user interface to generate a detailed view comprising additional data about the selected entity, including data identifying each instance associated with the selected entity;
      
      wherein when the graphical user interface provides the detailed view comprising additional data about the selected entity, the user is prompted to tag the selected entity for future tracking, andupon receiving a selection by a user of a tag, associating the tag with the selected entity such that the tag is included in the additional data provided in response to subsequent requests for the detailed view of the selected entity.

22. A computer system comprising:
- computer memory for storing machine data; and
  
  a processor for;
  
  receiving event data associated with network activities by entities, wherein entities include devices, applications, and/or network users;
  
  identifying instances of potential network compromise by applying machine learning models to the event data, wherein instances include threats and/or anomalies;
  
  causing display, in a graphical user interface, of a user-selectable toggle to switch between a plurality of views, including at least one instances view comprising a listing of instances of potential network compromise and at least one entities view comprising a listing of the entities that participated in network activities that triggered determinations of potential network compromise, wherein each listed instance and entity is linked to a corresponding detailed view;
  
  upon receiving, via the graphical user interface, a user'"'"'s selection of an instance, causing the graphical user interface to generate a detailed view comprising (i) additional data about the selected instance, including data identifying each entity associated with the selected instance, (ii) a prompt to take an action in response to the instance, and a prompt to tag the selected instance for future tracking;
  
  upon receiving, via the graphical user interface and in response to the prompt, a user'"'"'s indication to take an action, providing feedback to a model training process thread to update the machine learning models for identifying future instances of potential network compromise; and
  
  upon receiving a selection by a user of a tag, associating the tag with the selected instance such that the tag is included (i) in response to subsequent requests to generate the detailed view of the selected instance and (ii) in response to requests to generate the detailed view of a selected entity associated with the selected instance.
- View Dependent Claims (23, 24, 25, 26)
- - 23. The computer system of claim 22, wherein identified instances of potential network compromise include anomalies, and at least one instances view comprises an anomalies view listing each identified anomaly with its associated anomaly type and date that the anomaly occurred.
  - 24. The computer system of claim 22, wherein identified instances of potential network compromise include threats, and at least one instances view comprises a threat view listing each identified threat with its associated threat type and start date that the threat began.
  - 25. The computer system of claim 22, wherein at least one entities view provides a listing of devices, applications, and network users.
  - 26. The computer system of claim 22, wherein when the identified instances of potential network compromise from the event data comprise anomalies, the additional data associated with the detailed view of an anomaly includes a graphical representation of a relationship between entities participating in the network activities that triggered detection of the anomaly.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Muddu, Sudhakar, Tryfonas, Christos
Primary Examiner(s)
SIMITOSKI, MICHAEL J

Application Number

US14/928,563
Publication Number

US 20170063902A1
Time in Patent Office

515 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/24578   using ranking

G06F 16/254   Extract, transform and load...

G06F 16/285   Clustering or classification

G06F 16/444   Spatial browsing, e.g. 2D m...

G06F 16/9024   Graphs; Linked lists G06F16...

G06F 3/0482   Interaction with lists of s...

G06F 3/0484   for the control of specific...

G06F 3/04842   Selection of displayed obje...

G06F 3/04847   Interaction techniques to c...

G06F 40/134   Hyperlinking

G06N 20/00   Machine learning

G06N 20/20   Ensemble learning

G06N 5/022   Knowledge engineering; Know...

G06N 5/04   Inference or reasoning models

G06N 7/01   Probabilistic graphical mod...

G06V 10/225   based on a marking or ident...

H04L 2463/121   Timestamp cryptographic mec...

H04L 41/0893   Assignment of logical group...

H04L 41/145   involving simulating, desig...

H04L 41/22   comprising specially adapte...

H04L 43/00 : Arrangements for monitoring...

H04L 43/045 : for graphical visualisation...

H04L 43/062 : related to network traffic

H04L 43/08 : Monitoring or testing based...

H04L 63/06 : for supporting key manageme...

H04L 63/1408 : by monitoring network traff...

H04L 63/1416 : Event detection, e.g. attac...

H04L 63/1425 : Traffic logging, e.g. anoma...

H04L 63/1433 : Vulnerability analysis

H04L 63/1441 : Countermeasures against mal...

H04L 63/20 : for managing network securi...

H05K 999/99 : dummy group

View All

Interface having selectable, interactive views for evaluating potential network compromise

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

100 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Interface having selectable, interactive views for evaluating potential network compromise

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

100 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links