Complex event processing of computer network data
First Claim
1. A method comprising:
transforming in real time raw event data, representing a sequence of events and captured from multiple sources in a computer network, into a stream of event feature sets without a known end-point to the stream, where the raw event data includes time-stamped machine data;
computing in real-time a score by processing a time slice of the stream of event feature sets through an active version of a machine learning model, wherein the time slice includes a most recent event feature set in the stream of event feature sets;
training, in parallel with said processing the time slice and responsive in real-time to said transforming the raw event data, a non-active version of the machine learning model with the time slice that is being processed through the active version for scoring, wherein the machine learning model is trained to represent a particular entity involved in a computer network activity represented by the raw event data;
identifying, by comparing the score against a threshold, a security-related anomaly or a security-related threat to enable remediation of the security-related anomaly or the security-related threat in the computer network as the stream of event feature sets is processed in real-time;
determining that the non-active version of the machine learning model is ready for active deployment based on at least one of:
a number of event feature sets that have been used to train the non-active version, length of time that the non-active version has been in training, or whether a model state of the non-active version is converging; and
live-swapping in the non-active version as the active version to compute another score by processing a subsequent time slice from the stream of event feature sets through the live-swapped-in active version of the machine learning model.
Abstract
A security platform employs a variety of techniques and mechanisms to detect security-related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security-related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
91 Citations
28 Claims
1. (Independent claim 1 is reproduced in full under First Claim above.) Dependent claims 2 through 26 depend on claim 1.
27. A system comprising:
at least one hardware processor implementing an extract transform load (ETL) engine configured to transform in real time raw event data, representing a sequence of events and captured from multiple sources in a computer network, into a stream of event feature sets without a known end-point to the stream, where the raw event data includes time-stamped machine data;
at least one hardware processor implementing a model execution engine configured to compute in real-time a score by processing a time slice of the stream of event feature sets through an active version of a machine learning model and to train, in parallel with said processing the time slice and responsive in real-time to said transforming the raw event data, a non-active version of the machine learning model with the time slice that is being processed through the active version for scoring, wherein the machine learning model is trained to represent a particular entity involved in a computer network activity represented by the raw event data, and wherein the time slice includes a most recent event feature set in the stream of event feature sets; and
at least one hardware processor implementing a computing node configured to identify, by comparing the score against a threshold, a security-related anomaly or a security-related threat to enable remediation of the security-related anomaly or the security-related threat in the computer network as the stream of event feature sets is processed in real-time;
wherein the model execution engine is configured to determine that the non-active version of the machine learning model is ready for active deployment based on at least one of:
a number of event feature sets that have been used to train the non-active version, length of time that the non-active version has been in training, or whether a model state of the non-active version is converging, and to live-swap in the non-active version as the active version to compute another score by processing a subsequent time slice from the stream of event feature sets through the live-swapped-in active version of the machine learning model.
28. A non-transitory computer readable medium storing instructions thereon which, when executed by a processor, cause the processor to:
transform in real time raw event data, representing a sequence of events and captured from multiple sources in a computer network, into a stream of event feature sets without a known end-point to the stream, where the raw event data includes time-stamped machine data;
compute in real-time a score by processing a time slice of the stream of event feature sets through an active version of a machine learning model;
train, in parallel with said processing the time slice and responsive in real-time to said transforming the raw event data, a non-active version of the machine learning model with the time slice that is being processed through the active version for scoring, wherein the machine learning model is trained to represent a particular entity involved in a computer network activity represented by the raw event data and wherein the time slice includes a most recent event feature set in the stream of event feature sets;
identify, by comparing the score against a threshold, a security-related anomaly or a security-related threat to enable remediation of the security-related anomaly or the security-related threat in the computer network as the stream of event feature sets is processed in real-time;
determine that the non-active version of the machine learning model is ready for active deployment based on at least one of:
a number of event feature sets that have been used to train the non-active version, length of time that the non-active version has been in training, or whether a model state of the non-active version is converging; and
live-swap in the non-active version as the active version to compute another score by processing a subsequent time slice from the stream of event feature sets through the live-swapped-in active version of the machine learning model.
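As an added illustration of the method of claim 1 (and its system and medium forms in claims 27 and 28), not code from the patent or its assignee: a per-entity scorer whose active model version scores each incoming feature set while a non-active copy trains on the same slice, with the three claimed readiness tests (training-set size, time in training, convergence) deciding when to live-swap. The feature extractor, the running-statistics model, the z-score threshold, the fresh non-active version started after each swap and the sample log format are all assumptions of this example.

```python
import math

def to_feature_set(raw):
    """ETL step (assumed format): 'ts=<sec> user=<id> bytes_out=<n> logins=<n>' -> (ts, entity, features)."""
    kv = dict(tok.split("=", 1) for tok in raw.split())
    return float(kv["ts"]), kv["user"], [float(kv["bytes_out"]), float(kv["logins"])]

class EntityModel:
    """One model version: per-feature running mean/variance (Welford; an assumed model type)."""
    def __init__(self, dim):
        self.n, self.mean, self.m2 = 0, [0.0] * dim, [0.0] * dim
        self.first_ts, self.last_shift = None, math.inf
    def train(self, ts, feats):
        self.first_ts = ts if self.first_ts is None else self.first_ts
        self.n += 1
        shift = 0.0
        for i, x in enumerate(feats):
            d = x - self.mean[i]
            self.mean[i] += d / self.n
            self.m2[i] += d * (x - self.mean[i])
            shift += abs(d) / self.n              # how far this update moved the mean
        self.last_shift = shift
    def score(self, feats):
        """Largest per-feature z-score of the most recent feature set (0.0 while untrained)."""
        if self.n < 2:
            return 0.0
        sds = [math.sqrt(v / (self.n - 1)) or 1.0 for v in self.m2]
        return max(abs(x - m) / sd for x, m, sd in zip(feats, self.mean, sds))

class EntityScorer:
    """Active version scores each slice; the non-active version trains on it; live-swap when ready."""
    def __init__(self, dim, threshold=3.0, min_events=20, max_age=3600.0, eps=1e-2):
        self.active, self.shadow, self.swaps = EntityModel(dim), EntityModel(dim), 0
        self.threshold, self.min_events, self.max_age, self.eps = threshold, min_events, max_age, eps
    def ready(self, ts):
        """The claim's readiness test: training-set size, time in training, or convergence."""
        m = self.shadow
        return (m.n >= self.min_events or (m.first_ts is not None and ts - m.first_ts >= self.max_age)
                or (m.n >= 5 and m.last_shift < self.eps))
    def process(self, ts, feats):
        score = self.active.score(feats)          # scoring path: active version
        self.shadow.train(ts, feats)              # training path: non-active version, same slice
        if self.ready(ts):                        # live-swap; a fresh non-active version starts training
            self.active, self.shadow, self.swaps = self.shadow, EntityModel(len(feats)), self.swaps + 1
        return score, score > self.threshold

def run(lines):
    """Route each raw event to its entity's scorer; returns ([(entity, score, flagged)], scorers)."""
    scorers, out = {}, []
    for ts, entity, feats in map(to_feature_set, lines):
        score, flag = scorers.setdefault(entity, EntityScorer(len(feats))).process(ts, feats)
        out.append((entity, round(score, 2), flag))
    return out, scorers

SAMPLE = [f"ts={60 * i} user=alice bytes_out={1000 + 40 * (i % 5)} logins=1" for i in range(24)]
SAMPLE.append("ts=1440 user=alice bytes_out=50000 logins=7")  # constructed: routine events, then a spike
```

With the defaults, the first 20 events are scored by an untrained active version (score 0.0) while the non-active copy trains; the count criterion then swaps it in, and the outsized transfer at the end is flagged against the statistics it learned.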
Specification