Network security analysis using real-time and batch detection engines
First Claim
1. A network security breach detection system comprising:
- a real-time path including a real-time analysis engine configured to receive first event data indicative of first activity on a computer network, the real-time event analysis engine configured to detect first indicia of possible security breaches in a real-time processing mode based on the first event data, and to generate real-time analysis result data representing the first indicia for output to a user;
- a non-volatile storage system to store the real-time analysis result data; and
- a batch path including a batch analysis engine configured to operate concurrently with the real-time analysis engine, the batch analysis engine further configured to retrieve, from the non-volatile storage system, the real-time analysis result data and second event data indicative of second activity on the computer network, the first event data and the second event data each including timestamped machine data indicative of performance or operation of a component in an information technology environment, the second event data having been stored in the non-volatile storage system prior to analysis of the first event data by the real-time analysis engine, the batch analysis engine further configured to detect, in a batch mode, second indicia of possible security breaches based on the second event data and the real-time analysis result data.
1 Assignment
0 Petitions
Abstract
A security platform employs a variety of techniques and mechanisms to detect security-related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security-related anomalies and threats, regardless of whether such anomalies or threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat and to take action promptly.
78 Citations
28 Claims
1. A network security breach detection system comprising: the real-time path, the non-volatile storage system and the batch path recited in full under First Claim above. Dependent claims: 2–18.
19. A method comprising:
- detecting, in a real-time processing mode, first indicia of possible security breaches based on first event data indicative of first activity on a computer network, by using a real-time analysis engine;
- generating real-time analysis result data representing the first indicia for output to a user;
- storing the real-time analysis result data in a non-volatile storage system;
- retrieving, from the non-volatile storage system, the real-time analysis result data and second event data indicative of second activity on the computer network, the first event data and the second event data each including timestamped machine data indicative of performance or operation of a component in an information technology environment, the second event data having been stored in the non-volatile storage system prior to analysis of the first event data by the real-time analysis engine; and
- detecting, in a batch mode, second indicia of possible security breaches based on the second event data and the real-time analysis result data, by using a batch analysis engine concurrently with use of the real-time analysis engine.
Dependent claims: 20–23.
24. A non-transitory machine-readable storage medium storing instructions, execution of which in a computer system causes the computer system to perform operations comprising:
- detecting, in a real-time processing mode, first indicia of possible security breaches based on first event data indicative of first activity on a computer network, by executing a real-time analysis engine;
- generating real-time analysis result data representing the first indicia for output to a user;
- storing the real-time analysis result data in a non-volatile storage system;
- retrieving, from the non-volatile storage system, the real-time analysis result data and second event data indicative of second activity on the computer network, the first event data and the second event data each including timestamped machine data indicative of performance or operation of a component in an information technology environment, the second event data having been stored in the non-volatile storage system prior to analysis of the first event data by the real-time analysis engine; and
- detecting, in a batch mode, second indicia of possible security breaches based on the second event data and the real-time analysis result data, by executing a batch analysis engine concurrently with the executing of the real-time analysis engine.
Dependent claims: 25–28.
Specification