Network security system with real-time and batch paths
First Claim
1. A network security system comprising:
a computation engine implemented using Apache Storm or Apache Spark Streaming, configured to receive first event data indicative of activity on a computer network, to detect first indicia of possible security breaches in a real-time processing mode based on the first event data, and to generate real-time analysis result data representing the first indicia;
a non-volatile storage system to store the real-time analysis result data and second event data indicative of activity on the computer network; and
an Apache Spark cluster computing engine operatively coupled to the computation engine and the non-volatile storage system, the Apache Spark cluster computing engine further configured to retrieve, from the non-volatile storage system, the real-time analysis result data and the second event data, and to detect, in a batch mode, second indicia of possible security breaches based on the second event data and the real-time analysis result data.
Abstract
A security platform employs a variety of techniques and mechanisms to detect security-related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security-related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
30 Claims
21. A method comprising:
detecting, in a real-time processing mode, first indicia of possible security breaches based on first event data indicative of activity on a computer network, by using a computation engine implemented using Apache Storm or Apache Spark Streaming; generating real-time analysis result data representing the first indicia; storing the real-time analysis result data in a non-volatile storage system; retrieving, from the non-volatile storage system, the real-time analysis result data and second event data indicative of activity on the computer network; and detecting, in a batch mode, second indicia of possible security breaches based on the second event data and the real-time analysis result data, by using an Apache Spark cluster computing engine.
26. A non-transitory machine-readable storage medium storing instructions, execution of which in a computer system causes the computer system to perform operations comprising:
detecting, in a real-time processing mode, first indicia of possible security breaches based on first event data indicative of activity on a computer network, by executing a computation engine implemented using Apache Storm or Apache Spark Streaming; generating real-time analysis result data representing the first indicia; storing the real-time analysis result data in a non-volatile storage system; retrieving, from the non-volatile storage system, the real-time analysis result data and second event data indicative of activity on the computer network; and detecting, in a batch mode, second indicia of possible security breaches based on the second event data and the real-time analysis result data, by executing an Apache Spark cluster computing engine.
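The two-path architecture that claims 1, 21 and 26 describe (a real-time path whose results are persisted, then a batch path that reads the stored events together with those results and produces risk-rated output), as an added Python sketch that is not the patent's or any product's code; it stands in for Storm/Spark with plain functions and for the non-volatile storage system with a dict, and the event data, detection rules and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample event data (not from the patent): (timestamp_sec, user, action, src_ip)
EVENTS = [
    (0, "alice", "login_failed", "10.0.0.5"),
    (20, "alice", "login_failed", "10.0.0.5"),
    (40, "alice", "login_failed", "10.0.0.5"),   # third failure inside 60 s -> real-time hit
    (55, "alice", "login_ok", "198.51.100.7"),
    (100, "carol", "login_ok", "10.0.0.1"),
    (200, "carol", "login_ok", "203.0.113.4"),   # second source address -> batch hit only
    (300, "bob", "login_ok", "10.0.0.9"),
    (900, "bob", "login_failed", "10.0.0.9"),
    (1000, "alice", "login_ok", "10.0.0.5"),     # alice now has two source addresses too
    (3600, "bob", "login_ok", "10.0.0.9"),
]

def realtime_path(events, window=60, threshold=3):
    """Real-time mode (Storm/Spark Streaming stand-in): emit a result as soon as a
    user reaches `threshold` failed logins inside `window` seconds."""
    recent, results = defaultdict(list), []
    for ts, user, action, _ip in events:
        if action != "login_failed":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:          # drop failures that fell out of the window
            q.pop(0)
        if len(q) >= threshold:
            results.append({"ts": ts, "user": user, "indicium": "failed_login_burst"})
    return results

def batch_path(events, realtime_results, max_sources=1):
    """Batch mode (Spark stand-in) over the whole stored event set: a second indicium
    (successful logins from more than `max_sources` distinct addresses), then a risk
    rating that folds in the real-time results read back from storage."""
    sources = defaultdict(set)
    for _ts, user, action, ip in events:
        if action == "login_ok":
            sources[user].add(ip)
    batch_hits = {u for u, ips in sources.items() if len(ips) > max_sources}
    rt_hits = {r["user"] for r in realtime_results}
    return {u: "high" if u in rt_hits and u in batch_hits else "medium"
            for u in rt_hits | batch_hits}

def run_pipeline(events):
    store = {"events": list(events), "realtime_results": []}  # non-volatile store stand-in
    store["realtime_results"] = realtime_path(events)         # real-time path writes results
    return batch_path(store["events"], store["realtime_results"])  # batch path reads both back
```

The point of the second path is visible in the output: the batch indicium alone rates carol "medium", while alice is rated "high" only because the batch step can see the persisted real-time result alongside the full event history.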
Specification