Parameter adjustment for pattern discovery
Abstract
Pattern discovery performed on event data may include selecting an initial set of parameters for the pattern discovery. The parameters may specify conditions for identifying a pattern in the event data. A pattern discovery run is executed on the event data based on the initial set of parameters, and a parameter may be adjusted based on the output of the pattern discovery run.
33 Citations
18 Claims
1. A method comprising:
receiving event data collected by agents from sources over a communication network, the sources comprising network security devices;
providing a set of parameters to a pattern identifier engine, wherein the set of parameters specify conditions for identifying patterns in the event data;
executing, by the pattern identifier engine executed on a hardware processor of a manager system, a pattern discovery comprising identifying, by the pattern identifier engine, the patterns in the event data if the event data satisfies the conditions specified by the set of parameters;
determining whether the pattern discovery failed to complete within a predetermined period of time;
in response to determining that the pattern discovery failed to complete within the predetermined period of time, iteratively performing further pattern discovery until a criterion is satisfied by:
adjusting a parameter of the set of parameters to reduce use of system resources of the manager system for a subsequent pattern discovery run, the adjusting producing a respective adjusted set of parameters;
providing the respective adjusted set of parameters to the pattern identifier engine and executing, by the pattern identifier engine, the subsequent pattern discovery run to identify patterns in the event data if the event data satisfies conditions specified by the respective adjusted set of parameters; and
executing an action in response to the identified patterns produced by the further pattern discovery, the action comprising one or more of mitigating an attack and displaying the event data for analysis by a network administrator.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10

11. A network security event processing system comprising:
a hardware processor; and
a non-transitory storage medium storing instructions executable on the hardware processor to:
receive event data collected by agents from sources over a communication network, the sources comprising network security devices;
execute, by a pattern identifier engine, a pattern discovery run to detect patterns in the event data based on a set of parameters that specify conditions for identifying the patterns, wherein the patterns are detected if the event data satisfies the conditions specified by the set of parameters, the event data describing activities for devices connected to the communication network;
determine whether the pattern discovery run failed to complete within a predetermined period of time;
in response to determining that the pattern discovery run failed to complete within the predetermined period of time, iteratively perform further pattern discovery until a criterion is satisfied by:
adjusting a parameter from the set of parameters to reduce use of system resources of the network security event processing system for a subsequent pattern discovery run, the adjusting producing an adjusted set of parameters;
providing the adjusted set of parameters to the pattern identifier engine and execute, by the pattern identifier engine, the subsequent pattern discovery run to identify patterns in the event data if the event data satisfies conditions specified by the adjusted set of parameters; and
execute an action in response to the identified patterns produced by the further pattern discovery, the action comprising one or more of mitigating an attack and displaying the event data for analysis by a network administrator.
Dependent claims: 12, 13, 14

15. A non-transitory computer readable medium including machine readable instructions that when executed cause a manager system to:
receive event data collected by agents from sources over a communication network, the sources comprising network security devices;
provide a set of parameters to a pattern identifier engine, wherein the set of parameters specify conditions for identifying patterns in the event data;
execute, by the pattern identifier engine, a pattern discovery comprising identifying the patterns in the event data if the event data satisfies the conditions specified by the set of parameters;
determine whether the pattern discovery failed to complete within a predetermined period of time;
in response to determining that the pattern discovery failed to complete within the predetermined period of time, iteratively perform further pattern discovery until a criterion is satisfied by:
adjusting a parameter of the initial set of parameters to reduce use of system resources of the manager system for a subsequent pattern discovery run, the adjusting producing an adjusted set of parameters; and
providing the adjusted set of parameters to the pattern identifier engine and execute, by the pattern identifier engine, the subsequent pattern discovery run to identify patterns in the event data if the event data satisfies conditions specified by the adjusted set of parameters; and
execute an action in response to the identified patterns produced by the further pattern discovery, the action comprising one or more of mitigating an attack and displaying the event data for analysis by a network administrator.
Dependent claims: 16, 17, 18
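The timeout-and-adjust loop that claims 1, 11 and 15 describe, as an added illustration in Python (not code from the patent or from any assignee's product): a discovery run over constructed sample security events is given a time limit; when it fails to finish, one parameter is tightened to cut the next run's work, and the run is repeated until it completes or nothing is left to tighten. The Params fields, the co-occurrence counting and the order of adjustments are assumptions made for the example.

```python
import time
from collections import Counter
from dataclasses import dataclass, replace
from itertools import combinations, groupby
# Constructed sample event data, not from the patent: (timestamp_s, source_host, event_name)
EVENTS = [
    (0, "h5", "scan"), (3, "h5", "ssh_fail"), (5, "h5", "ssh_fail"), (8, "h5", "new_admin"),
    (20, "h9", "scan"), (25, "h9", "ssh_fail"), (31, "h9", "new_admin"), (50, "h7", "dns"),
    (52, "h7", "http"), (90, "h5", "scan"), (94, "h5", "ssh_fail"), (97, "h5", "new_admin"),
]
@dataclass(frozen=True)
class Params:  # assumed parameter set; the patent does not fix the parameters
    window: int       # seconds within which events on one host may form a pattern
    min_support: int  # occurrences needed before a candidate counts as a pattern
    max_len: int      # maximum number of events in a candidate pattern
def discover(events, p, time_limit, clock=time.monotonic):
    """One discovery run: count event-name sets co-occurring on a host within p.window."""
    start = clock()
    counts = Counter()
    for _, grp in groupby(sorted(events, key=lambda e: (e[1], e[0])), key=lambda e: e[1]):
        seq = [(ts, name) for ts, _, name in grp]
        for i, (ts, _) in enumerate(seq):
            names = tuple(dict.fromkeys(n for t, n in seq[i:] if t - ts <= p.window))
            for k in range(2, min(p.max_len, len(names)) + 1):
                for combo in combinations(names, k):
                    if clock() - start > time_limit:  # the predetermined period has elapsed
                        raise TimeoutError("pattern discovery did not complete in time")
                    counts[combo] += 1
    return {pat: c for pat, c in counts.items() if c >= p.min_support}

def adjust(p):
    """Tighten one parameter so the next run does less work; None when nothing is left."""
    if p.max_len > 2:
        return replace(p, max_len=p.max_len - 1)
    if p.window > 5:
        return replace(p, window=p.window // 2)
    return None

def discover_with_adjustment(events, p, time_limit, max_runs=5, clock=time.monotonic):
    """Claim 1's loop: on timeout, adjust and rerun until a run completes or no adjustment remains."""
    for run in range(1, max_runs + 1):
        try:
            return discover(events, p, time_limit, clock), p, run
        except TimeoutError:
            p_next = adjust(p)
            if p_next is None:
                break
            p = p_next
    return {}, p, run
```

Passing a deterministic clock (for instance `itertools.count(1).__next__`) makes the timeout reproducible, which is how the behaviour of the loop can be checked without relying on wall-clock timing.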
Specification