Chain of events representing an issue based on an enriched representation

US 11,269,995 B2
Filed: 10/25/2018
Issued: 03/08/2022
Est. Priority Date: 10/25/2018
Status: Active Grant

First Claim

Patent Images

1. A non-transitory machine-readable storage medium storing instructions that upon execution cause a system to:

electronically collect event data, wherein the collected event data is in a form of a least one of electronic network event data, electronic host event data, and electronic application event data from at least one of a plurality of entities in a computing environment;

construct, based on the collected event data representing a plurality of events in the computing environment, a representation of the plurality of events, the representation including links relating the plurality of events,wherein the representation includes a graphical representation of the plurality of events and the links include temporal links including sequential directional edges relating the plurality of events;

compute issue indications corresponding to potential issues in the computing environment;

add information based on the issue indications to the representation to form an enriched representation;

search the enriched representation to find a chain of events representing an issue in the computing environment,wherein each event of the plurality of events represents an activity of the at least one of the plurality of entities; and

electronically perform a countermeasure to resolve the issue represented by the chain of events in the computer environment, andwherein the issue indications comprise threat scores derived based on anomaly scores based on features of the collected event data, each threat score of the threat scores representing a likelihood of a threat in the computing environment.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some examples, a system constructs, based on event data representing a plurality of events in a system, a representation of the plurality of events, the representation including information relating the events, and computes issue indications corresponding to potential issues in the system. The system adds information based on the issue indications to the representation to form an enriched representation, and searches the enriched representation to find a chain of events representing an issue in the system.

19 Citations

View as Search Results

18 Claims

1. A non-transitory machine-readable storage medium storing instructions that upon execution cause a system to:
- electronically collect event data, wherein the collected event data is in a form of a least one of electronic network event data, electronic host event data, and electronic application event data from at least one of a plurality of entities in a computing environment;
  
  construct, based on the collected event data representing a plurality of events in the computing environment, a representation of the plurality of events, the representation including links relating the plurality of events,wherein the representation includes a graphical representation of the plurality of events and the links include temporal links including sequential directional edges relating the plurality of events;
  
  compute issue indications corresponding to potential issues in the computing environment;
  
  add information based on the issue indications to the representation to form an enriched representation;
  
  search the enriched representation to find a chain of events representing an issue in the computing environment,wherein each event of the plurality of events represents an activity of the at least one of the plurality of entities; and
  
  electronically perform a countermeasure to resolve the issue represented by the chain of events in the computer environment, andwherein the issue indications comprise threat scores derived based on anomaly scores based on features of the collected event data, each threat score of the threat scores representing a likelihood of a threat in the computing environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The non-transitory machine-readable storage medium of claim 1, wherein the graphical representation comprises a graph of nodes that represent respective events of the plurality of events, and wherein the information based on the issue indications are added to the graph of nodes.
  - 3. The non-transitory machine-readable storage medium of claim 1, wherein each anomaly score of the anomaly scores represent a likelihood of an anomaly in the computing environment.
  - 4. The non-transitory machine-readable storage medium of claim 1, wherein add the information based on the issue indications to the representation to form the enriched representation comprises:
    - associate the information based on the issue indications with nodes in the representation, the nodes representing respective events of the plurality of events.
  - 5. The non-transitory machine-readable storage medium of claim 1, wherein search the enriched representation to find the chain of events representing the issue comprises:
    - identify a node, in the enriched representation, that represents an event associated with an issue indication that indicates likely presence of a potential issue; and
      
      identify a path from the identified node to other nodes in the enriched representation, the other nodes in the enriched representation representing events having a specified relationship with the event represented by the identified node,wherein the chain of events includes the events represented by the nodes connected by the identified path.
  - 6. The non-transitory machine-readable;
    - storage medium of claim 5, wherein the specified relationship comprises a temporal relationship.
  - 7. The non-transitory machine-readable storage medium of claim 5, wherein the instructions upon execution cause the system to:
    - compute an aggregate issue indication for the identified path based on aggregating issue indications associated with the events represented by the nodes connected by the identified path; and
      
      identify the events connected by the identified path as being part of the chain of events in response to the aggregate issue indication.
  - 8. The non-transitory machine-readable storage medium of claim 7, wherein the aggregate issue indication is further based on penalizing a value of the aggregate issue indication for a length of the identified path.
  - 9. The non-transitory machine-readable storage medium of claim 5, wherein the instructions that upon execution cause the system to:
    - compare a collection of the events connected by the identified path to a library including template chains of events representing respective issues; and
      
      identify the collection of the events connected by the identified path as the chain of events representing the issue in response to a match between the collection of the events and a chain of events in the library.
  - 10. The non-transitory machine-readable storage medium of claim 9, wherein the instructions that upon execution cause the system to:
    - compute an aggregate issue indication for the chain of events representing the issue based on issue indications associated with the events represented by the nodes connected by the identified path, and a similarity indication indicating a similarity between the collection of the events connected by the identified path and a matching template chain of events in the library.

11. A system, comprising:
- a processor; and
  
  a non-transitory storage medium comprising instructions executable on the processor to;
  
  electronically collect event data, wherein the collected event data is in a form of a least one of electronic network event data, electronic host event data, and electronic application event data from at least one of a plurality of entities in a computing environment;
  
  construct, based on the collected event data representing a plurality of events in the computing environment, a representation of the plurality of events, the representation including links relating the plurality of events,wherein the representation includes a graphical representation of the plurality of events and the links include temporal links including sequential directional edges relating the plurality of events;
  
  compute scores corresponding to potential issues in the computing environment;
  
  add information based on the scores to the representation to form an enriched representation;
  
  search the enriched representation to find a chain of events representing an issue in the computing environment,wherein each event of the plurality of events represents an activity of the at least one of the plurality of entities; and
  
  electronically perform a countermeasure to resolve the issue represented by the chain of events in the computer environment,wherein the search of the enriched representation to find the chain of events representing the issue comprises;
  
  identify a node, in the enriched representation, that represents an event associated with a score that exceeds a threshold; and
  
  identify a path from the identified node to other nodes in the enriched representation, the other nodes in the enriched representation representing events having a specified relationship with the event represented by the identified node,wherein the chain of events includes the events represented by the nodes connected by the identified path.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The system of claim 11, wherein the scores comprise anomaly scores, and wherein the instructions are executable on the processor to:
    - extract features from the collected event data; and
      
      compute the anomaly scores for the features.
  - 13. The system of claim 11, Wherein the scores comprise threat scores representing threats m the computing environment.
  - 14. The system of claim 11, wherein add the information based on the scores to the representation to form the enriched representation comprises:
    - associate the information based on the scores with nodes in the representation, the nodes in the representation representing respective events of the plurality of events.
  - 15. The system of claim 11, wherein the instructions are executable on the processor to:
    - compute an aggregate score for the identified path based on aggregating scores associated with the events represented by the nodes connected by the identified path; and
      
      identify the events connected by the identified path as being part of the chain of events in response to the aggregate score.

16. A method performed by a system comprising a hardware processor, comprising:
- electronically collecting event data, wherein the collected event data is in a form of a least one of electronic network event data, electronic host event data, and electronic application event data from at least one of a plurality of entities in a computing environment;
  
  constructing, based on the collected event data representing a plurality of events in the computing environment, a graph including nodes representing events of the plurality of events and temporal links including sequential directional edges relating the plurality of events;
  
  computing issue indications corresponding to potential issues in the computing environment;
  
  adding information based on the issue indications to the graph to form an enriched graph;
  
  searching the enriched graph to find a chain of events representing an issue in the computing environment; and
  
  electronically performing a countermeasure to resolve the issue represented by the chain of events in the computing environment,wherein each event of the plurality of events represents an activity of the at least one of the plurality of entities,wherein the searching of the enriched graph to find the chain of events representing the issue comprises;
  
  identify a node, in the enriched graph, that represents an event associated with a score that exceeds a threshold; and
  
  identify a path from the identified node to other nodes in the enriched graph the other nodes representing events having a specified relationship with the event represented by the identified node,wherein the chain of events includes the events represented by the nodes connected by the identified path.
- View Dependent Claims (17, 18)
- - 17. The method of claim 16, wherein computing the issue indications comprises computing anomaly scores of anomalies, and/or computing threat scores of threats based on the anomalies.
  - 18. The method of claim 16, wherein adding information based on the issue indications to the graph to form an enriched graph including associating the information based on the issue indications with nodes in the graph.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Micro Focus LLC (Open Text Corporation)
Inventors
Marwah, Manish, Kim, Mijung, Arlitt, Martin
Primary Examiner(s)
Nguyen, Trong H

Application Number

US16/170,105
Publication Number

US 20200134175A1
Time in Patent Office

1,230 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 2221/034   Test or assess a computer o...

G06F 9/542   Event management; Broadcast...

H04L 41/0631   using root cause analysis; ...

H04L 41/064   involving time analysis

H04L 41/065   involving logical or physic...

H04L 41/0654   using network fault recover...

H04L 41/142   using statistical or mathem...

H04L 43/045   for graphical visualisation...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

Chain of events representing an issue based on an enriched representation

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

19 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Chain of events representing an issue based on an enriched representation

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links