-
Publication No.: US11777974B2
Publication Date: 2023-10-03
Application No.: US17680240
Application Date: 2022-02-24
Applicant: Splunk Inc.
Inventor: Marios Iliofotou, Bo Lei, Essam Zaky, Karthik Kannan, George Apostolopoulos, Jeswanth Manikonda, Sitaram Venkatraman
CPC classification number: H04L63/1425, H04L63/08, H04L63/1408, H04L63/1433, H04L2463/121
Abstract: A network connection between a server group of a data intake and query system and each of one or more source network nodes is established. Source data at the server group is received from at least one of the one or more source network nodes via the respective network connections and transformed, by the indexer server, to timestamped data entries of machine data. A model management server detects data constraints for a security model that include a data element used by the security model and an availability requirement set. Using the timestamped data entries, the data constraints are validated, and the validation used to determine a data availability assessment of the security model.
-
Publication No.: US10904270B2
Publication Date: 2021-01-26
Application No.: US14929187
Application Date: 2015-10-30
Applicant: Splunk Inc.
Inventor: Sudhakar Muddu, Christos Tryfonas, Ravi Prasad Bulusu, Marios Iliofotou
IPC: H04L9/00, H04L29/06, G06N20/00, G06F16/25, G06F16/28, G06F16/44, G06F16/901, G06F16/2457, H04L12/26, G06F40/134, G06N7/00, G06F3/0482, G06K9/20, G06F3/0484, H04L12/24, G06N5/04, G06N5/02
Abstract: A security platform employs a variety of techniques and mechanisms to detect security-related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security-related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
-
Publication No.: US20200259854A1
Publication Date: 2020-08-13
Application No.: US16861031
Application Date: 2020-04-28
Applicant: Splunk Inc.
Inventor: Marios Iliofotou, Bo Lei, Essam Zaky, Karthik Kannan, George Apostolopoulos, Jeswanth Manikonda, Sitaram Venkatraman
IPC: H04L29/06
Abstract: A network connection between a server group of a data intake and query system and each of one or more source network nodes is established. The server group includes an indexer server and a model management server. Source data at the server group is received from at least one of the one or more source network nodes via the respective network connections and transformed, by the indexer server, to timestamped entries of machine data. A model management server detects data constraints for a security model. The data constraints include a data element used by the security model and an availability requirement set, the availability requirement set defining when the data element is available. Using the timestamped entries, the data constraints are validated to obtain a validation result, where validating the data constraints includes determining whether the timestamped entries satisfy the availability requirement set for the data element. The model management server determines a data availability assessment of the security model based on the validation result. The data availability assessment of the security model is stored in computer storage.
-
Publication No.: US20180367551A1
Publication Date: 2018-12-20
Application No.: US16050368
Application Date: 2018-07-31
Applicant: Splunk Inc.
Inventor: Sudhakar Muddu, Christos Tryfonas, Marios Iliofotou
IPC: H04L29/06, G06N99/00, G06F17/22, H04L12/26, G06F3/0482, G06K9/20, G06N7/00, G06F17/30, G06F3/0484, H04L12/24, G06N5/04
Abstract: The disclosed embodiments include a method performed by a computer system. The method includes forming groups of traffic, where each group includes a subset of detected connection requests. The method further includes determining a periodicity of connection requests for each group, identifying a particular group based on whether the periodicity of connection requests of the particular group satisfies a periodicity criterion, determining a frequency of the particular group in the traffic, and identifying the particular group as an anomaly based on whether the frequency of the particular group satisfies a frequency criterion.
-
Publication No.: US12099492B1
Publication Date: 2024-09-24
Application No.: US18310476
Application Date: 2023-05-01
Applicant: Splunk Inc.
Inventor: Sumit Singh Bagga, Robin Jinyang Hu, Marios Iliofotou, Amarendra Pendala
IPC: G06F16/23, G06F11/34, G06F16/22, G06F16/27, H04L67/146
CPC classification number: G06F16/2322, G06F11/3409, G06F16/2282, G06F16/273, H04L67/146
Abstract: An identity resolution system performs actions comprising a set-up process and an identity resolution process that executes asynchronously with respect to the set-up process. The set-up process includes accessing machine data including a plurality of event data objects, each event data object of the plurality of event data objects including timestamped raw machine-generated data indicative of performance or operation of one or more entities in a computer network environment. The identity resolution process ascertains the identity of an entity associated with the computer network environment, based on the association data in the data store, wherein the identity of the entity is not expressed directly in the association data in the data store.
-
Publication No.: US11575693B1
Publication Date: 2023-02-07
Application No.: US17125130
Application Date: 2020-12-17
Applicant: Splunk Inc.
Inventor: Sudhakar Muddu, Christos Tryfonas, Ravi Prasad Bulusu, Marios Iliofotou
IPC: H04L9/40, G06F3/04847, G06F3/04842, H04L41/0893, H04L43/045, H04L43/08, G06N5/04, H04L41/14, H04L41/22, G06N5/02, G06N20/00, G06F16/25, G06F16/28, G06F16/44, G06F16/901, G06F16/2457, H04L43/00, G06F40/134, G06N20/20, G06N7/00, G06F3/0482, G06F3/0484, H04L43/062, G06V10/22
Abstract: A security platform employs a variety of techniques and mechanisms to detect security-related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security-related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
-
Publication No.: US11509706B1
Publication Date: 2022-11-22
Application No.: US17141148
Application Date: 2021-01-04
Applicant: SPLUNK INC.
Inventor: Marios Iliofotou, Ravi Bulusu, Ashwin Athalye, Sathya Kavacheri, Shekar Kesarimanglam
IPC: H04L67/02, H04L67/306, H04L67/50, H04L67/1001
Abstract: A deployment manager executing in a distributed computing environment generates a user behavior analytics (UBA) deployment to process structured event data. The deployment manager configures a streaming cluster to perform streaming processing on real-time data and configures a batch cluster to perform batch processing on aggregated data. A configuration manager executing in the distributed computing environment interoperates with the deployment manager to update the UBA deployment with user-provided code and configurations that define streaming and batch models, among other things. In this manner, the deployment manager provides a scalable UBA deployment that can be customized, via the configuration manager, by a user.
-
Publication No.: US11301475B1
Publication Date: 2022-04-12
Application No.: US16138266
Application Date: 2018-09-21
Applicant: SPLUNK INC.
Inventor: Bo Lei, Ryan Lee Faircloth, Marios Iliofotou, Sathyanarayanan Kavacheri, Sadia R. Poddar, Anurag Singla
IPC: G06F16/24, G06F16/2455, G06F9/54, G06F16/22
Abstract: Transmission handling of an analytics query response includes a search head, in a data intake and query system, receiving a query from an analytics system. The search head distributes at least a portion of the query to at least one indexer for processing the query. The at least one indexer transmits, bypassing the search head, events matching the query to the analytics system. The search head receives, from the at least one indexer, data regarding the events, and sends the data regarding the events to the analytics system.
-
Publication No.: US10693898B2
Publication Date: 2020-06-23
Application No.: US15885485
Application Date: 2018-01-31
Applicant: Splunk, Inc.
Inventor: Marios Iliofotou, Bo Lei, Essam Zaky, Karthik Kannan, George Apostolopoulos, Jeswanth Manikonda, Sitaram Venkatraman
IPC: H04L29/06
Abstract: A network connection between a server group of a data intake and query system and each of one or more source network nodes is established. The server group includes an indexer server and a model management server. Source data at the server group is received from at least one of the one or more source network nodes. A model management server detects data constraints for a security model. The data constraints include a data element used by the security model and an availability requirement set. Using the timestamped entries, the data constraints are validated to obtain a validation result. The model management server determines a data availability assessment of the security model based on the validation result. The data availability assessment of the security model is stored in computer storage.
-
Publication No.: US11675771B1
Publication Date: 2023-06-13
Application No.: US17084239
Application Date: 2020-10-29
Applicant: Splunk Inc.
Inventor: Sumit Singh Bagga, Robin Jinyang Hu, Marios Iliofotou, Amarendra Pendala
IPC: G06F16/23, G06F16/22, H04L67/146, G06F11/34, G06F16/27
CPC classification number: G06F16/2322, G06F11/3409, G06F16/2282, G06F16/273, H04L67/146
Abstract: An identity resolution system performs actions comprising a set-up process and an identity resolution process that executes asynchronously with respect to the set-up process. The set-up process includes accessing machine data including a plurality of event data objects, each event data object of the plurality of event data objects including timestamped raw machine-generated data indicative of performance or operation of one or more entities in a computer network environment. The identity resolution process ascertains the identity of an entity associated with the computer network environment, based on the association data in the data store, wherein the identity of the entity is not expressed directly in the association data in the data store.