-
Publication number: US20200287927A1
Publication date: 2020-09-10
Application number: US16883887
Filing date: 2020-05-26
Applicant: Splunk Inc.
Inventor: Joseph Auguste Zadeh , Rodolfo Soto , George Apostolopoulos , John Clifton Pierce
Abstract: Techniques are described for analyzing data regarding activity in an IT environment to determine information regarding the entities associated with the activity and using the information to detect anomalous activity that may be indicative of malicious activity. In an embodiment, a plurality of events reflecting activity by a plurality of entities in an IT environment are processed to resolve the identities of the entities, discover how the entities fit within a topology of the IT environment, and determine what the entities are. This information is then used to generate an entity relationship graph that includes nodes representing the entities in the IT environment and edges connecting the nodes representing interaction relationships between the entities. In some embodiments, baselines are established by monitoring the activity between entities. This baseline information can be represented in the entity relationship graph in the form of directionality applied to the edges. The entity relationship graph can then be monitored to detect anomalous activity.
-
Publication number: US20170063888A1
Publication date: 2017-03-02
Application number: US14929183
Filing date: 2015-10-30
Applicant: Splunk Inc.
Inventor: Sudhakar Muddu , Christos Tryfonas , Joseph Auguste Zadeh , Alexander Beebe Bond , Ashwin Athalye
CPC classification number: H04L63/1416 , G06F3/0482 , G06F3/0484 , G06F3/04842 , G06F3/04847 , G06F16/24578 , G06F16/254 , G06F16/285 , G06F16/444 , G06F16/9024 , G06F17/2235 , G06K9/2063 , G06N5/022 , G06N5/04 , G06N7/005 , G06N20/00 , H04L41/0893 , H04L41/145 , H04L41/22 , H04L43/00 , H04L43/045 , H04L43/062 , H04L43/08 , H04L63/06 , H04L63/1408 , H04L63/1425 , H04L63/1433 , H04L63/1441 , H04L63/20 , H04L2463/121 , H05K999/99
Abstract: A security platform employs a variety of techniques and mechanisms to detect security-related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security-related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
-