Anomaly event detection
    11.
    Granted patent

    Publication (announcement) number: US11829471B2

    Publication (announcement) date: 2023-11-28

    Application number: US18098566

    Filing date: 2023-01-18

    Applicant: Splunk Inc.

    Abstract: A method is disclosed that includes receiving, at a computing device, an event log including events derived from machine data, and determining a first score by comparing a first event from the event log with frequent patterns of features. Determining the score includes determining a length of a frequent pattern within the first event in the event log and a count of occurrences of the frequent pattern within the events, determining a contribution of the frequent pattern based on the length and the count, determining a penalty for an unmatched feature of the first event based on a cardinality of the events, and averaging the contribution and the penalty to obtain the score. The method further includes issuing an alert identifying the first event as an anomaly using the first score and an anomaly score threshold.

    ANOMALY EVENT DETECTION
    12.
    Published application

    Publication (announcement) number: US20230153430A1

    Publication (announcement) date: 2023-05-18

    Application number: US18098566

    Filing date: 2023-01-18

    Applicant: Splunk Inc.

    Abstract: A method is disclosed that includes receiving, at a computing device, an event log including events derived from machine data, and determining a first score by comparing a first event from the event log with frequent patterns of features. Determining the score includes determining a length of a frequent pattern within the first event in the event log and a count of occurrences of the frequent pattern within the events, determining a contribution of the frequent pattern based on the length and the count, determining a penalty for an unmatched feature of the first event based on a cardinality of the events, and averaging the contribution and the penalty to obtain the score. The method further includes issuing an alert identifying the first event as an anomaly using the first score and an anomaly score threshold.

    SYSTEMS DATA AVAILABILITY VALIDATION

    Publication (announcement) number: US20220247770A1

    Publication (announcement) date: 2022-08-04

    Application number: US17680240

    Filing date: 2022-02-24

    Applicant: Splunk Inc.

    Abstract: A network connection between a server group of a data intake and query system and each of one or more source network nodes is established. Source data at the server group is received from at least one of the one or more source network nodes via the respective network connections and transformed, by the indexer server, to timestamped data entries of machine data. A model management server detects data constraints for a security model that include a data element used by the security model and an availability requirement set. Using the timestamped data entries, the data constraints are validated, and the validation used to determine a data availability assessment of the security model.

    Validation of systems data
    14.
    Granted patent

    Publication (announcement) number: US11297087B2

    Publication (announcement) date: 2022-04-05

    Application number: US16861031

    Filing date: 2020-04-28

    Applicant: Splunk Inc.

    Abstract: A network connection between a server group of a data intake and query system and each of one or more source network nodes is established. Source data at the server group is received from at least one of the one or more source network nodes via the respective network connections and transformed, by the indexer server, to timestamped entries of machine data. A model management server detects data constraints for a security model. Using the timestamped entries, the data constraints are validated to obtain a validation result, where validating the data constraints includes determining whether the timestamped entries satisfy the availability requirement set for the data element. The model management server determines a data availability assessment of the security model based on the validation result.

    Anomaly event detection using frequent patterns

    Publication (announcement) number: US11055405B1

    Publication (announcement) date: 2021-07-06

    Application number: US16399734

    Filing date: 2019-04-30

    Applicant: Splunk Inc.

    Abstract: A method is disclosed. The method includes: receiving, at a computing device, an event log including a plurality of events, where the plurality of events are derived from machine data generated by components of an information technology environment; determining a first score associated with a first granularity level by comparing a first event from the event log with a first plurality of frequent patterns generated for the first granularity level; determining a second score associated with a second granularity level by comparing the first event with a second plurality of frequent patterns generated for the second granularity level; determining an aggregate score for the first event based on the first score and the second score; comparing the aggregate score for the first event with an anomaly score threshold; and issuing an alert identifying the first event as an anomaly based on the aggregate score exceeding the anomaly score threshold.

    SYSTEMS DATA VALIDATION
    16.
    Patent application

    Publication (announcement) number: US20190238574A1

    Publication (announcement) date: 2019-08-01

    Application number: US15885485

    Filing date: 2018-01-31

    Applicant: Splunk, Inc.

    Abstract: A network connection between a server group of a data intake and query system and each of one or more source network nodes is established. The server group includes an indexer server and a model management server. Source data at the server group is received from at least one of the one or more source network nodes via the respective network connections and transformed, by the indexer server, to timestamped entries of machine data. A model management server detects data constraints for a security model. The data constraints include a data element used by the security model and an availability requirement set, the availability requirement set defining when the data element is available. Using the timestamped entries, the data constraints are validated to obtain a validation result, where validating the data constraints includes determining whether the timestamped entries satisfy the availability requirement set for the data element. The model management server determines a data availability assessment of the security model based on the validation result. The data availability assessment of the security model is stored in computer storage.

    MULTISTAGE DEVICE CLUSTERING
    19.
    Patent application

    Publication (announcement) number: US20220158904A1

    Publication (announcement) date: 2022-05-19

    Application number: US17588447

    Filing date: 2022-01-31

    Applicant: Splunk Inc.

    Abstract: One or more embodiments are directed to multistage device clustering. A log including network traffic of multiple devices in a network is received. From the log, features of the devices are extracted and an aggregated feature matrix is generated. A traffic behavior subset of the features in the aggregated feature matrix is selected, and a topic modeling algorithm is applied to it to obtain traffic behavior device groups. An application behavior subset of the features in the aggregated feature matrix is selected. On a per traffic behavior device group basis, the topic modeling algorithm is applied to the application behavior subset to obtain application behavior device subgroups. One or more devices are assigned to at least one of the plurality of application behavior device subgroups to obtain an assignment.
