公开(公告)号：US20130318603A1

公开(公告)日：2013-11-28

申请号：US13956262

申请日：2013-07-31

Applicant: Splunk Inc.

Inventor： Munawar Monzy Merza

IPC: H04L29/06

CPC classification number: H04L63/1441 ,  A61G17/0073 ,  A61G17/04 ,  A61G17/041 ,  A61G17/042 ,  A61G17/044 ,  G06F21/50 ,  G06T11/206 ,  H04L61/1511 ,  H04L63/10 ,  H04L63/1416 ,  H04L67/02

Abstract: Domain names are determined for each computational event in a set, each event detailing requests or posts of webpages. A number of events or accesses associated with each domain name within a time period is determined. A registrar is further queried to determine when the domain name was registered. An object is generated that includes a representation of the access count and an age since registration for each domain names. A client can interact with the object to explore representations of domain names associated with high access counts and recent registrations. Upon determining that a given domain name is suspicious, a rule can be generated to block access to the domain name.

Abstract translation: 确定一组中每个计算事件的域名，每个事件详细说明网页的请求或帖子。 确定在一段时间内与每个域名相关联的一些事件或访问。 进一步查询注册商以确定何时注册域名。 生成一个对象，其中包含访问计数的表示和每个域名注册后的年龄。 客户端可以与对象进行交互，以探索与高访问次数和最近注册相关联的域名的表示。 一旦确定给定的域名是可疑的，就可以生成一个规则来阻止对域名的访问。

公开(公告)号：US10091227B2

公开(公告)日：2018-10-02

申请号：US15339955

申请日：2016-11-01

Applicant: Splunk Inc.

Inventor： Munawar Monzy Merza ,  John Coates ,  James M Hansen ,  Lucas Murphey ,  David Hazekamp ,  Michael Kinsley ,  Alexander Raitz

IPC: H04L29/06 ,  G06F21/55 ,  G06F17/30

Abstract: A metric value is determined for each event in a set of events that characterizes a computational communication or object. For example, a metric value could include a length of a URL or agent string in the event. A subset criterion is generated, such that metric values within the subset are relatively separated from a population's center (e.g., within a distribution tail). Application of the criterion to metric values produces a subset. A representation of the subset is presented in an interactive dashboard. The representation can include unique values in the subset and counts of corresponding event occurrences. Clients can select particular elements in the representation to cause more detail to be presented with respect to individual events corresponding to specific values in the subset. Thus, clients can use their knowledge system operations and observance of value frequencies and underlying events to identify anomalous metric values and potential security threats.

公开(公告)号：US20170223030A1

公开(公告)日：2017-08-03

申请号：US15011414

申请日：2016-01-29

Applicant: Splunk Inc.

Inventor： Munawar Monzy Merza

IPC: H04L29/06

CPC classification number: H04L63/1416 ,  H04L63/02

Abstract: In a method, a plurality of events is accessed, wherein an event of the plurality of events includes a portion of raw-machine data from a data source of a plurality of data sources. For at least one event of the plurality of events, a transaction phase of a computer security transaction is correlated with the at least one event based at least in part on a data source associated with the at least one event. The transaction phase of the at least one event is correlated with a particular asset of a plurality of assets.

公开(公告)号：US20170208089A1

公开(公告)日：2017-07-20

申请号：US15475120

申请日：2017-03-30

Applicant: Splunk Inc.

Inventor： Munawar Monzy Merza

IPC: H04L29/06 ,  H04L29/12

CPC classification number: H04L63/1441 ,  A61G17/0073 ,  A61G17/04 ,  A61G17/041 ,  A61G17/042 ,  A61G17/044 ,  G06F21/50 ,  G06T11/206 ,  H04L61/1511 ,  H04L63/10 ,  H04L63/1416 ,  H04L67/02

Abstract: Domain names are determined for each computational event in a set, each event detailing requests or posts of webpages. A number of events or accesses associated with each domain name within a time period is determined. A registrar is further queried to determine when the domain name was registered. An object is generated that includes a representation of the access count and an age since registration for each domain names. A client can interact with the object to explore representations of domain names associated with high access counts and recent registrations. Upon determining that a given domain name is suspicious, a rule can be generated to block access to the domain name.

公开(公告)号：US09426172B2

公开(公告)日：2016-08-23

申请号：US14815971

申请日：2015-08-01

Applicant: Splunk Inc.

Inventor： Munawar Monzy Merza

IPC: H04L29/06 ,  H04L29/12 ,  A61G17/007 ,  A61G17/04 ,  G06F21/50 ,  G06T11/20 ,  H04L29/08

CPC classification number: H04L63/1441 ,  A61G17/0073 ,  A61G17/04 ,  A61G17/041 ,  A61G17/042 ,  A61G17/044 ,  G06F21/50 ,  G06T11/206 ,  H04L61/1511 ,  H04L63/10 ,  H04L63/1416 ,  H04L67/02

Abstract: Domain names are determined for each computational event in a set, each event detailing requests or posts of webpages. A number of events or accesses associated with each domain name within a time period is determined. A registrar is further queried to determine when the domain name was registered. An object is generated that includes a representation of the access count and an age since registration for each domain names. A client can interact with the object to explore representations of domain names associated with high access counts and recent registrations. Upon determining that a given domain name is suspicious, a rule can be generated to block access to the domain name.

Abstract translation: 确定一组中每个计算事件的域名，每个事件详细说明网页的请求或帖子。 确定在一段时间内与每个域名相关联的一些事件或访问。 进一步查询注册商以确定何时注册域名。 生成一个对象，其中包含访问计数的表示和每个域名注册后的年龄。 客户端可以与对象进行交互，以探索与高访问次数和最近注册相关联的域名的表示。 一旦确定给定的域名是可疑的，就可以生成一个规则来阻止对域名的访问。

公开(公告)号：US20160036851A1

公开(公告)日：2016-02-04

申请号：US14815972

申请日：2015-08-01

Applicant: Splunk Inc.

Inventor： Munawar Monzy Merza

IPC: H04L29/06 ,  H04L29/12

CPC classification number: H04L63/1441 ,  A61G17/0073 ,  A61G17/04 ,  A61G17/041 ,  A61G17/042 ,  A61G17/044 ,  G06F21/50 ,  G06T11/206 ,  H04L61/1511 ,  H04L63/10 ,  H04L63/1416 ,  H04L67/02

Abstract: Domain names are determined for each computational event in a set, each event detailing requests or posts of webpages. A number of events or accesses associated with each domain name within a time period is determined. A registrar is further queried to determine when the domain name was registered. An object is generated that includes a representation of the access count and an age since registration for each domain names. A client can interact with the object to explore representations of domain names associated with high access counts and recent registrations. Upon determining that a given domain name is suspicious, a rule can be generated to block access to the domain name.

Abstract translation: 确定一组中每个计算事件的域名，每个事件详细说明网页的请求或帖子。 确定在一段时间内与每个域名相关联的一些事件或访问。 进一步查询注册商以确定何时注册域名。 生成一个对象，其中包含访问计数的表示和每个域名注册后的年龄。 客户端可以与对象进行交互，以探索与高访问次数和最近注册相关联的域名的表示。 一旦确定给定的域名是可疑的，就可以生成一个规则来阻止对域名的访问。

公开(公告)号：US20160036850A1

公开(公告)日：2016-02-04

申请号：US14815971

申请日：2015-08-01

Applicant: Splunk Inc.

Inventor： Munawar Monzy Merza

IPC: H04L29/06 ,  H04L29/08 ,  H04L29/12

CPC classification number: H04L63/1441 ,  A61G17/0073 ,  A61G17/04 ,  A61G17/041 ,  A61G17/042 ,  A61G17/044 ,  G06F21/50 ,  G06T11/206 ,  H04L61/1511 ,  H04L63/10 ,  H04L63/1416 ,  H04L67/02

Abstract: Domain names are determined for each computational event in a set, each event detailing requests or posts of webpages. A number of events or accesses associated with each domain name within a time period is determined. A registrar is further queried to determine when the domain name was registered. An object is generated that includes a representation of the access count and an age since registration for each domain names. A client can interact with the object to explore representations of domain names associated with high access counts and recent registrations. Upon determining that a given domain name is suspicious, a rule can be generated to block access to the domain name.

Abstract translation: 确定一组中每个计算事件的域名，每个事件详细说明网页的请求或帖子。 确定在一段时间内与每个域名相关联的一些事件或访问。 进一步查询注册商以确定域名何时注册。 生成一个对象，其中包含访问计数的表示和每个域名注册后的年龄。 客户端可以与对象进行交互，以探索与高访问次数和最近注册相关联的域名的表示。 一旦确定给定的域名是可疑的，就可以生成一个规则来阻止对域名的访问。

公开(公告)号：US20130326620A1

公开(公告)日：2013-12-05

申请号：US13956252

申请日：2013-07-31

Applicant: Splunk Inc.

Inventor： Munawar Monzy Merza ,  John Coates ,  James Hansen ,  Lucas Murphey ,  David Hazekamp ,  Michael Kinsley ,  Alexander Raitz

IPC: H04L29/06

CPC classification number: H04L63/1425 ,  G06F17/30551 ,  G06F21/552 ,  G06F2221/2151 ,  H04L63/1408 ,  H04L63/1416

Abstract: A metric value is determined for each event in a set of events that characterizes a computational communication or object. For example, a metric value could include a length of a URL or agent string in the event. A subset criterion is generated, such that metric values within the subset are relatively separated from a population's center (e.g., within a distribution tail). Application of the criterion to metric values produces a subset. A representation of the subset is presented in an interactive dashboard. The representation can include unique values in the subset and counts of corresponding event occurrences. Clients can select particular elements in the representation to cause more detail to be presented with respect to individual events corresponding to specific values in the subset. Thus, clients can use their knowledge system operations and observance of value frequencies and underlying events to identify anomalous metric values and potential security threats.

Abstract translation: 为表征计算通信或对象的一组事件中的每个事件确定度量值。 例如，度量值可以包括事件中的URL或代理字符串的长度。 生成子集标准，使得子集内的度量值与群体的中心（例如，分布尾部）相对分开。 将标准应用于度量值产生一个子集。 该子集的表示呈现在交互式仪表板中。 该表示可以包括子集中的唯一值和相应事件发生的计数。 客户端可以选择表示中的特定元素，以便相对于子集中的特定值对应的各个事件来呈现更多的细节。 因此，客户可以使用他们的知识系统操作和遵守价值频率和基础事件来识别异常度量值和潜在的安全威胁。

公开(公告)号：US11876809B2

公开(公告)日：2024-01-16

申请号：US17038495

申请日：2020-09-30

Applicant: SPLUNK Inc.

Inventor： Munawar Monzy Merza

IPC: H04L9/00 ,  H04L9/40

CPC classification number: H04L63/1416 ,  H04L63/02

Abstract: In a method, a plurality of events is accessed, wherein an event of the plurality of events includes a portion of raw-machine data from a data source of a plurality of data sources. For at least one event of the plurality of events, a transaction phase of a computer security transaction is correlated with the at least one event based at least in part on a data source associated with the at least one event. The transaction phase of the at least one event is correlated with a particular asset of a plurality of assets.

公开(公告)号：US20210360022A1

公开(公告)日：2021-11-18

申请号：US17386989

申请日：2021-07-28

Applicant: Splunk Inc.

Inventor： Munawar Monzy Merza

IPC: H04L29/06 ,  H04L29/12 ,  A61G17/04 ,  A61G17/007 ,  G06F21/50 ,  G06T11/20 ,  H04L29/08

Abstract: Domain names are determined for each computational event in a set, each event detailing requests or posts of webpages. A number of events or accesses associated with each domain name within a time period is determined. A registrar is further queried to determine when the domain name was registered. An object is generated that includes a representation of the access count and an age since registration for each domain names. A client can interact with the object to explore representations of domain names associated with high access counts and recent registrations. Upon determining that a given domain name is suspicious, a rule can be generated to block access to the domain name.