公开(公告)号：US11271939B2

公开(公告)日：2022-03-08

申请号：US16051236

申请日：2018-07-31

Applicant: SPLUNK INC.

Inventor： George Apostolopoulos ,  Ignacio Nicolas Bermudez Corrales

IPC: G06N20/00 ,  G06N7/00 ,  H04L29/06 ,  G06F16/28

Abstract: Embodiments of the present invention are directed to facilitating detection of suspicious access to resources. In accordance with aspects of the present disclosure, an access graph is generated. The access graph contains access data that includes observed accesses between entities and resources. Access scores can be determined for entity-resource pairs in the access graph by applying a set of access rules to the entity-resource pairs in the access graph. The access scores indicate an extent of relatedness between the corresponding entity and resource. Thereafter, the access scores can be used to train a probabilistic prediction model that predicts suspiciousness of accesses between entities and resources.

公开(公告)号：US20210014120A1

公开(公告)日：2021-01-14

申请号：US17035295

申请日：2020-09-28

Applicant: Splunk Inc.

Inventor： George Apostolopoulos ,  Zhuxuan Jin

IPC: H04L12/24 ,  H04L29/06 ,  H04L12/26 ,  G06K9/62 ,  H04L29/08

Abstract: One or more embodiments are directed behavioral based device clustering. A network traffic log of devices in the network is received. Features of devices are extracted from the network traffic log and aggregated into an aggregated feature matrix on a per device basis. By applying a topic modeling algorithm to the aggregated feature matrix, the devices are clustered into device groups according to behavior groups. A device is assigned to the device group to create an assignment.

公开(公告)号：US20200259854A1

公开(公告)日：2020-08-13

申请号：US16861031

申请日：2020-04-28

Applicant: Splunk Inc.

Inventor： Marios Iliofotou ,  Bo Lei ,  Essam Zaky ,  Karthik Kannan ,  George Apostolopoulos ,  Jeswanth Manikonda ,  Sitaram Venkatraman

IPC: H04L29/06

Abstract: A network connection between a server group of a data intake and query system and each of one or more source network nodes is established. The server group includes an indexer server and a model management server. Source data at the server group is received from at least one of the one or more source network nodes via the respective network connections and transformed, by the indexer server, to timestamped entries of machine data. A model management server detects data constraints for a security model. The data constraints include a data element used by the security model and an availability requirement set, the availability requirement set defining when the data element is available. Using the timestamped entries, the data constraints are validated to obtain a validation result, where validating the data constraints includes determining whether the timestamped entries satisfy the availability requirement set for the data element. The model management server determines a data availability assessment of the security model based on the validation result. The data availability assessment of the security model is stored in computer storage.

公开(公告)号：US20200044927A1

公开(公告)日：2020-02-06

申请号：US16051001

申请日：2018-07-31

Applicant: Splunk Inc.

Inventor： George Apostolopoulos ,  Zhuxuan Jin

IPC: H04L12/24 ,  H04L29/06 ,  H04L29/08 ,  G06K9/62 ,  H04L12/26

Abstract: One or more embodiments are directed behavioral based device clustering. A network traffic log of devices in the network is received. Features of devices are extracted from the network traffic log and aggregated into an aggregated feature matrix on a per device basis. By applying a topic modeling algorithm to the aggregated feature matrix, the devices are clustered into device groups according to behavior groups. A device is assigned to the device group to create an assignment.

公开(公告)号：US20190158524A1

公开(公告)日：2019-05-23

申请号：US16250989

申请日：2019-01-17

Applicant: SPLUNK INC.

Inventor： Joseph Auguste Zadeh ,  Rodolfo Soto ,  George Apostolopoulos ,  John Clifton Pierce

IPC: H04L29/06 ,  H04L12/26

CPC classification number: H04L63/1425 ,  H04L41/12 ,  H04L43/045 ,  H04L43/08 ,  H04L43/106 ,  H04L61/103 ,  H04L61/15 ,  H04L61/2007 ,  H04L61/2015 ,  H04L61/6022 ,  H04L67/30

Abstract: Techniques are described for analyzing data regarding activity in an IT environment to determine information regarding the entities associated with the activity and using the information to detect anomalous activity that may be indicative of malicious activity. In an embodiment, a plurality of events reflecting activity by a plurality of entities in an IT environment are processed to resolve the identities of the entities, discover how the entities fit within a topology of the IT environment, and determine what the entities are. This information is then used to generate an entity relationship graph that includes nodes representing the entities in the IT environment and edges connecting the nodes representing interaction relationships between the entities. In some embodiments, baselines are established by monitoring the activity between entities. This baseline information can be represented in the entity relationship graph in the form of directionality applied to the edges. The entity relationship graph can then be monitored to detect anomalous activity.