-
Publication No.: US20170063910A1
Publication date: 2017-03-02
Application No.: US14929187
Filing date: 2015-10-30
Applicant: Splunk Inc.
Inventor: Sudhakar Muddu , Christos Tryfonas , Ravi Prasad Bulusu , Marios Iliofotou
CPC classification number: H04L63/1416 , G06F3/0482 , G06F3/0484 , G06F3/04842 , G06F3/04847 , G06F16/24578 , G06F16/254 , G06F16/285 , G06F16/444 , G06F16/9024 , G06F17/2235 , G06K9/2063 , G06N5/022 , G06N5/04 , G06N7/005 , G06N20/00 , H04L41/0893 , H04L41/145 , H04L41/22 , H04L43/00 , H04L43/045 , H04L43/062 , H04L43/08 , H04L63/06 , H04L63/1408 , H04L63/1425 , H04L63/1433 , H04L63/1441 , H04L63/20 , H04L2463/121 , H05K999/99
Abstract: A security platform employs a variety of techniques and mechanisms to detect security-related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security-related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
-
Publication No.: US11949702B1
Publication date: 2024-04-02
Application No.: US18052030
Filing date: 2022-11-02
Applicant: Splunk Inc.
Inventor: Sumit Singh Bagga , Francis E. Gerard , Robin Jinyang Hu , Marios Iliofotou , J. Evan Jordan , Amarendra Pendala , Sourabh Satish
CPC classification number: H04L63/1425 , H04L65/61
Abstract: A method comprises acquiring anomaly data including a plurality of anomalies detected from streaming data, wherein each of the anomalies relates to an entity on or associated with a computer network. The method determines a risk score of each of the anomalies, and adjusts the risk score of an anomaly according to a set of factors. The method further determines, for each of a plurality of sliding time windows of different lengths, an entity score of the entity in relation to the sliding time window, based on an aggregation of risk scores of all anomalies related to the entity that were detected within the sliding time window, where the entity score corresponds to a risk level associated with the entity. An action to prevent the entity from performing an operation can be determined and caused to occur based on the entity score.
-
Publication No.: US11681707B1
Publication date: 2023-06-20
Application No.: US17691878
Filing date: 2022-03-10
Applicant: SPLUNK INC.
Inventor: Bo Lei , Ryan Lee Faircloth , Marios Iliofotou , Sathyanarayanan Kavacheri , Sadia R. Poddar , Anurag Singla
IPC: G06F16/24 , G06F9/54 , G06F16/22 , G06F16/2455
CPC classification number: G06F16/24554 , G06F9/542 , G06F16/2228
Abstract: Transmission handling of analytics query response includes a search head, in a data intake and query system, receiving a query from an analytics system. The search head distributes at least a portion of the query to at least one indexer for processing the query. The at least one indexer transmits, bypassing the search head, and to the analytics system, events matching the query. The search head receives from the at least one indexer, data regarding the events, and sends the data regarding the events to the analytics system.
-
Publication No.: US11558412B1
Publication date: 2023-01-17
Application No.: US17216471
Filing date: 2021-03-29
Applicant: Splunk Inc.
Inventor: Allison Lindsey Drake , James Irwin Ebeling , Marios Iliofotou , Lucas Keith Murphey , Mihir Randhir Parikh , Amarendra Pendala , Krishna Prasanna Sankaran , Sourabh Satish
IPC: G06F3/0482 , H04L9/40 , G06F16/26 , G06F16/2457 , G06T11/20 , G06T11/00 , G06F16/248
Abstract: Security-related anomalies in the data related to network entities are identified, and a risk score is assigned to each entity based on the anomalies. Visualization data is generated for a color-coded interactive visualization. Generating the visualization data includes assigning each entity to a separate polygon to be displayed concurrently on a display screen; selecting a size of each polygon to indicate one of: a number of security-related anomalies associated with the entity, or a risk level assigned to the entity, where the risk level is based on the risk score of the entity; selecting a color of each polygon to indicate the other one of: the number of security-related anomalies associated with the entity, or the risk level assigned to the entity; and causing the color-coded interactive visualization to be displayed on a display device based on the visualization data.
-
Publication No.: US11552974B1
Publication date: 2023-01-10
Application No.: US17086146
Filing date: 2020-10-30
Applicant: Splunk Inc.
Inventor: Sumit Singh Bagga , Francis E. Gerard , Robin Jinyang Hu , Marios Iliofotou , J. Evan Jordan , Amarendra Pendala , Sourabh Satish
Abstract: A method comprises acquiring anomaly data including a plurality of anomalies detected from streaming data, wherein each of the anomalies relates to an entity on or associated with a computer network. The method determines a risk score of each of the anomalies, and adjusts the risk score of an anomaly according to a set of factors. The method further determines, for each of a plurality of sliding time windows of different lengths, an entity score of the entity in relation to the sliding time window, based on an aggregation of risk scores of all anomalies related to the entity that were detected within the sliding time window, where the entity score corresponds to a risk level associated with the entity. An action to prevent the entity from performing an operation can be determined and caused to occur based on the entity score.
-
Publication No.: US20220247770A1
Publication date: 2022-08-04
Application No.: US17680240
Filing date: 2022-02-24
Applicant: Splunk Inc.
Inventor: Marios Iliofotou , Bo Lei , Essam Zaky , Karthik Kannan , George Apostolopoulos , Jeswanth Manikonda , Sitaram Venkatraman
IPC: H04L9/40
Abstract: A network connection between a server group of a data intake and query system and each of one or more source network nodes is established. Source data at the server group is received from at least one of the one or more source network nodes via the respective network connections and transformed, by the indexer server, to timestamped data entries of machine data. A model management server detects data constraints for a security model that include a data element used by the security model and an availability requirement set. Using the timestamped data entries, the data constraints are validated, and the validation used to determine a data availability assessment of the security model.
-
Publication No.: US11297087B2
Publication date: 2022-04-05
Application No.: US16861031
Filing date: 2020-04-28
Applicant: Splunk Inc.
Inventor: Marios Iliofotou , Bo Lei , Essam Zaky , Karthik Kannan , George Apostolopoulos , Jeswanth Manikonda , Sitaram Venkatraman
IPC: H04L29/06
Abstract: A network connection between a server group of a data intake and query system and each of one or more source network nodes is established. Source data at the server group is received from at least one of the one or more source network nodes via the respective network connections and transformed, by the indexer server, to timestamped entries of machine data. A model management server detects data constraints for a security model. Using the timestamped entries, the data constraints are validated to obtain a validation result, where validating the data constraints includes determining whether the timestamped entries satisfy the availability requirement set for the data element. The model management server determines a data availability assessment of the security model based on the validation result.
-
Publication No.: US20190238574A1
Publication date: 2019-08-01
Application No.: US15885485
Filing date: 2018-01-31
Applicant: Splunk, Inc.
Inventor: Marios Iliofotou , Bo Lei , Essam Zaky , Karthik Kannan , George Apostolopoulos , Jeswanth Manikonda , Sitaram Venkatraman
Abstract: A network connection between a server group of a data intake and query system and each of one or more source network nodes is established. The server group includes an indexer server and a model management server. Source data at the server group is received from at least one of the one or more source network nodes via the respective network connections and transformed, by the indexer server, to timestamped entries of machine data. A model management server detects data constraints for a security model. The data constraints include a data element used by the security model and an availability requirement set, the availability requirement set defining when the data element is available. Using the timestamped entries, the data constraints are validated to obtain a validation result, where validating the data constraints includes determining whether the timestamped entries satisfy the availability requirement set for the data element. The model management server determines a data availability assessment of the security model based on the validation result. The data availability assessment of the security model is stored in computer storage.
-
Publication No.: US10063570B2
Publication date: 2018-08-28
Application No.: US14929132
Filing date: 2015-10-30
Applicant: Splunk Inc.
Inventor: Sudhakar Muddu , Christos Tryfonas , Marios Iliofotou
IPC: H04L29/06 , G06N99/00 , G06F17/30 , G06N7/00 , G06F3/0482 , G06K9/20 , G06F3/0484 , H04L12/24 , H04L12/26
CPC classification number: H04L63/1416 , G06F3/0482 , G06F3/0484 , G06F3/04842 , G06F3/04847 , G06F16/24578 , G06F16/254 , G06F16/285 , G06F16/444 , G06F16/9024 , G06F17/2235 , G06K9/2063 , G06N5/022 , G06N5/04 , G06N7/005 , G06N20/00 , H04L41/0893 , H04L41/145 , H04L41/22 , H04L43/00 , H04L43/045 , H04L43/062 , H04L43/08 , H04L63/06 , H04L63/1408 , H04L63/1425 , H04L63/1433 , H04L63/1441 , H04L63/20 , H04L2463/121 , H05K999/99
Abstract: A security platform employs a variety of techniques and mechanisms to detect security-related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security-related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.