公开(公告)号：US09596252B2

公开(公告)日：2017-03-14

申请号：US15056999

申请日：2016-02-29

Applicant: Splunk Inc.

Inventor： John Coates ,  Lucas Murphey ,  David Hazekamp ,  James Hansen

IPC: G06F11/00 ,  H04L29/06 ,  G06F21/55

CPC classification number: H04L63/1433 ,  G06F17/30598 ,  G06F21/554 ,  G06F2221/034 ,  G06F2221/2151 ,  H04L63/14 ,  H04L63/1408 ,  H04L63/1416 ,  H04L63/20

Abstract: A disclosed computer-implemented method includes receiving and indexing the raw data. Indexing includes dividing the raw data into time stamped searchable events that include information relating to computer or network security. Store the indexed data in an indexed data store and extract values from a field in the indexed data using a schema. Search the extracted field values for the security information. Determine a group of security events using the security information. Each security event includes a field value specified by a criteria. Present a graphical interface (GI) including a summary of the group of security events, other summaries of security events, and a remove element (associated with the summary). Receive input corresponding to an interaction of the remove element. Interacting with the remove element causes the summary to be removed from the GI. Update the GI to remove the summary from the GI.

Abstract translation: 所公开的计算机实现的方法包括接收和索引原始数据。 索引包括将原始数据划分为包含与计算机或网络安全相关的信息的时间戳搜索事件。 将索引数据存储在索引数据存储中，并使用模式从索引数据中的字段中提取值。 搜索提取的字段值以获取安全信息。 使用安全信息确定一组安全事件。 每个安全事件都包括由条件指定的字段值。 提供包括安全事件组的摘要，安全事件的其他摘要和删除元素（与摘要相关联）的图形界面（GI）。 接收与删除元素的交互相对应的输入。 与删除元素进行交互会导致摘要从GI中移除。 更新GI以从GI中删除摘要。

公开(公告)号：US09594789B2

公开(公告)日：2017-03-14

申请号：US14611170

申请日：2015-01-30

Applicant: Splunk Inc.

Inventor： Michael Joseph Baum ,  R. David Carasso ,  Robin Kumar Das ,  Rory Greene ,  Bradley Hall ,  Nicholas Christian Mealy ,  Brian Philip Murphy ,  Stephen Phillip Sorkin ,  Andre David Stechert ,  Erik M. Swan

IPC: G06F7/00 ,  G06F17/30

CPC classification number: G06F17/30336 ,  G06F17/30321 ,  G06F17/30342 ,  G06F17/30353 ,  G06F17/30516 ,  G06F17/30528 ,  G06F17/3053 ,  G06F17/30551 ,  G06F17/30554 ,  G06F17/30864

Abstract: Methods and apparatus consistent with the invention provide the ability to organize, index, search, and present time series data based on searches. Time series data are sequences of time stamped records occurring in one or more usually continuous streams, representing some type of activity. In one embodiment, time series data is organized into discrete events with normalized time stamps and the events are indexed by time and keyword. A search is received and relevant event information is retrieved based in whole or in part on the time indexing mechanism, keyword indexing mechanism, or statistical indices calculated at the time of the search.

Abstract translation: 根据本发明的方法和设备提供了基于搜索来组织，索引，搜索和呈现时间序列数据的能力。 时间序列数据是在一个或多个通常连续的流中发生的时间戳记录的序列，表示某种类型的活动。 在一个实施例中，时间序列数据被组织成具有归一化时间戳的离散事件，并且事件由时间和关键字索引。 完全或部分地基于搜索时计算的时间索引机制，关键字索引机制或统计索引，检索相关的事件信息。

公开(公告)号：US20170063911A1

公开(公告)日：2017-03-02

申请号：US14929196

申请日：2015-10-30

Applicant: Splunk Inc.

Inventor： Sudhakar Muddu ,  Christos Tryfonas ,  Fumei Lam ,  Georgios Apostolopoulos

IPC: H04L29/06 ,  G06F17/30

CPC classification number: H04L63/1416 ,  G06F3/0482 ,  G06F3/0484 ,  G06F3/04842 ,  G06F3/04847 ,  G06F17/2235 ,  G06F17/30061 ,  G06F17/3053 ,  G06F17/30563 ,  G06F17/30598 ,  G06F17/30958 ,  G06K9/2063 ,  G06N5/04 ,  G06N7/005 ,  G06N99/005 ,  H04L41/0893 ,  H04L41/145 ,  H04L41/22 ,  H04L43/00 ,  H04L43/045 ,  H04L43/062 ,  H04L43/08 ,  H04L63/06 ,  H04L63/1408 ,  H04L63/1425 ,  H04L63/1433 ,  H04L63/1441 ,  H04L63/20 ,  H04L2463/121

Abstract: A security platform employs a variety techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.

Abstract translation: 安全平台采用多种技术和机制来检测计算机网络环境中的安全相关异常和威胁。 安全平台是“大数据”驱动，并采用机器学习来执行安全分析。 安全平台执行用户/实体行为分析（UEBA）以检测与安全性相关的异常和威胁，而不管这种异常/威胁是否已知。 安全平台可以包括用于检测异常和威胁的实时路径和批处理路径/模式。 通过视觉呈现具有风险评级和支持证据的分析结果，安全平台使网络安全管理员能够响应检测到的异常或威胁，并及时采取行动。

公开(公告)号：US20170063910A1

公开(公告)日：2017-03-02

申请号：US14929187

申请日：2015-10-30

Applicant: Splunk Inc.

Inventor： Sudhakar Muddu ,  Christos Tryfonas ,  Ravi Prasad Bulusu ,  Marios Iliofotou

IPC: H04L29/06 ,  G06N99/00 ,  G06F17/30

CPC classification number: H04L63/1416 ,  G06F3/0482 ,  G06F3/0484 ,  G06F3/04842 ,  G06F3/04847 ,  G06F16/24578 ,  G06F16/254 ,  G06F16/285 ,  G06F16/444 ,  G06F16/9024 ,  G06F17/2235 ,  G06K9/2063 ,  G06N5/022 ,  G06N5/04 ,  G06N7/005 ,  G06N20/00 ,  H04L41/0893 ,  H04L41/145 ,  H04L41/22 ,  H04L43/00 ,  H04L43/045 ,  H04L43/062 ,  H04L43/08 ,  H04L63/06 ,  H04L63/1408 ,  H04L63/1425 ,  H04L63/1433 ,  H04L63/1441 ,  H04L63/20 ,  H04L2463/121 ,  H05K999/99

Abstract: A security platform employs a variety techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.

Abstract translation: 安全平台采用多种技术和机制来检测计算机网络环境中的安全相关异常和威胁。 安全平台是“大数据”驱动，并采用机器学习来执行安全分析。 安全平台执行用户/实体行为分析（UEBA）以检测与安全性相关的异常和威胁，而不管这种异常/威胁是否已知。 安全平台可以包括用于检测异常和威胁的实时路径和批处理路径/模式。 通过视觉呈现具有风险评级和支持证据的分析结果，安全平台使网络安全管理员能够响应检测到的异常或威胁，并及时采取行动。

公开(公告)号：US20170063904A1

公开(公告)日：2017-03-02

申请号：US14928985

申请日：2015-10-30

Applicant: Splunk Inc.

Inventor： Sudhakar Muddu ,  Christos Tryfonas ,  Ravi Prasad Bulusu

IPC: H04L29/06 ,  G06N5/04 ,  G06N99/00

CPC classification number: H04L63/1416 ,  G06F3/0482 ,  G06F3/0484 ,  G06F3/04842 ,  G06F3/04847 ,  G06F17/2235 ,  G06F17/30061 ,  G06F17/3053 ,  G06F17/30563 ,  G06F17/30598 ,  G06F17/30958 ,  G06K9/2063 ,  G06N5/04 ,  G06N7/005 ,  G06N99/005 ,  H04L41/0893 ,  H04L41/145 ,  H04L41/22 ,  H04L43/00 ,  H04L43/045 ,  H04L43/062 ,  H04L43/08 ,  H04L63/06 ,  H04L63/1408 ,  H04L63/1425 ,  H04L63/1433 ,  H04L63/1441 ,  H04L63/20 ,  H04L2463/121

Abstract: A security platform employs a variety techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.

Abstract translation: 安全平台采用多种技术和机制来检测计算机网络环境中的安全相关异常和威胁。 安全平台是“大数据”驱动，并采用机器学习来执行安全分析。 安全平台执行用户/实体行为分析（UEBA）以检测与安全性相关的异常和威胁，而不管这种异常/威胁是否已知。 安全平台可以包括用于检测异常和威胁的实时路径和批处理路径/模式。 通过视觉呈现具有风险评级和支持证据的分析结果，安全平台使网络安全管理员能够响应检测到的异常或威胁，并及时采取行动。

公开(公告)号：US20170063901A1

公开(公告)日：2017-03-02

申请号：US14928535

申请日：2015-10-30

Applicant: Splunk Inc.

Inventor： Sudhakar Muddu ,  Christos Tryfonas

IPC: H04L29/06 ,  G06N99/00

CPC classification number: H04L63/1416 ,  G06F3/0482 ,  G06F3/0484 ,  G06F3/04842 ,  G06F3/04847 ,  G06F17/2235 ,  G06F17/30061 ,  G06F17/3053 ,  G06F17/30563 ,  G06F17/30598 ,  G06F17/30958 ,  G06K9/2063 ,  G06N5/022 ,  G06N5/04 ,  G06N7/005 ,  G06N99/005 ,  H04L41/0893 ,  H04L41/145 ,  H04L41/22 ,  H04L43/00 ,  H04L43/045 ,  H04L43/062 ,  H04L43/08 ,  H04L63/06 ,  H04L63/1408 ,  H04L63/1425 ,  H04L63/1433 ,  H04L63/1441 ,  H04L63/20 ,  H04L2463/121 ,  H05K999/99

Abstract: A security platform employs a variety techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.

Abstract translation: 安全平台采用多种技术和机制来检测计算机网络环境中的安全相关异常和威胁。 安全平台是“大数据”驱动，并采用机器学习来执行安全分析。 安全平台执行用户/实体行为分析（UEBA）以检测与安全性相关的异常和威胁，而不管这种异常/威胁是否已知。 安全平台可以包括用于检测异常和威胁的实时路径和批处理路径/模式。 通过视觉呈现具有风险评级和支持证据的分析结果，安全平台使网络安全管理员能够响应检测到的异常或威胁，并及时采取行动。

公开(公告)号：US20170063898A1

公开(公告)日：2017-03-02

申请号：US14928451

申请日：2015-10-30

Applicant: Splunk Inc.

Inventor： Sudhakar Muddu ,  Christos Tryfonas

IPC: H04L29/06 ,  G06F17/22 ,  G06F3/0484 ,  G06F3/0482 ,  G06N99/00 ,  G06N7/00

CPC classification number: H04L63/1416 ,  G06F3/0482 ,  G06F3/0484 ,  G06F3/04842 ,  G06F3/04847 ,  G06F17/2235 ,  G06F17/30061 ,  G06F17/3053 ,  G06F17/30563 ,  G06F17/30598 ,  G06F17/30958 ,  G06K9/2063 ,  G06N5/04 ,  G06N7/005 ,  G06N99/005 ,  H04L41/0893 ,  H04L41/145 ,  H04L41/22 ,  H04L43/00 ,  H04L43/045 ,  H04L43/062 ,  H04L43/08 ,  H04L63/06 ,  H04L63/1408 ,  H04L63/1425 ,  H04L63/1433 ,  H04L63/1441 ,  H04L63/20 ,  H04L2463/121 ,  H05K999/99

Abstract: A security platform employs a variety techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.

Abstract translation: 安全平台采用多种技术和机制来检测计算机网络环境中的安全相关异常和威胁。 安全平台是“大数据”驱动，并采用机器学习来执行安全分析。 安全平台执行用户/实体行为分析（UEBA）以检测与安全性相关的异常和威胁，而不管这种异常/威胁是否已知。 安全平台可以包括用于检测异常和威胁的实时路径和批处理路径/模式。 通过视觉呈现具有风险评级和支持证据的分析结果，安全平台使网络安全管理员能够响应检测到的异常或威胁，并及时采取行动。

公开(公告)号：US20170063894A1

公开(公告)日：2017-03-02

申请号：US15335250

申请日：2016-10-26

Applicant: Splunk Inc.

Inventor： Sudhakar Muddu ,  Christos Tryfonas

IPC: H04L29/06 ,  G06N99/00

CPC classification number: H04L63/1416 ,  G06F3/0482 ,  G06F3/0484 ,  G06F3/04842 ,  G06F3/04847 ,  G06F17/2235 ,  G06F17/30061 ,  G06F17/3053 ,  G06F17/30563 ,  G06F17/30598 ,  G06F17/30958 ,  G06K9/2063 ,  G06N5/04 ,  G06N7/005 ,  G06N99/005 ,  H04L41/0893 ,  H04L41/145 ,  H04L41/22 ,  H04L43/00 ,  H04L43/045 ,  H04L43/062 ,  H04L43/08 ,  H04L63/06 ,  H04L63/1408 ,  H04L63/1425 ,  H04L63/1433 ,  H04L63/1441 ,  H04L63/20 ,  H04L2463/121

Abstract: A security platform employs a variety techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.

Abstract translation: 安全平台采用多种技术和机制来检测计算机网络环境中的安全相关异常和威胁。 安全平台是“大数据”驱动，并采用机器学习来执行安全分析。 安全平台执行用户/实体行为分析（UEBA）以检测与安全性相关的异常和威胁，而不管这种异常/威胁是否已知。 安全平台可以包括用于检测异常和威胁的实时路径和批处理路径/模式。 通过视觉呈现具有风险评级和支持证据的分析结果，安全平台使网络安全管理员能够响应检测到的异常或威胁，并及时采取行动。

公开(公告)号：US09584374B2

公开(公告)日：2017-02-28

申请号：US14528906

申请日：2014-10-30

Applicant: Splunk Inc.

Inventor： Brian John Bingham ,  Tristan Antonio Fletcher ,  Hemendra Singh Choudhary

IPC: H04L12/24 ,  G06Q10/06 ,  H04L29/08 ,  G06F17/30 ,  H04L12/26 ,  G06F3/0484 ,  G06F9/54 ,  G06F3/0481 ,  G06F3/0482

CPC classification number: H04L43/16 ,  G06F3/0481 ,  G06F3/04817 ,  G06F3/0482 ,  G06F3/0484 ,  G06F3/04842 ,  G06F3/04847 ,  G06F9/542 ,  G06F17/30424 ,  G06F17/30463 ,  G06F17/30477 ,  G06F17/30554 ,  G06F17/3056 ,  G06F17/30572 ,  G06F17/30675 ,  G06F17/30864 ,  G06F17/30867 ,  G06F17/30958 ,  G06F17/30964 ,  G06F17/30979 ,  G06F17/30991 ,  G06Q10/06393 ,  G06T11/206 ,  G06T2200/24 ,  H04L29/08072 ,  H04L41/0213 ,  H04L41/0806 ,  H04L41/22 ,  H04L41/5009 ,  H04L41/5032 ,  H04L41/5035 ,  H04L41/5038 ,  H04L43/04 ,  H04L43/045 ,  H04L67/10 ,  H04L67/16

Abstract: One or more processing devices derive a value for each of a plurality of key performance indicators (KPIs). Each KPI indicates a different aspect of how the same service provided by one or more entities is performing at a point in time. Each KPI is defined by a search query that derives the value for that KPI from machine data associated with the one or more entities that provide the same service. The one or more processing devices calculate a value for an aggregate KPI for the same service from the values for each of the plurality of KPIs.

Abstract translation: 一个或多个处理装置为多个关键性能指标（KPI）中的每一个导出值。 每个关键绩效指标表示一个或多个实体提供的相同服务在某个时间点上执行的不同方面。 每个KPI由搜索查询定义，该搜索查询从与提供相同服务的一个或多个实体相关联的机器数据中导出该KPI的值。 一个或多个处理装置根据多个KPI中的每一个的值计算相同服务的聚合KPI的值。

公开(公告)号：US20170048264A1

公开(公告)日：2017-02-16

申请号：US15339952

申请日：2016-11-01

Applicant: Splunk Inc,

Inventor： Vijay Chauhan ,  Cary Noel ,  Wenhui Yu ,  Luke Murphey ,  Alexander Raitz ,  David Hazekamp

IPC: H04L29/06 ,  G06F17/30 ,  G06F21/62 ,  G06F17/24 ,  G06F3/0484

CPC classification number: H04L63/1425 ,  G06F3/0484 ,  G06F17/241 ,  G06F17/30551 ,  G06F17/30554 ,  G06F17/30557 ,  G06F21/629 ,  G06F2221/2151 ,  H04L43/06

Abstract: Techniques and mechanisms are disclosed that enable network security analysts and other users to efficiently conduct network security investigations and to produce useful representations of investigation results. As used herein, a network security investigation generally refers to an analysis by an analyst (or team of analysts) of one or more detected network events that may pose internal and/or external threats to a computer network under management. A network security application provides various interfaces that enable users to create investigation timelines, where the investigation timelines display a collection of events related to a particular network security investigation. A network security application further provides functionality to monitor and log user interactions with the network security application, where particular logged user interactions may also be added to one or more investigation timelines.

Abstract translation: 公开了技术和机制，使网络安全分析师和其他用户有效地进行网络安全调查并产生调查结果的有用表示。 如本文所使用的，网络安全调查通常是指分析者（或分析师小组）对可能对管理的计算机网络造成内部和/或外部威胁的一个或多个检测到的网络事件的分析。 网络安全应用程序提供各种接口，使用户能够创建调查时间表，其中调查时间表显示与特定网络安全调查相关的事件的集合。 网络安全应用程序还提供监视和记录与网络安全应用程序的用户交互的功能，其中特定记录的用户交互也可以被添加到一个或多个调查时间线。