公开(公告)号：US10237294B1

公开(公告)日：2019-03-19

申请号：US15420039

申请日：2017-01-30

Applicant: Splunk Inc.

Inventor： Joseph Auguste Zadeh ,  Rodolfo Soto ,  George Apostolopoulos ,  John Clifton Pierce

IPC: H04L29/06 ,  H04L12/26 ,  H04L29/08 ,  H04L29/12

Abstract: Techniques are described for analyzing data regarding activity in an IT environment to determine information regarding the entities associated with the activity and using the information to detect anomalous activity that may be indicative of malicious activity. In an embodiment, a plurality of events reflecting activity by a plurality of entities in an IT environment are processed to resolve the identities of the entities, discover how the entities fit within a topology of the IT environment, and determine what the entities are. This information is then used to generate a entity relationship graph that includes nodes representing the entities in the IT environment and edges connecting the nodes representing interaction relationships between the entities. In some embodiments, baselines are established by monitoring the activity between entities. This baseline information can be represented in the entity relationship graph in the form of directionality applied to the edges. The entity relationship graph can then be monitored to detect anomalous activity.

公开(公告)号：US10693900B2

公开(公告)日：2020-06-23

申请号：US16250989

申请日：2019-01-17

Applicant: SPLUNK INC.

Inventor： Joseph Auguste Zadeh ,  Rodolfo Soto ,  George Apostolopoulos ,  John Clifton Pierce

IPC: H04L29/06 ,  H04L12/26 ,  H04L29/08 ,  H04L29/12 ,  H04L12/24

Abstract: Techniques are described for analyzing data regarding activity in an IT environment to determine information regarding the entities associated with the activity and using the information to detect anomalous activity that may be indicative of malicious activity. In an embodiment, a plurality of events reflecting activity by a plurality of entities in an IT environment are processed to resolve the identities of the entities, discover how the entities fit within a topology of the IT environment, and determine what the entities are. This information is then used to generate an entity relationship graph that includes nodes representing the entities in the IT environment and edges connecting the nodes representing interaction relationships between the entities. In some embodiments, baselines are established by monitoring the activity between entities. This baseline information can be represented in the entity relationship graph in the form of directionality applied to the edges. The entity relationship graph can then be monitored to detect anomalous activity.

公开(公告)号：US20190158524A1

公开(公告)日：2019-05-23

申请号：US16250989

申请日：2019-01-17

Applicant: SPLUNK INC.

Inventor： Joseph Auguste Zadeh ,  Rodolfo Soto ,  George Apostolopoulos ,  John Clifton Pierce

IPC: H04L29/06 ,  H04L12/26

CPC classification number: H04L63/1425 ,  H04L41/12 ,  H04L43/045 ,  H04L43/08 ,  H04L43/106 ,  H04L61/103 ,  H04L61/15 ,  H04L61/2007 ,  H04L61/2015 ,  H04L61/6022 ,  H04L67/30

Abstract: Techniques are described for analyzing data regarding activity in an IT environment to determine information regarding the entities associated with the activity and using the information to detect anomalous activity that may be indicative of malicious activity. In an embodiment, a plurality of events reflecting activity by a plurality of entities in an IT environment are processed to resolve the identities of the entities, discover how the entities fit within a topology of the IT environment, and determine what the entities are. This information is then used to generate an entity relationship graph that includes nodes representing the entities in the IT environment and edges connecting the nodes representing interaction relationships between the entities. In some embodiments, baselines are established by monitoring the activity between entities. This baseline information can be represented in the entity relationship graph in the form of directionality applied to the edges. The entity relationship graph can then be monitored to detect anomalous activity.

公开(公告)号：US11870795B1

公开(公告)日：2024-01-09

申请号：US17347278

申请日：2021-06-14

Applicant: SPLUNK INC.

Inventor： Joseph Auguste Zadeh ,  Rodolfo Soto ,  Madhupreetha Chandrasekaran ,  Yijiang Li

IPC: H04L9/40

CPC classification number: H04L63/1425 ,  H04L63/1441 ,  H04L2463/121

Abstract: Techniques for identifying attack behavior based on scripting language activity are disclosed. A security monitoring system generates a behavior profile for a first client device based on scripting language commands included in a first set of raw machine data received from the first client device, where the first client device is coupled to a network, and the first set of raw machine data is associated with network traffic received by or transmitted from the first client device. The security monitoring system analyzes a second set of raw machine data received from the first client device, where the second set of raw machine data is associated with subsequent network traffic received by or transmitted from the first client device. The security monitoring system detects an anomaly in the second set of raw machine data based on the behavior profile, and initiates a mitigation action in response to detecting the anomaly.

公开(公告)号：US20180212985A1

公开(公告)日：2018-07-26

申请号：US15415853

申请日：2017-01-25

Applicant: Splunk, Inc.

Inventor： Joseph Auguste Zadeh ,  Rodolfo Soto ,  Madhupreetha Chandrasekaran ,  Yijiang Li

IPC: H04L29/06

CPC classification number: H04L63/1425 ,  H04L63/1441 ,  H04L2463/121

Abstract: Techniques for identifying attack behavior based on scripting language activity are disclosed. A security monitoring system generates a behavior profile for a first client device based on scripting language commands included in a first set of raw machine data received from the first client device, where the first client device is coupled to a network, and the first set of raw machine data is associated with network traffic received by or transmitted from the first client device. The security monitoring system analyzes a second set of raw machine data received from the first client device, where the second set of raw machine data is associated with subsequent network traffic received by or transmitted from the first client device. The security monitoring system detects an anomaly in the second set of raw machine data based on the behavior profile, and initiates a mitigation action in response to detecting the anomaly.

公开(公告)号：US11463464B2

公开(公告)日：2022-10-04

申请号：US16883887

申请日：2020-05-26

Applicant: Splunk Inc.

Inventor： Joseph Auguste Zadeh ,  Rodolfo Soto ,  George Apostolopoulos ,  John Clifton Pierce

IPC: H04L29/06 ,  H04L9/40 ,  H04L43/08 ,  H04L43/045 ,  H04L67/30 ,  H04L61/45 ,  H04L61/103 ,  H04L61/5014 ,  H04L43/106 ,  H04L41/12 ,  H04L61/5007 ,  H04L101/622

Abstract: Techniques are described for analyzing data regarding activity in an IT environment to determine information regarding the entities associated with the activity and using the information to detect anomalous activity that may be indicative of malicious activity. In an embodiment, a plurality of events reflecting activity by a plurality of entities in an IT environment are processed to resolve the identities of the entities, discover how the entities fit within a topology of the IT environment, and determine what the entities are. This information is then used to generate an entity relationship graph that includes nodes representing the entities in the IT environment and edges connecting the nodes representing interaction relationships between the entities. In some embodiments, baselines are established by monitoring the activity between entities. This baseline information can be represented in the entity relationship graph in the form of directionality applied to the edges. The entity relationship graph can then be monitored to detect anomalous activity.

公开(公告)号：US11038905B2

公开(公告)日：2021-06-15

申请号：US15415853

申请日：2017-01-25

Applicant: Splunk, Inc.

Inventor： Joseph Auguste Zadeh ,  Rodolfo Soto ,  Madhupreetha Chandrasekaran ,  Yijiang Li

IPC: H04L29/06

Abstract: Techniques for identifying attack behavior based on scripting language activity are disclosed. A security monitoring system generates a behavior profile for a first client device based on scripting language commands included in a first set of raw machine data received from the first client device, where the first client device is coupled to a network, and the first set of raw machine data is associated with network traffic received by or transmitted from the first client device. The security monitoring system analyzes a second set of raw machine data received from the first client device, where the second set of raw machine data is associated with subsequent network traffic received by or transmitted from the first client device. The security monitoring system detects an anomaly in the second set of raw machine data based on the behavior profile, and initiates a mitigation action in response to detecting the anomaly.

公开(公告)号：US20200287927A1

公开(公告)日：2020-09-10

申请号：US16883887

申请日：2020-05-26

Applicant: Splunk Inc.

Inventor： Joseph Auguste Zadeh ,  Rodolfo Soto ,  George Apostolopoulos ,  John Clifton Pierce

IPC: H04L29/06 ,  H04L12/26 ,  H04L29/08 ,  H04L29/12

Abstract: Techniques are described for analyzing data regarding activity in an IT environment to determine information regarding the entities associated with the activity and using the information to detect anomalous activity that may be indicative of malicious activity. In an embodiment, a plurality of events reflecting activity by a plurality of entities in an IT environment are processed to resolve the identities of the entities, discover how the entities fit within a topology of the IT environment, and determine what the entities are. This information is then used to generate an entity relationship graph that includes nodes representing the entities in the IT environment and edges connecting the nodes representing interaction relationships between the entities. In some embodiments, baselines are established by monitoring the activity between entities. This baseline information can be represented in the entity relationship graph in the form of directionality applied to the edges. The entity relationship graph can then be monitored to detect anomalous activity.