公开(公告)号：US12088611B1

公开(公告)日：2024-09-10

申请号：US17573399

申请日：2022-01-11

Applicant: SPLUNK Inc.

Inventor： Cui Lin ,  Stanislav Miskovic

IPC: H04L9/40 ,  G06F18/214 ,  G06N20/00

CPC classification number: H04L63/1425 ,  G06F18/214 ,  G06N20/00 ,  H04L63/1416 ,  H04L63/1466 ,  H04L63/166 ,  H04L63/20

Abstract: A computerized method is disclosed that includes operations of obtaining historical network traffic and preparing a training set of data by: applying security rules to the historical network traffic data to obtain a first filtered subset of network transmissions representing a first set of beaconing candidates that is labeled to form a first set of labeled results, applying a clustering logic to the historical network traffic data to obtain a second filtered subset of network transmissions representing a second set of beaconing candidates that is labeled to form a second set of labeled results, applying a machine learning model to the historical network traffic data to label the historical network traffic forming a third set of labeled results, wherein the first, second and third sets of labeled results are augmented to form an augmented labeled training set, and training a machine learning model using the augmented labeled training set.

公开(公告)号：US10462169B2

公开(公告)日：2019-10-29

申请号：US15582645

申请日：2017-04-29

Applicant: Splunk Inc.

Inventor： Satheesh Kumar Joseph Durairaj ,  Stanislav Miskovic ,  Georgios Apostolopoulos

IPC: G08B23/00 ,  G06F12/16 ,  G06F12/14 ,  G06F11/00 ,  H04L29/06 ,  G06N20/00 ,  G06F16/901

Abstract: A lateral movement application identifies lateral movement (LM) candidates that potentially represent a security threat. Security platforms generate event data when performing security-related functions, such as authenticating a user account. The disclosed technology enables greatly increased accuracy identification of lateral movement (LM) candidates by, for example, refining a population of LM candidates based on an analysis of a time constrained graph in which nodes represent entities, and edges between nodes represent a time sequence of login or other association activities between the entities. The graph is created based on an analysis of the event data, including time sequences of the event data.

公开(公告)号：US11658992B2

公开(公告)日：2023-05-23

申请号：US17350689

申请日：2021-06-17

Applicant: Splunk Inc.

Inventor： Satheesh Kumar Joseph Durairaj ,  Stanislav Miskovic ,  Georgios Apostolopoulos

IPC: H04L9/40 ,  G06F16/901 ,  G06N5/02 ,  G06F21/31 ,  G06N20/00 ,  H04L41/142 ,  H04L41/14 ,  H04L41/22 ,  G06N5/022 ,  G06N7/00

CPC classification number: H04L63/1425 ,  G06F16/9024 ,  G06N5/022 ,  G06N20/00 ,  H04L41/142 ,  H04L41/145 ,  H04L41/22 ,  G06N7/005

Abstract: A lateral movement application identifies lateral movement (LM) candidates that potentially represent a security threat. Security platforms generate event data when performing security-related functions, such as authenticating a user account. The disclosed technology enables greatly increased accuracy identification of lateral movement (LM) candidates by, for example, refining a population of LM candidates based on an analysis of a time constrained graph in which nodes represent entities, and edges between nodes represent a time sequence of login or other association activities between the entities. The graph is created based on an analysis of the event data, including time sequences of the event data.

公开(公告)号：US11010342B2

公开(公告)日：2021-05-18

申请号：US15478186

申请日：2017-04-03

Applicant: Splunk Inc.

Inventor： Stanislav Miskovic ,  Satheesh Kumar Joseph Durairaj ,  George Apostolopulous ,  Dimitrios Terzis

IPC: G06F16/17 ,  G06N5/04 ,  H04L29/08 ,  G06N20/00 ,  G06N5/02

Abstract: A system and method of obtaining and utilizing an activity signature that is representative of a specific category of network activities based on directory service (DS) log data. The activity signature may be determining by a learning process, including segmenting and pruning a training dataset into a plurality of event segments and matching them with activities based on DS log data of known activities. Once obtained, the activity signature can advantageously be utilized to analyze any DS log data and activities in actual deployment. Using activity signatures to analyze DS event log can reveal roles of event-collection machines, aggregate information dispersed across their component events to reveal actors involved in particular AD activities, augment visibility of DS by enabling various vantage points to better infer activities at other domain machines, and reveal macro activities so that logged information becomes easily interpretable to human analysts.

公开(公告)号：US12199997B1

公开(公告)日：2025-01-14

申请号：US17573335

申请日：2022-01-11

Applicant: SPLUNK Inc.

Inventor： Cui Lin ,  Stanislav Miskovic

IPC: H04L9/40 ,  G06N20/00 ,  H04L41/16 ,  H04L41/22

Abstract: A computerized method is disclosed that includes operations of obtaining network traffic data between a source device and a destination device, applying a set of one or more security rules to a plurality of metrics of the network traffic data to obtain a subset of network traffic metrics, applying a first trained machine learning model to the subset of network traffic metrics to generate a feature vector through feature extraction of the subset of network traffic metrics, and evaluate the feature vector for a presence of beaconing and classify the subset of network traffic metrics, and responsive to the classifying of the subset of network traffic metrics, generating a flag for a system administrator. The plurality of metrics include at least one or more of packet size, packet transmission rate, or a ratio of (i) packet size for inbound packets and (ii) packet size for outbound packets.

公开(公告)号：US11936545B1

公开(公告)日：2024-03-19

申请号：US17573195

申请日：2022-01-11

Applicant: SPLUNK Inc.

Inventor： Stanislav Miskovic ,  Cui Lin

IPC: H04L29/06 ,  G06Q20/06 ,  H04L12/26 ,  H04L43/062 ,  H04L43/08 ,  H04L43/0894

CPC classification number: H04L43/0894 ,  H04L43/062

Abstract: A computerized method is disclosed that includes operations of obtaining network traffic data between a source device and a destination device, performing a regularity assessment of a first metric of the network traffic data across communication sessions of the source device and the destination device over a given time period by: determining an average of the first metric for each of the communication sessions; establishing an upper bound and a lower bound for the averages of the first metric over the given time period; determining a difference between the upper bound and the lower bound; comparing the difference between the upper bound and the lower bound to a mean of the first metric for each of the communication sessions over the given time period, and determining whether beaconing transmissions are present within the network traffic data based on the regularity assessment of the first metric.

公开(公告)号：US20210209067A1

公开(公告)日：2021-07-08

申请号：US17212399

申请日：2021-03-25

Applicant: Splunk Inc.

Inventor： Stanislav Miskovic ,  Satheesh Kumar Joseph Durairaj ,  George Apostolopulous ,  Dimitrios Terzis

IPC: G06F16/17 ,  G06N5/04 ,  H04L29/08 ,  G06N20/00 ,  G06N5/02

Abstract: A system and method of obtaining and utilizing an activity signature that is representative of a specific category of network activities based on directory service (DS) log data. The activity signature may be determining by a learning process, including segmenting and pruning a training dataset into a plurality of event segments and matching them with activities based on DS log data of known activities. Once obtained, the activity signature can advantageously be utilized to analyze any DS log data and activities in actual deployment. Using activity signatures to analyze DS event log can reveal roles of event-collection machines, aggregate information dispersed across their component events to reveal actors involved in particular AD activities, augment visibility of DS by enabling various vantage points to better infer activities at other domain machines, and reveal macro activities so that logged information becomes easily interpretable to human analysts.

公开(公告)号：US11044264B2

公开(公告)日：2021-06-22

申请号：US16573944

申请日：2019-09-17

Applicant: Splunk Inc.

Inventor： Satheesh Kumar Joseph Durairaj ,  Stanislav Miskovic ,  Georgios Apostolopoulos

IPC: G08B23/00 ,  G06F12/16 ,  G06F12/14 ,  G06F11/00 ,  H04L29/06 ,  G06N20/00 ,  G06F16/901 ,  H04L12/24 ,  G06N5/02 ,  G06N7/00

Abstract: A lateral movement application identifies lateral movement (LM) candidates that potentially represent a security threat. Security platforms generate event data when performing security-related functions, such as authenticating a user account. The disclosed technology enables greatly increased accuracy identification of lateral movement (LM) candidates by, for example, refining a population of LM candidates based on an analysis of a time constrained graph in which nodes represent entities, and edges between nodes represent a time sequence of login or other association activities between the entities. The graph is created based on an analysis of the event data, including time sequences of the event data.

公开(公告)号：US20180285776A1

公开(公告)日：2018-10-04

申请号：US15478186

申请日：2017-04-03

Applicant: Splunk Inc.

Inventor： Stanislav Miskovic ,  Satheesh Kumar Joseph Durairaj ,  George Apostolopulous ,  Dimitrios Terzis

IPC: G06N99/00 ,  G06N5/04 ,  H04L12/26 ,  H04L29/08

Abstract: A system and method of obtaining and utilizing an activity signature that is representative of a specific category of network activities based on directory service (DS) log data. The activity signature may be determining by a learning process, including segmenting and pruning a training dataset into a plurality of event segments and matching them with activities based on DS log data of known activities. Once obtained, the activity signature can advantageously be utilized to analyze any DS log data and activities in actual deployment. Using activity signatures to analyze DS event log can reveal roles of event-collection machines, aggregate information dispersed across their component events to reveal actors involved in particular AD activities, augment visibility of DS by enabling various vantage points to better infer activities at other domain machines, and reveal macro activities so that logged information becomes easily interpretable to human analysts.