-
Publication (announcement) No.: US11463464B2
Publication (announcement) date: 2022-10-04
Application No.: US16883887
Application date: 2020-05-26
Applicant: Splunk Inc.
Inventor: Joseph Auguste Zadeh, Rodolfo Soto, George Apostolopoulos, John Clifton Pierce
IPC: H04L29/06, H04L9/40, H04L43/08, H04L43/045, H04L67/30, H04L61/45, H04L61/103, H04L61/5014, H04L43/106, H04L41/12, H04L61/5007, H04L101/622
Abstract: Techniques are described for analyzing data regarding activity in an IT environment to determine information regarding the entities associated with the activity and using the information to detect anomalous activity that may be indicative of malicious activity. In an embodiment, a plurality of events reflecting activity by a plurality of entities in an IT environment are processed to resolve the identities of the entities, discover how the entities fit within a topology of the IT environment, and determine what the entities are. This information is then used to generate an entity relationship graph that includes nodes representing the entities in the IT environment and edges connecting the nodes representing interaction relationships between the entities. In some embodiments, baselines are established by monitoring the activity between entities. This baseline information can be represented in the entity relationship graph in the form of directionality applied to the edges. The entity relationship graph can then be monitored to detect anomalous activity.
-
Publication (announcement) No.: US20200287927A1
Publication (announcement) date: 2020-09-10
Application No.: US16883887
Application date: 2020-05-26
Applicant: Splunk Inc.
Inventor: Joseph Auguste Zadeh, Rodolfo Soto, George Apostolopoulos, John Clifton Pierce
Abstract: Techniques are described for analyzing data regarding activity in an IT environment to determine information regarding the entities associated with the activity and using the information to detect anomalous activity that may be indicative of malicious activity. In an embodiment, a plurality of events reflecting activity by a plurality of entities in an IT environment are processed to resolve the identities of the entities, discover how the entities fit within a topology of the IT environment, and determine what the entities are. This information is then used to generate an entity relationship graph that includes nodes representing the entities in the IT environment and edges connecting the nodes representing interaction relationships between the entities. In some embodiments, baselines are established by monitoring the activity between entities. This baseline information can be represented in the entity relationship graph in the form of directionality applied to the edges. The entity relationship graph can then be monitored to detect anomalous activity.
-
Publication (announcement) No.: US20200045049A1
Publication (announcement) date: 2020-02-06
Application No.: US16051236
Application date: 2018-07-31
Applicant: SPLUNK INC.
Abstract: Embodiments of the present invention are directed to facilitating detection of suspicious access to resources. In accordance with aspects of the present disclosure, an access graph is generated. The access graph contains access data that includes observed accesses between entities and resources. Access scores can be determined for entity-resource pairs in the access graph by applying a set of access rules to the entity-resource pairs in the access graph. The access scores indicate an extent of relatedness between the corresponding entity and resource. Thereafter, the access scores can be used to train a probabilistic prediction model that predicts suspiciousness of accesses between entities and resources.
-
Publication (announcement) No.: US11777945B1
Publication (announcement) date: 2023-10-03
Application No.: US17586086
Application date: 2022-01-27
Applicant: SPLUNK Inc.
CPC classification number: H04L63/102, G06F16/288, G06N7/00, G06N20/00, H04L63/1425
Abstract: Embodiments of the present invention are directed to facilitating detection of suspicious access to resources. In accordance with aspects of the present disclosure, an access graph is generated. The access graph contains access data that includes observed accesses between entities and resources. Access scores can be determined for entity-resource pairs in the access graph by applying a set of access rules to the entity-resource pairs in the access graph. The access scores indicate an extent of relatedness between the corresponding entity and resource. Thereafter, the access scores can be used to train a probabilistic prediction model that predicts suspiciousness of accesses between entities and resources.
-
Publication (announcement) No.: US20210286874A1
Publication (announcement) date: 2021-09-16
Application No.: US17332804
Application date: 2021-05-27
Applicant: Splunk Inc.
Inventor: Zhuxuan Jin, George Apostolopoulos
IPC: G06F21/55, G06F16/245, H04L29/06, G06F21/56
Abstract: A method is disclosed that includes receiving, at a computing device, an event log including multiple events, where the events are derived from machine data, determining a first score associated with a first granularity level by comparing an event from the event log with a first set of frequent patterns generated for the first granularity level, and determining a second score associated with a second granularity level by comparing the event with a second set of frequent patterns generated for the second granularity level. The method further includes determining an aggregate score for the event based on the first score and the second score, and comparing the aggregate score for the event with an anomaly score threshold. Further, the method includes issuing an alert identifying the event as an anomaly based on the aggregate score exceeding the anomaly score threshold.
-
Publication (announcement) No.: US10833942B2
Publication (announcement) date: 2020-11-10
Application No.: US16051001
Application date: 2018-07-31
Applicant: Splunk Inc.
Inventor: George Apostolopoulos, Zhuxuan Jin
Abstract: One or more embodiments are directed to behavior-based device clustering. A network traffic log of devices in the network is received. Features of devices are extracted from the network traffic log and aggregated into an aggregated feature matrix on a per-device basis. By applying a topic modeling algorithm to the aggregated feature matrix, the devices are clustered into device groups according to behavior groups. A device is assigned to a device group to create an assignment.
-
Publication (announcement) No.: US10237294B1
Publication (announcement) date: 2019-03-19
Application No.: US15420039
Application date: 2017-01-30
Applicant: Splunk Inc.
Inventor: Joseph Auguste Zadeh, Rodolfo Soto, George Apostolopoulos, John Clifton Pierce
Abstract: Techniques are described for analyzing data regarding activity in an IT environment to determine information regarding the entities associated with the activity and using the information to detect anomalous activity that may be indicative of malicious activity. In an embodiment, a plurality of events reflecting activity by a plurality of entities in an IT environment are processed to resolve the identities of the entities, discover how the entities fit within a topology of the IT environment, and determine what the entities are. This information is then used to generate an entity relationship graph that includes nodes representing the entities in the IT environment and edges connecting the nodes representing interaction relationships between the entities. In some embodiments, baselines are established by monitoring the activity between entities. This baseline information can be represented in the entity relationship graph in the form of directionality applied to the edges. The entity relationship graph can then be monitored to detect anomalous activity.
-
Publication (announcement) No.: US11586729B2
Publication (announcement) date: 2023-02-21
Application No.: US17332804
Application date: 2021-05-27
Applicant: Splunk Inc.
Inventor: Zhuxuan Jin, George Apostolopoulos
IPC: G06F21/55, G06F16/245, G06F21/56, H04L9/40
Abstract: A method is disclosed that includes receiving, at a computing device, an event log including multiple events, where the events are derived from machine data, determining a first score associated with a first granularity level by comparing an event from the event log with a first set of frequent patterns generated for the first granularity level, and determining a second score associated with a second granularity level by comparing the event with a second set of frequent patterns generated for the second granularity level. The method further includes determining an aggregate score for the event based on the first score and the second score, and comparing the aggregate score for the event with an anomaly score threshold. Further, the method includes issuing an alert identifying the event as an anomaly based on the aggregate score exceeding the anomaly score threshold.
-
Publication (announcement) No.: US10693900B2
Publication (announcement) date: 2020-06-23
Application No.: US16250989
Application date: 2019-01-17
Applicant: SPLUNK INC.
Inventor: Joseph Auguste Zadeh, Rodolfo Soto, George Apostolopoulos, John Clifton Pierce
Abstract: Techniques are described for analyzing data regarding activity in an IT environment to determine information regarding the entities associated with the activity and using the information to detect anomalous activity that may be indicative of malicious activity. In an embodiment, a plurality of events reflecting activity by a plurality of entities in an IT environment are processed to resolve the identities of the entities, discover how the entities fit within a topology of the IT environment, and determine what the entities are. This information is then used to generate an entity relationship graph that includes nodes representing the entities in the IT environment and edges connecting the nodes representing interaction relationships between the entities. In some embodiments, baselines are established by monitoring the activity between entities. This baseline information can be represented in the entity relationship graph in the form of directionality applied to the edges. The entity relationship graph can then be monitored to detect anomalous activity.
-
Publication (announcement) No.: US10693898B2
Publication (announcement) date: 2020-06-23
Application No.: US15885485
Application date: 2018-01-31
Applicant: Splunk, Inc.
Inventor: Marios Iliofotou, Bo Lei, Essam Zaky, Karthik Kannan, George Apostolopoulos, Jeswanth Manikonda, Sitaram Venkatraman
IPC: H04L29/06
Abstract: A network connection between a server group of a data intake and query system and each of one or more source network nodes is established. The server group includes an indexer server and a model management server. Source data at the server group is received from at least one of the one or more source network nodes. A model management server detects data constraints for a security model. The data constraints include a data element used by the security model and an availability requirement set. Using the timestamped entries, the data constraints are validated to obtain a validation result. The model management server determines a data availability assessment of the security model based on the validation result. The data availability assessment of the security model is stored in computer storage.