-
Publication (Announcement) No.: US11586729B2
Publication (Announcement) Date: 2023-02-21
Application No.: US17332804
Filing Date: 2021-05-27
Applicant: Splunk Inc.
Inventor: Zhuxuan Jin, George Apostolopoulos
IPC: G06F21/55, G06F16/245, G06F21/56, H04L9/40
Abstract: A method is disclosed that includes receiving, at a computing device, an event log including multiple events, where the events are derived from machine data, determining a first score associated with a first granularity level by comparing an event from the event log with a first set of frequent patterns generated for the first granularity level, and determining a second score associated with a second granularity level by comparing the event with a second set of frequent patterns generated for the second granularity level. The method further includes determining an aggregate score for the event based on the first score and the second score, and comparing the aggregate score for the event with an anomaly score threshold. Further, the method includes issuing an alert identifying the event as an anomaly based on the aggregate score exceeding the anomaly score threshold.
-
Publication (Announcement) No.: US20210286874A1
Publication (Announcement) Date: 2021-09-16
Application No.: US17332804
Filing Date: 2021-05-27
Applicant: Splunk Inc.
Inventor: Zhuxuan Jin, George Apostolopoulos
IPC: G06F21/55, G06F16/245, H04L29/06, G06F21/56
Abstract: A method is disclosed that includes receiving, at a computing device, an event log including multiple events, where the events are derived from machine data, determining a first score associated with a first granularity level by comparing an event from the event log with a first set of frequent patterns generated for the first granularity level, and determining a second score associated with a second granularity level by comparing the event with a second set of frequent patterns generated for the second granularity level. The method further includes determining an aggregate score for the event based on the first score and the second score, and comparing the aggregate score for the event with an anomaly score threshold. Further, the method includes issuing an alert identifying the event as an anomaly based on the aggregate score exceeding the anomaly score threshold.
-
Publication (Announcement) No.: US10833942B2
Publication (Announcement) Date: 2020-11-10
Application No.: US16051001
Filing Date: 2018-07-31
Applicant: Splunk Inc.
Inventor: George Apostolopoulos, Zhuxuan Jin
Abstract: One or more embodiments are directed to behavior-based device clustering. A network traffic log of devices in the network is received. Features of devices are extracted from the network traffic log and aggregated into an aggregated feature matrix on a per-device basis. By applying a topic modeling algorithm to the aggregated feature matrix, the devices are clustered into device groups according to behavior groups. A device is assigned to the device group to create an assignment.
-
Publication (Announcement) No.: US11829471B2
Publication (Announcement) Date: 2023-11-28
Application No.: US18098566
Filing Date: 2023-01-18
Applicant: Splunk Inc.
Inventor: Zhuxuan Jin, George Apostolopoulos
IPC: G06F21/55, G06F16/245, G06F21/56, H04L9/40
CPC classification number: G06F21/554, G06F16/245, G06F21/552, G06F21/56, H04L63/1416, G06F2221/034
Abstract: A method is disclosed that includes receiving, at a computing device, an event log including events derived from machine data, and determining a score by comparing an event from the event log with frequent patterns of features. Determining the score includes determining a length of a frequent pattern within the event in the event log and a count of occurrences of the frequent pattern within the events, determining a contribution of the frequent pattern based on the length and the count, determining a penalty for an unmatched feature of the event based on a cardinality of the events, and averaging the contribution and the penalty to obtain the score. The method further includes issuing an alert identifying the event as an anomaly using the score and an anomaly score threshold.
-
Publication (Announcement) No.: US20230153430A1
Publication (Announcement) Date: 2023-05-18
Application No.: US18098566
Filing Date: 2023-01-18
Applicant: Splunk Inc.
Inventor: Zhuxuan Jin, George Apostolopoulos
IPC: G06F21/55, G06F16/245, G06F21/56, H04L9/40
CPC classification number: G06F21/554, G06F16/245, G06F21/552, G06F21/56, H04L63/1416, G06F2221/034
Abstract: A method is disclosed that includes receiving, at a computing device, an event log including events derived from machine data, and determining a score by comparing an event from the event log with frequent patterns of features. Determining the score includes determining a length of a frequent pattern within the event in the event log and a count of occurrences of the frequent pattern within the events, determining a contribution of the frequent pattern based on the length and the count, determining a penalty for an unmatched feature of the event based on a cardinality of the events, and averaging the contribution and the penalty to obtain the score. The method further includes issuing an alert identifying the event as an anomaly using the score and an anomaly score threshold.
-
Publication (Announcement) No.: US11055405B1
Publication (Announcement) Date: 2021-07-06
Application No.: US16399734
Filing Date: 2019-04-30
Applicant: Splunk Inc.
Inventor: Zhuxuan Jin, George Apostolopoulos
IPC: G06F21/55, G06F16/245, G06F21/56, H04L29/06
Abstract: A method is disclosed. The method includes: receiving, at a computing device, an event log including a plurality of events, where the plurality of events are derived from machine data generated by components of an information technology environment; determining a first score associated with a first granularity level by comparing a first event from the event log with a first plurality of frequent patterns generated for the first granularity level; determining a second score associated with a second granularity level by comparing the first event with a second plurality of frequent patterns generated for the second granularity level; determining an aggregate score for the first event based on the first score and the second score; comparing the aggregate score for the first event with an anomaly score threshold; and issuing an alert identifying the first event as an anomaly based on the aggregate score exceeding the anomaly score threshold.
-
Publication (Announcement) No.: US11799728B2
Publication (Announcement) Date: 2023-10-24
Application No.: US17588447
Filing Date: 2022-01-31
Applicant: Splunk Inc.
Inventor: George Apostolopoulos, Zhuxuan Jin
IPC: H04L41/0893, H04L41/14, H04L9/40, H04L41/082, H04L43/02, H04L43/04, H04L41/22, H04L67/303, G06F18/2415
CPC classification number: H04L41/0893, G06F18/24155, H04L41/082, H04L41/145, H04L41/22, H04L43/02, H04L43/04, H04L63/1425, H04L67/303
Abstract: One or more embodiments are directed to multistage device clustering. A log including network traffic of multiple devices in a network is received. From the log, features of the devices are extracted and an aggregated feature matrix is generated. A traffic behavior subset of the features in the aggregated feature matrix is selected, and a topic modeling algorithm is applied thereto to obtain traffic behavior device groups. An application behavior subset of the features in the aggregated feature matrix is selected. On a per traffic behavior device group basis, the topic modeling algorithm is applied to the application behavior subset to obtain application behavior device subgroups. One or more devices are assigned to at least one of the application behavior device subgroups to obtain an assignment.
-
Publication (Announcement) No.: US20220158904A1
Publication (Announcement) Date: 2022-05-19
Application No.: US17588447
Filing Date: 2022-01-31
Applicant: Splunk Inc.
Inventor: George Apostolopoulos, Zhuxuan Jin
IPC: H04L41/0893, H04L41/14, H04L9/40, H04L41/082, H04L43/02, G06K9/62, H04L43/04, H04L41/22, H04L67/303
Abstract: One or more embodiments are directed to multistage device clustering. A log including network traffic of multiple devices in a network is received. From the log, features of the devices are extracted and an aggregated feature matrix is generated. A traffic behavior subset of the features in the aggregated feature matrix is selected, and a topic modeling algorithm is applied thereto to obtain traffic behavior device groups. An application behavior subset of the features in the aggregated feature matrix is selected. On a per traffic behavior device group basis, the topic modeling algorithm is applied to the application behavior subset to obtain application behavior device subgroups. One or more devices are assigned to at least one of the application behavior device subgroups to obtain an assignment.
-
Publication (Announcement) No.: US11277312B2
Publication (Announcement) Date: 2022-03-15
Application No.: US17035295
Filing Date: 2020-09-28
Applicant: Splunk Inc.
Inventor: George Apostolopoulos, Zhuxuan Jin
IPC: H04L12/24, H04L29/06, H04L12/26, G06K9/62, H04L29/08, H04L41/0893, H04L41/14, H04L41/082, H04L43/02, H04L43/04, H04L41/22, H04L67/303
Abstract: One or more embodiments are directed to behavior-based device clustering. A network traffic log of devices in the network is received. Features of devices are extracted from the network traffic log and aggregated into an aggregated feature matrix on a per-device basis. By applying a topic modeling algorithm to the aggregated feature matrix, the devices are clustered into device groups according to behavior groups. A device is assigned to the device group to create an assignment.
-
Publication (Announcement) No.: US20210014120A1
Publication (Announcement) Date: 2021-01-14
Application No.: US17035295
Filing Date: 2020-09-28
Applicant: Splunk Inc.
Inventor: George Apostolopoulos, Zhuxuan Jin
Abstract: One or more embodiments are directed to behavior-based device clustering. A network traffic log of devices in the network is received. Features of devices are extracted from the network traffic log and aggregated into an aggregated feature matrix on a per-device basis. By applying a topic modeling algorithm to the aggregated feature matrix, the devices are clustered into device groups according to behavior groups. A device is assigned to the device group to create an assignment.