-
1.
Publication No.: US10986110B2
Publication Date: 2021-04-20
Application No.: US15498406
Filing Date: 2017-04-26
Applicant: Elasticsearch B.V.
Inventor: Stephen Dodson, Thomas Veasey
Abstract: Anomaly and causation detection in computing environments are disclosed. An example method includes receiving an input stream of data instances for a time series, each of the data instances being time stamped and including at least one principle value and a set of categorical attributes; generating anomaly scores for each of the data instances over continuous time intervals; detecting a change in the anomaly scores over the continuous time intervals for the data instances; and identifying which of the set of categorical attributes of the data instances caused the change in the anomaly scores using a counterfactual analysis. The counterfactual analysis may comprise removing a portion of the data instances; regenerating the anomaly scores for each of the remaining data instances over the continuous time intervals; and if the anomaly scores are improved, identifying the portion as a cause of anomalous activity. Recommendations to remediate the cause may be generated.
-
2.
Publication No.: US11621969B2
Publication Date: 2023-04-04
Application No.: US15857186
Filing Date: 2017-12-28
Applicant: Elasticsearch B.V.
Inventor: Stephen Dodson, Thomas Veasey
IPC: H04L9/40, G06N5/025, G06F7/483, G06F16/28, H04L43/16, H04L41/14, H04L41/147, H04L41/22, H04L41/5019, H04L43/0876, G06N20/00
Abstract: Clustering and outlier detection in anomaly and causation detection for computing environments is disclosed. An example method includes receiving an input stream having data instances, each of the data instances having multi-dimensional attribute sets, identifying any of outliers and singularities in the data instances, extracting the outliers and singularities, grouping two or more of the data instances into one or more groups based on correspondence between the multi-dimensional attribute sets and a clustering type, and displaying the grouped data instances that are not extracted in a plurality of clustering maps on an interactive graphical user interface, wherein each of the plurality of clustering maps is based on a unique clustering type.
-
Publication No.: US20220327409A1
Publication Date: 2022-10-13
Application No.: US17848239
Filing Date: 2022-06-23
Applicant: Elasticsearch B.V.
Inventor: Stephen Dodson, Thomas Veasey
Abstract: Real time detection of cyber threats using behavioral analytics is disclosed. An example method includes obtaining, in real time, attributes for an entity within a population of entities, the attributes being indicative of entity behavior; building an entity probability model using the attributes and associated values collected over a period of time; and establishing a control portion of the entity probability model associated with a portion of the period of time. The example method includes comparing any of the entity attribute values and the entity probability model for other portions of the period of time to the control portion to identify one or more anomalous differences, and executing a remediation action based thereon. Some embodiments include determining a set comprising the anomalous differences and additional anomalous differences for the entity or the entity's peer group, and calculating the set's overall probability to determine if the entity is malicious.
-
Publication No.: US12282860B2
Publication Date: 2025-04-22
Application No.: US15855823
Filing Date: 2017-12-27
Applicant: Elasticsearch B.V.
Inventor: Thomas Veasey, Stephen Dodson
IPC: G06N5/02, G06F16/25, G06Q10/04, G06Q10/0631
Abstract: Forecasting resource allocation is disclosed. An example method includes receiving operating data from a resource; applying periodicity tests to the received operating data using a plurality of sketches of time series of prior operating data, the periodicity tests generating periodic components; applying regression models to the received operating data, the regression models collectively generating a trend component, each regression model being applied over a different time scale of a plurality of time scales; computing a trend model using the periodic components and a trend component; determining a random process describing the historical evolution of the trend model; and calculating and providing a mean prediction, an upper bound, and a lower bound for resource utilization at a future time using the trend model and a predicted distribution.
-
5.
Publication No.: US20210194910A1
Publication Date: 2021-06-24
Application No.: US17192787
Filing Date: 2021-03-04
Applicant: Elasticsearch B.V.
Inventor: Stephen Dodson, Thomas Veasey
Abstract: Anomaly and causation detection in computing environments are disclosed. An example method includes receiving an input stream of data instances for a time series, each of the data instances being time stamped and including at least one principle value and a set of categorical attributes; generating anomaly scores for each of the data instances over time intervals; detecting a change in the anomaly scores over the time intervals for the data instances; and identifying which of the set of categorical attributes of the data instances caused the change in the anomaly scores using a counterfactual analysis. The counterfactual analysis may comprise removing a portion of the data instances; regenerating the anomaly scores for each of the remaining data instances over the time intervals; and if the anomaly scores are improved, identifying the portion as a cause of anomalous activity. Recommendations to remediate the cause may be generated.
-
Publication No.: US20190197413A1
Publication Date: 2019-06-27
Application No.: US15855823
Filing Date: 2017-12-27
Applicant: Elasticsearch B.V.
Inventor: Thomas Veasey, Stephen Dodson
CPC classification number: G06N5/02, G06F16/252
Abstract: Forecasting resource allocation is disclosed. An example method includes receiving operating data from a resource; applying periodicity tests to the received operating data using a plurality of sketches of time series of prior operating data, the periodicity tests generating periodic components; applying regression models to the received operating data, the regression models collectively generating a trend component, each regression model being applied over a different time scale of a plurality of time scales; computing a trend model using the periodic components and a trend component; determining a random process describing the historical evolution of the trend model; and calculating and providing a mean prediction, an upper bound, and a lower bound for resource utilization at a future time using the trend model and a predicted distribution.
-
Publication No.: US20180330257A1
Publication Date: 2018-11-15
Application No.: US15590439
Filing Date: 2017-05-09
Applicant: Elasticsearch B.V.
Inventor: Stephen Dodson, Thomas Veasey
CPC classification number: G06N7/005, G06F17/30294, G06F21/00, G06F2221/034, G06N3/086, G06N3/126, G06N99/005
Abstract: Real time detection of cyber threats using behavioral analytics is disclosed. An example method includes obtaining, in real time, attributes for an entity within a population of entities, the attributes being indicative of entity behavior; building an entity probability model using the attributes and associated values collected over a period of time; and establishing a control portion of the entity probability model associated with a portion of the period of time. The example method includes comparing any of the entity attribute values and the entity probability model for other portions of the period of time to the control portion to identify one or more anomalous differences, and executing a remediation action based thereon. Some embodiments include determining a set comprising the anomalous differences and additional anomalous differences for the entity or the entity's peer group, and calculating the set's overall probability to determine if the entity is malicious.
-
Publication No.: US20180314835A1
Publication Date: 2018-11-01
Application No.: US15855748
Filing Date: 2017-12-27
Applicant: Elasticsearch B.V.
Inventor: Stephen Dodson, Thomas Veasey, David Mark Roberts
Abstract: Anomaly detection in computing environments is disclosed herein. An example method includes receiving an unstructured input stream of data instances from the computing environment, the unstructured input stream being time stamped; categorizing the data instances of the unstructured input stream of data instances, the data instances comprising at least one principle value and a set of categorical attributes determined through machine learning; generating anomaly scores for each of the data instances collected over a period of time; and detecting a change in the categorical attribute that is indicative of an anomaly.
-
Publication No.: US11783046B2
Publication Date: 2023-10-10
Application No.: US15855748
Filing Date: 2017-12-27
Applicant: Elasticsearch B.V.
Inventor: Stephen Dodson, Thomas Veasey, David Mark Roberts
CPC classification number: G06F21/577, G06F21/552, G06N20/00, G06N20/20, G06F2221/034, G06N5/025
Abstract: Anomaly detection in computing environments is disclosed herein. An example method includes receiving an unstructured input stream of data instances from the computing environment, the unstructured input stream being time stamped; categorizing the data instances of the unstructured input stream of data instances, the data instances comprising at least one principle value and a set of categorical attributes determined through machine learning; generating anomaly scores for each of the data instances collected over a period of time; and detecting a change in the categorical attribute that is indicative of an anomaly.
-
Publication No.: US11386343B2
Publication Date: 2022-07-12
Application No.: US15590439
Filing Date: 2017-05-09
Applicant: Elasticsearch B.V.
Inventor: Stephen Dodson, Thomas Veasey
Abstract: Real time detection of cyber threats using behavioral analytics is disclosed. An example method includes obtaining, in real time, attributes for an entity within a population of entities, the attributes being indicative of entity behavior; building an entity probability model using the attributes and associated values collected over a period of time; and establishing a control portion of the entity probability model associated with a portion of the period of time. The example method includes comparing any of the entity attribute values and the entity probability model for other portions of the period of time to the control portion to identify one or more anomalous differences, and executing a remediation action based thereon. Some embodiments include determining a set comprising the anomalous differences and additional anomalous differences for the entity or the entity's peer group, and calculating the set's overall probability to determine if the entity is malicious.