US 11,810,012 B2
Identifying event distributions using interrelated events
Christopher Poirel, Baltimore, MD (US); William Renner, Baltimore, MD (US); Eduardo Luiggi, Ellicott City, MD (US); and Phillip Bracikowski, Indianapolis, IN (US)
Assigned to Forcepoint LLC, Austin, TX (US)
Filed by Forcepoint, LLC, Austin, TX (US)
Filed on Jul. 12, 2018, as Appl. No. 16/033,788.
Prior Publication US 2020/0019874 A1, Jan. 16, 2020
Int. Cl. H04L 9/40 (2022.01); G06N 7/01 (2023.01)
CPC G06N 7/01 (2023.01) [H04L 63/1425 (2013.01)] 20 Claims
OG exemplary drawing
1. A computer-implementable method for identifying probability distributions, comprising:
receiving a stream of events, the stream of events comprising a plurality of events, each of the plurality of events referring to an occurrence of an action performed by an entity;
extracting features from the plurality of events, at least some extracted features corresponding to interrelated events;
identifying items of interest based upon the interrelated events;
generating a distribution value based upon the items of interest, the distribution value comprising a feature score for the items of interest, the feature score being generated based upon a scoring container update operation, the scoring container update operation using a scoring container, the scoring container comprising a container implemented to provide an approximation of a probability distribution over the values the scoring container contains, based upon samples from the probability distribution, the container comprising a data structure storing a collection of objects in an organized way according to an access rule; and,
performing a security analytics operation, the security analytics operation using the distribution value to identify anomalous, abnormal, unexpected or malicious behavior associated with the entity; and wherein
the scoring container is implemented as one or both of a percentile container or a delta container, the percentile container collecting probability distributions of features extracted from the interrelated events to provide percentile probability distributions, the percentile probability distributions of the features then being used to generate the feature score, the delta container collecting probability distributions of features extracted from the interrelated events to provide delta probability distributions, the delta probability distributions of the features being used to update event data.
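Added illustration of the claimed method (not code from the patent or from Forcepoint): a stream of entity events is run through per-entity scoring containers, a percentile container turns each new feature value into a percentile rank that serves as the feature score, a delta container scores the change between consecutive values and writes that delta back onto the event record, and an analytics step flags records whose score crosses a threshold. The class names, the `min_samples` warm-up, the 0.95 threshold and the event stream are all assumptions made for this example; the events are constructed.

```python
from bisect import bisect_left, insort
from collections import defaultdict, deque


class PercentileContainer:
    """Scoring container: a bounded, sorted sample of observed feature values
    that approximates the feature's probability distribution. The percentile
    rank of a new value within that sample is used as the feature score."""

    def __init__(self, capacity=1000):
        self.capacity = capacity
        self.by_arrival = deque()   # insertion order, so the oldest sample is evicted
        self.sorted = []            # same values kept sorted for percentile lookup

    def __len__(self):
        return len(self.sorted)

    def percentile(self, value):
        """Fraction of stored samples strictly below `value` (0.0 .. 1.0)."""
        if not self.sorted:
            return 0.5              # no evidence either way
        return bisect_left(self.sorted, value) / len(self.sorted)

    def update(self, value):
        """Scoring container update operation: add one sample, enforce the cap."""
        self.by_arrival.append(value)
        insort(self.sorted, value)
        if len(self.by_arrival) > self.capacity:
            evicted = self.by_arrival.popleft()
            del self.sorted[bisect_left(self.sorted, evicted)]


class DeltaContainer:
    """Scoring container over the change between consecutive values of one
    feature for one entity. It keeps the last value so each new event can be
    annotated with its delta (the 'update event data' step of the claim)."""

    def __init__(self, capacity=1000):
        self.last_value = None
        self.deltas = PercentileContainer(capacity)

    def delta_for(self, value):
        return None if self.last_value is None else value - self.last_value

    def update(self, value):
        d = self.delta_for(value)
        if d is not None:
            self.deltas.update(abs(d))
        self.last_value = value


def extract_feature(event):
    """Feature extraction: the feature here is the byte count of an action."""
    entity, action, nbytes = event
    return entity, action, float(nbytes)


def analyze(events, threshold=0.95, min_samples=5):
    """Stream events through per-(entity, action) containers and return one
    enriched record per event. Scores stay None until a container holds
    `min_samples` values, so a young baseline cannot raise an alert."""
    value_containers = defaultdict(PercentileContainer)
    delta_containers = defaultdict(DeltaContainer)
    results = []
    for event in events:
        entity, action, value = extract_feature(event)
        key = (entity, action)
        vc, dc = value_containers[key], delta_containers[key]

        value_score = vc.percentile(value) if len(vc) >= min_samples else None
        delta = dc.delta_for(value)
        delta_score = None
        if delta is not None and len(dc.deltas) >= min_samples:
            delta_score = dc.deltas.percentile(abs(delta))

        # security analytics step: a high percentile on either distribution
        anomalous = any(s is not None and s >= threshold
                        for s in (value_score, delta_score))
        results.append({"entity": entity, "action": action, "value": value,
                        "value_score": value_score, "delta": delta,
                        "delta_score": delta_score, "anomalous": anomalous})

        vc.update(value)   # update after scoring, so history excludes this event
        dc.update(value)
    return results


# Constructed sample stream: nine ordinary uploads by one entity, then one
# very large transfer (a constructed outlier, not real data).
SAMPLE_EVENTS = [
    ("alice", "upload", 120), ("alice", "upload", 150), ("alice", "upload", 130),
    ("alice", "upload", 110), ("alice", "upload", 140), ("alice", "upload", 125),
    ("alice", "upload", 135), ("alice", "upload", 145), ("alice", "upload", 115),
    ("alice", "upload", 9000),
]

if __name__ == "__main__":
    for r in analyze(SAMPLE_EVENTS):
        flag = "ALERT" if r["anomalous"] else "ok"
        print(f"{r['entity']:6} {r['value']:8.0f} score={r['value_score']} "
              f"delta_score={r['delta_score']} {flag}")
```

Scoring before updating matters: if the new value were inserted first, every observation would be compared against a history that already contains it, and the outlier would never reach the top percentile. The warm-up guard is the other practical point, since a percentile computed over one or two samples is always 0 or 1 and would flood an analyst with alerts for every new entity.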