US 11,811,799 B2
Identifying security risks using distributions of characteristic features extracted from a plurality of events
Eduardo Luiggi, Ellicott City, MD (US); Christopher Poirel, Baltimore, MD (US); and Ann Irvine, Baltimore, MD (US)
Assigned to Forcepoint LLC, Austin, TX (US)
Filed by Forcepoint, LLC, Austin, TX (US)
Filed on Aug. 31, 2018, as Appl. No. 16/119,156.
Prior Publication US 2020/0076839 A1, Mar. 5, 2020
Int. Cl. H04L 29/00 (2006.01); H04L 9/40 (2022.01); G06F 16/28 (2019.01)
CPC H04L 63/1425 (2013.01) [G06F 16/285 (2019.01); H04L 63/1433 (2013.01)] 21 Claims
OG exemplary drawing
 
1. A computer-implementable method for constructing a distribution of event features for identifying security risk factors, comprising:
receiving a stream of events, the stream of events comprising a plurality of events, some of the plurality of events comprising multiple feature types, the multiple feature types comprising non-categorical features and categorical features, the non-categorical features comprising at least one of a raw number feature and a binary feature, the categorical features comprising something other than the raw number feature and the binary feature;
extracting a categorical feature from the plurality of events, wherein
the categorical feature includes a set of categorical feature members, and
the categorical feature members are strings having one or more common characteristics defined by the categorical feature that are extracted from events of the stream of events;
constructing a distribution for the categorical feature based on categorical feature members extracted from the plurality of events, the distribution representing a discrete probability distribution, the discrete probability distribution describing a possibility that a categorical feature member of the set of categorical feature members will occur in an event, the constructing the distribution of categorical features comprising performing a scoring container update operation, the scoring container update operation constructing and maintaining probability distribution corresponding to features associated with an event occurring during a particular interval of time; and,
analyzing the distribution of the categorical feature to identify one or more security risk factors.
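The following is an added illustration of the method recited in claim 1, written for this listing; it is not Forcepoint's implementation and nothing in it is taken from the patent beyond the claim's own terms. It assumes a constructed event stream in which each event carries a categorical string feature (here named dest_domain), a raw number feature (bytes_out) and a binary feature (after_hours); the one-hour interval, the member-probability threshold and the two "risk factor" rules (a member that is rare within its interval, or novel relative to all earlier intervals) are choices made for the example, not details the claim specifies.

```python
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional

# Constructed sample events (not from the patent). Each event mixes the
# feature types named in the claim: a categorical string (dest_domain), a
# raw number (bytes_out) and a binary flag (after_hours). The last event
# lacks the categorical feature and must be skipped, not counted.
SAMPLE_EVENTS = [
    {"ts": "2018-08-31T09:02:00Z", "user": "alice", "dest_domain": "mail.example.com", "bytes_out": 1200, "after_hours": 0},
    {"ts": "2018-08-31T09:10:00Z", "user": "alice", "dest_domain": "mail.example.com", "bytes_out": 800, "after_hours": 0},
    {"ts": "2018-08-31T09:15:00Z", "user": "bob", "dest_domain": "mail.example.com", "bytes_out": 2200, "after_hours": 0},
    {"ts": "2018-08-31T09:20:00Z", "user": "alice", "dest_domain": "docs.example.com", "bytes_out": 4100, "after_hours": 0},
    {"ts": "2018-08-31T09:33:00Z", "user": "bob", "dest_domain": "mail.example.com", "bytes_out": 600, "after_hours": 0},
    {"ts": "2018-08-31T09:47:00Z", "user": "alice", "dest_domain": "mail.example.com", "bytes_out": 900, "after_hours": 0},
    {"ts": "2018-08-31T14:05:00Z", "user": "alice", "dest_domain": "mail.example.com", "bytes_out": 700, "after_hours": 0},
    {"ts": "2018-08-31T14:12:00Z", "user": "bob", "dest_domain": "docs.example.com", "bytes_out": 3900, "after_hours": 0},
    {"ts": "2018-08-31T14:20:00Z", "user": "alice", "dest_domain": "mail.example.com", "bytes_out": 1000, "after_hours": 0},
    {"ts": "2018-08-31T14:41:00Z", "user": "carol", "dest_domain": "paste.example.org", "bytes_out": 512000, "after_hours": 0},
    {"ts": "2018-08-31T14:50:00Z", "user": "carol", "bytes_out": 300, "after_hours": 1},
]


def interval_start(ts: str, interval_seconds: int) -> str:
    """Map an ISO-8601 UTC timestamp to the start of its time interval (assumed one hour)."""
    epoch = int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())
    start = epoch - epoch % interval_seconds
    return datetime.fromtimestamp(start, tz=timezone.utc).isoformat()


def extract_member(event: dict, feature: str) -> Optional[str]:
    """Return the categorical feature member (a string) or None if absent or not categorical."""
    value = event.get(feature)
    return value if isinstance(value, str) else None


class ScoringContainer:
    """Per-interval counts of categorical members, exposed as a discrete probability distribution."""

    def __init__(self) -> None:
        self.counts: Counter = Counter()

    def update(self, member: str) -> None:
        self.counts[member] += 1

    @property
    def total(self) -> int:
        return sum(self.counts.values())

    def distribution(self) -> Dict[str, float]:
        total = self.total
        return {m: c / total for m, c in self.counts.items()} if total else {}

    def probability(self, member: str) -> float:
        return self.counts[member] / self.total if self.total else 0.0

    def merge(self, other: "ScoringContainer") -> None:
        self.counts.update(other.counts)


def build_containers(events: Iterable[dict], feature: str, interval_seconds: int = 3600) -> Dict[str, ScoringContainer]:
    """Scoring container update operation: one container per interval, keyed by interval start."""
    containers: Dict[str, ScoringContainer] = {}
    for event in events:
        member = extract_member(event, feature)
        if member is None:
            continue
        key = interval_start(event["ts"], interval_seconds)
        containers.setdefault(key, ScoringContainer()).update(member)
    return dict(sorted(containers.items()))


def identify_risk_factors(containers: Dict[str, ScoringContainer], min_probability: float = 0.15) -> List[dict]:
    """Flag members that are novel against all earlier intervals, or rare within their own interval."""
    baseline = ScoringContainer()
    findings: List[dict] = []
    for key, container in containers.items():
        for member, p in container.distribution().items():
            if baseline.total and baseline.probability(member) == 0.0:
                findings.append({"interval": key, "member": member, "probability": p, "reason": "novel"})
            elif p < min_probability:
                findings.append({"interval": key, "member": member, "probability": p, "reason": "rare"})
        baseline.merge(container)
    return findings


if __name__ == "__main__":
    for finding in identify_risk_factors(build_containers(SAMPLE_EVENTS, "dest_domain")):
        print(finding)
```

Only the categorical feature feeds the distribution; the raw number and binary features ride along in the events but are deliberately not counted, mirroring the claim's separation of feature types. On the sample stream the first interval yields mail.example.com at 5/6 and docs.example.com at 1/6, and the second interval surfaces paste.example.org as a member with zero probability in the baseline, which is the single risk factor reported.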