US 11,876,821 B1
Combined real-time and batch threat detection
Robert Winslow Pratt, Woodside, CA (US); and Ravi Prasad Bulusu, San Jose, CA (US)
Assigned to SPLUNK INC., San Francisco, CA (US)
Filed by Splunk Inc., San Francisco, CA (US)
Filed on Feb. 9, 2023, as Appl. No. 18/167,040.
Application 18/167,040 is a continuation of application No. 17/236,890, filed on Apr. 21, 2021, granted, now 11,606,379.
Application 17/236,890 is a continuation of application No. 16/886,542, filed on May 28, 2020, granted, now 11,019,088, issued on May 25, 2021.
Application 16/886,542 is a continuation of application No. 15/276,647, filed on Sep. 26, 2016, granted, now 10,673,880, issued on Jun. 2, 2020.
Int. Cl. H04L 29/06 (2006.01); H04L 29/08 (2006.01); H04L 9/14 (2006.01); H04L 9/40 (2022.01); G06N 20/00 (2019.01)
CPC H04L 63/1425 (2013.01) [G06N 20/00 (2019.01); H04L 63/1416 (2013.01); H04L 63/1433 (2013.01); H04L 63/20 (2013.01); H04L 2463/121 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A method comprising:
receiving, at a threat indicator detection system, first event data indicative of a first activity on a computer network and second event data indicative of a second activity on the computer network;
applying a first machine learning anomaly detection model to the first event data, by a real-time analysis engine operated by the threat indicator detection system in real time, to detect first anomaly data;
applying a second machine learning anomaly detection model to the first anomaly data and the second event data, by a batch analysis engine operated by the threat indicator detection system in a batch mode, to detect second anomaly data;
detecting third anomaly data using an anomaly detection rule; and
processing, by the threat indicator detection system using a threat indicator model, the first anomaly data, the second anomaly data, and the third anomaly data to identify a threat indicator associated with a potential security threat to the computer network.
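The four stages of claim 1 fit together as a single pipeline: a streaming model scores each first-stream event against history seen so far, a batch model later revisits those anomalies together with a second event stream and population-wide context the real-time path never has, a fixed rule contributes a third anomaly stream, and a threat indicator model fuses all three so that a single-source anomaly alone does not become an indicator. The following is an added, self-contained illustration of that flow and is not code from the patent or from Splunk. The event records, user names, thresholds, weights and the z-score baselines used in place of the claim's machine learning models are all constructed assumptions for the example.

```python
"""Toy end-to-end version of the four-stage pipeline in claim 1 (constructed example).

Authentication events (first event data) feed a per-user streaming baseline (real-time
engine). Its anomalies plus outbound transfer events (second event data) feed a
population-level model (batch engine). A fixed rule yields a third anomaly stream.
A weighted threat indicator model fuses all three.
"""
from collections import defaultdict
from statistics import mean, pstdev

# --- constructed sample data; "hour" is the hour of day of the event ---------------
AUTH_EVENTS = [                          # first event data, in arrival order
    {"user": "alice", "hour": 9, "ok": True},
    {"user": "bob",   "hour": 9, "ok": False},
    {"user": "carol", "hour": 8, "ok": True},
    {"user": "dave",  "hour": 9, "ok": True},
    {"user": "alice", "hour": 9, "ok": True},
    {"user": "bob",   "hour": 9, "ok": False},
    {"user": "dave",  "hour": 10, "ok": True},
    {"user": "alice", "hour": 10, "ok": True},
    {"user": "carol", "hour": 9, "ok": True},
    {"user": "bob",   "hour": 10, "ok": False},
    {"user": "dave",  "hour": 9, "ok": True},
    {"user": "alice", "hour": 9, "ok": True},
    {"user": "bob",   "hour": 10, "ok": True},
    {"user": "dave",  "hour": 10, "ok": True},
    {"user": "carol", "hour": 9, "ok": True},
    {"user": "alice", "hour": 3, "ok": True},    # off-hours login
    {"user": "dave",  "hour": 2, "ok": True},    # off-hours login
]
TRANSFER_EVENTS = [                      # second event data: outbound bytes per user
    {"user": "alice", "bytes": 50_000},
    {"user": "bob",   "bytes": 2_000},
    {"user": "carol", "bytes": 3_000},
    {"user": "dave",  "bytes": 2_500},
]

MIN_HISTORY = 3       # observations before a user can be scored (assumption)
STD_FLOOR = 1.0       # hours; keeps a flat baseline from dividing by ~0 (assumption)
Z_THRESHOLD = 2.0

def realtime_engine(events):
    """Streaming per-user baseline (stand-in for the first ML model): score each event
    against the user's own history seen so far, then fold it in. Returns first anomaly data."""
    history, anomalies = defaultdict(list), []
    for ev in events:
        past = history[ev["user"]]
        if len(past) >= MIN_HISTORY:
            z = (ev["hour"] - mean(past)) / max(pstdev(past), STD_FLOOR)
            if abs(z) > Z_THRESHOLD:
                anomalies.append({"user": ev["user"], "source": "realtime",
                                  "detail": f"login hour z={z:.1f}"})
        past.append(ev["hour"])
    return anomalies

def batch_engine(first_anomalies, transfer_events):
    """Population-level model over the whole window (stand-in for the second ML model):
    compare each user's volume with every other user's, and add weight for real-time
    anomalies already raised for that user. Returns second anomaly data."""
    volume, rt_hits = defaultdict(int), defaultdict(int)
    for ev in transfer_events:
        volume[ev["user"]] += ev["bytes"]
    for a in first_anomalies:
        rt_hits[a["user"]] += 1
    vols = list(volume.values())
    mu, sigma = mean(vols), max(pstdev(vols), 1.0)
    anomalies = []
    for user, v in volume.items():
        score = (v - mu) / sigma + rt_hits[user]        # additive fusion (assumption)
        if score > 1.5:
            anomalies.append({"user": user, "source": "batch",
                              "detail": f"volume score {score:.2f}"})
    return anomalies

FAILED_LOGIN_LIMIT = 3

def rule_engine(events):
    """Fixed anomaly detection rule: FAILED_LOGIN_LIMIT or more failed logins by one user."""
    failed = defaultdict(int)
    for ev in events:
        if not ev["ok"]:
            failed[ev["user"]] += 1
    return [{"user": u, "source": "rule", "detail": f"{n} failed logins"}
            for u, n in failed.items() if n >= FAILED_LOGIN_LIMIT]

WEIGHTS = {"realtime": 1.0, "batch": 2.0, "rule": 1.5}   # assumption
THREAT_THRESHOLD = 2.5                                    # assumption

def threat_indicator_model(*anomaly_streams):
    """Fuse all anomaly data per user. The threshold is set so that one source on its
    own stays below it; a threat indicator needs corroborating evidence."""
    score, evidence = defaultdict(float), defaultdict(list)
    for stream in anomaly_streams:
        for a in stream:
            score[a["user"]] += WEIGHTS[a["source"]]
            evidence[a["user"]].append(f'{a["source"]}: {a["detail"]}')
    return {u: {"score": s, "evidence": evidence[u]}
            for u, s in score.items() if s >= THREAT_THRESHOLD}

def run_pipeline(auth_events=AUTH_EVENTS, transfer_events=TRANSFER_EVENTS):
    first = realtime_engine(auth_events)
    second = batch_engine(first, transfer_events)
    third = rule_engine(auth_events)
    return first, second, third, threat_indicator_model(first, second, third)

if __name__ == "__main__":
    first, second, third, threats = run_pipeline()
    for name, data in (("real-time", first), ("batch", second), ("rule", third)):
        print(name, [a["user"] for a in data])
    for user, info in threats.items():
        print("THREAT", user, info["score"], info["evidence"])
```

With the constructed data, the real-time engine flags alice and dave for off-hours logins, the batch engine flags only alice (large transfer volume corroborated by her real-time anomaly), and the rule flags bob's three failed logins; only alice crosses the indicator threshold, while dave (real-time only) and bob (rule only) remain single-source anomalies for review rather than threat indicators.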