| CPC H04L 67/535 (2022.05) [G06F 16/9024 (2019.01); G06F 16/906 (2019.01); G06F 18/2323 (2023.01); G06F 21/552 (2013.01); G06N 5/02 (2013.01); G06F 11/3068 (2013.01); G06F 11/3075 (2013.01); G06F 11/3082 (2013.01)] | 20 Claims |
|
1. A method performed by a client computing device that is in data communication with a server computing device over a data communication network, the method comprising:
maintaining an event log comprising a plurality of event records, each of the event records describing one or more events that have occurred locally on the client computing device over a period of time;
converting the event log into a graph by using a respective set of conversion algorithms that are specific to an operating system (OS) running on the client computing device at the time the event records were created, wherein converting the event log comprises:
normalizing the plurality of event records, wherein normalizing the plurality of event records comprises anonymizing a unique identifier value in each event record and replacing a variable value in each event record with a predetermined value;
representing each normalized event record as one or more nodes in the graph; and
generating a plurality of event clusters, wherein each event cluster includes an aggregated group of nodes and is generated based on common attributes of and hierarchical relationships between the normalized event records represented by the nodes in the aggregated group, wherein each node in the graph represents a respective segment of a file path included in a given event record which identifies an object described by the given event record, and wherein a traversal from a leaf node to a root node in the graph represents a reconstructed file path;
transmitting data describing the graph to the server computing device over the data communication network;
receiving, from the server computing device and over the data communication network, results of a federated analysis that has been performed by the server computing device on at least the data describing the graph, wherein the results of the federated analysis comprise data that identifies one or more most common event records that occurred most frequently among different event logs maintained by different client computing devices;
generating, based on the results of the federated analysis, a graph compaction strategy, wherein the graph compaction strategy comprises consolidating nodes in the graph to generate a consolidated node that represents the one or more most common event records; and
performing, by the client computing device and in accordance with the graph compaction strategy, a compaction on the graph to generate a compacted graph, wherein the compacted graph comprises the consolidated node in place of existing nodes that represent the one or more most common event records.
|