CPC H04L 63/1416 (2013.01) [G06F 21/554 (2013.01); G06F 21/6209 (2013.01); G06N 5/02 (2013.01); G06N 7/01 (2023.01); G06N 20/00 (2019.01)]; 20 Claims

1. A method of initializing an anomaly detector that handles a stream of security-related events of one or more organizations, the method comprising:
feeding, to an online machine learner, the stream of security-related events, each security-related event comprising a space identifier (ID) of a plurality of space IDs and one or more feature-value pairs;
transforming the security-related events, the transforming comprising:
assigning the one or more feature-value pairs of each security-related event in the stream of security-related events into a plurality of categorical bins, and
coding the assigned feature-value pairs with a Boolean value representing the feature-value pair associated with the respective categorical bins of the plurality of categorical bins;
analyzing the stream of transformed security-related events using a loss function analyzer of the online machine learner, the analyzing comprising:
grouping transformed security-related events in the stream of transformed security-related events into sub-streams by the space ID of the respective transformed security-related event, and
separately analyzing each sub-stream with the loss function analyzer, the analyzing comprising:
correlating the coded feature-value pairs of the sub-stream with a target feature artificially labeled as a constant to generate a probability prediction for each of the coded feature-value pairs; and
storing the probability predictions for each of the coded feature-value pairs associated with the space ID associated with the respective sub-stream; and
initializing the anomaly detector using the probability predictions.
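One possible reading of the claimed steps, as an added example that is not taken from the patent or any implementation of it: feature-value pairs are coded as Boolean bins, events are split into sub-streams by space ID, and an online learner fits each sub-stream against a constant target. The logistic loss with SGD, the learning rate, the 0.7 threshold, the `ev` helper and the sample events are all assumptions made for illustration.

```python
import math
from collections import defaultdict

LEARNING_RATE = 0.5   # assumed SGD step size
TARGET = 1.0          # target feature artificially labeled as a constant
THRESHOLD = 0.7       # assumed cut-off below which a pair counts as unusual

def transform(event):
    """Assign each feature-value pair to a categorical bin; presence is Boolean true."""
    return event["space_id"], {f"{k}={v}" for k, v in event["features"].items()}

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

class OnlineLearner:
    def __init__(self):
        # One weight table per space ID: each sub-stream is analyzed separately.
        self.weights = defaultdict(lambda: defaultdict(float))

    def feed(self, event):
        space_id, bins = transform(event)
        w = self.weights[space_id]
        grad = sigmoid(sum(w[b] for b in bins)) - TARGET  # logistic-loss gradient
        for b in bins:
            w[b] -= LEARNING_RATE * grad

    def predictions(self):
        """Stored probability prediction per coded pair, keyed by space ID."""
        return {s: {b: sigmoid(v) for b, v in w.items()}
                for s, w in self.weights.items()}

def initialize(events):
    """Train on the stream, then return a scorer seeded with the predictions."""
    learner = OnlineLearner()
    for e in events:
        learner.feed(e)
    preds = learner.predictions()
    def unusual_pairs(event):
        space_id, bins = transform(event)
        known = preds.get(space_id, {})
        # A pair never seen in this space keeps the untrained probability 0.5.
        return sorted(b for b in bins if known.get(b, 0.5) < THRESHOLD)
    return unusual_pairs

def ev(space_id, user, app, action):  # helper for the constructed sample events
    return {"space_id": space_id, "features": {"user": user, "app": app, "action": action}}

# Constructed sample stream: two tenants (space IDs) with different habits.
SAMPLE = ([ev("tenant-a", "alice", "box", "download")] * 20
          + [ev("tenant-a", "alice", "box", "delete")]
          + [ev("tenant-b", "bob", "slack", "post")] * 20)
```

Because the target is constant, pairs that recur in a space accumulate weight and a high probability, while rare or unseen pairs stay near 0.5; the same event can be routine in one space ID and unusual in another.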