| CPC H04L 63/1416 (2013.01) [G06N 5/025 (2013.01); G06N 5/04 (2013.01); G06Q 10/20 (2013.01)] | 16 Claims |

1. In a stream of reported events defined by incident reports of network entities in a computer network, a method of reporting the most significant events, comprising:
receiving the stream of incident reports at a computer having a memory, each incident report depicting an entity in the network, the entities including at least one of device addresses, hosts and user accounts in the computer network;
determining a set of the entities, and a set of relationships between the entities, from the stream of incident reports, each relationship in the set of relationships formed between a pair of the entities in the set of entities;
identifying, based on the entities and relationships, components, each component including a group of the entities connected by one or more relationships;
evaluating the entities and components based on a congruity of the relationships for computing a significance of the entities relative to the other entities, the evaluation of a component augmenting the computed significance of the entities included in the component, evaluating including generating a graph from the stream of incident reports, further comprising:
for each incident report in the stream of incident reports:
defining a node in the graph based on the entity denoted by the incident report;
determining if a temporal association exists to another incident report in the stream of incident reports; and if so,
defining an edge in the graph denoting a relationship between the entity and the entity in the other incident report; and
rendering, based on an importance threshold, an indication of the entities having the greatest computed significance displayed on a screen entry for each respective entity, the temporal associations based on timestamps defined by each incident report in the stream of incident reports, further comprising:
determining the entity corresponding to the earliest timestamp from among the incident reports;
determining the entity corresponding to the latest timestamp from among the incident reports;
traversing the graph to identify entities corresponding to nodes in a traversal path from the earliest timestamp to the latest timestamp; and
defining a core event sequence including the entities corresponding to the path and increasing the score for each entity corresponding to the nodes in the traversal path.
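As an added illustration, not code from the patent or its assignee, the following Python sketches the pipeline claim 1 recites on a constructed stream of incident reports: one node per entity, an edge between entities whose reports fall within a time window, component membership augmenting each member's significance, and a core event sequence along the traversal path from the earliest-timestamped entity to the latest. The 60-second window, the scoring weights, the path bonus and the sample entities are assumptions, not values the claim specifies.

```python
from collections import defaultdict, deque

REPORTS = [  # constructed sample stream of (timestamp in seconds, entity); not real data
    (100, "10.0.0.5"), (130, "host-a"), (160, "alice"), (900, "10.0.0.9"),
    (920, "host-b"), (1500, "bob"), (1520, "host-a")]
WINDOW = 60  # assumption: reports this close in time are temporally associated

def build_graph(reports, window=WINDOW):
    """One node per entity; an edge joins entities reported within `window` seconds."""
    edges, ordered = defaultdict(set), sorted(reports)
    for i, (t1, e1) in enumerate(ordered):
        for t2, e2 in ordered[i + 1:]:
            if t2 - t1 > window:
                break  # sorted stream: later reports are only farther away
            if e1 != e2:
                edges[e1].add(e2)
                edges[e2].add(e1)
    return {e for _, e in reports}, edges
def bfs(edges, src):  # maps every node reachable from src to its predecessor
    prev, queue = {src: None}, deque([src])
    while queue:
        x = queue.popleft()
        for y in edges[x]:
            if y not in prev:
                prev[y] = x
                queue.append(y)
    return prev
def traversal_path(edges, src, dst):  # entities on the path src -> dst; [] if unconnected
    prev, path = bfs(edges, src), []
    while dst in prev:  # walk predecessors back to src (whose predecessor is None)
        path.append(dst)
        dst = prev[dst]
    return path[::-1]
def score_entities(reports, window=WINDOW, path_bonus=2.0):
    """Significance = relationship count + component augmentation + core-path bonus."""
    nodes, edges = build_graph(reports, window)
    score, seen = {n: float(len(edges[n])) for n in nodes}, set()
    for n in nodes:
        if n not in seen:  # each connected component augments all of its members
            comp = set(bfs(edges, n))
            seen |= comp
            for m in comp:
                score[m] += len(comp) - 1
    earliest, latest = min(reports)[1], max(reports)[1]
    core = traversal_path(edges, earliest, latest)  # core event sequence
    for n in core:
        score[n] += path_bonus
    return score, core
def most_significant(reports, threshold):  # (score, entity) at or above the threshold, best first
    return sorted(((s, n) for n, s in score_entities(reports)[0].items() if s >= threshold), reverse=True)
```

With the sample stream, `most_significant(REPORTS, 5)` keeps the three entities of the larger component and ranks the two on the core event sequence above the rest.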