US 11,743,275 B2
Machine learning based anomaly detection and response
Jeevan Tambuluri, Santa Clara, CA (US); Ravi Ithal, Los Altos, CA (US); Steve Malmskog, San Jose, CA (US); Abhay Kulkarni, Cupertino, CA (US); Ariel Faigon, Santa Clara, CA (US); and Krishna Narayanaswamy, Saratoga, CA (US)
Assigned to Netskope, Inc., Santa Clara, CA (US)
Filed by Netskope, Inc., Santa Clara, CA (US)
Filed on May 27, 2021, as Appl. No. 17/332,879.
Application 17/332,879 is a continuation of application No. 16/389,861, filed on Apr. 19, 2019, granted, now 11,025,653.
Application 16/389,861 is a continuation of application No. 15/256,483, filed on Sep. 2, 2016, granted, now 10,270,788, issued on Apr. 23, 2019.
Claims priority of provisional application 62/346,382, filed on Jun. 6, 2016.
Prior Publication US 2021/0288983 A1, Sep. 16, 2021
Int. Cl. H04L 9/40 (2022.01); G06N 20/00 (2019.01); G06F 21/55 (2013.01); G06F 21/62 (2013.01); G06N 5/02 (2023.01); G06N 7/01 (2023.01)
CPC H04L 63/1416 (2013.01) [G06F 21/554 (2013.01); G06F 21/6209 (2013.01); G06N 5/02 (2013.01); G06N 7/01 (2023.01); G06N 20/00 (2019.01)] 20 Claims
OG exemplary drawing
 
1. A method of responding to a detected anomaly event that has not frequently been observed in an ongoing event stream of security-related events of one or more organizations, the method including:
obtaining an evaluation of a plurality of production events with production space IDs, wherein the evaluation has been prepared for a production event by:
transforming features of the production event into categorical bins of a hash-space;
applying a hash function to the production space ID and the features of the production event as transformed to retrieve likelihood coefficients for the transformed features of the production event and a standard candle for the production space ID;
calculating an anomaly score; and
when the anomaly score represents a detected anomaly event, accessing history associated with the production space ID to construct a contrast between feature-event pairs of the detected anomaly event and non-anomalous feature-value pairs of prior events for the production space ID; and
based upon the evaluation as obtained, invoking one or more security actions including at least one of a quarantine, and an encryption, to be performed when at least one detected anomaly event is represented in the evaluation as obtained;
wherein the likelihood coefficients had been calculated by space ID and a standard candle and mapped into the hash-space using a loosely supervised machine learning of observed features in security-related events using a loss function analyzer and recording the standard candle.
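To make the claimed pipeline concrete, here is an added Python sketch that is neither Netskope's code nor taken from the patent: it bins event features, hashes (space ID, feature, bin) into a fixed hash-space that stores likelihood coefficients, records a per-space standard candle, scores events, builds the contrast against history on detection, and selects the quarantine/encrypt actions. The binning scheme, the smoothed log-frequency coefficients, the candle as the mean training log-likelihood, the threshold and the sample events are all assumptions, since the claim does not specify them.

```python
import hashlib
import math
from collections import Counter, defaultdict

HASH_SPACE = 2 ** 20   # number of slots in the hash-space (assumed; the claim gives none)
THRESHOLD = 2.0        # anomaly-score cutoff (assumed)

def to_bins(event):
    """Transform raw event features into categorical bins (assumed binning scheme)."""
    return {"action": event["action"], "app": event["app"],
            "bytes_bin": "2^%d" % int(math.log2(max(event["bytes"], 1))),
            "hour_bin": "%02dh" % (event["hour"] // 4 * 4)}

def slot(space_id, feature, value):
    key = f"{space_id}|{feature}|{value}".encode()   # space ID + transformed feature
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % HASH_SPACE

class AnomalyModel:
    def __init__(self):
        self.coef = {}                        # hash-space slot -> likelihood coefficient
        self.candle, self.n = {}, {}          # per space ID: standard candle, event count
        self.history = defaultdict(Counter)   # (space_id, feature) -> bin counts (history)
    def train(self, space_id, events):
        """Loosely supervised: the observed events are taken as normal for this space."""
        counts, n = Counter(), len(events)
        for e in events:
            for f, v in to_bins(e).items():
                counts[slot(space_id, f, v)] += 1
                self.history[(space_id, f)][v] += 1
        for s, c in counts.items():
            self.coef[s] = math.log((c + 1) / (n + 2))   # smoothed log frequency
        self.n[space_id] = n
        self.candle[space_id] = sum(self.loglik(space_id, e) for e in events) / n  # typical event
    def loglik(self, space_id, event):
        floor = math.log(1 / (self.n[space_id] + 2))    # coefficient for never-seen bins
        return sum(self.coef.get(slot(space_id, f, v), floor) for f, v in to_bins(event).items())
    def evaluate(self, space_id, event):
        """Score = how far below the standard candle; on detection, build the contrast."""
        score = self.candle[space_id] - self.loglik(space_id, event)
        contrast = {}
        if score > THRESHOLD:
            for f, v in to_bins(event).items():
                seen = self.history[(space_id, f)]
                if v not in seen:   # feature-value pair never observed for this space ID
                    contrast[f] = {"event": v, "prior": [b for b, _ in seen.most_common(2)]}
        return {"space_id": space_id, "score": score, "anomaly": score > THRESHOLD, "contrast": contrast}

def respond(evaluations):
    hits = [e for e in evaluations if e["anomaly"]]   # at least one detected anomaly event
    return [{"space_id": e["space_id"], "actions": ["quarantine", "encrypt"]} for e in hits]
```

A large off-hours upload to an otherwise normal app scores well above the candle, and the contrast names exactly the two binned features (size and hour) that history for that space ID never contained.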