US 12,438,891 B1
Anomaly detection based on ensemble machine learning model
Sudhakar Muddu, Cupertino, CA (US); Christos Tryfonas, San Francisco, CA (US); Joseph Auguste Zadeh, Sunnyvale, CA (US); Alexander Beebe Bond, Union City, CA (US); and Ashwin Athalye, San Jose, CA (US)
Filed by SPLUNK INC., San Francisco, CA (US)
Filed on Feb. 18, 2022, as Appl. No. 17/676,022.
Application 17/676,022 is a continuation of application No. 16/503,181, filed on Jul. 3, 2019, granted, now 11,258,807.
Application 16/503,181 is a continuation of application No. 14/929,183, filed on Oct. 30, 2015, granted, now 10,389,738, issued on Aug. 20, 2019.
Claims priority of provisional application 62/212,541, filed on Aug. 31, 2015.
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01); G06F 3/0482 (2013.01); G06F 3/0484 (2022.01); G06F 3/04842 (2022.01); G06F 3/04847 (2022.01); G06F 16/2457 (2019.01); G06F 16/25 (2019.01); G06F 16/28 (2019.01); G06F 16/44 (2019.01); G06F 16/901 (2019.01); G06F 40/134 (2020.01); G06N 5/022 (2023.01); G06N 5/04 (2023.01); G06N 7/01 (2023.01); G06N 20/00 (2019.01); G06N 20/20 (2019.01); G06V 10/22 (2022.01); H04L 41/0893 (2022.01); H04L 41/14 (2022.01); H04L 41/22 (2022.01); H04L 43/00 (2022.01); H04L 43/045 (2022.01); H04L 43/062 (2022.01); H04L 43/20 (2022.01)
CPC H04L 63/1416 (2013.01) [G06F 3/0482 (2013.01); G06F 3/0484 (2013.01); G06F 3/04842 (2013.01); G06F 3/04847 (2013.01); G06F 16/24578 (2019.01); G06F 16/254 (2019.01); G06F 16/285 (2019.01); G06F 16/444 (2019.01); G06F 16/9024 (2019.01); G06F 40/134 (2020.01); G06N 5/022 (2013.01); G06N 5/04 (2013.01); G06N 7/01 (2023.01); G06N 20/00 (2019.01); G06N 20/20 (2019.01); G06V 10/225 (2022.01); H04L 41/0893 (2013.01); H04L 41/145 (2013.01); H04L 41/22 (2013.01); H04L 43/00 (2013.01); H04L 43/045 (2013.01); H04L 43/062 (2013.01); H04L 43/20 (2022.05); H04L 63/06 (2013.01); H04L 63/1408 (2013.01); H04L 63/1425 (2013.01); H04L 63/1433 (2013.01); H04L 63/1441 (2013.01); H04L 63/20 (2013.01); H04L 2463/121 (2013.01)] 18 Claims
OG exemplary drawing
 
1. A method comprising:
receiving, by a computer system, event data associated with an entity on a computer network;
analyzing, by the computer system, the event data;
generating, by the computer system, a plurality of feature scores for the entity based on a result of analyzing the event data;
creating, by the computer system, an entity profile uniquely associated with the entity, the entity profile including the plurality of feature scores for the entity;
accessing the entity profile to read the plurality of feature scores for the entity;
processing the plurality of feature scores for the entity, accessed from the entity profile, by using a plurality of machine-learning models;
generating a plurality of intermediate anomaly scores for the entity, each based on processing of a respective one of the plurality of feature scores of the entity using a respective one of the plurality of machine-learning models;
processing the plurality of intermediate anomaly scores for the entity according to an ensemble learning model;
generating an anomaly score for the entity based on processing the plurality of intermediate anomaly scores for the entity according to the ensemble learning model; and
detecting an anomaly associated with the entity in response to determining that the anomaly score for the entity satisfies a specified criterion.
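As an added illustration of the pipeline recited in claim 1 (not Splunk's implementation and not code from the patent), the following constructed Python example walks through the steps: event data for an entity is analysed into feature scores held in an entity profile, each feature score is processed by a respective model into an intermediate anomaly score, the intermediate scores are combined by an ensemble, and an anomaly is flagged when the ensemble score satisfies a threshold. The two per-feature models (a baseline z-score model and an excess-over-maximum model), the weighted-average ensemble, the threshold of 0.5, and the baseline and event data are all assumptions made for this example.

```python
from statistics import mean, pstdev

# Constructed historical feature values used as each model's baseline (hypothetical data).
BASELINE = {
    "logins_per_hour": [3, 4, 2, 5, 3, 4, 3],
    "failed_login_ratio": [0.05, 0.0, 0.1, 0.0, 0.05, 0.0, 0.05],
    "bytes_out_mb": [20, 25, 18, 30, 22, 27, 24],
}
# Constructed event data for two entities (timestamps in seconds since epoch).
EVENTS = {
    "alice": [{"ts": 36000 + i * 60, "type": "login", "ok": i % 2 == 0} for i in range(12)]
             + [{"ts": 36900, "type": "transfer", "mb": 300}],
    "bob": [{"ts": 36000 + i * 600, "type": "login", "ok": True} for i in range(3)]
           + [{"ts": 37200, "type": "transfer", "mb": 22}],
}

def build_profile(entity, events):
    """Analyse the entity's events and store the derived feature scores in its entity profile."""
    hours = {e["ts"] // 3600 for e in events}
    logins = [e for e in events if e["type"] == "login"]
    failed = [e for e in logins if not e["ok"]]
    return {"entity": entity, "feature_scores": {
        "logins_per_hour": len(logins) / max(len(hours), 1),
        "failed_login_ratio": len(failed) / max(len(logins), 1),
        "bytes_out_mb": sum(e["mb"] for e in events if e["type"] == "transfer"),
    }}

def zscore_model(feature, value):
    """Model A (assumed): distance from the baseline mean in units of four standard deviations, clipped to [0, 1]."""
    hist = BASELINE[feature]
    return min(abs(value - mean(hist)) / (4 * (pstdev(hist) or 1.0)), 1.0)

def excess_model(feature, value):
    """Model B (assumed): how far the value exceeds the historical maximum, relative to that maximum, clipped to [0, 1]."""
    hi = max(BASELINE[feature]) or 1.0
    return min(max(value - hi, 0.0) / hi, 1.0)

# One model per feature: each intermediate score comes from a respective feature and a respective model.
MODELS = {"logins_per_hour": zscore_model, "failed_login_ratio": excess_model, "bytes_out_mb": zscore_model}
WEIGHTS = {"logins_per_hour": 0.3, "failed_login_ratio": 0.4, "bytes_out_mb": 0.3}

def score_entity(profile, threshold=0.5):
    """Return (intermediate scores, ensemble score, anomaly flag) for one entity profile."""
    scores = profile["feature_scores"]  # read the feature scores back from the profile
    intermediate = {f: MODELS[f](f, v) for f, v in scores.items()}
    ensemble = sum(WEIGHTS[f] * s for f, s in intermediate.items())  # weighted-average ensemble
    return intermediate, ensemble, ensemble >= threshold

def run_example():
    return {name: score_entity(build_profile(name, evs)) for name, evs in EVENTS.items()}
```

With the constructed data, "alice" (many failed logins and a large transfer) reaches an ensemble score of 1.0 and is flagged, while "bob" stays well below the threshold.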