
US-12625993-B2 - Providing a graphical representation of anomalous events

US 12625993 B2

Abstract

One or more event logs are received. The one or more event logs are analyzed using a plurality of models to detect one or more anomalous events. A graphical representation of risk entities associated with at least one of the one or more detected anomalous events is provided. A visual representation of automatically detected relationships between the risk entities associated with the at least one of the one or more detected anomalous events is provided in the graphical representation. Indications of measures of anomaly associated with detected anomalous events are provided for the associated risk entities.
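The abstract summarizes a pipeline: event logs are analyzed by a plurality of models, anomalous events are detected, and the risk entities associated with those events are presented graphically together with measures of anomaly. The patent contains no source code; the following is a minimal illustrative sketch of that flow in Python, in which every name (Event, AnomalousEvent, DetectorModel, analyze, build_risk_entity_graph) and every structural choice is an assumption made for illustration rather than anything recited in the specification.

```python
# Minimal sketch of the pipeline described in the abstract; all names are assumed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass
class Event:
    event_type: str             # e.g., "file_deletion", "system_login_denial"
    attributes: Dict[str, str]  # e.g., actor, object, location, timestamp

@dataclass
class AnomalousEvent:
    event: Event
    model_name: str             # the model that flagged the event
    measure_of_anomaly: float   # e.g., the model's confidence level

# Here a "model" is anything that maps an event to a confidence level in [0, 1].
DetectorModel = Callable[[Event], float]

def analyze(event_log: List[Event],
            models: Dict[str, DetectorModel],
            threshold: float = 0.8) -> List[AnomalousEvent]:
    """Apply a plurality of models to every log entry and keep the events whose
    confidence level exceeds the threshold."""
    detections: List[AnomalousEvent] = []
    for event in event_log:
        for name, model in models.items():
            confidence = model(event)
            if confidence > threshold:
                detections.append(AnomalousEvent(event, name, confidence))
    return detections

def build_risk_entity_graph(
        detections: List[AnomalousEvent]) -> Dict[str, List[Tuple[str, float]]]:
    """Group detections by risk entity (actor, object, location, flagging model) so
    that a UI can show each entity with the measures of anomaly attached to it."""
    graph: Dict[str, List[Tuple[str, float]]] = {}
    for d in detections:
        for entity in (*d.event.attributes.values(), d.model_name):
            graph.setdefault(entity, []).append(
                (d.event.event_type, d.measure_of_anomaly))
    return graph
```

In this sketch a "model" is simply any callable returning a confidence level, mirroring the specification's description of models that output confidence levels compared against a threshold.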

Inventors

  • Colin Scott Johnson
  • Mingran Li

Assignees

  • Cohesity, Inc.

Dates

Publication Date
2026-05-12
Application Date
2023-12-12

Claims (18)

  1. A method comprising: receiving, by a graphical user interface of a computing system, an indication of a graphical user interface item corresponding to a first risk entity among a plurality of graphical user interface items corresponding to a plurality of different risk entities; in response to receiving the indication, identifying, by the computing system and based on one or more event logs, one or more events associated with the first risk entity corresponding to the graphical user interface item; applying, by the computing system, an input associated with the one or more identified events to one or more machine learning models to generate an output including a corresponding measure of anomaly for the one or more identified events; causing, by the computing system, the graphical user interface to provide the corresponding measure of anomaly for the one or more identified events, wherein for a specific identified event included in the one or more identified events, the graphical user interface provides a visual representation indicating a relationship between a plurality of risk entities associated with the specific identified event as a web of interconnected risk entities of different types, wherein the different types include two or more of an actor type, a location type, a machine learning model type, and an object type, and wherein at least one of the plurality of risk entities associated with the specific identified event corresponds to at least one of the one or more machine learning models that determined the specific identified event to be anomalous; determining, by the computing system, and when determining the relationship, a particular relationship between the at least one of the one or more machine learning models that determined the specific identified event to be anomalous and a location at which the specific identified event occurred; and causing, by the computing system, the graphical user interface to present the visual representation indicating the relationship to include the particular relationship.
  2. The method of claim 1, wherein identifying the one or more events comprises applying, by the computing system, the one or more machine learning models to analyze the one or more event logs.
  3. The method of claim 1, wherein the indication of the graphical user interface item comprises feedback associated with the first risk entity, the method further comprising retraining, by the computing system, the one or more machine learning models based on the feedback.
  4. The method of claim 3, further comprising training, by the computing system and using training data comprising the one or more event logs, the one or more machine learning models to generate the output including the corresponding measure of anomaly for the one or more identified events.
  5. The method of claim 4, wherein the corresponding measure of anomaly is anomalous behavior selected from one or more of: an insider attack, a ransomware attack, a brute force attack, a wide access, a sensitive data leak, or a geo fencing breach.
  6. The method of claim 1, wherein the first risk entity is a risk entity selected from one or more of: the actor type, the location type, or the object type.
  7. The method of claim 1, wherein the corresponding measure of anomaly for the one or more identified events is based on a confidence level of the one or more machine learning models.
  8. The method of claim 1, wherein the corresponding measure of anomaly for the one or more identified events is associated with a particular period of time.
  9. A computing system comprising: a memory storing instructions; processing circuitry that executes the instructions to: receive, by a graphical user interface, an indication of a graphical user interface item corresponding to a first risk entity among a plurality of graphical user interface items corresponding to a plurality of different risk entities; in response to receiving the indication, identify, based on one or more event logs, one or more events associated with the first risk entity corresponding to the graphical user interface item; apply an input associated with the one or more identified events to one or more machine learning models to generate an output including a corresponding measure of anomaly for the one or more identified events; and cause the graphical user interface to provide the corresponding measure of anomaly for the one or more identified events, wherein for a specific identified event included in the one or more identified events, the graphical user interface provides a visual representation indicating a relationship between a plurality of risk entities associated with the specific identified event as a web of interconnected risk entities of different types, wherein the different types include two or more of an actor type, a location type, a machine learning model type, and an object type, and wherein at least one of the plurality of risk entities associated with the specific identified event corresponds to at least one of the one or more machine learning models that determined the specific identified event to be anomalous; determine, and when determining the relationship, a particular relationship between the at least one of the one or more machine learning models that determined the specific identified event to be anomalous and a location at which the specific identified event occurred; and cause the graphical user interface to present the visual representation indicating the relationship to include the particular relationship.
  10. The computing system of claim 9, wherein to identify the one or more events, the processing circuitry executes the instructions to apply the one or more machine learning models to analyze the one or more event logs.
  11. The computing system of claim 9, wherein: the indication of the graphical user interface item comprises feedback associated with the first risk entity; and the processing circuitry executes the instructions to retrain the one or more machine learning models based on the feedback.
  12. The computing system of claim 11, wherein the processing circuitry executes the instructions to train, using training data comprising the one or more event logs, the one or more machine learning models to generate the output including the corresponding measure of anomaly for the one or more identified events.
  13. The computing system of claim 12, wherein the corresponding measure of anomaly is anomalous behavior selected from one or more of: an insider attack, a ransomware attack, a brute force attack, a wide access, a sensitive data leak, or a geo fencing breach.
  14. The computing system of claim 9, wherein the first risk entity is a risk entity selected from one or more of: the actor type, the location type, or the object type.
  15. The computing system of claim 9, wherein the corresponding measure of anomaly for the one or more identified events is based on a confidence level of the one or more machine learning models.
  16. The computing system of claim 9, wherein the corresponding measure of anomaly for the one or more identified events is associated with a particular period of time.
  17. Non-transitory computer-readable storage media comprising instructions that, when executed, cause processing circuitry of a computing system to: receive, by a graphical user interface, an indication of a graphical user interface item corresponding to a first risk entity among a plurality of graphical user interface items corresponding to a plurality of different risk entities; in response to receiving the indication, identify, based on one or more event logs, one or more events associated with the first risk entity corresponding to the graphical user interface item; apply an input associated with the one or more identified events to one or more machine learning models to generate an output including a corresponding measure of anomaly for the one or more identified events; and cause the graphical user interface to provide the corresponding measure of anomaly for the one or more identified events, wherein for a specific identified event included in the one or more identified events, the graphical user interface provides a visual representation indicating a relationship between a plurality of risk entities associated with the specific identified event as a web of interconnected risk entities of different types, wherein the different types include two or more of an actor type, a location type, a machine learning model type, and an object type, and wherein at least one of the plurality of risk entities associated with the specific identified event corresponds to at least one of the one or more machine learning models that determined the specific identified event to be anomalous; determine, and when determining the relationship, a particular relationship between the at least one of the one or more machine learning models that determined the specific identified event to be anomalous and a location at which the specific identified event occurred; and cause the graphical user interface to present the visual representation indicating the relationship to include the particular relationship.
  18. The non-transitory computer-readable storage media of claim 17, wherein to identify the one or more events, the instructions, when executed, cause the processing circuitry to apply the one or more machine learning models to analyze the one or more event logs.
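Claims 1, 9, and 17 describe the visual representation as a web of interconnected risk entities of different types (actor, location, machine learning model, object), including a particular relationship between the model that determined the event to be anomalous and the location at which the event occurred. As a rough illustration only, such a web could be modeled as a typed graph; the class and field names below are assumptions made for this sketch, not terms defined by the patent.

```python
# Hypothetical sketch of the "web of interconnected risk entities"; not from the patent.
from dataclasses import dataclass, field
from typing import Set, Tuple

RISK_ENTITY_TYPES = {"actor", "location", "machine_learning_model", "object"}

@dataclass(frozen=True)
class RiskEntity:
    name: str
    entity_type: str   # one of RISK_ENTITY_TYPES

@dataclass
class RiskEntityWeb:
    """Undirected graph linking the risk entities associated with one detected event."""
    nodes: Set[RiskEntity] = field(default_factory=set)
    edges: Set[Tuple[RiskEntity, RiskEntity]] = field(default_factory=set)

    def relate(self, a: RiskEntity, b: RiskEntity) -> None:
        self.nodes.update((a, b))
        self.edges.add(tuple(sorted((a, b), key=lambda e: e.name)))

# Example: a login-anomaly event flagged by a geo-fencing model.
actor = RiskEntity("user_42", "actor")
laptop = RiskEntity("laptop-7", "object")
location = RiskEntity("203.0.113.5", "location")
model = RiskEntity("geo_fencing_model", "machine_learning_model")

web = RiskEntityWeb()
web.relate(actor, laptop)
web.relate(actor, location)
# The "particular relationship" recited in the claims: the model that determined the
# event to be anomalous is linked to the location at which the event occurred.
web.relate(model, location)
```

A rendering layer could then draw each node together with the measure of anomaly attached to it, as the abstract describes.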

Description

CROSS REFERENCE TO OTHER APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 17/501,617 entitled PROVIDING A GRAPHICAL REPRESENTATION OF ANOMALOUS EVENTS filed Oct. 14, 2021, which is incorporated herein by reference for all purposes.

BACKGROUND OF THE INVENTION

A primary system maintains an event log that stores a plurality of entries for a plurality of events. The event log may be updated when an object (e.g., file or directory) is accessed, modified, deleted, or created. The event log may also be updated for other events associated with the primary system, such as when a user logged in, the number of failed login attempts associated with a client device, each time a software update was performed, each time a password was changed, etc. A user may desire to determine whether there has been any anomalous activity at the primary system. However, the number of events stored in the event log may be too voluminous to determine whether there has been any anomalous activity in a timely manner.

BRIEF DESCRIPTION OF THE DRAWINGS

Various embodiments of the invention are disclosed in the following detailed description and the accompanying drawings.
FIG. 1 is a block diagram illustrating a system for providing a graphical representation of anomalous events in accordance with some embodiments.
FIG. 2 is a flow diagram illustrating a process for providing evidence of anomalous behavior in accordance with some embodiments.
FIG. 3 is a flow diagram illustrating a process for analyzing an event log in accordance with some embodiments.
FIG. 4 is a flow diagram illustrating a process for analyzing an event log in accordance with some embodiments.
FIG. 5 is a flow diagram illustrating a process of training a model in accordance with some embodiments.
FIGS. 6A-6N are examples of a graphical user interface in accordance with some embodiments.
FIG. 7A is an example of a graphical user interface in accordance with some embodiments.
FIG. 7B is an example of a graphical user interface in accordance with some embodiments.

DETAILED DESCRIPTION

Techniques to provide a graphical representation of anomalous events are described herein. One or more event logs are received and stored at an event analysis system. The one or more event logs include a plurality of entries. Each entry corresponds to an event. An entry may identify an event type and one or more attributes associated with the event. Examples of event type include a file deletion, a file access, a file creation, a file move, a directory deletion, a directory creation, a directory move, a system login grant, a system login denial, a user being added, a user being deleted, a file being downloaded, a user password change, change of state, change of status, etc. Examples of event attributes include a timestamp, a sequence number, a user (actor) to which the event is associated, an object with which the event is associated, an internet protocol address, a location from which the event occurred, etc. Examples of objects include files, databases, virtual machines, applications, containers, volumes, etc. The one or more event logs are analyzed by providing each entry as input to a plurality of models that are configured to detect different types of anomalous behavior.
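The detailed description enumerates the event types and attributes that an entry may carry and states that each entry is provided as input to a plurality of models. The sketch below is a hypothetical illustration only: the LogEntry fields and the failed_login_burst detector (a toy stand-in for one kind of model) are assumptions, not code or a schema given by the patent.

```python
# Toy illustration of an event-log entry and one possible group-of-events check.
# All names (LogEntry, failed_login_burst, etc.) are assumed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class LogEntry:
    event_type: str            # e.g., "file_deletion", "system_login_denial"
    timestamp: datetime
    sequence_number: int
    actor: str                 # user to which the event is associated
    obj: Optional[str] = None  # file, database, virtual machine, application, ...
    ip_address: Optional[str] = None
    location: Optional[str] = None

def failed_login_burst(entries: List[LogEntry],
                       window: timedelta = timedelta(minutes=5),
                       threshold: int = 10) -> float:
    """Toy stand-in for one detector: returns a confidence level that rises as the
    number of login denials within a time window grows, so that a group of
    individually normal events can be flagged as anomalous.
    In practice entries would likely first be grouped per actor or client device."""
    denials = sorted(e.timestamp for e in entries
                     if e.event_type == "system_login_denial")
    best = 0
    for i, start in enumerate(denials):
        count = sum(1 for t in denials[i:] if t - start <= window)
        best = max(best, count)
    return min(1.0, best / threshold)
```

A confidence level above a configured threshold would mark the corresponding event or group of events as anomalous; the specification goes on to enumerate the kinds of behavior such models target.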
For example, a model may be configured to determine whether an event or a group of events is indicative of an insider attack, a ransomware attack, a brute force attack, wide access (e.g., login attempts from different locations), a sensitive data leak, a geo fencing breach, or a combination thereof. In some embodiments, the output of one or more models is input to a model (e.g., a layered model). Based on the one or more event log entries, each of the models is configured to output a corresponding confidence level that indicates whether the one or more events corresponding to the one or more event log entries are anomalous. An event by itself or a combination of events may be indicative of anomalous behavior. A model may determine that an event is anomalous in the event that a confidence level associated with the event is greater than a confidence level threshold. In some embodiments, the confidence level is based on historical events associated with a particular user. In some embodiments, the confidence level is based on historical events associated with a system that provided the event log. In some embodiments, the confidence level is based on historical programmatically generated events associated with an application. In some embodiments, the confidence level is based on a combination of events (e.g., the confidence level(s) associated with one or more other events may influence the confidence level of an event; a normal event may be determined to be an anomalous event if the event is a threshold event within a time frame, in which case the threshold event is determined to be an anomalous event and the other events may or may not be determined to be anomalous events). Each event is associated with at least one