US-12627687-B1 - Generative artificial intelligence-based multi-stage composite event processing
Abstract
A data platform monitors a compute environment by performing multi-stage heuristic analysis of event data representing a plurality of events occurring within the environment. The platform utilizes multiple event analyzers, each configured according to a distinct analysis heuristic, to evaluate different subsets of the event data and generate corresponding output signals. A higher-level event analyzer applies a further heuristic to the multiple output signals to generate a composite alert signal, indicating whether the combination of analyzed events collectively represents a security intrusion or other anomalous condition of sufficient severity to warrant alerting. Based on the composite alert signal, the platform performs an alert-based operation, such as generating a user-facing alert, initiating an automated mitigation, or updating a contextual model of system behavior. By combining the analytical outputs of heterogeneous heuristics, the disclosed architecture enhances the accuracy and contextual relevance of automated intrusion detection within complex computing environments.
Inventors
- David Nellinger Adamson
- Yijou Chen
- Christopher Hall
- Njall Skarphedinsson
- Pamela Bhattacharya
- Aditya Samalla
- Rui Zhang
- Jessica Liu
- Marcos Garcia Marti
- Sowmya A. Karmali
Assignees
- Lacework, Inc.
Dates
- Publication Date
- 2026-05-12
- Application Date
- 2023-10-30
Claims (20)
- 1 . A method comprising: accessing, by a data platform monitoring a compute environment, event data representative of a plurality of events that occur within the compute environment; analyzing, by the data platform using a first event analyzer that operates in accordance with a first analysis heuristic, a first set of one or more events included in the plurality of events to generate a first output signal; analyzing, by the data platform using a second event analyzer that operates in accordance with a second analysis heuristic, a second set of one or more events included in the plurality of events to generate a second output signal; analyzing, by the data platform using a third event analyzer that operates in accordance with a third analysis heuristic, the first and second output signals to generate a composite alert signal indicative of whether the first set of one or more events and the second set of one or more events are together indicative of one or more intrusions that are severe enough to be alerted on by the data platform; and performing, by the data platform based on the composite alert signal, an alert-based operation with respect to the plurality of events.
- 2 . The method of claim 1 , wherein: the first output signal is indicative of whether the first set of one or more events are together indicative of one or more intrusions that are severe enough to be alerted on by the data platform, and the second output signal is indicative of whether the second set of one or more events are together indicative of one or more intrusions that are severe enough to be alerted on by the data platform.
- 3 . The method of claim 1 , wherein: the first analysis heuristic comprises a first machine learning model, the second analysis heuristic comprises a second machine learning model, and the third analysis heuristic comprises a third machine learning model.
- 4 . The method of claim 3 , wherein one or more of the first, second, or third trained machine learning models comprises one or more large language models configured to perform generative artificial intelligence operations.
- 5 . The method of claim 3 , wherein one or more of the first, second, or third trained machine learning models are configured to be trained on training sets generated by generative artificial intelligence.
- 6 . The method of claim 1 , wherein the first analysis heuristic is configured in accordance with a first common characteristic of the first set of one or more events, the second analysis heuristic is configured in accordance with a second common characteristic of the second set of one or more events different from the first common characteristic, and the third analysis heuristic is configured in accordance with a third common characteristic of the third set of one or more events different from the first and second common characteristics.
- 7 . The method of claim 1 , further comprising: analyzing, by the data platform using a fourth event analyzer that operates in accordance with a fourth analysis heuristic, the composite alert signal to generate contextual information associated with the composite alert signal.
- 8 . The method of claim 7 , wherein the performing the alert-based operation comprises presenting the contextual information together with information associated with an alert associated with the composite alert signal within a user interface.
- 9 . The method of claim 7 , wherein the contextual information includes one or more of a recommended remedial action associated with the composite alert signal, a feature associated with the composite alert signal, a significance level associated with the feature, or a narrative description associated with the composite alert signal.
- 10 . The method of claim 7 , wherein the fourth analysis heuristic comprises a large language model configured to perform generative artificial intelligence operations.
- 11 . The method of claim 1 , wherein the performing the alert-based operation comprises presenting a security alert within a user interface based on a characteristic associated with the composite alert signal satisfying one or more predetermined criteria.
- 12 . The method of claim 1 , wherein the performing the alert-based operation comprises abstaining from presenting a security alert within a user interface based on a characteristic associated with the composite alert signal failing to satisfy one or more predetermined criteria.
- 13 . The method of claim 1 , wherein the performing the alert-based operation further comprises presenting a plurality of selectable items each associated with a different facet of the composite alert signal.
- 14 . The method of claim 1 , wherein: the first set of one or more events is initiated within the compute environment by a first entity, and the second set of one or more events is initiated within the compute environment by a second entity.
- 15 . The method of claim 1 , wherein the event data is collected using one or more agents deployed within the computing environment.
- 16 . The method of claim 1 , wherein the event data is collected using one or more agentless configurations.
- 17 . A computer program product embodied in a non-transitory computer-readable storage medium and comprising computer instructions for a data platform to perform a process comprising: accessing event data representative of a plurality of events that occur within a compute environment; analyzing, using a first event analyzer that operates in accordance with a first analysis heuristic, a first set of one or more events included in the plurality of events to generate a first output signal; analyzing, using a second event analyzer that operates in accordance with a second analysis heuristic, a second set of one or more events included in the plurality of events to generate a second output signal; analyzing, using a third event analyzer that operates in accordance with a third analysis heuristic, the first and second output signals to generate a composite alert signal indicative of whether the first set of one or more events and the second set of one or more events are together indicative of one or more intrusions that are severe enough to be alerted on; and performing, based on the composite alert signal, an alert-based operation with respect to the plurality of events.
- 18 . The computer program product of claim 17 , wherein: the first output signal is indicative of whether the first set of one or more events are together indicative of one or more intrusions that are severe enough to be alerted on by the data platform, and the second output signal is indicative of whether the second set of one or more events are together indicative of one or more intrusions that are severe enough to be alerted on by the data platform.
- 19 . The computer program product of claim 17 , wherein the process further comprises: analyzing, by the data platform using a fourth event analyzer that operates in accordance with a fourth analysis heuristic, the composite alert signal to generate contextual information associated with the composite alert signal.
- 20 . A system comprising: memory storing instructions; and one or more processors communicatively coupled to the memory and configured to execute the instructions to perform a process comprising: accessing event data representative of a plurality of events that occur within a compute environment; analyzing, using a first event analyzer that operates in accordance with a first analysis heuristic, a first set of one or more events included in the plurality of events to generate a first output signal; analyzing, using a second event analyzer that operates in accordance with a second analysis heuristic, a second set of one or more events included in the plurality of events to generate a second output signal; analyzing, using a third event analyzer that operates in accordance with a third analysis heuristic, the first and second output signals to generate a composite alert signal indicative of whether the first set of one or more events and the second set of one or more events are together indicative of one or more intrusions that are severe enough to be alerted on; and performing, based on the composite alert signal, an alert-based operation with respect to the plurality of events.
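The abstract and claims 1 through 12 describe a pipeline rather than a single detector: two first-stage analyzers each apply one heuristic to one slice of the event stream and emit an output signal, a third analyzer fuses those signals into a composite alert signal, a fourth derives contextual information (narrative, features, significance, recommended action), and the platform then presents or abstains from presenting an alert against a predetermined criterion. The following Python program is an added illustration of that flow and is not code from the patent or from Lacework. The event fields, the two heuristics (a shell spawned by a network-facing service; an outbound connection to a public address on an uncommon port), the additive score fusion, the 300-second correlation window and the 0.9 alert threshold are all assumptions chosen for the example, and the event stream is constructed.

```python
"""Multi-stage composite event processing, illustrated.

Stage 1 and 2 analyzers each apply one heuristic to one slice of the events
and emit an output signal.  Stage 3 fuses the signals per host into a
composite alert signal.  Stage 4 adds contextual information, and the final
step presents or abstains from an alert against a threshold.  Every heuristic,
threshold and event field here is an assumption for the example.
"""
from dataclasses import dataclass, field

# Constructed sample event stream (not real telemetry); "ts" is seconds.
EVENTS = [
    {"ts": 100, "kind": "process", "host": "web-1", "parent": "nginx", "exe": "/bin/sh"},
    {"ts": 130, "kind": "network", "host": "web-1", "dst": "203.0.113.9", "port": 4444, "dir": "out"},
    {"ts": 200, "kind": "process", "host": "db-1", "parent": "cron", "exe": "/usr/bin/pg_dump"},
    {"ts": 210, "kind": "network", "host": "db-1", "dst": "10.0.0.5", "port": 5432, "dir": "out"},
    {"ts": 300, "kind": "network", "host": "build-7", "dst": "198.51.100.2", "port": 4444, "dir": "out"},
]


@dataclass
class Signal:
    analyzer: str
    host: str
    ts: int
    score: float                      # 0..1, how intrusion-like the slice looks
    features: dict = field(default_factory=dict)


def process_analyzer(events):
    """Heuristic 1 (assumed): a shell spawned by a network-facing service."""
    servers = {"nginx", "httpd", "tomcat"}
    shells = {"/bin/sh", "/bin/bash", "/bin/dash"}
    return [Signal("process", e["host"], e["ts"], 0.6, {"parent": e["parent"], "exe": e["exe"]})
            for e in events
            if e["kind"] == "process" and e["parent"] in servers and e["exe"] in shells]


def is_private(ip):
    # Deliberately simple RFC 1918 check; enough for the constructed sample.
    return ip.startswith("10.") or ip.startswith("192.168.")


def network_analyzer(events):
    """Heuristic 2 (assumed): outbound connection to a public host on an uncommon port."""
    common_ports = {80, 443, 53}
    return [Signal("network", e["host"], e["ts"], 0.5, {"dst": e["dst"], "port": e["port"]})
            for e in events
            if e["kind"] == "network" and e["dir"] == "out"
            and not is_private(e["dst"]) and e["port"] not in common_ports]


def composite_analyzer(sig_a, sig_b, window=300):
    """Heuristic 3 (assumed): correlate first-stage signals on the same host
    within `window` seconds.  Correlated pairs get an additive fused score
    capped at 1.0; a lone signal is passed through with its own score."""
    composites = {}
    for a in sig_a:
        for b in sig_b:
            if a.host == b.host and abs(a.ts - b.ts) <= window:
                fused = min(1.0, a.score + b.score)
                composites[a.host] = Signal("composite", a.host, min(a.ts, b.ts), fused,
                                            {**a.features, **b.features, "correlated": True})
    for s in sig_a + sig_b:
        composites.setdefault(s.host, Signal("composite", s.host, s.ts, s.score,
                                             {**s.features, "correlated": False}))
    return list(composites.values())


def context_analyzer(sig):
    """Stage 4: narrative, features, significance and a recommended action."""
    f = sig.features
    if f.get("correlated"):
        narrative = (f"{f['parent']} on {sig.host} spawned {f['exe']} and the host then connected "
                     f"to {f['dst']}:{f['port']}; consistent with a web shell beaconing out.")
        action = f"Isolate {sig.host}, capture the shell's command line, block {f['dst']}."
    else:
        narrative = f"Single indicator on {sig.host}: {f}."
        action = "Review against the host's baseline before acting."
    return {"narrative": narrative, "recommended_action": action,
            "features": f, "significance": round(sig.score, 2)}


def alert_operation(composites, threshold=0.9):
    """Present an alert when the composite score meets the criterion, else abstain."""
    alerts, suppressed = [], []
    for c in sorted(composites, key=lambda s: -s.score):
        bucket = alerts if c.score >= threshold else suppressed
        bucket.append({"host": c.host, "score": c.score, "context": context_analyzer(c)})
    return alerts, suppressed


def run(events=EVENTS):
    return alert_operation(composite_analyzer(process_analyzer(events), network_analyzer(events)))


if __name__ == "__main__":
    alerts, suppressed = run()
    for a in alerts:
        print("ALERT", a["host"], a["score"], a["context"]["narrative"])
    for s in suppressed:
        print("suppressed", s["host"], s["score"])
```

On the sample stream only web-1 is alerted: neither first-stage signal on its own clears the 0.9 threshold, which is the point of the composite stage, while the lone uncommon-port connection from build-7 is recorded but suppressed rather than surfaced. Swapping any of the three heuristics for a trained model or an LLM prompt, as claims 3, 4 and 10 contemplate, leaves the surrounding pipeline unchanged.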
Description
RELATED APPLICATIONS
This application is a continuation-in-part of U.S. patent application Ser. No. 18/227,228, filed Jul. 27, 2023, which is a continuation-in-part of U.S. patent application Ser. No. 18/129,243, filed Mar. 31, 2023, which is a continuation-in-part of U.S. patent application Ser. No. 18/119,045, filed Mar. 8, 2023, which is a continuation of U.S. patent application Ser. No. 17/510,179, filed Oct. 25, 2021, now U.S. Pat. No. 11,637,849, which is a continuation of U.S. patent application Ser. No. 16/786,822, filed Feb. 10, 2020, now U.S. Pat. No. 11,157,502, which is a continuation of U.S. patent application Ser. No. 16/134,806, filed Sep. 18, 2018, now U.S. Pat. No. 10,614,071, which claims priority to U.S. Provisional Patent Application No. 62/590,986 filed Nov. 27, 2017 and to U.S. Provisional Patent Application No. 62/650,971 filed Mar. 30, 2018. U.S. patent application Ser. No. 18/129,243 also claims priority to U.S. Provisional Patent Application No. 63/333,751 filed Apr. 22, 2022, to U.S. Provisional Patent Application No. 63/394,765 filed Aug. 3, 2022, and to U.S. Provisional Patent Application No. 63/351,607, filed Jun. 13, 2022. U.S. patent application Ser. No. 18/227,228 also claims priority to U.S. Provisional Patent Application No. 63/400,073 filed Aug. 23, 2022. This application also claims priority to U.S. Provisional Patent Application No. 63/466,933 filed May 16, 2023. The contents of each of these applications are hereby incorporated by reference in their entirety.
BRIEF DESCRIPTION OF THE DRAWINGS
The accompanying drawings illustrate various embodiments and are a part of the specification. The illustrated embodiments are merely examples and do not limit the scope of the disclosure. Throughout the drawings, identical or similar reference numbers designate identical or similar elements.
- FIG. 1A shows an illustrative configuration in which a data platform is configured to perform various operations with respect to a cloud environment that includes a plurality of compute assets.
- FIG. 1B shows an illustrative implementation of the configuration of FIG. 1A.
- FIG. 1C illustrates an example computing device.
- FIG. 1D illustrates an example of an environment in which activities that occur within datacenters are modeled.
- FIG. 2A illustrates an example of a process, used by an agent, to collect and report information about a client.
- FIG. 2B illustrates a 5-tuple of data collected by an agent, physically and logically.
- FIG. 2C illustrates a portion of a polygraph.
- FIG. 2D illustrates a portion of a polygraph.
- FIG. 2E illustrates an example of a communication polygraph.
- FIG. 2F illustrates an example of a polygraph.
- FIG. 2G illustrates an example of a polygraph as rendered in an interface.
- FIG. 2H illustrates an example of a portion of a polygraph as rendered in an interface.
- FIG. 2I illustrates an example of a portion of a polygraph as rendered in an interface.
- FIG. 2J illustrates an example of a portion of a polygraph as rendered in an interface.
- FIG. 2K illustrates an example of a portion of a polygraph as rendered in an interface.
- FIG. 2L illustrates an example of an insider behavior graph as rendered in an interface.
- FIG. 2M illustrates an example of a privilege change graph as rendered in an interface.
- FIG. 2N illustrates an example of a user login graph as rendered in an interface.
- FIG. 2O illustrates an example of a machine server graph as rendered in an interface.
- FIG. 3A illustrates an example of a process for detecting anomalies in a network environment.
- FIG. 3B depicts a set of example processes communicating with other processes.
- FIG. 3C depicts a set of example processes communicating with other processes.
- FIG. 3D depicts a set of example processes communicating with other processes.
- FIG. 3E depicts two pairs of clusters.
- FIG. 3F is a representation of a user logging into a first machine, then into a second machine from the first machine, and then making an external connection.
- FIG. 3G is an alternate representation of actions occurring in FIG. 3F.
- FIG. 3H illustrates an example of a process for performing extended user tracking.
- FIG. 3I is a representation of a user logging into a first machine, then into a second machine from the first machine, and then making an external connection.
- FIG. 3J illustrates an example of a process for performing extended user tracking.
- FIG. 3K illustrates example records.
- FIG. 3L illustrates example output from performing an ssh connection match.
- FIG. 3M illustrates example records.
- FIG. 3N illustrates example records.
- FIG. 3O illustrates example records.
- FIG. 3P illustrates example records.
- FIG. 3Q illustrates an adjacency relationship between two login sessions.
- FIG. 3R illustrates example records.
- FIG. 3S illustrates an example of a process for detecting anomalies.
- FIG. 4A illustrates a representation of an embodiment of an insider behavior graph.
- FIG. 4B illustrates an embodiment of a portion of an insider behavior graph.
- FIG. 4C illustrat