US 9,813,435 B2
Network security analysis using real-time and batch detection engines
Sudhakar Muddu, Cupertino, CA (US); Christos Tryfonas, Foster City, CA (US); and Ravi Prasad Bulusu, San Jose, CA (US)
Assigned to Splunk Inc., San Francisco, CA (US)
Filed by Splunk Inc., San Francisco, CA (US)
Filed on Jan. 25, 2017, as Appl. No. 15/415,747.
Application 15/415,747 is a continuation of application No. 14/929,224, filed on Oct. 30, 2015, granted, now 9,591,010.
Claims priority of provisional application 62/212,541, filed on Aug. 31, 2015.
Prior Publication US 2017/0134410 A1, May 11, 2017
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 29/06 (2006.01); G06N 99/00 (2010.01)
CPC H04L 63/1416 (2013.01) [G06N 99/005 (2013.01); H04L 63/1425 (2013.01); H04L 2463/121 (2013.01)]
28 Claims
OG exemplary drawing
 
1. A network security breach detection system comprising:
a real-time path including a real-time analysis engine configured to receive first event data indicative of first activity on a computer network, the real-time event analysis engine configured to detect first indicia of possible security breaches in a real-time processing mode based on the first event data, and to generate real-time analysis result data representing the first indicia for output to a user;
a non-volatile storage system to store the real-time analysis result data; and
a batch path including a batch analysis engine configured to operate concurrently with the real-time analysis engine, the batch analysis engine further configured to retrieve, from the non-volatile storage system, the real-time analysis result data and second event data indicative of second activity on the computer network, the first event data and the second event data each including timestamped machine data indicative of performance or operation of a component in an information technology environment, the second event data having been stored in the non-volatile storage system prior to analysis of the first event data by the real-time analysis engine, the batch analysis engine further configured to detect, in a batch mode, second indicia of possible security breaches based on the second event data and the real-time analysis result data.
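As an added illustration of the data flow claim 1 describes (not code from the patent or from Splunk), the following Python model runs a real-time engine over new events, persists its results together with the raw events, and then lets a batch engine re-read those results alongside older stored events to raise a second indicium. The detection rules, thresholds, event fields and sample events are constructed assumptions for the demonstration only.

```python
from collections import defaultdict, deque

class Storage:  # stand-in for the claimed non-volatile storage system
    def __init__(self, stored_events):
        self.events = list(stored_events)  # second event data, stored earlier
        self.results = []                  # real-time analysis result data

# Constructed sample events: (timestamp, source, kind, bytes).
OLD_EVENTS = [  # already in storage before the real-time run
    (100, "10.0.0.5", "egress", 8_000_000),
    (200, "10.0.0.9", "egress", 1_000_000),
    (300, "10.0.0.5", "egress", 4_000_000),
]
NEW_EVENTS = [  # first event data, streamed to the real-time engine
    (1000, "10.0.0.5", "auth_fail", 0),
    (1000, "10.0.0.9", "auth_fail", 0),
    (1010, "10.0.0.5", "auth_fail", 0),
    (1020, "10.0.0.5", "auth_fail", 0),
]
def realtime_engine(events, store, window=60, threshold=3):
    """Real-time path: flag 3+ failed logins from one source within 60 s (assumed rule)."""
    recent, results = defaultdict(deque), []
    for ev in events:
        store.events.append(ev)            # raw events are retained for the batch path
        ts, src, kind, _ = ev
        if kind != "auth_fail":
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:          # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            hit = {"indicium": "auth_burst", "src": src, "ts": ts}
            results.append(hit)
            store.results.append(hit)      # persisted for the batch engine
    return results

def batch_engine(store, egress_limit=10_000_000):
    """Batch path: correlate stored real-time hits with the older stored events."""
    flagged = {r["src"] for r in store.results}
    out = []
    for src in sorted(flagged):
        total = sum(b for _, s, k, b in store.events if s == src and k == "egress")
        if total > egress_limit:           # second indicium: flagged source also moved much data out
            out.append({"indicium": "flagged_source_egress", "src": src, "bytes": total})
    return out

def run_demo():
    store = Storage(OLD_EVENTS)
    return realtime_engine(NEW_EVENTS, store), batch_engine(store)
```

In a real deployment the two engines run concurrently against the same store; here they are called in sequence only so the result of each step is easy to inspect.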