Anomaly detection based on changes in an entity relationship graph
US11463464B2 · kind B2 · utility
Assignee
Inventors
Key dates
| Filing date | May 26, 2020 |
| Grant date | Oct 4, 2022 |
| Priority date | — |
| Expiry date | May 14, 2041 |
Classification
- Technology area (CPC H): Electricity
- CPC primary: H04L2101/622
- WIPO field: Digital communication
- WIPO sector: Electrical engineering
Abstract
Techniques are described for analyzing data regarding activity in an IT environment to determine information regarding the entities associated with the activity and using the information to detect anomalous activity that may be indicative of malicious activity. In an embodiment, a plurality of events reflecting activity by a plurality of entities in an IT environment are processed to resolve the identities of the entities, discover how the entities fit within a topology of the IT environment, and determine what the entities are. This information is then used to generate an entity relationship graph that includes nodes representing the entities in the IT environment and edges connecting the nodes representing interaction relationships between the entities. In some embodiments, baselines are established by monitoring the activity between entities. This baseline information can be represented in the entity relationship graph in the form of directionality applied to the edges. The entity relationship graph can then be monitored to detect anomalous activity.
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.