
Distributed digital security system

Patent number: US11616790B2
Publication date: 2023-03-28
Applicant: CrowdStrike, Inc. (US CA Irvine)
Inventors: David F. Diehl; Michael Edward Lusignan; Thomas Johann Essebier
IPC classification: H04L9/40; G06F16/2455; G06Q50/26
Technical field: event, data, security, engine, bounding, compute, rally, or, can, client
Region: CA Irvine

Abstract

A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally-defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices and can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.

Description

BACKGROUND

Digital security exploits that steal or destroy resources, data, and private information on computing devices are an increasing problem. Governments and businesses devote significant resources to preventing intrusions and thefts related to such digital security exploits. Some of the threats posed by security exploits are of such significance that they are described as cyber terrorism or industrial espionage.

Security threats come in many forms, including computer viruses, worms, trojan horses, spyware, keystroke loggers, adware, and rootkits. Such security threats may be delivered in or through a variety of mechanisms, such as spearfish clickable links, documents, executables, or archives. Other types of security threats may be posed by malicious users who gain access to a computer system and attempt to access, modify, or delete information without authorization.

BRIEF DESCRIPTION OF THE DRAWINGS

The detailed description is set forth with reference to the accompanying figures. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. The use of the same reference numbers in different figures indicates similar or identical items or features.

FIG. 1 depicts an example of a distributed security system.

FIG. 2 depicts an example of a refinement operation that can be performed by an instance of a compute engine in a distributed security system.

Claims

What is claimed is:

1. A method, comprising:
   receiving, by a compute engine from a compiler of a security network, a configuration that includes a compiled set of executable instructions for processing event data associated with occurrences of events on one or more client devices;
   receiving, by the compute engine, an event stream comprising the event data;
   generating, by the compute engine using at least one of one or more refinement operations or one or more composition operations according to the configuration, new event data based on the event data in the event stream;
   adding, by the compute engine, the new event data to the event stream;
   determining, by the compute engine based on the configuration, that the event data in the event stream matches a target behavior; and
   outputting, by the compute engine, a result indicating that the event data in the event stream matches the target behavior.

2. The method of claim 1, wherein generating the new event data comprises:
   determining, by the compute engine, that a piece of event data in the event stream matches filter criteria for a refinement operation of the one or more refinement operations;
   identifying at least a subset of data elements in the piece of event data based on a context collection format associated with the refinement operation; and
   generating, by the compute engine, the new event data as refined event data that includes the at least the subset of data elements in the piece of event data.

3. The method of claim 2, wherein the context collection format associated with the refinement operation is defined by an ontological definition used by the compiler to generate the configuration.

4. The method of claim 1, wherein generating the new event data comprises:
   determining, by the compute engine, that first event data in the event stream matches criteria for a composition operation of the one or more composition operations;
   generating, by the compute engine, a rally point that includes at least a first set of data elements associated with the first event data;
   storing, by the compute engine, the rally point in memory accessible to the compute engine;
   determining, by the compute engine, that second event data in the event stream matches the criteria for the composition operation and is associated with the rally point stored in the memory; and
   generating, by the compute engine, the new event data as composition event data that includes the first set of data elements from the rally point and a second set of data elements selected from the second event data.

5. The method of claim 4, wherein one or both of the first set of data elements and the second set of data elements are defined by ontological definitions used by the compiler to generate the configuration.

6. The method of claim 4, further comprising deleting, by the computing engine, the rally point from the memory upon the compute engine receiving the second event data and generating the new event data.

7. The method of claim 4, further comprising:
   determining, by the compute engine, that the rally point also matches second criteria for a second composition operation of the one or more composition operations;
   determining, by the compute engine, that third event data in the event stream matches the second criteria for the second composition operation and is associated with the rally point stored in the memory; and
   generating, by the compute engine, the new event data as second composition event data that includes the first set of data elements from the rally point and a third set of data elements selected from the third event data.

8. The method of claim 4, further comprising tracking, by the computing engine, a reference count of a number of the one or more composition operations that are associated with the rally point after the rally point has been generated.

9. The method of claim 1, wherein the compiler automatically generates the configuration based on a text description of the target behavior and one or more ontological definitions defined at an ontology service of the security network.

10. The method of claim 1, wherein the compute engine is a local instance of the compute engine that runs locally on a particular client device to process local event data associated with local events that occur on the particular client device.

11. The method of claim 1, wherein the compute engine is a cloud instance of the compute engine that runs in the security network, and the cloud instance of the compute engine receives the event stream from a storage engine of the security network that stores event data provided to the security network by the one or more client devices.

12. The method of claim 11, wherein the cloud instance of the compute engine is associated with a particular rally point associated with at least one composition operation of the one or more composition operations, and the storage engine is configured to forward event data to the cloud instance of the compute engine that is associated with the particular rally point.

13. One or more computing elements, comprising:
   one or more processors;
   memory storing computer-executable instructions that, when executed by the one or more processors, cause the one or more computing elements to perform operations comprising:
   receiving a configuration from a compiler of a security network, the configuration including a set of instructions of the computer-executable instructions for processing event data associated with occurrences of events on one or more client devices;
   receiving an event stream comprising the event data;
   generating, using at least one of one or more refinement operations or one or more composition operations according to the configuration, new event data based on the event data in the event stream;
   adding the new event data to the event stream;
   determining, based on the configuration, that the event data in the event stream matches a target behavior; and
   outputting a result indicating that the event data in the event stream matches the target behavior.

14. The one or more computing elements of claim 13, wherein generating the new event data comprises:
   determining that a piece of event data in the event stream matches filter criteria for a refinement operation of the one or more refinement operations;
   identifying at least a subset of data elements in the piece of event data based on a context collection format associated with the refinement operation; and
   generating the new event data as refined event data that includes the at least the subset of data elements in the piece of event data.

15. The one or more computing elements of claim 13, wherein generating the new event data comprises:
   determining that first event data in the event stream matches criteria for a composition operation of the one or more composition operations;
   generating a rally point that includes at least a first set of data elements associated with the first event data;
   storing the rally point in the memory;
   determining that second event data in the event stream matches the criteria for the composition operation and is associated with the rally point stored in the memory; and
   generating the new event data as composition event data that includes the first set of data elements from the rally point and a second set of data elements selected from the second event data.

16. The one or more computing elements of claim 15, wherein the operations further comprise:
   determining that the rally point also matches second criteria for a second composition operation of the one or more composition operations;
   determining that third event data in the event stream matches the second criteria for the second composition operation and is associated with the rally point stored in the memory; and
   generating the new event data as second composition event data that includes the first set of data elements from the rally point and a third set of data elements selected from the third event data.

17. One or more non-transitory computer-readable media storing computer-executable instructions for one or more computing elements that, when executed by one or more processors of the one or more computing elements, cause the one or more computing elements to perform operations comprising:
   receiving a configuration from a compiler of a security network, the configuration including a set of instructions of the computer-executable instructions for processing event data associated with occurrences of events on one or more client devices;
   receiving an event stream comprising the event data;
   generating, using at least one of one or more refinement operations or one or more composition operations according to the configuration, new event data based on the event data in the event stream;
   adding the new event data to the event stream;
   determining, based on the configuration, that the event data in the event stream matches a target behavior; and
   outputting a result indicating that the event data in the event stream matches the target behavior.

18. The one or more non-transitory computer-readable media of claim 17, wherein generating the new event data comprises:
   determining that a piece of event data in the event stream matches filter criteria for a refinement operation of the one or more refinement operations;
   identifying at least a subset of data elements in the piece of event data based on a context collection format associated with the refinement operation; and
   generating the new event data as refined event data that includes the at least the subset of data elements in the piece of event data.

19. The one or more non-transitory computer-readable media of claim 17, wherein generating the new event data comprises:
   determining that first event data in the event stream matches criteria for a composition operation of the one or more composition operations;
   generating a rally point that includes at least a first set of data elements associated with the first event data;
   storing the rally point in memory;
   determining that second event data in the event stream matches the criteria for the composition operation and is associated with the rally point stored in the memory; and
   generating the new event data as composition event data that includes the first set of data elements from the rally point and a second set of data elements selected from the second event data.

20. The one or more non-transitory computer-readable media of claim 19, wherein the operations further comprise:
   determining that the rally point also matches second criteria for a second composition operation of the one or more composition operations;
   determining that third event data in the event stream matches the second criteria for the second composition operation and is associated with the rally point stored in the memory; and
   generating the new event data as second composition event data that includes the first set of data elements from the rally point and a third set of data elements selected from the third event data.
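The refinement and composition operations of claims 1 to 6, as an added toy example that is not code from the patent or from CrowdStrike: a compute engine applies a refinement (filter criteria plus a context collection format) and a composition that creates a rally point on a first event, consumes it on a matching second event, and reports the target behavior. The configuration shape, the "pid" join key and the sample events are all constructed assumptions.

```python
from collections import deque

# Constructed configuration standing in for the compiler's compiled instructions (assumed shape).
CONFIG = {
    "refinements": [{"filter": {"type": "process_create", "name": "powershell.exe"},
                     "collect": ["pid", "cmdline"], "out_type": "ps_start"}],  # context collection format
    "compositions": [{"name": "ps_net", "join_key": "pid", "first": "ps_start",
                      "first_fields": ["pid", "cmdline"], "second": "net_connect",
                      "second_fields": ["dst"], "out_type": "ps_net"}],
    "target": "ps_net",  # the target behavior the engine reports on
}

def refine(ev, op):
    """Refinement: if ev matches the filter criteria, emit new event data holding only the collected elements."""
    if all(ev.get(k) == v for k, v in op["filter"].items()):
        return {"type": op["out_type"], **{k: ev[k] for k in op["collect"]}}
    return None

def compose(ev, op, rally_points):
    """Composition: the first event creates a rally point keyed on the join key;
    the associated second event consumes it and yields composition event data."""
    key = (op["name"], ev.get(op["join_key"]))
    if ev["type"] == op["first"]:
        rally_points[key] = {k: ev[k] for k in op["first_fields"]}
    elif ev["type"] == op["second"] and key in rally_points:
        rp = rally_points.pop(key)  # rally point deleted once the second event arrives (claim 6)
        return {"type": op["out_type"], **rp, **{k: ev[k] for k in op["second_fields"]}}
    return None

def process(config, events):
    """Run the event stream through the configured operations; return target-behavior results."""
    stream, rally_points, results = deque(events), {}, []
    while stream:
        ev = stream.popleft()
        new = [refine(ev, op) for op in config["refinements"]]
        new += [compose(ev, op, rally_points) for op in config["compositions"]]
        for n in filter(None, new):
            stream.appendleft(n)  # new event data is added back to the stream for further processing
        if ev["type"] == config["target"]:
            results.append(ev)
    return results

# Constructed sample event stream (not from the patent).
EVENTS = [
    {"type": "process_create", "pid": 41, "name": "powershell.exe", "cmdline": "powershell.exe -File inventory.ps1"},
    {"type": "process_create", "pid": 42, "name": "notepad.exe", "cmdline": "notepad.exe"},
    {"type": "net_connect", "pid": 41, "dst": "203.0.113.5:443"},
    {"type": "net_connect", "pid": 42, "dst": "203.0.113.6:443"},
]
```

Only pid 41 produces a result: its process_create is refined to ps_start, which seeds a rally point that the later net_connect with the same pid consumes; pid 42 never matches the refinement filter, so no rally point exists for it.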