-
Publication No.: US11792157B1
Publication Date: 2023-10-17
Application No.: US17941502
Application Date: 2022-09-09
Applicant: SPLUNK Inc.
Inventor: Abhinav Mishra, Giovanni Mola, Ram Sriharsha, Zhaohui Wang
IPC: H04L61/4511, H04L67/141, G06F40/205, H04L43/067, H04L47/28
CPC classification number: H04L61/4511, G06F40/205, H04L43/067, H04L47/286, H04L67/141
Abstract: The disclosure provides implementations for determining whether domain name server (DNS) beaconing is present within a communication session. Some implementations provide a method that includes multiple analyses directed to analyzing each of a time-to-live (TTL) run length distribution for a plurality of DNS records within the communication session and analyzing whether the communication is comprised of at least a threshold number of transmissions. As used in the analyses, the communication session may be comprised of transmissions between a first source device and a first DNS. When DNS beaconing is detected within the communication session, some implementations of the disclosure provide for generating an alert to an administrator or other user.
-
Publication No.: US11477161B1
Publication Date: 2022-10-18
Application No.: US17514814
Application Date: 2021-10-29
Applicant: SPLUNK Inc.
Inventor: Abhinav Mishra, Giovanni Mola, Ram Sriharsha, Zhaohui Wang
IPC: H04L61/4511, H04L67/141, H04L43/067, H04L47/28, G06F40/205
Abstract: A computerized method is disclosed that includes accessing domain name server (DNS) record data including a plurality of DNS records spanning a first time period, performing a time-to-live (TTL) analysis to determine a TTL run length distribution for the DNS record data, wherein the TTL analysis includes: generating a vector of the TTL values of each DNS record ordered sequentially in time, parsing the vector of the TTL values into segments, where a segment consists of one or more TTL values where a current TTL value is less than an immediately preceding TTL value, and determining the TTL run length distribution, determining whether DNS beaconing is present based on a result of the TTL analysis and in response to determining that DNS beaconing is present, generating an alert for a system administrator.
-
Publication No.: US12079233B1
Publication Date: 2024-09-03
Application No.: US17246241
Application Date: 2021-04-30
Applicant: SPLUNK INC.
Inventor: Abhinav Mishra, Ram Sriharsha, Sichen Zhong
IPC: G06F16/2458
CPC classification number: G06F16/2465
Abstract: Embodiments described herein are directed to facilitating performing online data decomposition to identify multiple seasonal components. In accordance with aspects of the present disclosure, a first iterative process is performed to determine a first seasonal component associated with an incoming data point based on a set of previous data points of a time series data set and corresponding data components. In addition, a second iterative process is performed to determine a second seasonal component associated with the incoming data point based on previous data points of the time series data set and corresponding data components. The first seasonal component and the second seasonal component can then be provided for analysis of the incoming data point (e.g., for presentation, for use in determining trend and residual components, etc.).
-
Publication No.: US12056169B1
Publication Date: 2024-08-06
Application No.: US17513670
Application Date: 2021-10-28
Applicant: SPLUNK Inc.
Inventor: Abhinav Mishra, Giovanni Mola, Ram Sriharsha, Abraham Starosta, Zhaohui Wang
CPC classification number: G06F16/334, G06F16/35, G06N20/00
Abstract: A computerized method is disclosed that includes operations of training a machine learning model using a labeled training set of data, wherein the machine learning model is configured to classify domain name server (DNS) records, obtaining DNS record data including at least a first DNS Txt record, applying the trained machine learning model to the first DNS Txt record to classify the first DNS Txt record and responsive to the classification of the first DNS Txt record, generating a flag for a system administrator. The trained machine learning model may classify the first DNS Txt record using logistic regression. In some instances, applying the trained machine learning model to the first DNS Txt record includes performing a tokenizing operation on the first DNS Txt record to generate a tokenized first DNS Txt record.
-
Publication No.: US11620157B2
Publication Date: 2023-04-04
Application No.: US16670789
Application Date: 2019-10-31
Applicant: Splunk Inc.
Inventor: Ram Sriharsha, Mark Huang, Abhinav Mishra, Harsha Wasalathanthrige Don
Abstract: Systems and methods are described for processing ingested pipeline metrics and ingested logs in an asynchronous manner as the data is being ingested to explain anomalies detected in the pipeline metrics using the ingested logs. For example, one or more streaming data processors can convert data as the data is ingested into a comparable data structure, determine whether the comparable data structure should be assigned to an existing data pattern or a new data pattern, and determine whether the logs corresponding to the comparable data structure are anomalous. Separately, the streaming data processor(s) can perform an outlier detection on the pipeline metrics to detect outliers. The streaming data processor(s) can then window the anomalous logs and the pipeline metric outliers to surface explanations for the pipeline metric outliers using the anomalous logs.
-
Publication No.: US12079304B1
Publication Date: 2024-09-03
Application No.: US17246228
Application Date: 2021-04-30
Applicant: SPLUNK INC.
Inventor: Abhinav Mishra, Ram Sriharsha, Sichen Zhong
IPC: G06F18/10, G06F18/214, G06Q10/04
CPC classification number: G06F18/10, G06F18/214, G06Q10/04
Abstract: Embodiments of the present disclosure are directed to facilitating performing online data forecasting. In operation, data decomposition of an incoming data point is performed to determine a trend component associated with the incoming data point. Such a trend component, and previous trend components, can be used to determine a trend component expected for a data point subsequent to the incoming data point. A seasonality component expected for the data point subsequent to the incoming data point can be identified, for example, based on a seasonality component associated with a previous corresponding data point. Thereafter, the expected trend and seasonality components can be used to predict the data point subsequent to the incoming data point. Such a data prediction can be performed in an online processing manner such that a subsequent data point is not used to decompose the incoming data point or forecast the data point.
-
Publication No.: US11907227B1
Publication Date: 2024-02-20
Application No.: US17591511
Application Date: 2022-02-02
Applicant: Splunk, Inc.
Inventor: Zhaohui Wang, Ryan Gannon, Xiao Lin, Abhinav Mishra, Chandrima Sarkar, Ram Sriharsha
IPC: G06F16/00, G06F16/2455, G06F16/22, G06F16/2458
CPC classification number: G06F16/24568, G06F16/22, G06F16/2462, G06F16/24552
Abstract: A computerized method is disclosed including operations of receiving a data stream, performing a changepoint detection resulting in a detection of changepoints in the data stream including: maintaining a listing of starting indices for each run within the data stream in a buffer of size L wherein each index of the listing has a run length probability representing a likelihood of being a changepoint, receiving a new data point within the data stream and adding a new index to the buffer resulting in the buffer having size L+1, calculating a posterior run length probability that the new data point is a changepoint, and removing an index from the listing that has a lowest run length probability thereby returning the buffer to size L, and responsive to determining the index removed from the listing does not correspond to the new data point, identifying a changepoint associated with the new data point.
-
Publication No.: US11729074B1
Publication Date: 2023-08-15
Application No.: US17069693
Application Date: 2020-10-13
Applicant: SPLUNK Inc.
Inventor: Abhinav Mishra, Ram Sriharsha
IPC: H04L43/067, H04L43/022, H04L43/062, H04L43/04
CPC classification number: H04L43/067, H04L43/022, H04L43/04, H04L43/062
Abstract: Embodiments of the present invention are directed to facilitating performing online data decomposition. In accordance with aspects of the present disclosure, an incoming data point of a time series data set is obtained. Thereafter, an iterative process of estimating trend and seasonality is performed to decompose the incoming data point to a set of data components based on a particular set of previous data points of the time series data set and corresponding data components. Generally, the set of data components for the incoming data point include a trend component, a seasonality component, and a residual component. The set of data components is provided for analysis of the incoming data point, such as, for example, to identify data anomalies.
-
Publication No.: US20210117232A1
Publication Date: 2021-04-22
Application No.: US16670789
Application Date: 2019-10-31
Applicant: Splunk Inc.
Inventor: Ram Sriharsha, Mark Huang, Abhinav Mishra, Harsha Wasalathanthrige Don
Abstract: Systems and methods are described for processing ingested pipeline metrics and ingested logs in an asynchronous manner as the data is being ingested to explain anomalies detected in the pipeline metrics using the ingested logs. For example, one or more streaming data processors can convert data as the data is ingested into a comparable data structure, determine whether the comparable data structure should be assigned to an existing data pattern or a new data pattern, and determine whether the logs corresponding to the comparable data structure are anomalous. Separately, the streaming data processor(s) can perform an outlier detection on the pipeline metrics to detect outliers. The streaming data processor(s) can then window the anomalous logs and the pipeline metric outliers to surface explanations for the pipeline metric outliers using the anomalous logs.