Main claim |
1. A method for determining fields for a pattern discovery profile, the method comprising:
receiving, by a computing device comprising a hardware processor that implements machine readable instructions, a stream of event data;
determining a threshold cardinality and a threshold repetitiveness for each of a plurality of fields of the event data, based on a global summary of the event data;
determining cardinality and repetitiveness for each of the plurality of fields of the event data;
selecting, by the computing device, a set of fields among the plurality of fields based on the determined cardinality, the determined repetitiveness, the determined threshold cardinality, and the determined threshold repetitiveness;
including the set of fields in a pattern discovery profile; and
detecting malicious activity in the event data using the pattern discovery profile,
wherein selecting the set of fields comprises selecting a pattern identification field and a plurality of transaction fields based on the determined cardinality and repetitiveness, and
wherein selecting the plurality of transaction fields comprises selecting, from the plurality of fields, a source field and a destination field having a combined cardinality and repetitiveness that satisfy the threshold cardinality and the threshold repetitiveness. |