Title Network security threat detection by user/user-entity behavioral analysis
Abstract A security platform employs a variety of techniques and mechanisms to detect security-related anomalies and threats in a computer network environment. The security platform is "big data" driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security-related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
Publication number US9516053(B1) Publication date 2016.12.06
Application number US201514929168 Filing date 2015.10.30
Applicant Splunk Inc. Inventors Muddu Sudhakar;Tryfonas Christos
Classification H04L29/06;G06N99/00 Main classification H04L29/06
Agency Perkins Coie LLP Agent Perkins Coie LLP
Independent claim 1. A method comprising: receiving, at a computer system, first event data indicative of computer network activity of an entity that is part of or has interacted with a computer network; constructing, by a first automated process in the computer system, a first variable behavior baseline of the entity, based on the first event data, the first variable behavior baseline being representative of a first particular type of computer network activity by the entity; constructing, by the computer system, a second variable behavior baseline of the entity, based on the first event data or other event data indicative of computer network activity of the entity, the second variable behavior baseline being representative of a second particular type of computer network activity by the entity; receiving, at the computer system, second event data indicative of additional computer network activity associated with the entity; comparing, by the computer system, the second event data to at least one of the first variable behavior baseline of the entity or the second variable behavior baseline of the entity; determining, by at least a second automated process in the computer system, that the additional computer network activity associated with the entity represents a network security anomaly or a network security threat, when said comparing results in a determination that the second event data has a specified relationship to at least one of the first variable behavior baseline of the entity or the second variable baseline of the entity; and adjusting, by the first automated process, the first variable behavior baseline of the entity based on the second event data, wherein the first automated process and the second automated process are processes of a machine learning model.
Address San Francisco CA US