主权项 |
1. An anomaly detection system, comprising:
a processor configured to:
determine a set of anomalous events associated with an enterprise network, wherein each of the set of anomalous events is stored with a corresponding plurality of attributes; anddetermine a path of interest based at least in part on at least a subset of the set of anomalous events, wherein the path of interest includes a series of two or more anomalous events from the set of anomalous events, wherein each anomalous event of the path of interest is determined to be linked to an adjacent anomalous event of the path of interest, wherein determining the path of interest includes:
determining that an attribute of a stored plurality of attributes corresponding to a first anomalous event of the set of anomalous events matches an attribute of a stored plurality of attributes corresponding to a second anomalous event of the set of anomalous events;storing a link relationship between the first anomalous event and the second anomalous event based at least in part on the determination that the attribute of the stored plurality of attributes corresponding to the first anomalous event matches the attribute of the stored plurality of attributes corresponding to the second anomalous event, wherein the link relationship between the first anomalous event and the second anomalous event is included in the path of interest; anddetermining a score corresponding to the stored link relationship between the first anomalous event and the second anomalous event;determine an overall score corresponding to the path of interest based at least in part on the score corresponding to the stored link relationship between the first anomalous event and the second anomalous event, and a memory coupled to the processor and configured to store data associated with the set of anomalous events. |