SlideShare uma empresa Scribd logo

Splunk live! Customer Presentation – Prelert

Splunk
Splunk

From Splunklive! San Francisco

Tecnologia
1 de 35
Anomaly Detection using Machine Learning Predictive Analytics the anomaly detection company
Terminology • Machine-learning  Autonomous self-learning without the assistance of humans (unsupervised learning) • Predictive Analytics  Probabilistic prediction of behavior based upon observed past behavior • Anomaly Detection  what’s “different” or weird” versus what’s “good” or “bad”
Q: What’s Interesting Here? 3
A: Only What’s Behaving Abnormally 4
Anomaly Detection - an Analogy • How could I accurately predict how much Postal-mail you are likely to get delivered to your home tomorrow? • And, how would I know if the amount you received was “abnormal”?
A practical methodology would involve… • First, determine what’s normal before I can declare what’s abnormal • Watch your mail delivery volume for a while…  1 day?  1 week?  1 month? • Notice, that you intuitively feel like you’ll gain accuracy in your predictions with more data that you see. • Ideally, use those observations to create a…
Probability Distribution Function pieces of mail per day %likelihood(probability)
Probability Distribution Function pieces of mail per day %likelihood(probability) Best for my house
Probability Distribution Function pieces of mail per day %likelihood(probability) College Student?
Probability Distribution Function pieces of mail per day %likelihood(probability) My Mom
Finding “what’s unexpected”… Your job is often looking for unexpected change in your environment, either proactively through monitoring or reactively through diagnostics/troubleshooting
Using the PDF to Find What is Unexpected pieces of mail per day %likelihood(probability) zero pieces of mail? fifteen pieces of mail?
Relate back to IT and Security data • # Pieces of mail = # events of a certain type  Number of failed logins  Number of errors of different types  Number of events with certain status codes  Etc. • Or, performance metrics  Response time  Utilization % => Every kind of data will need its own unique “model” (probability distribution function)
Do You Know How to Accurately Model? • Which one(s) models your data best? • You will want to get it right 14 source: “Doing Data Science” O’Neil & Schutt avg +/- 2 stdev assumes Gaussian (Normal) Distribution!
Gaussian (“Normal”) Distribution 15
Non-Gaussian Data status=503 status=404 CPU load Memory Utilization Revenue Transactions
Standard Deviations – Not so Good 33,000+ performance metrics analyzed using +/- 2.5σ 0 1000 2000 3000 4000 5000 6000 7000 28 Feb 00:00 28 Feb 12:00 01 Mar 00:00 01 Mar 12:00 02 Mar 00:00 02 Mar 12:00 03 Mar 00:00 03 Mar 12:00 • Never less than 900 alerts per hour • Real outage (circled) overshadowed by ~6000 extraneous alerts Total # Alerts
Don’t worry, we have you covered • Prelert uses sophisticated machine-learning techniques to best-fit the right statistical model for your data. • Better models = better outlier detection = less false alarms 20
21 DEMO
Kinds of Anomalies Detected 22 Deviations in event count vs. time Deviations in values vs. time Rare occurrences of things Population/Peer outliers
#1) Deviations in Event Counts/Rates • Use Case: Online Commerce Site  Cyclical online ordering volume (credit cards, etc.)  Service outage on May 10th orders not being processed, dip in afternoon volume 23
Hard to automatically detect because… • Tricky to catch with thresholds because overall count didn’t dip below low watermark • Output of Splunk “predict”: 24
Prelert finds the anomaly perfectly 25 • No extraneous false alarms • Despite the inherent challenges of the periodic nature of the data
#2) Deviations in Performance Metrics • Use Case: Online travel portal • Makes web services calls to airlines for fare quotes • Each airline responds to fare request with its own typical response time (20 airlines): 26
Hard to automatically detect because… • Tricky to construct unique thresholds for each airline individually • Cannot do “avg +/- 2σ” because it is too noisy for this kind of data • Splunk’s “predict” doesn’t support explosion out via by clause (“by airline”) 27
Prelert finds the anomaly perfectly 28 • Only 1 of the many airlines is having an issue
#3) Rare Items as Anomalies • Use Case: Security team @ services company • Wanted to profile typical processes on each host using netstat • Goal was to identify rare processes that “start up and communicate” for each host, individually 29
Hard to automatically detect because… • Each host has it’s own separate “set” of typical processes that are potentially unique • i.e. FTP may run routinely run on server A, but never runs on server B • Maintaining a running list of “typical processes” across hundreds of servers not practical • Splunk “rare” command is not truly a rarity measurement, just “least occurring” 30
Prelert finds the anomaly perfectly 31 • Finds FTP process running for 3 hours on system that doesn’t normally run FTP
#4) Population / Peer Outliers • Use Case: Proxy log data  Need to determine which users/systems are sending out requests/data much differently than the others 32
Hard to automatically detect because… • Peer analysis is impossible without Prelert 33
Prelert finds the anomaly perfectly 34 • One particular host sending many requests (20,000/hr) to an IIS webserver • This is an attempt to hack the webserver
Anomaly Detective App • Free to download and try – 100% native Splunk app • Easy to use – “push button anomaly detection” • More powerful anomaly detection than Splunk on its own • Scalable for big data sets 35 http://goo.gl/KJY9B
Bonus – Anomaly Cross-Correlation • Use Case: Retail company with flaky POS application (gift card redemption)  App occasionally disconnects from DB  Team suspects either a DB or a network problem, but hard to find cause • Prelert configured to run anomaly detection across 3 data types simultaneously  App logs (unstructured) – count by dynamic message type  SQL Server performance metrics  Network performance metrics 36
Result: Instant Answers 37 Symptom: Sudden influx of DB errors in log Symptom: Drop in SQL Server client connections Cause: Network spike and TCP discards

Recomendados

SplunkLive! Prelert Session - Extending Splunk with Machine Learning
SplunkLive! Prelert Session - Extending Splunk with Machine LearningSplunkLive! Prelert Session - Extending Splunk with Machine Learning
SplunkLive! Prelert Session - Extending Splunk with Machine LearningSplunk
 
Influx/Days 2017 San Francisco | Baron Schwartz
Influx/Days 2017 San Francisco | Baron SchwartzInflux/Days 2017 San Francisco | Baron Schwartz
Influx/Days 2017 San Francisco | Baron SchwartzInfluxData
 
Simple math for anomaly detection toufic boubez - metafor software - monito...
Simple math for anomaly detection toufic boubez - metafor software - monito...Simple math for anomaly detection toufic boubez - metafor software - monito...
Simple math for anomaly detection toufic boubez - metafor software - monito...tboubez
 
Data pipelines and anomaly detection
Data pipelines and anomaly detectionData pipelines and anomaly detection
Data pipelines and anomaly detectionSho Fola Soboyejo
 
Defcon 21-pinto-defending-networks-machine-learning by pseudor00t
Defcon 21-pinto-defending-networks-machine-learning by pseudor00tDefcon 21-pinto-defending-networks-machine-learning by pseudor00t
Defcon 21-pinto-defending-networks-machine-learning by pseudor00tpseudor00t overflow
 
Demystifying observability
Demystifying observability Demystifying observability
Demystifying observability Abigail Bangser
 
Vissec2014
Vissec2014Vissec2014
Vissec2014Simon Walton
 
[DrupalCon] Erase Unconscious Bias From Your AI Datasets
[DrupalCon] Erase Unconscious Bias From Your AI Datasets[DrupalCon] Erase Unconscious Bias From Your AI Datasets
[DrupalCon] Erase Unconscious Bias From Your AI DatasetsLauren Maffeo
 

Recomendados

SplunkLive! Prelert Session - Extending Splunk with Machine Learning
SplunkLive! Prelert Session - Extending Splunk with Machine LearningSplunkLive! Prelert Session - Extending Splunk with Machine Learning
SplunkLive! Prelert Session - Extending Splunk with Machine LearningSplunk
 
Influx/Days 2017 San Francisco | Baron Schwartz
Influx/Days 2017 San Francisco | Baron SchwartzInflux/Days 2017 San Francisco | Baron Schwartz
Influx/Days 2017 San Francisco | Baron SchwartzInfluxData
 
Simple math for anomaly detection toufic boubez - metafor software - monito...
Simple math for anomaly detection toufic boubez - metafor software - monito...Simple math for anomaly detection toufic boubez - metafor software - monito...
Simple math for anomaly detection toufic boubez - metafor software - monito...tboubez
 
Data pipelines and anomaly detection
Data pipelines and anomaly detectionData pipelines and anomaly detection
Data pipelines and anomaly detectionSho Fola Soboyejo
 
Defcon 21-pinto-defending-networks-machine-learning by pseudor00t
Defcon 21-pinto-defending-networks-machine-learning by pseudor00tDefcon 21-pinto-defending-networks-machine-learning by pseudor00t
Defcon 21-pinto-defending-networks-machine-learning by pseudor00tpseudor00t overflow
 
Demystifying observability
Demystifying observability Demystifying observability
Demystifying observability Abigail Bangser
 
Vissec2014
Vissec2014Vissec2014
Vissec2014Simon Walton
 
[DrupalCon] Erase Unconscious Bias From Your AI Datasets
[DrupalCon] Erase Unconscious Bias From Your AI Datasets[DrupalCon] Erase Unconscious Bias From Your AI Datasets
[DrupalCon] Erase Unconscious Bias From Your AI DatasetsLauren Maffeo
 
Probabilistic Programming: Why, What, How, When?
Probabilistic Programming: Why, What, How, When?Probabilistic Programming: Why, What, How, When?
Probabilistic Programming: Why, What, How, When?Salesforce Engineering
 
O'Reilly Security New York - Predicting Exploitability Final
O'Reilly Security New York - Predicting Exploitability FinalO'Reilly Security New York - Predicting Exploitability Final
O'Reilly Security New York - Predicting Exploitability FinalMichael Roytman
 
A quest for better sleep
A quest for better sleepA quest for better sleep
A quest for better sleepAlex Martinelli
 
Azure machine learning
Azure machine learningAzure machine learning
Azure machine learningAnne Bougie
 
Engage 2013 - Leveraging Ad Hoc Analysis
Engage 2013 - Leveraging Ad Hoc AnalysisEngage 2013 - Leveraging Ad Hoc Analysis
Engage 2013 - Leveraging Ad Hoc AnalysisWebtrends
 
LOPSA East 2013 - Building a More Effective Monitoring Environment
LOPSA East 2013 - Building a More Effective Monitoring EnvironmentLOPSA East 2013 - Building a More Effective Monitoring Environment
LOPSA East 2013 - Building a More Effective Monitoring EnvironmentMike Julian
 
Phone addiction
Phone addictionPhone addiction
Phone addictionaiclub_slides
 
SANS OUCH Newsletter April 2016
SANS OUCH Newsletter April 2016SANS OUCH Newsletter April 2016
SANS OUCH Newsletter April 2016Gene Ferro
 
Splunk Dynamic lookup
Splunk Dynamic lookupSplunk Dynamic lookup
Splunk Dynamic lookupSplunk
 
Long Term Reporting with Savvius and Splunk
Long Term Reporting with Savvius and SplunkLong Term Reporting with Savvius and Splunk
Long Term Reporting with Savvius and SplunkSavvius, Inc
 
SplunkLive! Customer Presentation - Cequint
SplunkLive! Customer Presentation - CequintSplunkLive! Customer Presentation - Cequint
SplunkLive! Customer Presentation - CequintSplunk
 
Splunk live university of alberta 2015
Splunk live university of alberta 2015Splunk live university of alberta 2015
Splunk live university of alberta 2015dostatni
 
SplunkLive! Austin Customer Presentation - Dell
SplunkLive! Austin Customer Presentation - DellSplunkLive! Austin Customer Presentation - Dell
SplunkLive! Austin Customer Presentation - DellSplunk
 
Splunk Ninjas: New Features, Pivot, and Search Dojo
Splunk Ninjas: New Features, Pivot, and Search DojoSplunk Ninjas: New Features, Pivot, and Search Dojo
Splunk Ninjas: New Features, Pivot, and Search DojoSplunk
 
SplunkLive! Warsaw 2016 - Machine Learning
SplunkLive! Warsaw 2016 - Machine LearningSplunkLive! Warsaw 2016 - Machine Learning
SplunkLive! Warsaw 2016 - Machine LearningSplunk
 
Herbalife Customer Presentation
Herbalife Customer PresentationHerbalife Customer Presentation
Herbalife Customer PresentationSplunk
 
AWS on Splunk, Splunk on AWS
AWS on Splunk, Splunk on AWSAWS on Splunk, Splunk on AWS
AWS on Splunk, Splunk on AWSSplunk
 
Molina Healthcare Customer Presentation
Molina Healthcare Customer PresentationMolina Healthcare Customer Presentation
Molina Healthcare Customer PresentationSplunk
 
Experian Customer Presentation
Experian Customer PresentationExperian Customer Presentation
Experian Customer PresentationSplunk
 
Drop, Stop & Roll
Drop, Stop & RollDrop, Stop & Roll
Drop, Stop & RollJohn Hoffoss
 
Observability for Emerging Infra (what got you here won't get you there)
Observability for Emerging Infra (what got you here won't get you there)Observability for Emerging Infra (what got you here won't get you there)
Observability for Emerging Infra (what got you here won't get you there)Charity Majors
 
Anomaly Detection Using the CLA
Anomaly Detection Using the CLAAnomaly Detection Using the CLA
Anomaly Detection Using the CLANumenta
 

Mais conteúdo relacionado

Mais procurados

Probabilistic Programming: Why, What, How, When?
Probabilistic Programming: Why, What, How, When?Probabilistic Programming: Why, What, How, When?
Probabilistic Programming: Why, What, How, When?Salesforce Engineering
 
O'Reilly Security New York - Predicting Exploitability Final
O'Reilly Security New York - Predicting Exploitability FinalO'Reilly Security New York - Predicting Exploitability Final
O'Reilly Security New York - Predicting Exploitability FinalMichael Roytman
 
A quest for better sleep
A quest for better sleepA quest for better sleep
A quest for better sleepAlex Martinelli
 
Azure machine learning
Azure machine learningAzure machine learning
Azure machine learningAnne Bougie
 
Engage 2013 - Leveraging Ad Hoc Analysis
Engage 2013 - Leveraging Ad Hoc AnalysisEngage 2013 - Leveraging Ad Hoc Analysis
Engage 2013 - Leveraging Ad Hoc AnalysisWebtrends
 
LOPSA East 2013 - Building a More Effective Monitoring Environment
LOPSA East 2013 - Building a More Effective Monitoring EnvironmentLOPSA East 2013 - Building a More Effective Monitoring Environment
LOPSA East 2013 - Building a More Effective Monitoring EnvironmentMike Julian
 
SANS OUCH Newsletter April 2016
SANS OUCH Newsletter April 2016SANS OUCH Newsletter April 2016
SANS OUCH Newsletter April 2016Gene Ferro
 

Mais procurados (8)

Probabilistic Programming: Why, What, How, When?
Probabilistic Programming: Why, What, How, When?Probabilistic Programming: Why, What, How, When?
Probabilistic Programming: Why, What, How, When?
 
O'Reilly Security New York - Predicting Exploitability Final
O'Reilly Security New York - Predicting Exploitability FinalO'Reilly Security New York - Predicting Exploitability Final
O'Reilly Security New York - Predicting Exploitability Final
 
A quest for better sleep
A quest for better sleepA quest for better sleep
A quest for better sleep
 
Azure machine learning
Azure machine learningAzure machine learning
Azure machine learning
 
Engage 2013 - Leveraging Ad Hoc Analysis
Engage 2013 - Leveraging Ad Hoc AnalysisEngage 2013 - Leveraging Ad Hoc Analysis
Engage 2013 - Leveraging Ad Hoc Analysis
 
LOPSA East 2013 - Building a More Effective Monitoring Environment
LOPSA East 2013 - Building a More Effective Monitoring EnvironmentLOPSA East 2013 - Building a More Effective Monitoring Environment
LOPSA East 2013 - Building a More Effective Monitoring Environment
 
Phone addiction
Phone addictionPhone addiction
Phone addiction
 
SANS OUCH Newsletter April 2016
SANS OUCH Newsletter April 2016SANS OUCH Newsletter April 2016
SANS OUCH Newsletter April 2016
 

Destaque

Splunk Dynamic lookup
Splunk Dynamic lookupSplunk Dynamic lookup
Splunk Dynamic lookupSplunk
 
Long Term Reporting with Savvius and Splunk
Long Term Reporting with Savvius and SplunkLong Term Reporting with Savvius and Splunk
Long Term Reporting with Savvius and SplunkSavvius, Inc
 
SplunkLive! Customer Presentation - Cequint
SplunkLive! Customer Presentation - CequintSplunkLive! Customer Presentation - Cequint
SplunkLive! Customer Presentation - CequintSplunk
 
Splunk live university of alberta 2015
Splunk live university of alberta 2015Splunk live university of alberta 2015
Splunk live university of alberta 2015dostatni
 
SplunkLive! Austin Customer Presentation - Dell
SplunkLive! Austin Customer Presentation - DellSplunkLive! Austin Customer Presentation - Dell
SplunkLive! Austin Customer Presentation - DellSplunk
 
Splunk Ninjas: New Features, Pivot, and Search Dojo
Splunk Ninjas: New Features, Pivot, and Search DojoSplunk Ninjas: New Features, Pivot, and Search Dojo
Splunk Ninjas: New Features, Pivot, and Search DojoSplunk
 
SplunkLive! Warsaw 2016 - Machine Learning
SplunkLive! Warsaw 2016 - Machine LearningSplunkLive! Warsaw 2016 - Machine Learning
SplunkLive! Warsaw 2016 - Machine LearningSplunk
 
Herbalife Customer Presentation
Herbalife Customer PresentationHerbalife Customer Presentation
Herbalife Customer PresentationSplunk
 
AWS on Splunk, Splunk on AWS
AWS on Splunk, Splunk on AWSAWS on Splunk, Splunk on AWS
AWS on Splunk, Splunk on AWSSplunk
 
Molina Healthcare Customer Presentation
Molina Healthcare Customer PresentationMolina Healthcare Customer Presentation
Molina Healthcare Customer PresentationSplunk
 
Experian Customer Presentation
Experian Customer PresentationExperian Customer Presentation
Experian Customer PresentationSplunk
 

Destaque (11)

Splunk Dynamic lookup
Splunk Dynamic lookupSplunk Dynamic lookup
Splunk Dynamic lookup
 
Long Term Reporting with Savvius and Splunk
Long Term Reporting with Savvius and SplunkLong Term Reporting with Savvius and Splunk
Long Term Reporting with Savvius and Splunk
 
SplunkLive! Customer Presentation - Cequint
SplunkLive! Customer Presentation - CequintSplunkLive! Customer Presentation - Cequint
SplunkLive! Customer Presentation - Cequint
 
Splunk live university of alberta 2015
Splunk live university of alberta 2015Splunk live university of alberta 2015
Splunk live university of alberta 2015
 
SplunkLive! Austin Customer Presentation - Dell
SplunkLive! Austin Customer Presentation - DellSplunkLive! Austin Customer Presentation - Dell
SplunkLive! Austin Customer Presentation - Dell
 
Splunk Ninjas: New Features, Pivot, and Search Dojo
Splunk Ninjas: New Features, Pivot, and Search DojoSplunk Ninjas: New Features, Pivot, and Search Dojo
Splunk Ninjas: New Features, Pivot, and Search Dojo
 
SplunkLive! Warsaw 2016 - Machine Learning
SplunkLive! Warsaw 2016 - Machine LearningSplunkLive! Warsaw 2016 - Machine Learning
SplunkLive! Warsaw 2016 - Machine Learning
 
Herbalife Customer Presentation
Herbalife Customer PresentationHerbalife Customer Presentation
Herbalife Customer Presentation
 
AWS on Splunk, Splunk on AWS
AWS on Splunk, Splunk on AWSAWS on Splunk, Splunk on AWS
AWS on Splunk, Splunk on AWS
 
Molina Healthcare Customer Presentation
Molina Healthcare Customer PresentationMolina Healthcare Customer Presentation
Molina Healthcare Customer Presentation
 
Experian Customer Presentation
Experian Customer PresentationExperian Customer Presentation
Experian Customer Presentation
 

Semelhante a Splunk live! Customer Presentation – Prelert

Observability for Emerging Infra (what got you here won't get you there)
Observability for Emerging Infra (what got you here won't get you there)Observability for Emerging Infra (what got you here won't get you there)
Observability for Emerging Infra (what got you here won't get you there)Charity Majors
 
Anomaly Detection Using the CLA
Anomaly Detection Using the CLAAnomaly Detection Using the CLA
Anomaly Detection Using the CLANumenta
 
Anomaly Detection and Automatic Labeling with Deep Learning
Anomaly Detection and Automatic Labeling with Deep LearningAnomaly Detection and Automatic Labeling with Deep Learning
Anomaly Detection and Automatic Labeling with Deep LearningAdam Gibson
 
IT Operation Analytic for security- MiSSconf(sp1)
IT Operation Analytic for security- MiSSconf(sp1)IT Operation Analytic for security- MiSSconf(sp1)
IT Operation Analytic for security- MiSSconf(sp1)stelligence
 
Anomaly Detection in Time-Series Data using the Elastic Stack by Henry Pak
Anomaly Detection in Time-Series Data using the Elastic Stack by Henry PakAnomaly Detection in Time-Series Data using the Elastic Stack by Henry Pak
Anomaly Detection in Time-Series Data using the Elastic Stack by Henry PakData Con LA
 
Five Things I Learned While Building Anomaly Detection Tools - Toufic Boubez ...
Five Things I Learned While Building Anomaly Detection Tools - Toufic Boubez ...Five Things I Learned While Building Anomaly Detection Tools - Toufic Boubez ...
Five Things I Learned While Building Anomaly Detection Tools - Toufic Boubez ...tboubez
 
From ensembles to computer networks
From ensembles to computer networksFrom ensembles to computer networks
From ensembles to computer networksCSIRO
 
(BDT207) Real-Time Analytics In Service Of Self-Healing Ecosystems
(BDT207) Real-Time Analytics In Service Of Self-Healing Ecosystems(BDT207) Real-Time Analytics In Service Of Self-Healing Ecosystems
(BDT207) Real-Time Analytics In Service Of Self-Healing EcosystemsAmazon Web Services
 
Boost your business reliability with Azure Anomaly Detector
Boost your business reliability with Azure Anomaly DetectorBoost your business reliability with Azure Anomaly Detector
Boost your business reliability with Azure Anomaly DetectorLuis Beltran
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationRaffael Marty
 
Navy security contest-bigdataforsecurity
Navy security contest-bigdataforsecurityNavy security contest-bigdataforsecurity
Navy security contest-bigdataforsecuritystelligence
 
Effective approaches to web application security
Effective approaches to web application security Effective approaches to web application security
Effective approaches to web application security Zane Lackey
 
Rise of the machines -- Owasp israel -- June 2014 meetup
Rise of the machines -- Owasp israel -- June 2014 meetupRise of the machines -- Owasp israel -- June 2014 meetup
Rise of the machines -- Owasp israel -- June 2014 meetupShlomo Yona
 
Open Anti-Cheat System (OACS)
Open Anti-Cheat System (OACS)Open Anti-Cheat System (OACS)
Open Anti-Cheat System (OACS)Stephen Larroque
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security TestingTEST Huddle
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)Aj Maurya
 
RuSIEM overview (english version)
RuSIEM overview (english version)RuSIEM overview (english version)
RuSIEM overview (english version)Olesya Shelestova
 

Semelhante a Splunk live! Customer Presentation – Prelert (20)

Drop, Stop & Roll
Drop, Stop & RollDrop, Stop & Roll
Drop, Stop & Roll
 
Observability for Emerging Infra (what got you here won't get you there)
Observability for Emerging Infra (what got you here won't get you there)Observability for Emerging Infra (what got you here won't get you there)
Observability for Emerging Infra (what got you here won't get you there)
 
Anomaly Detection Using the CLA
Anomaly Detection Using the CLAAnomaly Detection Using the CLA
Anomaly Detection Using the CLA
 
Anomaly Detection and Automatic Labeling with Deep Learning
Anomaly Detection and Automatic Labeling with Deep LearningAnomaly Detection and Automatic Labeling with Deep Learning
Anomaly Detection and Automatic Labeling with Deep Learning
 
IT Operation Analytic for security- MiSSconf(sp1)
IT Operation Analytic for security- MiSSconf(sp1)IT Operation Analytic for security- MiSSconf(sp1)
IT Operation Analytic for security- MiSSconf(sp1)
 
Anomaly Detection in Time-Series Data using the Elastic Stack by Henry Pak
Anomaly Detection in Time-Series Data using the Elastic Stack by Henry PakAnomaly Detection in Time-Series Data using the Elastic Stack by Henry Pak
Anomaly Detection in Time-Series Data using the Elastic Stack by Henry Pak
 
Five Things I Learned While Building Anomaly Detection Tools - Toufic Boubez ...
Five Things I Learned While Building Anomaly Detection Tools - Toufic Boubez ...Five Things I Learned While Building Anomaly Detection Tools - Toufic Boubez ...
Five Things I Learned While Building Anomaly Detection Tools - Toufic Boubez ...
 
From ensembles to computer networks
From ensembles to computer networksFrom ensembles to computer networks
From ensembles to computer networks
 
(BDT207) Real-Time Analytics In Service Of Self-Healing Ecosystems
(BDT207) Real-Time Analytics In Service Of Self-Healing Ecosystems(BDT207) Real-Time Analytics In Service Of Self-Healing Ecosystems
(BDT207) Real-Time Analytics In Service Of Self-Healing Ecosystems
 
Boost your business reliability with Azure Anomaly Detector
Boost your business reliability with Azure Anomaly DetectorBoost your business reliability with Azure Anomaly Detector
Boost your business reliability with Azure Anomaly Detector
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & Visualization
 
Navy security contest-bigdataforsecurity
Navy security contest-bigdataforsecurityNavy security contest-bigdataforsecurity
Navy security contest-bigdataforsecurity
 
Effective approaches to web application security
Effective approaches to web application security Effective approaches to web application security
Effective approaches to web application security
 
Rise of the machines -- Owasp israel -- June 2014 meetup
Rise of the machines -- Owasp israel -- June 2014 meetupRise of the machines -- Owasp israel -- June 2014 meetup
Rise of the machines -- Owasp israel -- June 2014 meetup
 
Open Anti-Cheat System (OACS)
Open Anti-Cheat System (OACS)Open Anti-Cheat System (OACS)
Open Anti-Cheat System (OACS)
 
李育杰/The Growth of a Data Scientist
李育杰/The Growth of a Data Scientist李育杰/The Growth of a Data Scientist
李育杰/The Growth of a Data Scientist
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security Testing
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)
 
RuSIEM overview (english version)
RuSIEM overview (english version)RuSIEM overview (english version)
RuSIEM overview (english version)
 
L15. Machine Learning - Black Art
L15. Machine Learning - Black ArtL15. Machine Learning - Black Art
L15. Machine Learning - Black Art
 

Mais de Splunk

.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routineSplunk
 
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTVSplunk
 
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica).conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica)Splunk
 
.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank InternationalSplunk
 
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett .conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett Splunk
 
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär).conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)Splunk
 
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu....conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...Splunk
 
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever....conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...Splunk
 
.conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex).conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex)Splunk
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)Splunk
 
Splunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk
 
Splunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk
 
Splunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk
 
Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College LondonSplunk
 
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSplunk
 
.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session.conf Go 2022 - Observability Session
.conf Go 2022 - Observability SessionSplunk
 
.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - KeynoteSplunk
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform SessionSplunk
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security SessionSplunk
 

Mais de Splunk (20)

.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine
 
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
 
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica).conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
 
.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International
 
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett .conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
 
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär).conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
 
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu....conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
 
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever....conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
 
.conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex).conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex)
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
 
Splunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11y
 
Splunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go Köln
 
Splunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go Köln
 
Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London
 
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security Webinar
 
.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session
 
.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session
 

Último

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 

Último (20)

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 

Splunk live! Customer Presentation – Prelert

  • 1. Anomaly Detection using Machine Learning Predictive Analytics the anomaly detection company
  • 2. Terminology • Machine-learning  Autonomous self-learning without the assistance of humans (unsupervised learning) • Predictive Analytics  Probabilistic prediction of behavior based upon observed past behavior • Anomaly Detection  what’s “different” or weird” versus what’s “good” or “bad”
  • 4. A: Only What’s Behaving Abnormally 4
  • 5. Anomaly Detection - an Analogy • How could I accurately predict how much Postal-mail you are likely to get delivered to your home tomorrow? • And, how would I know if the amount you received was “abnormal”?
  • 6. A practical methodology would involve… • First, determine what’s normal before I can declare what’s abnormal • Watch your mail delivery volume for a while…  1 day?  1 week?  1 month? • Notice, that you intuitively feel like you’ll gain accuracy in your predictions with more data that you see. • Ideally, use those observations to create a…
  • 7. Probability Distribution Function pieces of mail per day %likelihood(probability)
  • 8. Probability Distribution Function pieces of mail per day %likelihood(probability) Best for my house
  • 9. Probability Distribution Function pieces of mail per day %likelihood(probability) College Student?
  • 10. Probability Distribution Function pieces of mail per day %likelihood(probability) My Mom
  • 11. Finding “what’s unexpected”… Your job is often looking for unexpected change in your environment, either proactively through monitoring or reactively through diagnostics/troubleshooting
  • 12. Using the PDF to Find What is Unexpected pieces of mail per day %likelihood(probability) zero pieces of mail? fifteen pieces of mail?
  • 13. Relate back to IT and Security data • # Pieces of mail = # events of a certain type  Number of failed logins  Number of errors of different types  Number of events with certain status codes  Etc. • Or, performance metrics  Response time  Utilization % => Every kind of data will need its own unique “model” (probability distribution function)
  • 14. Do You Know How to Accurately Model? • Which one(s) models your data best? • You will want to get it right 14 source: “Doing Data Science” O’Neil & Schutt avg +/- 2 stdev assumes Gaussian (Normal) Distribution!
  • 17. Standard Deviations – Not so Good 33,000+ performance metrics analyzed using +/- 2.5σ 0 1000 2000 3000 4000 5000 6000 7000 28 Feb 00:00 28 Feb 12:00 01 Mar 00:00 01 Mar 12:00 02 Mar 00:00 02 Mar 12:00 03 Mar 00:00 03 Mar 12:00 • Never less than 900 alerts per hour • Real outage (circled) overshadowed by ~6000 extraneous alerts Total # Alerts
  • 18. Don’t worry, we have you covered • Prelert uses sophisticated machine-learning techniques to best-fit the right statistical model for your data. • Better models = better outlier detection = less false alarms 20
  • 20. Kinds of Anomalies Detected 22 Deviations in event count vs. time Deviations in values vs. time Rare occurrences of things Population/Peer outliers
  • 21. #1) Deviations in Event Counts/Rates • Use Case: Online Commerce Site  Cyclical online ordering volume (credit cards, etc.)  Service outage on May 10th orders not being processed, dip in afternoon volume 23
  • 22. Hard to automatically detect because… • Tricky to catch with thresholds because overall count didn’t dip below low watermark • Output of Splunk “predict”: 24
  • 23. Prelert finds the anomaly perfectly 25 • No extraneous false alarms • Despite the inherent challenges of the periodic nature of the data
  • 24. #2) Deviations in Performance Metrics • Use Case: Online travel portal • Makes web services calls to airlines for fare quotes • Each airline responds to fare request with its own typical response time (20 airlines): 26
  • 25. Hard to automatically detect because… • Tricky to construct unique thresholds for each airline individually • Cannot do “avg +/- 2σ” because it is too noisy for this kind of data • Splunk’s “predict” doesn’t support explosion out via by clause (“by airline”) 27
  • 26. Prelert finds the anomaly perfectly 28 • Only 1 of the many airlines is having an issue
  • 27. #3) Rare Items as Anomalies • Use Case: Security team @ services company • Wanted to profile typical processes on each host using netstat • Goal was to identify rare processes that “start up and communicate” for each host, individually 29
  • 28. Hard to automatically detect because… • Each host has it’s own separate “set” of typical processes that are potentially unique • i.e. FTP may run routinely run on server A, but never runs on server B • Maintaining a running list of “typical processes” across hundreds of servers not practical • Splunk “rare” command is not truly a rarity measurement, just “least occurring” 30
  • 29. Prelert finds the anomaly perfectly 31 • Finds FTP process running for 3 hours on system that doesn’t normally run FTP
  • 30. #4) Population / Peer Outliers • Use Case: Proxy log data  Need to determine which users/systems are sending out requests/data much differently than the others 32
  • 31. Hard to automatically detect because… • Peer analysis is impossible without Prelert 33
  • 32. Prelert finds the anomaly perfectly 34 • One particular host sending many requests (20,000/hr) to an IIS webserver • This is an attempt to hack the webserver
  • 33. Anomaly Detective App • Free to download and try – 100% native Splunk app • Easy to use – “push button anomaly detection” • More powerful anomaly detection than Splunk on its own • Scalable for big data sets 35 http://goo.gl/KJY9B
  • 34. Bonus – Anomaly Cross-Correlation • Use Case: Retail company with flaky POS application (gift card redemption)  App occasionally disconnects from DB  Team suspects either a DB or a network problem, but hard to find cause • Prelert configured to run anomaly detection across 3 data types simultaneously  App logs (unstructured) – count by dynamic message type  SQL Server performance metrics  Network performance metrics 36
  • 35. Result: Instant Answers 37 Symptom: Sudden influx of DB errors in log Symptom: Drop in SQL Server client connections Cause: Network spike and TCP discards

Notas do Editor

  1. [no audio here]
  2. Probability of data comes in all shapes and sizes – rarely does it fit a nice bell curve
  3. index="invite" | timechart span=1h count as mycount | predict mycount | rename upper95(prediction(mycount)) as ceiling | rename lower95(prediction(mycount)) as floor | eval alarm1=if(mycount > ceiling, "10000", "0") | eval alarm2=if(mycount < floor, "-10000", "0") | table _time,alarm1,alarm2,mycount,ceiling,floor
  4. Prelert has users analyzing 100,000+ simultaneous unique metrics, not just 20!