Patent attributes
A system for classifying events on a computer network includes an event clustering engine that receives event and log data related to identifiable actors from a security information and event management (SIEM) or log management module and selects behavioral groupings of that event and log data. An affinity-based feature generation module assigns a value to each identifiable actor based on how often, within predetermined time intervals, that actor exhibits the selected behavioral grouping. A time-based weighting decay module applies a time-decaying function to the values assigned to each identifiable actor. A feature engineering storage module stores information relating to the identifiable actors and their associated time-decayed values. A machine learning module generates a prediction model from information received from the event clustering engine and the time-based weighting decay module, and a prediction engine on a computer uses that model to predict and classify newly received event and log data as malicious or non-malicious.
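The following Python is an added illustration of the affinity-based feature generation and time-based weighting decay stages described above; it is not the patent's implementation. The sample events, the behavioral grouping map, the bin interval, the look-back horizon and the half-life are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events (not from the patent): (timestamp_seconds, actor, event_type).
SAMPLE_EVENTS = [
    (14000, "user_a", "failed_login"),
    (13900, "user_a", "failed_login"),
    (10000, "user_a", "lockout"),
    (3000,  "user_a", "file_copy"),
    (-500,  "user_a", "failed_login"),   # older than the horizon: dropped
    (14100, "user_b", "file_copy"),
    (7000,  "user_b", "large_download"),
    (100,   "user_b", "failed_login"),
    (14200, "user_c", "ping"),           # no behavioral grouping: ignored
]

# Assumed behavioral groupings; the patent's clustering engine would select these from data.
BEHAVIOR_GROUPS = {
    "failed_login": "auth_failure",
    "lockout": "auth_failure",
    "file_copy": "data_access",
    "large_download": "data_access",
}

def affinity_counts(events, now, interval, horizon, groups=BEHAVIOR_GROUPS):
    """Per actor and grouping, count events in each interval-sized bin back from
    `now`; bin 0 is the most recent. Events outside [now - horizon, now] are dropped."""
    n_bins = horizon // interval
    counts = defaultdict(lambda: defaultdict(lambda: [0] * n_bins))
    for ts, actor, event_type in events:
        group = groups.get(event_type)
        age = now - ts
        if group is None or age < 0 or age >= horizon:
            continue
        counts[actor][group][age // interval] += 1
    return {actor: dict(per_group) for actor, per_group in counts.items()}

def decay_weight(age, half_life):
    """Exponential decay: a bin `half_life` seconds old counts half as much."""
    return 0.5 ** (age / half_life)

def decayed_affinity(events, now, interval, horizon, half_life):
    """Collapse each actor's binned counts into one time-decayed score per grouping."""
    scores = {}
    for actor, per_group in affinity_counts(events, now, interval, horizon).items():
        scores[actor] = {
            g: sum(c * decay_weight(i * interval, half_life) for i, c in enumerate(bins))
            for g, bins in per_group.items()
        }
    return scores

def feature_vector(scores, actor, group_order):
    """Fixed-order vector handed to the prediction model; missing groupings score 0.0."""
    return [scores.get(actor, {}).get(g, 0.0) for g in group_order]
```

With a one-hour interval, a four-hour horizon and a one-hour half-life, two recent failed logins plus an hour-old lockout give user_a an auth_failure score of 2.5, while user_c, whose only event has no grouping, gets an all-zero vector.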