Anomaly detection has a credibility problem: in any real environment, anomalies happen constantly and almost all of them are harmless. A user logs in from a new city, a server runs a job at an odd hour, a process touches an unusual file. Treat each anomaly as a threat and you bury your analysts in false alarms. The signal isn't in any single anomaly — it's in which anomalies cluster together.

The grant US11606379B2, "Identifying threat indicators by processing multiple anomalies" (issued March 14, 2023, assigned to Splunk Inc.), is built on that insight. Its CPC classifications span the intrusion-detection classes H04L 63/1425, H04L 63/1416, and H04L 63/1433, the policy class H04L 63/20, and the machine-learning class G06N 20/00 — a system that reasons over collections of anomalies rather than individual ones.

“Techniques are described for processing anomalies detected using user-specified rules with anomalies detected using machine-learning based behavioral analysis models to identify threat indicators and security threats to a computer network.” — U.S. Patent No. 11,606,379

The mechanism worth understanding is correlation. A new-location login is unremarkable. A new-location login, followed by access to sensitive systems the account rarely touches, followed by an unusual outbound data transfer, is a story — each piece weak on its own, the combination strongly suggestive of a compromised account being used. Processing anomalies together lets the system find these incriminating combinations and suppress the lone anomalies that are just noise.

For defenders, the practical takeaway is about alert quality. The combinatorial approach is how a detection program escapes alert fatigue: instead of thousands of single-anomaly alerts no one can triage, it surfaces a smaller number of correlated, higher-confidence threats worth investigating. That selectivity is what makes a SOC able to function.

The challenge is the combinatorial space — the number of possible combinations grows exponentially with the number of anomalies, and finding the meaningful ones efficiently is hard. The patent's contribution is in making that correlation tractable, which reflects the maturation of detection from raising alarms toward telling coherent stories that a human can actually act on.
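The story in the new-location-login example above, and the reason the combinatorial space stays manageable, can both be shown in a few dozen lines. The following is an added illustration, not code from the patent or from Splunk: it keeps the search tractable by correlating only anomalies that share an entity (account or host) inside a sliding time window, rather than enumerating every subset, and it promotes a group to a threat indicator only when the group covers a named pattern and its combined confidence clears a threshold. The pattern names, the two-hour window, the noisy-OR combination of per-anomaly scores, and the sample anomalies are all constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import prod


@dataclass(frozen=True)
class Anomaly:
    ts: datetime
    entity: str   # the account or host the anomaly is about
    kind: str     # what was unusual, e.g. "new_location_login"
    source: str   # "rule" (user-specified rule) or "ml" (behavioral model)
    score: float  # per-anomaly confidence in [0, 1]


@dataclass(frozen=True)
class ThreatIndicator:
    entity: str
    name: str
    score: float
    evidence: tuple  # the anomalies that together form the story, in time order


# Hypothetical patterns: sets of anomaly kinds that are weak alone but
# suggestive together. Constructed for this example, not the patent's own.
THREAT_PATTERNS = {
    "compromised_account_exfil": {"new_location_login", "sensitive_access", "unusual_outbound"},
    "lateral_movement": {"new_location_login", "new_host_access", "privilege_change"},
}


def combined_score(scores):
    """Noisy-OR: treat each anomaly as an independent weak signal and return the
    probability that at least one of them reflects a real problem."""
    return 1.0 - prod(1.0 - s for s in scores)


def correlate(anomalies, window=timedelta(hours=2), min_score=0.8):
    """Group anomalies per entity, slide a time window over each entity's
    timeline, and emit one ThreatIndicator per (entity, pattern) the first time
    a window covers every kind in that pattern with enough combined confidence."""
    by_entity = defaultdict(list)
    for a in anomalies:
        by_entity[a.entity].append(a)

    threats, seen = [], set()
    for entity, items in by_entity.items():
        items.sort(key=lambda a: a.ts)
        start = 0
        for end, newest in enumerate(items):
            # Drop anomalies that fell out of the window ending at `newest`.
            while newest.ts - items[start].ts > window:
                start += 1
            in_window = items[start:end + 1]
            for name, pattern in THREAT_PATTERNS.items():
                if (entity, name) in seen:
                    continue
                # Keep the highest-scoring anomaly of each kind the pattern needs.
                best = {}
                for a in in_window:
                    if a.kind in pattern and (a.kind not in best or a.score > best[a.kind].score):
                        best[a.kind] = a
                if set(best) != pattern:
                    continue  # the story is incomplete in this window
                evidence = tuple(sorted(best.values(), key=lambda a: a.ts))
                score = combined_score(a.score for a in evidence)
                if score >= min_score:
                    seen.add((entity, name))
                    threats.append(ThreatIndicator(entity, name, score, evidence))
    return threats


def suppressed(anomalies, threats):
    """Anomalies that contributed to no threat indicator: the lone noise."""
    used = {a for t in threats for a in t.evidence}
    return [a for a in anomalies if a not in used]


# Constructed sample input. alice's three anomalies fall within two hours and
# tell the compromised-account story; bob and server01 each have a lone anomaly;
# carol has the same three kinds, but spread over four hours.
T0 = datetime(2023, 3, 14, 9, 0)
SAMPLE_ANOMALIES = [
    Anomaly(T0, "alice", "new_location_login", "rule", 0.3),
    Anomaly(T0 + timedelta(minutes=40), "alice", "sensitive_access", "ml", 0.5),
    Anomaly(T0 + timedelta(minutes=90), "alice", "unusual_outbound", "ml", 0.5),
    Anomaly(T0 - timedelta(hours=1), "bob", "new_location_login", "rule", 0.3),
    Anomaly(T0 - timedelta(hours=6), "server01", "sensitive_access", "ml", 0.4),
    Anomaly(T0, "carol", "new_location_login", "rule", 0.3),
    Anomaly(T0 + timedelta(hours=4), "carol", "sensitive_access", "ml", 0.5),
    Anomaly(T0 + timedelta(hours=4, minutes=30), "carol", "unusual_outbound", "ml", 0.5),
]

if __name__ == "__main__":
    found = correlate(SAMPLE_ANOMALIES)
    for t in found:
        print(f"{t.entity}: {t.name} score={t.score:.3f} evidence={[a.kind for a in t.evidence]}")
    print(f"{len(suppressed(SAMPLE_ANOMALIES, found))} of {len(SAMPLE_ANOMALIES)} anomalies suppressed as noise")
```

Run on the sample, only alice is promoted (three scores of 0.3, 0.5 and 0.5 combine to 0.825 under noisy-OR), and the other five anomalies, including carol's three that are individually identical to alice's but too far apart in time, are left as noise. The per-entity grouping and the time window are what keep the work linear in the number of anomalies per entity instead of exponential; the choice of window size and threshold is a tuning decision that trades missed slow-moving stories against false correlations.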