Detecting anomalous events through runtime verification of software execution using a behavioral model
Abstract
Runtime verification of software execution events against a behavioral model. For each event, it is verified whether there is a short range correlation of a sequence of the event and preceding event(s) with the behavioral model, and whether there is a long range correlation of a group of the sequences and of an arrangement of groups of the sequences with the behavioral model. After verifying each long range correlation, the arrangement of groups in the behavioral model event is substituted with an intersection of an arrangement of groups of the sequences with an arrangement of groups of the sequences in the behavioral model. If an event is not covered by a short range correlation or a long range correlation of a group or a long range correlation of an arrangement of groups, the event is indicated as anomalous.
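A sketch of the three-level check the abstract describes, added here as an illustration; it is not code from the patent. It assumes bigrams (n = 2), a `begin` marker event that opens each group, and one reading of the substitution step: the set of arrangements still possible is replaced by its intersection with the arrangements compatible with what has been observed. All names and the sample model are constructed.

```python
BEGIN = "begin"  # assumed marker event that opens a new group (transaction)

class Monitor:
    def __init__(self, groups, arrangements):
        self.groups = groups                          # group name -> acceptable bigrams
        self.ngrams = set().union(*groups.values())   # every acceptable bigram
        self.arrs = set(arrangements)                 # arrangements still possible
        self.prev, self.cands, self.pos = None, set(groups), -1

    def check(self, event):
        """Return None if the event is covered, else the level that failed.
        State advances only for covered events, so a rejected event never runs."""
        if event == BEGIN:
            cands, pos = set(self.groups), self.pos + 1
        else:
            gram, pos = (self.prev, event), self.pos
            if gram not in self.ngrams:
                return "short-range"
            # Groups that still explain every bigram seen in this transaction.
            cands = {g for g in self.cands if gram in self.groups[g]}
            if not cands:
                return "group"
        # Intersect remaining arrangements with those matching the current group.
        arrs = {a for a in self.arrs if pos < len(a) and a[pos] in cands}
        if not arrs:
            return "arrangement"
        self.prev, self.cands, self.pos, self.arrs = event, cands, pos, arrs
        return None

def run(groups, arrangements, events):
    """Replay events; halt before the first uncovered one."""
    mon, executed = Monitor(groups, arrangements), []
    for ev in events:
        reason = mon.check(ev)
        if reason:
            return executed, (ev, reason)
        executed.append(ev)
    return executed, None

# Constructed model for a toy service (not from the patent).
GROUPS = {
    "query":  {("begin", "auth"), ("auth", "read"), ("read", "read"), ("read", "close")},
    "update": {("begin", "auth"), ("auth", "read"), ("read", "write"), ("write", "close")},
}
ARRANGEMENTS = {("query", "update"), ("query", "query", "update")}
```

Every bigram in `begin auth read read write` is individually acceptable, yet the trace is rejected at the group level because no single group contains both `(read, read)` and `(read, write)`.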
12 Claims
1. A method comprising:
- for each event of a software execution comprising events:
- verifying whether the event is covered by a short range correlation of a sequence of the event and one or more events preceding the event with a sequence of two or more events in a behavioral model that comprises one or more n-grams of acceptable short range correlations of a sequence of two or more of the events, one or more groups of acceptable combinations of n-grams, and one or more group arrangements of acceptable combinations of groups;
- verifying whether the event is covered by a long range correlation of a group of the sequences with a group of the sequences in the behavioral model;
- verifying whether the event is covered by a long range correlation of an arrangement of groups of the sequences with an arrangement of groups of the sequences in the behavioral model;
- after verifying each long range correlation, substituting the arrangement of groups of the sequences in the behavioral model event with an intersection of an arrangement of groups of the sequences with an arrangement of groups of the sequences in the behavioral model; and
- responsive to the event not being covered by at least one of: the short range correlation, the long range correlation of a group of the sequences, or the long range correlation of an arrangement of groups, indicating that the event is anomalous and halting software execution before execution of the indicated anomalous event.

Dependent claims: 2, 3

4. A system comprising:
- one or more computer processors;
- one or more computer-readable storage media;
- a system log stored on the one or more computer-readable storage media for recording events generated by a software execution;
- a behavioral model, stored on the one or more computer-readable storage media comprising one or more n-grams of acceptable short range correlations of a sequence of two or more events, one or more groups of acceptable combinations of n-grams, and one or more group arrangements of acceptable combinations of groups;
- a short range event correlator module, stored on the one or more computer-readable storage media which, when executed by the one or more processors: verifies whether each event is covered by a short range correlation of a sequence of the event and one or more events preceding the event with a sequence of two or more events in the behavioral model; and responsive to the event not being covered by a short range correlation, indicates that the event is anomalous, and halts software execution before execution of the indicated anomalous event;
- a long range correlator module, stored on the one or more computer-readable storage media which, when executed by the one or more processors: verifies whether each event is covered by one or more of a long range correlation of: a group of the sequences with a group of the sequences in the behavioral model; or an arrangement of groups of the sequences with an arrangement of groups of the sequences in the behavioral model; and responsive to the event not being covered by at least one of the long range correlations, indicates that the event is anomalous, and halts software execution before execution of the indicated anomalous event; and
- a transaction arrangement substitutor module, stored on the one or more computer-readable storage media which, when executed by the one or more processors, substitutes, after verifying a long range correlation, the arrangement of groups of the sequences in the behavioral model event with an intersection of an arrangement of groups of the sequences with an arrangement of groups of the sequences in the behavioral model.

Dependent claims: 5, 6

7. A computer program product comprising:
- a computer readable storage medium having program instructions embodied therewith, the program instructions executable by a computer to cause the computer to:
- for each event of a software execution comprising events:
- verify whether the event is covered by a short range correlation of a sequence of the event and one or more events preceding the event with a sequence of two or more events in the behavioral model that comprises one or more n-grams of acceptable short range correlations of a sequence of two or more of the events, one or more groups of acceptable combinations of n-grams, and one or more group arrangements of acceptable combinations of groups;
- verify whether the event is covered by a long range correlation of a group of the sequences with a group of the sequences in the behavioral model;
- verify whether the event is covered by a long range correlation of an arrangement of groups of the sequences with an arrangement of groups of the sequences in the behavioral model;
- after verifying each long range correlation, substituting the arrangement of groups of the sequences in the behavioral model event with an intersection of an arrangement of groups of the sequences with an arrangement of groups of the sequences in the behavioral model; and
- responsive to the event not being covered by at least one of: the short range correlation, the long range correlation of a group of the sequences, or the long range correlation of an arrangement of groups, indicating that the event is anomalous and halting software execution before execution of the indicated anomalous event.

Dependent claims: 8, 9

10. A computer system comprising:
- one or more computer processors, one or more computer-readable storage media, and program instructions stored on one or more of the computer-readable storage media for execution by at least one of the one or more processors, the stored program instructions comprising:
- program instructions, for each event of a software execution comprising events, to:
- verify whether the event is covered by a short range correlation of a sequence of the event and one or more events preceding the event with a sequence of two or more events in a behavioral model that comprises one or more n-grams of acceptable short range correlations of a sequence of two or more of the events, one or more groups of acceptable combinations of n-grams, and one or more group arrangements of acceptable combinations of groups;
- verify whether the event is covered by a long range correlation of a group of the sequences with a group of the sequences in the behavioral model;
- verify whether the event is covered by a long range correlation of an arrangement of groups of the sequences with an arrangement of groups of the sequences in the behavioral model;
- after verifying each long range correlation, substituting the arrangement of groups of the sequences in the behavioral model event with an intersection of an arrangement of groups of the sequences with an arrangement of groups of the sequences in the behavioral model; and
- responsive to the event not being covered by at least one of: the short range correlation, the long range correlation of a group of the sequences, or the long range correlation of an arrangement of groups, indicating that the event is anomalous and halting software execution before execution of the indicated anomalous event.

Dependent claims: 11, 12

Specification