User classification by local to global sequence alignment techniques for anomaly-based intrusion detection
First Claim
1. A method for implementation by one or more data processors forming part of at least one computing system, the method comprising:
monitoring a sequence of events by a single user with at least one computing system, each event characterizing user interaction with the at least one computing system, the sequence of events forming a plurality of pairwise disjoint log samples;
determining, using an adjacency graph trained using a plurality of log samples generated by a plurality of users, whether any of the log samples is anomalous; and
providing data characterizing the log samples determined to be anomalous;
wherein the adjacency graph is generated by:
calculating, for each of a plurality of pairs of historically generated log samples, an asymmetric adjacency which characterizes how well a first sample fits to a second sample and a symmetric adjacency which characterizes how well the second sample fits to the first sample; and
defining vertices and edges of the adjacency graph based on the calculated asymmetric adjacency and symmetric adjacency.
Abstract
A sequence of events by a single user with at least one computing system is monitored. Each event characterizes user interaction with the at least one computing system, and the sequence of events forms a plurality of pairwise disjoint log samples. Thereafter, it is determined, using an adjacency graph trained using a plurality of log samples generated by a plurality of users, whether any of the log samples is anomalous. Data can be provided that characterizes the log samples determined to be anomalous. Related apparatus, systems, techniques and articles are also described.
13 Citations
20 Claims
1. A method for implementation by one or more data processors forming part of at least one computing system (independent claim; its full text is given above under First Claim). Dependent claims: 2 to 16.

17. A system comprising:
at least one data processor; and
memory storing instructions which, when executed by the at least one data processor, result in operations comprising:
monitoring a sequence of events by a single user with at least one computing system, each event characterizing user interaction with the at least one computing system, the sequence of events forming a plurality of pairwise disjoint log samples;
determining, using an adjacency graph trained using a plurality of log samples generated by a plurality of users, whether any of the log samples is anomalous; and
providing data characterizing the log samples determined to be anomalous;
wherein the adjacency graph is generated by:
calculating, for each of a plurality of pairs of historically generated log samples, an asymmetric adjacency which characterizes how well a first sample fits to a second sample and a symmetric adjacency which characterizes how well the second sample fits to the first sample; and
defining vertices and edges of the adjacency graph based on the calculated asymmetric adjacency and symmetric adjacency.
Dependent claims: 18 and 19.

20. A non-transitory computer program product storing instructions which, when executed by at least one data processor forming part of at least one computing system, result in operations comprising:
monitoring a sequence of events by a single user with at least one computing system, each event characterizing user interaction with the at least one computing system, the sequence of events forming a plurality of pairwise disjoint log samples;
determining, using an adjacency graph trained using a plurality of log samples generated by a plurality of users, whether any of the log samples is anomalous; and
providing data characterizing the log samples determined to be anomalous;
wherein the adjacency graph is generated by:
calculating, for each of a plurality of pairs of historically generated log samples, an asymmetric adjacency which characterizes how well a first sample fits to a second sample and a symmetric adjacency which characterizes how well the second sample fits to the first sample; and
defining vertices and edges of the adjacency graph based on the calculated asymmetric adjacency and symmetric adjacency.
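The independent claims describe scoring how well one user's log sample fits another, building an adjacency graph from those pairwise scores, and flagging samples that fit the trained graph poorly. The following is an added illustrative example and not the patent's own implementation: it uses a local-to-global (semi-global) alignment of event tokens as the asymmetric fit score, takes the mean of the two directions as the symmetric adjacency, and uses a constructed scoring scheme, threshold and set of sample sessions, all of which are assumptions.

```python
"""Added illustrative example, not the patent's implementation: a local-to-global
alignment "fit" score between event-log samples, an adjacency graph over training
samples, and a threshold test that flags a poorly fitting sample as anomalous."""
from itertools import combinations

MATCH, MISMATCH, GAP = 1.0, -1.0, -0.5   # assumed alignment scoring scheme
THRESHOLD = 0.6                           # assumed adjacency cut-off


def fit_score(a, b):
    """Asymmetric adjacency: how well sample `a` fits into sample `b`.
    `a` is aligned end to end (global in a) against any contiguous stretch of
    `b` (local in b), so fit_score(a, b) != fit_score(b, a) in general.
    Normalised by the best possible score len(a) * MATCH and floored at 0."""
    n, m = len(a), len(b)
    if n == 0:
        return 1.0
    prev = [0.0] * (m + 1)                 # row 0 free: b's prefix costs nothing
    for i in range(1, n + 1):
        cur = [prev[0] + GAP] + [0.0] * m  # skipping a's tokens is always paid for
        for j in range(1, m + 1):
            sub = MATCH if a[i - 1] == b[j - 1] else MISMATCH
            cur[j] = max(prev[j - 1] + sub, prev[j] + GAP, cur[j - 1] + GAP)
        prev = cur
    return max(0.0, max(prev) / (n * MATCH))  # b's suffix is free as well

def symmetric_adjacency(a, b):
    """Undirected edge weight (assumption: mean of the two directional fits)."""
    return (fit_score(a, b) + fit_score(b, a)) / 2

def build_adjacency_graph(samples, threshold=THRESHOLD):
    """Vertices are training samples; an edge joins two samples whose
    symmetric adjacency reaches the threshold."""
    edges = {(i, j) for i, j in combinations(range(len(samples)), 2)
             if symmetric_adjacency(samples[i], samples[j]) >= threshold}
    return {"vertices": list(range(len(samples))), "edges": edges}

def is_anomalous(sample, samples, graph, threshold=THRESHOLD):
    """A sample is anomalous when it fits no vertex of the trained graph well."""
    return max(fit_score(sample, samples[v]) for v in graph["vertices"]) < threshold

# Constructed training sessions (event tokens) from several users, plus two probes
TRAINING = [
    ["login", "open_doc", "edit", "save", "logout"],
    ["login", "open_doc", "edit", "edit", "save", "logout"],
    ["login", "search", "open_doc", "save", "logout"],
]
NORMAL = ["login", "open_doc", "save", "logout"]
SUSPECT = ["login", "export_all", "export_all", "delete", "delete", "logout"]
GRAPH = build_adjacency_graph(TRAINING)
```

Because the fit is global in the probe and local in the training sample, a short normal session still scores highly against longer sessions it is contained in, while a session made of unseen event types scores near zero against every vertex.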
Specification