User classification by local to global sequence alignment techniques for anomaly-based intrusion detection

US 10,491,615 B2
Filed: 01/09/2017
Issued: 11/26/2019
Est. Priority Date: 01/09/2017
Status: Active Grant

First Claim

Patent Images

1. A method for implementation by one or more data processors forming part of at least one computing system, the method comprising:

monitoring a sequence of events by a single user with at least one computing system, each event characterizing user interaction with the at least one computing system, the sequence of events forming a plurality of pairwise disjoint log samples;

determining, using an adjacency graph trained using a plurality of log samples generated by a plurality of users, whether any of the log samples is anomalous; and

providing data characterizing the log samples determined to be anomalous;

wherein the adjacency graph is generated by;

calculating, for each of a plurality pairs of historically generated log samples, an asymmetric adjacency which characterizes how well a first sample fits to a second sample and a symmetric adjacency which characterizes how well the second sample fits to the first sample; and

defining vertices and edges of the adjacency graph are based on the calculated asymmetric adjacency and symmetric adjacency.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A sequence of events by a single user with at least one computing system are monitored. Each event characterizes user interaction with the at least one computing system and the sequence of events form a plurality of pairwise disjoint log samples. Thereafter, it is determined, using an adjacency graph trained using a plurality of log samples generated by a plurality of users, whether any of the log samples is anomalous. Data can be provided that characterizes the log samples determined to be anomalous. Related apparatus, systems, techniques and articles are also described.

13 Citations

20 Claims

1. A method for implementation by one or more data processors forming part of at least one computing system, the method comprising:
- monitoring a sequence of events by a single user with at least one computing system, each event characterizing user interaction with the at least one computing system, the sequence of events forming a plurality of pairwise disjoint log samples;
  
  determining, using an adjacency graph trained using a plurality of log samples generated by a plurality of users, whether any of the log samples is anomalous; and
  
  providing data characterizing the log samples determined to be anomalous;
  
  wherein the adjacency graph is generated by;
  
  calculating, for each of a plurality pairs of historically generated log samples, an asymmetric adjacency which characterizes how well a first sample fits to a second sample and a symmetric adjacency which characterizes how well the second sample fits to the first sample; and
  
  defining vertices and edges of the adjacency graph are based on the calculated asymmetric adjacency and symmetric adjacency.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the providing data comprises at least one of:
    - displaying at least one a portion of the data characterizing the log samples determined to be anomalous in an electronic visual display, persisting at least one a portion of the data characterizing the log samples determined to be anomalous in physical data storage, loading at least one a portion of the data characterizing the log samples determined to be anomalous in memory, or transmitting at least one a portion of the data characterizing the log samples determined to be anomalous to a remote computing system.
  - 3. The method of claim 1, wherein the providing data comprises generating an alert identifying activity of the user as being anomalous.
  - 4. The method of claim 1, wherein the monitoring and determining are performed by an intrusion detection system including at least one computing device monitoring communications between a client computing device and at least one backend server.
  - 5. The method of claim 1, wherein the monitored events comprise categorical data characterizing remote functions associated with the at least one computing system.
  - 6. The method of claim 5, wherein the remote functions comprise one or more of:
    - Open Data Protocol (OData) services, XMLHttpRequests (XHR), or Remote Function Calls (RFCs).
  - 7. The method of claim 1, wherein the monitored events comprise events involving an operating system of the at least one computing system.
  - 8. The method of claim 1, wherein the monitoring comprises intercepting queries to analyze table names within SQL statements to log which database tables with which the user is interacting.
  - 9. The method of claim 1, wherein the monitored events characterize user interaction with a graphical user interface rendered on an electronic visual display associated with the at least one computing system.
  - 10. The method of claim 1, wherein the monitored events characterize data exchange volume between the at least one computing system and at least one remote computing system.
  - 11. The method of claim 1, wherein the monitored events characterize data exchange periodicity and/or frequency between the at least one computing system and at least one remote computing system.
  - 12. The method of claim 1, wherein the adjacency graph is generated by calculating, for each of a plurality pairs of historically generated log samples, an asymmetric adjacency.
  - 13. The method of claim 12, wherein the adjacency graph is generated by calculating, for each of a plurality pairs of historically generated log samples, a symmetric adjacency based on the calculated asymmetric adjacency.
  - 14. The method of claim 13, wherein vertices and edges of the adjacency graph are based on the calculated asymmetric adjacency and symmetric adjacency.
  - 15. The method of claim 1, wherein the adjacency graph is previously generated and static.
  - 16. The method of claim 1, wherein the adjacency graph is dynamically updated as additional events are monitored.

17. A system comprising:
- at least one data processor; and
  
  memory storing instructions which, when executed by the at least one data processor, result in operations comprising;
  
  monitoring a sequence of events by a single user with at least one computing system, each event characterizing user interaction with the at least one computing system, the sequence of events forming a plurality of pairwise disjoint log samples;
  
  determining, using an adjacency graph trained using a plurality of log samples generated by a plurality of users, whether any of the log samples is anomalous; and
  
  providing data characterizing the log samples determined to be anomalous;
  
  wherein the adjacency graph is generated by;
  
  calculating, for each of a plurality pairs of historically generated log samples, an asymmetric adjacency which characterizes how well a first sample fits to a second sample and symmetric adjacency which characterizes how well the second sample fits to the first sample; and
  
  defining vertices and edges of the adjacency graph are based on the calculated asymmetric adjacency and symmetric adjacency.
- View Dependent Claims (18, 19)
- - 18. The system of claim 17, wherein the adjacency graph is generated by calculating, for each of a plurality pairs of historically generated log samples, an asymmetric adjacency.
  - 19. The system of claim 18, wherein:
    - the adjacency graph is generated by calculating, for each of a plurality pairs of historically generated log samples, a symmetric adjacency based on the calculated asymmetric adjacency;
      
      vertices and edges of the adjacency graph are based on the calculated asymmetric adjacency and symmetric adjacency.

20. A non-transitory computer program product storing instructions which, when executed by at least one data processor forming part of at least one computing system, result in operations comprising:
- monitoring a sequence of events by a single user with at least one computing system, each event characterizing user interaction with the at least one computing system, the sequence of events forming a plurality of pairwise disjoint log samples;
  
  determining, using an adjacency graph trained using a plurality of log samples generated by a plurality of users, whether any of the log samples is anomalous; and
  
  providing data characterizing the log samples determined to be anomalous;
  
  wherein the adjacency graph is generated by;
  
  calculating, for each of a plurality pairs of historically generated log samples, an asymmetric adjacency which characterizes how well a first sample fits to a second sample and a symmetric adjacency which characterizes how well the second sample fits to the first sample; and
  
  defining vertices and edges of the adjacency graph are based on the calculated asymmetric adjacency and symmetric adjacency.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
Haerterich, Martin
Primary Examiner(s)
Vaughan, Michael R

Application Number

US15/401,861
Publication Number

US 20180198810A1
Time in Patent Office

1,051 Days
Field of Search
US Class Current
CPC Class Codes

G06N 20/00   Machine learning

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/168   above the transport layer

User classification by local to global sequence alignment techniques for anomaly-based intrusion detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

13 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

User classification by local to global sequence alignment techniques for anomaly-based intrusion detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others