Using frequency analysis in enterprise threat detection to detect intrusions in a computer system

US 10,530,792 B2
Filed: 12/15/2016
Issued: 01/07/2020
Est. Priority Date: 12/15/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving time domain activity data for a computer system, wherein the time domain activity data comprise activity records associated with the computer system in a time domain;

filtering the time domain activity data based on activities associated with a monitored job or a monitored user;

computing, by a hardware processor at an intrusion detection system, frequency domain activity data based on the filtered time domain activity data, wherein computing, by the hardware processor, the frequency domain activity data based on the filtered time domain activity data comprise;

grouping the filtered time domain activity data into a plurality of groups, each of the plurality of groups comprises filtered time domain activity data in a different time period; and

for each of the groups, computing frequency domain activity data based on the filtered time domain activity data in the respective group;

identifying, by the hardware processor at the intrusion detection system, a presence of a malicious attack among the activity records by comparing the frequency domain activity data; and

displaying, at the intrusion detection system, the frequency domain activity data for each group consecutively.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure describes methods, systems, and computer program products for performing a frequency domain analysis of activity data for a computer system. One computer-implemented method receiving time domain activity data for a computer system, wherein the time domain activity data comprise activity records associated with the computer system in a time domain; computing, by a hardware processor, frequency domain activity data based on the time domain activity data; and displaying the frequency domain activity data.

201 Citations

14 Claims

1. A computer-implemented method, comprising:
- receiving time domain activity data for a computer system, wherein the time domain activity data comprise activity records associated with the computer system in a time domain;
  
  filtering the time domain activity data based on activities associated with a monitored job or a monitored user;
  
  computing, by a hardware processor at an intrusion detection system, frequency domain activity data based on the filtered time domain activity data, wherein computing, by the hardware processor, the frequency domain activity data based on the filtered time domain activity data comprise;
  
  grouping the filtered time domain activity data into a plurality of groups, each of the plurality of groups comprises filtered time domain activity data in a different time period; and
  
  for each of the groups, computing frequency domain activity data based on the filtered time domain activity data in the respective group;
  
  identifying, by the hardware processor at the intrusion detection system, a presence of a malicious attack among the activity records by comparing the frequency domain activity data; and
  
  displaying, at the intrusion detection system, the frequency domain activity data for each group consecutively.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computer-implemented method of claim 1, wherein the frequency domain activity data are computed using Fourier Transform.
  - 3. The computer-implemented method of claim 1, wherein the frequency domain activity data for each group are displayed using an animated format.
  - 4. The computer-implemented method of claim 1, further comprising:
    - determining a maximum amplitudes of the frequency domain activity data; and
      
      displaying a user interface object indicating the maximum amplitude.
  - 5. The computer-implemented method of claim 1, wherein the activity records indicate time at which jobs are executed on the computer system.

6. A computer-implemented system, comprising:
- a computer memory; and
  
  a hardware processor interoperably coupled with the computer memory and configured to perform operations comprising;
  
  receiving time domain activity data for a computer system, wherein the time domain activity data comprise activity records for the different computer system in a time domain;
  
  filtering the time domain activity data on activities associated with a monitored job or a monitored user;
  
  computing frequency domain activity data based on the filtered time domain activity data, wherein computing the frequency domain activity data based on the filtered time domain activity data comprise;
  
  grouping the filtered time domain activity data into a plurality of groups, each of the plurality of groups comprises filtered time domain activity data in a different time period; and
  
  for each of the groups, computing frequency domain activity data based on the filtered time domain activity data in the respective group;
  
  identifying a presence of a malicious attack among the activity records by comparing the frequency domain activity data computed; and
  
  displaying the frequency domain activity data for each group consecutively.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The computer-implemented system of claim 6, wherein the frequency domain activity data are computed using Fourier Transform.
  - 8. The computer-implemented system of claim 6, wherein the frequency domain activity data for each group are displayed using an animated format.
  - 9. The computer-implemented system of claim 6, the operations further comprising:
    - determining a maximum amplitudes of the frequency domain activity data; and
      
      displaying a user interface object indicating the maximum amplitude.
  - 10. The computer-implemented system of claim 6, wherein the activity records indicate time at which jobs are executed on the computer system.

11. A non-transitory, computer-readable medium storing one or more instructions executable by a computer system to perform operations comprising:
- receiving time domain activity data for a computer system, wherein the time domain activity data comprise activity records for the different computer system in a time domain;
  
  filtering the time domain activity data based on activities associated with a monitored job or a monitored user;
  
  computing, by a hardware processor at the computer system, frequency domain activity data based on the filtered time domain activity data, wherein computing, by the hardware processor at the computer system, the frequency domain activity data based on the filtered time domain activity data comprise;
  
  grouping the filtered time domain activity data into a plurality of groups, each of the plurality of groups comprises filtered time domain activity data in a different time period; and
  
  for each of the groups, computing frequency domain activity data based on the filtered time domain activity data in the respective group;
  
  identifying, by the hardware processor at the computer system, a presence of a malicious attack among the activity records by comparing the frequency domain activity data; and
  
  displaying, at the computer system, the frequency domain activity data for each group consecutively.
- View Dependent Claims (12, 13, 14)
- - 12. The non-transitory, computer-readable medium of claim 11, wherein the frequency domain activity data are computed using Fourier Transform.
  - 13. The non-transitory, computer-readable medium of claim 11, wherein the frequency domain activity data for each group are displayed using an animated format.
  - 14. The non-transitory, computer-readable medium of claim 11, the operations further comprising:
    - determining a maximum amplitudes of the frequency domain activity data; and
      
      displaying a user interface object indicating the maximum amplitude.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
Nos, Kathrin, Guzman, Volker, Klose, Marvin
Primary Examiner(s)
Naghdali, Khalil
Assistant Examiner(s)
Wade, Shaqueal D

Application Number

US15/380,450
Publication Number

US 20180176238A1
Time in Patent Office

1,118 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

H04L 63/02   for separating internal fro...

H04L 63/14   for detecting or protecting...

H04L 63/1425   Traffic logging, e.g. anoma...

Using frequency analysis in enterprise threat detection to detect intrusions in a computer system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

201 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Using frequency analysis in enterprise threat detection to detect intrusions in a computer system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

201 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links