Using frequency analysis in enterprise threat detection to detect intrusions in a computer system
First Claim
1. A computer-implemented method, comprising:
- receiving time domain activity data for a computer system, wherein the time domain activity data comprise activity records associated with the computer system in a time domain;
- filtering the time domain activity data based on activities associated with a monitored job or a monitored user;
- computing, by a hardware processor at an intrusion detection system, frequency domain activity data based on the filtered time domain activity data, wherein computing, by the hardware processor, the frequency domain activity data based on the filtered time domain activity data comprises:
  - grouping the filtered time domain activity data into a plurality of groups, each of the plurality of groups comprises filtered time domain activity data in a different time period; and
  - for each of the groups, computing frequency domain activity data based on the filtered time domain activity data in the respective group;
- identifying, by the hardware processor at the intrusion detection system, a presence of a malicious attack among the activity records by comparing the frequency domain activity data; and
- displaying, at the intrusion detection system, the frequency domain activity data for each group consecutively.
Abstract
The present disclosure describes methods, systems, and computer program products for performing a frequency domain analysis of activity data for a computer system. One computer-implemented method includes receiving time domain activity data for a computer system, wherein the time domain activity data comprise activity records associated with the computer system in a time domain; computing, by a hardware processor, frequency domain activity data based on the time domain activity data; and displaying the frequency domain activity data.
201 Citations
14 Claims
1. A computer-implemented method, comprising:
- receiving time domain activity data for a computer system, wherein the time domain activity data comprise activity records associated with the computer system in a time domain;
- filtering the time domain activity data based on activities associated with a monitored job or a monitored user;
- computing, by a hardware processor at an intrusion detection system, frequency domain activity data based on the filtered time domain activity data, wherein computing, by the hardware processor, the frequency domain activity data based on the filtered time domain activity data comprises:
  - grouping the filtered time domain activity data into a plurality of groups, each of the plurality of groups comprises filtered time domain activity data in a different time period; and
  - for each of the groups, computing frequency domain activity data based on the filtered time domain activity data in the respective group;
- identifying, by the hardware processor at the intrusion detection system, a presence of a malicious attack among the activity records by comparing the frequency domain activity data; and
- displaying, at the intrusion detection system, the frequency domain activity data for each group consecutively.

Dependent claims: 2, 3, 4, 5.

6. A computer-implemented system, comprising:
- a computer memory; and
- a hardware processor interoperably coupled with the computer memory and configured to perform operations comprising:
  - receiving time domain activity data for a computer system, wherein the time domain activity data comprise activity records for the different computer system in a time domain;
  - filtering the time domain activity data based on activities associated with a monitored job or a monitored user;
  - computing frequency domain activity data based on the filtered time domain activity data, wherein computing the frequency domain activity data based on the filtered time domain activity data comprises:
    - grouping the filtered time domain activity data into a plurality of groups, each of the plurality of groups comprises filtered time domain activity data in a different time period; and
    - for each of the groups, computing frequency domain activity data based on the filtered time domain activity data in the respective group;
  - identifying a presence of a malicious attack among the activity records by comparing the frequency domain activity data computed; and
  - displaying the frequency domain activity data for each group consecutively.

Dependent claims: 7, 8, 9, 10.

11. A non-transitory, computer-readable medium storing one or more instructions executable by a computer system to perform operations comprising:
- receiving time domain activity data for a computer system, wherein the time domain activity data comprise activity records for the different computer system in a time domain;
- filtering the time domain activity data based on activities associated with a monitored job or a monitored user;
- computing, by a hardware processor at the computer system, frequency domain activity data based on the filtered time domain activity data, wherein computing, by the hardware processor at the computer system, the frequency domain activity data based on the filtered time domain activity data comprises:
  - grouping the filtered time domain activity data into a plurality of groups, each of the plurality of groups comprises filtered time domain activity data in a different time period; and
  - for each of the groups, computing frequency domain activity data based on the filtered time domain activity data in the respective group;
- identifying, by the hardware processor at the computer system, a presence of a malicious attack among the activity records by comparing the frequency domain activity data; and
- displaying, at the computer system, the frequency domain activity data for each group consecutively.

Dependent claims: 12, 13, 14.
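The pipeline the claims describe (filter records by monitored user, group into time periods, compute a spectrum per group, compare groups) as an added example; this is illustrative code written here, not the patent's or any product's implementation. It assumes one-second activity bins, 64-second groups, a plain DFT so it runs without numpy, and a peak-to-mean spectral ratio as one possible way to compare groups; the sample records are constructed.

```python
import cmath
from collections import Counter

WINDOW = 64  # assumption: each group is 64 one-second bins of activity counts

def filter_records(records, monitored_user):
    """Keep only the activity records of the monitored user (or job)."""
    return [(t, u) for t, u in records if u == monitored_user]

def group_into_windows(records, window=WINDOW):
    """Bin records into per-second counts, then split into consecutive fixed-length groups."""
    if not records:
        return []
    counts = Counter(t for t, _ in records)
    n_groups = max(counts) // window + 1
    return [[counts.get(g * window + i, 0) for i in range(window)] for g in range(n_groups)]

def magnitude_spectrum(series):
    """Plain DFT magnitudes for bins 1..N/2; the DC bin (overall volume) is dropped."""
    n = len(series)
    return [abs(sum(x * cmath.exp(-2j * cmath.pi * k * i / n) for i, x in enumerate(series)))
            for k in range(1, n // 2 + 1)]

def spectral_summary(spectrum, window=WINDOW):
    """Peak-to-mean ratio of the spectrum and the period (s) of its lowest strong peak."""
    peak = max(spectrum)
    mean = sum(spectrum) / len(spectrum)
    k = next(i for i, m in enumerate(spectrum, start=1) if m >= 0.9 * peak)
    return peak / mean, window / k

def analyse(records, monitored_user, threshold=6.0):
    """Per-group (ratio, period) plus the indices of groups whose spectrum is dominated by one tone."""
    summaries, flagged = [], []
    for idx, series in enumerate(group_into_windows(filter_records(records, monitored_user))):
        if sum(series) == 0:
            summaries.append((0.0, None))
            continue
        ratio, period = spectral_summary(magnitude_spectrum(series))
        summaries.append((ratio, period))
        if ratio >= threshold:  # assumed threshold; a flat spectrum gives ratios near 1-3
            flagged.append(idx)
    return summaries, flagged

# Constructed sample records (timestamp_seconds, user). Group 0: irregular interactive
# activity by alice. Group 1: something under alice's account acts exactly every 8 s.
SAMPLE = [(3, "alice"), (17, "alice"), (29, "alice"), (30, "alice"), (51, "alice"),
          (5, "bob"), (70, "bob"), (90, "bob")] + [(64 + 8 * i, "alice") for i in range(8)]
```

Calling analyse(SAMPLE, "alice") returns one (ratio, period) pair per group, so consecutive groups can be compared side by side as the claims describe; only group 1, with its 8-second tone, crosses the threshold.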
Specification