Anomaly detection using sequences of system calls
First Claim
1. A method of detecting a call sequence in a computing system, the computing system storing a set of call sequences, each call sequence containing a sequence of invocation identifiers that specify a valid sequence of programmatic procedures, wherein each invocation identifier corresponds to a message that invokes a corresponding programmatic procedure, the method comprising:
- receiving a new message from a process, the new message including at least a programmatic procedure identifier and a receiver process identifier;
- determining a corresponding invocation identifier based on at least the programmatic procedure identifier and the receiver process identifier;
- appending the corresponding invocation identifier to a sequence of previously-determined invocation identifiers corresponding to a sequence of previously-received messages from the process to generate a translated call sequence;
- identifying the translated call sequence as an anomaly based on selecting a portion of the translated call sequence and determining that the portion of the translated call sequence does not match at least one of the call sequences in the set of call sequences; and
- causing an action based on identification of the translated call sequence as an anomaly.
Abstract
Systems and methods of detecting a call sequence anomaly in a message-based operating system are provided. A message may be received that indicates a programmatic procedure of an operating system was invoked. The message may include a programmatic procedure identifier, a sender process identifier, and a receiver process identifier. An invocation hash may be generated based on the message. The invocation hash may be translated to a smaller invocation identifier. The invocation identifier may be included in a translated call sequence that comprises invocation identifiers for a series of invocations. Depending on whether the translated call sequence is included in previously generated predetermined call sequences, the translated call sequence may be determined as an anomaly or not an anomaly.
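The pipeline the abstract describes (message to invocation hash, hash to compact invocation identifier, per-process translated call sequence, window compared against a stored set of valid sequences), as an added Python example that is not part of the patent; it assumes a SHA-256 invocation hash, a window length of 3, identifiers derived from the procedure and receiver only, and constructed sample messages of the form (sender pid, procedure, receiver pid).

```python
import hashlib
from collections import defaultdict, deque


class CallSequenceDetector:
    """Sliding-window anomaly detector over translated call sequences."""

    def __init__(self, window=3):
        self.window = window                 # length of the compared "portion"
        self.ids = {}                        # invocation hash -> small integer id
        self.valid = set()                   # stored set of valid call sequences
        # one translated call sequence per sending process (assumption)
        self.history = defaultdict(lambda: deque(maxlen=window))

    def invocation_id(self, proc, receiver):
        # Hash the (procedure, receiver) pair, then translate the hash to a
        # compact identifier; sender is deliberately left out so that the
        # learned sequences carry over to other processes (assumption).
        digest = hashlib.sha256(f"{proc}|{receiver}".encode()).hexdigest()
        return self.ids.setdefault(digest, len(self.ids))

    def _translate(self, sender, proc, receiver):
        # Append the new id to the sender's sequence; deque keeps the last N.
        seq = self.history[sender]
        seq.append(self.invocation_id(proc, receiver))
        return tuple(seq)

    def train(self, messages):
        """Build the set of valid call sequences from known-good traffic."""
        for sender, proc, receiver in messages:
            portion = self._translate(sender, proc, receiver)
            if len(portion) == self.window:
                self.valid.add(portion)

    def observe(self, sender, proc, receiver):
        """Return True when the latest window is not a stored valid sequence."""
        portion = self._translate(sender, proc, receiver)
        if len(portion) < self.window:
            return False                     # not enough history to compare yet
        return portion not in self.valid

    def scan(self, messages):
        """The 'action' here is reporting: indices of anomalous messages."""
        return [i for i, m in enumerate(messages) if self.observe(*m)]


# Constructed sample traffic: pid 41 talks to a file-service process (pid 7).
TRAINING = [(41, "open", 7), (41, "read", 7), (41, "read", 7), (41, "close", 7),
            (41, "open", 7), (41, "read", 7), (41, "close", 7)]
# Constructed observation: pid 99 repeats the pattern, then invokes an
# unseen procedure on a different receiver (pid 9).
OBSERVED = [(99, "open", 7), (99, "read", 7), (99, "read", 7),
            (99, "close", 7), (99, "exec", 9)]
```

Training yields five distinct 3-identifier windows; only the fifth observed message (index 4) produces a window absent from that set.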
17 Claims
1. Independent claim; text as set out under First Claim above. Dependent claims: 2, 3, 4, 5, 6.
7. A non-transitory computer readable storage medium comprising computer executable instructions, the computer executable instructions executable by a processor to detect a call sequence in a computing system, the computing system storing a set of call sequences, each call sequence containing a sequence of invocation identifiers that specify a valid sequence of programmatic procedures, wherein each invocation identifier corresponds to a message that invokes a corresponding programmatic procedure, the computer executable instructions comprising:
- instructions executable to receive a new message from a process, the new message including at least a programmatic procedure identifier and a receiver process identifier;
- instructions executable to determine a corresponding invocation identifier based on at least the programmatic procedure identifier and the receiver process identifier;
- instructions executable to append the corresponding invocation identifier to a sequence of previously-determined invocation identifiers corresponding to a sequence of previously-received messages from the process to generate a translated call sequence;
- instructions executable to identify the translated call sequence as an anomaly based on selecting a portion of the translated call sequence and determining that the portion of the translated call sequence does not match at least one of the call sequences in the set of call sequences; and
- instructions executable to cause an action based on identification of the translated call sequence as an anomaly.

Dependent claims: 8, 9, 10, 11.
12. A computing system to detect a call sequence anomaly in the computing system, the computing system comprising:
- memory storing a set of call sequences, each call sequence containing a sequence of invocation identifiers that specify a valid sequence of programmatic procedures, wherein each invocation identifier corresponds to a message that invokes a corresponding programmatic procedure;
- a processor;
- processor-executable instructions that, when executed by the processor, are to cause the processor to:
  - receive a new message from a process, the new message including at least a programmatic procedure identifier and a receiver process identifier;
  - determine a corresponding invocation identifier based on at least the programmatic procedure identifier and the receiver process identifier;
  - append the corresponding invocation identifier to a sequence of previously-determined invocation identifiers corresponding to a sequence of previously-received messages from the process to generate a translated call sequence;
  - identify the translated call sequence as an anomaly based on selecting of a portion of the translated call sequence and a determination that the portion of the translated call sequence does not match at least one of the call sequences in the set of call sequences; and
  - cause an action based on identification of the translated call sequence as an anomaly.

Dependent claims: 13, 14, 15, 16, 17.