
Anomaly detection using sequences of system calls

  • US 10,656,981 B2
  • Filed: 03/25/2019
  • Issued: 05/19/2020
  • Est. Priority Date: 07/19/2016
  • Status: Active Grant
First Claim

1. A method of detecting a call sequence in a computing system, the computing system storing a set of call sequences, each call sequence containing a sequence of invocation identifiers that specify a valid sequence of programmatic procedures, wherein each invocation identifier corresponds to a message that invokes a corresponding programmatic procedure, the method comprising:

  • receiving a new message from a process, the new message including at least a programmatic procedure identifier and a receiver process identifier;
  • determining a corresponding invocation identifier based on at least the programmatic procedure identifier and the receiver process identifier;
  • appending the corresponding invocation identifier to a sequence of previously-determined invocation identifiers corresponding to a sequence of previously-received messages from the process to generate a translated call sequence;
  • identifying the translated call sequence as an anomaly based on selecting a portion of the translated call sequence and determining that the portion of the translated call sequence does not match at least one of the call sequences in the set of call sequences; and
  • causing an action based on identification of the translated call sequence as an anomaly.
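The claimed method as a small working sketch, added here as an illustration and not code from the patent or its assignee. It assumes messages are dicts with "procedure" and "receiver" fields, that the "portion" selected for matching is the most recent window of fixed length n, and that the stored set of valid call sequences is built from constructed known-good traces.

```python
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

InvocationId = Tuple[str, str]     # (programmatic procedure id, receiver process id)
Window = Tuple[InvocationId, ...]  # the selected portion of a translated call sequence

def msg(procedure: str, receiver: str) -> dict:
    return {"procedure": procedure, "receiver": receiver}  # minimal message, per the claim

def invocation_id(message: dict) -> InvocationId:
    # The same procedure sent to a different receiver is a different invocation identifier.
    return (message["procedure"], message["receiver"])

def build_valid_sequences(traces: List[List[dict]], n: int) -> set:
    # Stored set of valid call sequences: every length-n window seen in known-good traces.
    valid = set()
    for trace in traces:
        ids = [invocation_id(m) for m in trace]
        valid.update(tuple(ids[i:i + n]) for i in range(len(ids) - n + 1))
    return valid

class CallSequenceMonitor:
    def __init__(self, valid: set, n: int, on_anomaly: Callable[[str, Window], None]):
        self.valid, self.n, self.on_anomaly = valid, n, on_anomaly
        self.history: Dict[str, List[InvocationId]] = defaultdict(list)  # per-process sequence

    def receive(self, sender: str, message: dict) -> bool:
        """Translate, append, and test the most recent length-n portion against the valid set."""
        seq = self.history[sender]
        seq.append(invocation_id(message))
        portion = tuple(seq[-self.n:])
        if len(seq) < self.n or portion in self.valid:
            return False                        # too little history yet, or a known-valid sequence
        self.on_anomaly(sender, portion)        # the claim's "causing an action" step
        return True

# Constructed known-good traces: a process opens, reads and closes a file via the "fs" service.
GOOD_TRACES = [
    [msg("open", "fs"), msg("read", "fs"), msg("close", "fs")],
    [msg("open", "fs"), msg("read", "fs"), msg("read", "fs"), msg("close", "fs")],
]

def demo() -> List[Tuple[str, Window]]:
    # Same procedures as a valid trace, but "read" is sent to "net" rather than "fs".
    alerts: List[Tuple[str, Window]] = []
    monitor = CallSequenceMonitor(build_valid_sequences(GOOD_TRACES, 3), 3,
                                  lambda proc, win: alerts.append((proc, win)))
    for m in [msg("open", "fs"), msg("read", "net"), msg("close", "fs")]:
        monitor.receive("proc-42", m)
    return alerts
```

The window length n and the choice of training traces decide the false-positive rate: a window that never appeared in training is flagged even if each call in it is individually legitimate.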

  • 3 Assignments