Anomaly alert system for cyber threat detection
4 Assignments
0 Petitions
Abstract
Disclosed herein is a method for use in detection of anomalous behavior of a device of a computer system. The method is arranged to be performed by a processing system. The method includes deriving values, m1, . . . , mN, of a metric, M, representative of data associated with the device; modeling a distribution of the values; and determining, in accordance with the distribution of the values, the probability of observing a more extreme value of the metric than a given value, m, of the metric, wherein the probability is used to determine whether the device is behaving anomalously. Also disclosed is an equivalent computer readable medium and anomalous behavior detection system.
32 Citations
20 Claims
1. A method for an anomalous behavior detection system having a mathematical model of what is considered to be normal behavior for a device in a computer system that is used in a detection of anomalous behavior of the device of the computer system, the method arranged to be performed by a processing system, the method comprising:
deriving values, m1, . . . , mN, of a metric, M, representative of data associated with the device; modelling a distribution of the values of the metric; determining, in accordance with the distribution of the values of the metric, a probability of observing a more extreme value of the metric than a given value, m, of the metric, wherein the probability and the distribution of the values of the metric are used by the mathematical model of what is considered to be normal behavior for that device to determine whether the device is behaving anomalously; determining, in accordance with the probability of observing the more extreme value, and a probabilistic model of the device, a posterior probability of the given value, m, being a result of anomalous behavior of the device, wherein the posterior probability is used to determine whether the device is behaving anomalously; determining posterior probabilities for a plurality of given values, mi, of a plurality of metrics, Mi, wherein the metrics, Mi, are representative of data associated with the device, where levels of anomalousness of values of the plurality of metrics for the device are combined to produce a measure of an overall posterior probability of the device being in an anomalous state; and in accordance with the posterior probabilities for the given values, mi, determining an overall posterior probability of the device being in the anomalous state, wherein the overall posterior probability is used to determine whether the device is behaving anomalously; wherein a combined posterior probability that the device is in an anomalous state, Pd(A), is given by - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
15. A method for an anomalous behavior detection system having a mathematical model of what is considered to be normal behavior for a device in a computer system that is used in a detection of anomalous behavior of the device of the computer system, the method arranged to be performed by a processing system, the method comprising:
deriving values, m1, . . . , mN, of a metric, M, representative of data associated with the device; modelling a distribution of the values of the metric; determining, in accordance with the distribution of the values of the metric, a probability of observing a more extreme value of the metric than a given value, m, of the metric, wherein the probability and the distribution of the values of the metric are used by the mathematical model of what is considered to be normal behavior for that device to determine whether the device is behaving anomalously, and determining, in accordance with the probability of observing the more extreme value, and the mathematical model of the device, a posterior probability of the given value, m, being the result of anomalous behavior of the device, wherein the posterior probability is used to determine whether the device is behaving anomalously, wherein the posterior probability that the given value m of the metric M is the result of anomalous behavior of the device, PM(A), is given by; - View Dependent Claims (16)
17. A method for an anomalous behavior detection system having a mathematical model of what is considered to be normal behavior for a device in a computer system that is used in a detection of anomalous behavior of the device of the computer system, the method arranged to be performed by a processing system, the method comprising:
deriving values, m1, . . . , mN, of a metric, M, representative of data associated with the device; modelling a distribution of the values of the metric; determining, in accordance with the distribution of the values of the metric, a probability of observing a more extreme value of the metric than a given value, m, of the metric, wherein the probability and the distribution of the values of the metric are used by the mathematical model of what is considered to be normal behavior for that device to determine whether the device is behaving anomalously, and determining, in accordance with the probability of observing the more extreme value, and the mathematical model of the device, a posterior probability of the given value, m, being the result of anomalous behavior of the device, wherein the posterior probability is used to determine whether the device is behaving anomalously, wherein the posterior probability that the given value m of the metric M is the result of anomalous behavior of the device, PM(A), is given by;
18. A method for an anomalous behavior detection system having a mathematical model of what is considered to be normal behavior for a device in a computer system that is used in a detection of anomalous behavior of the device of the computer system, the method arranged to be performed by a processing system, the method comprising:
deriving values, m1, . . . , mN, of a metric, M, representative of data associated with the device; modelling a distribution of the values of the metric; determining, in accordance with the distribution of the values of the metric, a probability of observing a more extreme value of the metric than a given value, m, of the metric, wherein the probability and the distribution of the values of the metric are used by the mathematical model of what is considered to be normal behavior for that device to determine whether the device is behaving anomalously; determining, in accordance with the probability of observing the more extreme value, and a probabilistic model of the device, a posterior probability of the given value, m, being a result of anomalous behavior of the device, wherein the posterior probability is used to determine whether the device is behaving anomalously; determining posterior probabilities for a plurality of given values, mi, of a plurality of metrics, Mi, wherein the metrics, Mi, are representative of data associated with the device, where levels of anomalousness of values of the plurality of metrics for the device are combined to produce a measure of an overall posterior probability of the device being in an anomalous state; in accordance with the posterior probabilities for the given values, mi, determining an overall posterior probability of the device being in the anomalous state, wherein the overall posterior probability is used to determine whether the device is behaving anomalously;
wherein the metrics, Mi, are assumed to be statistically dependent, the statistical dependencies modeled using copulas; and calculating transformed variables, z_1, . . . , z_n, wherein the transformed variables are such that
z_1, . . . , z_n = Φ^{-1}(P(M_1 > m_1)), . . . , Φ^{-1}(P(M_n > m_n)),
wherein Φ denotes the cumulative distribution function of the standard normal distribution and P(M_i > m_i) is the probability of observing a greater value than the given value, m_i; wherein a combined posterior probability that the device is in an anomalous state, Pd(A), is given by; - View Dependent Claims (19)
20. An anomalous behavior detection system, comprising a processor, an anomalous behavior detection system having a mathematical model of what is considered to be normal behavior for a first device in a computer system that is used in a detection of anomalous behavior of the first device of a computer system, and a non-transitory memory comprising computer readable code operable, which when executed by the processor that is configured to instruct a computing device to
derive values, m_1, . . . , m_N, of a metric, M, representative of data associated with the first device;
model a distribution of the values of the metric; determine, in accordance with the distribution of the values of the metric, a probability of observing a more extreme value of the metric than a given value, m, of the metric, wherein the probability and the distribution of the values of the metric are used by the mathematical model of what is considered to be normal behavior for the first device to determine whether the first device is behaving anomalously; maintain one or more mathematical models to build and maintain dynamic, ever-changing models of a normal behavior of each device monitored by the anomalous behavior detection system, based on a comparison of metrics associated with a corresponding device, where two or more devices, including the first device, are monitored by the anomalous behavior detection system, where the anomalous behavior detection system is configured to use the one or more mathematical models to determine whether each corresponding device is behaving anomalously; utilize an anomaly alert system that generates a notification when the first device is behaving anomalously, where the anomaly alert system is configured to rank an importance of different alerts being generated; determine, in accordance with the probability of observing the more extreme value, and a probabilistic model of the device, a posterior probability of the given value, m, being a result of anomalous behavior of the first device, wherein the posterior probability is used to determine whether the first device is behaving anomalously; determine posterior probabilities for a plurality of given values, mi, of a plurality of metrics, Mi, wherein the metrics, Mi, are representative of data associated with the first device, where levels of anomalousness of values of the plurality of metrics for the first device are combined to produce a measure of an overall posterior probability of the first device being in an anomalous state; in accordance with the posterior probabilities for the given values, mi, determine an overall posterior probability of the first device being in the anomalous state, wherein the overall posterior probability is used to determine whether the first device is behaving anomalously; and wherein a combined posterior probability that the first device is in an anomalous state, Pd(A), is given by;
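Worked example, added here and not the patent's own code: the page does not reproduce the expressions the claims say PM(A) and Pd(A) are "given by", so the Python below follows only the steps the claims recite for one device (fit a model of normal behaviour to m_1, . . . , m_N per metric, compute the tail probability P(M > m), turn it into a posterior with a Bayesian step, then combine metrics through the copula transform z_i = Φ^{-1}(P(M_i > m_i))) and fills the gaps with stand-ins that are marked as assumptions in the code: a normal marginal per metric, a Beta(a, 1) likelihood for the tail probability under anomalous behaviour, a Gaussian copula whose correlation matrix R is estimated from history and combined through the quadratic form z^T R^{-1} z against a chi-square reference, and a constructed 30-sample history of two correlated metrics.

```python
# Added example, not the patent's code; formulas marked "assumed" are stand-ins.
import math
import statistics
from statistics import NormalDist

STD_NORMAL = NormalDist()
EPS = 1e-12  # keep every p strictly inside (0, 1) so Phi^{-1} stays finite

def fit_marginal(history):
    """Model of normal behaviour for one metric from m_1..m_N.
    Assumed: a normal; any marginal with a survival function would do."""
    mu = statistics.fmean(history)
    sigma = max(statistics.stdev(history), 1e-9)
    return NormalDist(mu, sigma)

def tail_probability(marginal, m):
    """P(M > m): probability of observing a more extreme value than m."""
    p = 1.0 - marginal.cdf(m)
    return min(max(p, EPS), 1.0 - EPS)

def posterior_anomalous(p, prior=0.01, shape=0.1):
    """Bayes step with an assumed likelihood model: under normal behaviour the
    tail probability is Uniform(0, 1), density 1; under anomalous behaviour it
    is taken as Beta(shape, 1), density shape * p**(shape-1), massed near 0."""
    lik_anom = shape * p ** (shape - 1.0)
    return prior * lik_anom / (prior * lik_anom + (1.0 - prior))

def to_z(p):
    """Copula transform z = Phi^{-1}(P(M > m))."""
    return STD_NORMAL.inv_cdf(p)

def pearson(x, y):
    mx, my = statistics.fmean(x), statistics.fmean(y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / math.sqrt(sxx * syy)

def solve(a, b):
    """Gauss-Jordan elimination with partial pivoting: x such that a x = b."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[piv] = m[piv], m[c]
        for r in range(n):
            if r != c:
                f = m[r][c] / m[c][c]
                m[r] = [x - f * y for x, y in zip(m[r], m[c])]
    return [m[i][n] / m[i][i] for i in range(n)]

def chi2_sf(df, x):
    """P(chi^2_df > x) for integer df via the recurrence
    Q_{k+2}(x) = Q_k(x) + (x/2)^(k/2) e^(-x/2) / Gamma(k/2 + 1)."""
    k = 2 if df % 2 == 0 else 1
    q = math.exp(-x / 2) if k == 2 else math.erfc(math.sqrt(x / 2))
    while k < df:
        q += (x / 2) ** (k / 2) * math.exp(-x / 2) / math.gamma(k / 2 + 1)
        k += 2
    return q

def device_posterior(history_by_metric, observation, prior=0.01, shape=0.1):
    """Combined posterior P_d(A), assumed rule: p_i -> z_i, Gaussian copula with
    correlation R estimated from history, statistic z^T R^{-1} z (chi^2_n under
    normal behaviour), combined p-value, then the same Bayes step as per metric."""
    marginals = [fit_marginal(h) for h in history_by_metric]
    p = [tail_probability(mg, m) for mg, m in zip(marginals, observation)]
    z = [to_z(q) for q in p]
    hist_z = [[to_z(tail_probability(mg, m)) for m in h]
              for mg, h in zip(marginals, history_by_metric)]
    n = len(z)
    corr = [[1.0 if i == j else pearson(hist_z[i], hist_z[j])
             for j in range(n)] for i in range(n)]
    t = sum(zi * yi for zi, yi in zip(z, solve(corr, z)))
    p_comb = min(max(chi2_sf(n, t), EPS), 1.0 - EPS)
    return {"p": p, "z": z, "correlation": corr, "statistic": t,
            "per_metric_posterior": [posterior_anomalous(q, prior, shape) for q in p],
            "combined_p": p_comb,
            "device_posterior": posterior_anomalous(p_comb, prior, shape)}

# Constructed history (not real data): 30 one-minute samples of outbound KB/min
# and distinct destination IPs for one device, positively correlated by design.
BYTES_OUT = [120, 135, 128, 142, 150, 131, 125, 139, 147, 133, 129, 141, 152, 136, 124,
             138, 146, 130, 143, 137, 127, 149, 134, 140, 132, 144, 126, 138, 145, 131]
DEST_IPS = [10, 12, 11, 13, 14, 12, 10, 12, 14, 12, 11, 13, 14, 12, 10,
            12, 13, 11, 13, 12, 11, 14, 12, 13, 11, 13, 10, 12, 13, 11]

if __name__ == "__main__":
    for obs in [(136, 12), (150, 14), (150, 10), (400, 12)]:
        r = device_posterior([BYTES_OUT, DEST_IPS], obs)
        print(obs, [round(q, 4) for q in r["per_metric_posterior"]],
              round(r["device_posterior"], 4))
```

Running it prints per-metric and device-level posteriors for four constructed observations. The (150, 10) case is what the copula step exists for: each metric alone sits at the edge of its normal range and gets a small posterior, but high outbound volume together with a below-normal destination count contradicts the correlation the history shows, so the device-level posterior jumps while the per-metric posteriors stay small; (150, 14), which follows that correlation, stays quiet. Two caveats for anyone reusing this shape: the quadratic form is two-sided, so a value far below its usual range drives z positive and raises the statistic just as a value far above does (treat a metric's z one-sidedly before combining if only its upper tail matters), and the Beta(a, 1) likelihood and the prior are tuning knobs that set the false-positive rate, not quantities the claims fix.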
Specification