Method and system for detecting unusual events and application thereof in computer intrusion detection
Abstract
An automated decision engine is utilized to screen incoming alarms using a knowledge-base of decision rules. The decision rules are updated with the assistance of a data mining engine that analyzes historical data. “Normal” alarm events, sequences, or patterns generated by sensors under conditions not associated with unusual occurrences (such as intrusion attacks) are characterized and these characterizations are used to contrast normal conditions from abnormal conditions. By identifying frequent occurrences and characterizing them as “normal” it is possible to easily identify anomalies which would indicate a probable improper occurrence. This provides very accurate screening capability based on actual event data.
10 Claims
1. A computer-implemented method of processing events to detect the occurrence of unusual events, said method comprising the steps of:
    receiving a historical event data set;
    classifying all events in said historical event data set according to a context in which they occurred;
    performing pattern analysis on said historical event data set with context classifications to generate frequent event patterns;
    comparing said frequent event patterns to a current event data set and to their context classification to identify unexpected event occurrences or unexpected event absences in said current event data set; and
    outputting an unusual event indication whenever an unexpected event occurrence or unexpected event absence is identified.
    (Dependent claims: 2, 3, 4, 5)

6. A method of detecting unusual events, comprising the steps of:
    (A) characterizing each event stored in a historical data set based on one or more predetermined parameters;
    (B) performing association analysis on said historical data set based on the characterization of said events to identify frequent itemsets and association rules in the historical data set;
    (C) performing sequential pattern analysis to identify frequent event sequences in the historical data set;
    (D) detecting unexpected event occurrences and unexpected event absences in a current data set by comparing the identified frequent itemsets, association rules, and frequent event sequences with events occurring in said current data set; and
    (E) outputting an indication of an unusual event whenever an unexpected event occurrence or unexpected event absence is detected.

7. A method of detecting unusual events, comprising the steps of:
    classifying all events in said HDS according to a context in which they occurred;
    identifying commonly-occurring events in a historical data set (HDS) taking the context classifications into account;
    detecting unexpected event occurrences or unexpected event absences in a current data set (CDS) by comparing the identified commonly-occurring events, and their context classification, with events occurring in said CDS; and
    outputting an unusual event indication whenever an unexpected event occurrence or unexpected event absence is detected.
    (Dependent claims: 8, 9)

10. A method of detecting suspicious intrusions in a computer network, comprising the steps of:
    classifying all events in said historical data set according to a context in which they occurred;
    identifying commonly-occurring patterns of alarm events in a historical data set taking the context classifications into account;
    detecting unexpected alarm event occurrences and unexpected alarm event absences in a current data set by comparing the identified commonly-occurring patterns of alarm events, and their context classification, with alarm events occurring in said current data set; and
    outputting an indication of a suspicious intrusion whenever an unexpected alarm event occurrence or unexpected alarm event absence is detected.
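The pipeline described in the abstract and in claims 1 and 6 (context classification of a historical data set, association analysis for frequent itemsets and rules, sequential pattern analysis, and detection of both unexpected occurrences and unexpected absences in a current data set), as an added Python example. It is not the patent's own implementation: the constructed alarm data, the context scheme (weekday/weekend crossed with business/off-hours), the "one transaction per day and context" grouping, and all thresholds are assumptions made for this illustration.

```python
"""Context-aware unusual-event detection in the shape of the claims above.
Added example with constructed data; not the patent's own implementation."""
from collections import Counter, defaultdict
from itertools import combinations

# Thresholds are assumptions chosen for this toy data set.
MIN_SUPPORT = 0.6      # itemset / sequence counts as "frequent" in a context at this support
MIN_CONF = 0.9         # association rule confidence needed to keep a rule
ABSENCE_SUPPORT = 0.9  # an event this common in a context is expected every time
RARE_SUPPORT = 0.1     # an event below this support in a context is an unexpected occurrence

def context_of(day, hour):
    """Context classification: day type crossed with time-of-day band (assumed scheme)."""
    daytype = "weekend" if day % 7 in (6, 0) else "weekday"
    period = "business" if 9 <= hour < 18 else "offhours"
    return f"{daytype}/{period}"

def transactions(events):
    """One transaction per (day, context): the hour-ordered list of event types."""
    groups = defaultdict(list)
    for day, hour, etype in events:
        groups[(day, context_of(day, hour))].append((hour, etype))
    return {key: [e for _, e in sorted(v)] for key, v in groups.items()}

def follows(seq, a, b):
    """True if some b occurs after the first a in the ordered transaction."""
    return a in seq and b in seq[seq.index(a) + 1:]

def mine_patterns(hds):
    """Per context: item support, association rules from frequent 2-itemsets,
    and frequent ordered 2-sequences, all mined from the historical data set."""
    per_ctx = defaultdict(list)
    for (_, ctx), seq in transactions(hds).items():
        per_ctx[ctx].append(seq)
    model = {}
    for ctx, seqs in per_ctx.items():
        n = len(seqs)
        item_cnt, pair_cnt, seq_cnt = Counter(), Counter(), Counter()
        for seq in seqs:
            items = set(seq)
            item_cnt.update(items)
            pair_cnt.update(frozenset(p) for p in combinations(items, 2))
            seq_cnt.update((a, b) for a in items for b in items if a != b and follows(seq, a, b))
        support = {e: c / n for e, c in item_cnt.items()}
        rules = {}
        for pair, c in pair_cnt.items():
            if c / n < MIN_SUPPORT:          # only frequent itemsets yield rules
                continue
            a, b = tuple(pair)
            for x, y in ((a, b), (b, a)):    # rule x -> y with confidence supp(xy) / supp(x)
                conf = (c / n) / support[x]
                if conf >= MIN_CONF:
                    rules[(x, y)] = conf
        sequences = {s for s, c in seq_cnt.items() if c / n >= MIN_SUPPORT}
        model[ctx] = {"support": support, "rules": rules, "sequences": sequences}
    return model

def detect(model, cds):
    """Compare each current transaction with its context's mined patterns and
    return (day, context, kind, detail) indications."""
    findings = []
    for (day, ctx), seq in sorted(transactions(cds).items()):
        m = model.get(ctx)
        if m is None:                                   # no history for this context
            findings.append((day, ctx, "unknown context", None))
            continue
        present = set(seq)
        for e in sorted(present):                       # unexpected occurrence
            if m["support"].get(e, 0.0) < RARE_SUPPORT:
                findings.append((day, ctx, "unexpected occurrence", e))
        for e, sup in sorted(m["support"].items()):     # unexpected absence
            if sup >= ABSENCE_SUPPORT and e not in present:
                findings.append((day, ctx, "unexpected absence", e))
        for a, b in sorted(m["rules"]):                 # antecedent seen, consequent missing
            if a in present and b not in present:
                findings.append((day, ctx, "rule violated", f"{a} -> {b}"))
        for a, b in sorted(m["sequences"]):             # a seen, but b never followed it
            if a in present and not follows(seq, a, b):
                findings.append((day, ctx, "sequence broken", f"{a} then {b}"))
    return findings

# Constructed sample alarm data: (day, hour, event_type). Days 6, 7, 13, 14 are weekends.
HDS = []
for day in range(1, 15):
    HDS += [(day, 2, "backup_start"), (day, 3, "backup_done")]  # nightly backup every day
    if day % 7 in (6, 0):
        HDS.append((day, 12, "av_update"))
    else:
        HDS.append((day, 10, "av_update"))
        if day % 3 != 0:                                         # login failures on 7 of 10 weekdays
            HDS.append((day, 11, "login_fail"))

CDS = [
    (15, 2, "backup_start"), (15, 3, "config_change"),           # backup never completes; odd event
    (15, 10, "av_update"), (15, 11, "login_fail"),               # normal weekday business hours
    (20, 2, "backup_start"), (20, 3, "backup_done"),
    (20, 12, "av_update"), (20, 13, "login_fail"),               # login failures on a weekend
]

if __name__ == "__main__":
    for finding in detect(mine_patterns(HDS), CDS):
        print(*finding)
```

On the constructed data the detector reports the missing backup completion on day 15 three ways (as an absent frequent item, a violated rule and a broken sequence), the never-seen `config_change` event as an unexpected occurrence, and the weekend `login_fail` as unexpected because that event has no support in the weekend/business context even though it is ordinary on weekdays. Mining per context is what makes the last case visible; a single global frequency table would consider `login_fail` normal everywhere.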
Specification