Method and system for establishing normal software system behavior and departures from normal behavior
7 Assignments
0 Petitions
Abstract
Detecting abnormal activity of a software system is based on behavioral information obtained from an instrumented computer program while it executes. As the program executes, it expresses information about the sequence and frequency with which program modules are called. Over time, this sequence and frequency defines the normal behavior of the program, and the information expressed on any given run is compared to this normal behavior. Statistical analysis of the differences between the normal behavior and the current run can be used to detect unauthorized or abusive use of the program. Program modules whose behavior is highly correlated can be grouped into a smaller number of virtual modules. Comparison between current and normal program behavior can then be made on the (smaller number of) virtual modules, thereby reducing the dimensionality of the problem of analyzing the differences between current and normal program behavior.
70 Claims
1. A method for detecting an anomalous operation of a computer system that executes a plurality of program modules, the method comprising:
(a) monitoring transitions between and among defined points within an internal operating environment on the computer system and producing program execution trace data;
(b) comparing the program execution trace data with data indicative of a nominal operation of the computer system; and
(c) identifying an anomalous operation of the computer system based on the result of the comparison.
Dependent claims: 2 to 34.
35. A method for detecting an anomalous operation of a computer system that comprises a plurality of program modules, the method comprising:
(a) monitoring transitions between and among instrumentation points within an operating environment on the computer system, wherein said monitoring is performed by employing signals obtained from instrumented code in the program modules;
(b) providing program instrumentation trace data representative of the transitions between and among program modules within a time frame;
(c) identifying a relatively small set of virtual execution domains whose activity is substantially uncorrelated, and using this information to reduce the amount of trace data needed to detect anomalous activity;
(d) comparing the reduced amount of trace data with predefined data indicative of a nominal operation of the computer system; and
(e) identifying an anomalous operation of the computer system based on the result of the comparison.
Dependent claims: 36 to 43.
44. A computer system, comprising:
(a) a plurality of program modules;
(b) monitoring means for monitoring transitions between and among defined points within the program modules, wherein said monitoring is performed by employing signals obtained from instrumented code in the program modules, and for providing trace data representative of the transitions between or among program modules within a time frame;
(c) means for identifying a relatively small set of virtual execution domains whose activity is substantially uncorrelated, and using this information to reduce the amount of trace data needed to detect anomalous activity;
(d) means for comparing the reduced amount of trace data with predefined data indicative of a nominal operation of the computer system; and
(e) means for identifying an anomalous operation of the computer system based on the result of the comparison.
Dependent claims: 45 to 57.
58. A method for evaluating the behavior of a computer program, the computer program comprising a plurality of program modules, the method comprising:
associating each of the program modules with one of a plurality of virtual modules;
generating first data indicative of the normal behavior of the computer program, the first data comprising, for each pair of program modules (a,b), a value indicative of the correlation between the occurrence of invoking program module a and the occurrence of invoking program module b;
based on an execution of the computer program, generating second data indicative of the behavior of the computer program during said execution, said second data comprising, for each pair of program modules (a,b), a value indicative of the correlation between the occurrence of invoking program module a and the occurrence of invoking program module b;
comparing said first data with said second data by comparing the value in the first data associated with a pair of program modules (m1,m2) with the value in the second data associated with the same pair of program modules (m1,m2), wherein m1 and m2 are associated with the same virtual module; and
determining whether the computer program exhibited normal behavior during said execution based on the result of said comparing act.
Dependent claims: 59 to 70.
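The scheme the abstract and claim 58 describe (instrumented modules emit call events, per-frame invocation frequencies form a nominal profile, highly correlated modules collapse into virtual modules, and a run is judged by its departure from the profile) as an added worked example. This is illustrative code written for this page, not code from the patent or its assignee. The module names, the request shapes that generate the call traces, the frame length of 18 calls, the greedy grouping at correlation 0.9, the floor on the standard deviation and the z-score limit of 3 are all constructed assumptions; the patent does not specify these values.

```python
"""Module-call profiling with virtual modules (illustrative, not the patent's code).
Module names, request shapes, traces and thresholds below are constructed."""
from collections import Counter
from itertools import combinations
from statistics import mean, pstdev

# Instrumented program modules (constructed); each call emits the module's name.
MODULES = ["parse", "auth", "query", "render", "validate", "write", "log", "admin_reset"]

# Constructed request shapes: the module calls one request of each kind produces.
REQUESTS = {
    "A": ["parse", "auth", "query", "render", "render", "log"],            # read
    "B": ["parse", "auth", "validate", "write", "write", "log"],           # write
    "X": ["parse", "auth", "admin_reset", "admin_reset", "write", "log"],  # abusive path
    "Q": ["parse", "auth", "query", "query", "query", "log"],              # query flood
}
FRAME_LEN = 18  # one time frame = 3 requests of 6 calls (frames align with requests by construction)
MIN_STD = 0.5   # floor so a module that never fired in training still yields a finite z-score
Z_LIMIT = 3.0   # assumed departure beyond which a frame is called anomalous


def trace_for(kinds):
    """Flatten a string of request kinds into the call trace instrumentation would emit."""
    return [m for k in kinds for m in REQUESTS[k]]


def frame_vectors(trace):
    """Per time frame, a vector of invocation counts per module (the frequency profile)."""
    vecs = []
    for i in range(0, len(trace) - FRAME_LEN + 1, FRAME_LEN):
        counts = Counter(trace[i:i + FRAME_LEN])
        vecs.append([counts[m] for m in MODULES])
    return vecs


def pearson(xs, ys):
    """Population Pearson correlation; 0.0 when either series is constant."""
    sx, sy = pstdev(xs), pstdev(ys)
    if sx == 0 or sy == 0:
        return 0.0
    mx, my = mean(xs), mean(ys)
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / (len(xs) * sx * sy)


def correlation_matrix(vecs):
    """Correlation of invocation counts for every module pair across frames (claim 58's 'first data')."""
    cols = dict(zip(MODULES, zip(*vecs)))
    corr = {}
    for a, b in combinations(MODULES, 2):
        corr[(a, b)] = corr[(b, a)] = pearson(cols[a], cols[b])
    return corr


def virtual_modules(corr, threshold=0.9):
    """Greedy grouping: each unassigned module seeds a virtual module and absorbs the
    unassigned modules whose counts correlate with it at or above the threshold."""
    groups, assigned = [], set()
    for seed in MODULES:
        if seed in assigned:
            continue
        group, assigned = [seed], assigned | {seed}
        for other in MODULES:
            if other not in assigned and corr[(seed, other)] >= threshold:
                group.append(other)
                assigned.add(other)
        groups.append(group)
    return groups


def reduce_vector(vec, groups):
    """Collapse a per-module count vector onto the virtual modules (sum of member counts)."""
    idx = {m: i for i, m in enumerate(MODULES)}
    return [sum(vec[idx[m]] for m in g) for g in groups]


def build_baseline(nominal_vecs, groups):
    """Nominal profile: mean and spread of each virtual module's per-frame count."""
    reduced = [reduce_vector(v, groups) for v in nominal_vecs]
    return [(mean(col), pstdev(col)) for col in zip(*reduced)]


def score_run(trace, groups, baseline):
    """Largest z-score of any virtual module in any frame of the run against the baseline."""
    worst = 0.0
    for vec in frame_vectors(trace):
        for x, (mu, sd) in zip(reduce_vector(vec, groups), baseline):
            worst = max(worst, abs(x - mu) / max(sd, MIN_STD))
    return worst


def is_anomalous(trace, groups, baseline):
    return score_run(trace, groups, baseline) > Z_LIMIT


# Training: 8 nominal frames with a varying read/write mix (constructed).
NOMINAL_KINDS = "AABABBAABBBAAAAABBABABAB"
NOMINAL_FRAMES = frame_vectors(trace_for(NOMINAL_KINDS))
GROUPS = virtual_modules(correlation_matrix(NOMINAL_FRAMES))  # 8 modules -> 6 virtual modules
BASELINE = build_baseline(NOMINAL_FRAMES, GROUPS)
SINGLETONS = [[m] for m in MODULES]                           # no reduction, for comparison
FULL_BASELINE = build_baseline(NOMINAL_FRAMES, SINGLETONS)

if __name__ == "__main__":
    print("virtual modules:", GROUPS)
    for label, kinds in [("nominal", "ABABAB"), ("admin_reset abuse", "AAX"), ("query flood", "QQQ")]:
        t = trace_for(kinds)
        print(f"{label:18s} reduced z={score_run(t, GROUPS, BASELINE):.2f}  "
              f"per-module z={score_run(t, SINGLETONS, FULL_BASELINE):.2f}")
```

In the constructed training data, query and render always move together, as do validate and write, so the correlation grouping folds eight modules into six virtual modules; parse, auth and log are constant per frame and therefore correlate with nothing. A run that exercises admin_reset, which never fired in training, exceeds the limit on the reduced profile alone. The query-flood run shows the caveat a practitioner should expect from dimensionality reduction: the query+render total stays within range even though query alone is far outside its nominal frequency, so the reduced comparison misses it while the per-module comparison flags it. That is the gap claim 58 addresses by comparing the pairwise correlation of modules within the same virtual module between the nominal profile and the current run, rather than only the virtual module's aggregate count.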