Synthesis of anomalous data to create artificial feature sets and use of same in computer network intrusion detection systems

US 20040225627A1
Filed: 06/14/2004
Published: 11/11/2004
Est. Priority Date: 10/25/1999
Status: Active Grant

First Claim

Patent Images

1. A method of synthesizing anomalous data for creating an artificial set of features reflecting anomalous behavior for a particular activity, the method comprising:

selecting a feature;

retrieving a plurality of normal-feature values associated with the feature;

defining a first distribution of users of normal feature values;

defining an expected second distribution of users of anomalous feature values; and

producing a plurality of anomalous-behavior feature values for the feature.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Detecting harmful or illegal intrusions into a computer network or into restricted portions of a computer network uses a process of synthesizing anomalous data to be used in training a neural network-based model for use in a computer network intrusion detection system. Anomalous data for artificially creating a set of features reflecting anomalous behavior for a particular activity is performed. This is done in conjunction with the creation of normal-behavior feature values. A distribution of users of normal feature values and an expected distribution of users of anomalous feature values are then defined in the form of histograms. The anomalous-feature histogram is then sampled to produce anomalous-behavior feature values. These values are then used to train a model having a neural network training algorithm where the model is used in the computer network intrusion detection system. The model is trained such that it can efficiently recognize anomalous behavior by users in a dynamic computing environment where user behavior can change frequently.

Citations

15 Claims

1. A method of synthesizing anomalous data for creating an artificial set of features reflecting anomalous behavior for a particular activity, the method comprising:
- selecting a feature;
  
  retrieving a plurality of normal-feature values associated with the feature;
  
  defining a first distribution of users of normal feature values;
  
  defining an expected second distribution of users of anomalous feature values; and
  
  producing a plurality of anomalous-behavior feature values for the feature.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. A method as recited in claim 1 wherein the feature is selected from a list of features.
  - 3. A method as recited in claim 1 wherein the plurality of normal feature values reflects predominantly normal behavior.
  - 4. A method as recited in claim 1 wherein the plurality of normal feature values is computed over a predetermined time period.
  - 5. A method as recited in claim 1 wherein the plurality of normal feature values corresponds to a plurality of users on a computer system.
  - 6. A method as recited in claim 1 wherein defining a first distribution of users further comprises defining a normal-behavior histogram indicating the first distribution of users.
  - 7. A method as recited in claim 6 wherein the normal feature values are normalized to define the normal-behavior histogram.
  - 8. A method as recited in claim 1 wherein defining an expected second distribution of users of anomalous feature values further includes determining whether the activity corresponding to the anomalous feature values would be performed one of less frequently and more frequently.
  - 9. A method as recited in claim 1 wherein defining an expected second distribution of users further comprises defining an anomalous-behavior histogram indicating an expected second distribution of users.
  - 10. A method as recited in claim 9 wherein producing a plurality of anomalous feature values further including sampling the anomalous-behavior histogram.
  - 11. A method as recited in claim 1 further including storing the plurality of anomalous-behavior feature values.
  - 12. A method as recited in claim 2 further comprising producing a plurality of anomalous-behavior feature values for each feature in the list of features thereby creating a set of plurality of anomalous-behavior feature values.
  - 13. A method as recited in claim 6 wherein the normal-behavior histogram has a high distribution of users around the center and a lower distribution of users near the ends.
  - 14. A method as recited in claim 9 wherein the anomalous-behavior histogram has a high distribution of users near one of the ends and a low distribution of users near the center.
  - 15. A method as recited in claim 12 further comprising deriving an anomalous features list from the set of plurality of anomalous-behavior feature values.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Visa International Service Association (Visa, Inc.)
Original Assignee
Visa International Service Association (Visa, Inc.)
Inventors
Diep, Thanh A., Botros, Sherif M., Izenson, Martin D.

Granted Patent

US 8,527,776 B2
Time in Patent Office

Days
Field of Search
US Class Current

706/16
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/1416   Event detection, e.g. attac...

Synthesis of anomalous data to create artificial feature sets and use of same in computer network intrusion detection systems

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Synthesis of anomalous data to create artificial feature sets and use of same in computer network intrusion detection systems

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links