Runtime thresholds for behavior detection
Abstract
A computer based method and system for detecting behaviors from patterns of data where sets of thresholds and ranges used within detection scenarios can be created and applied while the system is in active operation. Data is received from at least one source, and an application environment is determined. A scenario including one or more parameterized patterns indicative of one or more behaviors is retrieved. One or more sets of parameters applicable to the one or more parameterized patterns are also retrieved. A parameter set is selected based on the application environment, and a dataset including a portion of the received data, one or more events, and one or more entities is formed. Detection processing is then performed by detecting one or more matches between the dataset and the parameterized patterns using the selected parameter set.
14 Claims
1. A computer based method for detecting a behavior, the method comprising:
receiving data from at least one source;
determining an application environment corresponding to the data;
retrieving a scenario, wherein the scenario comprises one or more parameterized patterns indicative of one or more behaviors;
retrieving one or more parameter sets applicable to the one or more parameterized patterns, wherein each parameter set comprises one or more parameters;
selecting one of the one or more parameter sets based on the application environment;
forming a dataset, wherein the dataset includes a portion of the received data, one or more events and one or more entities; and
detecting one or more matches between the dataset and the one or more parameterized patterns with the selected parameter set. (Dependent claims: 2, 3, 4, 5)
6. A computer readable medium embodying program instructions for detecting a behavior, the computer readable medium comprising instructions for:
receiving data from at least one source;
determining an application environment corresponding to the data;
retrieving a scenario, wherein the scenario comprises one or more parameterized patterns indicative of one or more behaviors;
retrieving one or more parameter sets applicable to the one or more parameterized patterns, wherein each parameter set comprises one or more parameters;
selecting one of the one or more parameter sets based on the application environment;
forming a dataset, wherein the dataset includes a portion of the received data, one or more events and one or more entities; and
detecting one or more matches between the dataset and the one or more parameterized patterns with the selected parameter set. (Dependent claims: 7, 8, 9, 10)
11. A system for detecting a behavior, the system comprising:
a processor having circuitry to execute instructions;
a communications interface, in communication with the processor, for receiving data from at least one source;
a memory, in communication with the processor, for storing instructions for:
determining an application environment corresponding to the data;
retrieving a scenario, wherein the scenario comprises one or more parameterized patterns indicative of one or more behaviors;
retrieving one or more parameter sets applicable to the one or more parameterized patterns, wherein each parameter set comprises one or more parameters;
selecting one of the one or more parameter sets based on the application environment;
forming a dataset, wherein the dataset includes a portion of the received data, one or more events and one or more entities; and
detecting one or more matches between the dataset and the one or more parameterized patterns with the selected parameter set.
12. A method for configuring parameter sets for detection scenarios, the method comprising:
retrieving a base parameter set comprising one or more parameters for use in a detection scenario and a default value for each parameter;
generating one or more derived parameter sets, wherein each derived parameter set includes at least one parameter from the base parameter set;
setting at least one parameter in each derived parameter set to a value different than the default value for the corresponding parameter in the base parameter set; and
specifying, for each derived parameter set, an application environment to which the derived parameter set applies. (Dependent claims: 13, 14)
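The following Python sketch is an added illustration, not code from the patent, of how claims 1 and 12 fit together: a base parameter set carries default thresholds, derived sets override at least one value for a named application environment, the set is selected by environment at detection time, and a parameterized "burst" pattern is matched against a constructed event stream. The event kinds, threshold values and environment names are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Event:
    entity: str  # e.g. an account or host identifier (assumed)
    kind: str    # e.g. "login_failure" (assumed)
    ts: int      # seconds; constructed values below

@dataclass(frozen=True)
class ParameterSet:
    name: str
    environment: Optional[str]  # None marks the base (default) set
    values: dict

def derive(base, name, environment, overrides):
    """Claim 12: keep the base parameters, override at least one value,
    and name the application environment the derived set applies to."""
    return ParameterSet(name, environment, {**base.values, **overrides})

def select_parameter_set(sets, environment):
    """Claim 1: choose the set for this environment, else fall back to the base set."""
    for ps in sets:
        if ps.environment == environment:
            return ps
    return next(ps for ps in sets if ps.environment is None)

def burst_pattern(events, p):
    """Parameterized pattern: at least p['min_count'] events of p['kind'] from one
    entity within p['window_s'] seconds. Returns (entity, start_ts, count) matches."""
    by_entity = {}  # the dataset: filtered events grouped by entity
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == p["kind"]:
            by_entity.setdefault(e.entity, []).append(e.ts)
    matches = []
    for entity, times in by_entity.items():
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= p["window_s"])
            if count >= p["min_count"]:
                matches.append((entity, start, count))
                break  # first qualifying window per entity is enough here
    return matches

def detect(events, environment, sets):
    """Claim 1 end to end: pick the parameter set for the environment, then match."""
    return burst_pattern(events, select_parameter_set(sets, environment).values)

# Constructed sample: one event stream, evaluated under different environments.
BASE = ParameterSet("base", None, {"kind": "login_failure", "min_count": 5, "window_s": 60})
SETS = [BASE, derive(BASE, "strict", "internet_banking", {"min_count": 3, "window_s": 30})]
SAMPLE = [Event("acct-42", "login_failure", t) for t in (0, 10, 20)] + [Event("acct-42", "login_ok", 25)]
```

Appending a new derived set to `SETS` while the pattern code is unchanged is the "applied while in active operation" behaviour the abstract describes.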