Instance based learning framework for effective behavior profiling and anomaly intrusion detection
Abstract
Intruders into a computer are detected by capturing historical data input into the computer by a user during a training mode, by profiling the historical data during the training mode to identify normal behavior, by capturing test data input by the user into the computer during an operational mode, by comparing the test data with the profiled historical data in accordance with a predetermined similarity metric during the operational mode to produce similarity results, and by evaluating the similarity results during the operational mode to identify abnormal data.
29 Claims
1. A computer implemented method for detecting intruders into a computer comprising:
- capturing historical data input into the computer by a user during a training mode;
- profiling the historical data during the training mode to identify normal behavior;
- capturing test data input by the user into the computer during an operational mode;
- comparing the test data with the profiled historical data in accordance with a predetermined similarity metric during the operational mode to produce similarity results; and
- evaluating the similarity results during the operational mode to identify abnormal data.
Dependent claims: 2 to 15.
16. A computer implemented method for detecting intruders into a computer system comprising:
- establishing clusters of training data input into the computer system by a user during a training mode, wherein each cluster includes a representative instance, a frequency associated with the representative instance, and pointers that point to a list of non-representative instances whose similarity scores with the representative instance are above a predetermined threshold, and wherein the similarity scores are based on a predetermined similarity metric;
- comparing test data with the representative instances of the clusters in accordance with the predetermined similarity metric during an operational mode to produce similarity results, wherein the test data is input by the user into the computer system; and
- evaluating the similarity results during the operational mode to identify intrusions.
Dependent claims: 17 to 23.
24. A computer implemented method for detecting intruders into a computer system comprising:
- capturing first data input into the computer system;
- establishing clusters of the first data, wherein each cluster includes a representative instance, a frequency associated with the representative instance, and pointers that point to a list of non-representative instances whose similarity scores with the representative instance are within a predetermined range, and wherein the similarity scores are based on a predetermined similarity metric;
- capturing second data input into the computer system;
- comparing the second data with the representative instances in accordance with the predetermined similarity metric to produce similarity results; and
- evaluating the similarity results to identify abnormal data.
Dependent claims: 25 to 29.
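As an added illustration, not text or code from the patent, the following sketch has the shape of claims 16 and 24: training instances are grouped into clusters, each holding a representative instance, a frequency and the list of non-representative members whose similarity to the representative clears the threshold, and test data is compared only against the representatives. The tokenized command sessions, the Jaccard metric and the 0.5 threshold are constructed assumptions; the claims specify only "a predetermined similarity metric" and "a predetermined threshold".

```python
# Added example: instance-based behaviour profile in the shape of claims 16 and 24.
# Instances, metric and threshold below are constructed assumptions, not from the patent.
from dataclasses import dataclass, field

TRAINING = [  # constructed sample data: one tokenized user session per instance
    ("ls", "cd", "vim", "make", "git"),
    ("ls", "cd", "vim", "make"),
    ("git", "status", "git", "diff", "vim"),
    ("cd", "ls", "vim", "make", "git"),
    ("ls", "cat", "less", "cd"),
]
TEST = [
    ("cd", "vim", "make"),             # resembles the user's usual edit/build sessions
    ("dd", "mkfs", "mount", "fdisk"),  # unlike anything seen during training
]
THRESHOLD = 0.5  # the "predetermined threshold" of claim 16 (assumed value)

def similarity(a, b):
    """Assumed metric: Jaccard similarity of the two token sets, in [0, 1]."""
    sa, sb = set(a), set(b)
    return len(sa & sb) / len(sa | sb) if sa or sb else 1.0

@dataclass
class Cluster:
    representative: tuple  # the instance that test data is compared against
    frequency: int = 1     # number of training instances filed under this cluster
    members: list = field(default_factory=list)  # non-representative instances above threshold

def build_profile(training, threshold):
    """Training mode: file each instance under the first cluster whose representative it
    resembles closely enough; otherwise it becomes the representative of a new cluster."""
    clusters = []
    for inst in training:
        for c in clusters:
            if similarity(inst, c.representative) >= threshold:
                c.frequency += 1
                c.members.append(inst)
                break
        else:
            clusters.append(Cluster(representative=inst))
    return clusters

def score(profile, inst):
    """Operational mode: compare against the representatives only, not every stored instance."""
    return max(similarity(inst, c.representative) for c in profile)

def detect(profile, test, threshold):
    """Flag test instances whose best similarity to any representative is below the threshold."""
    return [inst for inst in test if score(profile, inst) < threshold]

PROFILE = build_profile(TRAINING, THRESHOLD)
```

With the constructed data the five training sessions collapse into three clusters, and only the second test session is flagged.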
Specification