METHOD FOR EVOLVING DETECTORS TO DETECT MALIGN BEHAVIOR IN AN ARTIFICIAL IMMUNE SYSTEM

US 20070168484A1
Filed: 09/18/2006
Published: 07/19/2007
Est. Priority Date: 09/23/2005
Status: Active Grant

First Claim

Patent Images

1. A network device for detecting an unauthorized client software activity, comprising:

a transceiver to send and receive data over the network; and

a processor that is operative to perform actions, including;

generating a detector, wherein the detector is a sequence of computer system calls;

determining, for the detector, an initial matching value and expectation value;

comparing the detector to logged fragments of computer system calls associated with a computing process, and based on the comparison revising the matching value for the detector;

if the revised matching value of the detector is equal to or greater than the detector'"'"'s expectation value, evolving at least one child detector based on the detector, modifying the detector'"'"'s expectation value, and modifying at least one child detector'"'"'s expectation value and matching value based on another comparison to the logged fragments of the computer system calls; and

if an expectation value for the detector or the at least one child detector exceeds a threshold value, evaluating that detector to determine if an unauthorized activity is detected.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, apparatus, and method are directed to evolving detectors in an Artificial Immune System for use in detecting unauthorized computing activities. In one embodiment, a population of detectors is generated with a matching value and expectation value of zero. The detectors are then compared to logged fragments of system calls within a computing device to modify the matching value. When the matching value for a given detector is equal to or greater than an expectation value, the detector'"'"'s expectation value may be set to the matching value. The detectors may then evolve and/or generate other detectors using mutation, and/or recombination, or the like. Detectors continue to generate and/or to evolve until a detector'"'"'s matching value reaches a determined value, in which case, the detector may be evaluated to determine if an unauthorized activity is detected. If an unauthorized activity is detected, a detection response may be performed.

110 Citations

View as Search Results

20 Claims

1. A network device for detecting an unauthorized client software activity, comprising:
- a transceiver to send and receive data over the network; and
  
  a processor that is operative to perform actions, including;
  
  generating a detector, wherein the detector is a sequence of computer system calls;
  
  determining, for the detector, an initial matching value and expectation value;
  
  comparing the detector to logged fragments of computer system calls associated with a computing process, and based on the comparison revising the matching value for the detector;
  
  if the revised matching value of the detector is equal to or greater than the detector'"'"'s expectation value, evolving at least one child detector based on the detector, modifying the detector'"'"'s expectation value, and modifying at least one child detector'"'"'s expectation value and matching value based on another comparison to the logged fragments of the computer system calls; and
  
  if an expectation value for the detector or the at least one child detector exceeds a threshold value, evaluating that detector to determine if an unauthorized activity is detected.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The network device of claim 1, wherein evolving the at least one child detector further comprises performing at least one of a combination of the detector with another detector to generate the at least one child detector, or mutating the detector to generate the at least one child detector.
  - 3. The network device of claim 1, wherein evaluating that detector to determine if an unauthorized activity is detected further comprises sending that detector to another network device, wherein the evaluation is performed by the other network device.
  - 4. The network device of claim 1, wherein the processor is operative to perform actions, further comprising:
    - if a matching value for the detector or the at least one child detector is below an expectation value, determining whether to delete that detector or child detector.
  - 5. The network device of claim 1, wherein evaluating that detector to determine if an unauthorized activity is detected, further comprises, evaluating that detector against a self database to determine if the detector indicates a self or non-self status.
  - 6. The network device of claim 1, wherein evolving at least one child detector based on the detector further comprises generating the at least one child detector, wherein for each child detector associating an initial matching value of zero with the generated child detector, and an initial expectation value based on the expectation value of the detector.
  - 7. The network device of claim 1, wherein revising the matching value for the detector further comprises, revising the matching value based on a percentage of the detector that matches a fragment of the computer system calls associated with the computing process.

8. A method for detecting an unauthorized client software activity, comprising:
- generating a plurality of detectors, wherein each detector is a different sequence of computer system calls, and wherein each detector is assigned an initial matching value and expectation value;
  
  comparing each detector to at least one fragment of sequences of computer system calls associated with a computing process, and based on the comparison revising the matching value for each of the detectors;
  
  if a revised matching value for one of the detectors is equal to or greater than that detector'"'"'s expectation value, evolving at least one child detector based in part on that detector, modifying that detector'"'"'s expectation value, and modifying at least one child detector'"'"'s expectation value and matching value based on a comparison to the at least one fragment of sequences; and
  
  if an expectation value for a detector in the plurality of detectors or the at least one child detector exceeds a threshold value, evaluating that detector or child detector to determine if an unauthorized activity is detected.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8, wherein evolving the at least one child detector further comprises combining that detector with at least another one of the plurality of detectors to generate the at least one child detector.
  - 10. The method of claim 8, wherein evolving the at least one child detector further comprises randomly changing at least one computer system call in that detector'"'"'s sequence of computer system calls to generate the at least one child detector.
  - 11. The method of claim 8, further comprising:
    - if a matching value for a detector in the plurality of detectors or the at least one child detector is below an expectation value, determining whether to delete that detector or child detector.
  - 12. The method of claim 8, wherein evolving at least one child detector based in part on that detector further comprises:
    - determining an initial expectation value for the at least one child detector based in part on the expectation value associated with that detector.
  - 13. A modulated data signal configured to include program instructions for performing the method of claim 8.

14. A system for detecting an unauthorized computing activity, comprising:
- a server that is operative to perform actions, including;
  
  generating a plurality of detectors, wherein each detector is a different sequence of computer system calls, and wherein each detector is assigned an initial matching value and expectation value; and
  
  sending the plurality of detectors over a network;
  
  a client device that is operative to perform actions, including;
  
  receiving the plurality of detectors;
  
  comparing each detector to at least one fragment of sequences of computer system calls associated with the computing activity, and based on the comparison revising the matching value for each of the detectors;
  
  if a revised matching value for one of the detectors is equal to or greater than that detector'"'"'s expectation value, evolving at least one child detector based in part on that detector, modifying that detector'"'"'s expectation value, and modifying at least one child detector'"'"'s expectation value and matching value based on a comparison to the at least one fragment of sequences; and
  
  if an expectation value for a detector in the plurality of detectors or the at least one child detector exceeds a threshold value, sending that detector or child detector to the server, wherein that detector or child detector is evaluated to determine if an unauthorized activity is detected on the client device.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The system of claim 14, wherein the client device is operative to perform actions, further comprising:
    - if a matching value for one of the detectors or the at least one child detector is below an expectation value, determining whether to delete that detector or child detector.
  - 16. The system of claim 14, wherein evaluating that detector or child detector, further comprises, evaluating that detector or child detector against a self database to determine if the detector indicates a self or non-self status.
  - 17. The system of claim 14, wherein evolving the at least one child detector further comprises performing at least one of a combination or mutation of that detector.
  - 18. The system of claim 14, wherein the client device is operative to perform actions, further comprising:
    - if a matching value for a detector in the plurality of detectors or the at least one child detector is below an expectation value, deleting that detector or child detector.
  - 19. The system of claim 14, wherein generating a plurality of detectors further comprises generating at least one detector in the plurality based on at least one of a random sequence of computer system calls, or generating at least one detector in the plurality based on a known pattern of computer system calls.

20. An apparatus for detecting an unauthorized process activity, comprising:
- means for generating a detector having an initial matching value and initial expectation value, and wherein the detector is a sequence of computer system calls;
  
  means for revising the matching value and expectation value for the detector based on a characteristic of a client process;
  
  means for generating another detector based on the detector and the detector'"'"'s matching value and expectation value, wherein a matching value and expectation value is associated with the other detector; and
  
  means for performing a hill-climb of the detector'"'"'s and the other detector'"'"'s matching values, until one of the matching values satisfy a threshold value, then means for determining from the detector or the other detector if an unauthorized activity is detected by the client process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Widevine Technologies Incorporated (Alphabet Inc.)
Inventors
Midwinter, Wendy, Koelle, Katharina

Granted Patent

US 8,065,733 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/223
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/56   Computer malware detection ...

G06N 3/126   Evolutionary algorithms, e....

H04L 63/1408   by monitoring network traff...

METHOD FOR EVOLVING DETECTORS TO DETECT MALIGN BEHAVIOR IN AN ARTIFICIAL IMMUNE SYSTEM

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

110 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD FOR EVOLVING DETECTORS TO DETECT MALIGN BEHAVIOR IN AN ARTIFICIAL IMMUNE SYSTEM

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

110 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links