METHOD FOR EVOLVING DETECTORS TO DETECT MALIGN BEHAVIOR IN AN ARTIFICIAL IMMUNE SYSTEM
Abstract
A system, apparatus, and method are directed to evolving detectors in an Artificial Immune System for use in detecting unauthorized computing activities. In one embodiment, a population of detectors is generated with a matching value and expectation value of zero. The detectors are then compared to logged fragments of system calls within a computing device to modify the matching value. When the matching value for a given detector is equal to or greater than an expectation value, the detector's expectation value may be set to the matching value. The detectors may then evolve and/or generate other detectors using mutation, and/or recombination, or the like. Detectors continue to generate and/or to evolve until a detector's matching value reaches a determined value, in which case, the detector may be evaluated to determine if an unauthorized activity is detected. If an unauthorized activity is detected, a detection response may be performed.
Claims (20 in total; the independent claims 1, 8, 14 and 20 are reproduced below)
1. A network device for detecting an unauthorized client software activity, comprising:
a transceiver to send and receive data over the network; and
a processor that is operative to perform actions, including:
generating a detector, wherein the detector is a sequence of computer system calls;
determining, for the detector, an initial matching value and expectation value;
comparing the detector to logged fragments of computer system calls associated with a computing process, and based on the comparison revising the matching value for the detector;
if the revised matching value of the detector is equal to or greater than the detector's expectation value, evolving at least one child detector based on the detector, modifying the detector's expectation value, and modifying at least one child detector's expectation value and matching value based on another comparison to the logged fragments of the computer system calls; and
if an expectation value for the detector or the at least one child detector exceeds a threshold value, evaluating that detector to determine if an unauthorized activity is detected.
Dependent claims 2 through 7 are not reproduced here.
8. A method for detecting an unauthorized client software activity, comprising:
generating a plurality of detectors, wherein each detector is a different sequence of computer system calls, and wherein each detector is assigned an initial matching value and expectation value;
comparing each detector to at least one fragment of sequences of computer system calls associated with a computing process, and based on the comparison revising the matching value for each of the detectors;
if a revised matching value for one of the detectors is equal to or greater than that detector's expectation value, evolving at least one child detector based in part on that detector, modifying that detector's expectation value, and modifying at least one child detector's expectation value and matching value based on a comparison to the at least one fragment of sequences; and
if an expectation value for a detector in the plurality of detectors or the at least one child detector exceeds a threshold value, evaluating that detector or child detector to determine if an unauthorized activity is detected.
Dependent claims 9 through 13 are not reproduced here.
14. A system for detecting an unauthorized computing activity, comprising:
a server that is operative to perform actions, including:
generating a plurality of detectors, wherein each detector is a different sequence of computer system calls, and wherein each detector is assigned an initial matching value and expectation value; and
sending the plurality of detectors over a network;
a client device that is operative to perform actions, including:
receiving the plurality of detectors;
comparing each detector to at least one fragment of sequences of computer system calls associated with the computing activity, and based on the comparison revising the matching value for each of the detectors;
if a revised matching value for one of the detectors is equal to or greater than that detector's expectation value, evolving at least one child detector based in part on that detector, modifying that detector's expectation value, and modifying at least one child detector's expectation value and matching value based on a comparison to the at least one fragment of sequences; and
if an expectation value for a detector in the plurality of detectors or the at least one child detector exceeds a threshold value, sending that detector or child detector to the server, wherein that detector or child detector is evaluated to determine if an unauthorized activity is detected on the client device.
Dependent claims 15 through 19 are not reproduced here.
20. An apparatus for detecting an unauthorized process activity, comprising:
means for generating a detector having an initial matching value and initial expectation value, and wherein the detector is a sequence of computer system calls;
means for revising the matching value and expectation value for the detector based on a characteristic of a client process;
means for generating another detector based on the detector and the detector's matching value and expectation value, wherein a matching value and expectation value is associated with the other detector; and
means for performing a hill-climb of the detector's and the other detector's matching values until one of the matching values satisfies a threshold value, and then means for determining from the detector or the other detector whether an unauthorized activity is detected by the client process.
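The loop described in the abstract and in claims 1, 8 and 20 (generate detectors, compare them to logged system-call fragments, climb the matching value, spawn children by mutation or recombination, and evaluate a detector once its expectation value clears a threshold), written out as an added example. This is not the patent's own code or an implementation from its assignee. Points the page leaves open are filled with labelled assumptions: fragments are fixed-length sliding windows over the call trace, matching uses the r-contiguous rule common in artificial immune systems, a child replaces its parent when its matching value is no worse (the population rule behind the hill-climb), and the evaluation step flags a detector whose matched fragments do not occur in a recorded self profile. The system-call alphabet, the benign trace and the injected beacon-like socket/connect/write/close pattern are constructed for the example. The server/client split of claim 14 is not modelled.

```python
"""Toy reconstruction of the detector-evolution loop from the abstract and
claims: a detector is a system-call sequence carrying a matching value and an
expectation value that hill-climb against logged call fragments.  Traces are
constructed for this example; the r-contiguous matching rule, the population
rule and the evaluation step are assumptions, not details fixed by the page.
"""
import random
from dataclasses import dataclass

SYSCALLS = ["open", "read", "write", "close", "mmap", "ioctl",
            "fork", "execve", "socket", "connect"]
WINDOW = 4  # detector length == fragment length (assumption)
R = 3       # r-contiguous rule: match if R consecutive positions agree

# Constructed traces.  The self profile is a benign file-handling loop; the
# monitored process runs the same loop with a repeated beacon-like
# socket/connect/write/close sequence injected in the middle.
BENIGN_CYCLE = ["open", "read", "write", "close", "mmap", "ioctl",
                "read", "fork", "close", "open", "ioctl", "write"]
ATTACK_CYCLE = ["socket", "connect", "write", "close"]
SELF_TRACE = BENIGN_CYCLE * 3
MONITORED_TRACE = BENIGN_CYCLE * 2 + ATTACK_CYCLE * 8 + BENIGN_CYCLE


@dataclass
class Detector:
    seq: tuple
    matching: int = 0     # fragments matched in the last comparison
    expectation: int = 0  # best matching value recorded so far (the climb)


def fragments(trace, n=WINDOW):
    """Logged fragments: every length-n sliding window over a call trace."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def r_contiguous(a, b, r=R):
    """True if sequences a and b agree on at least r consecutive positions."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False


def matching_value(seq, frags):
    """Revised matching value: number of logged fragments the detector matches."""
    return sum(1 for f in frags if r_contiguous(seq, f))


def mutate(seq, rng):
    """Child by mutation: one position replaced with a random call."""
    i = rng.randrange(len(seq))
    return seq[:i] + (rng.choice(SYSCALLS),) + seq[i + 1:]


def recombine(a, b, rng):
    """Child by recombination: one-point crossover of two detectors."""
    cut = rng.randrange(1, len(a))
    return a[:cut] + b[cut:]


def evaluate(det, frags, self_frags, threshold):
    """Evaluation step (assumption): a detector over threshold signals
    unauthorized activity only if it matches more than `threshold` logged
    fragments that never occur in the self profile."""
    known = set(self_frags)
    novel = sum(1 for f in frags if f not in known and r_contiguous(det.seq, f))
    return novel > threshold


def evolve(trace, self_trace, threshold=4, pop_size=40, rounds=200, seed=7):
    """Run the generate / compare / climb / evolve loop and return the set of
    detector sequences that crossed the threshold and were judged malign."""
    rng = random.Random(seed)
    frags, self_frags = fragments(trace), fragments(self_trace)

    def spawn(seq):
        det = Detector(seq)                        # initial values are zero
        det.matching = matching_value(seq, frags)  # first comparison revises it
        return det

    pop = [spawn(tuple(rng.choice(SYSCALLS) for _ in range(WINDOW)))
           for _ in range(pop_size)]
    verdicts = {}
    for _ in range(rounds):
        for i, det in enumerate(pop):
            # Gate from the claims: only a detector whose revised matching value
            # is at or above its expectation value evolves.  Against a static log
            # this always holds; against a live log a detector can fall below.
            if det.matching < det.expectation:
                continue
            det.expectation = det.matching
            if rng.random() < 0.3:
                seq = recombine(det.seq, rng.choice(pop).seq, rng)
            else:
                seq = mutate(det.seq, rng)
            child = spawn(seq)
            child.expectation = child.matching
            if child.matching >= det.matching:  # population rule (assumption):
                pop[i] = child                  # child replaces parent if no worse
            for d in (det, child):
                if d.expectation > threshold and d.seq not in verdicts:
                    verdicts[d.seq] = evaluate(d, frags, self_frags, threshold)
    return {seq for seq, malign in verdicts.items() if malign}


if __name__ == "__main__":
    for seq in sorted(evolve(MONITORED_TRACE, SELF_TRACE)):
        print("unauthorized activity pattern:", " -> ".join(seq))
```

With the constructed traces every benign 4-gram occurs at most three times, so the threshold of 4 can only be crossed by a detector that has climbed onto the injected pattern; the evaluation step is still needed because a detector can also straddle a benign and a malign fragment and rack up matches from both.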