APPLICATION OF MACHINE LEARNED BAYESIAN NETWORKS TO DETECTION OF ANOMALIES IN COMPLEX SYSTEMS

US 20130198119A1
Filed: 01/09/2013
Published: 08/01/2013
Est. Priority Date: 01/09/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for anomaly detection, the method comprising:

in response to a set of data for anomaly detection, applying a Bayesian belief network (BBN) model to the data set, including for each of a plurality of features of the BBN model, performing an estimate using known observed values associated with remaining features to generate a posterior probability for the corresponding feature; and

performing a scoring operation using a predetermined scoring algorithm on posterior probabilities of all of the features to generate a similarity score, wherein the similarity score represents a degree to which a given event represented by the data set is novel relative to historical events represented by the BBN model.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, in response to a set of data for anomaly detection, a Bayesian belief network (BBN) model is applied to the data set, including for each of a plurality of features of the BBN model, performing an estimate using known observed values associated with remaining features to generate a posterior probability for the corresponding feature. A scoring operation is performed using a predetermined scoring algorithm on posterior probabilities of all of the features to generate a similarity score, wherein the similarity score represents a degree to which a given event represented by the data set is novel relative to historical events represented by the BBN model.

Citations

36 Claims

1. A computer-implemented method for anomaly detection, the method comprising:
- in response to a set of data for anomaly detection, applying a Bayesian belief network (BBN) model to the data set, including for each of a plurality of features of the BBN model, performing an estimate using known observed values associated with remaining features to generate a posterior probability for the corresponding feature; and
  
  performing a scoring operation using a predetermined scoring algorithm on posterior probabilities of all of the features to generate a similarity score, wherein the similarity score represents a degree to which a given event represented by the data set is novel relative to historical events represented by the BBN model.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 2. The method of claim 1, wherein performing an estimate using known observed values associated with remaining features comprises comparing an estimated event with a known event associated with the corresponding feature to determine whether the corresponding feature conforms to an expectation.
  - 3. The method of claim 2, further comprising assigning a first score for each of the features based on the comparison between the estimated event and the corresponding known event.
  - 4. The method of claim 3, further comprising performing a predetermined mathematical operation on the first scores of all features to derive the similarity score.
  - 5. The method of claim 4, wherein performing a predetermined mathematical operation on the first scores of all features comprises summing the first scores to generate the similarity score.
  - 6. The method of claim 1, wherein a posterior probability associated with a feature is used by the scoring operation to adjudicate whether an estimate event is novel given known events associated with the remaining features.
  - 7. The method of claim 1, wherein a posterior probability associated with a feature is used by the scoring operation to adjudicate whether an estimate event is harmful given known events associated with the remaining features.
  - 8. The method of claim 1, wherein the data set represents an executable of a software application to be determined whether the executable is malware.
  - 9. The method of claim 1, wherein the data set represents a set of internet transactions to be determined whether the transactions represent illegitimate traffic.
  - 10. The method of claim 1, wherein the data set represents a set social media data to be determined whether a given social media interaction of for benign or malicious purposes.
  - 11. The method of claim 1, wherein the data set represents a set of quality or manufacturing parameters to be determined if the product in question is defective.
  - 12. The method of claim 1, wherein the data set represents biological data to be determined if the patient has underlying biology that is predisposed to illness.
  - 13. The method of claim 1, wherein the data set represents individual documents to be determined if the documents represent a threat of inadvertent disclosure.
  - 14. The method of claim 8, wherein applying a BBN model to the data set comprises:
    - applying a first BBN model to the data set to generate a first score representing a likelihood the executable associated with the data is a malware, wherein the first BBN model was trained based on both malware sample data and benign sample data; and
      
      applying a second BBN model to the data set to generate a second score if the first score is greater than a predetermined threshold, wherein the second BBN model was trained on the malware sample data.
  - 15. The method of claim 14, further comprising applying a third BBN model to the data set to generate a third score if the first score is less than or equal to a predetermined threshold, wherein the third BBN model was trained on the benign sample data.
  - 16. The method of claim 15, further comprising deriving the similarity score based on the second score and the third score.
  - 17. The method of claim 1, wherein the data set represents data of at least one of internet protocol communications, SMTP sessions, and email sessions.
  - 18. The method of claim 1, wherein the data set represents data of at least one of software executables, executable headers, features of executables, origins of executables, and behaviors of executables.
  - 19. The method of claim 1, wherein the data set represents data of at least one of web pages, brochures, pictures, requisition requests, chat groups, manuals, standard operating procedures, financial disclosures, product specifications, and press releases and statements in public forums.
  - 20. The method of claim 1, wherein the data set represents data of at least one of documents related to the development of new systems and capacities, including technology development, building of new facilities or systems architecture.
  - 21. The method of claim 1, wherein the data set represents data of at least one of records of wired telephone communications, email communications, mobile telephone communications, and instant messenger communications.
  - 22. The method of claim 1, wherein the data set represents data of at least one of test and specification parameters pertaining to specific units or lots of manufactured goods.
  - 23. The method of claim 1, wherein the data set represents data of at least one of social media records including posts on social networking web sites, posts on peer-to-peer message syndication services, photographs on social media web sites, personal or professional information posted on social networking web sites, or posts made to chat forums or bulletin boards.
  - 24. The method of claim 1, wherein the data set represents data of at least one of biological systems data including blood chemistry data, genetic sequences, genetic and protein expression data, peptide and cytokine/chemokine data, as well as other biomarkers.

25. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform a method for anomaly detection, the method comprising:
- in response to a set of data for anomaly detection, applying a Bayesian belief network (BBN) model to the data set, including for each of a plurality of features of the BBN model, performing an estimate using known observed values associated with remaining features to generate a posterior probability for the corresponding feature; and
  
  performing a scoring operation using a predetermined scoring algorithm on posterior probabilities of all of the features to generate a similarity score, wherein the similarity score represents a degree to which a given event represented by the data set is novel relative to historical events represented by the BBN model.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 26. The non-transitory machine-readable medium of claim 25, wherein performing an estimate using known observed values associated with remaining features comprises comparing an estimated event with a known event associated with the corresponding feature to determine whether the corresponding feature conforms to an expectation.
  - 27. The non-transitory machine-readable medium of claim 26, wherein the method further comprises assigning a first score for each of the features based on the comparison between the estimated event and the corresponding known event.
  - 28. The non-transitory machine-readable medium of claim 27, wherein the method further comprises performing a predetermined mathematical operation on the first scores of all features to derive the similarity score.
  - 29. The non-transitory machine-readable medium of claim 28, wherein performing a predetermined mathematical operation on the first scores of all features comprises summing the first scores to generate the similarity score.
  - 30. The non-transitory machine-readable medium of claim 25, wherein a posterior probability associated with a feature is used by the scoring operation to adjudicate whether an estimate event is novel given known events associated with the remaining features.
  - 31. The non-transitory machine-readable medium of claim 25, wherein a posterior probability associated with a feature is used by the scoring operation to adjudicate whether an estimate event is harmful given known events associated with the remaining features.
  - 32. The non-transitory machine-readable medium of claim 25, wherein the data set represents an executable of a software application to be determined whether the executable is malware.
  - 33. The non-transitory machine-readable medium of claim 32, wherein applying a BBN model to the data set comprises:
    - applying a first BBN model to the data set to generate a first score representing a likelihood the executable associated with the data is a malware, wherein the first BBN model was trained based on both malware sample data and benign sample data; and
      
      applying a second BBN model to the data set to generate a second score if the first score is greater than a predetermined threshold, wherein the second BBN model was trained on the malware sample data.
  - 34. The non-transitory machine-readable medium of claim 33, wherein the method further comprises applying a third BBN model to the data set to generate a third score if the first score is less than or equal to a predetermined threshold, wherein the third BBN model was trained on the benign sample data.
  - 35. The non-transitory machine-readable medium of claim 34, wherein the method further comprises deriving the similarity score based on the second score and the third score.

36. A data processing system, comprising:
- a processor; and
  
  a memory storing instructions, which when executed from the memory, cause the processor toin response to a set of data for anomaly detection, apply a Bayesian belief network (BBN) model to the data set, including for each of a plurality of features of the BBN model, performing an estimate using known observed values associated with remaining features to generate a posterior probability for the corresponding feature, andperform a scoring operation using a predetermined scoring algorithm on posterior probabilities of all of the features to generate a similarity score, wherein the similarity score represents a degree to which a given event represented by the data set is novel relative to historical events represented by the BBN model.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Decisionq Corporation
Original Assignee
Decisionq Corporation
Inventors
Eberhardt, John S. III, Radano, Todd A., Peterson, Benjamin E.

Granted Patent

US 9,349,103 B2
Time in Patent Office

Days
Field of Search
US Class Current

706/12
CPC Class Codes

G06N 20/00 Machine learning

G06N 7/01 Probabilistic graphical mod...

APPLICATION OF MACHINE LEARNED BAYESIAN NETWORKS TO DETECTION OF ANOMALIES IN COMPLEX SYSTEMS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

APPLICATION OF MACHINE LEARNED BAYESIAN NETWORKS TO DETECTION OF ANOMALIES IN COMPLEX SYSTEMS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links