MONITORING FOR ANOMALIES IN A COMPUTING ENVIRONMENT

US 20140143868A1
Filed: 11/19/2012
Published: 05/22/2014
Est. Priority Date: 11/19/2012
Status: Active Grant

First Claim

Patent Images

1. A method of monitoring for anomalies in a computing environment comprising, with a processor:

building an anomaly detection system based on topology guided statistical analysis; and

creating a number of correlation rules based on a number of detected anomalies and information provided by a security alerts database.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of monitoring for anomalies in a computing environment comprises, with a processor building an anomaly detection system based on topology guided statistical analysis, and creating a number of correlation rules based on a number of detected anomalies and information provided by a security alerts database.

34 Citations

View as Search Results

15 Claims

1. A method of monitoring for anomalies in a computing environment comprising, with a processor:
- building an anomaly detection system based on topology guided statistical analysis; and
  
  creating a number of correlation rules based on a number of detected anomalies and information provided by a security alerts database.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, in which building an anomaly detection system based on topology guided statistical analysis comprises:
    - storing transaction and performance data enriched by topology data within a performance management database; and
      
      identifying a number of metrics for each of a number of configuration items in the topology of a web application.
  - 3. The method of claim 2, further comprising determining a metric baseline for the metrics.
  - 4. The method of claim 3, further comprising determining a relationship baseline for a number of relationships between the metrics of the configuration items.
  - 5. The method of claim 4, further comprising:
    - determining if any of the metrics deviate from their respective baselines;
      
      if any of the metrics deviate from their respective baselines, determining if a deviating metric exhibits similar behavior as compared to the relationship baseline; and
      
      if a deviating metric does not exhibit similar behavior as compared to the relationship baseline, flagging the deviating metric as a possibly malicious anomaly.
  - 6. The method of claim 5, in which creating a number of correlation rules based on a number of detected anomalies and information provided by a security alerts database comprises:
    - building a number of correlation rules based on the flagged anomalies and the information provided by the security alerts database.
  - 7. The method of claim 6, further comprising:
    - applying the correlation rules to detect intrusions within the computing environment;
      
      determining if a suspicious session within a database is reported within a security alert;
      
      classifying the flagged anomaly and the suspicious session related alert as the same intrusion if the suspicious session within the database is reported within the security alert; and
      
      classifying the flagged anomaly as an intrusion detected through statistical analysis if the suspicious session within the database is not reported within the security alert.

8. A hybrid intrusion detection system (IDS), comprising:
- a configuration management database to store data regarding a number of configuration items within a computing environment;
  
  a performance management database to store data related to resource usage metrics;
  
  a security alert database to store data associated with a number of security alerts; and
  
  a computing device comprising;
  
  a processor; and
  
  a data storage device to store;
  
  a topology guided anomaly detection module that, when executed by the processor, detects a number of anomalies using topology guided statistical analysis; and
  
  a topology guided correlation module that, when executed by the processor, creates a number of correlation rules based on a number of flagged anomalies and the information provided by the security alerts database.
- View Dependent Claims (9, 10, 11)
- - 9. The hybrid IDS of claim 8, further comprising a correlation rules database to store the correlation rules.
  - 10. The hybrid IDS of claim 8, in which the topology guided anomaly detection module, when executed by the processor:
    - determines a metric baseline for the metrics.determines a relationship baseline for a number of relationships between the metrics of the configuration items.determines if any of the metrics deviate from their respective baselines;
      
      if any of the metrics deviate from their respective baselines, determining if a deviating metric exhibits similar behavior as compared to the relationship baseline; and
      
      if a deviating metric does not exhibit similar behavior as compared to the relationship baseline, flagging the deviating metric as a possibly malicious anomaly.
  - 11. The hybrid IDS of claim 10, in which the topology guided correlation module, when executed by the processor:
    - builds a number of correlation rules based on the flagged anomalies and the information provided by the security alerts database.applies the correlation rules to detect intrusions within the computing environment;
      
      determines if a suspicious session within a database is reported within a security alert;
      
      classifies the flagged anomaly and the suspicious session related alert as the same intrusion if the suspicious session within the database is reported within the security alert; and
      
      classifies the flagged anomaly as an intrusion detected through statistical analysis if the suspicious session within the database is not reported within the security alert.

12. A computer program product for monitoring for anomalies in a computing environment, the computer program product comprising:
- a non-transitory computer readable storage medium comprising computer usable program code embodied therewith, the computer usable program code comprising;
  
  computer usable program code to, when executed by a processor, store transaction and performance data enriched by topology data within a performance management database; and
  
  computer usable program code to, when executed by a processor, identify a number of metrics for each of a number of configuration items in the topology of a web application.
- View Dependent Claims (13, 14, 15)
- - 13. The computer program product of claim 12, further comprising:
    - computer usable program code to, when executed by a processor, determine a metric baseline for the metrics;
      
      computer usable program code to, when executed by a processor, determine a relationship baseline for a number of relationships between the metrics of the configuration items;
      
      computer usable program code to, when executed by a processor, determine if any of the metrics deviate from their respective baselines;
      
      computer usable program code to, when executed by a processor, if any of the metrics deviate from their respective baselines, determine if a deviating metric exhibits similar behavior as compared to the relationship baseline;
      
      ancomputer usable program code to, when executed by a processor, if a deviating metric does not exhibit similar behavior as compared to the relationship baseline, flag the deviating metric as a possibly malicious anomaly.
  - 14. The computer program product of claim 13, further comprising:
    - computer usable program code to, when executed by a processor, build a number of correlation rules based on the flagged anomalies and the information provided by the security alerts database.
  - 15. The computer program product of claim 14, further comprising:
    - computer usable program code to, when executed by a processor, apply the correlation rules to detect intrusions within the computing environment;
      
      computer usable program code to, when executed by a processor, determine if a suspicious session within a database is reported within a security alert;
      
      computer usable program code to, when executed by a processor, classify the flagged anomaly and the suspicious session related alert as the same intrusion if the suspicious session within the database is reported within the security alert; and
      
      computer usable program code to, when executed by a processor, classify the flagged anomaly as an intrusion detected through statistical analysis if the suspicious session within the database is not reported within the security alert.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Rajagopalan, Siva Raj, SHIVA, SM PRAKASH

Granted Patent

US 9,141,791 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/552 involving long-term monitor...

H04L 63/14 for detecting or protecting...

MONITORING FOR ANOMALIES IN A COMPUTING ENVIRONMENT

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

34 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

MONITORING FOR ANOMALIES IN A COMPUTING ENVIRONMENT

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links