METHOD AND APPARATUS FOR COMPUTER INTRUSION DETECTION
Abstract
A method and apparatus for intrusion detection, the method comprising: receiving a description of a computerized system, the description comprising two or more entities, one or more attributes for each entity and one or more statistical rules related to a relationship between the entities; receiving data related to activity of the computerized system, the data comprising two or more events; grouping the events into two or more groups associated with the entities; and comparing the groups in accordance with the statistical rules, to identify a group not complying with any of the statistical rules.
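An illustration of the flow the abstract describes (description, events, grouping, comparison), added here and not taken from the patent. The host names, the `role` attribute, the distinct-destination-port metric and the median-absolute-deviation rule with its 3.5 limit are all assumptions chosen for the example, as are the constructed events.

```python
from collections import defaultdict
from statistics import median

# Constructed description (assumption): entities, one attribute each, one rule.
DESCRIPTION = {
    "entities": {"web-1": {"role": "web"}, "web-2": {"role": "web"},
                 "web-3": {"role": "web"}, "web-4": {"role": "web"},
                 "web-5": {"role": "web"}, "db-1": {"role": "db"},
                 "db-2": {"role": "db"}},
    # Rule: entities sharing `peer_attribute` should show a similar number of
    # distinct destination ports; modified z-score above the limit = outlier.
    "rules": [{"peer_attribute": "role", "max_score": 3.5}],
}

# Constructed activity data: one (entity, destination_port) tuple per event.
EVENTS = [(host, port) for host, ports in {
    "web-1": [443, 5432], "web-2": [443, 5432, 53], "web-3": [443, 5432, 443],
    "web-4": [443, 5432, 53], "db-1": [5432], "db-2": [5432, 53],
    "web-5": [443, 5432, 53, 22, 23, 135, 445, 3389, 5900],
}.items() for port in ports]

def group_events(events):
    """Group events by the entity they belong to."""
    groups = defaultdict(list)
    for entity, port in events:
        groups[entity].append(port)
    return groups

def non_compliant(description, events, min_peers=3):
    """Return (entity, metric, score) for groups that break a rule."""
    groups, flagged = group_events(events), []
    for rule in description["rules"]:
        peers = defaultdict(dict)
        for entity, attrs in description["entities"].items():
            # Aggregate each group into one object: distinct-port count.
            metric = len(set(groups.get(entity, [])))
            peers[attrs[rule["peer_attribute"]]][entity] = metric
        for metrics in peers.values():
            if len(metrics) < min_peers:   # too few peers to compare
                continue
            med = median(metrics.values())
            mad = median(abs(v - med) for v in metrics.values())
            for entity, v in metrics.items():
                if v == med:
                    score = 0.0
                else:  # with a MAD of 0, any value off the median is flagged
                    score = 0.6745 * abs(v - med) / mad if mad else float("inf")
                if score > rule["max_score"]:
                    flagged.append((entity, v, round(score, 2)))
    return flagged
```

The `db` peer group has only two members here, so it is skipped rather than compared; a two-point median gives no usable baseline.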
18 Claims
1. A computer-implemented method performed by a computerized device, comprising:
receiving a description of a computerized system, the description comprising at least two entities, at least one attribute for each of the at least two entities and at least one statistical rule related to relationship between the at least two entities;
receiving data related to activity of the computerized system, the data comprising at least two events;
grouping the at least two events into at least two groups associated with the at least two entities; and
comparing the at least two groups in accordance with the at least one statistical rule, to identify a group not complying with the at least one statistical rule.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. An apparatus having a processing unit and a storage device, the apparatus comprising:
a system receiving component for receiving a description of a computerized system, the description comprising at least two entities, at least one attribute for each of the at least two entities and at least one statistical rule related to relationship between the at least two entities;
a data receiving component for data related to activity of the computerized system, the data comprising at least two events;
a data division component for grouping the at least two events into at least two groups associated with the at least two entities;
an aggregation component for aggregating each of the at least two groups to obtain at least two objects; and
a group analysis component for comparing the at least two objects in accordance with the at least one statistical rule, to identify a group not complying with the at least one statistical rule.
Dependent claims: 12, 13, 14, 15, 16, 17.
18. A computer program product comprising:
a non-transitory computer readable medium;
a first program instruction for receiving a description of a computerized system, the description comprising at least two entities, at least one attribute for each of the at least two entities and at least one statistical rule related to relationship between the at least two entities;
a second program instruction for receiving data related to activity of the computerized system, the data comprising at least two events;
a third program instruction for grouping the at least two events into at least two groups associated with the at least two entities; and
a fourth program instruction for comparing the at least two groups in accordance with the at least one statistical rule, to identify a group not complying with the at least one statistical rule,
wherein said first, second, third and fourth program instructions are stored on said non-transitory computer readable medium.
Specification