REAL-TIME DETECTION AND CLASSIFICATION OF ANOMALOUS EVENTS IN STREAMING DATA
First Claim
1. A method of detecting and classifying anomalous events, comprising:
- receiving an input log file including a plurality of events, wherein each event comprises a data set;
- for each event, providing multiple contexts that group the data set into different sub-groups;
- generating an anomaly score for each context so that each event has at least two anomaly scores associated therewith;
- for each event, combining at least the anomaly scores to generate an overall event score so as to classify the event as being normal or abnormal; and
- outputting a plurality of the overall event scores for the input log file.
4 Assignments
0 Petitions
Abstract
A system is described for receiving a stream of events and scoring the events based on anomalousness and maliciousness (or other classification). The events can be displayed to a user in user-defined groupings in an animated fashion. The system can include a plurality of anomaly detectors that together implement an algorithm to identify low probability events and detect atypical traffic patterns. The atypical traffic patterns can then be classified as being of interest or not. In one particular example, in a network environment, the classification can be whether the network traffic is malicious or not.
21 Claims

1. A method of detecting and classifying anomalous events, comprising:
receiving an input log file including a plurality of events, wherein each event comprises a data set; for each event, providing multiple contexts that group the data set into different sub-groups; generating an anomaly score for each context so that each event has at least two anomaly scores associated therewith; for each event, combining at least the anomaly scores to generate an overall event score so as to classify the event as being normal or abnormal; and outputting a plurality of the overall event scores for the input log file.
Dependent claims: 2 to 13.

14. A computer-readable medium having instructions thereon for executing a method of detecting and classifying anomalous events, the method comprising:
receiving a plurality of input network events; transforming the input network events so that each event is associated with a position parameter, which includes at least a source and destination network address, a value parameter, which is a description of the event, and a time parameter indicating when the event occurred; generating a plurality of anomaly detectors that aggregate different sub-parts of the position, value and time parameters; calculating a plurality of anomaly scores for each input network event using the anomaly detectors; and calculating a maliciousness score for each event using the plurality of anomaly scores.
Dependent claims: 15 to 18.

19. A system for detecting and classifying anomalous events, comprising:
a data model for receiving events and transforming the events into a common format; a plurality of anomaly detectors for receiving the events from the data model and generating a plurality of anomaly scores associated with each event; and a classifier coupled to the anomaly detectors for generating a maliciousness score based on the plurality of anomaly scores.
Dependent claims: 20 and 21.
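The three independent claims describe one pipeline: events are transformed into position (source and destination address), value (description) and time parameters; several contexts each group those parameters into a different sub-group; one anomaly detector per context produces a score; and the scores are combined into an overall normal/abnormal decision and a maliciousness score. The following is an added illustration of that pipeline in Python, not code from the patent or its assignee. The context definitions (peers seen per source, peers seen per destination, services seen per source-destination pair, business versus off-hours activity per source), the add-one count-based detector, the abnormality threshold, the classifier weights and the sample log lines are all constructed here for the example.

```python
"""Streaming anomaly scoring and classification of log events (added example)."""
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Hashable, List, Tuple


@dataclass(frozen=True)
class Event:
    src: str    # position parameter: source address
    dst: str    # position parameter: destination address
    value: str  # value parameter: description of the event
    hour: int   # time parameter, reduced to hour of day


def parse_log(text: str) -> List[Event]:
    """Parse constructed lines of the form '<ISO timestamp> <src> <dst> <description>'."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, value = line.split()
        events.append(Event(src, dst, value, int(ts[11:13])))
    return events


# A context maps an event to (grouping key, observed member of the sub-group).
ContextFn = Callable[[Event], Tuple[Hashable, Hashable]]
CONTEXTS: Dict[str, ContextFn] = {
    "src_peer":   lambda e: (e.src, (e.dst, e.value)),   # what does this source usually do?
    "dst_peer":   lambda e: (e.dst, (e.src, e.value)),   # who usually talks to this destination?
    "pair_value": lambda e: ((e.src, e.dst), e.value),   # what passes between this pair?
    "src_hours":  lambda e: (e.src, "business" if 8 <= e.hour < 18 else "offhours"),
}


class CountDetector:
    """Anomaly score = -log2 P(observation | key), add-one smoothed, learned online."""

    def __init__(self, context: ContextFn):
        self.context = context
        self.counts = defaultdict(lambda: defaultdict(int))
        self.totals = defaultdict(int)

    def score(self, event: Event) -> float:
        key, obs = self.context(event)
        p = (self.counts[key][obs] + 1) / (self.totals[key] + 2)
        return -math.log2(p)

    def update(self, event: Event) -> None:
        key, obs = self.context(event)
        self.counts[key][obs] += 1
        self.totals[key] += 1


ABNORMAL_THRESHOLD = 2.0  # constructed: mean bits of surprise needed to call an event abnormal
MALICE_WEIGHTS = {"src_peer": 0.5, "dst_peer": 0.5, "pair_value": 1.0, "src_hours": 0.7}  # constructed
MALICE_BIAS = 3.0         # constructed


def combine(scores: Dict[str, float]) -> float:
    """Overall event score: mean of the per-context anomaly scores."""
    return sum(scores.values()) / len(scores)


def maliciousness(scores: Dict[str, float]) -> float:
    """Constructed stand-in for the classifier: weighted sum of anomaly scores through a logistic."""
    z = sum(MALICE_WEIGHTS[name] * s for name, s in scores.items()) - MALICE_BIAS
    return 1.0 / (1.0 + math.exp(-z))


class Pipeline:
    def __init__(self):
        self.detectors = {name: CountDetector(fn) for name, fn in CONTEXTS.items()}

    def process(self, event: Event) -> dict:
        # Score before updating, so the detectors only know about earlier events (streaming).
        scores = {name: d.score(event) for name, d in self.detectors.items()}
        for d in self.detectors.values():
            d.update(event)
        overall = combine(scores)
        return {"event": event, "scores": scores, "overall": overall,
                "abnormal": overall >= ABNORMAL_THRESHOLD, "malice": maliciousness(scores)}


def run(text: str) -> List[dict]:
    """Output one overall score (plus its parts) for every event in the input log."""
    pipeline = Pipeline()
    return [pipeline.process(e) for e in parse_log(text)]


def build_sample_log() -> str:
    """Constructed log: 30 routine business-hours events, then an off-hours SSH to a new host."""
    lines = [f"2024-03-01T{9 + i % 9:02d}:{i:02d}:00 10.0.0.5 10.0.0.80 http" for i in range(20)]
    lines += [f"2024-03-01T{9 + i % 9:02d}:{30 + i:02d}:00 10.0.0.5 10.0.0.53 dns" for i in range(10)]
    lines.append("2024-03-02T03:12:00 10.0.0.5 10.0.0.9 ssh")    # off-hours, new peer, new service
    lines.append("2024-03-02T10:05:00 10.0.0.5 10.0.0.80 http")  # routine traffic again
    return "\n".join(lines)


if __name__ == "__main__":
    for r in run(build_sample_log()):
        e = r["event"]
        print(f"{e.src}->{e.dst} {e.value:5s} h{e.hour:02d} overall={r['overall']:.2f} "
              f"abnormal={r['abnormal']} malice={r['malice']:.2f}")
```

Two points the numbers make visible: the off-hours SSH event scores 5 bits in both contexts keyed by the source (never seen peer, never seen off-hours) but only 1 bit in the two contexts keyed by the new destination or pair, because a detector with no history for a key cannot be surprised by it; and every context's first event scores exactly 1 bit, so cold-start traffic sits below the threshold. A deployment would tune the threshold and classifier weights on labelled data rather than fix them as here.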
Specification