DETECTION OF ANOMALOUS EVENTS
First Claim
1. A method of detecting anomalous events, comprising:
receiving a first log file including a first plurality of events from a first data source;
receiving a second log file including a second plurality of events from a second data source that is a different type than the first data source;
using the first log file, generating a first anomaly score, the generation being derived from an area associated with a probability density function of the first log file;
using the second log file, generating a second anomaly score, the generation being derived from an area associated with a probability density function of the second log file; and
comparing the first and second anomaly scores.
Abstract
A system is described for receiving a stream of events and scoring the events based on anomalousness and maliciousness (or another classification). The system can include a plurality of anomaly detectors that together implement an algorithm to identify low-probability events and detect atypical traffic patterns. The anomaly detector provides comparability across disparate sources of data (e.g., network flow data and firewall logs): each source is scored on the same probability scale. Additionally, the anomaly detector provides regulatability, meaning that the algorithm is user-configurable to adjust the number of false alerts. The anomaly detector can be used with a variety of probability density functions, including normal (Gaussian) distributions, irregular distributions, and functions associated with continuous or discrete variables.
20 Claims
1. (Independent claim; reproduced above under First Claim.) Claims 2 to 8 depend on claim 1.
9. A computer-readable storage having instructions thereon for executing a method of detecting anomalous events, the method comprising:
receiving a plurality of input network events from disparate network sources; and
calculating multiple anomaly scores for each of the plurality of input network events using a function formed at least in part by the expression P_f(f(X) ≤ f(x)), wherein f(X) is related to a probability of an occurrence of an event, f(x) is a current event being analyzed, and P_f is a probability determination.
Claims 10 to 17 depend on claim 9.
18. A system for detecting anomalous events, comprising:
a first anomaly detector for receiving a first log file;
a second anomaly detector for receiving a second log file;
wherein the first and second anomaly detectors calculate anomaly scores for the respective first and second log files, the anomaly detectors using a function formed at least in part by the expression P_f(f(X) ≤ f(x)), wherein f(X) is related to a probability of an occurrence of an event, f(x) is a current event being analyzed, and P_f is a probability determination; and
a comparator coupled to the anomaly detectors for comparing the anomaly scores.
Claims 19 and 20 depend on claim 18.
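The abstract and claims 9 and 18 define the anomaly score as the probability P_f(f(X) ≤ f(x)): the area under the source's probability density function over every event that is no more likely than the one observed. The Python below is an added example, not code from the patent or its assignee. It computes that score for a continuous field modelled as a Gaussian (where the area is the two-sided tail) and for a discrete field modelled by empirical frequencies (where it is a sum of probability masses), then runs both through a comparator and a single user-set alert threshold. The log sources, field names, baseline values and events are all constructed for illustration.

```python
"""Added example, not code from the patent: scoring events from two
different log types with the same statistic, P_f(f(X) <= f(x)), so that the
scores are comparable and one alert threshold regulates both sources.
Sources, field names, baseline values and events are constructed."""
import math
from collections import Counter


def fit_gaussian(values):
    """Baseline model for a continuous field: sample mean and (population)
    standard deviation of the values seen in a training log."""
    n = len(values)
    mean = sum(values) / n
    var = sum((v - mean) ** 2 for v in values) / n
    return mean, math.sqrt(var)


def gaussian_score(x, mean, std):
    """P_f(f(X) <= f(x)) for X ~ N(mean, std^2). The normal density falls
    off with |X - mean|, so {f(X) <= f(x)} is {|X - mean| >= |x - mean|}:
    the two-sided tail area 2 * (1 - Phi(|z|)) = erfc(|z| / sqrt(2))."""
    z = abs(x - mean) / std
    return math.erfc(z / math.sqrt(2))


def fit_pmf(values):
    """Baseline model for a discrete field: relative frequencies."""
    counts = Counter(values)
    total = sum(counts.values())
    return {k: c / total for k, c in counts.items()}


def discrete_score(x, pmf):
    """P_f(f(X) <= f(x)) for a discrete variable: the total mass of every
    outcome that is no more likely than the observed one. An outcome never
    seen in the baseline has mass 0 and therefore score 0 (most anomalous)."""
    p_x = pmf.get(x, 0.0)
    return sum(p for p in pmf.values() if p <= p_x)


# Constructed baseline logs (training data for the two detectors).
FLOW_BASELINE_SECONDS = [20, 25, 30, 35, 40, 30, 30, 30, 25, 35]
FW_BASELINE_PORTS = [443] * 60 + [80] * 30 + [22] * 8 + [3389] * 2

# Constructed events to score: (source type, event id, field value).
NEW_EVENTS = [
    ("netflow", "flow-1", 31),      # typical flow duration
    ("netflow", "flow-2", 50),      # unusually long-lived flow
    ("firewall", "fw-1", 443),      # common destination port
    ("firewall", "fw-2", 3389),     # rare destination port
    ("firewall", "fw-3", 23),       # port never seen in the baseline
]


def score_events(events, flow_baseline, port_baseline):
    """Run each event through the detector for its source type and return
    (source, id, score) tuples on one common [0, 1] scale."""
    mean, std = fit_gaussian(flow_baseline)
    pmf = fit_pmf(port_baseline)
    scored = []
    for source, event_id, value in events:
        if source == "netflow":
            s = gaussian_score(value, mean, std)
        elif source == "firewall":
            s = discrete_score(value, pmf)
        else:
            raise ValueError(f"no detector for source {source!r}")
        scored.append((source, event_id, s))
    return scored


def compare(scored):
    """Comparator: order events from all sources by score, lowest (most
    anomalous) first, regardless of which detector produced the score."""
    return sorted(scored, key=lambda t: t[2])


def alerts(scored, alpha):
    """Regulated alerting: flag events whose score is at most alpha. When the
    baseline model of a continuous field is correct, the score is uniform on
    [0, 1], so alpha is the expected false-alert rate; for a discrete field
    it is an upper bound on that rate."""
    return [event_id for _, event_id, s in scored if s <= alpha]


if __name__ == "__main__":
    scored = score_events(NEW_EVENTS, FLOW_BASELINE_SECONDS, FW_BASELINE_PORTS)
    for source, event_id, s in compare(scored):
        print(f"{source:9s} {event_id:7s} score={s:.4f}")
    print("alerts at alpha=0.05:", alerts(scored, 0.05))
```

Because both detectors return a probability on the same [0, 1] scale, a rare firewall destination port and an unusually long flow can be ranked against each other, and one alpha sets the alert budget for both sources. Note the discrete edge case: an outcome absent from the baseline scores 0, so the port model must be refreshed as the environment changes or every newly deployed service will alert.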