SYSTEM AND METHOD FOR REAL-TIME DETECTION OF ANOMALIES IN DATABASE USAGE
First Claim
1. A method for real-time detection of anomalies comprising:
receiving a plurality of heterogeneous data streams, wherein the heterogeneous data streams are received from at least two of a group consisting of agents located at databases, agents located at applications, audit programs located at user workstations, and sensors located in, or at access points to, a network;
correlating the heterogeneous data streams, wherein the correlation identifies corresponding events in different ones of the heterogeneous data streams;
identifying patterns of events across the correlated heterogeneous data streams;
building a model of normalcy from the identified pattern of events, wherein the model of normalcy is stored in an analysis database;
creating rules that determine how and whether anomalies are detected, how a detected anomaly is treated and characterized, and what reaction to employ upon detection of the anomaly;
receiving a plurality of additional heterogeneous data streams from the at least two of a group consisting of the agents, audit programs, and sensors;
applying, using an analysis engine, the model of normalcy and rules to the additional heterogeneous data streams and analyzing data from the additional heterogeneous data streams against the model of normalcy and rules;
detecting an anomaly in real-time by determining whether an anomalous event is present, by the application of the rules and whether events, in relation to other events within the additional heterogeneous data streams, fit or do not fit the model of normalcy;
determining at least one characteristic of the detected anomaly; and
issuing an alert upon detection of the anomaly, wherein a type of alert is determined based on the at least one determined characteristic of the detected anomaly.
Abstract
A system and method for real-time detection of anomalies in database or application usage is disclosed. Embodiments provide a mechanism to detect anomalies in database or application usage, such as data exfiltration attempts, first by identifying correlations (e.g., patterns of normalcy) in events across different heterogeneous data streams (such as those associated with ordinary, authorized and benign database usage, workstation usage, user behavior or application usage) and second by identifying deviations/anomalies from these patterns of normalcy across data streams in real-time as data is being accessed. An alert is issued upon detection of an anomaly, wherein a type of alert is determined based on a characteristic of the detected anomaly.
30 Claims
1. A method for real-time detection of anomalies comprising:
receiving a plurality of heterogeneous data streams, wherein the heterogeneous data streams are received from at least two of a group consisting of agents located at databases, agents located at applications, audit programs located at user workstations, and sensors located in, or at access points to, a network;
correlating the heterogeneous data streams, wherein the correlation identifies corresponding events in different ones of the heterogeneous data streams;
identifying patterns of events across the correlated heterogeneous data streams;
building a model of normalcy from the identified pattern of events, wherein the model of normalcy is stored in an analysis database;
creating rules that determine how and whether anomalies are detected, how a detected anomaly is treated and characterized, and what reaction to employ upon detection of the anomaly;
receiving a plurality of additional heterogeneous data streams from the at least two of a group consisting of the agents, audit programs, and sensors;
applying, using an analysis engine, the model of normalcy and rules to the additional heterogeneous data streams and analyzing data from the additional heterogeneous data streams against the model of normalcy and rules;
detecting an anomaly in real-time by determining whether an anomalous event is present, by the application of the rules and whether events, in relation to other events within the additional heterogeneous data streams, fit or do not fit the model of normalcy;
determining at least one characteristic of the detected anomaly; and
issuing an alert upon detection of the anomaly, wherein a type of alert is determined based on the at least one determined characteristic of the detected anomaly.
View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
16. A system for real-time detection of anomalies comprising:
one or more computers, each computer including a processor and memory, wherein the memory includes instructions that are executed by the processor for:
receiving a plurality of heterogeneous data streams, wherein the heterogeneous data streams are received from at least two of a group consisting of agents located at databases, agents located at applications, audit programs located at user workstations, and sensors located in, or at access points to, a network;
correlating the heterogeneous data streams, wherein the correlation identifies corresponding events in different ones of the heterogeneous data streams;
identifying patterns of events across the correlated heterogeneous data streams;
building a model of normalcy from the identified pattern of events, wherein the model of normalcy is stored in an analysis database;
creating rules that determine how and whether anomalies are detected, how a detected anomaly is treated and characterized, and what reaction to employ upon detection of the anomaly;
receiving a plurality of additional heterogeneous data streams from the at least two of a group consisting of the agents, audit programs, and sensors;
applying, using an analysis engine, the model of normalcy and rules to the additional heterogeneous data streams and analyzing data from the additional heterogeneous data streams against the model of normalcy and rules;
detecting an anomaly in real-time by determining whether an anomalous event is present, by the application of the rules and whether events, in relation to other events within the additional heterogeneous data streams, fit or do not fit the model of normalcy;
determining at least one characteristic of the detected anomaly; and
issuing an alert upon detection of the anomaly, wherein a type of alert is determined based on the at least one determined characteristic of the detected anomaly.
View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
Specification