User Classification by Local to Global Sequence Alignment Techniques for Anomaly-Based Intrusion Detection
First Claim
1. A method for implementation by one or more data processors forming part of at least one computing system, the method comprising:
- monitoring a sequence of events by a single user with at least one computing system, each event characterizing user interaction with the at least one computing system, the sequence of events forming a plurality of pairwise disjoint log samples;
- determining, using an adjacency graph trained using a plurality of log samples generated by a plurality of users, whether any of the log samples is anomalous; and
- providing data characterizing the log samples determined to be anomalous.
Abstract
A sequence of events by a single user with at least one computing system is monitored. Each event characterizes user interaction with the at least one computing system, and the sequence of events forms a plurality of pairwise disjoint log samples. Thereafter, it is determined, using an adjacency graph trained using a plurality of log samples generated by a plurality of users, whether any of the log samples is anomalous. Data can be provided that characterizes the log samples determined to be anomalous. Related apparatus, systems, techniques and articles are also described.
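The following is an added example, not code from the patent or its assignee, showing one concrete reading of the claimed pipeline: an adjacency graph of event-type transitions is trained on log samples from several users, a single user's event stream is cut into pairwise disjoint (non-overlapping) samples, and each sample is scored against the graph. The event names, the training data and the scoring rule (fraction of transitions the graph has never seen) are assumptions made for illustration; the patent's alignment-based scoring is not detailed on this page.

```python
from collections import defaultdict
from typing import Dict, List, Sequence, Tuple

# Constructed training data: one log sample per list, produced by several users.
TRAINING_SAMPLES: List[List[str]] = [
    ["login", "open_report", "export", "logout"],                          # alice
    ["login", "open_report", "export", "logout"],                          # alice
    ["login", "open_report", "edit", "save", "logout"],                    # bob
    ["login", "open_dashboard", "open_report", "logout"],                  # carol
    ["login", "open_dashboard", "open_report", "edit", "save", "logout"],  # carol
]

# Constructed event stream of a single user to be checked (hypothetical names).
USER_EVENTS: List[str] = [
    "login", "open_report", "export", "logout",
    "login", "open_report", "bulk_export", "change_permissions",
    "login", "open_dashboard", "open_report", "logout",
]


def split_into_samples(events: Sequence[str], size: int) -> List[List[str]]:
    """Cut an event sequence into non-overlapping (pairwise disjoint) samples."""
    if size <= 0:
        raise ValueError("sample size must be positive")
    return [list(events[i:i + size]) for i in range(0, len(events), size)]


class AdjacencyGraph:
    """Directed graph of event types; edge weight = observed transition count."""

    def __init__(self) -> None:
        self.edges: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
        self.out_totals: Dict[str, int] = defaultdict(int)

    def train(self, samples: Sequence[Sequence[str]]) -> None:
        # Count every consecutive pair within each sample; samples are not joined,
        # so no artificial transition is learned across sample boundaries.
        for sample in samples:
            for src, dst in zip(sample, sample[1:]):
                self.edges[src][dst] += 1
                self.out_totals[src] += 1

    def transition_prob(self, src: str, dst: str) -> float:
        """Empirical P(dst | src); 0.0 if src was never seen or the edge is absent."""
        total = self.out_totals.get(src, 0)
        if total == 0:
            return 0.0
        return self.edges[src][dst] / total

    def score_sample(self, sample: Sequence[str]) -> float:
        """Anomaly score: fraction of the sample's transitions absent from the graph."""
        pairs = list(zip(sample, sample[1:]))
        if not pairs:
            return 0.0
        unseen = sum(1 for src, dst in pairs if self.transition_prob(src, dst) == 0.0)
        return unseen / len(pairs)


def build_graph(samples: Sequence[Sequence[str]]) -> AdjacencyGraph:
    graph = AdjacencyGraph()
    graph.train(samples)
    return graph


def detect_anomalous_samples(
    graph: AdjacencyGraph, events: Sequence[str], sample_size: int, threshold: float
) -> List[Tuple[int, List[str], float]]:
    """Return (index, sample, score) for every sample whose score exceeds threshold."""
    flagged = []
    for idx, sample in enumerate(split_into_samples(events, sample_size)):
        score = graph.score_sample(sample)
        if score > threshold:
            flagged.append((idx, sample, score))
    return flagged


if __name__ == "__main__":
    g = build_graph(TRAINING_SAMPLES)
    for idx, sample, score in detect_anomalous_samples(g, USER_EVENTS, 4, 0.5):
        print(f"sample {idx} anomalous (score={score:.2f}): {sample}")
```

Only the second sample is flagged: its transitions `open_report -> bulk_export` and `bulk_export -> change_permissions` never occur in the training population, while the first and third samples follow paths the graph has seen. A deployment would tune the threshold per event vocabulary and would normally replace the unseen-transition ratio with a likelihood or alignment score, but the structure (population-trained graph, per-user disjoint samples, per-sample verdict) is the same.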
20 Claims
1. A method for implementation by one or more data processors forming part of at least one computing system, the method comprising:
- monitoring a sequence of events by a single user with at least one computing system, each event characterizing user interaction with the at least one computing system, the sequence of events forming a plurality of pairwise disjoint log samples;
- determining, using an adjacency graph trained using a plurality of log samples generated by a plurality of users, whether any of the log samples is anomalous; and
- providing data characterizing the log samples determined to be anomalous.
Dependent claims: 2 to 16.
17. A system comprising:
- at least one data processor; and
- memory storing instructions which, when executed by the at least one data processor, result in operations comprising:
  - monitoring a sequence of events by a single user with at least one computing system, each event characterizing user interaction with the at least one computing system, the sequence of events forming a plurality of pairwise disjoint log samples;
  - determining, using an adjacency graph trained using a plurality of log samples generated by a plurality of users, whether any of the log samples is anomalous; and
  - providing data characterizing the log samples determined to be anomalous.
Dependent claims: 18 and 19.
20. A non-transitory computer program product storing instructions which, when executed by at least one data processor forming part of at least one computing system, result in operations comprising:
- monitoring a sequence of events by a single user with at least one computing system, each event characterizing user interaction with the at least one computing system, the sequence of events forming a plurality of pairwise disjoint log samples;
- determining, using an adjacency graph trained using a plurality of log samples generated by a plurality of users, whether any of the log samples is anomalous; and
- providing data characterizing the log samples determined to be anomalous.