Multi-platform sequence-based anomaly detection wrapper

US 6,735,703 B1
Filed: 05/08/2000
Issued: 05/11/2004
Est. Priority Date: 05/08/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A method for detecting anomalies in a stream of events, the method comprising:

(a) deploying a detection module upon an invocation of an application on a computer system;

(b) abstracting a stream of events into a generic event format; and

(c) synchronously determining, using said detection module, whether said stream of generic events includes an anomalous sequence of events;

wherein (a) comprises activating a system call wrapper in kernel space and associating said system call wrapper with said application.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A real-time sequence-based anomaly detection system is disclosed. In a preferred embodiment, the intrusion detection system is incorporated as part of a software wrapper. Event abstraction in the software wrapper enables the intrusion detection system to apply generically across various computing platforms. Real-time anomaly detection is enabled through the definition of a distance matrix that defines allowable separation distances between pairs of system calls. The distance matrix indirectly specifies known sequences of system calls and can be used to determine whether a sequence of system calls in an event window represents an anomaly. Anomalies that are detected are further analyzed through levenshtein distance calculations that also rely on the contents of the distance matrix.

Citations

12 Claims

1. A method for detecting anomalies in a stream of events, the method comprising:
- (a) deploying a detection module upon an invocation of an application on a computer system;
  
  (b) abstracting a stream of events into a generic event format; and
  
  (c) synchronously determining, using said detection module, whether said stream of generic events includes an anomalous sequence of events;
  
  wherein (a) comprises activating a system call wrapper in kernel space and associating said system call wrapper with said application.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein (b) comprises characterizing a system call interface such that application programming interfaces can be described by multiple platforms using the same attributes.
  - 3. The method of claim 1, further comprising defining a fixed-size distance matrix that specifies known separations between pairs of events.
  - 4. The method of claim 3, wherein said fixed-size distance matrix is implemented as a M×
    - M×
      
      N data structure, wherein M is the number of possible events, and N is the number of events in an event window.
  - 5. The method of claim 3, wherein (c) comprises analyzing a set of N events.
  - 6. The method of claim 5, wherein (c) comprises comparing the separation of a new event with each of the previous N−
    - 1 events with the contents of said fixed-size distance matrix.

7. A system for detecting anomalies in a stream of events in a computer system, comprising:
- an event abstraction module that translates a stream of events into a generic event language format;
  
  a detection module that synchronously determines whether said stream of generic events includes an anomalous sequence of events; and
  
  a management module that dynamically deploys a detection module upon an invocation of an application on a computer system;
  
  wherein said management module is operative to activate a system call wrapper in kernel space and associate said system call wrapper with said application.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein said event abstraction module characterizes a system call interface such that application programming interfaces can be described by multiple platforms using the same attributes.
  - 9. The system of claim 7, further comprising a fixed-size distance matrix that specifies known separations between pairs of events.
  - 10. The system of claim 9, wherein said fixed-size distance matrix is implemented as a M×
    - M×
      
      N data structure, wherein M is the number of possible events, and N is the number of events in an event window.
  - 11. The system of claim 9, wherein said detection module is operative to analyze a set of N events.
  - 12. The system of claim 11, wherein said detection module compares the separation of a new event with each of the previous N−
    - 1 events with the contents of said fixed-size distance matrix.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, Inc. (McAfee, LLC)
Original Assignee
Networks Associates Technology, Inc. (McAfee, LLC)
Inventors
Kilpatrick, Douglas, Badger, Mark Lee, Ko, Calvin
Primary Examiner(s)
JUNG, DAVID YIUK

Application Number

US09/566,378
Time in Patent Office

1,464 Days
Field of Search

713/150-154, 713/162-167, 380/35-37, 213/200-202
US Class Current

726/23
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

H04L 63/1408   by monitoring network traff...

Multi-platform sequence-based anomaly detection wrapper

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-platform sequence-based anomaly detection wrapper

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links