Multi-platform sequence-based anomaly detection wrapper
First Claim
1. A method for detecting anomalies in a stream of events, the method comprising:
(a) deploying a detection module upon an invocation of an application on a computer system;
(b) abstracting a stream of events into a generic event format; and
(c) synchronously determining, using said detection module, whether said stream of generic events includes an anomalous sequence of events;
wherein (a) comprises activating a system call wrapper in kernel space and associating said system call wrapper with said application.
Abstract
A real-time sequence-based anomaly detection system is disclosed. In a preferred embodiment, the intrusion detection system is incorporated as part of a software wrapper. Event abstraction in the software wrapper enables the intrusion detection system to apply generically across various computing platforms. Real-time anomaly detection is enabled through the definition of a distance matrix that defines allowable separation distances between pairs of system calls. The distance matrix indirectly specifies known sequences of system calls and can be used to determine whether a sequence of system calls in an event window represents an anomaly. Anomalies that are detected are further analyzed through Levenshtein distance calculations that also rely on the contents of the distance matrix.
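As an added illustration (not code from the patent), the following Python sketch walks through the pipeline the abstract describes: raw system calls are abstracted into a generic event format, a distance matrix of allowable separations between pairs of generic events is learned from known-normal traces, each event window is checked against that matrix, and flagged windows are scored by Levenshtein distance. The system-call names, the generic mapping and the training traces are constructed for the example; scoring against the nearest window-sized slice of a normal trace is a simplification, since the abstract does not detail how the Levenshtein step consumes the matrix.

```python
# Constructed mapping of platform-specific system calls to one generic event format
GENERIC = {"openat": "OPEN", "NtCreateFile": "OPEN", "read": "READ", "NtReadFile": "READ",
           "write": "WRITE", "NtWriteFile": "WRITE", "close": "CLOSE", "NtClose": "CLOSE",
           "execve": "EXEC", "NtCreateUserProcess": "EXEC"}
# Constructed known-normal traces (Linux names) and two streams to classify (Windows names)
NORMAL = [["openat", "read", "write", "close"], ["openat", "read", "read", "write", "close"]]
BENIGN = ["NtCreateFile", "NtReadFile", "NtWriteFile", "NtClose"]
SUSPECT = ["NtCreateFile", "NtReadFile", "NtCreateUserProcess", "NtClose"]

def abstract(raw_events):
    """Event abstraction: translate raw system-call names into generic events."""
    return [GENERIC.get(e, "OTHER") for e in raw_events]

def build_matrix(normal_traces, window):
    """Distance matrix: for each generic pair (a, b), the set of separations d
    (1 <= d < window) at which b followed a somewhere in the known-normal traces."""
    allowed = {}
    for trace in normal_traces:
        seq = abstract(trace)
        for i, a in enumerate(seq):
            for d in range(1, min(window, len(seq) - i)):
                allowed.setdefault((a, seq[i + d]), set()).add(d)
    return allowed

def levenshtein(a, b):
    """Edit distance between two event sequences (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (x != y)))
        prev = cur
    return prev[-1]

def detect(matrix, normal_traces, raw_stream, window):
    """Check each event window in arrival order; a window is anomalous when some pair in it
    sits at a separation the matrix does not allow. Returns (window start, first offending
    (a, b, d), score), the score being the edit distance to the nearest normal slice."""
    known, seq, anomalies = [abstract(t) for t in normal_traces], abstract(raw_stream), []
    for start in range(len(seq) - window + 1):
        win = seq[start:start + window]
        bad = [(win[i], win[j], j - i) for i in range(window) for j in range(i + 1, window)
               if (j - i) not in matrix.get((win[i], win[j]), ())]
        if bad:
            score = min(levenshtein(win, k[s:s + window])
                        for k in known for s in range(len(k) - window + 1))
            anomalies.append((start, bad[0], score))
    return anomalies
```

With a window of 3, the benign stream produces no anomalies, while the stream containing the process-creation call is flagged twice with an edit distance of 1 from the closest normal slice.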
12 Claims
1. A method for detecting anomalies in a stream of events, the method comprising:
(a) deploying a detection module upon an invocation of an application on a computer system;
(b) abstracting a stream of events into a generic event format; and
(c) synchronously determining, using said detection module, whether said stream of generic events includes an anomalous sequence of events;
wherein (a) comprises activating a system call wrapper in kernel space and associating said system call wrapper with said application.
7. A system for detecting anomalies in a stream of events in a computer system, comprising:
an event abstraction module that translates a stream of events into a generic event language format;
a detection module that synchronously determines whether said stream of generic events includes an anomalous sequence of events; and
a management module that dynamically deploys a detection module upon an invocation of an application on a computer system;
wherein said management module is operative to activate a system call wrapper in kernel space and associate said system call wrapper with said application.