Method and apparatus for training a neural network model for use in computer network intrusion detection
Abstract
Detecting harmful or illegal intrusions into a computer network, or into restricted portions of a computer network, uses a process of synthesizing anomalous data to train a neural-network-based model for a computer network intrusion detection system. Anomalous data is synthesized to artificially create a set of features reflecting anomalous behavior for a particular activity, in conjunction with the creation of normal-behavior feature values. A distribution of users over normal feature values and an expected distribution of users over anomalous feature values are then defined in the form of histograms. The anomalous-feature histogram is sampled to produce anomalous-behavior feature values, which are then used to train a model with a neural network training algorithm, the model being used in the computer network intrusion detection system. The model is trained such that it can efficiently recognize anomalous behavior by users in a dynamic computing environment where user behavior can change frequently.
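By way of illustration only, the histogram-sampling synthesis described in the abstract could be sketched as follows. The bin values, probabilities, and feature meaning are hypothetical assumptions for the sketch, not values taken from the patent:

```python
import random

# Hypothetical normal-behavior histogram for one feature
# (e.g. "restricted files accessed per day"): bin value -> fraction of users.
normal_hist = {0: 0.50, 1: 0.30, 2: 0.15, 3: 0.05}

# Expected anomalous-behavior histogram, defined by an analyst; anomalous
# users are assumed to fall in the higher-valued bins.
anomalous_hist = {3: 0.10, 4: 0.30, 5: 0.40, 6: 0.20}

def sample_from_histogram(hist, n, rng=random):
    """Sample n feature values from a bin -> probability histogram."""
    bins = list(hist)
    weights = [hist[b] for b in bins]
    return rng.choices(bins, weights=weights, k=n)

# Produce synthetic anomalous-behavior feature values for training.
synthetic_anomalies = sample_from_histogram(anomalous_hist, 1000)
```

Sampling the expected anomalous histogram, rather than waiting for real intrusions, is what lets the training set contain anomalous examples at all.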
33 Claims · 324 Citations
1. A method of training a model for use in a computer network intrusion detection system, the method comprising:
deriving a plurality of anomalous feature values;
retrieving a plurality of normal feature values;
determining a ratio of anomalous feature values and normal feature values; and
inputting a particular amount of anomalous feature values and a particular amount of normal feature values according to the ratio to the model whereby the model utilizes the particular amount of anomalous feature values and the particular amount of normal feature values to derive a score for a user activity. (Dependent claims: 2–16.)
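The ratio-governed mixing recited in claim 1 could be sketched as follows. The pool contents, ratio, and batch size are illustrative assumptions; the patent does not specify them:

```python
import random

def build_training_batch(normal_values, anomalous_values,
                         anomaly_ratio, batch_size, rng=random):
    """Mix normal and anomalous feature values according to a ratio.

    anomaly_ratio is the fraction of the batch drawn from the anomalous
    pool; the remainder comes from the normal pool.  Each value is paired
    with a label (1 = anomalous, 0 = normal) for supervised training.
    """
    n_anom = round(batch_size * anomaly_ratio)
    n_norm = batch_size - n_anom
    batch = ([(v, 1) for v in rng.choices(anomalous_values, k=n_anom)] +
             [(v, 0) for v in rng.choices(normal_values, k=n_norm)])
    rng.shuffle(batch)  # interleave before presenting values to the model
    return batch

batch = build_training_batch(normal_values=[0, 1, 2],
                             anomalous_values=[8, 9],
                             anomaly_ratio=0.2, batch_size=10)
```

Fixing the ratio lets the trainer control how strongly the model is exposed to (synthetic) anomalies relative to normal behavior.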
6. A computer network intrusion detection system comprising:
a user activity file including a plurality of records relating to user activities;
a historical data file including user historical data and peer historical data;
a feature generator that accepts as input the user historical data and the peer historical data and generates a features list; and
a model trained to process the features list and output a score.
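One plausible reading of the feature generator of claims 6–11, sketched here with hypothetical activity names: each activity count is normalized against the user's own historical mean/standard deviation and against the peer group's, yielding a features list ordered by activity. The z-score form is an assumption consistent with, but not dictated by, the means and standard deviations recited in the claims:

```python
def generate_features(activity_counts, user_stats, peer_stats):
    """activity_counts: {activity: observed count}
    user_stats / peer_stats: {activity: (historical mean, historical std)}
    Returns a features list of (activity, user_z, peer_z) tuples."""
    features = []
    for activity, count in sorted(activity_counts.items()):
        u_mean, u_std = user_stats[activity]
        p_mean, p_std = peer_stats[activity]
        user_z = (count - u_mean) / u_std if u_std else 0.0
        peer_z = (count - p_mean) / p_std if p_std else 0.0
        features.append((activity, user_z, peer_z))
    return features

feats = generate_features(
    {"login": 12, "file_read": 300},
    user_stats={"login": (10, 2), "file_read": (250, 50)},
    peer_stats={"login": (8, 4), "file_read": (200, 100)})
```

Comparing against both the user's own history and the peer group's history lets the system flag behavior that is unusual for the individual even when it is common for the group, and vice versa.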
7. A computer network intrusion detection system as recited in claim 6 further comprising:
a plurality of raw data logs parsed based on user and time of activity.
8. A computer network intrusion detection system as recited in claim 6 wherein the user historical data further includes a plurality of user historical means and a plurality of user historical standard deviations.
9. A computer network intrusion detection system as recited in claim 8 wherein the feature generator accepts as input the plurality of user historical means and the plurality of user historical standard deviations.
10. A computer network intrusion detection system as recited in claim 6 wherein the peer historical data further includes a plurality of peer historical means and a plurality of peer historical standard deviations.
11. A computer network intrusion detection system as recited in claim 10 wherein the feature generator accepts as input the plurality of peer historical means and the plurality of peer historical standard deviations.
12. A computer network intrusion detection system as recited in claim 6 wherein the features list is organized by user and by activity.
13. A computer network intrusion detection system as recited in claim 6 further comprising a set of features reflecting anomalous behavior.
14. A computer network intrusion detection system as recited in claim 6 further comprising an anomalous feature data store for storing a plurality of sets of anomalous feature values.
15. A computer network intrusion detection system as recited in claim 6 further comprising:
a data selector for selecting one of normal feature data and anomalous feature data; and
a neural network training component accepting as input the normal feature data or the anomalous feature data as determined by the data selector, wherein the data selector operates based on a predetermined ratio.
16. A computer network intrusion detection system as recited in claim 15 wherein the neural network training component utilizes a back-propagation algorithm.
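The data selector of claim 15 feeding a back-propagation-trained component (claim 16) could be sketched as below. As a deliberate simplification, a single sigmoid unit stands in for the neural network; its gradient update is the degenerate one-layer case of back-propagation. All pools, the ratio, learning rate, and step count are assumptions for the sketch:

```python
import math, random

class DataSelector:
    """Select normal or anomalous training data per a predetermined ratio."""
    def __init__(self, ratio_anomalous, rng=random):
        self.ratio = ratio_anomalous
        self.rng = rng

    def pick(self, normal_pool, anomalous_pool):
        if self.rng.random() < self.ratio:
            return self.rng.choice(anomalous_pool), 1.0  # label: anomalous
        return self.rng.choice(normal_pool), 0.0         # label: normal

def train(normal_pool, anomalous_pool, ratio=0.3, steps=5000, lr=0.1):
    """Train a one-unit sigmoid scorer with gradient-descent updates."""
    sel = DataSelector(ratio)
    w, b = 0.0, 0.0
    for _ in range(steps):
        x, y = sel.pick(normal_pool, anomalous_pool)
        p = 1.0 / (1.0 + math.exp(-(w * x + b)))  # score in [0, 1]
        w -= lr * (p - y) * x                     # gradient step on weight
        b -= lr * (p - y)                         # gradient step on bias
    return w, b

w, b = train(normal_pool=[0.0, 1.0, 2.0], anomalous_pool=[8.0, 9.0, 10.0])
score = lambda x: 1.0 / (1.0 + math.exp(-(w * x + b)))
```

After training, feature values resembling the anomalous pool should score near 1 and normal-looking values near 0, which is the score the claims recite for a user activity.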
17. A computer-readable medium containing programmed instructions arranged to train a model for use in a computer network intrusion detection system by synthesizing anomalous data for creating an artificial set of features reflecting anomalous behavior for a particular activity, the computer-readable medium including programmed instructions for:
selecting a feature;
retrieving a plurality of normal-feature values associated with the feature;
defining a first distribution of users of normal feature values;
defining an expected second distribution of users of anomalous feature values;
producing a plurality of anomalous-behavior feature values for the feature;
determining a ratio of anomalous feature values and normal feature values; and
inputting a particular amount of anomalous feature values and a particular amount of normal feature values according to the ratio to the model, whereby the model utilizes the particular amount of anomalous feature values and the particular amount of normal feature values to derive a score for a user activity.
18. A method of training a model for use in a computer network intrusion detection system by synthesizing anomalous data for creating an artificial set of features reflecting anomalous behavior for a particular activity, the method comprising:
selecting a feature;
retrieving a plurality of normal-feature values associated with the feature;
defining a first distribution of users of normal feature values;
defining an expected second distribution of users of anomalous feature values;
producing a plurality of anomalous-behavior feature values for the feature;
determining a ratio of anomalous feature values and normal feature values; and
inputting a particular amount of anomalous feature values and a particular amount of normal feature values according to the ratio to the model, whereby the model utilizes the particular amount of anomalous feature values and the particular amount of normal feature values to derive a score for a user activity. (Dependent claims: 19–32.)
33. A computer-readable medium containing programmed instructions arranged to train a model for use in a computer network intrusion detection system, the computer-readable medium including programmed instructions for:
deriving a plurality of anomalous feature values;
retrieving a plurality of normal feature values;
determining a ratio of anomalous feature values and normal feature values; and
inputting a particular amount of anomalous feature values and a particular amount of normal feature values according to the ratio to the model whereby the model utilizes the particular amount of anomalous feature values and the particular amount of normal feature values to derive a score for a user activity.
Specification