Method and apparatus for training a neural network model for use in computer network intrusion detection

US 6,769,066 B1
Filed: 10/25/1999
Issued: 07/27/2004
Est. Priority Date: 10/25/1999
Status: Expired due to Term

First Claim

Patent Images

1. A method of training a model for use in a computer network intrusion detection system, the method comprising:

deriving a plurality of anomalous feature values;

retrieving a plurality of normal feature values;

determining a ratio of anomalous feature values and normal feature values; and

inputting a particular amount of anomalous feature values and a particular amount of normal feature values according to the ratio to the model whereby the model utilizes the particular amount of anomalous feature values and the particular amount of normal feature values to derive a score for a user activity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Detecting harmful or illegal intrusions into a computer network or into restricted portions of a computer network uses a process of synthesizing anomalous data to be used in training a neural network-based model for use in a computer network intrusion detection system. Anomalous data for artificially creating a set of features reflecting anomalous behavior for a particular activity is performed. This is done in conjunction with the creation of normal-behavior feature values. A distribution of users of normal feature values and an expected distribution of users of anomalous feature values are then defined in the form of histograms. The anomalous-feature histogram is then sampled to produce anomalous-behavior feature values. These values are then used to train a model having a neural network training algorithm where the model is used in the computer network intrusion detection system. The model is trained such that it can efficiently recognize anomalous behavior by users in a dynamic computing environment where user behavior can change frequently.

324 Citations

33 Claims

1. A method of training a model for use in a computer network intrusion detection system, the method comprising:
- deriving a plurality of anomalous feature values;
  
  retrieving a plurality of normal feature values;
  
  determining a ratio of anomalous feature values and normal feature values; and
  
  inputting a particular amount of anomalous feature values and a particular amount of normal feature values according to the ratio to the model whereby the model utilizes the particular amount of anomalous feature values and the particular amount of normal feature values to derive a score for a user activity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. A method as recited in claim 1 wherein the model is trained using a neural network algorithm.
  - 3. A method as recited in claim 1 further comprising deriving a probability factor for use in determining the ratio of anomalous feature values and normal feature values.
  - 4. A method as recited in claim 1 further comprising selecting randomly an anomalous feature data list from the plurality of anomalous feature values and selecting randomly a normal feature data list from the plurality of normal feature values.
  - 5. A method as recited in claim 1 further comprising assigning a desired score to a selected feature data list as input to the model.
  - 6. A computer network intrusion detection system adapted to perform the method set forth in claim 1, comprising:
7. A computer network intrusion detection system as recited in claim 6 further comprising:
- a plurality of raw data logs parsed based on user and time of activity.
8. A computer network intrusion detection system as recited in claim 6 wherein the user historical data further includes a plurality of user historical means and a plurality of user historical standard deviations.
9. A computer network intrusion detection system as recited in claim 8 wherein the feature generator accepts as input the plurality of user historical means and a plurality of user historical standard deviations.
10. A computer network intrusion detection system as recited in claim 6 wherein the peer historical data further includes a plurality of peer historical means and a plurality of peer historical standard deviations.
11. A computer network intrusion detection system as recited in claim 10 wherein the feature generator accepts as input the plurality of peer historical means and a plurality of peer historical standard deviations.
12. A computer network intrusion detection system as recited in claim 6 wherein the features list is organized by user and by activity.
13. A computer network intrusion detection system as recited in claim 6 further comprising a set of features reflecting anomalous behavior.
14. A computer network intrusion detection system as recited in claim 6 further comprising an anomalous feature data store for storing a plurality of sets of anomalous feature values.
15. A computer network intrusion detection system as recited in claim 6 further comprising:
- a data selector for selecting one of either normal feature data and anomalous feature data;
  
  a neural network training component accepting as input one of either normal feature data and anomalous feature data as determined by the data selector wherein the data selector operates based on a predetermined ratio.
16. A computer network intrusion detection system as recited in claim 15 wherein the neural network training component utilizes a back-propagation algorithm.

17. A computer-readable medium containing programmed instructions arranged to train a model for use in a computer network intrusion detection system by synthesizing anomalous data for creating an artificial set of features reflecting anomalous behavior for a particular activity, the computer-readable medium including programmed instructions for:
- selecting a feature;
  
  retrieving a plurality of normal-feature values associated with the feature;
  
  defining a first distribution of users of normal feature values;
  
  defining an expected second distribution of users of anomalous feature values;
  
  producing a plurality of anomalous-behavior feature values for the feature;
  
  determining a ratio of anomalous feature values and normal feature values; and
  
  inputting a particular amount of anomalous feature values and a particular amount of normal feature values according to the ratio to the model, whereby the model utilizes the particular amount of anomalous feature values and the particular amount of normal feature values to derive a score for a user activity.

18. A method of training a model for use in a computer network intrusion detection system by synthesizing anomalous data for creating an artificial set of features reflecting anomalous behavior for a particular activity, the method comprising:
- selecting a feature;
  
  retrieving a plurality of normal-feature values associated with the feature;
  
  defining a first distribution of users of normal feature values;
  
  defining an expected second distribution of users of anomalous feature values;
  
  producing a plurality of anomalous-behavior feature values for the feature;
  
  determining a ratio of anomalous feature values and normal feature values; and
  
  inputting a particular amount of anomalous feature values and a particular amount of normal feature values according to the ratio to the model, whereby the model utilizes the particular amount of anomalous feature values and the particular amount of normal feature values to derive a score for a user activity.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 19. A method as recited in claim 18 wherein the feature is selected from a list of features.
  - 20. A method as recited in claim 18 wherein the plurality of normal feature values reflects predominantly normal behavior.
  - 21. A method as recited in claim 18 wherein the plurality of normal feature values is computed over a predetermined time period.
  - 22. A method as recited in claim 18 wherein the plurality of normal feature values corresponds to a plurality of users on a computer system.
  - 23. A method as recited in claim 18 wherein defining a first distribution of users further comprises defining a normal-behavior histogram indicating the first distribution of users.
  - 24. A method as recited in claim 23 wherein the normal feature values are normalized to define the normal-behavior histogram.
  - 25. A method as recited in claim 18 wherein defining an expected second distribution of users of anomalous feature values further includes determining whether the activity corresponding to the anomalous feature values would be performed one of less frequently and more frequently.
  - 26. A method as recited in claim 18 wherein defining an expected second distribution of users further comprises defining an anomalous-behavior histogram indicating an expected second distribution of users.
  - 27. A method as recited in claim 26 wherein producing a plurality of anomalous feature values further including sampling the anomalous-behavior histogram.
  - 28. A method as recited in claim 18 further including storing the plurality of anomalous-behavior feature values.
  - 29. A method as recited in claim 19 further comprising producing a plurality of anomalous-behavior feature values for each feature in the list of features thereby creating a set of plurality of anomalous-behavior feature values.
  - 30. A method as recited in claim 23 wherein the normal-behavior histogram has a high distribution of users around the center and a lower distribution of users near the ends.
  - 31. A method as recited in claim 26 wherein the anomalous-behavior histogram has a high distribution of users near one of the ends and a low distribution of users near the center.
  - 32. A method as recited in claim 29 further comprising deriving an anomalous features list from the set of plurality of anomalous-behavior feature values.

33. A computer-readable medium containing programmed instructions arranged to train a model for use in a computer network intrusion detection system, the computer-readable medium including programmed instructions for:
- deriving a plurality of anomalous feature values;
  
  retrieving a plurality of normal feature values;
  
  determining a ratio of anomalous feature values and normal feature values; and
  
  inputting a particular amount of anomalous feature values and a particular amount of normal feature values according to the ratio to the model whereby the model utilizes the particular amount of anomalous feature values and the particular amount of normal feature values to derive a score for a user activity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Visa International Service Association (Visa, Inc.)
Original Assignee
Visa International Service Association (Visa, Inc.)
Inventors
Diep, Thanh A., Botros, Sherif M., Izenson, Martin D.
Primary Examiner(s)
Wright, Norman M.

Application Number

US09/427,147
Time in Patent Office

1,737 Days
Field of Search

713/200, 713/201, 700/29, 700/79, 700/108, 700/110
US Class Current

726/23
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/1416   Event detection, e.g. attac...

Method and apparatus for training a neural network model for use in computer network intrusion detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

324 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for training a neural network model for use in computer network intrusion detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

324 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links