Automated anomaly detection
Abstract
A method of anomaly detection applicable to telecommunications or retail fraud or software vulnerabilities uses inductive logic programming to develop anomaly characterisation rules from relevant background knowledge and a training data set, which includes positive anomaly samples of data covered by rules. Data samples include 1 or 0 indicating association or otherwise with anomalies. An anomaly is detected by a rule having a condition set which the anomaly fulfils. Rules are developed by addition of conditions and unification of variables, and are filtered to remove duplicates, equivalents, symmetric rules and unnecessary conditions. Overfitting of noisy data is avoided by an encoding cost criterion. Termination of rule construction involves criteria of rule length, absence of negative examples, rule significance and accuracy, and absence of recent refinement. Iteration of rule construction involves selecting rules with unterminated construction, selecting rule refinements associated with high accuracies, and iterating a rule refinement, filtering and evaluation procedure to identify any refined rule usable to test data. Rule development may use first order logic or higher order logic.
15 Claims
1. An automated method of detection of software vulnerabilities by applying a rule set to test for vulnerabilities in computer software, the rule set comprising at least one vulnerability characterisation rule, the method incorporating the steps of:
a) providing a training data set of computer software incorporating positive and negative vulnerability examples and expressed as programs flagged to indicate either presence or absence of vulnerability, the programs comprising instructions each incorporating an identifier to indicate its associated program, the instruction's address, an instruction operator and a list of instruction operands,
b) defining a rule generalisation, the rule generalisation being processable to transform it into the at least one vulnerability characterisation rule, and
c) using computer apparatus to execute the steps of:
i) receiving the training data set and the rule generalisation,
ii) processing the rule generalisation to transform it into a more specific rule generalisation by employing logic of at least First-Order and adding to the rule generalisation at least one of a condition, a variable, a constant, a unification of variables and a function based on the training data set and background knowledge relating to attributes of the training data set and consisting of at least one of concepts, facts of interest and functions for calculating values of interest from items of data,
iii) evaluating the more specific rule generalisation by applying it to the training data set to identify vulnerabilities, and
iv) incorporating the more specific rule generalisation in the rule set if it classifies vulnerabilities in the training data set adequately in terms of covering at least some of the positive vulnerability examples,
v) applying the rule set to a test program for vulnerability detection therein, and
vi) providing an alert or a report to a user regarding vulnerability detection in the test program resulting from operation of the method in order to enable corrective action to be taken.
Dependent claims: 2, 3, 4, 5.
6. A system for computer-implemented detection of software vulnerabilities by applying a rule set to test for vulnerabilities in computer software, the rule set comprising at least one vulnerability characterisation rule, the system incorporating computer apparatus incorporating a computer program stored in a hardware recording medium and being programmed by such computer program to carry out the steps of:
a) receiving a training data set of computer software incorporating positive and negative vulnerability examples and expressed as programs flagged to indicate either presence or absence of vulnerability, the programs comprising instructions each incorporating an identifier to indicate its associated program, the instruction's address, an instruction operator and a list of instruction operands,
b) receiving a rule generalisation which is processable to transform it into the at least one vulnerability characterisation rule, and
c) processing the rule generalisation to transform it into a more specific rule generalisation by employing logic of at least First-Order and adding to the rule generalisation at least one of a condition, a variable, a constant, a unification of variables and a function based on the training data set and background knowledge relating to attributes of the training data set and consisting of at least one of concepts, facts of interest and functions for calculating values of interest from items of data,
d) evaluating the more specific rule generalisation by applying it to the training data set to identify vulnerabilities, and
e) incorporating the more specific rule generalisation in the rule set if it classifies vulnerabilities in the training data set adequately in terms of covering at least some of the positive vulnerability examples,
f) applying the rule set to a test program for vulnerability detection therein, and
g) providing an alert or a report to a user regarding vulnerability detection in the test program resulting from operation of the method in order to enable corrective action to be taken.
Dependent claims: 7, 8, 9, 10.
11. A computer readable hardware medium which embodies computer readable instructions for controlling operation of computer apparatus to implement detection of software vulnerabilities by applying a rule set to test for vulnerabilities in computer software, the rule set comprising at least one vulnerability characterisation rule, wherein the instructions provide for control of the computer apparatus to carry out the steps of:
a) receiving a training data set of computer software incorporating positive and negative vulnerability examples and expressed as programs flagged to indicate either presence or absence of vulnerability, the programs comprising instructions each incorporating an identifier to indicate its associated program, the instruction's address, an instruction operator and a list of instruction operands,
b) receiving a rule generalisation which is processable to transform it into the at least one vulnerability characterisation rule, and
c) processing the rule generalisation to transform it into a more specific rule generalisation by employing logic of at least First-Order and adding to the rule generalisation at least one of a condition, a variable, a constant, a unification of variables and a function based on the training data set and background knowledge relating to attributes of the training data set and consisting of at least one of concepts, facts of interest and functions for calculating values of interest from items of data,
d) evaluating the more specific rule generalisation by applying it to the training data set to identify vulnerabilities, and
e) incorporating the more specific rule generalisation in the rule set if it classifies vulnerabilities in the training data set adequately in terms of covering at least some of the positive vulnerability examples,
f) applying the rule set to a test program for vulnerability detection therein, and
g) providing an alert or a report to a user regarding vulnerability detection in the test program resulting from operation of the method in order to enable corrective action to be taken.
Dependent claims: 12, 13, 14, 15.
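As an added illustration, not code from the patent or its specification, the following Python sketch walks through the procedure the abstract and claim 1 describe: a training set of labelled programs whose instructions are (program id, address, operator, operands) tuples, background knowledge derived from them (including a computed concept, "unchecked"), and a top-down refinement loop that specialises an empty rule generalisation by adding conditions and unifying variables, scores each refinement on the training set, stops when no negative example is covered, keeps the rule only if it covers a positive example, and finally applies the rule set to a test program. The programs, operator names, the "unchecked" concept, the candidate menu and the use of Laplace accuracy as the adequacy score are all my constructed assumptions.

```python
# Constructed toy training set (not from the patent); instructions are (program id, address, operator, operands).
PROGRAMS = {  # label 1 = flagged as vulnerable, 0 = not
    "p1": [("p1", 0, "read", ("b",)), ("p1", 1, "copy", ("b",))],
    "p2": [("p2", 0, "read", ("b",)), ("p2", 1, "check", ("b",)), ("p2", 2, "copy", ("b",))],
    "p3": [("p3", 0, "read", ("s",)), ("p3", 1, "copy", ("s",))],
    "p4": [("p4", 0, "read", ("s",)), ("p4", 1, "check", ("s",)), ("p4", 2, "log", ("s",))],
    "p5": [("p5", 0, "log", ("z",))],
    "p6": [("p6", 0, "read", ("b",)), ("p6", 1, "check", ("b",)), ("p6", 2, "copy", ("b",)), ("p6", 3, "log", ("z",))],
}
LABELS = {"p1": 1, "p2": 0, "p3": 1, "p4": 0, "p5": 0, "p6": 0}

def facts(prog):
    # Background knowledge: instr/3, arg/3 and the computed concept unchecked/2 (operand never 'check'ed).
    pid = prog[0][0]
    fs = {("instr", pid, a, op) for (_, a, op, _) in prog}
    fs |= {("arg", pid, a, v) for (_, a, _, ops) in prog for v in ops}
    checked = {v for (_, _, op, ops) in prog if op == "check" for v in ops}
    return fs | {("unchecked", pid, v) for (_, _, _, ops) in prog for v in ops if v not in checked}
def extend(binding, lit, fs):
    # Unify one literal with the facts (upper-case terms are variables); return each consistent binding.
    out = []
    for f in (f for f in fs if f[0] == lit[0]):
        b = dict(binding)
        if all((b.setdefault(t, v) == v) if t[:1].isupper() else t == v for t, v in zip(lit[1:], f[1:])):
            out.append(b)
    return out
def covers(rule, prog):  # a rule (conjunction of literals) covers a program if some binding satisfies all
    fs, binds = facts(prog), [{"P": prog[0][0]}]
    for lit in rule:
        binds = [b2 for b in binds for b2 in extend(b, lit, fs)]
    return bool(binds)

CANDIDATES = [("instr", "P", "A", "copy"), ("instr", "P", "A", "read"), ("instr", "P", "A", "check"),
              ("arg", "P", "A", "V"), ("unchecked", "P", "V")]  # refinement menu; A and V are shared (unified)
def split(rule):  # positive and negative training examples covered by the rule
    cov = [p for p in PROGRAMS if covers(rule, PROGRAMS[p])]
    return [p for p in cov if LABELS[p]], [p for p in cov if not LABELS[p]]
def laplace(rule):  # Laplace-corrected training accuracy, used to rank refinements
    pos, neg = split(rule)
    return (len(pos) + 1) / (len(pos) + len(neg) + 2)
def learn_rule(max_len=4):
    # Add the best-scoring candidate until no negative example is covered or max_len is reached;
    # keep the rule only if it covers at least one positive example (claim 1, step iv).
    rule = []
    while len(rule) < max_len and split(rule)[1]:
        rule.append(max((c for c in CANDIDATES if c not in rule), key=lambda c: laplace(rule + [c])))
    return rule if split(rule)[0] else None
def report(rule_set, prog):  # apply the rule set to a test program; the matching rules are the alert
    return [r for r in rule_set if covers(r, prog)]
```

On this data the learner ends with the rule instr(P,A,copy) ∧ unchecked(P,V) ∧ arg(P,A,V), i.e. a program is flagged when some copy instruction's operand is never checked; the candidate order matters only for tie-breaking.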