Methods of unsupervised anomaly detection using a geometric framework
Abstract
A method for unsupervised anomaly detection, using algorithms that are designed to process unlabeled data. Data elements are mapped to a feature space, which is typically a vector space. Anomalies are detected by determining which points lie in sparse regions of the feature space. Two feature maps are used for mapping data elements to a feature space. The first is a data-dependent normalization feature map, which we apply to network connections. The second is a spectrum kernel, which we apply to system call traces.
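The spectrum-kernel path that the abstract describes for system call traces, as an added example that is not code from the patent: distances in feature space are computed from kernel values alone, and a trace is flagged when the mean distance to its nearest neighbours is large. The k-mer length, the nearest-neighbour criterion used for "sparse region", the threshold and the sample traces are assumptions constructed for illustration.

```python
# Added example, not from the patent. "Sparse region" is approximated here by
# mean distance to the nearest neighbours; that criterion is an assumption.
from collections import Counter
from math import sqrt

def spectrum(trace, k=2):
    """Count every contiguous length-k subsequence (k-mer) of a trace."""
    return Counter(tuple(trace[i:i + k]) for i in range(len(trace) - k + 1))

def kernel(a, b):
    """Spectrum kernel: inner product of two k-mer count vectors."""
    return sum(n * b[kmer] for kmer, n in a.items())

def distance(a, b):
    """Feature-space distance between unit-normalised images, from kernel values only."""
    kaa, kbb = kernel(a, a), kernel(b, b)
    if kaa == 0 or kbb == 0:  # a trace shorter than k has no k-mers
        return 0.0 if kaa == kbb else sqrt(2.0)
    cos = kernel(a, b) / sqrt(kaa * kbb)
    return sqrt(max(0.0, 2.0 - 2.0 * cos))  # clamp rounding error below zero

def sparse_region_scores(traces, k=2, neighbours=2):
    """Score each trace by the mean distance to its nearest neighbours."""
    feats = [spectrum(t, k) for t in traces]
    scores = []
    for i, a in enumerate(feats):
        d = sorted(distance(a, b) for j, b in enumerate(feats) if j != i)
        scores.append(sum(d[:neighbours]) / neighbours)
    return scores

def detect(traces, threshold=1.0, **kw):
    """Indices of traces that sit in a sparse region (score above threshold)."""
    return [i for i, s in enumerate(sparse_region_scores(traces, **kw)) if s > threshold]

# Constructed system call traces (illustrative, not real captures).
TRACES = [
    "open read read write close".split(),
    "open read write write close".split(),
    "open read read read write close".split(),
    "open read write close".split(),
    "open mmap execve socket connect dup2 dup2 execve".split(),
]

if __name__ == "__main__":
    for i, score in enumerate(sparse_region_scores(TRACES)):
        print(i, round(score, 3), " ".join(TRACES[i]))
    print("anomalous trace indices:", detect(TRACES))
```

The feature vectors are never normalised explicitly; dividing by the two self-kernel values inside `distance` has the same effect, which is what lets the mapping stay implicit.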
58 Claims
1. A method for unsupervised detection of an anomaly in the operation of a computer system comprising the steps of:
(a) receiving a set of unlabeled data instances which do not indicate any anomaly occurrence, the set of unlabeled data instances corresponding to a computer operation and having features;
(b) implicitly mapping the set of unlabeled data instances to a feature space;
(c) calculating one or more sparse regions in the feature space; and
(d) designating one or more data instances from the set of unlabeled data instances as an anomaly if said one or more data instances is located in said one or more sparse regions of the feature space.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23
24. A method for unsupervised detection of an anomaly in the operation of a computer system based on a set of unlabeled data instances corresponding to computer operation and having features, comprising the steps of:
(a) receiving a set of unlabeled data instances which do not indicate any anomaly occurrence;
(b) implicitly mapping the set of unlabeled data instances to a feature space comprising normalizing the set of unlabeled data instances based on respective values of the features;
(c) calculating one or more sparse regions in the feature space; and
(d) designating one or more data instances from the set of unlabeled data instances as an anomaly if said one or more data instances is located in said one or more sparse regions of the feature space.
Dependent claims: 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42
43. A method for unsupervised detection of an anomaly in the operation of a computer system based on a set of unlabeled data instances corresponding to computer operation and having features, comprising the step of:
(a) receiving a set of unlabeled data instances which do not indicate any anomaly occurrence, the set of unlabeled data instances corresponding to a computer operation and having features;
(b) implicitly mapping the set of unlabeled data instances to a feature space comprising applying a string kernel to the set of unlabeled data instances;
(c) calculating one or more sparse regions in the feature space; and
(d) designating one or more data instances from the set of unlabeled data instances as an anomaly if said one or more data instances is located in said one or more sparse regions of the feature space.
Dependent claims: 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58
Specification