Method for evolving detectors to detect malign behavior in an artificial immune system
First Claim
1. A network device for detecting an unauthorized activity by another network device, comprising:
a transceiver that is configured to communicate over a network;
a memory that is configured to store instructions; and
a processor that is configured to execute instructions that enable actions, including:
generating a plurality of detectors, wherein each detector includes a plurality of system calls;
determining an initial matching value and an expectation value for each detector;
comparing each detector to logged fragments of system calls that are associated with a computing process, and employing at least in part the comparison to determine a new matching value for each detector;
when the new matching value for at least one detector is equal to or greater than the at least one detector's expectation value, evolving a child detector from the at least one parent detector;
generating a value for the child detector that is based on a combination of common values from a plurality of detectors that are employed to evolve the child detector;
associating a rate of mutation for each detector that corresponds to mutations in its evolved child detectors; and
enabling a mutation in at least one child detector, wherein the mutation includes a change from a corresponding parent detector for at least one of a fragment length for each system call and a type of each system call.
Abstract
A system, apparatus, and method are directed to evolving detectors in an Artificial Immune System for use in detecting unauthorized computing activities. In one embodiment, a population of detectors is generated with a matching value and expectation value of zero. The detectors are then compared to logged fragments of system calls within a computing device to modify the matching value. When the matching value for a given detector is equal to or greater than an expectation value, the detector's expectation value may be set to the matching value. The detectors may then evolve and/or generate other detectors using mutation, and/or recombination, or the like. Detectors continue to generate and/or to evolve until a detector's matching value reaches a determined value, in which case, the detector may be evaluated to determine if an unauthorized activity is detected. If an unauthorized activity is detected, a detection response may be performed.
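The loop the abstract and the first claim describe (matching and expectation values that start at zero, comparison of each detector against logged system-call fragments, reproduction when the matching value meets the expectation value, recombination that keeps the values the parents have in common, mutation of fragment length or call type at a per-detector rate, and evaluation once a determined matching value is reached) is easier to follow as code. The following is an added example in Python and is not code from the patent or its assignee; the system-call vocabulary, the two constructed logs, the fixed population size, the `make_rng` helper, and the evaluation of a matured detector against a known-good "self" profile are assumptions of this example, not steps the patent spells out.

```python
import random
from dataclasses import dataclass

# Constructed system-call vocabulary (assumption of this example).
SYSCALLS = ["open", "read", "write", "close", "mmap", "socket", "connect", "execve"]

@dataclass
class Detector:
    calls: list                 # the detector: an ordered fragment of system calls
    matching: int = 0           # matching value, initially zero
    expectation: int = 0        # expectation value, initially zero
    mutation_rate: float = 0.3  # rate inherited by this detector's children

def make_rng(seed):
    return random.Random(seed)

def fragments(log, length):
    """All contiguous fragments of `length` calls in a logged syscall sequence."""
    return [tuple(log[i:i + length]) for i in range(len(log) - length + 1)]

def match_value(det, log):
    """Matching value: number of logged fragments that equal the detector exactly."""
    pattern = tuple(det.calls)
    return sum(1 for frag in fragments(log, len(pattern)) if frag == pattern)

def recombine(parents, rng):
    """Child keeps the calls its parents have in common at each position and takes
    one parent's call where they differ; its mutation rate is the parents' average."""
    calls = []
    for i in range(min(len(p.calls) for p in parents)):
        options = [p.calls[i] for p in parents]
        calls.append(options[0] if len(set(options)) == 1 else rng.choice(options))
    return Detector(calls, mutation_rate=sum(p.mutation_rate for p in parents) / len(parents))

def mutate(det, rng, min_len=2, max_len=4):
    """With probability det.mutation_rate change the fragment length (drop or insert
    a call) or the type of one call; a mutation always yields a different fragment."""
    if rng.random() >= det.mutation_rate:
        return det
    calls = list(det.calls)
    if rng.random() < 0.5:  # length mutation
        if len(calls) >= max_len or (len(calls) > min_len and rng.random() < 0.5):
            del calls[rng.randrange(len(calls))]
        else:
            calls.insert(rng.randrange(len(calls) + 1), rng.choice(SYSCALLS))
    else:                   # type mutation, always to a different call
        i = rng.randrange(len(calls))
        calls[i] = rng.choice([s for s in SYSCALLS if s != calls[i]])
    return Detector(calls, mutation_rate=det.mutation_rate)

def generate_population(size, rng):
    """Initial detectors: random two- or three-call fragments with both values zero."""
    return [Detector([rng.choice(SYSCALLS) for _ in range(rng.randint(2, 3))])
            for _ in range(size)]

def evolve(log, population, threshold, generations, rng):
    """Score detectors, let those whose matching value is at least their expectation
    value reproduce, stop once one reaches `threshold`. Fixed size is an assumption."""
    size = len(population)
    for _ in range(generations):
        for det in population:
            det.matching = match_value(det, log)
        matured = {tuple(d.calls): d for d in population if d.matching >= threshold}
        if matured:
            return list(matured.values())
        children = []
        for det in population:
            if det.matching >= det.expectation:
                det.expectation = det.matching   # the bar this lineage must keep clearing
                child = mutate(recombine([det, rng.choice(population)], rng), rng)
                child.matching = match_value(child, log)
                children.append(child)
        pool = population + children
        rng.shuffle(pool)   # so ties do not systematically favour parents
        pool.sort(key=lambda d: d.matching, reverse=True)
        population = pool[:size]
    return []

def is_unauthorized(det, self_log):
    """Evaluation of a matured detector (assumption of this example): flag it when
    its fragment never occurs in a known-good 'self' profile of the same process."""
    return match_value(det, self_log) == 0

# Constructed logs (not from the patent): a benign loop, and a monitored process that
# runs the loop and then a socket/connect/execve sequence absent from the profile.
BENIGN = ["open", "read", "write", "close"]
SELF_LOG = BENIGN * 8
MONITORED_LOG = BENIGN * 6 + ["socket", "connect", "execve"] * 6

def run(seed=7):
    rng = make_rng(seed)
    matured = evolve(MONITORED_LOG, generate_population(40, rng), 4, 200, rng)
    alerts = [" -> ".join(d.calls) for d in matured if is_unauthorized(d, SELF_LOG)]
    return matured, alerts

if __name__ == "__main__":
    print(run())
```

`run` is deterministic for a given seed. Two things the example makes visible that the abstract does not: the selection pressure is weak (every detector whose matching value has not fallen below its expectation value reproduces, so without a population cap the detector set grows without bound), and fragments of the benign loop mature just as readily as the socket/connect/execve sequence, so the evaluation step that follows maturation, here a comparison against a known-good profile, is what actually separates unauthorized activity from normal behaviour.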
15 Claims
1. (Independent claim; its full text appears under First Claim above.) Dependent claims: 2, 3, 4, 5, 6.
7. A method for detecting an unauthorized activity at a network device, comprising the actions of enabling a processor to execute instructions that enable further actions, including:
generating a plurality of detectors, wherein each detector includes a plurality of system calls;
determining an initial matching value and an expectation value for each detector;
comparing each detector to logged fragments of system calls that are associated with a computing process, and employing at least in part the comparison to determine a new matching value for each detector;
when the new matching value for at least one detector is equal to or greater than the at least one detector's expectation value, evolving a child detector from the at least one parent detector;
generating a value for the child detector that is based on a combination of common values from a plurality of detectors that are employed to evolve the child detector;
associating a rate of mutation for each detector that corresponds to mutations in its evolved child detectors; and
enabling a mutation in at least one child detector, wherein the mutation includes a change from a corresponding parent detector for at least one of a fragment length for each system call and a type of each system call.
Dependent claims: 8, 9.
10. A non-transitive processor readable storage media that includes data and instructions, wherein execution of the instructions by a processor enables actions for detecting an unauthorized activity at a network device, the actions include:
generating a plurality of detectors, wherein each detector includes a plurality of system calls;
determining an initial matching value and an expectation value for each detector;
comparing each detector to logged fragments of system calls that are associated with a computing process, and employing at least in part the comparison to determine a new matching value for each detector;
when the new matching value for at least one detector is equal to or greater than the at least one detector's expectation value, evolving a child detector from the at least one parent detector;
generating a value for the child detector that is based on a combination of common values from a plurality of detectors that are employed to evolve the child detector;
associating a rate of mutation for each detector that corresponds to mutations in its evolved child detectors; and
enabling a mutation in at least one child detector, wherein the mutation includes a change from a corresponding parent detector for at least one of a fragment length for each system call and a type of each system call.
Dependent claims: 11, 12.
13. A system for detecting an unauthorized computing activity, comprising:
a server device that is configured to perform actions, including:
generating a plurality of detectors, wherein each detector includes a plurality of system calls;
determining an initial matching value and an expectation value for each detector;
sending the plurality of detectors over a network to at least one client device;
generating a value for the child detector that is based on a combination of common values from a plurality of detectors that are employed to evolve the child detector;
associating a rate of mutation for each detector that corresponds to mutations in its evolved child detectors; and
enabling a mutation in at least one child detector, wherein the mutation includes a change from a corresponding parent detector for at least one of a fragment length for each system call and a type of each system call; and
a client device that is configured to perform actions, including:
receiving the plurality of detectors;
comparing each detector to logged fragments of system calls that are associated with a computing process, and employing at least in part the comparison to determine a new matching value for each detector; and
when the new matching value for at least one detector is equal to or greater than the at least one detector's expectation value, evolving a child detector from the at least one parent detector.
Dependent claims: 14, 15.