Method for evolving detectors to detect malign behavior in an artificial immune system

US 8,621,631 B2
Filed: 11/22/2011
Issued: 12/31/2013
Est. Priority Date: 09/23/2005
Status: Active Grant

First Claim

Patent Images

1. A network device for detecting an unauthorized activity by another network device, comprising:

a transceiver that is configured to communicate over a network;

a memory that is configured to store instructions; and

a processor that is configured to execute instructions that enable actions, including;

generating a plurality of detectors, wherein each detector includes a plurality of system calls;

determining an initial matching value and an expectation value for each detector;

comparing each detector to logged fragments of system calls that are associated with a computing process, and employing at least in part the comparison to determine a new matching value for each detector;

when the new matching value for at least one detector is equal to or greater than the at least one detector'"'"'s expectation value, evolving a child detector from the at least one parent detector;

generating a value for the child detector that is based on a combination of common values from a plurality of detectors that are employed to evolve the child detector;

associating a rate of mutation for each detector that corresponds to mutations in its evolved child detectors; and

enabling a mutation in at least one child detector, wherein the mutation includes a change from a corresponding parent detector for at least one of a fragment length for each system call and a type of each system call.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, apparatus, and method are directed to evolving detectors in an Artificial Immune System for use in detecting unauthorized computing activities. In one embodiment, a population of detectors is generated with a matching value and expectation value of zero. The detectors are then compared to logged fragments of system calls within a computing device to modify the matching value. When the matching value for a given detector is equal to or greater than an expectation value, the detector'"'"'s expectation value may be set to the matching value. The detectors may then evolve and/or generate other detectors using mutation, and/or recombination, or the like. Detectors continue to generate and/or to evolve until a detector'"'"'s matching value reaches a determined value, in which case, the detector may be evaluated to determine if an unauthorized activity is detected. If an unauthorized activity is detected, a detection response may be performed.

125 Citations

15 Claims

1. A network device for detecting an unauthorized activity by another network device, comprising:
- a transceiver that is configured to communicate over a network;
  
  a memory that is configured to store instructions; and
  
  a processor that is configured to execute instructions that enable actions, including;
  
  generating a plurality of detectors, wherein each detector includes a plurality of system calls;
  
  determining an initial matching value and an expectation value for each detector;
  
  comparing each detector to logged fragments of system calls that are associated with a computing process, and employing at least in part the comparison to determine a new matching value for each detector;
  
  when the new matching value for at least one detector is equal to or greater than the at least one detector'"'"'s expectation value, evolving a child detector from the at least one parent detector;
  
  generating a value for the child detector that is based on a combination of common values from a plurality of detectors that are employed to evolve the child detector;
  
  associating a rate of mutation for each detector that corresponds to mutations in its evolved child detectors; and
  
  enabling a mutation in at least one child detector, wherein the mutation includes a change from a corresponding parent detector for at least one of a fragment length for each system call and a type of each system call.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The network device of claim 1, wherein generating the detector further comprises at least one action of:
    - randomly generating the detector; and
      
      employing at least one pattern of system calls associated with the computing process to generate the detector.
  - 3. The network device of claim 1, further comprising the action of determining for each detector at least one of:
    - an amount of corresponding child detectors, and a rate for evolving child detectors.
  - 4. The network device of claim 1, further comprising the action of modifying the parent detector'"'"'s expectation value based on at least a copy of the parent detector and at least one mutation.
  - 5. The network device of claim 1, further comprising the action of modifying at least one child detector'"'"'s expectation value and the new matching value based on another comparison to the logged fragments of the system calls.
  - 6. The network device of claim 1, further comprising the action of when one expectation value for the detector or at least one of its corresponding child detectors exceeds a threshold value, evaluating the detector to determine when unauthorized activity is detected at the other network device.

7. A method for detecting an unauthorized activity at a network device, comprising the actions of enabling a processor to execute instructions that enable further actions, including:
- generating a plurality of detectors, wherein each detector includes a plurality of system calls;
  
  determining an initial matching value and an expectation value for each detector;
  
  comparing each detector to logged fragments of system calls that are associated with a computing process, and employing at least in part the comparison to determine a new matching value for each detector;
  
  when the new matching value for at least one detector is equal to or greater than the at least one detector'"'"'s expectation value, evolving a child detector from the at least one parent detector;
  
  generating a value for the child detector that is based on a combination of common values from a plurality of detectors that are employed to evolve the child detector;
  
  associating a rate of mutation for each detector that corresponds to mutations in its evolved child detectors; and
  
  enabling a mutation in at least one child detector, wherein the mutation includes a change from a corresponding parent detector for at least one of a fragment length for each system call and a type of each system call.
- View Dependent Claims (8, 9)
- - 8. The method of claim 7, wherein generating the detector further comprises at least one action of:
    - randomly generating the detector; and
      
      employing at least one pattern of system calls associated with the computing process to generate the detector.
  - 9. The method of claim 7, further comprising the action of determining for each detector at least one of:
    - an amount of corresponding child detectors, and a rate for evolving child detectors.

10. A non-transitive processor readable storage media that includes data and instructions, wherein execution of the instructions by a processor enables actions for detecting an unauthorized activity at a network device, the actions include:
- generating a plurality of detectors, wherein each detector includes a plurality of system calls;
  
  determining an initial matching value and an expectation value for each detector;
  
  comparing each detector to logged fragments of system calls that are associated with a computing process, and employing at least in part the comparison to determine a new matching value for each detector;
  
  when the new matching value for at least one detector is equal to or greater than the at least one detector'"'"'s expectation value, evolving a child detector from the at least one parent detector;
  
  generating a value for the child detector that is based on a combination of common values from a plurality of detectors that are employed to evolve the child detector associating a rate of mutation for each detector that corresponds to mutations in its evolved child detectors; and
  
  enabling a mutation in at least one child detector, wherein the mutation includes a change from a corresponding parent detector for at least one of a fragment length for each system call and a type of each system call.
- View Dependent Claims (11, 12)
- - 11. The media of claim 10, wherein generating the detector further comprises at least one action of:
    - randomly generating the detector; and
      
      employing at least one pattern of system calls associated with the computing process to generate the detector.
  - 12. The media of claim 10, further comprising the action of determining for each detector at least one of:
    - an amount of corresponding child detectors, and a rate for evolving child detectors.

13. A system for detecting an unauthorized computing activity, comprising:
- a server device that is configured to perform actions, including;
  
  generating a plurality of detectors, wherein each detector includes a plurality of system calls;
  
  determining an initial matching value and an expectation value for each detector;
  
  sending the plurality of detectors over a network to at least one client device;
  
  generating a value for the child detector that is based on a combination of common values from a plurality of detectors that are employed to evolve the child detector;
  
  associating a rate of mutation for each detector that corresponds to mutations in its evolved child detectors; and
  
  enabling a mutation in at least one child detector, wherein the mutation includes a change from a corresponding parent detector for at least one of a fragment length for each system call and a type of each system call; and
  
  a client device that is configured to perform actions, including;
  
  receiving the plurality of detectors;
  
  comparing each detector to logged fragments of system calls that are associated with a computing process, and employing at least in part the comparison to determine a new matching value for each detector; and
  
  when the new matching value for at least one detector is equal to or greater than the at least one detector'"'"'s expectation value, evolving a child detector from the at least one parent detector.
- View Dependent Claims (14, 15)
- - 14. The system of claim 13, wherein generating the detector further comprises at least one action of:
    - randomly generating the detector; and
      
      employing at least one pattern of system calls associated with the computing process to generate the detector.
  - 15. The system of claim 13, further comprising the action by the server device of determining for each detector at least one of:
    - an amount of corresponding child detectors, and a rate for evolving child detectors.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Koelle, Katharina Veronika, Midwinter, Wendy
Primary Examiner(s)
Hailu, Teshome

Application Number

US13/303,102
Publication Number

US 20120072987A1
Time in Patent Office

770 Days
Field of Search

726/23, 726/22, 726/24, 726/25
US Class Current

726/23
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/2115   Third party

G06N 3/126   Evolutionary algorithms, e....

G06N 5/043   Distributed expert systems;...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Method for evolving detectors to detect malign behavior in an artificial immune system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

125 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method for evolving detectors to detect malign behavior in an artificial immune system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

125 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links