Application-level anomaly detection
First Claim
1. A computing device comprising:
one or more memories comprising computer-readable code; and
one or more processors, configured in response to executing the computer-readable code to cause the computing device to perform:
intercepting one or more activities performed by an application on a computing device, the intercepting using an instrumentation layer separating the application from an operating system on the computing device;
comparing the one or more activities with one or more anomaly detection policies in a policy configuration file to detect or not detect presence of one or more anomalies;
in response to the comparison detecting presence of one or more anomalies, storing one or more indications of the one or more anomalies;
in response to being in a first mode, sending the stored one or more indications of the anomalies over a network toward a server;
in response to being in a second mode:
analyzing the one or more indications of the one or more anomalies to determine whether one or more corrective actions should be implemented; and
responsive to a determination one or more corrective actions should be implemented based on the analyzing, implementing the one or more corrective actions; and
updating a model used to determine whether the one or more anomalies occurs based on the policy configuration file.
Abstract
An example includes intercepting one or more activities performed by an application on a computing device. The intercepting uses an instrumentation layer separating the application from an operating system on the computing device. The one or more activities are compared with one or more anomaly detection policies in a policy configuration file to detect or not detect presence of one or more anomalies. In response to the comparison detecting presence of one or more anomalies, indication(s) of the one or more anomalies are stored. Another example includes receiving indication(s) of anomaly(ies) experienced by an application on computing device(s) and analyzing the indication(s) of the anomaly(ies) to determine whether corrective action(s) should be issued. Responsive to a determination corrective action(s) should be issued based on the analyzing, the corrective action(s) are issued to the computing device(s). Methods, program products, and apparatus are disclosed.
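The abstract describes a pipeline rather than an algorithm: an instrumentation layer between the application and the operating system intercepts calls, compares them with policies loaded from a configuration file, stores an indication for each match, and then either batches the indications for a server (first mode) or analyzes them locally and applies a corrective action (second mode), while a model read from the same configuration file tracks what "normal" looks like. The following is an added example in that shape; it is not the patent's code. The JSON policy layout, the policy and activity names, the toy OS facade, and the choice to model "sending toward a server" as returning the serialized batch (no network I/O) are all assumptions made for illustration.

```python
"""Policy-driven application-level anomaly detection with a report mode and a
local-enforcement mode. Added example, not the patent's code; every name and
the policy file layout below are assumptions."""
import json
import time
from dataclasses import dataclass, asdict

# Constructed policy configuration file (assumed JSON layout).
POLICY_CONFIG_JSON = """
{
  "policies": [
    {"id": "net-unexpected-host", "activity": "net.connect",
     "allow_hosts": ["api.example.com"], "action": "block"},
    {"id": "file-sensitive-read", "activity": "file.read",
     "deny_path_prefixes": ["/etc/shadow", "/data/keys/"], "action": "block"},
    {"id": "net-burst", "activity": "net.connect",
     "max_per_window": 5, "action": "throttle"}
  ],
  "model": {"window_seconds": 60}
}
"""


@dataclass
class Indication:
    """Stored indication of one detected anomaly."""
    policy_id: str
    activity: str
    args: dict
    action: str
    ts: float


class Interceptor:
    """Instrumentation layer sitting between the application and the OS facade."""
    REPORT = "report"   # first mode: batch indications for a server
    LOCAL = "local"     # second mode: analyze and apply corrective actions here

    def __init__(self, config_text, mode):
        config = json.loads(config_text)
        self.policies = config["policies"]
        self.mode = mode
        self.window = config["model"]["window_seconds"]
        self.recent = []      # rate model: (ts, activity) events inside the window
        self.stored = []      # stored indications awaiting report or already acted on

    def update_model(self, activity, now):
        """Slide the rate window; its length comes from the policy file's model section."""
        self.recent = [(t, a) for t, a in self.recent if now - t <= self.window]
        self.recent.append((now, activity))

    def rate(self, activity):
        return sum(1 for _, a in self.recent if a == activity)

    def matches(self, policy, activity, args):
        """Compare one intercepted activity with one policy entry."""
        if policy["activity"] != activity:
            return False
        if "allow_hosts" in policy:
            return args.get("host") not in policy["allow_hosts"]
        if "deny_path_prefixes" in policy:
            path = args.get("path", "")
            return any(path.startswith(p) for p in policy["deny_path_prefixes"])
        if "max_per_window" in policy:
            return self.rate(activity) > policy["max_per_window"]
        return False

    def corrective_action(self, indications):
        """Local analysis: deny the call if any matched policy asks for block or throttle."""
        return "deny" if any(i.action in ("block", "throttle") for i in indications) else None

    def intercept(self, activity, args, now=None):
        """Returns (allowed, [ids of policies that flagged the call])."""
        now = time.time() if now is None else now
        self.update_model(activity, now)
        hits = [Indication(p["id"], activity, dict(args), p["action"], now)
                for p in self.policies if self.matches(p, activity, args)]
        self.stored.extend(hits)
        allowed = True
        if self.mode == self.LOCAL and hits:
            allowed = self.corrective_action(hits) != "deny"
        return allowed, [h.policy_id for h in hits]

    def flush_to_server(self):
        """First mode: serialize stored indications for transmission and clear them."""
        payload = json.dumps([asdict(i) for i in self.stored])
        self.stored = []
        return payload


class GuardedOS:
    """Toy OS facade; the application only reaches the OS through the interceptor."""
    def __init__(self, interceptor):
        self.icp = interceptor

    def connect(self, host, now=None):
        ok, _ = self.icp.intercept("net.connect", {"host": host}, now)
        return ok

    def read_file(self, path, now=None):
        ok, _ = self.icp.intercept("file.read", {"path": path}, now)
        return ok


if __name__ == "__main__":
    guard = GuardedOS(Interceptor(POLICY_CONFIG_JSON, Interceptor.LOCAL))
    print(guard.connect("api.example.com"), guard.connect("exfil.example.net"))
    print(guard.read_file("/etc/shadow"), guard.read_file("/home/app/notes.txt"))
```

In report mode the call is never denied; the indication is only stored and later serialized, which is the behaviour a fleet operator wants while tuning policies. In local mode the same indication drives the corrective action immediately. The sliding window is the "model" the claims refer to: its length is read from the configuration file, so redeploying the file changes what counts as a burst without touching the interceptor.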
22 Claims
1. A computing device comprising:
one or more memories comprising computer-readable code; and
one or more processors, configured in response to executing the computer-readable code to cause the computing device to perform:
intercepting one or more activities performed by an application on a computing device, the intercepting using an instrumentation layer separating the application from an operating system on the computing device;
comparing the one or more activities with one or more anomaly detection policies in a policy configuration file to detect or not detect presence of one or more anomalies;
in response to the comparison detecting presence of one or more anomalies, storing one or more indications of the one or more anomalies;
in response to being in a first mode, sending the stored one or more indications of the anomalies over a network toward a server;
in response to being in a second mode:
analyzing the one or more indications of the one or more anomalies to determine whether one or more corrective actions should be implemented; and
responsive to a determination one or more corrective actions should be implemented based on the analyzing, implementing the one or more corrective actions; and
updating a model used to determine whether the one or more anomalies occurs based on the policy configuration file.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
15. A computing device comprising:
one or more memories comprising computer-readable code; and
one or more processors, configured in response to executing the computer-readable code to cause the computing device to perform:
receiving one or more indications of one or more anomalies experienced by an application on one or more computing devices;
analyzing the one or more indications of the one or more anomalies to determine whether one or more corrective actions should be issued, wherein at least the analyzing is performed using a policy configuration file;
responsive to a determination one or more corrective actions should be issued based on the analyzing, issuing the one or more corrective actions to the one or more computing devices;
in response to being in a first mode, sending the stored one or more indications of the anomalies over a network toward a server;
in response to being in a second mode:
analyzing the one or more indications of the one or more anomalies to determine whether one or more corrective actions should be implemented; and
responsive to a determination one or more corrective actions should be implemented based on the analyzing, implementing the one or more corrective actions; and
updating a model used to determine whether the one or more anomalies occurs based on the policy configuration file.
Dependent claims: 16, 17, 18
19. A computer program product comprising a non-transitory computer readable storage medium having program code embodied therewith, the program code executable by a computing system to cause the computing system to perform:
intercepting one or more activities performed by an application on a computing device, the intercepting using an instrumentation layer separating the application from an operating system on the computing device;
comparing the one or more activities with one or more anomaly detection policies in a policy configuration file to detect or not detect presence of one or more anomalies;
in response to the comparison detecting presence of one or more anomalies, storing one or more indications of the one or more anomalies;
in response to being in a first mode, sending the stored one or more indications of the anomalies over a network toward a server;
in response to being in a second mode:
analyzing the one or more indications of the one or more anomalies to determine whether one or more corrective actions should be implemented; and
responsive to a determination one or more corrective actions should be implemented based on the analyzing, implementing the one or more corrective actions; and
updating a model used to determine whether the one or more anomalies occurs based on the policy configuration file.
20. A computer program product comprising a non-transitory computer readable storage medium having program code embodied therewith, the program code executable by a computing system to cause the computing system to perform:
receiving one or more indications of one or more anomalies experienced by an application on one or more computing devices;
analyzing the one or more indications of the one or more anomalies to determine whether one or more corrective actions should be issued, wherein at least the analyzing is performed using a policy configuration file;
responsive to a determination one or more corrective actions should be issued based on the analyzing, issuing the one or more corrective actions to the one or more computing devices;
in response to being in a first mode, sending the stored one or more indications of the anomalies over a network toward a server;
in response to being in a second mode:
analyzing the one or more indications of the one or more anomalies to determine whether one or more corrective actions should be implemented; and
responsive to a determination one or more corrective actions should be implemented based on the analyzing, implementing the one or more corrective actions; and
updating a model used to determine whether the one or more anomalies occurs based on the policy configuration file.
21. A method, comprising:
intercepting one or more activities performed by an application on a computing device, the intercepting using an instrumentation layer separating the application from an operating system on the computing device;
comparing the one or more activities with one or more anomaly detection policies in a policy configuration file to detect or not detect presence of one or more anomalies;
in response to the comparison detecting presence of one or more anomalies, storing one or more indications of the one or more anomalies;
in response to being in a first mode, sending the stored one or more indications of the anomalies over a network toward a server;
in response to being in a second mode:
analyzing the one or more indications of the one or more anomalies to determine whether one or more corrective actions should be implemented; and
responsive to a determination one or more corrective actions should be implemented based on the analyzing, implementing the one or more corrective actions; and
updating a model used to determine whether the one or more anomalies occurs based on the policy configuration file.
22. A method, comprising:
receiving one or more indications of one or more anomalies experienced by an application on one or more computing devices;
analyzing the one or more indications of the one or more anomalies to determine whether one or more corrective actions should be issued, wherein at least the analyzing is performed using a policy configuration file;
responsive to a determination one or more corrective actions should be issued based on the analyzing, issuing the one or more corrective actions to the one or more computing devices;
in response to being in a first mode, sending the stored one or more indications of the anomalies over a network toward a server;
in response to being in a second mode:
analyzing the one or more indications of the one or more anomalies to determine whether one or more corrective actions should be implemented; and
responsive to a determination one or more corrective actions should be implemented based on the analyzing, implementing the one or more corrective actions; and
updating a model used to determine whether the one or more anomalies occurs based on the policy configuration file.
Specification