Systems and methods for automated memory and thread execution anomaly detection in a computer network
4 Assignments
0 Petitions
Abstract
Systems and methods are provided for detecting an anomaly in a computer that is part of a population of networked computers. Snapshots are received from a plurality of computers within the population of computers, where individual snapshots include a state of assets and runtime processes of a respective computer. An asset normalization model is generated from the snapshots and serves as a baseline model for detecting an anomaly in the state of assets and runtime processes of a respective computer. A snapshot from at least one of the computers is compared to the asset normalization model in order to determine whether an anomaly is present in a state of static assets and runtime processes of the at least one of the computers.
99 Citations
35 Claims
1. A method for detecting an anomaly in a computer that is part of a population of networked computers, the method comprising:
- receiving snapshots from a plurality of computers within the population of computers, wherein individual snapshots include a state of assets and runtime processes of a respective computer;
- generating an asset normalization model from the snapshots that serves as a baseline model for detecting an anomaly in the state of assets and runtime processes of a respective computer, wherein detecting an anomaly comprises detecting a behavioral anomaly comprising one or more of changes in code, changes in execution stack and changes in thread execution; and
- comparing a snapshot from at least one of the computers to the asset normalization model to determine whether an anomaly is present in a state of static assets and runtime processes of the at least one of the computers.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10 (not shown).

11. A system for detecting an anomaly in a computer that is part of a population of networked computers, comprising:
- a network interface configured to receive snapshots from a plurality of computers within the population of computers, wherein individual snapshots include a state of assets and runtime processes of a respective computer; and
- a processor configured to:
  - generate an asset normalization model from the snapshots that serves as a baseline model for detecting an anomaly in the state of assets and runtime processes of a respective computer, wherein detecting an anomaly comprises detecting a behavioral anomaly comprising one or more of changes in code, changes in execution stack and changes in thread execution; and
  - compare a snapshot from at least one of the computers to the asset normalization model to determine whether an anomaly is present in a state of static assets and runtime processes of at least one of the computers.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20 (not shown).

21. One or more computer readable storage media storing instructions for detecting an anomaly in a computer that is part of a population of networked computers, the instructions, when executed by a processor, cause the processor to:
- receive snapshots from a plurality of computers within the population of computers, wherein individual snapshots include a state of assets and runtime processes of a respective computer;
- generate an asset normalization model from the snapshots that serves as a baseline model for detecting an anomaly in the state of assets and runtime processes of a respective computer, wherein detecting an anomaly comprises detecting a behavioral anomaly comprising one or more of changes in code, changes in execution stack and changes in thread execution; and
- compare a snapshot from at least one of the computers to the asset normalization model to determine whether an anomaly is present in a state of static assets and runtime processes of the at least one of the computers.
Dependent claims: 22, 23, 24, 25, 26, 27, 28, 29 (not shown).

30. A method for detecting an anomaly in a computer that is part of a population of networked computers, the method comprising:
- searching the assets and runtime processes in order to find unique identifiers and related assets;
- adding found unique identifiers to a list of previously found unique identifiers and related assets;
- using the list to build a baseline of computer assets which contain these identifiers and related assets to scan during runtime operations in order to generate a snapshot;
- periodically updating the list of unique identifiers as assets and runtime processes are added and removed from a respective computer;
- receiving snapshots from a plurality of computers within the population of computers, wherein individual snapshots include a state of assets and runtime processes of a respective computer;
- generating an asset normalization model from the snapshots that serves as a baseline model for detecting an anomaly in the state of assets and runtime processes of a respective computer; and
- comparing a snapshot from at least one of the computers to the asset normalization model to determine whether an anomaly is present in a state of static assets and runtime processes of the at least one of the computers.
Dependent claims: 31, 32, 33 (not shown).

34. A system for detecting an anomaly in a computer that is part of a population of networked computers, comprising:
- a network interface configured to receive snapshots from a plurality of computers within the population of computers, wherein individual snapshots include a state of assets and runtime processes of a respective computer; and
- a processor configured to:
  - search the assets and runtime processes in order to find unique identifiers and related assets;
  - add found unique identifiers to a list of previously found unique identifiers and related assets;
  - use the list to build a baseline of computer assets which contain these identifiers and related assets to scan during runtime operations in order to generate a snapshot;
  - periodically update the list of unique identifiers as assets and runtime processes are added and removed from a respective computer;
  - generate an asset normalization model from the snapshots that serves as a baseline model for detecting an anomaly in the state of assets and runtime processes of a respective computer; and
  - compare a snapshot from at least one of the computers to the asset normalization model to determine whether an anomaly is present in a state of static assets and runtime processes of at least one of the computers.

35. One or more computer readable storage media storing instructions for detecting an anomaly in a computer that is part of a population of networked computers, the instructions, when executed by a processor, cause the processor to:
- search the assets and runtime processes in order to find unique identifiers and related assets;
- add found unique identifiers to a list of previously found unique identifiers and related assets;
- use the list to build a baseline of computer assets which contain these identifiers and related assets to scan during runtime operations in order to generate a snapshot;
- periodically update the list of unique identifiers as assets and runtime processes are added and removed from a respective computer;
- receive snapshots from a plurality of computers within the population of computers, wherein individual snapshots include a state of assets and runtime processes of a respective computer;
- generate an asset normalization model from the snapshots that serves as a baseline model for detecting an anomaly in the state of assets and runtime processes of a respective computer; and
- compare a snapshot from at least one of the computers to the asset normalization model to determine whether an anomaly is present in a state of static assets and runtime processes of the at least one of the computers.
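The workflow claimed above (collect per-host snapshots of static assets and runtime processes, derive a population-wide asset normalization model, compare a single snapshot to it, and maintain the list of unique identifiers as assets come and go) can be sketched in a few dozen lines. The following is an added example written for this page, not code from the patent or its assignee; the snapshot shape (asset path to code hash, process name to call stack and thread entry symbols), the host names, the hash values and the `min_support` rule are all constructed for the illustration. The one design point worth noting is that a baseline built from the population must not let a single outlier define "normal": code hashes are taken by majority vote, and a call stack or thread entry only enters the baseline when more than one host exhibits it.

```python
"""Population baseline ("asset normalization model") and snapshot comparison.

Added example, not the patent's own code. Snapshot layout, host names,
hash values and the min_support rule are assumptions made for this example.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Snapshot:
    host: str
    # static assets: unique identifier (module path) -> code hash (constructed values)
    assets: dict
    # runtime processes: name -> {"stack": [frames...], "threads": {thread entry symbols}}
    processes: dict


def build_model(snapshots, min_support=2):
    """Build the asset normalization model from the population of snapshots.

    Code hashes: the majority value per asset identifier.
    Stacks / thread entries: kept only when observed on at least `min_support`
    hosts, so one already-deviating host cannot make its own behaviour the baseline.
    """
    hash_votes = {}            # asset id -> Counter of code hashes
    stack_hosts = Counter()    # (process, stack tuple) -> number of hosts showing it
    thread_hosts = Counter()   # (process, thread entry) -> number of hosts showing it
    for snap in snapshots:
        for asset_id, code_hash in snap.assets.items():
            hash_votes.setdefault(asset_id, Counter())[code_hash] += 1
        for proc, rt in snap.processes.items():
            stack_hosts[(proc, tuple(rt["stack"]))] += 1
            for entry in set(rt["threads"]):       # count each host once per entry
                thread_hosts[(proc, entry)] += 1
    return {
        "assets": {a: votes.most_common(1)[0][0] for a, votes in hash_votes.items()},
        "stacks": {k for k, n in stack_hosts.items() if n >= min_support},
        "threads": {k for k, n in thread_hosts.items() if n >= min_support},
        "processes": {proc for proc, _ in stack_hosts},
    }


def compare(snapshot, model):
    """Compare one snapshot to the model; return a list of (kind, subject, detail)."""
    findings = []
    for asset_id, code_hash in snapshot.assets.items():       # changes in code
        expected = model["assets"].get(asset_id)
        if expected is None:
            findings.append(("unknown_asset", asset_id, code_hash))
        elif code_hash != expected:
            findings.append(("code_change", asset_id, f"{code_hash} != baseline {expected}"))
    for proc, rt in snapshot.processes.items():
        if proc not in model["processes"]:
            findings.append(("unknown_process", proc, ""))
            continue
        if (proc, tuple(rt["stack"])) not in model["stacks"]:   # changes in execution stack
            findings.append(("stack_change", proc, " > ".join(rt["stack"])))
        for entry in sorted(set(rt["threads"])):                # changes in thread execution
            if (proc, entry) not in model["threads"]:
                findings.append(("thread_change", proc, entry))
    return findings


def refresh_identifier_list(known_ids, snapshot):
    """Claim-30 style maintenance of the unique identifier list: identifiers seen
    for the first time are added, identifiers no longer present are dropped.
    Returns (new_set, added, removed)."""
    current = set(snapshot.assets) | set(snapshot.processes)
    return current, current - set(known_ids), set(known_ids) - current


# Constructed population: three hosts agree, host-4 deviates in all three respects.
BASELINE_ASSETS = {"/opt/app/agent": "h-a1", "/opt/app/libcrypto.so": "h-c7"}
BASELINE_RT = {"agent": {"stack": ["main", "run_loop", "poll"], "threads": {"worker", "heartbeat"}}}
SNAPSHOTS = [
    Snapshot("host-1", dict(BASELINE_ASSETS), BASELINE_RT),
    Snapshot("host-2", dict(BASELINE_ASSETS), BASELINE_RT),
    Snapshot("host-3", dict(BASELINE_ASSETS), BASELINE_RT),
    Snapshot("host-4",
             {"/opt/app/agent": "h-a1", "/opt/app/libcrypto.so": "h-ZZ"},
             {"agent": {"stack": ["main", "run_loop", "poll", "unexpected_frame"],
                        "threads": {"worker", "heartbeat", "unexpected_thread"}}}),
]
MODEL = build_model(SNAPSHOTS)


def audit_population(snapshots=SNAPSHOTS, model=MODEL):
    """Return {host: findings} for every host whose snapshot deviates from the model."""
    return {s.host: f for s in snapshots if (f := compare(s, model))}


if __name__ == "__main__":
    for host, findings in audit_population().items():
        for kind, subject, detail in findings:
            print(f"{host}: {kind} {subject} {detail}")
```

Run as a script, only host-4 is reported, with one finding each for the changed library hash, the extra stack frame and the unexpected thread entry; the three conforming hosts produce nothing. In a real deployment the snapshot would be produced by the agent described in claim 30 (scanning the assets and processes that carry the known unique identifiers), and `min_support` would be tuned to the population size rather than fixed at two.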