Monitoring for anomalies in a computing environment
First Claim
1. A method of monitoring for anomalies in a computing environment comprising:
by a processor, building an anomaly detection system based on topology guided statistical analysis, comprising:
by the processor executing a monitoring application, determining transaction and performance data of a number of configuration items in a topology of a web application executed within the computing environment correlated with data associated with the topology of the web application; and
by the processor, identifying a number of metrics for each of the configuration items; and
by the processor, storing, in a performance management database (PMDB), the transaction and performance data of the configuration items, correlated data associated with the topology of the web application, and the metrics of the configuration items;
by the processor, determining if a first metric of the number of metrics deviates from a metric baseline;
by the processor, responsive to a determination that the first metric deviates from the metric baseline, flagging the first metric as a potential malicious anomaly;
by the processor, creating a number of correlation rules to detect a number of intrusions, the correlation rules based on the transaction and performance data of the configuration items, correlated data associated with the topology of the web application, the metrics of the configuration items, the flagged anomaly, and information provided by a security alerts database, the security alert database comprising stored data regarding security alerts reported from a security management software product;
by the processor, applying the correlation rules to detect the intrusions in the computing environment;
by the processor, determining if a suspicious session is reported within the security alerts stored in the security alert database;
by the processor, responsive to a determination that the suspicious session is reported within the security alerts stored in the security alert database, classifying the flagged anomaly as a first intrusion in the computing environment and classifying the suspicious session as the first intrusion; and
by the processor, responsive to a determination that the suspicious session is not reported within the security alerts stored in the security alert database, classifying the flagged anomaly as an intrusion in the computing environment detected through statistical analysis.
Abstract
A method of monitoring for anomalies in a computing environment comprises, with a processor, building an anomaly detection system based on topology guided statistical analysis, and creating a number of correlation rules based on a number of detected anomalies and information provided by a security alerts database.
10 Claims
1. (Independent claim; reproduced in full above under First Claim.) Dependent claims: 2, 3, 4, 5, 6, 7.
8. A hybrid intrusion detection system (IDS), comprising:
a configuration management database to store data regarding a number of configuration items within a computing environment;
a performance management database to store data related to a number of resource usage metrics;
a security alert database to store data associated with a number of security alerts reported from a security management software product; and
a computing device comprising a processor that implements computer-readable instructions stored in a data storage device to perform functionality that:
detects a number of anomalies using topology guided statistical analysis;
determines the resource usage metrics correlated with data associated with a topology of a web application, the resource usage metrics comprising transaction and performance data of the configuration items in the topology of the web application executed within the computing environment;
determines if a first resource usage metric of the number of resource usage metrics deviates from a metric baseline;
responsive to a determination that the first resource usage metric deviates from the metric baseline, flags the first resource usage metric as a potential malicious anomaly;
creates a number of correlation rules based on the resource usage metrics, correlated data associated with the topology of the web application, the data regarding the configuration items, the flagged anomaly, and the data associated with the number of security alerts provided by the security alerts database;
applies the correlation rules to detect intrusions within the computing device;
determines if a suspicious session is reported within the security alerts stored in the security alert database;
responsive to a determination that the suspicious session is reported within the security alerts stored in the security alert database, classifies the flagged anomaly as a first intrusion in the computing environment and classifies the suspicious session as the first intrusion; and
responsive to a determination that the suspicious session is not reported within the security alerts stored in the security alert database, classifies the flagged anomaly as an intrusion detected through statistical analysis.
Dependent claims: 9.
10. A computer program product for monitoring for anomalies in a computing environment, the computer program product comprising:
a non-transitory computer readable storage medium comprising computer usable program code embodied therewith, the computer usable program code that, when executed by a processor, causes a computing device in the computing environment to:
identify a number of metrics for each of a number of configuration items in a topology of a web application executed within the computing environment;
determine a metric baseline for the metrics;
determine a relationship baseline for a number of relationships between the metrics of the configuration items;
determine if a first metric of the number of metrics deviates from the metric baseline;
responsive to a determination that the first metric deviates from the metric baseline, flag the first metric as a potential malicious anomaly;
create a number of correlation rules based on transaction and performance data correlated with the topology data of the web, the metrics of the configuration items, the flagged anomaly, and security alert information provided by a security alerts database, the security alert database comprising stored data regarding security alerts reported from a security management software product;
apply the correlation rules to detect intrusions within the computing environment;
determine if a suspicious session is reported within the security alerts stored in a security alert database;
responsive to a determination that the suspicious session is reported within the security alerts stored in the security alert database, classify the flagged anomaly as a first intrusion in the computing environment and classify the suspicious session as the first intrusion; and
responsive to a determination that the suspicious session is not reported within the security alerts stored in the security alert database, classify the flagged anomaly as an intrusion in the computing environment detected through statistical analysis.
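The detection and classification flow of claims 1 and 10 above (a per-metric baseline, a relationship baseline between metrics of configuration items linked in the topology, and a correlation rule that checks flagged anomalies against suspicious sessions in a security alert database), as an added Python illustration; this is not the patent's own code nor that of any product. The topology, the PMDB samples, the alert records, the 3-sigma threshold, the 10-sample baseline window and every identifier are constructed assumptions; the claims fix none of them.

```python
"""Topology-guided statistical anomaly detection correlated with a security
alert store, modelled on the hybrid IDS in the claims. Added illustration;
all names, thresholds and sample data below are assumptions."""
from math import inf
from statistics import mean, pstdev

Z_THRESHOLD = 3.0   # assumed: a value beyond 3 sigma deviates from its baseline
BASELINE_LEN = 10   # assumed: the first 10 samples of each series form the baseline

# Constructed topology: each configuration item (CI) lists the CIs it calls into.
TOPOLOGY = {"web01": ["app01"], "app01": ["db01"], "db01": []}

# Constructed PMDB contents: per-CI metric series, oldest first. The first
# BASELINE_LEN samples are the learning window; the rest are live intervals.
PMDB = {
    "web01": {"requests": [80, 90, 100, 110, 120, 85, 95, 105, 115, 100, 100, 82]},
    "app01": {"cpu_pct":  [41, 44, 51, 54, 61, 42, 48, 53, 57, 50, 50, 59]},
    "db01":  {"queries":  [300, 295, 305, 302, 298, 300, 309, 291, 300, 303, 301, 1200]},
}

# Constructed security alert database: alerts a security management product
# reported, tagged with the CI and the interval in which they were raised.
SECURITY_ALERTS = [
    {"session": "sess-7f3a", "ci": "db01", "interval": 11, "kind": "suspicious session"},
    {"session": "sess-0c41", "ci": "web01", "interval": 5, "kind": "suspicious session"},
]


def zscore(value, history):
    """Standard score of value against a baseline window. A constant baseline
    has zero spread, so any change from it is treated as an infinite deviation
    rather than being silently skipped."""
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return 0.0 if value == mu else inf
    return (value - mu) / sigma


def metric_anomalies(pmdb=PMDB):
    """Flag live samples whose metric deviates from that metric's own baseline."""
    flagged = []
    for ci, metrics in pmdb.items():
        for name, series in metrics.items():
            base = series[:BASELINE_LEN]
            for i, value in enumerate(series[BASELINE_LEN:], start=BASELINE_LEN):
                if abs(zscore(value, base)) > Z_THRESHOLD:
                    flagged.append({"ci": ci, "metric": name, "interval": i,
                                    "value": value, "kind": "metric"})
    return flagged


def relationship_anomalies(pmdb=PMDB, topology=TOPOLOGY):
    """Flag intervals where the ratio between a CI's metric and the metric of
    the CI calling it leaves the relationship baseline, even when each metric
    is within its own range (the relationship baseline of claim 10)."""
    flagged = []
    for upstream, downstreams in topology.items():
        for downstream in downstreams:
            for up_name, up_series in pmdb[upstream].items():
                for down_name, down_series in pmdb[downstream].items():
                    ratios = [d / u for d, u in zip(down_series, up_series)]
                    base = ratios[:BASELINE_LEN]
                    for i, r in enumerate(ratios[BASELINE_LEN:], start=BASELINE_LEN):
                        if abs(zscore(r, base)) > Z_THRESHOLD:
                            flagged.append({"ci": downstream, "interval": i,
                                            "metric": f"{down_name}/{upstream}.{up_name}",
                                            "value": round(r, 3), "kind": "relationship"})
    return flagged


def correlate(anomalies, alerts=SECURITY_ALERTS, window=1):
    """Apply the correlation rule: an anomaly on a CI that coincides (within
    `window` intervals) with a suspicious session reported for that CI is an
    intrusion confirmed by both sources, and the session is tied to it;
    otherwise it is an intrusion detected through statistical analysis alone."""
    intrusions = []
    for a in anomalies:
        sessions = sorted({al["session"] for al in alerts
                           if al["ci"] == a["ci"] and al["kind"] == "suspicious session"
                           and abs(al["interval"] - a["interval"]) <= window})
        label = "intrusion (alert-confirmed)" if sessions else "intrusion (statistical analysis)"
        intrusions.append({**a, "classification": label, "sessions": sessions})
    return intrusions


def run_hybrid_ids():
    """Full pass: both baselines, then the correlation rule."""
    return correlate(metric_anomalies() + relationship_anomalies())


if __name__ == "__main__":
    for hit in run_hybrid_ids():
        print(hit)
```

On the constructed data, db01 at interval 11 is flagged by both its own query-count baseline and the queries-per-CPU relationship with app01, and the suspicious session sess-7f3a reported for db01 in the same interval ties both to an alert-confirmed intrusion. app01 at interval 11 stays within its own CPU baseline but is out of proportion to web01's request volume, so only the relationship baseline catches it, and with no matching session it is classified as detected through statistical analysis. The web01 alert at interval 5 has no coinciding anomaly and produces no classification, which is the behaviour the claims describe; an operator would still want such unmatched alerts surfaced separately.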
Specification