Application-level anomaly detection
First Claim

1. A method, comprising:

- intercepting one or more activities performed by an application on a computing device, the intercepting using an instrumentation layer separating the application from an operating system on the computing device;
- comparing the one or more activities performed by the application with one or more anomaly detection policies in a policy configuration file to detect or not detect presence of one or more anomalies in the application, wherein comparing further comprises using an anomaly detection method to determine whether information produced by the anomaly detection method meets criteria in the policy configuration file, wherein a comparison detects presence of the one or more anomalies in response to the information meeting the criteria; and
- in response to the comparison detecting presence of one or more anomalies, storing one or more indications comprising the presence and characteristics of the one or more anomalies.
Abstract
An example includes intercepting one or more activities performed by an application on a computing device. The intercepting uses an instrumentation layer separating the application from an operating system on the computing device. The one or more activities are compared with one or more anomaly detection policies in a policy configuration file to detect or not detect presence of one or more anomalies. In response to the comparison detecting presence of one or more anomalies, indication(s) of the one or more anomalies are stored. Another example includes receiving indication(s) of anomaly(ies) experienced by an application on computing device(s) and analyzing the indication(s) of the anomaly(ies) to determine whether corrective action(s) should be issued. Responsive to a determination corrective action(s) should be issued based on the analyzing, the corrective action(s) are issued to the computing device(s). Methods, program products, and apparatus are disclosed.
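As an added illustration (not code from the patent or its assignee), the following Python sketch models both sides described in the abstract: a device-side check that compares intercepted activities with policies from a policy configuration file and stores indications carrying presence and characteristics, and a server-side analysis that decides whether to issue corrective actions. The policy ids, detection methods, activity records and action names are constructed for this example.

```python
from collections import Counter

# Constructed policy configuration (what a policy configuration file might hold;
# ids, methods, criteria and actions are made up). Each policy names the detection
# method, the activity it watches, the criteria to meet, and a corrective action.
POLICY_CONFIG = {"policies": [
    {"id": "net-burst", "method": "count", "activity": "network_connect",
     "criteria": {"max_per_window": 2}, "action": "throttle_network"},
    {"id": "camera-use", "method": "match", "activity": "camera_open",
     "criteria": {"forbidden": True}, "action": "revoke_camera_permission"},
]}

# Constructed activity records an instrumentation layer between app and OS might intercept.
INTERCEPTED = [
    {"type": "network_connect", "target": "10.0.0.5:443"},
    {"type": "network_connect", "target": "10.0.0.6:443"},
    {"type": "network_connect", "target": "10.0.0.7:443"},
    {"type": "camera_open", "target": "/dev/video0"},
    {"type": "file_read", "target": "/etc/hostname"},
]


def detect_anomalies(activities, config):
    """Device side: compare activities with each policy and return an
    indication (presence plus characteristics) per anomaly detected."""
    counts = Counter(a["type"] for a in activities)
    indications = []
    for p in config["policies"]:
        kind, crit, observed = p["activity"], p["criteria"], counts[p["activity"]]
        if p["method"] == "count" and observed > crit["max_per_window"]:
            chars = {"observed": observed, "limit": crit["max_per_window"]}
        elif p["method"] == "match" and crit.get("forbidden") and observed:
            chars = {"targets": sorted({a["target"] for a in activities
                                        if a["type"] == kind})}
        else:
            continue  # criteria not met: no anomaly under this policy
        indications.append({"policy": p["id"], "present": True,
                            "characteristics": chars})
    return indications


def decide_corrective_actions(reports, config, min_devices=2):
    """Server side: analyze indications keyed by device id and issue a
    policy's corrective action once min_devices report that anomaly."""
    devices_per_policy = {}
    for device, indications in reports.items():
        for ind in indications:
            devices_per_policy.setdefault(ind["policy"], set()).add(device)
    actions = {p["id"]: p["action"] for p in config["policies"]}
    return sorted((pid, actions[pid], sorted(devs))
                  for pid, devs in devices_per_policy.items()
                  if len(devs) >= min_devices)
```

The `min_devices` threshold is one possible analysis rule; it keeps a single noisy device from triggering fleet-wide corrective actions.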
19 Claims
1. A method, comprising: (independent claim; full text given above under First Claim). Dependent claims: 2 through 16.
17. A method, comprising:

- receiving one or more indications of presence and characteristics of one or more anomalies experienced by an application on one or more computing devices, wherein the one or more indications of one or more activities are determined by the one or more computing devices intercepting the one or more activities using an instrumentation layer separating the application from an operating system on the one or more computing devices, and wherein presence of the one or more anomalies is detected in response to information produced by an anomaly detection method meeting criteria in a policy configuration file;
- analyzing the one or more indications of the one or more anomalies in the application to determine whether one or more corrective actions concerning the application should be issued; and
- responsive to a determination that one or more corrective actions should be issued based on the analyzing, issuing the one or more corrective actions to the one or more computing devices.

Dependent claims: 18 and 19.