Detection of anomalous events
Abstract
A system is described for receiving a stream of events and scoring the events based on anomalousness and maliciousness (or other classification). The system can include a plurality of anomaly detectors that together implement an algorithm to identify low-probability events and detect atypical traffic patterns. The anomaly detector provides for comparability of disparate sources of data (e.g., network flow data and firewall logs). Additionally, the anomaly detector allows for regulatability, meaning that the algorithm can be user configurable to adjust the number of false alerts. The anomaly detector can be used for a variety of probability density functions, including normal Gaussian distributions, irregular distributions, as well as functions associated with continuous or discrete variables.
Claims (30)
1. A method comprising:
detecting anomalous events using a first anomaly detector positioned in parallel with a second anomaly detector, the detecting comprising:
receiving a first log file including a first plurality of events from a first data source in the first anomaly detector including a first memory;
receiving a second log file including a second plurality of events from a second data source that is a different type than the first data source in the second anomaly detector including a second memory;
using the first log file, generating a first anomaly score, the generation being derived from an area associated with a probability density function of the first log file, wherein generating the first anomaly score includes using the formula $A_f(x) = -\log_b P_f(f(X) \le f(x))$ where $b > 1$;
using the second log file, generating a second anomaly score, the generation being derived from an area associated with a probability density function of the second log file; and
comparing the first and second anomaly scores so as to compare anomalies from the first data source to the second data source, which are of different types.
Dependent claims: 2, 3, 4, 5
6. A method comprising:
detecting anomalous events using a first anomaly detector positioned in parallel with a second anomaly detector, the detecting comprising:
receiving a first log file including a first plurality of events from a first data source in the first anomaly detector including a first memory;
receiving a second log file including a second plurality of events from a second data source that is a different type than the first data source in the second anomaly detector including a second memory;
using the first log file, generating a first anomaly score, the generation being derived from an area associated with a probability density function of the first log file;
using the second log file, generating a second anomaly score, the generation being derived from an area associated with a probability density function of the second log file; and
comparing the first and second anomaly scores so as to compare anomalies from the first data source to the second data source, which are of different types;
wherein generating the first anomaly score includes using the function $P_f(A_f(x) \ge \alpha) \le b^{-\alpha}$ wherein $\alpha$ is a tunable parameter to change a number of false alerts and $b$ is any number $> 1$.
Dependent claims: 7, 8, 9, 10
11. A non-transitory computer-readable storage having instructions thereon for executing a method of detecting anomalous events, the method comprising:
receiving a plurality of input network events from disparate network sources in a plurality of anomaly detectors coupled in parallel;
receiving a first log file including a first plurality of the input network events from a first data source in a first anomaly detector of the plurality of anomaly detectors including a first memory;
receiving a second log file including a second plurality of the input network events from a second data source that is a different type than the first data source in a second anomaly detector of the plurality of anomaly detectors including a second memory;
calculating multiple anomaly scores using the plurality of anomaly detectors for each of the plurality of input network events using a function formed at least in part by the expression $A_f(x) = -\log_b P_f(f(X) \le f(x))$ where $b > 1$, wherein $f(X)$ is related to a probability of an occurrence of an event, $f(x)$ is a current event being analyzed, and $P_f$ is a probability determination, so that the anomaly scores are comparable; and
comparing the multiple anomaly scores so as to compare anomalies from the first data source to the second data source.
Dependent claims: 12, 13, 14, 15, 16, 17
18. A non-transitory computer-readable storage having instructions thereon for executing a method, the method comprising:
detecting anomalous events, the detecting including:
receiving a plurality of input network events from disparate network sources in a plurality of anomaly detectors coupled in parallel;
receiving a first log file including a first plurality of input network events from a first data source in a first anomaly detector of the plurality of anomaly detectors;
receiving a second log file including a second plurality of input network events from a second data source that is a different type than the first data source in a second anomaly detector of the plurality of anomaly detectors;
generating multiple anomaly scores using the first and second of the plurality of anomaly detectors for each of the first and second plurality of input network events using a function $P_f(A_f(x) \ge \alpha) \le b^{-\alpha}$ wherein $\alpha$ is a tunable parameter to change a number of false alerts and $b$ is any number $> 1$.
Dependent claims: 19, 20, 21, 22, 23, 24
25. A system for detecting anomalous events, comprising:
a first anomaly detector for receiving a first log file;
a second anomaly detector for receiving a second log file, the second anomaly detector coupled in parallel with the first anomaly detector, wherein both the first and second anomaly detectors include memory registers;
wherein the first and second anomaly detectors calculate anomaly scores for the respective first and second log files, the anomaly detectors using a function formed at least in part by the expression $A_f(x) = -\log_b P_f(f(X) \le f(x))$ where $b > 1$, wherein $f(X)$ is related to a probability of an occurrence of an event, $f(x)$ is a current event being analyzed, and $P_f$ is a probability determination; and
a hardware comparator coupled to the anomaly detectors for comparing the anomaly scores.
Dependent claims: 26, 27
28. A system for detecting anomalous events, comprising:
a first anomaly detector for receiving a first log file;
a second anomaly detector for receiving a second log file, the second anomaly detector coupled in parallel with the first anomaly detector, wherein both the first and second anomaly detectors include memory registers;
wherein the first and second anomaly detectors calculate anomaly scores for the respective first and second log files, the anomaly detectors using a function $P_f(A_f(x) \ge \alpha) \le b^{-\alpha}$ wherein $\alpha$ is a tunable parameter to change a number of false alerts, $b$ is any number $> 1$ and $P_f$ is a probability determination; and
a hardware comparator coupled to the anomaly detectors for comparing the anomaly scores.
Dependent claims: 29, 30
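The abstract and the independent claims above state the score $A_f(x) = -\log_b P_f(f(X) \le f(x))$ and the false-alert bound $P_f(A_f(x) \ge \alpha) \le b^{-\alpha}$ only in prose. The Python below is an added example written for this page, not code from the patent or its assignee. It scores a categorical firewall-action source and a Gaussian-modelled net-flow source on the same log-probability scale, orders events from both sources with a single comparator, and checks the bound against the firewall source's own distribution. The base $b = 2$, the two source models, the treatment of never-seen categories as maximally anomalous (score infinity), and the sample counts are all assumptions made for the example; the data is constructed, not taken from the patent.

```python
import math
from typing import Dict, List, Tuple


def anomaly_score(p_at_or_below: float, base: float = 2.0) -> float:
    """A_f(x) = -log_b P_f(f(X) <= f(x)), the score form in the claims.

    p_at_or_below is the probability mass of all events whose density is no
    larger than that of the current event x: the 'area' under the density at
    or below level f(x). Rarer events get larger scores, and because the score
    is a log-probability in a fixed base b, scores from different sources are
    directly comparable.
    """
    if base <= 1:
        raise ValueError("base b must be > 1")
    if p_at_or_below == 0.0:
        return math.inf  # assumption: zero-mass events are maximally anomalous
    if not 0.0 < p_at_or_below <= 1.0:
        raise ValueError("probability must lie in (0, 1]")
    return -math.log(p_at_or_below, base)


class DiscreteDetector:
    """Detector for a categorical source (e.g. the firewall action field).
    f(x) is the empirical probability of category x; the area at or below f(x)
    is the total mass of all categories at least as rare as x."""

    def __init__(self, counts: Dict[str, int], base: float = 2.0) -> None:
        self.counts = dict(counts)
        self.total = sum(counts.values())
        self.base = base

    def score(self, event: str) -> float:
        c = self.counts.get(event, 0)
        # Integer comparison of counts avoids floating-point ties between densities.
        mass = sum(n for n in self.counts.values() if n <= c)
        return anomaly_score(mass / self.total, self.base)

    def alert_mass(self, alpha: float) -> float:
        """P_f(A_f(x) >= alpha) for this source: the fraction of the modelled
        distribution that would alert at threshold alpha (bounded by b^-alpha)."""
        return sum(n for ev, n in self.counts.items()
                   if self.score(ev) >= alpha) / self.total


class GaussianDetector:
    """Detector for a continuous source modelled as N(mean, std^2), e.g. bytes
    per flow. For a symmetric unimodal density the region where f(X) <= f(x)
    is the two tails beyond |x - mean|; their area is erfc(|z| / sqrt(2))."""

    def __init__(self, mean: float, std: float, base: float = 2.0) -> None:
        if std <= 0:
            raise ValueError("std must be positive")
        self.mean, self.std, self.base = mean, std, base

    def score(self, x: float) -> float:
        z = abs(x - self.mean) / self.std
        two_tail_area = math.erfc(z / math.sqrt(2.0))
        return anomaly_score(two_tail_area, self.base)


def threshold_for_false_alert_rate(rate: float, base: float = 2.0) -> float:
    """Pick alpha with b^-alpha == rate; by the claimed bound the fraction of
    ordinary events that alert is then at most `rate`, for any source."""
    if not 0.0 < rate < 1.0:
        raise ValueError("rate must lie in (0, 1)")
    return -math.log(rate, base)


def rank_across_sources(scored: List[Tuple[str, str, float]]) -> List[Tuple[str, str, float]]:
    """The comparator step: one sort orders events from both sources."""
    return sorted(scored, key=lambda t: t[2], reverse=True)


# Constructed sample data (not from the patent): one day of firewall actions
# and a fitted byte-count model for network flows.
FIREWALL_COUNTS = {"ALLOW": 900, "DENY": 90, "DROP": 9, "RESET": 1}
FLOW_BYTES_MEAN, FLOW_BYTES_STD = 1000.0, 100.0

if __name__ == "__main__":
    fw = DiscreteDetector(FIREWALL_COUNTS)
    flows = GaussianDetector(FLOW_BYTES_MEAN, FLOW_BYTES_STD)
    alpha = threshold_for_false_alert_rate(1 / 32)  # alpha == 5 for b == 2
    events = [
        ("firewall", "RESET", fw.score("RESET")),
        ("firewall", "DENY", fw.score("DENY")),
        ("netflow", "1350 bytes", flows.score(1350.0)),
        ("netflow", "1050 bytes", flows.score(1050.0)),
    ]
    for source, label, s in rank_across_sources(events):
        print(f"{source:9s} {label:12s} score={s:6.2f} {'ALERT' if s >= alpha else 'ok'}")
    print(f"alpha={alpha:.2f}; firewall alert mass={fw.alert_mass(alpha):.4f}"
          f" <= bound {2 ** -alpha:.4f}")
```

Because the score is a log-probability in a common base, a score of at least 5 means the same thing for a flow byte count as for a firewall action: the event sits in the rarest 1/32 of its own source's distribution, so one threshold $\alpha = 5$ caps the false-alert fraction at 1/32 for every source regardless of the shape of its density. For a coarse discrete source the bound is loose (here the firewall mass at or above $\alpha$ is 0.01 against a bound of 0.03125), which errs in the defender's favour.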