Automatic baselining of anomalous event activity in time series data
First Claim
1. A computer-implemented method comprising:
- receiving values of one or more attributes of a computing system, wherein the values of the one or more attributes correspond to one or more time periods;
- determining a first set of statistical thresholds for the received values of the one or more attributes, wherein the received values of the one or more attributes include one or more values that exceed the first set of statistical thresholds for the received values of the one or more attributes;
- determining a second set of statistical thresholds for a first subset of values of the received values of the one or more attributes, wherein each value of the first subset exceeds the first set of statistical thresholds for the received values of the one or more attributes;
- determining a baseline pattern for the one or more attributes based, at least in part, on the determined first set of statistical thresholds for the received values of the one or more attributes and the determined second set of statistical thresholds for the first subset of values that exceed the first set of statistical thresholds for the received values of the one or more attributes;
- utilizing an anti-gaming mechanism for preventing undetected malicious activity on the computing system, wherein the anti-gaming mechanism randomly determines a start time of one or more additional time periods to prevent potential attackers of the computing system from utilizing knowledge of the first set of statistical thresholds, the second set of statistical thresholds, and/or the baseline pattern to avoid detection of malicious activity;
- receiving additional values of the one or more attributes of the computing system, wherein the additional values of the one or more attributes correspond to the one or more additional time periods; and
- in response to identifying anomalous values in the received additional values based on the determined baseline pattern, sending an alert to a user of the computing system that a potential intrusion in the computing system has occurred.
2 Assignments
0 Petitions
Abstract
Software that automatically creates baselines from time series data of computer system activity, thereby providing immediate value from observed system data. The software performs the following operations: (i) receiving values of one or more attributes of a computing system that correspond to one or more time periods; (ii) determining a first set of statistical thresholds for the received values, wherein the received values include a subset of values that exceed the first set of statistical thresholds; (iii) determining a second set of statistical thresholds for the subset of values that exceed the first set of statistical thresholds; and (iv) determining a baseline pattern for the one or more attributes based, at least in part, on the determined first set of statistical thresholds and the determined second set of statistical thresholds.
73 Citations
17 Claims
1. A computer-implemented method comprising: (text identical to the First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7.
8. A computer program product comprising a computer readable storage medium having stored thereon:
- program instructions programmed to receive values of one or more attributes of a computing system, wherein the values of the one or more attributes correspond to one or more time periods;
- program instructions programmed to determine a first set of statistical thresholds for the received values of the one or more attributes, wherein the received values of the one or more attributes include one or more values that exceed the first set of statistical thresholds for the received values of the one or more attributes;
- program instructions programmed to determine a second set of statistical thresholds for a first subset of values of the received values of the one or more attributes, wherein each value of the first subset exceeds the first set of statistical thresholds for the received values of the one or more attributes;
- program instructions programmed to determine a baseline pattern for the one or more attributes based, at least in part, on the determined first set of statistical thresholds for the received values of the one or more attributes and the determined second set of statistical thresholds for the first subset of values that exceed the first set of statistical thresholds for the received values of the one or more attributes;
- program instructions programmed to utilize an anti-gaming mechanism for preventing undetected malicious activity on the computing system, wherein the anti-gaming mechanism randomly determines a start time of one or more additional time periods to prevent potential attackers of the computing system from utilizing knowledge of the first set of statistical thresholds, the second set of statistical thresholds, and/or the baseline pattern to avoid detection of malicious activity;
- program instructions programmed to receive additional values of the one or more attributes of the computing system, wherein the additional values of the one or more attributes correspond to the one or more additional time periods; and
- program instructions programmed to, in response to identifying anomalous values in the received additional values based on the determined baseline pattern, send an alert to a user of the computing system that a potential intrusion in the computing system has occurred.
Dependent claims: 9, 10, 11, 12.
13. A computer system comprising:
- a processor(s) set; and
- a computer readable storage medium;
- wherein the processor set is structured, located, connected and/or programmed to run program instructions stored on the computer readable storage medium; and the program instructions include:
- program instructions programmed to receive values of one or more attributes of a computing system, wherein the values of the one or more attributes correspond to one or more time periods;
- program instructions programmed to determine a first set of statistical thresholds for the received values of the one or more attributes, wherein the received values of the one or more attributes include one or more values that exceed the first set of statistical thresholds for the received values of the one or more attributes;
- program instructions programmed to determine a second set of statistical thresholds for a first subset of values of the received values of the one or more attributes, wherein each value of the first subset exceeds the first set of statistical thresholds for the received values of the one or more attributes;
- program instructions programmed to determine a baseline pattern for the one or more attributes based, at least in part, on the determined first set of statistical thresholds for the received values of the one or more attributes and the determined second set of statistical thresholds for the first subset of values that exceed the first set of statistical thresholds for the received values of the one or more attributes;
- program instructions programmed to utilize an anti-gaming mechanism for preventing undetected malicious activity on the computing system, wherein the anti-gaming mechanism randomly determines a start time of one or more additional time periods to prevent potential attackers of the computing system from utilizing knowledge of the first set of statistical thresholds, the second set of statistical thresholds, and/or the baseline pattern to avoid detection of malicious activity;
- program instructions programmed to receive additional values of the one or more attributes of the computing system, wherein the additional values of the one or more attributes correspond to the one or more additional time periods; and
- program instructions programmed to, in response to identifying anomalous values in the received additional values based on the determined baseline pattern, send an alert to a user of the computing system that a potential intrusion in the computing system has occurred.
Dependent claims: 14, 15, 16, 17.
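The independent claims above describe a two-tier baseline (thresholds over all observed values, then thresholds over only the values that exceed the first set) plus randomized start times for the additional time periods. The following Python is an added illustration, not code from the patent or its assignee: the claims do not fix the statistics or the anomaly rule, so the mean ± k·stdev bands, the "outside both bands is anomalous" rule, and the constructed failed-login counts are all assumptions made here.

```python
import random
import statistics

def stat_thresholds(values, k):
    """Band at mean +/- k population standard deviations (assumed statistic)."""
    mean = statistics.fmean(values)
    sd = statistics.pstdev(values) if len(values) > 1 else 0.0
    return (mean - k * sd, mean + k * sd)

def exceeds(value, band):
    lower, upper = band
    return value < lower or value > upper

def build_baseline(history, k=1.5):
    """First band over all values; second band over the values exceeding the first."""
    first = stat_thresholds(history, k)
    bursts = [v for v in history if exceeds(v, first)]
    second = stat_thresholds(bursts, k) if len(bursts) >= 2 else None
    return {"first": first, "second": second}

def classify(value, baseline):
    """Assumed rule: outside first band but inside the burst band is a routine
    burst (no alert); outside both bands is anomalous."""
    if not exceeds(value, baseline["first"]):
        return "normal"
    second = baseline["second"]
    if second is not None and not exceeds(value, second):
        return "routine_burst"
    return "anomalous"

def randomized_windows(t0, period, max_jitter, n, seed=None):
    """Anti-gaming: each additional period starts a random offset (0..max_jitter)
    after the previous one ends. seed is for reproducible tests only."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    windows, t = [], t0
    for _ in range(n):
        start = t + rng.uniform(0, max_jitter)
        windows.append((start, start + period))
        t = start + period
    return windows

def detect(samples, windows, baseline):
    """Sum (timestamp, count) samples per window; return the windows to alert on."""
    alerts = []
    for start, end in windows:
        total = sum(c for t, c in samples if start <= t < end)
        if classify(total, baseline) == "anomalous":
            alerts.append((start, end, total))
    return alerts

HISTORY = [2, 3, 1, 4, 2, 3, 2, 1, 3, 2, 20, 25]  # constructed: failed logins/min, two batch bursts
```

With this history the first band tops out near 17, so 20 and 25 form the burst band (about 18.75 to 26.25): a later count of 22 is a routine burst, while 80 is anomalous and would trigger the alert.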
Specification