Volatility-based classifier for security solutions
First Claim
1. A computer-implemented method comprising:
producing usage data associated with an online service, the usage data being associated with online service interactions comprising synthetic attack patterns and describing interaction with the online service;
producing operational data associated with the online service, the operational data being associated with the online service interactions and describing hardware and software operations of a datacenter hosting the online service;
processing the usage data and the operational data to produce a measure of behavioral changes over time;
correlating behavioral changes of the usage data and the operational data; and
processing the correlated behavioral changes to recognize one or more events in which usage and operational behavioral changes deviate from historical data of the online service.
Abstract
Various embodiments provide an approach to classifying security events based on the concept of behavior change detection or “volatility.” Behavior change detection is utilized, in place of a pre-defined patterns approach, to look at a system's behavior and detect any variances from what would otherwise be normal operating behavior. In operation, machine learning techniques are utilized as an event classification mechanism which facilitates implementation scalability. The machine learning techniques are iterative and continue to learn over time. Operational scalability issues are addressed by using the computed volatility of the events in a time series as input for a classifier. During a learning process (i.e., the machine learning process), the system identifies relevant features that are affected by security incidents. When in operation, the system evaluates those features in real-time and provides a probability that an incident is about to occur.
90 Citations
17 Claims
1. A computer-implemented method comprising:
producing usage data associated with an online service, the usage data being associated with online service interactions comprising synthetic attack patterns and describing interaction with the online service;
producing operational data associated with the online service, the operational data being associated with the online service interactions and describing hardware and software operations of a datacenter hosting the online service;
processing the usage data and the operational data to produce a measure of behavioral changes over time;
correlating behavioral changes of the usage data and the operational data; and
processing the correlated behavioral changes to recognize one or more events in which usage and operational behavioral changes deviate from historical data of the online service.
Dependent claims: 2, 3, 4, 5

6. One of an optical storage device, a magnetic storage device or a memory storage device configured to store computer readable instructions which, when executed, perform operations comprising:
providing a recognizer that has been trained using one or more synthetic attack patterns with usage data describing interaction with an online service, and operational data describing hardware and software operations of a datacenter hosting the online service;
processing received usage data and operational data to recognize one or more events in which usage and operational behavioral changes deviate from historical data;
scoring the recognized one or more events to identify one of false positives and false negatives; and
using the one of false positives and false negatives to further train the recognizer.
Dependent claims: 7, 8, 9, 10, 11, 12

13. A computing device comprising:
one or more microprocessors;
one or more computer readable storage device storing computer readable instructions which, when executed by the one or more microprocessors, implement:
one or more online services;
a user traffic module configured to provide user interactions with the one or more online services;
a synthetic attack generator configured to generate synthetic attacks on the one or more online services; and
a recognizer configured to:
process received usage data and operational data to recognize one or more events in which usage and operational behavioral changes deviate from historical data;
score recognized events to identify false positives and false negatives; and
use the false positives and false negatives to further train the recognizer,
wherein the one or more online services are configured to produce, from the user interactions with the user traffic module and the synthetic attack generator, usage data and operational data.
Dependent claims: 14, 15, 16, 17
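The recognizer described in the abstract and claimed in claims 1, 6 and 13 (volatility over a usage and an operational time series, correlation of the two, deviation from history, then scoring against known synthetic attacks to retrain), as an added Python illustration that is not the patent's own code. The request-count and CPU-percent series, the z-score volatility measure, the sign-agreement correlation and the threshold-adjusting feedback step are my assumptions; the page specifies none of them.

```python
# Added illustration, not the patent's code. Assumed (not from the page):
# usage = requests/interval, ops = host CPU %, volatility = |z-score| of an
# interval's change against a trailing window, event = both volatile together.
from statistics import mean, pstdev

def volatility(series, window=5):
    """Absolute z-score of each interval's change versus the trailing window."""
    deltas = [b - a for a, b in zip(series, series[1:])]
    vol = [0.0] * len(series)  # the first window+1 points have no history
    for i in range(window, len(deltas)):
        hist = deltas[i - window:i]
        spread = pstdev(hist) or 1e-9  # guard against a perfectly flat history
        vol[i + 1] = abs((deltas[i] - mean(hist)) / spread)
    return vol

def recognize_events(usage, ops, threshold=3.0, window=5):
    """Intervals where both series are volatile and change in the same direction."""
    v_use, v_ops = volatility(usage, window), volatility(ops, window)
    return [i for i in range(1, len(usage))
            if v_use[i] >= threshold and v_ops[i] >= threshold
            and (usage[i] - usage[i - 1]) * (ops[i] - ops[i - 1]) > 0]

def score(events, synthetic_attacks):
    """(false positives, false negatives) against the known synthetic-attack intervals."""
    return (sorted(set(events) - set(synthetic_attacks)),
            sorted(set(synthetic_attacks) - set(events)))

def retrain(threshold, false_positives, false_negatives):
    """Feedback step from the claims: misses loosen the threshold, false alarms tighten it."""
    if false_negatives:
        return threshold * 0.8
    return threshold * 1.25 if false_positives else threshold

# Constructed sample: 20 intervals; a benign CPU-only batch job at 8-9 and a
# synthetic flood from interval 14 that lifts both request rate and CPU.
USAGE = [100, 101, 100, 102, 101, 100, 101, 102, 101, 100,
         101, 100, 102, 101, 400, 405, 398, 402, 400, 401]
OPS = [40, 41, 40, 42, 41, 40, 41, 42, 70, 72,
       41, 40, 42, 41, 95, 96, 94, 97, 95, 96]
SYNTHETIC_ATTACKS = [14]

if __name__ == "__main__":
    threshold = 5.0  # deliberately too strict: the flood is missed at first
    fp, fn = score(recognize_events(USAGE, OPS, threshold), SYNTHETIC_ATTACKS)
    threshold = retrain(threshold, fp, fn)
    print(fp, fn, threshold, recognize_events(USAGE, OPS, threshold))
```

The CPU-only batch job at interval 8 is volatile in the operational series alone, so the correlation step keeps it from being reported; only the flood at interval 14, where both series jump together, is recognized.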
Specification