Capturing correlations between activity and non-activity attributes using N-grams
First Claim
1. A method for identifying correlations between events recorded in a system log of a computer, the recorded events generated by a plurality of processes executing on the computer, the method comprising:
- partitioning, by the computer, a system log into a plurality of segments, each segment associated with a characteristic found in an event, each segment including one or more events having a same characteristic value;
- selecting, by the computer, a plurality of attributes of the one or more events in a segment, wherein the plurality of attributes do not describe an action of the event;
- generating, by the computer, one or more distinct n-grams, each distinct n-gram including the selected attributes from successive events within the segment, wherein a distinct n-gram is distinct from all other generated n-grams;
- identifying, by the computer, a correlation for each first selected attribute of each of the successive events of an n-gram with all other second selected attributes from each of the successive events of the n-gram;
- generating, by the computer, a correlation metric as a function of the number of correlated first selected attributes and the total number of selected attributes of each of the successive events of the n-gram, wherein generating the correlation metric includes:
  - incrementing, by the computer, a count of n-gram instances in which the first selected attribute of each of the successive events of the n-gram correlates with one of the second selected attributes of each of the successive events of the n-gram; and
  - dividing, by the computer, the count by a total number of possible correlations between the first selected attributes and the second selected attributes; and
- recording, by the computer, the correlations for each first selected attribute.
Abstract
Correlations are identified between events recorded in a computer system log, the recorded events being generated by a plurality of processes executing on the computer. A system log is partitioned into a plurality of segments, each segment associated with a characteristic found in an event, each segment including one or more events having a same characteristic value. A plurality of attributes of the events in a segment are selected. The attributes selected do not describe an action of the event. One or more distinct n-grams are generated, each distinct n-gram including the selected attributes from successive events within the segment. A distinct n-gram is distinct from all other generated n-grams. A correlation is identified for each first selected attribute of each successive event of an n-gram with all other second selected attributes from each successive event of the n-gram, and the correlations are recorded for each first selected attribute.
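The steps summarized above (partition, select non-activity attributes, build distinct n-grams, count and normalize correlations) can be sketched as follows. This is an added example, not code from the patent. It assumes that two attributes "correlate" when their values are equal in successive events and that the "total number of possible correlations" for an attribute pair is the number of distinct n-grams; the log, the attribute names and the function names are constructed for illustration.

```python
from collections import defaultdict
from itertools import product

# Constructed sample log. "session" is the partitioning characteristic,
# "action" is the activity attribute (excluded); the rest are non-activity.
LOG = [
    {"session": "s1", "action": "login",  "user": "alice", "host": "web1", "owner": "alice"},
    {"session": "s2", "action": "login",  "user": "bob",   "host": "web2", "owner": "bob"},
    {"session": "s1", "action": "read",   "user": "alice", "host": "db1",  "owner": "alice"},
    {"session": "s2", "action": "read",   "user": "bob",   "host": "db1",  "owner": "carol"},
    {"session": "s1", "action": "write",  "user": "alice", "host": "db1",  "owner": "alice"},
    {"session": "s2", "action": "logout", "user": "bob",   "host": "web2", "owner": "bob"},
]
ATTRS = ("user", "host", "owner")  # hypothetical non-activity attribute names

def partition(log, key):
    """Split the log into segments of events sharing the same value of `key`."""
    segments = defaultdict(list)
    for event in log:  # log order is preserved inside each segment
        segments[event[key]].append(event)
    return segments

def distinct_ngrams(segments, attrs, n):
    """Distinct n-grams of non-activity attribute tuples from successive events."""
    grams = set()
    for events in segments.values():
        rows = [tuple(e[a] for a in attrs) for e in events]
        grams.update(tuple(rows[i:i + n]) for i in range(len(rows) - n + 1))
    return grams

def correlation_metrics(grams, attrs, n):
    """Map (position, first_attr, second_attr) -> matches / distinct n-grams."""
    counts = dict.fromkeys(product(range(n - 1), attrs, attrs), 0)
    for gram in grams:
        for pos, a, b in counts:
            # Assumed correlation test: equal values in successive events.
            if gram[pos][attrs.index(a)] == gram[pos + 1][attrs.index(b)]:
                counts[pos, a, b] += 1
    return {k: c / len(grams) for k, c in counts.items()} if grams else {}

def analyze(log, key="session", attrs=ATTRS, n=2):
    grams = distinct_ngrams(partition(log, key), attrs, n)
    return grams, correlation_metrics(grams, attrs, n)

if __name__ == "__main__":
    grams, metrics = analyze(LOG)
    for (pos, a, b), m in sorted(metrics.items()):
        if m:
            print(f"event[{pos}].{a} == event[{pos + 1}].{b}: {m:.2f}")
```

On the sample log, the `user` of one event always equals the `user` of the next (metric 1.0), while `user` matches the next event's `owner` in three of the four distinct bigrams (0.75); the one non-matching bigram is the kind of deviation an analyst would review.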
9 Citations
4 Claims
Specification