Method and apparatus for computer intrusion detection
Abstract
A method and apparatus for intrusion detection, the method comprising: receiving a description of a computerized system, the description comprising two or more entities, one or more attributes for each entity and one or more statistical rules related to relationships between the entities; receiving data related to activity of the computerized system, the data comprising two or more events; grouping the events into two or more groups associated with the entities; and comparing the groups in accordance with the statistical rules, to identify a group not complying with any of the statistical rules.
23 Claims
1. A computer-implemented method performed by a computerized device having a processor, the method comprising:
- receiving a description of a computerized system, the description comprising indication of at least two entities, at least one attribute for each of the at least two entities and at least one statistical rule related to relationships between the at least two entities;
- receiving data to be automatically analyzed related to monitored activity of the computerized system, the data comprising events containing at least an event related to an attack attempt and an event not related to an attack attempt;
- grouping the events into at least two groups associated with the at least two entities;
- classifying each entity by determining a probability of each entity being associated with the events within the data, and classifying the events based on when they occurred;
- aggregating each group into at least two objects based on the classifications;
- comparing the at least two objects to predetermined values which are based on at least one statistical rule, to identify a group from which an object was aggregated as not complying with the at least one statistical rule, wherein the non-compliance is not binary and degrees of non-compliance exist, wherein the non-compliant group may be identified as containing the event related to the attack attempt;
- displaying or otherwise treating a plurality of events related to an attack attempt in order of their degree of non-compliance, identified via the steps of receiving the description, receiving the data, grouping, classifying, aggregating and comparing; and
- wherein said receiving the description, receiving the data, groupings of classifying, comparing, and displaying or otherwise treating is performed by the processor.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.
13. An apparatus having a processor and a storage device, the processor being adapted to perform the steps of:
- receiving a description of a computerized system, the description comprising indication of at least two entities, at least one attribute for each of the at least two entities and at least one statistical rule related to relationships between the at least two entities;
- receiving data to be analyzed related to monitored activity of the computerized system, the data comprising at least an event related to an attack attempt and an event not related to an attack attempt;
- grouping the events into at least two groups associated with the at least two entities, then aggregating each group into an object;
- classifying each entity by determining a probability of each entity being associated with the events within the data, and classifying the events based on when they occurred;
- aggregating each of the at least two groups to obtain at least two objects based on the classifications;
- comparing the at least two objects to predetermined values which are based on at least one statistical rule, to identify a group from which an object was aggregated as not complying with the at least one statistical rule, wherein the non-compliance is not binary and degrees of non-compliance exist, wherein the non-compliant group comprises the event related to the attack attempt; and
- displaying or otherwise treating a plurality of events related to an attack attempt in order of their degree of non-compliance, identified via the steps of receiving the description, receiving the data, grouping, classifying, aggregating and comparing.
Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21.
22. A computer program product comprising:
- a non-transitory computer readable medium;
- a first program instruction for receiving a description of a computerized system, the description comprising indication of at least two entities, at least one attribute for each of the at least two entities and at least one statistical rule related to relationships between the at least two entities;
- a second program instruction for receiving data to be analyzed related to monitored activity of the computerized system, the data comprising at least an event related to an attack attempt and an event not related to an attack attempt;
- a third program instruction for grouping the events into at least two groups associated with the at least two entities;
- a fourth program instruction for classifying each entity by determining a probability of an entity being associated with the events within the data, and classifying the events based on when they occurred;
- a fifth program instruction for aggregating each group into at least two objects based on the classifications; and
- a sixth program instruction for comparing the at least two objects to predetermined values which are based on at least one statistical rule, to identify a group from which an object was aggregated as not complying with the at least one statistical rule, wherein the non-compliance is not binary and degrees of non-compliance exist, wherein the non-compliant group may be identified as containing the event related to the attack attempt;
- a seventh program instruction for displaying or otherwise treating a plurality of events related to an attack attempt according to their degree of non-compliance, identified via the instructions for receiving the description, receiving the data, grouping, aggregating and comparing;
- wherein said first, second, third, fourth, fifth, sixth, and seventh program instructions are stored on said non-transitory computer readable medium and executed on a computing device.
Dependent claims: 23.
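As an added illustration, not code from the patent itself, the sketch below walks the claimed pipeline end to end: group events by entity, classify them by when they occurred, aggregate each group into a count object, compare it to predetermined values derived from a statistical rule, and rank entities by a graded (non-binary) degree of non-compliance. The entities, events and rule baselines are all constructed, and the "statistical rule" is simplified to a per-role baseline of expected off-hours logins.

```python
from collections import defaultdict

# Constructed system description: each entity carries one attribute (role), and
# the statistical rule is keyed by role, giving the predetermined values (expected
# mean and standard deviation of off-hours logins) the aggregates are compared to.
ENTITIES = {
    "alice": {"role": "analyst"},
    "bob": {"role": "admin"},
    "svc-backup": {"role": "service"},
}
RULES = {
    "analyst": {"mean": 1.0, "stdev": 1.0},
    "admin": {"mean": 3.0, "stdev": 1.5},
    "service": {"mean": 0.0, "stdev": 0.5},
}

# Constructed monitoring events: (hour of day, entity, action). Not real data.
EVENTS = [
    (9, "alice", "login"), (10, "alice", "login"),
    (22, "alice", "login"), (23, "alice", "login"),
    (2, "bob", "login"), (3, "bob", "login"), (4, "bob", "login"),
    (1, "svc-backup", "login"), (2, "svc-backup", "login"),
    (3, "svc-backup", "login"), (4, "svc-backup", "login"),
]


def classify_time(hour):
    """Classify an event by when it occurred: off-hours vs business hours."""
    return "off_hours" if hour < 7 or hour >= 20 else "business"


def aggregate(events):
    """Group events by entity and aggregate each group into a per-class count object."""
    objects = defaultdict(lambda: {"off_hours": 0, "business": 0})
    for hour, entity, _action in events:
        objects[entity][classify_time(hour)] += 1
    return dict(objects)


def degree_of_noncompliance(entity, obj):
    """Compare an aggregated object to its rule's predetermined values.
    Returns a z-score, so non-compliance is graded rather than binary; fewer
    off-hours logins than expected counts as fully compliant (0.0)."""
    rule = RULES[ENTITIES[entity]["role"]]
    return max(0.0, (obj["off_hours"] - rule["mean"]) / rule["stdev"])


def rank_entities(events):
    """Return (degree, entity) pairs, most non-compliant group first."""
    objects = aggregate(events)
    scored = ((degree_of_noncompliance(e, o), e) for e, o in objects.items())
    return sorted(scored, reverse=True)
```

Ranking by degree rather than by a pass/fail flag is what lets an analyst triage the service account's four off-hours logins ahead of the analyst's two, even though both exceed their baselines.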