Automatic baselining of anomalous event activity in time series data
Abstract
Software that automatically detects anomalous attributes indicative of a potential intrusion in a computing system. The software performs the following operations: (i) determining a baseline pattern for one or more attributes of a computing system, based on a first set of statistical thresholds determined for received values of the one or more attributes, wherein the received values correspond to one or more time periods, and on a second set of statistical thresholds determined for a first subset of values of the received values of the one or more attributes, wherein each value of the first subset exceeds the first set of statistical thresholds; and (ii) in response to identifying, based on the determined baseline pattern, anomalous values in monitored additional values of the one or more attributes, sending an alert to a user of the computing system indicating that a potential intrusion in the computing system has occurred.
20 Claims
1. A computer-implemented method comprising:
- determining a baseline pattern for one or more attributes of a computing system based, at least in part, on a first set of statistical thresholds determined for received values of the one or more attributes, wherein the received values correspond to one or more time periods, and on a second set of statistical thresholds determined for a first subset of values of the received values of the one or more attributes, wherein each value of the first subset exceeds the first set of statistical thresholds;
- monitoring additional values of the one or more attributes for anomalous activity, using the determined baseline pattern, wherein the monitored additional values correspond to one or more additional time periods, and wherein a start time of the one or more additional time periods is randomly determined, as part of an anti-gaming mechanism for preventing undetected malicious activity on the computing system, to prevent potential attackers of the computing system from utilizing knowledge of the first set of statistical thresholds, the second set of statistical thresholds, and/or the baseline pattern to avoid detection of malicious activity; and
- in response to identifying, based, at least in part, on the determined baseline pattern, anomalous values in the monitored additional values of the one or more attributes, sending an alert to a user of the computing system indicating that a potential intrusion in the computing system has occurred.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A computer program product comprising a computer readable storage medium having stored thereon:
- program instructions programmed to determine a baseline pattern for one or more attributes of a computing system based, at least in part, on a first set of statistical thresholds determined for received values of the one or more attributes, wherein the received values correspond to one or more time periods, and on a second set of statistical thresholds determined for a first subset of values of the received values of the one or more attributes, wherein each value of the first subset exceeds the first set of statistical thresholds;
- program instructions programmed to monitor additional values of the one or more attributes for anomalous activity, using the determined baseline pattern, wherein the monitored additional values correspond to one or more additional time periods, and wherein a start time of the one or more additional time periods is randomly determined, as part of an anti-gaming mechanism for preventing undetected malicious activity on the computing system, to prevent potential attackers of the computing system from utilizing knowledge of the first set of statistical thresholds, the second set of statistical thresholds, and/or the baseline pattern to avoid detection of malicious activity; and
- program instructions programmed to, in response to identifying, based, at least in part, on the determined baseline pattern, anomalous values in the monitored additional values of the one or more attributes, send an alert to a user of the computing system indicating that a potential intrusion in the computing system has occurred.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A computer system comprising:
- a processor(s) set; and
- a computer readable storage medium;
wherein the processor set is structured, located, connected and/or programmed to run program instructions stored on the computer readable storage medium, and the program instructions include:
- program instructions programmed to determine a baseline pattern for one or more attributes of a computing system based, at least in part, on a first set of statistical thresholds determined for received values of the one or more attributes, wherein the received values correspond to one or more time periods, and on a second set of statistical thresholds determined for a first subset of values of the received values of the one or more attributes, wherein each value of the first subset exceeds the first set of statistical thresholds;
- program instructions programmed to monitor additional values of the one or more attributes for anomalous activity, using the determined baseline pattern, wherein the monitored additional values correspond to one or more additional time periods, and wherein a start time of the one or more additional time periods is randomly determined, as part of an anti-gaming mechanism for preventing undetected malicious activity on the computing system, to prevent potential attackers of the computing system from utilizing knowledge of the first set of statistical thresholds, the second set of statistical thresholds, and/or the baseline pattern to avoid detection of malicious activity; and
- program instructions programmed to, in response to identifying, based, at least in part, on the determined baseline pattern, anomalous values in the monitored additional values of the one or more attributes, send an alert to a user of the computing system indicating that a potential intrusion in the computing system has occurred.
Dependent claims: 16, 17, 18, 19, 20.
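The two-tier baseline and the randomly started monitoring window recited in the abstract and claims above, worked through as an added Python illustration (this is not code from the patent or its assignee). It assumes that "statistical thresholds" means a mean ± k·σ band, that values between the first-tier and second-tier upper thresholds are bursts already seen during baselining and therefore not alerted, and that the Band/build_baseline/classify names and the hourly failed-login counts are constructed for the example.

```python
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Band:
    lo: float
    hi: float


def stat_band(values, k):
    """Statistical thresholds: mean +/- k population standard deviations (assumption)."""
    mu = statistics.fmean(values)
    sd = statistics.pstdev(values)
    return Band(mu - k * sd, mu + k * sd)


def build_baseline(values, k=2.0):
    """First band over all received values; second band over the subset
    that exceeds the first band's upper threshold (the burst tier)."""
    first = stat_band(values, k)
    exceeders = [v for v in values if v > first.hi]
    # Fewer than two exceeders give no spread to estimate: the burst tier then
    # collapses onto the first-tier threshold and any crossing is an alert.
    second = stat_band(exceeders, k) if len(exceeders) >= 2 else Band(first.hi, first.hi)
    return first, second


def random_window_start(series_len, window_len, rng=None):
    """Anti-gaming: the monitored period begins at an unpredictable offset, so
    activity cannot be timed against the edges of a known measurement window."""
    rng = rng or random.SystemRandom()
    return rng.randrange(0, series_len - window_len + 1)


def classify(baseline, values, start=0):
    """Return (absolute index, value) for every value outside the baseline pattern."""
    first, second = baseline
    return [(start + i, v) for i, v in enumerate(values) if v > second.hi or v < first.lo]


def monitor(baseline, stream, window_len, rng=None):
    start = random_window_start(len(stream), window_len, rng)
    return start, classify(baseline, stream[start:start + window_len], start)


# Constructed sample: one day of hourly failed-login counts with a few legitimate bursts
TRAINING = [12, 15, 11, 14, 13, 16, 12, 14, 15, 13, 11, 12,
            40, 45, 55, 14, 13, 12, 15, 11, 14, 13, 60, 12]

if __name__ == "__main__":
    base = build_baseline(TRAINING)
    print(monitor(base, [13, 12, 14, 58, 15, 11, 200, 12, 14, 13, 12, 15], window_len=8))
```

With the sample data the first-tier upper threshold is about 47.6 and the burst tier spans 52.5 to 62.5, so an hour with 58 failures is treated as a known burst while 200 is alerted.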