Features generation for use in computer network intrusion detection
Abstract
Detecting harmful or illegal intrusions into a computer network, or into restricted portions of a computer network, uses a features generator or builder to generate a feature reflecting changes in user and user-group behavior over time. User and user-group historical means and standard deviations are used to generate a feature that is not dependent on rigid or static rule sets. These statistical and historical values are calculated by accessing user activity data listing activities performed by users on the computer system. Historical information is then calculated based on the activities performed by users on the computer system. The feature is calculated using the historical information based on the user's or group of users' activities. The feature is then utilized by a model to obtain a value or score which indicates the likelihood of an intrusion into the computer network. The historical values are adjusted according to shifts in the normal behavior of users of the computer system. This allows the calculation of the feature to reflect the changing characteristics of the users on the computer system.
31 Claims
1. A method of detecting an intrusion into a computer system, the method comprising:
    gathering user activity data corresponding to activities performed by an individual user;
    calculating historical values based on activities performed by users on the computer system;
    calculating a feature using the historical values and the user activity data; and
    utilizing the feature in a model to obtain a value indicating the likelihood of an intrusion, whereby the historical values are adjusted according to shifts in normal behavior of users, thereby enabling calculation of the feature to reflect changing characteristics of behavior of the users on the computer system.

… retrieving user activity data corresponding to a predetermined time period.

4. A method as recited in claim 1 further comprising gathering peer historical data including cumulative data of activities performed by a peer group.

5. A method as recited in claim 1 wherein calculating historical values further includes:
    calculating a user historical mean and a user historical standard deviation for a selected user.

6. A method as recited in claim 5 further comprising:
    calculating a peer historical mean and a peer historical standard deviation.

7. A method as recited in claim 5 wherein calculating a user historical mean and a user historical standard deviation further includes:
    examining activities performed by the individual user.

8. A method as recited in claim 5 further comprising counting the number of times an activity is performed by the individual user.

9. A method as recited in claim 5 further including calculating a normalized user deviation from normal behavior of the individual user using the user activity data.

10. A method as recited in claim 1 wherein calculating historical values further includes accessing the user activity data at predetermined time intervals.

11. A method as recited in claim 1 wherein calculating a feature further includes:
    retrieving the user historical mean and the user historical standard deviation; and
    computing a first deviation of behavior of the selected user from the user historical mean.

12. A method as recited in claim 11 wherein calculating a feature further includes:
    retrieving the peer historical mean and the peer historical standard deviation; and
    computing a second deviation of behavior of the selected user from the peer historical mean.

13. A method as recited in claim 11 wherein the user historical mean for a particular activity is calculated based on a time-weighted user historical standard deviation.

14. A method as recited in claim 12 wherein the peer historical mean for a particular activity is calculated based on a time-weighted peer historical standard deviation.

15. A method of generating a feature to be used in a model, the method comprising:
    collecting user-specific activity data for a plurality of activities;
    generating user-specific historical data for a particular activity utilizing the user-specific activity data;
    generating peer historical data for the particular activity;
    utilizing the user-specific historical data and the peer historical data to generate a feature associated with the particular activity, wherein the feature reflects current behavior and past behavior of a particular user and of a group of users on a computer system with respect to the particular activity.

… computing a user deviation from normal behavior of the particular user for the particular activity.

17. A method as recited in claim 15 wherein utilizing the user-specific historical data and the peer historical data to generate a feature further comprises:
    computing a peer deviation from normal behavior of the particular user for the particular activity.

18. A method as recited in claim 15 wherein generating user-specific historical data for a particular activity utilizing the user-specific activity data further comprises:
    determining a first count of the number of times the particular activity was performed by the user in a predetermined time period;
    updating a previous user historical mean value associated with the particular activity using the first count, thereby deriving a current user historical mean value; and
    updating a previous user historical standard deviation value associated with the particular activity using the first count, thereby deriving a current user historical standard deviation value.

19. A method as recited in claim 15 wherein determining a first count further comprises accessing the user-specific activity data.

20. A method as recited in claim 19 wherein the user-specific activity data includes a user identifier, an activity descriptor, and an activity timestamp.

21. A method as recited in claim 15 wherein generating peer historical data for the particular activity further includes:
    determining a second count of the number of times the particular activity was performed by the group of users in a predetermined time period;
    updating a previous peer historical mean value associated with the particular activity using the second count, thereby deriving a current peer historical mean value; and
    updating a previous peer historical standard deviation value associated with the particular activity using the second count, thereby deriving a current peer historical standard deviation value.

22. A computer network intrusion detection system comprising:
    a user activity data file containing user-specific data related to activities performed by a particular user;
    a historical data file containing statistical data related to past behavior of a user and of a peer group; and
    a features generator accepting as input the user-specific data and the statistical data related to past behavior of a user and of a peer group, wherein the features generator calculates a feature based on current and past behavior of the user and current and past behavior of the peer group.

… a model trained to accept as input a feature generated by the features generator and to output a score indicating the likelihood that a particular activity is an intrusion.

24. A network intrusion detection system as recited in claim 22 further comprising:
    a features list having a plurality of segments, a segment corresponding to a user and containing a plurality of values corresponding to activities performed on the system.

25. A network intrusion detection system as recited in claim 24 wherein a segment in the features list includes a first section storing a plurality of user-related values and a second section storing a plurality of peer-related values.

26. A network intrusion detection system as recited in claim 22 wherein the user activity data file further includes a user identifier, an activity description, and a timestamp.

27. A network intrusion detection system as recited in claim 22 wherein the historical data file further includes a user historical mean and a peer historical mean.

28. A network intrusion detection system as recited in claim 22 wherein the historical data file further includes a user historical standard deviation and a peer historical standard deviation.

29. A computer-readable medium containing programmed instructions arranged to detect an intrusion into a computer system, the computer-readable medium including programmed instructions for:
    gathering user activity data corresponding to activities performed by an individual user;
    calculating historical values based on activities performed by users on the computer system;
    calculating a feature using the historical values and the user activity data; and
    utilizing the feature in a model to obtain a value indicating the likelihood of an intrusion, whereby the historical values are adjusted according to shifts in normal behavior of users, thereby enabling calculation of the feature to reflect changing characteristics of behavior of the users on the computer system.

31. A computer-readable medium containing programmed instructions arranged to generate a feature to be used in a model, the computer-readable medium including programmed instructions for:
    collecting user-specific activity data for a plurality of activities;
    generating user-specific historical data for a particular activity utilizing the user-specific activity data;
    generating peer historical data for the particular activity;
    utilizing the user-specific historical data and the peer historical data to generate a feature associated with the particular activity, wherein the feature reflects current behavior and past behavior of a particular user and of a group of users on a computer system with respect to the particular activity.
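The following is an added worked example, not code from the patent or its assignee, showing the feature-generation pipeline the claims describe: per-period activity counts (claims 18 and 21), time-weighted user and peer historical means and standard deviations (claims 5, 6, 13, 14), normalized user and peer deviations (claims 9, 11, 12, 16, 17), and a per-user features list with a user section and a peer section (claims 24, 25). Everything not stated in the claims is an assumption and is marked as such in the code: one period is one calendar day, "time-weighted" is realised as an exponentially weighted update with decay factor ALPHA, the peer count is the group's per-member average for the period, peer groups are supplied explicitly, and the `score` function is a stand-in for the trained model the claims mention rather than any model the patent discloses. The sample activity data is constructed for the demo.

```python
"""Added example: a features generator with adaptive user and peer history.
Assumptions (not from the patent): one period = one day; exponentially
weighted mean/variance stands in for 'time-weighted'; the peer count is the
group's per-member average; score() is a placeholder for the trained model."""
import math
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

ALPHA = 0.2        # weight of the newest period in the running statistics (assumption)
MIN_STD = 0.5      # floor on std so a perfectly flat history cannot divide by zero (assumption)
MIN_PERIODS = 3    # periods of history required before a deviation is reported (assumption)


@dataclass
class RunningStats:
    """Historical mean and standard deviation for one (entity, activity) pair."""
    mean: float = 0.0
    var: float = 0.0
    periods: int = 0

    def update(self, count: float) -> None:
        """Fold this period's count into the history; the mean and std drift with it."""
        if self.periods == 0:
            self.mean = count
        else:
            diff = count - self.mean
            self.mean += ALPHA * diff                               # exponentially weighted mean
            self.var = (1.0 - ALPHA) * (self.var + ALPHA * diff * diff)  # and variance
        self.periods += 1

    @property
    def std(self) -> float:
        return max(math.sqrt(self.var), MIN_STD)

    def deviation(self, count: float) -> float:
        """Normalised deviation of a period count from this history (a z-score)."""
        if self.periods < MIN_PERIODS:
            return 0.0          # too little history to judge; report no deviation
        return (count - self.mean) / self.std


class FeatureGenerator:
    def __init__(self, peer_groups, activities):
        self.peer_groups = peer_groups      # group name -> list of user ids (assumed given)
        self.activities = activities
        self.user_stats = {}                # (user, activity) -> RunningStats
        self.peer_stats = {}                # (group, activity) -> RunningStats

    def process_period(self, records):
        """records: (user_id, activity, timestamp) tuples for ONE period.
        Returns the features list: user -> {"user": {...}, "peer": {...}}."""
        counts = Counter((user, act) for user, act, _ts in records)   # first counts
        features = {}
        for group, members in self.peer_groups.items():
            for act in self.activities:
                per_member = [counts[(user, act)] for user in members]
                peer_count = sum(per_member) / len(members)            # second count (assumption)
                pstats = self.peer_stats.setdefault((group, act), RunningStats())
                for user, count in zip(members, per_member):
                    ustats = self.user_stats.setdefault((user, act), RunningStats())
                    segment = features.setdefault(user, {"user": {}, "peer": {}})
                    # deviations are measured against history BEFORE this period is folded in
                    segment["user"][act] = ustats.deviation(count)
                    segment["peer"][act] = pstats.deviation(count)
                    ustats.update(count)    # history adapts to shifts in normal behaviour
                pstats.update(peer_count)
        return features


def score(segment):
    """Placeholder for the trained model: squash the largest deviation into (0, 1)."""
    worst = max(list(segment["user"].values()) + list(segment["peer"].values()), default=0.0)
    return 1.0 / (1.0 + math.exp(-(worst - 3.0)))   # about 0.5 at three standard deviations


# Constructed sample data: seven days of file_download counts for one peer group.
# On day 7 alice downloads far more than both her own history and her peers.
DAILY_COUNTS = {
    "alice": [3, 2, 4, 3, 2, 4, 40],
    "bob":   [4, 5, 3, 4, 5, 3, 4],
    "carol": [2, 2, 3, 2, 1, 3, 2],
}


def build_records(day, user, n):
    """Expand a daily count into n (user, activity, timestamp) records."""
    return [(user, "file_download", datetime(2024, 1, day, 9, 0))] * n


def run_demo():
    gen = FeatureGenerator({"finance": ["alice", "bob", "carol"]}, ["file_download"])
    last = None
    for day in range(1, 8):
        records = []
        for user, series in DAILY_COUNTS.items():
            records += build_records(day, user, series[day - 1])
        last = gen.process_period(records)
    return gen, last


if __name__ == "__main__":
    generator, feats = run_demo()
    for user, seg in feats.items():
        print(user, seg, round(score(seg), 3))
```

Deviations are computed against the history as it stood before the current period and only then is the period folded in, so the same count that raises an alert also begins to shift the user's baseline; after a few quiet periods the new level reads as normal, which is the adaptive behaviour the claims describe and also the reason a slow ramp-up is harder for this kind of feature to catch than a sudden spike.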
Specification