Mining and integrating program-level context information into low-level system provenance graphs
US11741220B2 · kind B2 · utility
Assignee
Inventors
Key dates
| Date | Value |
| --- | --- |
| Filing date | Aug 10, 2021 |
| Grant date | Aug 29, 2023 |
| Priority date | — |
| Expiry date | Feb 12, 2042 |
Classification
- Technology area (CPC G): Physics
- CPC primary: G06N20/00
- WIPO field: Computer technology
- WIPO sector: Electrical engineering
Abstract
A computer-implemented method is provided for computer intrusion detection. The method includes establishing a mapping from low-level system calls to user functions in computer programs, where the user functions run in the user space of an operating system. The method further includes identifying, using a search algorithm that takes as input the mapping and a system-call trace captured at runtime, which of the user functions triggered the low-level system calls in the system-call trace. The method further includes performing, by a processor device, intrusion detection on a provenance graph enriched with program context. The nodes of the provenance graph are formed from the user functions that triggered the low-level system calls in the system-call trace, and its edges carry labels describing high-level system operations, so that intrusion detection can be based on correlating low-level system calls with high-level system operations.
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.