Sequence-based anomaly detection using a distance matrix
US6742124B1 · kind B1 · utility
Assignee
Inventors
Key dates
| Filing date | May 8, 2000 |
| Grant date | May 25, 2004 |
| Priority date | — |
| Expiry date | May 8, 2020 |
Classification
- Technology area (CPC G): Physics
- CPC primary: G06F21/316
- WIPO field: Digital communication
- WIPO sector: Electrical engineering
Abstract
A real-time sequence-based anomaly detection system is disclosed. In a preferred embodiment, the intrusion detection system is incorporated as part of a software wrapper. Event abstraction in the software wrapper enables the intrusion detection system to apply generically across various computing platforms. Real-time anomaly detection is enabled through the definition of a distance matrix that defines allowable separation distances between pairs of system calls. The distance matrix indirectly specifies known sequences of system calls and can be used to determine whether a sequence of system calls in an event window represents an anomaly. Anomalies that are detected are further analyzed through Levenshtein distance calculations that also rely on the contents of the distance matrix.
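The following is an added illustration of the idea in the abstract, written for this page; it is not code from the patent and does not reproduce the claimed method. It assumes a concrete representation that the abstract leaves open: the distance matrix is a map from each ordered pair of system calls to the set of separations (positions apart within a window) at which that pair was observed in normal traces; a window is anomalous when any pair in it occurs at a separation the matrix does not allow. The follow-up Levenshtein analysis is likewise an assumption: here an anomalous window is scored by its edit distance to the nearest window seen during training. The sample traces are constructed.

```python
from itertools import combinations
from typing import Dict, List, Sequence, Set, Tuple

# Constructed sample traces of system-call names (not from the patent).
NORMAL_TRACES: List[List[str]] = [
    ["open", "read", "read", "close"],
    ["open", "read", "write", "close"],
    ["open", "fstat", "read", "close"],
    ["socket", "connect", "write", "read", "close"],
]

WINDOW = 4  # event window length (assumed)

# (first_call, later_call) -> set of separations observed between them
DistanceMatrix = Dict[Tuple[str, str], Set[int]]
Window = Tuple[str, ...]


def sliding_windows(trace: Sequence[str], size: int) -> List[Window]:
    """All length-`size` windows of a trace, in order."""
    return [tuple(trace[i:i + size]) for i in range(len(trace) - size + 1)]


def build_distance_matrix(traces: Sequence[Sequence[str]], size: int) -> DistanceMatrix:
    """Record every (a, b, separation) triple seen inside a normal window.

    The matrix never stores whole sequences, yet it implicitly encodes them:
    a window is only accepted if every pair of calls in it sits at a
    separation that some normal window exhibited.
    """
    matrix: DistanceMatrix = {}
    for trace in traces:
        for window in sliding_windows(trace, size):
            for i, j in combinations(range(size), 2):
                matrix.setdefault((window[i], window[j]), set()).add(j - i)
    return matrix


def mismatches(window: Window, matrix: DistanceMatrix) -> List[Tuple[str, str, int]]:
    """Pairs in `window` whose separation the matrix does not allow."""
    bad = []
    for i, j in combinations(range(len(window)), 2):
        allowed = matrix.get((window[i], window[j]), set())
        if (j - i) not in allowed:
            bad.append((window[i], window[j], j - i))
    return bad


def levenshtein(a: Sequence[str], b: Sequence[str]) -> int:
    """Edit distance over system-call tokens (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (x != y)))
        prev = cur
    return prev[-1]


def nearest_known(window: Window, known: Set[Window]) -> int:
    """Edit distance from an anomalous window to the closest normal window."""
    return min(levenshtein(window, k) for k in known)


def analyse_trace(trace: Sequence[str], matrix: DistanceMatrix,
                  known: Set[Window], size: int) -> List[Tuple[Window, int, int]]:
    """Return (window, mismatch_count, edit_distance) for each anomalous window."""
    results = []
    for window in sliding_windows(trace, size):
        bad = mismatches(window, matrix)
        if bad:
            results.append((window, len(bad), nearest_known(window, known)))
    return results


if __name__ == "__main__":
    matrix = build_distance_matrix(NORMAL_TRACES, WINDOW)
    known = {w for t in NORMAL_TRACES for w in sliding_windows(t, WINDOW)}
    # A constructed trace with an unexpected execve in the middle of a file read.
    for window, count, dist in analyse_trace(
            ["open", "read", "execve", "close"], matrix, known, WINDOW):
        print(f"anomaly {window}: {count} disallowed pairs, edit distance {dist}")
```

Because the matrix holds pairwise separations rather than whole windows, a single unexpected call breaks every pair it participates in (three of the six pairs in the example above), which is what makes the check cheap enough to run per event; the edit distance then tells an analyst how far the window is from anything seen in training, separating a one-call substitution from a wholly foreign sequence.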
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.