Method and system for establishing normal software system behavior and departures from normal behavior
US7185367B2 · kind B2 · utility
Assignee
Inventor
Key dates
| Filing date | Jun 16, 2003 |
| Grant date | Feb 27, 2007 |
| Priority date | — |
| Expiry date | Sep 24, 2024 |
Classification
- Technology area (CPC G): Physics
- CPC primary: G06F21/55
- WIPO field: Computer technology
- WIPO sector: Electrical engineering
Abstract
Detecting abnormal activity of a software system is based on behavioral information obtained from an instrumented computer program while it executes. As the program executes, it expresses information about the sequence and frequency with which program modules are called. Over time, this sequence and frequency defines the normal behavior of the program, and the information expressed on any given run is compared to this normal behavior. Statistical analysis of the differences between the normal behavior and the current run can be used to detect unauthorized or abusive use of the program. Program modules whose behavior is highly correlated can be grouped into a smaller number of virtual modules. Comparison between current and normal program behavior can then be made on the (smaller number of) virtual modules, thereby reducing the dimensionality of the problem of analyzing the differences between current and normal program behavior.
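The following is an added illustration of the approach the abstract describes, not code from the patent. It covers call frequency only (not call sequence). The Pearson correlation, the greedy grouping, the 0.9 threshold, the z-score comparison, and all module names and traces are assumptions constructed for the example.

```python
from collections import Counter
from statistics import mean, pstdev

MODULES = "ABCDE"  # constructed module ids; each character in a trace is one call
# Constructed traces of normal runs (A and B always co-vary, as do D and E).
BASELINE = ["AABBCCCCDDEE", "AAABBBCCCCDE", "ABCCCCDDDEEE", "AABBCCCCCCDE"]

def profile(trace):
    """Relative call frequency of each module in one execution trace."""
    counts = Counter(trace)
    return [counts[m] / len(trace) for m in MODULES]

def pearson(x, y):
    mx, my, sx, sy = mean(x), mean(y), pstdev(x), pstdev(y)
    if sx == 0 or sy == 0:
        return 0.0  # a constant column carries no correlation information
    return mean([(a - mx) * (b - my) for a, b in zip(x, y)]) / (sx * sy)

def virtual_modules(profiles, threshold=0.9):
    """Greedily group module indices whose frequencies correlate >= threshold."""
    cols = list(zip(*profiles))
    groups = []
    for i, col in enumerate(cols):
        for g in groups:
            if pearson(col, cols[g[0]]) >= threshold:
                g.append(i)
                break
        else:
            groups.append([i])
    return groups

def project(p, groups):
    """Collapse a per-module profile onto the virtual modules."""
    return [sum(p[i] for i in g) for g in groups]

def anomaly_score(trace, baseline, groups, floor=0.01):
    """Largest z-score of this run against the baseline, per virtual module."""
    base = [project(profile(t), groups) for t in baseline]
    run = project(profile(trace), groups)
    score = 0.0
    for j, col in enumerate(zip(*base)):
        sd = max(pstdev(col), floor)  # floor avoids dividing by zero
        score = max(score, abs(run[j] - mean(col)) / sd)
    return score

GROUPS = virtual_modules([profile(t) for t in BASELINE])
```

Five modules collapse to three virtual modules here, so the comparison against the baseline runs over three dimensions instead of five.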
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.