| US 7,475,405 B2 | ||
| Method and system for detecting unusual events and application thereof in computer intrusion detection | ||
| Stefanos Manganaris, Durham, N.C. (US); and Keith Hermiz, Arlington, Va. (US) | ||
| Assigned to International Business Machines Corporation, Armonk, N.Y. (US) | ||
| Filed on Dec. 27, 2000, as Appl. No. 9/749,095. | ||
| Claims priority of provisional application 60/230486, filed on Sep. 06, 2000. | ||
| Prior Publication US 2002/0082886 A1, Jun. 27, 2002 | ||
| Int. Cl. G06F 3/00 (2006.01); G06F 9/44 (2006.01); G06F 9/46 (2006.01); G06F 13/00 (2006.01); G06F 17/00 (2006.01); G06F 11/00 (2006.01); G06F 12/14 (2006.01); G06F 12/16 (2006.01); G06F 15/18 (2006.01); G06N 5/00 (2006.01); G06N 5/02 (2006.01); G08B 23/00 (2006.01) | ||
| U.S. Cl. 719—318 [706/45; 706/46; 706/47; 706/48; 726/22; 726/23; 714/26] | 6 Claims |

1. A computer-implemented method of adaptively generating frequent event patterns as an expected behavior model by processing
event data to detect the occurrence of unusual events, said method comprising the steps of:
receiving a historical event data set wherein said historical event data comprises individual event alarms, a series of event
alarm groupings or a combination of single event and event groupings as well as context information including historic conditions
present when an event occurred;
identifying a context in which each event in said historical event data set occurred and categorizing each event according
to its identified context;
performing pattern analysis on said historical event data set and the identified context of the events in said historical
data set to generate frequent event patterns based on said historic event data wherein said pattern analysis step comprises:
performing association analysis on said historical event data set and the identified context of the events in said historical
event data set to generate association rules and frequent itemsets based on the event occurrences within a window of event
activity as said frequent event patterns;
performing sequential pattern analysis on said historical event data set and the identified context of the events in said
historical event data set to generate commonly occurring sequences of data events or data patterns as said frequent event patterns,
wherein the association analysis and sequential pattern analysis are performed serially;
receiving a current event data set wherein said current event data set comprises new input data;
identifying a context in which each event in said current event data set occurred and categorizing each event according to
its identified context;
comparing said frequent event patterns to said current event data set and the identified context of the events in said current
event data set to identify event occurrences in said current event data set that do not correspond to any of said frequent
event patterns, wherein said comparing step comprises applying said commonly occurring sequences of data events or data patterns,
said association rules and frequent itemsets to said current event data set including an analysis of the context in which
an event occurred as compared to historic conditions of when similar events occurred; and
outputting an unusual event indication whenever an event occurrence in the current event data set that does not correspond
to any of said frequent event patterns is identified.
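The claim above describes a pipeline: tag each alarm with the context it occurred in, mine frequent itemsets and association rules over windows of alarms, mine frequent sequences of alarms, run the two analyses one after the other, and then flag any current alarm that matches none of the mined patterns. The following Python is an added illustration of that pipeline and is not the patent's or IBM's implementation. It assumes a simplified Apriori for itemsets, contiguous subsequences for the sequential analysis, an "alarm@context" item encoding, and constructed sample alarm data; the thresholds (support 0.3, confidence 0.8) are arbitrary choices for the example.

```python
from collections import Counter
from itertools import combinations

# Constructed sample data (not from the patent). Each historical window is the set
# of alarms seen together; an item is "alarm@context" so that the context in which
# an alarm occurred is part of the event's identity (the claim's context step).
HISTORICAL_WINDOWS = [
    {"port_scan@offhours", "failed_login@offhours", "backup_start@offhours"},
    {"port_scan@offhours", "failed_login@offhours", "backup_start@offhours"},
    {"port_scan@offhours", "backup_start@offhours"},
    {"failed_login@business", "web_error@business"},
    {"failed_login@business", "web_error@business"},
    {"failed_login@business", "web_error@business", "vpn_login@business"},
]

# Constructed ordered alarm sequences (one per session) for the sequential analysis.
HISTORICAL_SEQUENCES = [
    ["vpn_login@business", "failed_login@business", "web_error@business"],
    ["vpn_login@business", "failed_login@business", "web_error@business"],
    ["backup_start@offhours", "port_scan@offhours"],
    ["backup_start@offhours", "port_scan@offhours"],
    ["vpn_login@business", "web_error@business"],
]


def frequent_itemsets(windows, min_support):
    """Apriori-style association analysis: return {itemset: support} for all
    itemsets whose fraction of windows is at least min_support."""
    n = len(windows)
    singles = Counter(item for w in windows for item in w)
    result = {frozenset([i]): c / n for i, c in singles.items() if c / n >= min_support}
    current, k = set(result), 1
    while current:
        k += 1
        # Join frequent (k-1)-itemsets into k-candidates, then count their support.
        candidates = {a | b for a in current for b in current if len(a | b) == k}
        current = set()
        for cand in candidates:
            support = sum(1 for w in windows if cand <= w) / n
            if support >= min_support:
                current.add(cand)
                result[cand] = support
    return result


def association_rules(itemsets, min_confidence):
    """Derive rules antecedent -> consequent from frequent itemsets of size >= 2."""
    rules = []
    for items, support in itemsets.items():
        for r in range(1, len(items)):
            for ante in combinations(sorted(items), r):
                ante = frozenset(ante)
                confidence = support / itemsets[ante]  # subsets of frequent sets are frequent
                if confidence >= min_confidence:
                    rules.append((ante, items - ante, confidence))
    return rules


def frequent_sequences(sequences, min_support, max_len=3):
    """Sequential pattern analysis (assumption: contiguous subsequences of length
    2..max_len); return {pattern tuple: support}."""
    n = len(sequences)
    counts = Counter()
    for seq in sequences:
        seen = set()  # count each pattern once per sequence
        for size in range(2, max_len + 1):
            for i in range(len(seq) - size + 1):
                seen.add(tuple(seq[i:i + size]))
        counts.update(seen)
    return {p: c / n for p, c in counts.items() if c / n >= min_support}


def build_model(windows, sequences, min_support=0.3, min_confidence=0.8):
    """Run association analysis, then sequential analysis, serially as the claim states."""
    itemsets = frequent_itemsets(windows, min_support)
    rules = association_rules(itemsets, min_confidence)
    seqs = frequent_sequences(sequences, min_support)
    return {"itemsets": itemsets, "rules": rules, "sequences": seqs}


def detect_unusual(model, current_sequence):
    """Compare a current ordered set of alarms against the model. Returns the alarms
    covered by no frequent itemset or sequence (unusual events) and the high-confidence
    rules whose antecedent occurred but whose consequent did not."""
    window = set(current_sequence)
    expected = set()
    for items in model["itemsets"]:
        if items <= window:
            expected |= items
    for pattern in model["sequences"]:
        size = len(pattern)
        for i in range(len(current_sequence) - size + 1):
            if tuple(current_sequence[i:i + size]) == pattern:
                expected.update(pattern)
    violated = [(ante, cons) for ante, cons, _ in model["rules"]
                if ante <= window and not cons <= window]
    return {"unusual_events": [e for e in current_sequence if e not in expected],
            "violated_rules": violated}


MODEL = build_model(HISTORICAL_WINDOWS, HISTORICAL_SEQUENCES)

if __name__ == "__main__":
    # A port scan during business hours is the same alarm type as the historical
    # off-hours scans, but in a context the model never saw, so it is flagged.
    print(detect_unusual(MODEL, ["backup_start@offhours", "port_scan@business",
                                 "failed_login@offhours", "malware_alert@offhours"]))
```

The contextual point of the claim shows up in the demo call: `port_scan@offhours` is a frequent item, but `port_scan@business` is not, so the same alarm type is reported as unusual purely because of its context. The violated-rule output is a second, optional signal (an expected consequent that failed to appear) that the rule set makes available; the claim's unusual-event indication corresponds to the `unusual_events` list.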