IPC classification information

Country / type: United States (US) Patent, granted
International Patent Classification (IPC 7th ed.): (not given)
Application number: US-0303102 (2011-11-22)
Patent number: US-8621631 (2013-12-31)
Inventors / address:
- Koelle, Katharina Veronika
- Midwinter, Wendy
Applicant / address: (not given)
Agent / address: Frommer Lawrence & Haug LLP
Citation information: times cited: 0; patents cited: 109

Abstract
A system, apparatus, and method are directed to evolving detectors in an Artificial Immune System for use in detecting unauthorized computing activities. In one embodiment, a population of detectors is generated with a matching value and expectation value of zero. The detectors are then compared to logged fragments of system calls within a computing device to modify the matching value. When the matching value for a given detector is equal to or greater than an expectation value, the detector's expectation value may be set to the matching value. The detectors may then evolve and/or generate other detectors using mutation, and/or recombination, or the like. Detectors continue to generate and/or to evolve until a detector's matching value reaches a determined value, in which case, the detector may be evaluated to determine if an unauthorized activity is detected. If an unauthorized activity is detected, a detection response may be performed.
Representative claims
1. A network device for detecting an unauthorized activity by another network device, comprising: a transceiver that is configured to communicate over a network; a memory that is configured to store instructions; and a processor that is configured to execute instructions that enable actions, including:
   generating a plurality of detectors, wherein each detector includes a plurality of system calls;
   determining an initial matching value and an expectation value for each detector;
   comparing each detector to logged fragments of system calls that are associated with a computing process, and employing at least in part the comparison to determine a new matching value for each detector;
   when the new matching value for at least one detector is equal to or greater than the at least one detector's expectation value, evolving a child detector from the at least one parent detector;
   generating a value for the child detector that is based on a combination of common values from a plurality of detectors that are employed to evolve the child detector;
   associating a rate of mutation for each detector that corresponds to mutations in its evolved child detectors; and
   enabling a mutation in at least one child detector, wherein the mutation includes a change from a corresponding parent detector for at least one of a fragment length for each system call and a type of each system call.

2. The network device of claim 1, wherein generating the detector further comprises at least one action of: randomly generating the detector; and employing at least one pattern of system calls associated with the computing process to generate the detector.

3. The network device of claim 1, further comprising the action of determining for each detector at least one of: an amount of corresponding child detectors, and a rate for evolving child detectors.

4. The network device of claim 1, further comprising the action of modifying the parent detector's expectation value based on at least a copy of the parent detector and at least one mutation.

5. The network device of claim 1, further comprising the action of modifying at least one child detector's expectation value and the new matching value based on another comparison to the logged fragments of the system calls.

6. The network device of claim 1, further comprising the action of, when one expectation value for the detector or at least one of its corresponding child detectors exceeds a threshold value, evaluating the detector to determine when unauthorized activity is detected at the other network device.

7. A method for detecting an unauthorized activity at a network device, comprising the actions of enabling a processor to execute instructions that enable further actions, including:
   generating a plurality of detectors, wherein each detector includes a plurality of system calls;
   determining an initial matching value and an expectation value for each detector;
   comparing each detector to logged fragments of system calls that are associated with a computing process, and employing at least in part the comparison to determine a new matching value for each detector;
   when the new matching value for at least one detector is equal to or greater than the at least one detector's expectation value, evolving a child detector from the at least one parent detector;
   generating a value for the child detector that is based on a combination of common values from a plurality of detectors that are employed to evolve the child detector;
   associating a rate of mutation for each detector that corresponds to mutations in its evolved child detectors; and
   enabling a mutation in at least one child detector, wherein the mutation includes a change from a corresponding parent detector for at least one of a fragment length for each system call and a type of each system call.

8. The method of claim 7, wherein generating the detector further comprises at least one action of: randomly generating the detector; and employing at least one pattern of system calls associated with the computing process to generate the detector.

9. The method of claim 7, further comprising the action of determining for each detector at least one of: an amount of corresponding child detectors, and a rate for evolving child detectors.

10. A non-transitive processor readable storage media that includes data and instructions, wherein execution of the instructions by a processor enables actions for detecting an unauthorized activity at a network device, the actions include:
   generating a plurality of detectors, wherein each detector includes a plurality of system calls;
   determining an initial matching value and an expectation value for each detector;
   comparing each detector to logged fragments of system calls that are associated with a computing process, and employing at least in part the comparison to determine a new matching value for each detector;
   when the new matching value for at least one detector is equal to or greater than the at least one detector's expectation value, evolving a child detector from the at least one parent detector;
   generating a value for the child detector that is based on a combination of common values from a plurality of detectors that are employed to evolve the child detector;
   associating a rate of mutation for each detector that corresponds to mutations in its evolved child detectors; and
   enabling a mutation in at least one child detector, wherein the mutation includes a change from a corresponding parent detector for at least one of a fragment length for each system call and a type of each system call.

11. The media of claim 10, wherein generating the detector further comprises at least one action of: randomly generating the detector; and employing at least one pattern of system calls associated with the computing process to generate the detector.

12. The media of claim 10, further comprising the action of determining for each detector at least one of: an amount of corresponding child detectors, and a rate for evolving child detectors.

13. A system for detecting an unauthorized computing activity, comprising:
   a server device that is configured to perform actions, including:
      generating a plurality of detectors, wherein each detector includes a plurality of system calls;
      determining an initial matching value and an expectation value for each detector;
      sending the plurality of detectors over a network to at least one client device;
      generating a value for the child detector that is based on a combination of common values from a plurality of detectors that are employed to evolve the child detector;
      associating a rate of mutation for each detector that corresponds to mutations in its evolved child detectors; and
      enabling a mutation in at least one child detector, wherein the mutation includes a change from a corresponding parent detector for at least one of a fragment length for each system call and a type of each system call; and
   a client device that is configured to perform actions, including:
      receiving the plurality of detectors;
      comparing each detector to logged fragments of system calls that are associated with a computing process, and employing at least in part the comparison to determine a new matching value for each detector; and
      when the new matching value for at least one detector is equal to or greater than the at least one detector's expectation value, evolving a child detector from the at least one parent detector.

14. The system of claim 13, wherein generating the detector further comprises at least one action of: randomly generating the detector; and employing at least one pattern of system calls associated with the computing process to generate the detector.

15. The system of claim 13, further comprising the action by the server device of determining for each detector at least one of: an amount of corresponding child detectors, and a rate for evolving child detectors.
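The following Python sketch is an added illustration, not code from the patent or its assignee, of the detector life cycle that the abstract and claims 1, 7 and 10 describe: detectors start with matching and expectation values of zero, are scored against logged system-call fragments, raise their expectation value and evolve children by mutation (fragment length or syscall type) or recombination (values common to two parents) whenever matching meets expectation, and are handed off for evaluation once a matching value reaches a determined threshold. The detector representation (a tuple of syscall types whose length is the fragment length), the constructed syscall log, the 50% mutation rate and the population bound are assumptions of this example.

```python
import random
from dataclasses import dataclass
# Constructed syscall log of one monitored process (sample data, not from the patent).
LOG = ["open", "read", "read", "write", "close", "open", "read", "write",
       "close", "socket", "connect", "write", "read", "close"]
SYSCALLS = ["open", "read", "write", "close", "socket", "connect", "exec"]

@dataclass
class Detector:
    calls: tuple                # syscall types; len(calls) is the fragment length (assumed model)
    matching: int = 0           # initial matching value of zero, as in the abstract
    expectation: int = 0        # initial expectation value of zero
    mutation_rate: float = 0.5  # per-detector rate of mutation (assumed default)

def fragments(log, length):
    """Logged fragments: every window of `length` consecutive syscalls."""
    return [tuple(log[i:i + length]) for i in range(len(log) - length + 1)]

def score(det, log):
    """New matching value: the number of logged fragments equal to the detector."""
    return sum(1 for f in fragments(log, len(det.calls)) if f == det.calls)

def mutate(parent, rng):
    """Child differs from its parent in fragment length or in a syscall type."""
    calls = list(parent.calls)
    if len(calls) > 1 and rng.random() < 0.5:      # change fragment length
        calls = calls[:-1] if rng.random() < 0.5 else calls + [rng.choice(SYSCALLS)]
    else:                                          # change a syscall type
        calls[rng.randrange(len(calls))] = rng.choice(SYSCALLS)
    return Detector(tuple(calls), mutation_rate=parent.mutation_rate)

def recombine(a, b):
    """Child built from the values common to two parents (falls back to the first)."""
    common = tuple(x for x, y in zip(a.calls, b.calls) if x == y)
    return Detector(common or a.calls, mutation_rate=(a.mutation_rate + b.mutation_rate) / 2)

def evolve(log, threshold, generations=30, seed=1):
    rng = random.Random(seed)
    pop = [Detector((rng.choice(SYSCALLS), rng.choice(SYSCALLS))) for _ in range(6)]
    for _ in range(generations):
        children = []
        for det in pop:
            det.matching = score(det, log)
            if det.matching >= threshold:   # determined value reached: hand off for
                return det                  # evaluation and a possible detection response
            if det.matching >= det.expectation:
                det.expectation = det.matching
                children.append(mutate(det, rng) if rng.random() < det.mutation_rate else recombine(det, rng.choice(pop)))
        pop = (pop + children)[-12:]        # bounded population size (assumed)
    return None                             # no detector reached the threshold
```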