Title: BEHAVIORAL MODEL BASED ON SHORT AND LONG RANGE EVENT CORRELATIONS IN SYSTEM TRACES
Abstract: A method of generating a behavioral model of a computer system. A processor partitions a system log of process events into a plurality of strands sharing common characteristics. The processor selects attributes from the strands and generates first distinct n-grams that include attributes from successive events within a strand. The processor generates a first plurality of n-gram groups, each including a plurality of the first distinct n-grams in which a first one of the plurality of first distinct n-grams coexists in a strand also containing a second one of the plurality of first distinct n-grams. The processor generates a first plurality of n-gram group arrangements, each containing a plurality of n-gram groups, each of the n-gram groups being included, in combination, in at least one strand. The behavioral model contains the first distinct n-grams, the first plurality of n-gram groups, and the first plurality of n-gram group arrangements.
Publication number: US2016239596(A1) Publication date: 2016.08.18
Application number: US201615045292 Filing date: 2016.02.17
Applicant: International Business Machines Corporation Inventor: Pieczul Olgierd S.
Classification: G06F17/50 Main classification: G06F17/50
Agency: Agent:
Main claim: 1. A method of generating a behavioral model of a computer system, the computer system having a system log that records events generated by a plurality of processes executing on the computer system, the method comprising the steps of:
one or more processors partitioning the system log into a plurality of strands, each strand including events that share a common characteristic, the events included as past activity of the computer system;
the one or more processors selecting attributes from the plurality of strands;
the one or more processors generating first distinct n-grams, each n-gram including attributes from successive events within a strand;
the one or more processors generating a first plurality of n-gram groups, each n-gram group including a plurality of the first distinct n-grams in which a first one of the plurality of first distinct n-grams coexists in a strand also containing a second one of the plurality of first distinct n-grams;
the one or more processors generating a first plurality of n-gram group arrangements, each n-gram group arrangement including a plurality of n-gram groups, each of the n-gram groups being found, in combination, in at least one strand;
the one or more processors generating a behavioral model based on the past activity of the computer system, wherein the behavioral model contains the first distinct n-grams, the first plurality of n-gram groups, and the first plurality of n-gram group arrangements; and
the one or more processors determining whether an anomaly of events occurs in the computer system, based on the behavioral model.
Address: Armonk NY US
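The following is an added illustration of the three-level model in the claim (distinct n-grams, n-gram groups, group arrangements) and of the anomaly check built on it; it is not code from the patent or from IBM. It assumes a constructed log of "pid operation target" lines, strands partitioned by pid, the operation name as the selected attribute, n=2, and a group defined as a pair of n-grams coexisting in one strand.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample log (not from the patent): one "pid operation target" per line.
SAMPLE_LOG = """\
101 socket tcp
101 connect 10.0.0.5:443
101 send tcp
101 close tcp
102 open a.log
102 read a.log
102 close a.log
102 open b.log
"""

def parse_strands(text):
    """Partition the log into strands by shared pid; the selected attribute is the operation."""
    strands = defaultdict(list)
    for line in text.splitlines():
        pid, op, _target = line.split()
        strands[pid].append(op)
    return list(strands.values())

def ngrams(ops, n=2):
    """Distinct n-grams of attributes from successive events within one strand."""
    return {tuple(ops[i:i + n]) for i in range(len(ops) - n + 1)}

def groups(grams):
    """n-gram groups: pairs of distinct n-grams that coexist in the same strand."""
    return {frozenset(p) for p in combinations(grams, 2)}

def build_model(text, n=2):
    """Learn n-grams, groups and arrangements (all groups found together in one strand)."""
    model = {"ngrams": set(), "groups": set(), "arrangements": set()}
    for ops in parse_strands(text):
        g = ngrams(ops, n)
        model["ngrams"] |= g
        model["groups"] |= groups(g)
        model["arrangements"].add(frozenset(groups(g)))
    return model

def check_strand(model, ops, n=2):
    """Lowest level at which a new strand deviates from the model, or None if it conforms."""
    g = ngrams(ops, n)
    if not g <= model["ngrams"]:
        return "ngram"        # unseen short-range sequence
    if not groups(g) <= model["groups"]:
        return "group"        # known n-grams never seen together in a strand
    if frozenset(groups(g)) not in model["arrangements"]:
        return "arrangement"  # known groups in a combination never seen together
    return None
```

The "group" and "arrangement" outcomes are what the n-gram level alone cannot flag: every short sequence in the strand is known, but their long-range combination is not.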