| 发明名称 |
USING CALL STACK SNAPSHOTS TO DETECT ANOMALOUS COMPUTER BEHAVIOR |
| 摘要 |
Detecting computer anomalies by determining probabilities of encountering call stack configurations at various depths, the call stacks being associated with software application instances on computers having the same operating system, where snapshots of the call stacks are recorded on the computers responsive to detecting predefined software application events, determining entropies of call stack configurations at various call stack depths using their associated probabilities, determining stack frame rarity scores of call stack configurations at various depths based on their associated stack frame entropies in accordance with a predefined rarity function, determining a call stack rarity score of any given call stack configuration as the maximum stack frame rarity score of the given configuration, and detecting an anomaly associated with any given one of the computers where any of the snapshots recorded on the given computer is of a call stack whose call stack rarity score meets a predefined anomaly condition. |
| 申请公布号 |
US2017124319(A1) |
申请公布日期 |
2017.05.04 |
| 申请号 |
US201514948328 |
申请日期 |
2015.11.22 |
| 申请人 |
INTERNATIONAL BUSINESS MACHINES CORPORATION |
发明人 |
PELEG RON;RONEN AMIR;SALMAN TAMER;REGEV SHMUEL;AHARONI EHUD |
| 分类号 |
G06F21/52;G06F21/56;G06F21/55 |
主分类号 |
G06F21/52 |
| 代理机构 |
|
代理人 |
|
| 主权项 |
1. A computer anomaly detection method comprising:
determining stack frame probabilities of encountering various configurations of multiple call stacks at various call stack depths,
wherein the call stacks are associated with multiple instances of a software application on multiple computers having the same operating system, andwherein multiple snapshots of the call stacks are recorded on the computers responsive to detecting a predefined event in connection with the software application; determining stack frame entropies of various configurations of the call stacks at various call stack depths based on their associated stack frame probabilities; determining stack frame rarity scores of various configurations of the call stacks at various call stack depths based on their associated stack frame entropies in accordance with a predefined rarity function; determining a call stack rarity score of any given configuration of the call stacks as the maximum stack frame rarity score of the given configuration; and detecting an anomaly associated with any given one of the computers wherein any of the snapshots recorded on the given computer is of a call stack whose call stack rarity score meets a predefined anomaly condition. |
| 地址 |
ARMONK NY US |
