摘要 |
A method for detecting malicious activity in a computer network including deploying one or more suspicious event sensors, each sensor operative to detect a predefined suspicious event on at least one computer, logging any suspicious events detected by the sensors during normal operation of the network when no malicious activity is present, calculating a statistical distribution of the logged events, comparing the results of the event sensors to the statistical distribution and determining the probability of the result against a predefined threshold, and activating any of an alarm and a defense mechanism where the probability exceeds the predefined threshold.
|