Identifying Service Issues By Analyzing Anomalies
US-2020344252-A1 · Oct 29, 2020 · US
US11513878B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11513878-B2 |
| Application number | US-202117180912-A |
| Country | US |
| Kind code | B2 |
| Filing date | Feb 22, 2021 |
| Priority date | Jun 26, 2020 |
| Publication date | Nov 29, 2022 |
| Grant date | Nov 29, 2022 |
Official abstract text for this publication.
Aspects of the disclosure relate to the field of detecting a behavioral anomaly in an application. In one exemplary aspect, a method may comprise retrieving and identifying at least one key metric from historical usage information for an application on a computing device. The method may comprise generating a regression model configured to predict usage behavior associated with the application and generating a statistical model configured to identify outliers in the data associated with the at least one key metric. The method may comprise receiving usage information in real-time for the application. The method may comprise predicting, using the regression model, a usage pattern for the application indicating expected values of the at least one key metric. In response to determining that the usage information does not correspond to the predicted usage pattern and does not comprise a known outlier, the method may comprise detecting the behavioral anomaly.
Opening claim text (preview).
The invention claimed is:
1. A method for detecting a behavioral anomaly in an application, the method comprising: retrieving, by a security application, historical usage information for an application on a computing device; identifying, by the security application, at least one key metric from the historical usage information; generating, by the security application, a regression model configured to predict usage behavior associated with the application based on data associated with the at least one key metric; generating, by the security application, a statistical model configured to identify outliers in the data associated with the at least one key metric; subsequent to generating the regression model and the statistical model, receiving, by the security application, usage information in real-time for the application; predicting, using the regression model of the security application, a usage pattern for the application indicating expected values of the at least one key metric; in response to determining that the usage information received in real-time does not correspond to the predicted usage pattern, determining via the statistical model of the security application whether the usage information comprises a known outlier; in response to determining that the usage information does not comprise the known outlier, detecting, by the security application, the behavioral anomaly; and generating, by the security application for output on the computing device, an alert indicative of the behavioral anomaly.
2. The method of claim 1, wherein the historical usage information occurred within a time interval that is periodic, and wherein predicting the usage pattern further comprises using a version of the regression model associated with the time interval.
3. The method of claim 1, wherein the statistical model is a probability distribution that highlights data points associated with the at least one metric that are not anomalous.
4. The method of claim 1, wherein the at least one key metric comprises at least one of: (1) client connections, (2) latency, (3) number of account lookups, (4) bytes read, and (5) number of file lookups.
5. The method of claim 1, further comprising: in response to determining that the usage information received in real-time corresponds to the predicted usage pattern or that the usage information comprises the known outlier, determining that the behavioral anomaly has not occurred and not generating the alert.
6. The method of claim 1, wherein determining that the usage information received in real-time does not correspond to the predicted usage pattern further comprises: determining that an average difference, between values of the at least one key metric from the usage information received in real-time and the expected values of the at least key metric according to the predicted usage pattern, exceeds a threshold difference.
7. The method of claim 6, further comprising: receiving a response to the alert indicating that the behavioral anomaly is a false positive; automatically increasing the threshold difference.
8. The method of claim 1, further comprising: receiving a response to the alert indicating that the behavioral anomaly is a false positive; adjusting both the regression model and the statistical model based on the usage information received in real-time, wherein the regression model is retrained on an updated dataset and the statistical model indicates an updated outlier.
9. A system for detecting a behavioral anomaly in an application, the system comprising: a hardware processor configured to execute a security application, wherein the security application is configured to: retrieve historical usage information for an application on a computing device; identify at least one key metric from the historical usage information; generate a regression model configured to predict usage behavior associated with the application based on data associated with the at least one key metric; generate a statistical model configured to identify outliers in the data associated with the at least one key metric; subsequent to generating the regression model and the statistical model, receive usage information in real-time for the application; predict, using the regression model, a usage pattern for the application indicating expected values of the at least one key metric; in response to determining that the usage information received in real-time does not correspond to the predicted usage pattern, determine via the statistical model whether the usage information comprises a known outlier; in response to determining that the usage information does not comprise the known outlier, detect the behavioral anomaly; and generate, for output on the computing device, an alert indicative of the behavioral anomaly.
10. The system of claim 9, wherein the historical usage information occurred within a time interval that is periodic, and wherein predicting the usage pattern further comprises using a version of the regression model associated with the time interval.
11. The system of claim 9, wherein the statistical model is a probability distribution that highlights data points associated with the at least one metric that are not anomalous.
12. The system of claim 9, wherein the at least one key metric comprises at least one of: (1) client connections, (2) latency, (3) number of account lookups, (4) bytes read, and (5) number of file lookups.
13. The system of claim 9, wherein the hardware processor is further configured to: in response to determining that the usage information received in real-time corresponds to the predicted usage pattern or that the usage information comprises the known outlier, determine that the behavioral anomaly has not occurred and not generating the alert.
14. The system of claim 9, wherein the hardware processor is configured to determine that the usage information received in real-time does not correspond to the predicted usage pattern by: determining that an average difference, between values of the at least one key metric from the usage information received in real-time and the expected values of the at least key metric according to the predicted usage pattern, exceeds a threshold difference.
15. The system of claim 14, wherein the hardware processor is further configured to: receive a response to the alert indicating that the behavioral anomaly is a false positive; automatically increase the threshold difference.
16. The system of claim 9, wherein the hardware processor is further configured to: receive a response to the alert indicating that the behavioral anomaly is a false positive; adjust both the regression model and the statistical model based on the usage information received in real-time, wherein the regression model is retrained on an updated dataset and the statistical model indicates an updated outlier.
17. A non-transitory computer readable storage medium storing thereon computer executable instructions for detecting a behavioral anomaly in an application, including instructions for: retrieving, by a security application, historical usage information for an application on a computing device; identifying, by the security application, at least one key metric from the historical usage information; generating, by the security application, a regression model configured to predict usage behavior associated with the application based on data associated with the at least one key metric; generating, by the security application, a statistical model configured to identify outliers in the data associated with the
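The detection loop that the abstract and claims 1, 2, 3, 5, 6 and 7 describe, as an added example that is not code from the patent or its assignee. It assumes one construction of each component: the regression model is a per-hour-of-day least-squares line against the day index (the "version of the regression model associated with the time interval" of claim 2), the statistical model records historical points lying more than three standard deviations from their hour-of-day median as known outliers (claim 3), the "average difference" of claim 6 is taken as the mean relative deviation across the five key metrics of claim 4, and a false-positive report multiplies the threshold by 1.5 (claim 7). The usage rows are constructed: a diurnal load pattern, a slow growth trend, and a legitimate weekly backup spike at 02:00 that must not raise an alert.

```python
"""Regression + statistical-model anomaly detector (added example, constructed data)."""
from collections import defaultdict
from statistics import mean, median, pstdev

# the five key metrics named in claim 4
METRICS = ("client_connections", "latency_ms", "account_lookups", "bytes_read", "file_lookups")


def synthetic_history(days=14):
    """Constructed hourly usage rows: diurnal load, slow growth, and a benign
    weekly backup at 02:00 on days 6 and 13 that reads 20x the usual bytes."""
    rows = []
    for d in range(days):
        for h in range(24):
            load = 1.0 if 8 <= h < 18 else 0.3       # business hours vs off hours
            rows.append({
                "day": d, "hour": h,
                "client_connections": 200 * load + 2 * d,
                "latency_ms": 40 + 20 * load,
                "account_lookups": 500 * load + 5 * d,
                "bytes_read": 1_000_000 * load,
                "file_lookups": 300 * load,
            })
            if h == 2 and d % 7 == 6:
                rows[-1]["bytes_read"] *= 20
    return rows


def fit_line(xs, ys):
    """Ordinary least squares y = a + b*x; one such line is the regression model
    for one (metric, hour-of-day) pair."""
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    b = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx if sxx else 0.0
    return my - b * mx, b


class BehaviorModel:
    def __init__(self, history, threshold=0.25, outlier_z=3.0, tolerance=0.25):
        self.threshold = threshold        # claim 6: threshold on the average difference
        self.outlier_z = outlier_z        # z-score beyond which a historical point is an outlier
        self.tolerance = tolerance        # relative closeness to a recorded outlier value
        self.known_outliers = defaultdict(list)   # (metric, hour) -> recorded outlier values
        self.lines = {}                   # (metric, hour) -> (intercept, slope) versus day
        self._train(history)

    def _train(self, history):
        # Statistical model: deviation of every point from its hour-of-day median,
        # pooled per metric; |z| > outlier_z marks a known outlier (assumed construction).
        outlier_ids = set()
        for m in METRICS:
            med = {h: median(r[m] for r in history if r["hour"] == h) for h in range(24)}
            dev = [r[m] - med[r["hour"]] for r in history]
            scale = pstdev(dev) or 1.0
            for i, r in enumerate(history):
                if abs(dev[i]) / scale > self.outlier_z:
                    outlier_ids.add(i)
                    self.known_outliers[(m, r["hour"])].append(r[m])
        # Regression model: one line per (metric, hour) against the day index, fit on
        # the rows the statistical model did not flag (claim 2: a version per interval).
        clean = [r for i, r in enumerate(history) if i not in outlier_ids]
        for m in METRICS:
            for h in range(24):
                pts = [(r["day"], r[m]) for r in clean if r["hour"] == h]
                self.lines[(m, h)] = fit_line([p[0] for p in pts], [p[1] for p in pts])

    def predict(self, day, hour):
        """Expected value of every key metric for the given day and hour-of-day."""
        expected = {}
        for m in METRICS:
            a, b = self.lines[(m, hour)]
            expected[m] = a + b * day
        return expected

    def evaluate(self, obs):
        """Claims 1, 5, 6: compare a live observation with the prediction, then consult
        the statistical model before deciding whether an alert is warranted."""
        expected = self.predict(obs["day"], obs["hour"])
        rel = {m: abs(obs[m] - expected[m]) / max(abs(expected[m]), 1e-9) for m in METRICS}
        score = mean(rel.values())            # assumed form of the "average difference"
        if score <= self.threshold:
            return {"score": score, "anomaly": False, "reason": "matches prediction"}
        # every metric driving the deviation must match a recorded outlier for this hour
        deviating = [m for m in METRICS if rel[m] > self.threshold]
        known = all(
            any(abs(obs[m] - v) <= self.tolerance * abs(v)
                for v in self.known_outliers.get((m, obs["hour"]), []))
            for m in deviating
        )
        if known:
            return {"score": score, "anomaly": False, "reason": "known outlier"}
        return {"score": score, "anomaly": True, "reason": "behavioral anomaly"}

    def report_false_positive(self, factor=1.5):
        """Claim 7: the analyst marks the alert as a false positive, so the threshold rises."""
        self.threshold *= factor
        return self.threshold


if __name__ == "__main__":
    model = BehaviorModel(synthetic_history())
    live = {"day": 14, "hour": 2, "client_connections": 88, "latency_ms": 46,
            "account_lookups": 220, "bytes_read": 5_800_000, "file_lookups": 90}
    print(model.evaluate(live))               # backup-sized read at 02:00: known outlier
```

The split between the two models matters for tuning: the threshold of claim 6 controls how far live values may drift before the statistical model is consulted at all, and raising it on a false-positive report (claim 7) widens every future alert, whereas recording the observation as a known outlier (the alternative in claim 8) only suppresses repeats of that specific pattern at that hour.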
Probabilistic graphical models, e.g. probabilistic networks · CPC title
monitoring of user actions (tracking the activity of the user H04L67/535) · CPC title
Test or assess software · CPC title
Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title
Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms · CPC title