The present invention relates to the capture of correlations for use in behavioral models and more particularly to the capture of correlations between activity and non-activity attributes using n-grams.
In data processing security, anomaly detection is a technique of comparing new activity in a computer system with known “normal” activity patterns in the computer system. Typically, normal activity is learned from past operation of the computer system. Various prior art techniques differ in the model of “normal” behavior they use.
N-grams are useful in implementing approximate matching of current activity and past activity of the computer system. Further information about n-grams can be found at http://en.wikipedia.org/wiki/N-gram. In the past, it has been shown that n-gram models can be used to implement anomaly detection.