The rise of computing and mobile devices has been accompanied by a rise in malicious software or malware (e.g., computer viruses, ransomware, worms, trojan horses, spyware, adware), information and identity theft, snooping, eavesdropping, and other unsavory acts. Thus, there is a need to develop improved systems and techniques for monitoring computing device activity, quickly and accurately identifying threats, and responding accordingly.
Intrusion detection systems (IDS) have been developed to detect unauthorized use of information and resources and to help uncover attempts to gain access to computer networks and the information stored therein. There are two complementary approaches to detecting intrusions, namely, knowledge-based approaches and behavior-based approaches.
Knowledge-based intrusion detection techniques compare captured data against a knowledge base of known exploit techniques (signatures of existing attacks). An alarm is triggered when a match is detected.
Behavior-based intrusion detection techniques attempt to spot intrusions by observing deviations from the normal or expected behavior of the system or its users. An alarm is generated when a suspected deviation is observed. Traditional security systems use rules to correlate events, and these rules may be used to analyze and correlate users and events to identify intrusions.
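As an added illustration that is not part of the original document, the following Python example contrasts the two approaches on a handful of constructed events: a knowledge-based detector that matches known signatures, and a behavior-based detector that flags deviations from per-user profiles learned from baseline activity. All event records, signature strings and function names are constructed for this example.

```python
from collections import defaultdict

# Constructed sample events (not from the original document). "payload" holds
# the observed request text; the other fields record who, where and when.
BASELINE = [  # a period of ordinary activity used to learn what "normal" is
    {"user": "alice", "host": "ws-01", "hour": 9,  "payload": "GET /reports"},
    {"user": "alice", "host": "ws-01", "hour": 10, "payload": "GET /reports/q3"},
    {"user": "alice", "host": "ws-01", "hour": 17, "payload": "POST /logout"},
    {"user": "bob",   "host": "ws-02", "hour": 8,  "payload": "GET /inventory"},
    {"user": "bob",   "host": "ws-07", "hour": 14, "payload": "GET /inventory/42"},
]
OBSERVED = [  # the window being analysed
    {"user": "alice", "host": "ws-01", "hour": 9,  "payload": "GET /reports"},
    {"user": "alice", "host": "ws-01", "hour": 11, "payload": "GET /reports UA=BadScanner/1.0"},
    {"user": "bob",   "host": "ws-99", "hour": 3,  "payload": "GET /inventory"},
]
# Knowledge-based side: constructed signatures of already-known bad traffic.
SIGNATURES = {"known-scanner-ua": "badscanner/1.0", "known-bad-path": "/evil-tool"}

def knowledge_based_alerts(events, signatures=SIGNATURES):
    """Compare each event against known-bad patterns; alert on any match."""
    alerts = []
    for i, ev in enumerate(events):
        for name, pattern in signatures.items():
            if pattern in ev["payload"].lower():
                alerts.append((i, name))
    return alerts

def learn_profiles(events):
    """Per-user profile: the hosts and hours seen during the baseline period."""
    hosts, hours = defaultdict(set), defaultdict(set)
    for ev in events:
        hosts[ev["user"]].add(ev["host"])
        hours[ev["user"]].add(ev["hour"])
    return hosts, hours

def behavior_based_alerts(baseline, events, slack=1):
    """Alert when a user's host or hour deviates from the learned profile."""
    hosts, hours = learn_profiles(baseline)
    alerts = []
    for i, ev in enumerate(events):
        u = ev["user"]
        if u not in hosts:              # never seen: no profile to compare with
            alerts.append((i, "unknown-user"))
            continue
        if ev["host"] not in hosts[u]:
            alerts.append((i, "new-host"))
        # an hour within `slack` of any baseline hour still counts as normal
        if all(abs(ev["hour"] - h) > slack for h in hours[u]):
            alerts.append((i, "odd-hour"))
    return alerts
```

Run on the constructed data, the signature detector catches only the known scanner string (event 1) while the behavior detector catches only bob's unfamiliar host and hour (event 2), which is the complementarity the text describes.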
The systems and methods described herein provide a non-rule-based correlation system and method that improves on the rules-based correlation developed by traditional security systems.