1. Field of the Invention
Embodiments of the present invention generally relate to anomaly detection systems and, more particularly, to a method and apparatus for detecting anomalous activities in a communications network, such as an enterprise environment.
2. Description of the Related Art
Background
Presently, there is a constant need for enterprise environments to identify suspicious and potentially harmful network activity. Consequently, security event detection rules need to be continuously running in order to detect events that occur in the short term. However, commonly used state models that support security event detection rules are limited by the span of time, the number of data keys, and the amount of supporting information that can be maintained in states. Although suppliers of commercially available systems continue to try to increase the amount of memory available to the state-based modeling environment, this course of action still does not satisfy the requirements needed to employ a large-scale data inspection process. Similarly, attempts have been made to limit the number of objects in state and/or the number of attributes per object. These attempts not only reduce overall system usefulness, but also provide only temporary relief that is subsequently consumed in the event of an increase in scale.
Thus, there is a need in the art for a method and apparatus for detecting suspicious long-term (e.g., low and slow) network activities.