This invention relates generally to cyber-security monitoring, and more particularly to monitoring incoming security events to determine the existence of security violations.
Current approaches for cyber-security monitoring can be divided into two broad classes: targeted event-based detection and behavioral anomaly detection. Targeted event-based detection involves the creation and maintenance of a set of event detectors for identifying behaviors that are suspicious (i.e., behaviors that are indicative of security violations). Examples of the targeted approach include pattern-based antivirus engines and network intrusion detection systems. Behavioral anomaly detection provides alerts based on behavioral anomalies or deviations from normal steady-state behaviors of users and/or entities in the network. Examples of the behavioral approach include alert correlation and traffic clustering.
The two approaches have their distinctive advantages and disadvantages. For example, targeted detectors produce high-precision alerts with a low rate of false positives. However, targeted detectors cannot automatically handle changes that occur over time in security threats as well as in the normal, steady-state network traffic. Many security threats, such as malicious software (malware), evolve automatically and rapidly to evade existing detection mechanisms (e.g., via polymorphism/metamorphism, fast fluxing, sandbox resistance, adversarial reverse engineering, bursty/zero-day attacks, etc.). As security threats evolve over time, targeted detectors require maintenance and updates through the extensive intervention of domain experts. In contrast, the behavioral anomaly detection approach can potentially uncover a broader set of security violations, as well as threats that evolve over time, while requiring a lesser degree of involvement from domain experts. However, behavioral detectors often suffer from higher rates of false positives compared to the targeted approach.
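The trade-off described above can be made concrete by running both classes of detector over the same event stream. The following is an added illustration, not code or data from the patent: it uses constructed DNS-query records, a single placeholder signature (`bad-c2.example`), and hypothetical host names, and implements a minimal pattern-based detector beside a per-host volume baseline that alerts on deviations from steady-state query counts. One test window contains a known-bad domain at normal volume, one contains a burst of never-seen domains that match no signature (the evolved-threat case), and one contains a benign burst, so the output shows each approach's characteristic hit and miss.

```python
import re
import statistics
from collections import defaultdict

# Constructed steady-state training data (not from the patent): one record per
# DNS query as (window, host, domain). hostA makes 5 queries per window, hostB 3.
TRAINING = [
    (w, "hostA", f"site{i}.example") for w in range(10) for i in range(5)
] + [
    (w, "hostB", f"cdn{i}.example") for w in range(10) for i in range(3)
]

# Constructed test windows, each a list of (host, domain) records.
TEST = {
    # Window 1: one query to a known-bad domain at otherwise normal volume.
    1: [("hostA", "bad-c2.example")]
       + [("hostA", f"site{i}.example") for i in range(4)],
    # Window 2: a burst of never-seen domains that match no signature
    # (the evolved-threat case the text describes, e.g. flux-style naming).
    2: [("hostA", f"x{i:02d}q.example") for i in range(40)],
    # Window 3: a benign burst from hostB (e.g. a software update run).
    3: [("hostB", f"update{i}.example") for i in range(30)],
}

# Placeholder signature list for the targeted detector (illustrative only).
SIGNATURES = [re.compile(r"^bad-c2\.example$")]


def targeted_detect(window_events):
    """Pattern-based detector: flag hosts with a query matching a known signature."""
    return sorted({host for host, domain in window_events
                   if any(sig.search(domain) for sig in SIGNATURES)})


def build_baseline(training):
    """Per-host (mean, stddev) of queries per window, learned from steady-state data."""
    counts = defaultdict(lambda: defaultdict(int))
    for window, host, _ in training:
        counts[host][window] += 1
    baseline = {}
    for host, per_window in counts.items():
        values = list(per_window.values())
        baseline[host] = (statistics.mean(values), statistics.pstdev(values))
    return baseline


def behavioral_detect(window_events, baseline, k=3.0, min_sigma=1.0):
    """Anomaly detector: flag hosts whose query count exceeds mean + k * sigma.

    min_sigma floors the deviation so a perfectly regular baseline (sigma 0)
    does not turn every single extra query into an alert.
    """
    counts = defaultdict(int)
    for host, _ in window_events:
        counts[host] += 1
    flagged = []
    for host, n in counts.items():
        mean, sigma = baseline.get(host, (0.0, 0.0))
        if n > mean + k * max(sigma, min_sigma):
            flagged.append(host)
    return sorted(flagged)


def run_all():
    """Run both detectors over every test window and return the alerts per window."""
    baseline = build_baseline(TRAINING)
    return {
        w: {"targeted": targeted_detect(ev),
            "behavioral": behavioral_detect(ev, baseline)}
        for w, ev in TEST.items()
    }


if __name__ == "__main__":
    for window, result in run_all().items():
        print(f"window {window}: targeted={result['targeted']} "
              f"behavioral={result['behavioral']}")
```

Window 1 is caught only by the signature detector, window 2 (the mutated threat) only by the baseline detector, and window 3 is a behavioral false positive with no corresponding targeted alert, which is the precision-versus-adaptability split the text describes. Note that the baseline here is a fixed snapshot; a production anomaly detector would also have to re-learn the baseline as normal traffic drifts, which is the maintenance burden the passage attributes to both approaches in different forms.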