Behavioral learning techniques have been used to provide security for computers and other processing systems. In a typical behavioral learning security system or process, the “baseline” or “normal” behavior of the system to be protected (e.g., the computer) is learned during a learning phase of fixed duration. In a subsequent protection phase, the actual behavior of the system being protected is monitored and compared against the baseline and responsive action is taken if a meaningful deviation from the expected/normal behavior is detected.
FIG. 1 is a time diagram illustrating the learning phase and the protection phase of a typical prior art behavioral learning security system or process. The normal or baseline behavior of the system to be protected is learned during learning phase 100, which starts at start time 104, lasts for a fixed duration 106, and stops at stop time 108. After the learning phase, the system is in protection phase 102, in which behavior that deviates from the behavior learned during the learning phase is identified and appropriate action is taken.
Under the prior art, processes or sub-processes that do not occur during the learning phase are absent from the learned baseline, and their later occurrence during the protection phase may trigger responsive action by the security system or process, because they deviate from the learned baseline, even though they are normal and/or expected (for example, a scheduled job that runs less frequently than the length of the learning phase). Extending the duration of the learning phase to allow for more complete learning of the normal processes may not be practical or desirable, since the system being learned remains unprotected for the entire learning phase. In addition, such a security system or process is unfriendly to changes to the system being protected (e.g., software upgrades, system upgrades, or new software additions), because after such a change the entire learning process has to be repeated to enable the security system or process to learn the new normal processes present on the system being protected as a result of the change.
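The following simulation is an added example and is not code from the original page or from the patent it describes. It models the fixed-duration learn-then-protect process of FIG. 1 over a constructed stream of process-start events, with the learning phase measured in events rather than wall-clock time. The event stream, the process names, the window lengths and the notion of a "known malicious" process used to classify alerts are all assumptions made for illustration. Running it shows the two failure modes described above: a legitimate but infrequent job and a renamed binary after an upgrade both raise alerts, and lengthening the learning phase until they are learned also lengthens the unprotected period until a genuinely anomalous process is learned as normal.

```python
"""Simulation of a fixed-duration behavioral learning security process.

Constructed example, not code from the original page or patent. The event
stream, process names and learning-window lengths below are assumptions
chosen to illustrate the failure modes of a fixed learning phase.
"""
from dataclasses import dataclass, field

# Constructed process-start event stream (timestamp, process name). The
# weekly backup first runs after a short learning window would have closed,
# "cryptominer" stands in for a genuinely anomalous process, and "nginx-1.25"
# is the renamed binary that appears after a software upgrade.
EVENTS = [
    ("Mon 09:00", "sshd"),
    ("Mon 09:01", "nginx"),
    ("Mon 09:02", "postgres"),
    ("Mon 23:00", "logrotate"),
    ("Tue 09:00", "sshd"),
    ("Tue 09:01", "nginx"),
    ("Sun 02:00", "weekly-backup"),
    ("Mon 09:00", "sshd"),
    ("Mon 10:00", "cryptominer"),
    ("Tue 09:00", "nginx-1.25"),
]

# Assumed ground truth, used only to label alerts as true or false positives.
KNOWN_MALICIOUS = {"cryptominer"}


@dataclass
class FixedWindowBaseline:
    """Learn the set of process names seen during a fixed number of events,
    then flag any process outside that set as a deviation."""
    learning_events: int                       # fixed duration 106, in events
    baseline: set = field(default_factory=set)
    seen: int = 0

    def is_learning(self) -> bool:
        return self.seen < self.learning_events

    def observe(self, process: str) -> str:
        """Return 'learned', 'normal' or 'alert' for one process-start event."""
        if self.is_learning():
            # Learning phase 100: everything observed becomes part of the baseline,
            # and no protection is applied yet.
            self.baseline.add(process)
            self.seen += 1
            return "learned"
        # Protection phase 102: anything outside the learned set is a deviation.
        return "normal" if process in self.baseline else "alert"


def simulate(events, learning_events):
    """Run the learn-then-protect process over the event stream.

    Returns the per-event verdicts and the list of processes that were alerted on.
    """
    detector = FixedWindowBaseline(learning_events)
    verdicts = [(proc, detector.observe(proc)) for _, proc in events]
    alerts = [proc for proc, verdict in verdicts if verdict == "alert"]
    return verdicts, alerts


def classify_alerts(alerts, known_malicious):
    """Split alerts into true positives and false positives using assumed ground truth."""
    true_positives = [p for p in alerts if p in known_malicious]
    false_positives = [p for p in alerts if p not in known_malicious]
    return true_positives, false_positives


if __name__ == "__main__":
    for window in (6, 7, 10):
        verdicts, alerts = simulate(EVENTS, window)
        tp, fp = classify_alerts(alerts, KNOWN_MALICIOUS)
        learned_bad = [p for p, v in verdicts if v == "learned" and p in KNOWN_MALICIOUS]
        print(f"learning window = {window} events (system unprotected for {window} events)")
        print(f"  true positives : {tp}")
        print(f"  false positives: {fp}")
        print(f"  malicious processes learned as normal: {learned_bad}")
```

With a 6-event window the protection phase alerts on the weekly backup and on the upgraded nginx binary alongside the miner; with a 7-event window the backup is learned but one more event passes unprotected; with a 10-event window every event, including the miner, is absorbed into the baseline and nothing is ever flagged.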
Therefore, there is a need for a better way to use behavioral learning to provide security for a computer or other system, which enables the processes of the computer or other system to be learned more completely without leaving the system unprotected for a protracted learning period.