Anomaly detection at the level of run time data structures

Abstract

A useful embodiment of the invention is directed to a method associated with a computer program comprising one or more basic blocks, wherein the program defines and uses multiple data structures, such as the list of all customers of a bank along with their account information. The method includes identifying one or more invariants, wherein each invariant is associated with one of the data structures. The method further includes determining at specified times whether an invariant has been violated. Responsive to detecting a violation of one of the invariants, the detected violation is flagged as an anomaly.

Description

[0001]This application is a continuation of and claims the benefit of priority to U.S. patent application Ser. No. 13 / 587,335, filed on Aug. 16, 2012 and entitled “Anomaly Detection at the Level of Run Time Data Structures”. The contents of which are hereby incorporated by reference.BACKGROUND[0002]1. Field[0003]The invention disclosed and claimed herein generally pertains to a method of anomaly detection at the code level of a computer program. More particularly, the invention pertains to a method of the above type, wherein invariants associated with data structures of the program's concrete state are used to detect anomalies.[0004]2. Description of the Related Art[0005]Anomaly detection is the act of detecting patterns in a given data set that do not conform to an established normal behavior. Anomaly detection is a highly active area of research and development in academia as well as in industry, and breaks into two subareas. One subarea is rule-based anomaly detection, which is t...

AI Technical Summary

Benefits of technology

The invention is about detecting abnormalities in a computer program by analyzing the data structures used by the program, rather than the control of the program. The method identifies specific rules or standards that are associated with each data structure and checks if those rules are being followed during runtime. If a deviation is detected, the method flags it as an anomaly. This helps to quickly identify and address any issues in the program.

Problems solved by technology

While the current state of the art as represented by the Swaddler approach has been shown, quite convincingly, to be of practical value, it is still characterized by a number of limitations.

These include issues pertaining to expressiveness, portability, overhead and accuracy.

In regard to expressiveness, Swaddler cannot capture invariants across more than one control flow.

Regarding portability, letting each basic block in the program be anomaly aware has the undesirable effect of making the detection system highly sensitive to code changes.

Regarding overhead, performing anomaly checks at each basic block is highly expensive.

It is difficult to see how the Swaddler solution can scale to enterprise applications comprising on the order of hundreds of millions of lines of code, including their library dependencies.

Finally, in regard to accuracy, a further negative byproduct of testing for anomalies at each basic block is that the system is more likely to issue false alarms.

The more checks there are, the more likely it is for statistical reasoning to come to the wrong conclusion.

Images