423 results about "Anomalous behavior" patented technology

A computer worm detection system orchestrates a sequence of network activities in a computer network and monitors the computer network to identify an anomalous behavior of the computer network. The computer worm detection system then determines whether the anomalous behavior is caused by the computer worm and can determine an identifier for detecting the computer worm based on the anomalous behavior. The computer worm detection system can also generate a recovery script for disabling the computer worm or repairing damage caused by the computer worm.

The present invention provides strategies for detecting intrusions in wireless environments, and the strategies are based on innovative applications of information analysis as well as other information correlating techniques. The key to detecting intrusions in a RF based environment is to understand the normal spectrum of behavior so that deviations can be detected and analyzed. For a wireless communications grid, this process requires empirical knowledge about how the radios work together as components of the information grid, and how this grid network is managed. Once normal behavior has been characterized, anomalous behavior can be identified. Potential intrusions into the wireless network can be analyzed and an attack model can be created. The attack model can be utilized as the basis for initiating appropriate adaptive responses.

According to one embodiment, a method comprises conducting an analysis for anomalous behavior on application software and generating a video of a display output produced by the application software. The video is to be displayed on an electronic device contemporaneously with display of one or more events detected by the analysis being performed on the application software.

Embodiments of the present invention provide a method and a system for analyzing and learning behavior based on an acquired stream of video frames. Objects depicted in the stream are determined based on an analysis of the video frames. Each object may have a corresponding search model used to track an object's motion frame-to-frame. Classes of the objects are determined and semantic representations of the objects are generated. The semantic representations are used to determine objects' behaviors and to learn about behaviors occurring in an environment depicted by the acquired video streams. This way, the system learns rapidly and in real-time normal and abnormal behaviors for any environment by analyzing movements or activities or absence of such in the environment and identifies and predicts abnormal and suspicious behavior based on what has been learned.

In an embodiment, a dynamic analysis engine is configured to receive an identifier associated with a source for network traffic including at least one object having at least a prescribed probability of being associated with an exploit. Deployed within a detection cloud, the dynamic analysis engine comprises one or more virtual machines and monitoring logic. The virtual machines are adapted to virtually process the identifier by establishing a communication session with a server hosting a website accessible by the identifier. In communication with the virtual machines, the monitoring logic is adapted to detect anomalous behaviors by the virtual machines during the communication session with the server.

A method for the detection of anomalous behaviors in a computer network, comprising the steps of: collecting data relating to connections in a plurality of nodes in a network, sending the data from said nodes to an ADS platform, computing from said data at least one value representative of the anomaly level of the connections of each said node and/or of applications initiating said connections and/or of users, computing a multidimensional chart for visualizing the behavior of a plurality of nodes, applications and/or users in said network, wherein said value representative of the anomaly level is used as a dimension in said chart.

One embodiment of an electronic device comprises a processor and a memory accessible by the processor. The memory comprises virtual execution logic and run-time classifier logic. The virtual execution logic includes at least one virtual machine that is configured to virtually process content within an object under analysis and monitor for anomalous behaviors during the virtual processing that are indicative of malware. The run-time classifier logic performs, during run-time, a first analysis on the monitored anomalous behaviors and a pre-stored identifier to determine if the monitored anomalous behaviors indicate that the object is malware belonging to a classified malware family. The pre-stored identifier is a collection of data associated with anomalous behaviors that uniquely identify the malware family.

Embodiments of the invention may include a sensor system and a method used to track the behaviors of targets in an area under surveillance. The invention may include a sensor array located in the area that is capable of sending messages to a user when behavior of a tracked target is determined to be anomalous. In making the determination of anomalous behavior, the sensor system and method may generate and continuously refine a pattern of life model that may examine, for example, the paths a target may take within the sensor array and the end points of the paths taken. The sensor system and method may also incorporate any user defined conditions for anomalous behavior.

A method of detecting an intrusion into (or an anomaly in a behavior of) a target software system begins by instrumenting the target software system to generate behavior data representing a current observation or observation aggregate. The method then determines whether the current observation or observation aggregate warrants a second level examination; preferably, this determination is made by processing the current observation or observation aggregate through a first level detection algorithm that provides a first, provisional indication of a possible intrusion. If a result of executing the first level detection algorithm indicates that the current observation or observation aggregate warrants a second level examination, the method continues by processing the current observation or observation aggregate through at least one or more second level detection algorithms to provide a second, more definite, fine grain indication of a possible intrusion. The observation aggregates used by the first and second level detection algorithms may be the same or different. The first and second level detection algorithms may be executed in the same or different systems, machines or processors. The target software system operation may be suspended as the current observation or observation aggregate is processed through the one or more second level detection algorithms. A given action (e.g., sending an alert, logging the event, activating a countermeasure, or the like) may be taken if the result of the second level examination indicates a possible intrusion. Multiple algorithms may be executed together within a single examination level, with the individual results then analyzed to obtain a composite result or output indicative of intrusive or anomalous behavior.

According to one embodiment, a computerized method comprises three operations. First, an incoming object is analyzed to determine if the incoming object is suspicious by having characteristics that suggest the object is an exploit. Next, a virtual machine is dynamically configured with a software image representing a current operating state of a targeted client device. The software image represents content and structure of a storage volume for the targeted client device at a time of configuring the virtual machine. Lastly, the object is processed by the virtual machine in order to detect any anomalous behaviors that may cause the object to be classified as an exploit.

Anomalous behavior in a distributed system is automatically detected. Metrics are gathered for transactions, subsystems and/or components of the subsystems. The metrics can identify response times, error counts and/or CPU loads, for instance. Baseline metrics and associated deviation ranges are automatically determined and can be periodically updated. Metrics from specific transactions are compared to the baseline metrics to determine if an anomaly has occurred. A drill down approach can be used so that metrics for a subsystem are not examined unless the metrics for an associated transaction indicate an anomaly. Further, metrics for a component, application which includes one or more components, or process which includes one or more applications, are not examined unless the metrics for an associated subsystem indicate an anomaly. Multiple subsystems can report the metrics to a central manager, which can correlate the metrics to transactions using transaction identifiers or other transaction context data.

Provided are systems and methods for a cloud security system that learns patterns of user behavior and uses the patterns to detect anomalous behavior in a network. Techniques discussed herein include obtaining activity data from a service provider system. The activity data describes actions performed during use of a cloud service over a period of time. A pattern corresponding to a series of actions performed over a subset of time can be identified. The pattern can be added a model associated with the cloud service. The model represents usage of the cloud service by the one or more users. Additional activity data can be obtained from the service provider system. Using the model, a set of actions can be identified in the additional activity data that do not correspond to the model. The set of actions and an indicator that identifies the set of actions as anomalous can be output.

The invention relates to a movement human abnormal behavior identification method based on template matching, which mainly comprises the steps of: video image acquisition and behavior characteristic extraction. The movement human abnormal behavior identification method is a mode identification technology based on statistical learning of samples. The movement of a human is analyzed and comprehended by using a computer vision technology, the behavior identification is directly carried out based on geometric calculation of a movement region and recording and alarming are carried out; the Gaussian filtering denoising and the neighborhood denoising are combined for realizing the denoising, thereby improving the independent analysis property and the intelligent monitoring capacity of an intelligent monitoring system, achieving higher identification accuracy for abnormal behaviors, effectively removing the complex background and the noise of a vision acquired image, and improving the efficiency and the robustness of the detection algorithm. The invention has simple modeling, simple algorithm and accurate detection, can be widely applied to occasions of banks, museums and the like, and is also helpful to improve the safety monitoring level of public occasions.

A system for automated testing of functionally complex systems, comprising a test manager module operating on a server computer, a test data storage subsystem coupled to the test manager module and adapted to store at least test results, a test execution module operating on a server computer, and a test analysis module operating on a server computer and adapted to receive test data from the test data storage subsystem. The test manager module causes tests to be executed by the test execution engine, and on detection of an anomalous test result, the test manager module at least causes additional testing to be performed and causes the test analysis module to analyze the results of at least some of the additional testing in order to isolate at least one component exhibiting anomalous behavior.

Systems and methods implemented by a computer to detect abnormal behavior in a network include obtaining Performance Monitoring (PM) data including one or more of production PM data, lab PM data, and simulated PM data; determining a model based on machine learning training with the PM data; receiving live PM data from the network; utilizing the live PM data with the model to detect an anomaly in the network; and causing an action to address the anomaly.

The invention discloses a passenger abnormal behavior identification method based on a human skeleton sequence, which comprises the following steps: 1) shooting an escalator area monitoring video image by a camera; 2) detecting that passenger face through the SVM and trac the passenger face with the KCF to obtain the passenger motion trajectory in the escalator; 3) extracting that human skeleton from the image by using the OpenPose depth learn network; 4) matching that human skeleton to the corresponding passenger trajectory to construct the human skeleton sequence of the passenger; 5) detecting that abnormal behavior skeleton sequence from the passenger human skeleton sequence through template match; 6) using DTW to match it with various abnormal behavior skeleton sequence template to identify abnormal behavior. That invention can accurately and real-time identify a plurality of abnormal behavior of passengers in the escalator base on human skeleton sequence, according to the abnormalbehavior type to control the operation situation of the escalator, and avoid the occurrence of safety accident.

A method and apparatus for evaluating motivational and emotional circuitry in the brain during paradigms focused on specific motivational functions, to directly determine which components and how much the motivational and emotional brain circuitry responds. This circuitry response answers questions focused on normal and abnormal behavior, along with questions regarding the normal and abnormal function of the circuitry. The results of interrogating the motivational and emotional circuitry can be used for objectively measuring, in individual humans or animals, their preferences or responses to motivationally salient stimuli including but not limited to stimuli which are internal or external, conscious or non-conscious, pharmacological or non-pharmacological therapies, diseased based processes or not, financial or non-financial, etc. This method and apparatus for measuring brain activity during motivational and emotional functions can further be used to predict individual choices, preferences and planned behaviors, plus interpret internal experiences without recourse to the subjects participation or their voluntary description of these choices, preferences, planned behaviors, or internal experiences.

A technique for detecting an abnormal behavior by monitoring moving objects such as human being and a car. The place where the abnormal behavior of the moving objects occurs is deduced from the position of the moving object and the direction in which the moving object moves and presented to the car. An abnormal detector comprises means for determining the position of the moving object and the direction in which the moving object moves, means for determining the place where an abnormal incident causing an abnormal behavior of the moving object occurs on the basis of the determined position and direction, and means for displaying the place where the abnormal incident occurs. Therefore it is possible to immediately know the cause of the abnormal behavior of the moving object from the video information collected by observation monitoring moving objects such as a human being and a car.