06963983 is referenced by 75 patents and cites 31 patents.

A real-time approach for detecting aberrant modes of system behavior induced by abnormal and unauthorized system activities that are indicative of an intrusive, undesired access of the system. This detection methodology is based on behavioral information obtained from a suitably instrumented computer program as it is executing. The theoretical foundation for the present invention is a study of the internal behavior of the software system. As a software system is executing, it expresses a set of its many functionalities as sequential events. Each of these functionalities has a characteristic set of modules that is executed to implement the functionality. These module sets execute with clearly defined and measurable execution profiles, which change as the executed functionalities change. Over time, the normal behavior of the system will be defined by the boundary of the profiles. An attempt to violate the security of the system will result in behavior that is outside the normal activity of the system and thus result in a perturbation of the system in a manner outside the scope of the normal profiles. Such violations are detected by an analysis and comparison of the profiles generated from an instrumented software system against a set of known intrusion profiles and a varying criterion level of potential new intrusion events.

Title: Method of and system for detecting an anomalous operation of a computer system
Application Number: 10/755948
Publication Number: 6963983 (B2)
Application Date: January 13, 2004
Publication Date: November 8, 2005
Inventor: Sebastian G Elbaum (Moscow, ID, US)
Inventor: John C Munson (Moscow, ID, US)
Agent: David H Judson
Assignee: Cylant (MA, US)
IPC: G06F 011/30