
Detection dictionary system supporting anomaly detection across multiple operating environments

Abstract

A detection dictionary system provides a framework for describing, detecting, and reporting anomalies across multiple operating environments, each including multiple computing devices. An anomaly in an operating environment refers to one or more operations or activities in the operating environment that may be indicative of an attack on the operating environment by a malicious user or program. The framework includes guarantees, detections, properties, and detection instances. Guarantees are promises or assertions made to an entity (e.g., a business or other organization) that describe what the detection dictionary system will detect and alert on when a particular trend or anomaly is identified. A detection is a set of metadata describing how to fulfill a given guarantee. A property describes how to map the detection to a particular detection instance. A detection instance is a specific implementation of a detection as applied to a property.