METHODS AND SYSTEMS FOR ANOMALY DETECTION USING FUNCTION SPECIFICATIONS DERIVED FROM SERVER INPUT/OUTPUT (I/O) BEHAVIOR

摘要

Various embodiments include methods of protecting a computing device within a network from malware or other non-benign behaviors. A computing device may monitor inputs and outputs to a server, derive a functional specification from the monitored inputs and outputs, and use the functional specification for anomaly detection. Use of the derived functional specification for anomaly detection may include determining whether a behavior, activity, web application, process or software application program is non-benign. The computing device may be the server, and the functional specification may be used to determine whether the server is under attack. In some embodiments, the computing device may constrain the functional specification with a generic constraint, detect a new input-output pair, determine whether the detected input-output pair satisfies the constrained functional specification, and determine that the detected input-output pair is anomalous upon determining that the detected input-output pair (or request-response pair) satisfies the constrained functional specification.