
COMPUTER SECURITY ATTACK DETECTION USING DISTRIBUTION DEPARTURE


Abstract

Described technologies automatically detect computing system security attacks. Departure of occurrence distributions, which are based on leading digit(s) of digital item occurrence data, from model distributions that correspond to particular data sources, indicates a presence likelihood for particular attack types. Some model distributions exhibit Benford's Phenomenon. Described mechanisms detect security attack types such as ransomware, bitcoin mining, and others, using particular corresponding data sources such as file extensions, processor statistics, etc. Mechanisms detect security attacks without a captured baseline of healthy normal behavior, and without relying on malware code signatures. When an item occurrence distribution departs from a model distribution by at least a predefined degree, the technology electronically raises a security attack alert. Then countermeasures may be asserted for a possible type X security attack on the computing system. Countermeasures may include more computationally intensive tests for determining the precise extent or precise nature of an attack, for instance.
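The departure check the abstract describes, sketched as an added example (not code from the patent or its authors). It uses the first digit only and Benford's law as the model distribution; the mean-absolute-deviation metric, the 0.05 threshold, the function names and both sample count lists are assumptions constructed for illustration.

```python
import math
from collections import Counter

# Model distribution: Benford's law, P(d) = log10(1 + 1/d) for leading digit d.
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Constructed sample: files-per-extension counts whose first digits roughly follow Benford.
TYPICAL = [1, 12, 104, 15, 1870, 13, 118, 1, 160, 2, 23, 210, 27, 2, 3,
           31, 350, 38, 4, 46, 412, 5, 57, 6, 64, 7, 73, 8, 89, 9]
# Constructed sample: counts whose first digits are all 5-9 (strong departure).
SKEWED = [5, 52, 530, 58, 5100, 55, 6, 61, 640, 67, 6200, 69, 7, 71, 760,
          78, 7300, 74, 8, 82, 850, 88, 8400, 86, 9, 93, 910, 97, 9500, 99]


def leading_digit_distribution(counts):
    """Relative frequency of leading digits 1-9 over positive occurrence counts."""
    digits = Counter(int(str(c)[0]) for c in counts if c > 0)
    total = sum(digits.values())
    if total == 0:
        raise ValueError("no positive occurrence counts to analyse")
    return {d: digits.get(d, 0) / total for d in range(1, 10)}


def departure(observed, model=BENFORD):
    """Mean absolute deviation between observed and model (assumed metric)."""
    return sum(abs(observed[d] - model[d]) for d in range(1, 10)) / 9


def check(counts, threshold=0.05):
    """Return (departure, alert); the threshold is illustrative, not from the patent."""
    dep = departure(leading_digit_distribution(counts))
    return dep, dep >= threshold


if __name__ == "__main__":
    for name, counts in (("typical", TYPICAL), ("skewed", SKEWED)):
        dep, alert = check(counts)
        print(f"{name}: departure={dep:.4f} alert={alert}")
```

No baseline of the monitored system is captured here: the only reference is the model distribution, which matches the abstract's claim that detection works without recorded healthy behavior or malware signatures.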
