Learning program behavior for run-time software assurance. (English) Zbl 1191.68483

Herrero, Álvaro (ed.) et al., Computational intelligence in security for information systems. CISIS’09, 2nd international workshop, Burgos, Spain, September 23–26, 2009. Proceedings. Berlin: Springer (ISBN 978-3-642-04090-0/pbk; 978-3-642-04091-7/ebook). Advances in Intelligent and Soft Computing 63, 135-142 (2009).
Summary: We present techniques for machine learning of program behavior by observing application level events to support runtime anomaly detection. We exploit two key relationships among event sequences: their edit distance proximity and state information embedded in event data. We integrate two techniques that employ these relationships to reduce both false positives and false negatives. Our techniques consider event sequences in their entirety, and thus better leverage correlations among events over longer time periods than most other techniques that use small, fixed length sliding windows over such sequences. We employ cluster signatures that minimize adverse effects of noise in anomaly detection, thereby further reducing false positives. We leverage state information in event data to summarize loop structures in sequences which, in turn, leads to better classification of program behavior. We have performed initial validations of these techniques using Asterisk®, a widely deployed, open source digital PBX.
For the entire collection see [Zbl 1181.68006].
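The summary names three ingredients: edit-distance proximity between whole event sequences, cluster signatures that absorb noise, and summarization of loop structures before comparison. The following Python sketch is an added illustration of how those ingredients fit together, written for this record; it is not the paper's algorithm, and the Asterisk-style event names (INVITE, AUTH_OK, RING, RTP, ...), the greedy leader clustering, the medoid-as-signature choice and the per-cluster threshold are all my own assumptions. Repeated sub-sequences are collapsed to one copy plus a loop marker so that a call carrying 5 RTP events and one carrying 400 compare as equal, which is what lets full-length sequences be used without a sliding window.

```python
"""Toy run-time anomaly detector over application-level event sequences.

Added example (not from the paper): edit distance over whole sequences,
loop collapsing, and noise-resistant cluster signatures.
"""

LOOP = "<loop>"  # marker standing in for "this sub-sequence repeated N times"


def edit_distance(a, b):
    """Levenshtein distance between two sequences of event tokens."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # delete x
                           cur[j - 1] + 1,           # insert y
                           prev[j - 1] + (x != y)))  # substitute / match
        prev = cur
    return prev[-1]


def collapse_loops(seq, max_period=3):
    """Replace consecutive repetitions of a short unit (period <= max_period)
    by one copy of the unit followed by LOOP, e.g. A B A B A B -> A B <loop>.
    The repeat count is deliberately dropped so loop length does not matter."""
    seq = list(seq)
    out, i, n = [], 0, len(seq)
    while i < n:
        best_span, best_unit = 0, None
        for p in range(1, max_period + 1):
            unit = seq[i:i + p]
            if len(unit) < p:
                break
            reps = 1
            while seq[i + reps * p:i + (reps + 1) * p] == unit:
                reps += 1
            if reps >= 2 and reps * p > best_span:   # prefer the longest cover
                best_span, best_unit = reps * p, unit
        if best_unit is None:
            out.append(seq[i])
            i += 1
        else:
            out.extend(best_unit)
            out.append(LOOP)
            i += best_span
    return out


def build_signatures(training, radius=2, min_size=2):
    """Greedy leader clustering on edit distance; each surviving cluster is
    summarized by its medoid (the signature) and its spread (max distance of
    a member to the medoid). Clusters smaller than min_size are treated as
    noise in the training trace and discarded."""
    clusters = []
    for raw in training:
        s = collapse_loops(raw)
        for c in clusters:
            if edit_distance(s, c[0]) <= radius:
                c.append(s)
                break
        else:
            clusters.append([s])
    sigs = []
    for c in clusters:
        if len(c) < min_size:
            continue
        medoid = min(c, key=lambda m: sum(edit_distance(m, o) for o in c))
        spread = max(edit_distance(medoid, o) for o in c)
        sigs.append((medoid, spread))
    return sigs


def classify(seq, sigs, slack=0):
    """Return (is_anomaly, distance_to_nearest_signature). A sequence is
    anomalous when it lies farther from every signature than that cluster's
    observed spread plus an optional tolerance."""
    s = collapse_loops(seq)
    d, spread = min(((edit_distance(s, sig), sp) for sig, sp in sigs),
                    key=lambda t: t[0])
    return d > spread + slack, d


# Constructed training trace in the style of PBX call-handling events.
TRAINING = [
    ["INVITE", "AUTH_OK", "RING", "ANSWER"] + ["RTP"] * 5 + ["HANGUP"],
    ["INVITE", "AUTH_OK", "RING", "ANSWER"] + ["RTP"] * 40 + ["HANGUP"],
    ["INVITE", "AUTH_OK", "RING", "RING", "ANSWER"] + ["RTP"] * 3 + ["HANGUP"],
    ["INVITE", "AUTH_OK"] + ["RING"] * 4 + ["CANCEL"],
    ["INVITE", "AUTH_OK"] + ["RING"] * 2 + ["CANCEL"],
    ["INVITE", "AUTH_OK", "RING", "CANCEL"],
    ["INVITE", "HANGUP"],   # one-off glitch: ends up a singleton, dropped as noise
]

if __name__ == "__main__":
    sigs = build_signatures(TRAINING)
    for sig, spread in sigs:
        print("signature", sig, "spread", spread)
    print(classify(["INVITE", "AUTH_OK", "RING", "ANSWER"] + ["RTP"] * 100 + ["HANGUP"], sigs))
    print(classify(["INVITE"] + ["AUTH_FAIL"] * 6, sigs))
    print(classify(["INVITE", "ANSWER"] + ["RTP"] * 10 + ["HANGUP"], sigs))
```

With the constructed trace, two signatures survive (an answered call and a cancelled call, each with spread 1); a long normal call collapses onto the first signature at distance 0, while a run of repeated AUTH_FAIL events and a call that skips authentication both land beyond every signature's spread and are flagged. Dropping the singleton cluster is what keeps the stray INVITE/HANGUP glitch from widening the model, which is the false-positive reduction the summary attributes to cluster signatures.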

MSC:

68T05 Learning and adaptive systems in artificial intelligence
68N99 Theory of software

Software:

Asterisk