A method of detecting an intrusion into (or an anomaly in a behavior of) a target
software system begins by instrumenting the target
software system to generate behavior data representing a current observation or observation aggregate. The method then determines whether the current observation or observation aggregate warrants a second level examination; preferably, this determination is made by
processing the current observation or observation aggregate through a first level detection
algorithm that provides a first, provisional indication of a possible intrusion. If a result of executing the first level detection
algorithm indicates that the current observation or observation aggregate warrants a second level examination, the method continues by
processing the current observation or observation aggregate through at least one or more second level detection algorithms to provide a second, more definite,
fine grain indication of a possible intrusion. The observation aggregates used by the first and second level detection algorithms may be the same or different. The first and second level detection algorithms may be executed in the same or different systems, machines or processors. The target
software system operation may be suspended as the current observation or observation aggregate is processed through the one or more second level detection algorithms. A given action (e.g., sending an alert,
logging the event, activating a
countermeasure, or the like) may be taken if the result of the second level examination indicates a possible intrusion. Multiple algorithms may be executed together within a single examination level, with the individual results then analyzed to obtain a composite result or output indicative of intrusive or
anomalous behavior.