US Patent 9009825 Anomaly detector for computer networks

A computer system includes a data collector and an anomaly detector. The data collector monitors network traffic/event log and sends monitoring data to the anomaly detector. The anomaly detector extracts values for a category of measure from the monitoring data and processes the values to generate a processed value. The anomaly detector predicts an expectation value of the category of measure based at least on time decayed residual processed values. The anomaly detector determines a deviation of the processed value from the expectation value to detect an anomaly event, and applies a security rule to the anomaly event to detect a security event.