ACTIVE LEARNING USING A DISCRIMINATIVE CLASSIFIER AND A GENERATIVE MODEL TO DETECT AND/OR PREVENT MALICIOUS BEHAVIOR
Abstract
A malicious behavior detection/prevention system, such as an intrusion detection system, is provided that uses active learning to classify entries into multiple classes. A single entry can correspond to either the occurrence of one or more events or the non-occurrence of one or more events. During a training phase, entries are automatically classified into one of multiple classes. After an entry is classified, a generated model for the determined class is used to measure how well the entry corresponds to that model. Ambiguous classifications, along with entries that do not fit the model of their determined class well, are selected for labeling by a human analyst. The selected entries are presented to the human analyst for labeling, and the resulting labels are used to further train the classifier and the models. During an evaluation phase, entries are automatically classified using the trained classifier and a policy associated with the determined class is applied.
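The training and evaluation phases described in the abstract, as an added worked example (this is illustrative code, not the patent's own implementation). It assumes each entry aggregates the events from one source host into the feature vector (failed_logins, distinct_ports); the three classes, the per-class policy, the seed labels, the unlabelled stream, the thresholds and the stand-in "analyst" are all constructed for the example. The discriminative step is a maximum-likelihood pick across per-class Gaussian models, an entry is "ambiguous" when the log-likelihood margin to the runner-up class is small, and it "does not fit" when its largest per-feature z-score under the assigned class is large:

```python
"""Active-learning loop for a multi-class intrusion detector (added example,
not the patent's own code). Entries are (failed_logins, distinct_ports)
feature vectors; classes, seed data, stream, thresholds and policy are assumed.
"""
import math
from statistics import mean, pstdev

CLASSES = ("benign", "scan", "bruteforce")
POLICY = {"benign": "allow", "scan": "log", "bruteforce": "block"}  # assumed policy per class
SIGMA_FLOOR = 2.0  # keep a per-feature Gaussian from collapsing on a tiny seed set

# Constructed seed labels: the initial analyst-labelled training set.
SEED = [
    ((0, 2), "benign"), ((1, 3), "benign"), ((0, 1), "benign"),
    ((0, 80), "scan"), ((1, 120), "scan"), ((0, 95), "scan"),
    ((60, 1), "bruteforce"), ((120, 2), "bruteforce"), ((90, 1), "bruteforce"),
]
# Constructed unlabelled entries seen during the training phase.
STREAM = [(1, 2), (8, 2), (0, 100), (0, 30), (100, 1)]


def fit_models(labelled):
    """One generative model per class: independent Gaussians per feature."""
    models = {}
    for cls in CLASSES:
        rows = [x for x, y in labelled if y == cls]
        if not rows:
            raise ValueError(f"no labelled entries for class {cls!r}")
        models[cls] = [(mean(col), max(pstdev(col), SIGMA_FLOOR)) for col in zip(*rows)]
    return models


def log_likelihood(model, x):
    return sum(-0.5 * ((v - mu) / sd) ** 2 - math.log(sd) for v, (mu, sd) in zip(x, model))


def classify(models, x):
    """Multi-class classifier: most likely class and the margin to the runner-up."""
    ranked = sorted(((log_likelihood(m, x), c) for c, m in models.items()), reverse=True)
    (best, cls), (second, _) = ranked[0], ranked[1]
    return cls, best - second


def triage(models, x, margin_thr=2.0, z_thr=3.0):
    """Classify x; flag it if the classification is ambiguous (small margin) or
    the entry does not fit the model of its assigned class (large |z|)."""
    cls, margin = classify(models, x)
    z = max(abs(v - mu) / sd for v, (mu, sd) in zip(x, models[cls]))
    return {
        "entry": x, "cls": cls, "margin": margin, "z": z,
        "ambiguous": margin < margin_thr,
        "misfit": z > z_thr,
        # how strongly either criterion fired; used to rank the labelling queue
        "priority": max(z / z_thr, margin_thr / max(margin, 1e-9)),
    }


def select_for_labelling(models, entries, k=2):
    """Collect ambiguous and ill-fitting entries, rank them, keep the top k."""
    flagged = [t for t in (triage(models, x) for x in entries) if t["ambiguous"] or t["misfit"]]
    flagged.sort(key=lambda t: t["priority"], reverse=True)
    return flagged[:k]


def active_learning_round(labelled, stream, analyst, k=2):
    """One training iteration: classify, queue, ask the analyst, retrain."""
    models = fit_models(labelled)
    queue = select_for_labelling(models, stream, k=k)
    new_labels = [(t["entry"], analyst(t["entry"])) for t in queue]  # presented to the analyst
    labelled = labelled + new_labels
    return fit_models(labelled), labelled, queue


def evaluate(models, x):
    """Evaluation phase: classify and apply the policy for the determined class."""
    cls, _ = classify(models, x)
    return cls, POLICY[cls]


def constructed_analyst(x):
    """Stand-in for the human analyst; answers are constructed for this example."""
    return {(8, 2): "bruteforce", (0, 30): "scan"}.get(x, "benign")


if __name__ == "__main__":
    models, labelled, queue = active_learning_round(SEED, STREAM, constructed_analyst)
    for t in queue:
        print(f"queued {t['entry']} as {t['cls']} margin={t['margin']:.2f} z={t['z']:.2f}")
    for x in STREAM:
        print(x, evaluate(models, x))
```

On the constructed stream, (8, 2) is initially classified benign but sits close to the bruteforce boundary, so it is queued as ambiguous, while (0, 30) is confidently classified as a scan yet lies far from the scan model's port distribution, so it is queued as a misfit; the remaining entries are neither and never reach the analyst. Once the analyst labels (8, 2) as bruteforce and the models are refit, the evaluation phase classifies that same entry as bruteforce and applies the "block" policy, which is the behaviour the training loop exists to produce.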
20 Claims
1. A method comprising:
   automatically classifying each of multiple entries into one of multiple categories using a multi-class classifier;
   collecting entries that are ambiguously classified;
   collecting entries that do not fit a model of the automatically classified category of the entry;
   ranking collected entries;
   selecting at least some of the collected entries based on the ranking;
   presenting at least some of the selected entries to a human analyst for labeling;
   receiving an indication of a category from the human analyst for each of at least some of the presented entries; and
   improving the multi-class classifier and one or more models based on the indicated labels.
   (Dependent claims: 2, 3, 4, 5, 6, 7, 8)
9. An intrusion detection/prevention system comprising:
   a memory;
   an event acquiring component that receives an indication of multiple events;
   a clustering component that aggregates multiple events together into a single entry;
   a classifier component that automatically classifies at least some of the indicated entries into multiple event classes using one or more classifiers;
   multiple event models, one event model for each of multiple entry classes;
   an anomaly detection component that utilizes an event model for an entry class to detect potential anomalies within that class;
   a human labeling component that selects one or more entries for a human analyst to label, indicates at least some of the selected entries to a human analyst and receives an indication of an event class from the human analyst, the selected entries indicated being at least one of a potential anomaly or an ambiguously classified entry; and
   a training component that trains the one or more classifiers using one or more events that are classified by the human analyst.
   (Dependent claims: 10, 11, 12, 13)
14. A computer-readable storage medium comprising a trained classifier that was previously trained by performing the method of:
   receiving an indication of multiple entries;
   for each of multiple iterations,
      automatically classifying each entry into one of multiple classes using a classifier;
      for each of at least some classes, updating a model for the class and utilizing the model to detect potential anomalies within the class;
      selecting one or more entries to be labeled by a human user;
      indicating each of the selected entries to a human user;
      receiving an indication of a label for each of the selected entries from the human user; and
      training the classifier using the indicated labels.
   (Dependent claims: 15, 16, 17, 18, 19, 20)
Specification