EXPLAINING NETWORK ANOMALIES USING DECISION TREES

  • US 20160036844A1
  • Filed: 10/09/2015
  • Published: 02/04/2016
  • Est. Priority Date: 07/15/2014
  • Status: Active Grant
First Claim

1. A method comprising:

    using a security analysis computer, receiving, from an intrusion detection system, an identification of an anomaly associated with a false positive identification of a security threat by the intrusion detection system, wherein a first set of feature data identifies features of the anomaly;

    using the security analysis computer, creating a plurality of training sets each comprising identifications of a plurality of samples of network communications, wherein a different subset of the first set of feature data respectively identifies each sample of the plurality of samples;

    using the security analysis computer, for the anomaly and each training set of the plurality of training sets, training a decision tree that is stored in digital memory of the security analysis computer, resulting in storing in the memory a plurality of trained decision trees that are associated in the memory with the anomaly;

    using the security analysis computer, based at least in part on the plurality of trained decision trees, extracting a set of features that distinguish the anomaly from the plurality of samples; and

    using the security analysis computer, generating one or more rules associated with the anomaly from the extracted set of features and causing programming the security analysis computer with the one or more rules.
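The claim above describes a pipeline (several training sets, one decision tree per set, feature extraction across the trees, rule generation) without fixing any algorithm. The following Python is an added illustration written for this page; it is not the patent's implementation and not code from the assignee. It reads "a different subset of the first set of feature data" as feature-subset bagging: every training set holds the same baseline connections plus the flagged anomaly, but each describes them with a different 3-of-5 feature subset. The feature names, the baseline records and the anomaly record are constructed sample data; the tree learner is a small greedy CART-style split on Gini impurity, and a feature counts as "distinguishing" when the trees choose it in at least half the training sets where it was available. Those choices are assumptions of the example, not statements of the patent.

```python
"""Feature-subset decision trees that explain why one flagged connection differs
from ordinary traffic, followed by rule generation from the trained trees.
Added example; constructed data; not the patent's own method."""
from itertools import combinations

# Constructed per-connection features (hypothetical names, not from the patent).
FEATURES = ["bytes_out", "duration_s", "distinct_dst_ports", "failed_logins", "pkts_per_s"]

# Constructed baseline samples of ordinary network communications.
BASELINE = [
    {"bytes_out": 1200, "duration_s": 3.0, "distinct_dst_ports": 1, "failed_logins": 0, "pkts_per_s": 12},
    {"bytes_out": 800, "duration_s": 1.5, "distinct_dst_ports": 1, "failed_logins": 0, "pkts_per_s": 9},
    {"bytes_out": 2500, "duration_s": 8.0, "distinct_dst_ports": 2, "failed_logins": 1, "pkts_per_s": 20},
    {"bytes_out": 1900, "duration_s": 4.2, "distinct_dst_ports": 1, "failed_logins": 0, "pkts_per_s": 15},
    {"bytes_out": 600, "duration_s": 0.8, "distinct_dst_ports": 1, "failed_logins": 0, "pkts_per_s": 7},
    {"bytes_out": 3100, "duration_s": 12.0, "distinct_dst_ports": 3, "failed_logins": 0, "pkts_per_s": 25},
]
# Constructed anomaly reported by the IDS: unusual volume and port fan-out, other features ordinary.
ANOMALY = {"bytes_out": 48000, "duration_s": 5.0, "distinct_dst_ports": 40, "failed_logins": 0, "pkts_per_s": 18}


def gini(labels):
    """Gini impurity of a 0/1 label list (0.0 means the node is pure)."""
    if not labels:
        return 0.0
    p = sum(labels) / len(labels)
    return 1.0 - p * p - (1.0 - p) * (1.0 - p)


def best_split(rows, labels, feats):
    """Lowest weighted-Gini (feature, threshold, impurity) over midpoint thresholds.
    Ties keep the earlier feature in `feats` (strict '<' comparison)."""
    best = None
    for f in feats:
        values = sorted({r[f] for r in rows})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2
            left = [l for r, l in zip(rows, labels) if r[f] <= thr]
            right = [l for r, l in zip(rows, labels) if r[f] > thr]
            g = (len(left) * gini(left) + len(right) * gini(right)) / len(rows)
            if best is None or g < best[2]:
                best = (f, thr, g)
    return best


def train_tree(rows, labels, feats, depth=0, max_depth=3):
    """Greedy CART-style binary tree restricted to the feature subset `feats`."""
    majority = {"leaf": int(sum(labels) * 2 > len(labels))}
    if len(set(labels)) == 1 or depth == max_depth:
        return majority
    split = best_split(rows, labels, feats)
    if split is None or split[2] >= gini(labels):  # no split improves purity
        return majority
    f, thr, _ = split
    left = [i for i, r in enumerate(rows) if r[f] <= thr]
    right = [i for i, r in enumerate(rows) if r[f] > thr]
    return {"feature": f, "threshold": thr,
            "left": train_tree([rows[i] for i in left], [labels[i] for i in left], feats, depth + 1, max_depth),
            "right": train_tree([rows[i] for i in right], [labels[i] for i in right], feats, depth + 1, max_depth)}


def anomaly_path(tree, path=()):
    """Conditions (feature, op, threshold) from the root to the leaf predicting the anomaly, else None."""
    if "leaf" in tree:
        return list(path) if tree["leaf"] == 1 else None
    f, thr = tree["feature"], tree["threshold"]
    found = anomaly_path(tree["left"], path + ((f, "<=", thr),))
    if found is not None:
        return found
    return anomaly_path(tree["right"], path + ((f, ">", thr),))


def explain(samples, anomaly, subset_size=3, min_rate=0.5):
    """Train one tree per feature subset; return (distinguishing features, rules)."""
    rows = samples + [anomaly]
    labels = [0] * len(samples) + [1]
    paths = []  # one (feature subset, isolating path) per trained tree
    for feats in combinations(FEATURES, subset_size):  # one training set per subset
        path = anomaly_path(train_tree(rows, labels, feats))
        paths.append((feats, path or []))
    # A feature distinguishes the anomaly if the trees pick it often when it is offered.
    offered = {f: 0 for f in FEATURES}
    chosen = {f: 0 for f in FEATURES}
    for feats, path in paths:
        for f in feats:
            offered[f] += 1
        for f in {c[0] for c in path}:
            chosen[f] += 1
    distinguishing = [f for f in FEATURES if offered[f] and chosen[f] / offered[f] >= min_rate]
    # Rules: isolating conjunctions built only from distinguishing features, de-duplicated.
    rules = []
    for _, path in paths:
        if path and all(c[0] in distinguishing for c in path) and path not in rules:
            rules.append(path)
    return distinguishing, rules


def rule_text(rule):
    """Human-readable form of one rule, e.g. 'bytes_out > 25550.0'."""
    return " AND ".join(f"{f} {op} {thr}" for f, op, thr in rule)


def matches(rules, record):
    """True when any generated rule fires on `record` (the rules 'programmed' into the analyzer)."""
    return any(all((record[f] <= thr) if op == "<=" else (record[f] > thr) for f, op, thr in rule)
               for rule in rules)


if __name__ == "__main__":
    feats, rules = explain(BASELINE, ANOMALY)
    print("distinguishing features:", feats)
    for r in rules:
        print("rule:", rule_text(r))
```

Running it on the constructed data yields `bytes_out` and `distinct_dst_ports` as the distinguishing features and two rules, `bytes_out > 25550.0` and `distinct_dst_ports > 21.5`; the one training set that lacks both features still isolates the anomaly with a narrow `duration_s` interval, which is exactly the overfit explanation that the across-tree vote discards. Thresholds produced this way are midpoints between observed values, so a practitioner would review them against a larger baseline before deploying the rules.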
