EXPLAINING NETWORK ANOMALIES USING DECISION TREES
First Claim
1. A method comprising:
using a security analysis computer, receiving, from an intrusion detection system, an identification of an anomaly associated with a false positive identification of a security threat by the intrusion detection system, wherein a first set of feature data identifies features of the anomaly;
using the security analysis computer, creating a plurality of training sets each comprising identifications of a plurality of samples of network communications, wherein a different subset of the first set of feature data respectively identifies each sample of the plurality of samples;
using the security analysis computer, for the anomaly and each training set of the plurality of training sets, training a decision tree that is stored in digital memory of the security analysis computer, resulting in storing in the memory a plurality of trained decision trees that are associated in the memory with the anomaly;
using the security analysis computer, based at least in part on the plurality of trained decision trees, extracting a set of features that distinguish the anomaly from the plurality of samples; and
using the security analysis computer, generating one or more rules associated with the anomaly from the extracted set of features and causing programming the security analysis computer with the one or more rules.
Abstract
In an embodiment, the method comprises receiving an identification of an anomaly associated with a false positive identification of a security threat by the intrusion detection system, wherein a first set of feature data identifies features of the anomaly; creating a plurality of training sets each comprising identifications of a plurality of samples of network communications; for the anomaly and each training set of the plurality of training sets, training a decision tree that is stored in digital memory of the security analysis computer; based at least in part on the plurality of trained decision trees, extracting a set of features that distinguish the anomaly from the plurality of samples; generating one or more rules associated with the anomaly from the extracted set of features and causing programming the security analysis computer with the one or more rules.
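As an added illustration of the procedure in claim 1 and the abstract (this is not code from the patent or its assignee), the following Python trains one small decision tree per feature-subset training set, reads the anomaly's root-to-leaf path as a candidate rule, and keeps only rules that no benign sample satisfies. The feature names, flow values, Gini split criterion and depth limit are assumptions; the claims specify none of them.

```python
# Constructed flow records (hypothetical feature names): the IDS-flagged event
# an analyst marked as a false positive, plus ordinary traffic samples.
ANOMALY = {"bytes_out": 9000, "pkts": 40, "dur": 12, "ports": 2, "dns": 1}
SAMPLES = [
    {"bytes_out": 800, "pkts": 12, "dur": 3, "ports": 1, "dns": 0},
    {"bytes_out": 1500, "pkts": 20, "dur": 5, "ports": 1, "dns": 2},
    {"bytes_out": 4000, "pkts": 35, "dur": 30, "ports": 3, "dns": 0},
    {"bytes_out": 2200, "pkts": 18, "dur": 9, "ports": 2, "dns": 3},
]
# One training set per feature subset, so each tree sees different features.
SUBSETS = [["bytes_out", "pkts"], ["dur", "ports", "dns"], ["pkts", "dur"]]

def gini(ys):  # impurity of a list of labels
    return 1.0 - sum((ys.count(v) / len(ys)) ** 2 for v in set(ys))

def best_split(rows, feats):  # lowest weighted-Gini (score, feature, threshold)
    best = (float("inf"), None, None)
    for f in feats:
        vals = sorted({x[f] for x, _ in rows})
        for t in ((a + b) / 2 for a, b in zip(vals, vals[1:])):
            parts = [[y for x, y in rows if (x[f] <= t) == side] for side in (True, False)]
            best = min(best, (sum(len(p) * gini(p) for p in parts) / len(rows), f, t))
    return best

def train_tree(rows, feats, depth=0, max_depth=3):  # tiny CART-style tree of dicts
    ys = [y for _, y in rows]
    _, f, t = best_split(rows, feats) if len(set(ys)) > 1 and depth < max_depth else (0, None, None)
    if f is None:
        return {"leaf": max(set(ys), key=ys.count)}  # majority-label leaf
    kids = [[r for r in rows if (r[0][f] <= t) == side] for side in (True, False)]
    return {"feature": f, "threshold": t,
            "kids": [train_tree(k, feats, depth + 1, max_depth) for k in kids]}

def path_rule(tree, x):  # (feature, op, threshold) tests on x's root-to-leaf path
    conds = []
    while "leaf" not in tree:
        f, t = tree["feature"], tree["threshold"]
        conds.append((f, "<=" if x[f] <= t else ">", t))
        tree = tree["kids"][0 if x[f] <= t else 1]
    return conds

def holds(conds, x):  # does record x satisfy every test of the rule?
    return all(x[f] <= t if op == "<=" else x[f] > t for f, op, t in conds)

def explain_anomaly(anomaly, samples, subsets):  # one tree per training set
    rows = [(anomaly, 1)] + [(s, 0) for s in samples]
    kept = [c for c in (path_rule(train_tree(rows, fs), anomaly) for fs in subsets)
            if not any(holds(c, s) for s in samples)]  # drop rules a benign sample matches
    rules = [" AND ".join(f"{f} {op} {t}" for f, op, t in c) for c in kept]
    return rules, {f for c in kept for f, _, _ in c}
```

On the constructed data, explain_anomaly(ANOMALY, SAMPLES, SUBSETS) returns one rule per subset (the second tree needs two splits, dur > 10.5 AND dns > 0.5) and the union of features those rules use.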
20 Claims
11. A system comprising:
one or more processors;
a non-transitory computer-readable medium having instructions stored thereon, the instructions, when executed by the one or more processors, cause:
receiving, from an intrusion detection system, an identification of an anomaly associated with a false positive identification of a security threat by the intrusion detection system, wherein a first set of feature data identifies features of the anomaly;
creating a plurality of training sets each comprising identifications of a plurality of samples of network communications, wherein a different subset of the first set of feature data respectively identifies each sample of the plurality of samples;
using the security analysis computer, for the anomaly and each training set of the plurality of training sets, training a decision tree that is stored in digital memory of the security analysis computer, resulting in storing in the memory a plurality of trained decision trees that are associated in the memory with the anomaly;
based at least in part on the plurality of trained decision trees, extracting a set of features that distinguish the anomaly from the plurality of samples; and
generating one or more rules associated with the anomaly from the extracted set of features and causing programming the security analysis computer with the one or more rules.