ANOMALY SELECTION USING DISTANCE METRIC-BASED DIVERSITY AND RELEVANCE
Abstract
In one embodiment, a device in a network receives a notification of a particular anomaly detected by a distributed learning agent in the network that executes a machine learning-based anomaly detector to analyze traffic in the network. The device computes one or more distance scores between the particular anomaly and one or more previously detected anomalies. The device also computes one or more relevance scores for the one or more previously detected anomalies. The device determines a reporting score for the particular anomaly based on the one or more distance scores and on the one or more relevance scores. The device reports the particular anomaly to a user interface based on the determined reporting score.
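One way the scoring described in the abstract could be realized, shown as an added example that is not taken from the patent. Everything concrete here is an assumption: Euclidean distance over numeric feature vectors, relevance values in [0, 1] taken from earlier user feedback, the exponential weighting, the `alpha` blend, the threshold, and all function and variable names.

```python
import math

def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def reporting_score(candidate, history, alpha=0.5, scale=1.0):
    """Score a new anomaly against (feature_vector, relevance) history entries.

    Assumed, not from the patent: relevance is in [0, 1] (e.g. past user
    feedback) and the two terms are blended linearly by alpha.
    """
    if not history:
        return 1.0  # nothing reported yet: treat the anomaly as fully novel
    dists = [euclidean(candidate, feats) for feats, _ in history]
    # Diversity term: distance to the nearest earlier anomaly, squashed to [0, 1).
    diversity = 1.0 - math.exp(-min(dists) / scale)
    # Relevance term: neighbours' relevance, weighted by closeness to the candidate.
    weights = [math.exp(-d / scale) for d in dists]
    total = sum(weights)
    if total == 0.0:  # every earlier anomaly is too far away to carry weight
        relevance = sum(r for _, r in history) / len(history)
    else:
        relevance = sum(w * r for w, (_, r) in zip(weights, history)) / total
    return alpha * diversity + (1.0 - alpha) * relevance

def select_for_reporting(candidates, history, threshold=0.5, **kwargs):
    """Return (name, score) pairs that clear the threshold, best first."""
    scored = [(name, reporting_score(vec, history, **kwargs))
              for name, vec in candidates.items()]
    return sorted((s for s in scored if s[1] >= threshold),
                  key=lambda s: s[1], reverse=True)

# Constructed sample data: 2-D feature vectors and user relevance ratings.
HISTORY = [([0.0, 0.0], 0.0),   # earlier anomaly the user dismissed
           ([10.0, 0.0], 1.0)]  # earlier anomaly the user confirmed
CANDIDATES = {
    "repeat_of_dismissed": [0.0, 0.0],
    "near_confirmed": [10.0, 0.5],
    "novel": [5.0, 5.0],
}

if __name__ == "__main__":
    for name, score in select_for_reporting(CANDIDATES, HISTORY):
        print(f"{name}: {score:.3f}")
```

With this constructed data, the repeat of a dismissed anomaly is suppressed, while the novel anomaly and the one resembling a confirmed anomaly are both reported.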
20 Claims
1. A method comprising:
- receiving, at a device in a network, a notification of a particular anomaly detected by a distributed learning agent in the network that executes a machine learning-based anomaly detector to analyze traffic in the network;
- computing, by the device, one or more distance scores between the particular anomaly and one or more previously detected anomalies;
- computing, by the device, one or more relevance scores for the one or more previously detected anomalies;
- determining, by the device, a reporting score for the particular anomaly based on the one or more distance scores and on the one or more relevance scores; and
- reporting, by the device, the particular anomaly to a user interface based on the determined reporting score.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9

10. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
- a processor coupled to the network interfaces and configured to execute one or more processes; and
- a memory configured to store a process executable by the processor, the process when executed operable to:
  - receive a notification of a particular anomaly detected by a distributed learning agent in the network that executes a machine learning-based anomaly detector to analyze traffic in the network;
  - compute one or more distance scores between the particular anomaly and one or more previously detected anomalies;
  - compute one or more relevance scores for the one or more previously detected anomalies;
  - determine a reporting score for the particular anomaly based on the one or more distance scores and on the one or more relevance scores; and
  - report the particular anomaly to a user interface based on the determined reporting score.

Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18

19. A tangible, non-transitory, computer-readable medium storing program instructions that cause a device in a network to execute a process comprising:
- receiving, at the device, a notification of a particular anomaly detected by a distributed learning agent in the network that executes a machine learning-based anomaly detector to analyze traffic in the network;
- computing, by the device, one or more distance scores between the particular anomaly and one or more previously detected anomalies;
- computing, by the device, one or more relevance scores for the one or more previously detected anomalies;
- determining, by the device, a reporting score for the particular anomaly based on the one or more distance scores and on the one or more relevance scores; and
- reporting, by the device, the particular anomaly to a user interface based on the determined reporting score.

Dependent claims: 20

Specification