Intrusion detection system alerts mechanism
Abstract
A system and method for analyzing Intrusion Detection System (IDS) alert data associated with a computer network is described. The method includes applying first association rules to obtained IDS alert data associated with a computer network and processing the obtained IDS alert data with the first association rules. Analyst feedback data associated with the processed obtained IDS alert data is received, and a training data set from the analyst feedback data is received. New association rules are determined based upon the training data set, and the new association rules are outputted to a display of a computing device. Outputting the new association rules may include outputting patterns within the IDS alert data of false positive alerts. The new association rules may be applied back to the obtained IDS alert data.
20 Claims
1. A method for analyzing Intrusion Detection System (IDS) alert data associated with a computer network, the method comprising:
applying first association rules to obtained IDS alert data associated with a computer network;
processing the obtained IDS alert data with the first association rules;
receiving analyst feedback data associated with the processed obtained IDS alert data;
receiving a training data set from the analyst feedback data;
determining new association rules based upon the training data set; and
outputting the new association rules to a display of a computing device.
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A method for analyzing Intrusion Detection System (IDS) alert data associated with a computer network, the method comprising:
receiving a training data set with a single target variable and a group of categorical independent variables;
for a target variable T, a variable set V = {V1, V2, ..., Vn} and a cluster set for variable Vk = {C1, C2, ..., Cjk}, where jk is the total number of clusters for variable Vk, clustering each variable Vi;
receiving selected variables for processing;
setting a combination depth of 1;
for each cluster Ck of the selected variable Vi, checking each record in the training data set where record[Vi] = Ck and record[target] = T;
generating a new association rule Ck → T, wherein purity is equated to m/n, n being the count of records with record[Vi] = Ck and m the count of records with record[Vi] = Ck and record[target] = T; and
outputting the new association rule to a display of a computing device.
Dependent claims: 10, 11, 12
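The rule-mining step of claim 9 as an added worked example (not code from the patent): each distinct value of a categorical alert field is taken as one cluster Ck, the target T is the analyst's "false positive" verdict, and purity is m/n exactly as the claim defines it. The field names, label values, sample alerts and the depth > 1 generalization are assumptions made here.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample of analyst-reviewed IDS alerts (not data from the patent);
# field names and label values are assumptions, "analyst_label" is the feedback.
ALERTS = [
    {"signature": "scan_nmap",   "dst_port": "22",  "proto": "tcp", "analyst_label": "false_positive"},
    {"signature": "scan_nmap",   "dst_port": "22",  "proto": "tcp", "analyst_label": "false_positive"},
    {"signature": "scan_nmap",   "dst_port": "80",  "proto": "tcp", "analyst_label": "false_positive"},
    {"signature": "scan_nmap",   "dst_port": "22",  "proto": "tcp", "analyst_label": "true_positive"},
    {"signature": "exploit_smb", "dst_port": "445", "proto": "tcp", "analyst_label": "true_positive"},
    {"signature": "exploit_smb", "dst_port": "445", "proto": "tcp", "analyst_label": "true_positive"},
    {"signature": "policy_dns",  "dst_port": "53",  "proto": "udp", "analyst_label": "false_positive"},
    {"signature": "policy_dns",  "dst_port": "53",  "proto": "udp", "analyst_label": "false_positive"},
]

def mine_rules(records, target, target_value, variables, depth=1):
    """Rules 'condition -> target_value' with purity m/n, per claim 9.
    Each distinct value of a categorical variable is one cluster Ck (the claim
    leaves clustering open; an assumption). depth=1 gives claim 9's
    single-variable rules; depth>1 conjoins variables (a generalization)."""
    n_by_cond = defaultdict(int)  # n: records where record[Vi] == Ck
    m_by_cond = defaultdict(int)  # m: those with record[target] == T as well
    for rec in records:
        for chosen in combinations(variables, depth):
            cond = tuple((v, rec[v]) for v in chosen)
            n_by_cond[cond] += 1
            if rec[target] == target_value:
                m_by_cond[cond] += 1
    rules = [{"if": dict(cond), "then": target_value, "m": m_by_cond[cond],
              "n": n, "purity": m_by_cond[cond] / n} for cond, n in n_by_cond.items()]
    # Highest purity first, then widest support: strongest patterns top the display.
    rules.sort(key=lambda r: (-r["purity"], -r["n"]))
    return rules

def select_rules(rules, min_purity=1.0, min_n=2):
    """Keep rules pure and frequent enough to act on (thresholds are assumptions)."""
    return [r for r in rules if r["purity"] >= min_purity and r["n"] >= min_n]

def matches(rule, record):
    """Apply a mined rule back to an alert record, the abstract's final step."""
    return all(record.get(var) == val for var, val in rule["if"].items())

if __name__ == "__main__":
    rules = mine_rules(ALERTS, "analyst_label", "false_positive",
                       ["signature", "dst_port", "proto"])
    for r in select_rules(rules):
        hits = sum(matches(r, a) for a in ALERTS)
        print(f"{r['if']} -> {r['then']}  purity {r['m']}/{r['n']}, matches {hits} alerts")
```

A rule with purity 1.0 but n = 1 (here dst_port 80) is filtered out by select_rules, since a single analyst verdict is weak evidence that the pattern generalizes.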
13. One or more computer readable media storing computer executable instructions that, when executed by at least one processor, cause the at least one processor to perform a method comprising:
applying first association rules to obtained IDS alert data associated with a computer network;
processing the obtained IDS alert data with the first association rules;
receiving analyst feedback data associated with the processed obtained IDS alert data;
receiving a training data set from the analyst feedback data;
determining new association rules based upon the training data set; and
outputting the new association rules to a display of a computing device.
Dependent claims: 14, 15, 16, 17
18. A system comprising:
at least one database configured to maintain first association rules and new association rules;
at least one computing device, operatively connected to the at least one database, configured to:
apply the first association rules to obtained IDS alert data associated with a computer network;
process the obtained IDS alert data with the first association rules;
receive analyst feedback data associated with the processed obtained IDS alert data;
receive a training data set from the analyst feedback data;
determine the new association rules based upon the training data set; and
output the new association rules to a display of a computing device.
Dependent claims: 19, 20