Intrusion detection system alerts mechanism

US 7,991,726 B2
Filed: 11/30/2007
Issued: 08/02/2011
Est. Priority Date: 11/30/2007
Status: Active Grant

First Claim

Patent Images

1. A method for analyzing Intrusion Detection System (IDS) alert data associated with a computer network, the method comprising:

applying first association rules to obtained IDS alert data associated with a computer network;

processing the obtained IDS alert data with the first association rules;

receiving analyst feedback data associated with the processed obtained IDS alert data;

receiving a training data set from the analyst feedback data;

determining new association rules based upon the training data set; and

outputting the new association rules to a display of a computing device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for analyzing Intrusion Detection System (IDS) alert data associated with a computer network is described. The method includes applying first association rules to obtained IDS alert data associated with a computer network and processing the obtained IDS alert data with the first association rules. Analyst feedback data associated with the processed obtained IDS alert data is received, and a training data set from the analyst feedback data is received. New association rules are determined based upon the training data set, and the new association rules are outputted to a display of a computing device. Outputting the new association rules may include outputting patterns within the IDS alert data of false positive alerts. The new association rules may be applied back to the obtained IDS alert data.

Citations

20 Claims

1. A method for analyzing Intrusion Detection System (IDS) alert data associated with a computer network, the method comprising:
- applying first association rules to obtained IDS alert data associated with a computer network;
  
  processing the obtained IDS alert data with the first association rules;
  
  receiving analyst feedback data associated with the processed obtained IDS alert data;
  
  receiving a training data set from the analyst feedback data;
  
  determining new association rules based upon the training data set; and
  
  outputting the new association rules to a display of a computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising obtaining the IDS alert data associated with the computer network.
  - 3. The method of claim 1, further comprising applying the new association rules back to the obtained IDS alert data.
  - 4. The method of claim 1, further comprising receiving a group of categorical independent variables, wherein the determining new association rules is further based upon the group of categorical independent variables.
  - 5. The method of claim 1, wherein the outputting the new association rules includes outputting patterns within the IDS alert data of false positive alerts.
  - 6. The method of claim 5, wherein the outputting patterns includes providing a percentage of false positives.
  - 7. The method of claim 5, further comprising receiving selected variables for the determining new association rules.
  - 8. The method of claim 1, further comprising setting a combination depth for the determining new association rules.

9. A method for analyzing Intrusion Detection System (IDS) alert data associated with a computer network, the method comprising:
- receiving a training data set with a single target variable and a group of categorical independent variables;
  
  for a target variable T, a variable set V={V₁,V₂, . . . V_n} and a cluster set for variable V_k={C₁,C₂, . . . C_j_k}, where j_kis the total number of clusters for variable V_k, clustering each variable V_i;
  
  receiving selected variables for processing;
  
  setting a combination depth of 1;
  
  for each cluster C_kof the selected variable V_i, checking each record in the training data set where record[V_i]=C_kand record[target]=T;
  
  generating a new association rule C_k→
  
  T and purity is equated to m/n, wherein n is the count of records with record [V_i]=C_k, and m is the count of records with record [V_i]=C_kand record[target]=T; and
  
  outputting the new association rule to a display of a computing device.
- View Dependent Claims (10, 11, 12)
- - 10. The method of claim 9, further comprising increasing the combination depth by 1.
  - 11. The method of claim 10, further comprising:
    - for each two combination set {V_i,V_j} of the selected variable set V, checking each record in the training data set where record [V_i]=C_i_k, record[V_j]=C_j_t, and record[target]=T, where C_i_kis a cluster from variable V_iand C_j_tis a cluster from variable V_j;
      
      generating a new association rule [C_i_k, C_j_t]→
      
      T and purity is equated to m/n, wherein n is the count of records with record [V_i]=C_kand record [V_j]=C_t, and m is the count of records with record [V_i]=C_k, record [V_j]=C_t, and record[target]=T.
  - 12. The method of claim 11, further comprising increasing the combination depth to k, where k is greater than 2.

13. One or more computer readable media storing computer executable instructions that, when executed by at least one processor, cause the at least one processor to perform a method comprising:
- applying first association rules to obtained IDS alert data associated with a computer network;
  
  processing the obtained IDS alert data with the first association rules;
  
  receiving analyst feedback data associated with the processed obtained IDS alert data;
  
  receiving a training data set from the analyst feedback data;
  
  determining new association rules based upon the training data set; and
  
  outputting the new association rules to a display of a computing device.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The one or more computer readable media of claim 13, the method further comprising applying the new association rules back to the obtained IDS alert data.
  - 15. The one or more computer readable media of claim 13, the method further comprising receiving a group of categorical independent variables, wherein the determining new association rules is further based upon the group of categorical independent variables.
  - 16. The one or more computer readable media of claim 13,wherein the outputting the new association rules includes outputting patterns within the IDS alert data of false positive alerts,wherein the outputting patterns includes providing a percentage of false positives.
  - 17. The one or more computer readable media of claim 13, the method further comprising receiving a setting for a combination depth for the determining new association rules.

18. A system comprising:
- at least one database configured to maintain first association rules and new association rules;
  
  at least one computing device, operatively connected to the at least one database, configured to;
  
  apply the first association rules to obtained IDS alert data associated with a computer network;
  
  process the obtained IDS alert data with the first association rules;
  
  receive analyst feedback data associated with the processed obtained IDS alert data;
  
  receive a training data set from the analyst feedback data;
  
  determine the new association rules based upon the training data set; and
  
  output the new association rules to a display of a computing device.
- View Dependent Claims (19, 20)
- - 19. The system of claim 18, the at least one computing device further configured to apply the new association rules back to the obtained IDS alert data.
  - 20. The system of claim 18,wherein the output the new association rules includes being configured to output patterns within the IDS alert data of false positive alerts,wherein the output patterns includes being configured to output a percentage of false positives.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Catlett, Sean Kenric, Zhou, Mian
Primary Examiner(s)
HOLMES, MICHAEL B

Application Number

US11/948,538
Publication Number

US 20090144216A1
Time in Patent Office

1,341 Days
Field of Search

706/47
US Class Current

706/47
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

Intrusion detection system alerts mechanism

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Intrusion detection system alerts mechanism

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links