Cold start mechanism to prevent compromise of automatic anomaly detection systems
First Claim
1. A method, comprising:
analyzing, by a device in a network, data indicative of a behavior of the network using a supervised anomaly detection model, wherein the supervised anomaly detection model was trained using a set of labels applied to a set of input network metrics from a second network;
determining, by the device, whether the supervised anomaly detection model detected an anomaly in the network from the analyzed data; and
training, by the device, an unsupervised anomaly detection model, based on a determination that no anomalies were detected by the supervised anomaly detection model, wherein training the unsupervised anomaly detection model comprises:
observing, by the device, network behavior, in response to the determination that no anomalies were detected by the supervised anomaly detection model, and
using the observed network behavior of the network as a non-anomalous baseline for the unsupervised anomaly detection model.
1 Assignment
Abstract
In one embodiment, a device in a network analyzes data indicative of a behavior of a network using a supervised anomaly detection model. The device determines whether the supervised anomaly detection model detected an anomaly in the network from the analyzed data. The device trains an unsupervised anomaly detection model, based on a determination that no anomalies were detected by the supervised anomaly detection model.
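The gating described in the abstract, as an added example that is not taken from the patent: a supervised model trained on labelled metrics from a second network decides which learning-period windows may feed the unsupervised baseline, and the result is compared with a baseline learned without that gate. The nearest-centroid classifier, the z-score baseline, the per-window gating, the two metrics and every sample value are assumptions constructed for illustration.

```python
import statistics

# Constructed labelled metrics (pkts/s, SYN ratio) from a second network; 1 = anomaly.
REMOTE = [((100, 0.10), 0), ((120, 0.12), 0), ((90, 0.08), 0),
          ((900, 0.90), 1), ((1100, 0.85), 1), ((950, 0.95), 1)]

# Constructed observations from the local network during the learning period.
# The second window contains flood-like traffic.
WINDOWS = [[(105, 0.11), (98, 0.09), (110, 0.10)],
           [(102, 0.10), (1000, 0.92), (980, 0.90)],
           [(95, 0.10), (108, 0.12), (101, 0.09)]]

def train_supervised(samples):
    """Nearest-centroid classifier (assumed stand-in for the supervised model)."""
    cents = {}
    for label in (0, 1):
        pts = [x for x, y in samples if y == label]
        cents[label] = tuple(statistics.mean(c) for c in zip(*pts))
    scale = [max(c[i] for c in cents.values()) for i in range(2)]
    def predict(x):
        def dist(c):
            return sum(((a - b) / s) ** 2 for a, b, s in zip(x, c, scale))
        return min(cents, key=lambda lab: dist(cents[lab]))
    return predict

def build_baseline(windows, supervised=None):
    """Per-metric (mean, stdev) baseline. With a supervised model, a window
    is used only if that model detected no anomaly in it."""
    kept = [w for w in windows
            if supervised is None or not any(supervised(x) for x in w)]
    cols = zip(*[x for w in kept for x in w])
    return [(statistics.mean(c), statistics.pstdev(c) or 1e-9) for c in cols], len(kept)

def is_anomalous(baseline, x, z=3.0):
    """Unsupervised check: any metric more than z deviations from baseline."""
    return any(abs(v - m) / s > z for v, (m, s) in zip(x, baseline))

def demo():
    clf = train_supervised(REMOTE)
    gated, n_gated = build_baseline(WINDOWS, clf)
    naive, n_naive = build_baseline(WINDOWS)
    probe = (990, 0.91)  # constructed flood-like sample seen after learning
    return n_gated, n_naive, is_anomalous(gated, probe), is_anomalous(naive, probe)

if __name__ == "__main__":
    print(demo())
```

The ungated baseline absorbs the flood-like window, so its mean and deviation widen enough that the same traffic later scores as normal; the gated baseline excludes that window and still flags it.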
39 Citations
18 Claims
10. An apparatus, comprising:
one or more network interfaces to communicate with a network;
a processor coupled to the network interfaces and adapted to execute one or more processes; and
a memory configured to store a process executable by the processor, the process when executed configured to:
analyze data indicative of a behavior of the network using a supervised anomaly detection model, wherein the supervised anomaly detection model was trained using a set of labels applied to a set of input network metrics from a second network;
determine whether the supervised anomaly detection model detected an anomaly in the network from the analyzed data; and
train an unsupervised anomaly detection model, based on a determination that no anomalies were detected by the supervised anomaly detection model, wherein training the unsupervised anomaly detection model comprises:
observing, by the device, network behavior, in response to the determination that no anomalies were detected by the supervised anomaly detection model, and
using the observed network behavior of the network as a non-anomalous baseline for the unsupervised anomaly detection model.
18. A tangible, non-transitory, computer-readable media having software encoded thereon, the software when executed by a processor configured to:
analyze data indicative of a behavior of a network using a supervised anomaly detection model, wherein the supervised anomaly detection model was trained using a set of labels applied to a set of input network metrics from a second network;
determine whether the supervised anomaly detection model detected an anomaly in the network from the analyzed data; and
train an unsupervised anomaly detection model, based on a determination that no anomalies were detected by the supervised anomaly detection model, wherein training the unsupervised anomaly detection model comprises:
observing, by the device, network behavior, in response to the determination that no anomalies were detected by the supervised anomaly detection model, and
using the observed network behavior of the network as a non-anomalous baseline for the unsupervised anomaly detection model.
Specification