Anomaly detection in a network coupling state information with machine learning outputs
First Claim
1. A method, comprising:
receiving, at a device in a network, an output of an anomaly detection model produced by a machine learning algorithm, wherein the anomaly detection model detects anomalies in network traffic behavior;
retrieving, by the device, state information surrounding the output of the anomaly detection model, wherein the state information is information about the network retrieved from one or more devices in the network;
correlating, by the device, the retrieved state information with the output of the anomaly detection model produced by the machine learning algorithm;
based on the correlation, determining, by the device, whether the state information supports the output of the anomaly detection model to assess a performance of the anomaly detection model output, wherein the state information comprises information that was not used as input to the anomaly detection model;
detecting, by the device, a false positive in the anomaly detection model output based on the retrieved state information not supporting the anomaly detection output; and
dynamically retraining the anomaly detection model, by the device, to adjust the anomaly detection model produced by the machine learning algorithm when the false positive is detected.
Abstract
In one embodiment, a device in a network receives an output of an anomaly detection model. The device receives state information surrounding the output of the anomaly detection model. The device determines whether the state information supports the output of the anomaly detection model. The device causes the anomaly detection model to be adjusted based on a determination that the state information does not support the output of the anomaly detection model.
19 Claims
1. A method, comprising the steps recited under First Claim above.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. An apparatus, comprising:
one or more network interfaces to communicate with a network;
a processor coupled to the network interfaces and adapted to execute one or more processes; and
a memory configured to store a process executable by the processor, the process when executed configured to:
receive an output of an anomaly detection model produced by a machine learning algorithm, wherein the anomaly detection model detects anomalies in network traffic behavior;
retrieve state information surrounding the output of the anomaly detection model, wherein the state information is information about the network retrieved from one or more devices in the network;
correlate the retrieved state information with the output of the anomaly detection model produced by the machine learning algorithm;
based on the correlation, determine whether the state information supports the output of the anomaly detection model to assess a performance of the anomaly detection model output, wherein the state information comprises information that was not used as input to the anomaly detection model;
detect a false positive in the anomaly detection model output based on the retrieved state information not supporting the anomaly detection output; and
dynamically retrain the anomaly detection model to adjust the anomaly detection model produced by the machine learning algorithm when the false positive is detected.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18
19. A tangible, non-transitory, computer-readable media having software encoded thereon, the software when executed by a processor of a device configured to:
receive an output of an anomaly detection model produced by a machine learning algorithm, wherein the anomaly detection model detects anomalies in network traffic behavior;
retrieve state information surrounding the output of the anomaly detection model, wherein the state information is information about the network retrieved from one or more devices in the network;
correlate the retrieved state information with the output of the anomaly detection model produced by the machine learning algorithm;
based on the correlation, determine whether the state information supports the output of the anomaly detection model to assess a performance of the anomaly detection model output, wherein the state information comprises information that was not used as input to the anomaly detection model;
detect a false positive in the anomaly detection model output based on the retrieved state information not supporting the anomaly detection output; and
dynamically retrain the anomaly detection model to adjust the anomaly detection model produced by the machine learning algorithm when the false positive is detected.
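The loop the independent claims describe (model output, state information the model never saw, correlation, false-positive decision, retraining) as an added Python sketch. This is illustrative code written for this page, not the patent's or any vendor's implementation; the z-score model, the event kinds treated as benign explanations, the 300-second correlation window and all sample values are assumptions.

```python
import statistics
from dataclasses import dataclass

@dataclass
class AnomalyOutput:
    """Output of the anomaly detection model for one host and time window."""
    host: str
    t_start: int      # epoch seconds
    t_end: int
    score: float      # model's own anomaly score
    bytes_out: float  # the single feature the toy model looked at

@dataclass
class StateEvent:
    """State information retrieved from network devices; NOT a model input."""
    host: str
    time: int
    kind: str  # e.g. "scheduled_backup", "maintenance_window", "link_flap"

# Assumed: these state kinds are benign explanations for a traffic spike.
BENIGN_KINDS = {"scheduled_backup", "maintenance_window", "config_push"}

class ZScoreDetector:
    """Toy model: flags bytes_out more than k population std devs above baseline."""
    def __init__(self, baseline, k=3.0):
        self.baseline = list(baseline)
        self.k = k
    def score(self, bytes_out):
        mu = statistics.mean(self.baseline)
        sd = statistics.pstdev(self.baseline) or 1.0
        return (bytes_out - mu) / sd
    def is_anomaly(self, bytes_out):
        return self.score(bytes_out) > self.k
    def retrain(self, bytes_out):
        # Dynamic retraining: fold the falsely flagged window into the baseline.
        self.baseline.append(bytes_out)

def correlate(output, events, window=300):
    """State events on the same host within +/- window seconds of the output."""
    return [e for e in events if e.host == output.host
            and output.t_start - window <= e.time <= output.t_end + window]

def assess(output, events):
    """Returns (supported, explaining_events); unsupported means false positive."""
    explained = [e for e in correlate(output, events) if e.kind in BENIGN_KINDS]
    return (len(explained) == 0, explained)

def handle(detector, output, events):
    supported, _ = assess(output, events)
    if not supported:
        detector.retrain(output.bytes_out)
        return "false_positive"
    return "anomaly"
```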
Specification