Remediating false positives of intrusion detection systems with guest introspection

US11463300B2 · US · B2

Patent metadata

Field                 Value
Publication number    US-11463300-B2
Application number    US-202016927542-A
Country               US
Kind code             B2
Filing date           Jul 13, 2020
Priority date         Jul 13, 2020
Publication date      Oct 4, 2022
Grant date            Oct 4, 2022

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

The disclosure provides an approach for remediating false positives for a network security monitoring component. Embodiments include receiving an alert related to network security for a virtual computing instance (VCI). Embodiments include collecting, in response to receiving the alert, context information from the VCI. Embodiments include providing a notification to a management plane based on the alert and the context information. Embodiments include receiving, from the management plane, in response to the notification, an indication of whether the alert is a false positive. Embodiments include training a model based on the alert, the context information, and the indication to determine whether a given alert is a false positive.

First claim

Opening claim text (preview).

We claim:

1. A method of remediating false positives for a network security monitoring component, comprising: receiving, by a host, an alert related to network security for a virtual computing instance (VCI) on the host, wherein the alert was generated by an intrusion detection system (IDS) running on the host based on a signature associated with a potential security threat; collecting, by the host, in response to receiving the alert, context information from the VCI; providing, by the host, a notification to a management plane based on the alert and the context information; receiving, by the host, from the management plane, in response to the notification, an indication of whether the alert is a false positive; and training, by the host, a machine learning model based on the alert, the context information, and the indication to determine whether a given alert is a false positive, wherein the training comprises: providing inputs to the machine learning model based on the alert and the context information; receiving, from the machine learning model, based on the inputs, one or more outputs indicating whether the alert is a false positive; comparing the one or more outputs to the indication; and adjusting one or more parameters of the machine learning model based on the comparing until an output of the one or more outputs matches the indication or until one or more other conditions are met.

2. The method of claim 1, wherein the context information comprises one or more of: files read; files written; user information; application information; an operating system; version information; a protocol; a network event; or a process event.

3. The method of claim 1, wherein the context information is collected via a multiplexer (MUX).

4. The method of claim 1, further comprising registering with a thin agent in the VCI, wherein the context information is collected from the thin agent.

5. The method of claim 1, further comprising: receiving a new alert related to network security for the VCI; providing features related to the new alert as inputs to the machine learning model; and receiving a given output from the machine learning model indicating whether the new alert is a false positive.

6. The method of claim 5, further comprising: determining that the given output from the machine learning model indicates that the new alert is a false positive; and performing one or more of: discarding the new alert; or notifying the management plane that the new alert is a false positive.

7. The method of claim 5, further comprising: determining that the given output from the machine learning model indicates that the new alert is not a false positive; and notifying the management plane of the new alert.

8. The method of claim 1, further comprising notifying the management plane based on a given output from the machine learning model indicating that a new alert is a false positive.

9. The method of claim 8, wherein notifying the management plane based on the given output from the machine learning model is further based on determining that a plurality of alerts generated by the IDS based on the signature are indicated, by a plurality of outputs from the machine learning model, to be false positives.

10. An apparatus for remediating false positives, comprising: an event and correlation engine of a host, the event and correlation engine configured to: receive an alert related to network security for a virtual computing instance (VCI) on the host, wherein the alert was generated by an intrusion detection system (IDS) running on the host based on a signature associated with a potential security threat; collect, in response to receiving the alert, context information from the VCI; and provide a notification to a management plane based on the alert and the context information; and a machine learning engine of the host, the machine learning engine configured to: receive, from the management plane, based on the notification, an indication of whether the alert is a false positive; and train a machine learning model based on the alert, the context information, and the indication to determine whether a given alert is a false positive, wherein the training comprises: providing inputs to the machine learning model based on the alert and the context information; receiving, from the machine learning model, based on the inputs, one or more outputs indicating whether the alert is a false positive; comparing the one or more outputs to the indication; and adjusting one or more parameters of the machine learning model based on the comparing until an output of the one or more outputs matches the indication or until one or more other conditions are met.

11. The apparatus of claim 10, wherein the context information comprises one or more of: files read; files written; user information; application information; an operating system; version information; a protocol; a network event; or a process event.

12. The apparatus of claim 10, wherein the context information is collected via a multiplexer (MUX).

13. The apparatus of claim 10, wherein the event and correlation engine is further configured to register with a thin agent in the VCI, wherein the context information is collected from the thin agent.

14. The apparatus of claim 10, wherein the machine learning engine is further configured to: receive a new alert related to network security for the VCI; provide features related to the new alert as inputs to the machine learning model; and receive a given output from the machine learning model indicating whether the new alert is a false positive.

15. The apparatus of claim 14, wherein the machine learning engine is further configured to: determine that the given output from the machine learning model indicates that the new alert is a false positive; and perform one or more of: discarding the new alert; or notifying the management plane that the new alert is a false positive.

16. The apparatus of claim 14, wherein the machine learning engine is further configured to: determine that the given output from the machine learning model indicates that the new alert is not a false positive; and notify the management plane of the new alert.

17. A non-transitory computer-readable medium comprising instructions that, when executed by one or more processors of a computing system, cause the computing system to perform a method for remediating false positives for a network security monitoring component, comprising: receiving, by a host, an alert related to network security for a virtual computing instance (VCI) on the host, wherein the alert was generated by an intrusion detection system (IDS) running on the host based on a signature associated with a potential security threat; collecting, by the host, in response to receiving the alert, context information from the VCI; providing, by the host, a notification to a management plane based on the alert and the context information; receiving, by the host, from the management plane, in response to the notification, an indication of whether the alert is a false positive; and training, by the host, a machine learning model based on the alert, the context information, and the indication to determine whether a given alert is a false positive, wherein the training comprises: providing inputs to the machine learning model based on the alert and the context information; receiving, from the machine learning model, based on the inputs, one or more outputs indicating whether the alert is a f
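The abstract and claims describe a closed loop on the host: an IDS alert for a VCI is enriched with guest context (claim 2's files, user, application, OS, version, protocol, network and process events, collected through a thin agent or MUX), reported to the management plane, labelled there as a false positive or not, and used to train a model whose parameters are adjusted until its output matches the label or another stop condition is hit; later alerts are scored by that model, discarded or forwarded (claims 5 to 7), and a signature that keeps producing model-flagged false positives is reported back (claim 9). The following is an added example written for this page, not VMware's implementation: it uses a small logistic-regression model over sparse features, a dictionary standing in for the thin agent, a callable standing in for the management plane, and constructed alerts and guest contexts; the signature id 2001, the VCI names, the thresholds and the verdict rule are all assumptions.

```python
# Added example, not VMware's code: the host-side loop described by the abstract and
# claims. An IDS alert for a VCI is enriched with guest context, sent to the management
# plane for a verdict, used to train a model, and later alerts are scored by that model;
# a signature whose alerts keep scoring as false positives is flagged for review (claim 9).
# Every name, threshold and sample record below is a constructed assumption.
import math
from collections import Counter, defaultdict


def dir_of(path):
    """Keep only the directory: new file names in a known location then share one
    feature (assumption: the directory, not the file name, is the stable signal)."""
    head, sep, _ = path.replace("\\", "/").rpartition("/")
    return head or ("/" if sep else ".")


def featurize(alert, ctx):
    """Sparse binary features from the alert plus the claim-2 context fields."""
    feats = {f"sig={alert['signature_id']}", f"proto={alert.get('protocol', '?')}"}
    for key in ("user", "application", "os", "version", "process_event", "network_event"):
        feats.add(f"{key}={ctx.get(key, '?')}")
    feats |= {f"read_dir={dir_of(p)}" for p in ctx.get("files_read", [])}
    feats |= {f"write_dir={dir_of(p)}" for p in ctx.get("files_written", [])}
    return feats


class FalsePositiveModel:
    """Logistic regression over sparse features; an output near 1.0 means false positive."""

    def __init__(self, lr=0.5):
        self.w, self.b, self.lr = defaultdict(float), 0.0, lr

    def score(self, feats):
        return 1.0 / (1.0 + math.exp(-(self.b + sum(self.w[f] for f in feats))))

    def fit(self, labelled, max_epochs=200, tolerance=0.2):
        """Claim-1 loop: compare each output with the management-plane indication and adjust
        parameters until every output matches it (within tolerance) or the epoch budget,
        the claim's 'other condition', runs out. Returns the number of epochs used."""
        for epoch in range(max_epochs):
            adjusted = False
            for feats, is_fp in labelled:
                err = self.score(feats) - (1.0 if is_fp else 0.0)
                if abs(err) >= tolerance:
                    for f in feats:
                        self.w[f] -= self.lr * err
                    self.b -= self.lr * err
                    adjusted = True
            if not adjusted:
                return epoch
        return max_epochs


class HostEngine:
    """Event-and-correlation engine plus ML engine of one host (claim 10)."""

    def __init__(self, thin_agent, management_plane, min_samples=4, fp_threshold=3):
        self.thin_agent = thin_agent              # vci_id -> context; stands in for the MUX/thin-agent path
        self.management_plane = management_plane  # (alert, ctx) -> True when the analyst calls it a false positive
        self.model, self.labelled = FalsePositiveModel(), []
        self.min_samples, self.fp_threshold = min_samples, fp_threshold
        self.fp_by_signature = Counter()

    def _notify_and_learn(self, alert, feats, ctx):
        is_fp = self.management_plane(alert, ctx)   # notification out, indication back
        self.labelled.append((feats, is_fp))
        self.model.fit(self.labelled)
        return "labelled_false_positive" if is_fp else "labelled_true_positive"

    def handle_alert(self, alert):
        ctx = self.thin_agent(alert["vci"])          # collect context in response to the alert
        feats = featurize(alert, ctx)
        if len(self.labelled) < self.min_samples or self.model.score(feats) < 0.5:
            return self._notify_and_learn(alert, feats, ctx)   # still learning, or claim 7: forward it
        sig = alert["signature_id"]                  # claim 6: discard; claim 9: flag a noisy signature
        self.fp_by_signature[sig] += 1
        return "signature_review_requested" if self.fp_by_signature[sig] == self.fp_threshold else "discarded_false_positive"


# Constructed guest context per VCI, i.e. what a thin agent would report.
GUEST_CONTEXT = {
    "vci-backup": {"user": "svc_backup", "application": "backup-agent", "os": "Linux", "version": "5.4",
                   "process_event": "exec:/opt/backup/agent", "network_event": "connect:10.0.5.20:445",
                   "files_read": ["/var/lib/app/data.db"], "files_written": ["/var/backups/app-0713.tar"]},
    "vci-web": {"user": "www-data", "application": "nginx", "os": "Linux", "version": "5.4",
                "process_event": "exec:/bin/sh", "network_event": "connect:198.51.100.7:445",
                "files_read": ["/etc/passwd"], "files_written": ["/tmp/.x/payload"]},
}


def management_plane(alert, ctx):
    """Stand-in analyst verdict: the scheduled backup agent's SMB traffic is benign (assumption)."""
    return ctx["application"] == "backup-agent"


def make_alert(vci_id, flow_id):
    # 2001 is a made-up id for a constructed "SMB bulk transfer" signature.
    return {"vci": vci_id, "signature_id": 2001, "protocol": "smb", "flow_id": flow_id}


def run_demo():
    """Four labelled alerts, then scoring: backup hits are discarded and the signature is flagged on the third."""
    engine = HostEngine(lambda vci: GUEST_CONTEXT[vci], management_plane)
    order = ["vci-backup", "vci-web", "vci-backup", "vci-web", "vci-backup", "vci-backup", "vci-backup", "vci-web"]
    return [engine.handle_alert(make_alert(vci, i)) for i, vci in enumerate(order)]
```

The first four alerts all go to the management plane because the model has too few labels; afterwards the same SMB signature firing on the backup VCI is scored as a false positive and discarded, the third such hit triggers the claim-9 signature review, and the hit on the web server (shell spawned as www-data, write under /tmp) still scores as a true positive and is forwarded. The points worth keeping from the claims are that labels come only from the management plane, never from the model's own output, and that a model-predicted true positive is always forwarded, so the learned filter can only suppress alerts it was explicitly taught to suppress.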

Assignees

Vmware Inc
Inventors

Classifications

  • Event detection, e.g. attack signature detection · CPC title

  • the faulty arrangement being the maintenance, administration or management system · CPC title

  • H04L41/145 (primary) · involving simulating, designing, planning or modelling of a network · CPC title

  • using virtualisation of network functions or resources, e.g. SDN or NFV entities · CPC title

  • Configuration of triggering conditions · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11463300B2 cover?
The disclosure provides an approach for remediating false positives for a network security monitoring component. Embodiments include receiving an alert related to network security for a virtual computing instance (VCI). Embodiments include collecting, in response to receiving the alert, context information from the VCI. Embodiments include providing a notification to a management plane based on…
Who is the assignee on this patent?
Vmware Inc
What technology area does this patent fall under?
Primary CPC classification H04L41/145. Mapped technology areas include Electricity.
When was this patent published?
Publication date Oct 4, 2022 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 7 related publications on this page (citations in our corpus or others sharing the same primary CPC).