Remediating false positives of intrusion detection systems with guest introspection

US2022014425A1 · US · A1

Patent metadata

Publication number: US-2022014425-A1
Application number: US-202016927542-A
Country: US
Kind code: A1
Filing date: Jul 13, 2020
Priority date: Jul 13, 2020
Publication date: Jan 13, 2022
Grant date: (none listed)

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

The disclosure provides an approach for remediating false positives for a network security monitoring component. Embodiments include receiving an alert related to network security for a virtual computing instance (VCI). Embodiments include collecting, in response to receiving the alert, context information from the VCI. Embodiments include providing a notification to a management plane based on the alert and the context information. Embodiments include receiving, from the management plane, in response to the notification, an indication of whether the alert is a false positive. Embodiments include training a model based on the alert, the context information, and the indication to determine whether a given alert is a false positive.

Claims

Claim text (preview; the listing is truncated on this page).

1. A method of remediating false positives for a network security monitoring component, comprising: receiving an alert related to network security for a virtual computing instance (VCI); collecting, in response to receiving the alert, context information from the VCI; providing a notification to a management plane based on the alert and the context information; receiving, from the management plane, in response to the notification, an indication of whether the alert is a false positive; and training a machine learning model based on the alert, the context information, and the indication to determine whether a given alert is a false positive, wherein the training comprises: providing inputs to the machine learning model based on the alert and the context information; receiving, from the machine learning model based on the inputs, one or more outputs indicating whether the alert is a false positive; comparing the one or more outputs to the indication; and adjusting one or more parameters of the machine learning model based on the comparing until an output of the one or more outputs matches the indication or until one or more other conditions are met.

2. The method of claim 1, wherein the context information comprises one or more of: files read; files written; user information; application information; an operating system; version information; a protocol; a network event; or a process event.

3. The method of claim 1, wherein the context information is collected via a multiplexer (MUX).

4. The method of claim 1, further comprising registering with a thin agent in the VCI, wherein the context information is collected from the thin agent.

5. The method of claim 1, further comprising: receiving a new alert related to network security for the VCI; providing features related to the new alert as inputs to the machine learning model; and receiving an output from the machine learning model indicating whether the new alert is a false positive.

6. The method of claim 5, further comprising: determining that the output from the machine learning model indicates that the new alert is a false positive; and performing one or more of: discarding the new alert; or notifying the management plane that the new alert is a false positive.

7. The method of claim 5, further comprising: determining that the output from the machine learning model indicates that the new alert is not a false positive; and notifying the management plane of the new alert.

8. An apparatus for remediating false positives, comprising: an event and correlation engine configured to: receive an alert related to network security for a virtual computing instance (VCI); collect, in response to receiving the alert, context information from the VCI; and provide a notification to a management plane based on the alert and the context information; and a machine learning engine configured to: receive, from the management plane, based on the notification, an indication of whether the alert is a false positive; and train a machine learning model based on the alert, the context information, and the indication to determine whether a given alert is a false positive, wherein the training comprises: providing inputs to the machine learning model based on the alert and the context information; receiving, from the machine learning model, based on the inputs, one or more outputs indicating whether the alert is a false positive; comparing the one or more outputs to the indication; and adjusting one or more parameters of the machine learning model based on the comparing until an output of the one or more outputs matches the indication or until one or more other conditions are met.

9. The apparatus of claim 8, wherein the context information comprises one or more of: files read; files written; user information; application information; an operating system; version information; a protocol; a network event; or a process event.

10. The apparatus of claim 8, wherein the context information is collected via a multiplexer (MUX).

11. The apparatus of claim 8, wherein the event and correlation engine is further configured to register with a thin agent in the VCI, wherein the context information is collected from the thin agent.

12. The apparatus of claim 8, wherein the machine learning engine is further configured to: receive a new alert related to network security for the VCI; provide features related to the new alert as inputs to the machine learning model; and receive an output from the machine learning model indicating whether the new alert is a false positive.

13. The apparatus of claim 12, wherein the machine learning engine is further configured to: determine that the output from the machine learning model indicates that the new alert is a false positive; and perform one or more of: discarding the new alert; or notifying the management plane that the new alert is a false positive.

14. The apparatus of claim 12, wherein the machine learning engine is further configured to: determine that the output from the machine learning model indicates that the new alert is not a false positive; and notify the management plane of the new alert.

15. A non-transitory computer-readable medium comprising instructions that, when executed by one or more processors of a computing system, cause the computing system to perform a method for remediating false positives for a network security monitoring component, comprising: receiving an alert related to network security for a virtual computing instance (VCI); collecting, in response to receiving the alert, context information from the VCI; providing a notification to a management plane based on the alert and the context information; receiving, from the management plane, in response to the notification, an indication of whether the alert is a false positive; and training a machine learning model based on the alert, the context information, and the indication to determine whether a given alert is a false positive, wherein the training comprises: providing inputs to the machine learning model based on the alert and the context information; receiving, from the machine learning model, based on the inputs, one or more outputs indicating whether the alert is a false positive; comparing the one or more outputs to the indication; and adjusting one or more parameters of the machine learning model based on the comparing until an output of the one or more outputs matches the indication or until one or more other conditions are met.

16. The non-transitory computer-readable medium of claim 15, wherein the context information comprises one or more of: files read; files written; user information; application information; an operating system; version information; a protocol; a network event; or a process event.

17. The non-transitory computer-readable medium of claim 15, wherein the context information is collected via a multiplexer (MUX).

18. The non-transitory computer-readable medium of claim 15, wherein the method further comprises registering with a thin agent in the VCI, wherein the context information is collected from the thin agent.

19. The non-transitory computer-readable medium of claim 15, wherein the method further comprises: receiving a new alert related to network security for the VCI; providing features related to the new alert as inputs to the machine learning model; and receiving an output fro
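The train-until-it-matches loop of claim 1 and the discard-or-notify path of claims 5 to 7, as an added Python example that is not the patent's or VMware's code; the 0/1 feature encoding of the claim 2 context kinds, the perceptron, and the analyst verdicts are constructed assumptions:

```python
from dataclasses import dataclass, field
# Context kinds from claim 2 reduced to 0/1 features (constructed encoding).
FEATURES = ["wrote_files", "admin_user", "signed_app", "http_proto", "net_event", "proc_event"]

def collect_context(thin_agent_snapshot):
    """Claim 4 stand-in: context the thin agent reports for the alerted VCI."""
    return {k: int(bool(thin_agent_snapshot.get(k, False))) for k in FEATURES}

@dataclass
class FalsePositiveModel:
    """Single-layer perceptron; the claims fix no model type, so this is an assumption."""
    w: dict = field(default_factory=lambda: {k: 0.0 for k in FEATURES})
    bias: float = 0.0
    lr: float = 0.5

    def is_false_positive(self, ctx):
        return self.bias + sum(self.w[k] * ctx[k] for k in FEATURES) > 0

    def train(self, ctx, indication, max_rounds=20):
        """Claim 1 loop: infer, compare with the management plane's indication, adjust
        parameters until the output matches or max_rounds (the 'other condition') is hit."""
        for rounds in range(max_rounds):
            if self.is_false_positive(ctx) == indication:
                return rounds  # number of adjustments that were needed
            step = self.lr if indication else -self.lr
            for k in FEATURES:
                self.w[k] += step * ctx[k]
            self.bias += step
        return max_rounds

def handle_alert(model, alert_id, snapshot, notified):
    """Claims 5-7: classify a new alert; discard it as a false positive or escalate it."""
    if model.is_false_positive(collect_context(snapshot)):
        return "discarded"
    notified.append(alert_id)  # notify the management plane (constructed stand-in: a log)
    return "notified"

def run_demo():
    # Constructed labelled history: id -> (thin-agent snapshot, verdict; True = false positive).
    history = {"a1": ({"wrote_files": 1, "admin_user": 1, "signed_app": 1, "http_proto": 1, "net_event": 1}, True),
               "a2": ({"wrote_files": 1, "net_event": 1, "proc_event": 1}, False),
               "a3": ({"admin_user": 1, "signed_app": 1, "http_proto": 1}, True)}
    model, notified = FalsePositiveModel(), []
    for _ in range(10):  # pass over the history until an epoch makes no adjustment
        if sum(model.train(collect_context(s), v) for s, v in history.values()) == 0:
            break
    benign = handle_alert(model, "n1", {"admin_user": 1, "signed_app": 1, "http_proto": 1, "wrote_files": 1}, notified)
    suspect = handle_alert(model, "n2", {"proc_event": 1, "net_event": 1}, notified)
    return benign, suspect, notified, model
```

The epoch loop is the only part that reaches beyond the claims: claim 1 describes the adjustment loop for one alert, and repeating it over the labelled history is the ordinary way to train on more than one verdict.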

Assignees

Inventors

Classifications

  • of virtualised topologies, e.g. software-defined networks [SDN] or network function virtualisation [NFV] · CPC title

  • using virtualisation of network functions or resources, e.g. SDN or NFV entities · CPC title

  • by additionally acting on or stimulating the network after receiving notifications · CPC title

  • H04L41/145 (Primary): involving simulating, designing, planning or modelling of a network · CPC title

  • Event detection, e.g. attack signature detection · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2022014425A1 cover?
The disclosure provides an approach for remediating false positives for a network security monitoring component. Embodiments include receiving an alert related to network security for a virtual computing instance (VCI). Embodiments include collecting, in response to receiving the alert, context information from the VCI. Embodiments include providing a notification to a management plane based on…
Who is the assignee on this patent?
Vmware Inc
What technology area does this patent fall under?
Primary CPC classification H04L41/0645. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jan 13, 2022 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).