Hierarchical event detection in a computer network
US-2015193696-A1 · Jul 9, 2015 · US
US9923910B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9923910-B2 |
| Application number | US-201514874591-A |
| Country | US |
| Kind code | B2 |
| Filing date | Oct 5, 2015 |
| Priority date | Oct 5, 2015 |
| Publication date | Mar 20, 2018 |
| Grant date | Mar 20, 2018 |
Abstract
In one embodiment, a device in a network analyzes data regarding a detected anomaly in the network. The device determines whether the detected anomaly is a false positive. The device generates a white label for the detected anomaly based on a determination that the detected anomaly is a false positive. The device causes one or more alerts regarding the detected anomaly to be suppressed using the generated white label for the anomaly.
Claims
What is claimed is:

1. A method, comprising: analyzing, by a device in a network, data regarding a detected anomaly at a distributed learning agent (DLA) of a plurality of DLAs in the network; determining, by the device, whether the detected anomaly is a false positive; generating, by the device, a white label for the detected anomaly based on a determination that the detected anomaly is a false positive; selecting, by the device, a subset of the plurality of DLAs to receive the white label based on each DLA of the subset observing traffic in the network from similar vantage points, wherein the subset of DLAs is selected based on topology information regarding the network and potential network overhead attributable to the one or more distributed learning agents sending alerts in response to detecting the anomaly; and causing, by the device, one or more alerts regarding the detected anomaly to be suppressed at the subset of DLAs using the generated white label for the anomaly.
2. The method as in claim 1, wherein analyzing the data regarding the detected anomaly comprises: receiving, at the device, the data regarding the detected anomaly from the DLA via an anomaly detection alert.
3. The method as in claim 1, wherein determining whether the detected anomaly is a false positive comprises: providing, by the device, the data regarding the detected anomaly to a user interface; and receiving, at the device, an indication as to whether or not the detected anomaly is a false positive.
4. The method as in claim 1, wherein the white label is configured to cause the subset of DLAs in the network to at least one of: suppress every alert matching the white label, suppress alerts matching the white label sent at a rate that is below a threshold alert rate, or suppress alerts matching the white label for a time period.
5. The method as in claim 1, further comprising: selecting the subset of DLAs to receive the white label based on the device receiving one or more alerts regarding the anomaly from the one or more selected distributed learning agents.
6. The method as in claim 1, wherein causing the one or more alerts regarding the detected anomaly to be suppressed comprises: suppressing, by the device, an alert received by the device regarding the anomaly based on the generated white label.
7. The method as in claim 1, wherein determining whether the detected anomaly is a false positive comprises: determining, by the device, whether the detected anomaly is correlated to one or more other detected anomalies in the network.
8. An apparatus, comprising: one or more network interfaces to communicate with a network; a processor coupled to the network interfaces and adapted to execute one or more processes; and a memory configured to store a process executable by the processor, the process when executed configured to: analyze data regarding a detected anomaly at a distributed learning agent (DLA) of a plurality of DLAs in the network; determine whether the detected anomaly is a false positive; generate a white label for the detected anomaly based on a determination that the detected anomaly is a false positive; select a subset of the plurality of DLAs to receive the white label based on each DLA of the subset observing traffic in the network from similar vantage points, wherein the subset of DLAs is selected based on topology information regarding the network and potential network overhead attributable to the one or more distributed learning agents sending alerts in response to detecting the anomaly; and cause one or more alerts regarding the detected anomaly to be suppressed at the subset of DLAs using the generated white label for the anomaly.
9. The apparatus as in claim 8, wherein the apparatus analyzes the data regarding the detected anomaly by receiving the data regarding the detected anomaly from the DLA via an anomaly detection alert.
10. The apparatus as in claim 8, wherein the apparatus determines whether the detected anomaly is a false positive by: providing the data regarding the detected anomaly to a user interface; and receiving an indication as to whether or not the detected anomaly is a false positive.
11. The apparatus as in claim 8, wherein the white label is configured to cause the subset of DLAs to at least one of: suppress every alert matching the white label, suppress alerts matching the white label sent at a rate that is below a threshold alert rate, or suppress alerts matching the white label for a time period.
12. The apparatus as in claim 8, wherein the process when executed is further configured to: select the subset of DLAs to receive the white label based on the device receiving one or more alerts regarding the anomaly from the one or more selected distributed learning agents.
13. The apparatus as in claim 8, wherein the apparatus is configured to suppress locally an alert received by the apparatus regarding the anomaly based on the generated white label.
14. The apparatus as in claim 8, wherein the apparatus determines whether the detected anomaly is a false positive by determining whether the detected anomaly is correlated to one or more other detected anomalies in the network.
15. A tangible, non-transitory, computer-readable media having software encoded thereon, the software when executed by a processor configured to: analyze data regarding a detected anomaly at a distributed learning agent (DLA) of a plurality of DLAs in the network; determine whether the detected anomaly is a false positive; generate a white label for the detected anomaly based on a determination that the detected anomaly is a false positive; select a subset of the plurality of DLAs to receive the white label based on each DLA of the subset observing traffic in the network from similar vantage points, wherein the subset of DLAs is selected based on topology information regarding the network and potential network overhead attributable to the one or more distributed learning agents sending alerts in response to detecting the anomaly; and cause one or more alerts regarding the detected anomaly to be suppressed at the subset of DLAs using the generated white label for the anomaly.
16. The tangible, non-transitory, computer-readable media as in claim 15, wherein the white label is configured to cause the subset of DLAs to at least one of: suppress every alert matching the white label, suppress alerts matching the white label sent at a rate that is below a threshold alert rate, or suppress alerts matching the white label for a time period.
17. The tangible, non-transitory, computer-readable media as in claim 15, wherein the process when executed is further configured to: select the subset of DLAs to receive the white label based on the device receiving one or more alerts regarding the anomaly from the one or more selected distributed learning agents.
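Added example (not code from the patent or its assignee) of how a DLA could apply a received white label under the three suppression modes of claims 4, 11 and 16: suppress every matching alert, suppress while the matching-alert rate stays below a threshold, or suppress for a time period. The alert field names, the label encoding and the sample alerts are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class WhiteLabel:
    """White label pushed to a DLA by the central device (assumed encoding)."""
    match: dict                   # attribute/value pairs an alert must carry
    mode: str                     # "all", "rate" or "timed" (claim 4 modes)
    rate_threshold: int = 0       # rate mode: suppress while fewer than this per window
    window_s: float = 60.0        # rate mode: sliding window length in seconds
    expires_at: float = 0.0       # timed mode: suppress alerts until this timestamp
    _seen: deque = field(default_factory=deque, init=False)

    def matches(self, alert: dict) -> bool:
        return all(alert.get(k) == v for k, v in self.match.items())

    def suppresses(self, alert: dict, now: float) -> bool:
        if not self.matches(alert):
            return False
        if self.mode == "all":
            return True
        if self.mode == "timed":
            return now < self.expires_at
        if self.mode == "rate":
            # Count matching alerts inside the window; a burst above the
            # threshold is forwarded because the benign pattern no longer holds.
            self._seen.append(now)
            while self._seen and now - self._seen[0] > self.window_s:
                self._seen.popleft()
            return len(self._seen) < self.rate_threshold
        raise ValueError(f"unknown white-label mode {self.mode!r}")


def filter_alerts(alerts: list, labels: list) -> list:
    """Alerts the DLA still forwards; the rest are suppressed locally."""
    return [a for a in alerts if not any(l.suppresses(a, a["ts"]) for l in labels)]


def run_sample() -> list:
    """Constructed sample: three labels and seven alerts seen by one DLA."""
    labels = [
        WhiteLabel({"anomaly_type": "dns_burst", "src": "10.0.0.5"}, "all"),
        WhiteLabel({"anomaly_type": "scan"}, "timed", expires_at=100.0),
        WhiteLabel({"anomaly_type": "flow_spike"}, "rate", rate_threshold=3),
    ]
    alerts = [
        {"ts": 0.0, "anomaly_type": "dns_burst", "src": "10.0.0.5"},   # suppressed
        {"ts": 5.0, "anomaly_type": "dns_burst", "src": "10.0.0.9"},   # other host: forwarded
        {"ts": 30.0, "anomaly_type": "scan", "src": "10.0.0.7"},       # inside time period
        {"ts": 120.0, "anomaly_type": "scan", "src": "10.0.0.7"},      # period expired
        {"ts": 200.0, "anomaly_type": "flow_spike"},                   # 1st in window
        {"ts": 210.0, "anomaly_type": "flow_spike"},                   # 2nd in window
        {"ts": 220.0, "anomaly_type": "flow_spike"},                   # 3rd: threshold reached
    ]
    return filter_alerts(alerts, labels)
```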
CPC classification titles:

- Traffic logging, e.g. anomaly detection
- Event detection, e.g. attack signature detection