-
Publication No.: US20150222477A1
Publication date: 2015-08-06
Application No.: US14172110
Filing date: 2014-02-04
Applicant: Cisco Technology, Inc.
Inventor: Rajeev Ranjan, Manoj Kumar Kushwaha
IPC: H04L12/24
CPC classification number: H04L41/0613, H04L41/0631
Abstract: In one embodiment, a device receives a plurality of network alerts over a time frame. A sliding transaction window is used across the time frame to associate each network alert occurring within the transaction window with one or more transactions. A pruning test is applied to subsets of the plurality of network alerts, with the network alerts in a given subset being associated with the same transaction. The pruning test is based in part on the number of co-occurrences of network alerts in a given subset for different transaction windows. The subsets of network alerts are assigned to network alert clusters based on the applied pruning test. The network alerts are then joined within a network alert cluster to identify the largest grouping of network alerts that pass the pruning test. A notification that the identified grouping of network alerts is associated with the same transaction is also provided.
-
Publication No.: US09794113B2
Publication date: 2017-10-17
Application No.: US14172110
Filing date: 2014-02-04
Applicant: Cisco Technology, Inc.
Inventor: Rajeev Ranjan, Manoj Kumar Kushwaha
IPC: G06F15/173, H04L12/24
CPC classification number: H04L41/0613, H04L41/0631
Abstract: In one embodiment, a device receives a plurality of network alerts over a time frame. A sliding transaction window is used across the time frame to associate each network alert occurring within the transaction window with one or more transactions. A pruning test is applied to subsets of the plurality of network alerts, with the network alerts in a given subset being associated with the same transaction. The pruning test is based in part on the number of co-occurrences of network alerts in a given subset for different transaction windows. The subsets of network alerts are assigned to network alert clusters based on the applied pruning test. The network alerts are then joined within a network alert cluster to identify the largest grouping of network alerts that pass the pruning test. A notification that the identified grouping of network alerts is associated with the same transaction is also provided.
-