Publication number: US20160036844A1
Publication date: 2016-02-04
Application number: US14879425
Filing date: 2015-10-09
Applicant: Cisco Technology, Inc.
Inventor: Martin Kopp, Tomas Pevny
CPC classification number: H04L63/1425, G06F17/30327, G06N5/045, G06N99/005, H04L63/1416
Abstract: In an embodiment, the method comprises receiving an identification of an anomaly associated with a false positive identification of a security threat by the intrusion detection system, wherein a first set of feature data identifies features of the anomaly; creating a plurality of training sets, each comprising identifications of a plurality of samples of network communications; for the anomaly and each training set of the plurality of training sets, training a decision tree that is stored in digital memory of the security analysis computer; based at least in part on the plurality of trained decision trees, extracting a set of features that distinguish the anomaly from the plurality of samples; generating one or more rules associated with the anomaly from the extracted set of features; and causing the security analysis computer to be programmed with the one or more rules.
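An added worked example of the procedure the abstract describes (my code, not Cisco's or the patent's; the feature names, the data and the leave-one-slice-out construction of the training sets are assumptions): a small Gini decision tree is trained once per training set with the false-positive anomaly as the only positive example, the features on the anomaly's root-to-leaf path are counted across the trees, and those present in at least a given fraction of the trees are conjoined into a rule. It also shows the effect of the support threshold: a feature that only one slice of the sample pool makes necessary can be kept or dropped by that threshold.

```python
# Constructed data (not from the patent); feature names are hypothetical:
# [bytes_out_MB, connections, distinct_ports, tls_ratio] per network communication.
FEATURES = ["bytes_out_MB", "connections", "distinct_ports", "tls_ratio"]
ANOMALY = [850.0, 20, 3, 0.95]   # IDS alert reviewed as a false positive (a big TLS backup)
SAMPLES = [                      # other communications the anomaly must be distinguished from
    [850.0, 20, 3, 0.20], [700.0, 18, 4, 0.10],                  # big plaintext uploads
    [1.1, 15, 2, 0.95], [0.5, 10, 1, 1.00], [0.9, 60, 8, 0.98],  # small, mostly TLS
    [1.2, 35, 4, 0.90], [3.1, 20, 2, 0.30], [2.0, 60, 8, 0.60],  # ordinary mixed traffic
    [4.4, 45, 6, 0.70], [2.5, 22, 5, 0.50],
]

def gini(labels):
    p = sum(labels) / len(labels)
    return 2 * p * (1 - p)

def best_split(rows, labels):
    best = (None, None, float("inf"))          # (feature, threshold, weighted Gini impurity)
    for f in range(len(FEATURES)):
        values = sorted({r[f] for r in rows})
        for lo, hi in zip(values, values[1:]):  # candidate thresholds: midpoints of neighbours
            t = (lo + hi) / 2
            sides = [[y for r, y in zip(rows, labels) if (r[f] > t) == s] for s in (False, True)]
            score = sum(len(s) * gini(s) for s in sides) / len(rows)
            if score < best[2]:
                best = (f, t, score)
    return best[0], best[1]

def train_tree(rows, labels):
    # Leaves are class labels (1 = anomaly); inner nodes are (feature, threshold, left, right).
    if gini(labels) == 0.0:
        return labels[0]
    f, t = best_split(rows, labels)
    left = [(r, y) for r, y in zip(rows, labels) if r[f] <= t]
    right = [(r, y) for r, y in zip(rows, labels) if r[f] > t]
    return (f, t, train_tree(*zip(*left)), train_tree(*zip(*right)))

def extract_rule(anomaly, samples, n_sets=5, min_support=0.5):
    # One tree per training set (set i drops every n_sets-th sample from index i; the patent
    # does not fix this). Keep features on the anomaly's path in >= min_support of the trees.
    counts, conds = {}, {}
    for i in range(n_sets):
        subset = [s for j, s in enumerate(samples) if j % n_sets != i]
        tree = train_tree([anomaly] + subset, [1] + [0] * len(subset))
        while not isinstance(tree, int):      # walk the root-to-leaf path the anomaly takes
            f, t, left, right = tree
            op = "<=" if anomaly[f] <= t else ">"
            counts[f], conds[f] = counts.get(f, 0) + 1, (op, t)
            tree = left if op == "<=" else right
    return {FEATURES[f]: conds[f] for f, c in counts.items() if c / n_sets >= min_support}
```

With this data the rule is `bytes_out_MB > 775.0 and tls_ratio > 0.575`, which matches the anomaly and none of the samples; raising `min_support` to 0.9 drops the `tls_ratio` condition, because only the plaintext-upload sample with identical volume forces it and that sample is absent from one of the five training sets.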