Unsupervised aggregation of security rules
US9325733B1 · kind B1 · utility
Assignee
Inventors
Key dates
| Filing date | Oct 31, 2014 |
| Grant date | Apr 26, 2016 |
| Priority date | — |
| Expiry date | Oct 31, 2034 |
Classification
- Technology area (CPC H)Electricity
- CPC primaryH04L63/02
- WIPO fieldDigital communication
- WIPO sectorElectrical engineering
Abstract
A processing device comprises a processor coupled to a memory and is configured to obtain at least one rule set utilized to detect malicious activity in a computer network, to determine one or more trigger conditions for each of a plurality of rules of the at least one rule set, to identify alerts generated responsive to the determined trigger conditions, to compute correlations between respective pairs of the plurality of rules based on the identified alerts, and to aggregate groups of two or more of the plurality of rules into respective aggregated rules based at least in part on the computed correlations. The aggregated rules are illustratively applied in conjunction with remaining unaggregated ones of the plurality of rules of the one or more rule sets to detect malicious activity in the computer network. The processing device may be implemented in a computer network or network security system.
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.