摘要 |
<p>A computer system arranged to detect an ineffective network device in a set of network devices for a computer network as a device ineffective at identifying an attack in the network, the computer system including: an input unit to receive events generated by the set of network devices for each of a plurality of time periods, each event including an attribute belonging to a class of attributes; a processing system having at least one processor and being arranged to: evaluate a normalised representative value of the attribute as a score for each network device for each of the plurality of time periods based on the received events; evaluating a measure of similarity of scores for each of a plurality of pairs of devices in the set of network devices for one or more time windows, each time window comprising two or more of the time periods; and identify a network device having evaluated similarity measures meeting a predetermined threshold as ineffective network devices.</p> |