Title: Tuning of data loss prevention signature effectiveness
Abstract: In at least one embodiment, a method and a system include the capability to fine-tune a data loss prevention system. An example method includes gaining access to, or creating, an alert database and a signature set by an analytics module and an adjustment module, where the alert database includes an alert validity attribute for each alert; quantifying, for each signature contained in the signature set, the effect on the number of alerts of removing that signature; determining with the analytics module whether any signature has a ratio of valid to false-positive alerts less than a first threshold; and, when at least one signature has a ratio less than the first threshold, identifying and removing with the adjustment module at least one such signature from the signature database, so that the signature is removed from the signature set, and then repeating the quantifying and determining.
Publication number: US8769679(B1) Publication date: 2014.07.01
Application number: US201213717249 Filing date: 2012.12.17
Applicant: International Business Machines Corporation Inventors: Lingafelt Charles Steven; Murray James William; Swantek James Thomas; Worley James Steven
Classification: G06F11/00 Main classification: G06F11/00
Agent: Cahn & Samuels, LLP Attorneys: Cahn & Samuels, LLP; Percello, Esq. Louis J.
Independent claim 1: A method comprising: processing a flow of packets with a data loss prevention sensor using a signature set; diverting any packet that matches at least one signature to an alert database; receiving an alert validity attribute into the alert database; quantifying, for each signature contained in the signature set, the effect on the number of alerts of removing that signature; determining with an analytics module whether any signature has a ratio of valid to false-positive alerts less than a first threshold; and, when at least one signature has a ratio less than the first threshold, identifying and removing with an adjustment module at least one signature having a ratio less than the first threshold, so that the signature is removed from the signature set, and repeating the quantifying and determining; the method further comprising: annotating at least one signature in the signature set with a signature weighting; including in the metadata for any alert the signature's signature weighting; and removing from the quantifying any signature having a signature weighting above a value threshold.
Address: Armonk NY US
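The procedure of the abstract and claim 1, worked through as an added example (this is illustrative code written for this page, not the patent's or IBM's implementation). Each alert records the set of signatures that matched the diverted packet, an analyst-supplied validity attribute, and the matched signatures' weightings in its metadata. Signatures weighted above the value threshold are exempt from tuning; the remaining ones are scored by their ratio of valid to false-positive alerts, the lowest-ratio signature below the ratio threshold is removed, and the quantifying and determining repeat until no scored signature falls below the threshold. The signature names, weightings, alert records and both thresholds are constructed sample values.

```python
"""Iterative tuning of DLP signature effectiveness (added example, constructed data)."""
from dataclasses import dataclass, field
import math

# Constructed signature set: signature name -> signature weighting in [0, 1].
# A high weighting marks a signature the operator trusts and exempts from tuning.
SIGNATURE_WEIGHTS = {
    "SSN_PATTERN": 0.9,
    "CARD_NUMBER": 0.8,
    "KEYWORD_CONFIDENTIAL": 0.3,
    "LARGE_ATTACHMENT": 0.2,
}


@dataclass
class Alert:
    alert_id: int
    signatures: frozenset          # signatures matched by the diverted packet
    valid: bool                    # alert validity attribute set by an analyst
    metadata: dict = field(default_factory=dict)


def make_alert(alert_id, signatures, valid, weights):
    """Build an alert whose metadata carries each matched signature's weighting."""
    sigs = frozenset(signatures)
    return Alert(alert_id, sigs, valid, {"weightings": {s: weights[s] for s in sigs}})


# Constructed alert database: ten reviewed alerts, some matched by two signatures.
ALERTS = [
    make_alert(1, {"KEYWORD_CONFIDENTIAL"}, True, SIGNATURE_WEIGHTS),
    make_alert(2, {"KEYWORD_CONFIDENTIAL"}, False, SIGNATURE_WEIGHTS),
    make_alert(3, {"KEYWORD_CONFIDENTIAL"}, False, SIGNATURE_WEIGHTS),
    make_alert(4, {"KEYWORD_CONFIDENTIAL", "LARGE_ATTACHMENT"}, False, SIGNATURE_WEIGHTS),
    make_alert(5, {"LARGE_ATTACHMENT"}, True, SIGNATURE_WEIGHTS),
    make_alert(6, {"LARGE_ATTACHMENT"}, True, SIGNATURE_WEIGHTS),
    make_alert(7, {"LARGE_ATTACHMENT"}, False, SIGNATURE_WEIGHTS),
    make_alert(8, {"SSN_PATTERN"}, True, SIGNATURE_WEIGHTS),
    make_alert(9, {"SSN_PATTERN", "LARGE_ATTACHMENT"}, False, SIGNATURE_WEIGHTS),
    make_alert(10, {"CARD_NUMBER"}, False, SIGNATURE_WEIGHTS),
]


def validity_ratio(alerts, sig):
    """Ratio of valid to false-positive alerts raised by `sig`; inf when it has no FP."""
    valid = sum(1 for a in alerts if sig in a.signatures and a.valid)
    false_pos = sum(1 for a in alerts if sig in a.signatures and not a.valid)
    return math.inf if false_pos == 0 else valid / false_pos


def removal_effect(alerts, sig, active):
    """Number of alerts that disappear if `sig` alone is removed from `active`.

    An alert matched by several signatures keeps firing while any of them remains,
    so this quantity changes as other signatures are removed, which is why the
    quantifying step is repeated after every removal.
    """
    remaining = active - {sig}
    return sum(1 for a in alerts if a.signatures & active and not a.signatures & remaining)


def quantify(alerts, weights, active, weight_threshold):
    """Score every active signature whose weighting does not exempt it from tuning."""
    return {
        sig: (validity_ratio(alerts, sig), removal_effect(alerts, sig, active))
        for sig in active
        if weights[sig] <= weight_threshold
    }


def tune(alerts, weights, ratio_threshold, weight_threshold):
    """Remove the worst sub-threshold signature per round until none is left.

    Returns the surviving signature set and a list of
    (signature, valid/FP ratio, alerts eliminated) in removal order.
    """
    active = set(weights)
    removed = []
    while True:
        metrics = quantify(alerts, weights, active, weight_threshold)
        below = {s: m for s, m in metrics.items() if m[0] < ratio_threshold}
        if not below:
            return active, removed
        # Lowest ratio goes first; the name only breaks ties deterministically.
        worst = min(below, key=lambda s: (below[s][0], s))
        ratio, effect = below[worst]
        removed.append((worst, ratio, effect))
        active.discard(worst)


if __name__ == "__main__":
    survivors, dropped = tune(ALERTS, SIGNATURE_WEIGHTS, ratio_threshold=0.5, weight_threshold=0.5)
    for sig, ratio, effect in dropped:
        print(f"removed {sig}: valid/FP ratio {ratio:.2f}, {effect} alerts eliminated")
    print("remaining signature set:", sorted(survivors))
```

With a weight threshold of 0.5 only the two low-weighted signatures are scored: KEYWORD_CONFIDENTIAL (1 valid, 3 false positives) is removed, eliminating the three alerts that matched nothing else, while alert 4 survives because LARGE_ATTACHMENT still covers it. Raising the weight threshold to 1.0 also puts CARD_NUMBER (no valid alerts) in scope and it is removed first; the order of removals, and the number of alerts each removal eliminates, comes out of the recomputation the claim calls for after each removal.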