Title | Tuning of data loss prevention signature effectiveness
Abstract | In at least one embodiment, a method and a system include capability to fine-tune a data loss prevention system. An example method includes gaining access to or creating an alert database and a signature set by an analytics module and an adjustment module, where the alert database includes an alert validity attribute for each alert; quantifying for each signature contained in the signature set an effect on the change in the number of alerts from its removal; determining with an analytics module whether any signature has a ratio of valid to false positive alerts less than a threshold; and when at least one signature has the ratio less than the first threshold identifying and removing with an adjustment module at least one signature from the signature database having a ratio less than the threshold where the signature is removed from the signature set, and repeating quantifying and determining.
Publication number | US8769679(B1)
Publication date | 2014.07.01
Application number | US201213717249
Filing date | 2012.12.17
Applicant | International Business Machines Corporation
Inventors | Lingafelt Charles Steven; Murray James William; Swantek James Thomas; Worley James Steven
Classification | G06F11/00
Main classification | G06F11/00
Agency | Cahn & Samuels, LLP
Agents | Cahn & Samuels, LLP; Percello, Esq. Louis J.
Independent claim | 1. A method comprising:
processing a flow of packets with a data loss prevention sensor using a signature set; diverting any packet that matches at least one signature to an alert database; receiving an alert validity attribute into the alert database; quantifying for each signature contained in the signature set an effect on the change in the number of alerts from its removal; determining with an analytics module whether any signature has a ratio of valid to false positive alerts less than a first threshold; and when at least one signature has the ratio less than the threshold, identifying and removing with an adjustment module at least one signature having a ratio less than the first threshold where the signature is removed from the signature set, and repeating quantifying and determining;
the method further comprising: annotating at least one signature in the signature set with a signature weighting; including in the metadata for any alert the signature's signature weighting; and removing from quantifying any signature having its signature weighting above a value threshold.
Address | Armonk NY US
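The tuning loop that the abstract and claim 1 describe, as an added illustration that is not the patent's own code: every alert records which signatures the diverted packet matched plus its analyst-assigned validity attribute; quantify() reports, for each signature not exempted by its weighting, the valid and false-positive counts and how many alerts would disappear if that signature alone were removed (an alert also matched by another remaining signature stays), and tune() removes the worst signature below the ratio threshold, re-quantifies, and repeats until none is left. Signature names, weightings, thresholds and alerts are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    matched: frozenset  # signatures the diverted packet matched
    valid: bool         # alert validity attribute: True = real leak, False = false positive


def ratio(valid, false_positive):
    """Valid-to-false-positive ratio; a signature with no false positives is never pruned."""
    return float("inf") if false_positive == 0 else valid / false_positive


def quantify(signature_set, alerts, weights, weight_threshold):
    """Return {signature: (valid, false_positive, alerts_dropped_if_removed)} for every
    signature whose weighting is not above weight_threshold (high-weight ones are exempt)."""
    stats = {}
    for sig in signature_set:
        if weights.get(sig, 0) > weight_threshold:
            continue
        hits = [a for a in alerts if sig in a.matched]
        valid = sum(a.valid for a in hits)
        # An alert only vanishes if no other signature still in the set matched it too
        dropped = sum(1 for a in hits if not (a.matched & signature_set) - {sig})
        stats[sig] = (valid, len(hits) - valid, dropped)
    return stats


def tune(signature_set, alerts, weights, ratio_threshold, weight_threshold):
    """Prune signatures one at a time; returns (remaining set, removed in order, surviving alerts)."""
    remaining, alerts, removed = set(signature_set), list(alerts), []
    while True:
        stats = quantify(remaining, alerts, weights, weight_threshold)
        below = {s: v for s, v in stats.items() if ratio(v[0], v[1]) < ratio_threshold}
        if not below:
            return remaining, removed, alerts
        # Lowest ratio first; among equals, the one shedding the most alerts
        worst = min(below, key=lambda s: (ratio(below[s][0], below[s][1]), -below[s][2]))
        remaining.remove(worst)
        removed.append(worst)
        alerts = [a for a in alerts if a.matched & remaining]  # alerts with no remaining match go away


# Constructed sample data: SSN is exempt (weight 9 > 8) despite its poor ratio
SIGNATURES = {"SSN", "CCN", "KEYWORD", "HEX_BLOB"}
WEIGHTS = {"SSN": 9, "CCN": 5, "KEYWORD": 1, "HEX_BLOB": 2}
ALERTS = [Alert(frozenset(m), v) for m, v in [
    ({"KEYWORD"}, False), ({"KEYWORD"}, False), ({"KEYWORD", "CCN"}, True), ({"CCN"}, True),
    ({"CCN"}, False), ({"HEX_BLOB"}, False), ({"HEX_BLOB"}, False), ({"HEX_BLOB"}, True),
    ({"SSN"}, False), ({"SSN"}, False), ({"SSN", "KEYWORD"}, True)]]

if __name__ == "__main__":
    print(tune(SIGNATURES, ALERTS, WEIGHTS, ratio_threshold=1.5, weight_threshold=8))
```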