| CPC H04L 63/1441 (2013.01) [H04L 63/1416 (2013.01)] | 20 Claims |

1. A method for monitoring network traffic on one or more networks using one or more network monitoring computers (NMCs), wherein the one or more NMCs include one or more processors that execute instructions that are configured to cause performance of actions, comprising:
providing one or more triage scores based on one or more threat assessments that are associated with one or more anomaly classes and which are associated with one or more types of anomalous activity;
employing monitored network traffic to determine information associated with a detected anomaly, additional information determined for the detected anomaly, the one or more anomaly classes, the one or more triage scores, and one or more characteristics of the one or more anomaly classes to determine one or more triage models, wherein each triage score for each threat assessment is based on separate triage models for each of a plurality of separately weighted factors that include a defined range of values, and wherein the additional information is based on the monitored network traffic associated with one or more entities and the anomaly, and wherein the additional information further includes configuration information, cryptographic information, a metric determined by a service operating separate from collection of the monitored network traffic, and a timestamp, and wherein the metric is used to infer one or more activities associated with one or more other entities that are situated the same, at least in part, to the one or more entities and unassociated with the detected anomaly;
generating one or more user interfaces (UIs) to collect user activity and feedback information, from one or more users and one or more Application Programming Interfaces (APIs), related to the one or more anomalies and other feedback information related to an increase or a decrease in the one or more triage scores based on active and passive monitoring of the user activity with the one or more displayed elements in the UIs, network traffic and network activity associated with the one or more anomalies and one or more triage scores, wherein the feedback information includes one or more of natural language narratives, one or more entities affected by the detected anomaly, or severity of one or more effects related to the detected anomaly, and wherein the feedback information is employed to modify the one or more triage models;
modifying the one or more triage scores based on one or more modified triage models, the other feedback information, and historical information associated with the one or more anomaly classes, wherein the one or more modified triage scores are associated with the one or more anomaly classes; and
providing a report that includes one or more differences in observed behavior by one or more users in resolving the one or more threat assessments associated with lower triage scores than higher triage scores based on detection of one or more types of anomalous activity associated with the one or more anomaly classes in the monitored network traffic.
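The scoring structure recited in claim 1 (a separate sub-model per weighted factor over a defined range of values, feedback that modifies the triage model, and a report comparing resolution behaviour for lower versus higher triage scores), as an added illustrative implementation that is not part of the patent or any product it covers; the anomaly class, factor names, ranges and sample assessments are constructed for the example.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class Factor:
    """One separately weighted factor with a defined range [lo, hi]."""
    name: str
    weight: float
    lo: float
    hi: float

    def score(self, value: float) -> float:
        # Per-factor sub-model: clamp to the range, normalise to [0, 1], weight it.
        v = min(max(value, self.lo), self.hi)
        return self.weight * (v - self.lo) / (self.hi - self.lo)

@dataclass
class TriageModel:
    anomaly_class: str
    factors: list

    def triage_score(self, observed: dict) -> float:
        # Factors absent from the observation count as the bottom of their range.
        total_w = sum(f.weight for f in self.factors)
        raw = sum(f.score(observed.get(f.name, f.lo)) for f in self.factors)
        return round(100.0 * raw / total_w, 1) if total_w else 0.0

    def apply_feedback(self, factor_name: str, delta: float) -> None:
        # Feedback modifies the model by re-weighting one factor; weights are
        # floored at zero so feedback can silence a factor but never invert it.
        for f in self.factors:
            if f.name == factor_name:
                f.weight = max(0.0, f.weight + delta)

def build_example_model() -> TriageModel:
    # Hypothetical anomaly class and factor ranges, constructed for this example.
    return TriageModel("beacon_like_egress", [
        Factor("bytes_out", 2.0, 0.0, 1_000_000.0),
        Factor("hosts_contacted", 1.0, 0.0, 50.0),
        Factor("asset_criticality", 3.0, 0.0, 10.0),
    ])

def resolution_report(assessments: list, threshold: float) -> dict:
    # Mean minutes-to-resolve for assessments below vs at/above the threshold.
    low = [m for s, m in assessments if s < threshold]
    high = [m for s, m in assessments if s >= threshold]
    return {"low_mean_minutes": mean(low) if low else None,
            "high_mean_minutes": mean(high) if high else None,
            "count_low": len(low), "count_high": len(high)}

# Constructed sample: (triage score, minutes the analyst took to resolve it).
SAMPLE_ASSESSMENTS = [(20.0, 240), (35.0, 180), (80.0, 30), (95.0, 15)]
```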