US 12,328,327 B2
System and method for anomaly detection interpretation
Yuval Friedlander, Petah Tiqwa (IL); Ron Shoham, Tel Aviv (IL); Gil Ben Zvi, Hod Hasharon (IL); and Tom Hanetz, Tel Aviv (IL)
Assigned to ARMIS SECURITY LTD., Tel Aviv-Jaffa (IL)
Filed by ARMIS SECURITY LTD., Tel Aviv-Jaffa (IL)
Filed on Oct. 11, 2023, as Appl. No. 18/485,297.
Application 18/485,297 is a continuation of application No. 17/093,915, filed on Nov. 10, 2020, granted, now 11,824,877.
Prior Publication US 2024/0154984 A1, May 9, 2024
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/1425 (2013.01) [H04L 63/1441 (2013.01)] 19 Claims
1. A method for anomaly interpretation and mitigation, comprising:
extracting an input feature vector from observation data indicating anomalous behavior of a connected device;
applying an isolation forest to the input feature vector, wherein the isolation forest includes a plurality of estimators, wherein each estimator is a decision tree, wherein an output of each estimator is a split-path of a plurality of split-paths, each split-path having a path-length and including name and a corresponding value for a respective output feature of a plurality of output features, wherein each output feature represents at least a portion of a description of why the observation was determined to indicate anomalous behavior;
generating a mapping object based on an application of the isolation forest to the feature vector, wherein the mapping object includes the plurality of split-paths;
removing a number of split-paths from the mapping object based at least in part on a predetermined ratio of a total number of the plurality of estimators;
determining additional context data determined from remaining split-paths; and
determining at least one mitigation action.
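The interpretation steps of claim 1 (split-paths collected into a mapping object, pruned by a ratio of the estimator count, then summarized) can be sketched as follows; this is an added illustration, not code from the patent or from Armis. Assumptions: the feature names, the constructed sample data, the 0.25 keep ratio, the choice to remove the longest split-paths, and the simplified pure-Python isolation trees built without subsampling on data that includes the anomalous observation.

```python
import random
from collections import Counter

NAMES = ["bytes_out_kb", "dst_ports_per_min", "dns_per_min"]  # assumed features

def build_tree(rows, rng, depth=0, max_depth=8):
    """One estimator: split on a random feature at a random threshold."""
    if len(rows) <= 1 or depth >= max_depth:
        return None                                   # leaf
    f = rng.randrange(len(rows[0]))
    lo, hi = min(r[f] for r in rows), max(r[f] for r in rows)
    if lo == hi:
        return None
    t = rng.uniform(lo, hi)
    left = [r for r in rows if r[f] < t]
    right = [r for r in rows if r[f] >= t]
    return (f, t, build_tree(left, rng, depth + 1, max_depth),
            build_tree(right, rng, depth + 1, max_depth))

def split_path(tree, x):
    """Splits x passes through in one tree, as (feature name, op, value)."""
    path = []
    while tree is not None:
        f, t, left, right = tree
        path.append((NAMES[f], "<" if x[f] < t else ">=", round(t, 1)))
        tree = left if x[f] < t else right
    return path

def interpret(forest, x, keep_ratio=0.25):
    """Build the mapping object, prune it, and rank features that remain."""
    mapping = [split_path(tree, x) for tree in forest]
    mapping.sort(key=len)                  # assumption: longest paths are removed
    kept = mapping[:max(1, int(len(forest) * keep_ratio))]
    votes = Counter(name for path in kept for name, _, _ in path)
    return kept, votes.most_common()

def demo(seed=7, n_estimators=100):
    rng = random.Random(seed)
    # Constructed sample data: 200 baseline observations plus one anomalous one.
    baseline = [(rng.gauss(50, 10), rng.gauss(3, 1), rng.gauss(20, 5))
                for _ in range(200)]
    anomaly = (52.0, 400.0, 21.0)
    rows = baseline + [anomaly]
    forest = [build_tree(rows, rng) for _ in range(n_estimators)]
    return interpret(forest, anomaly)

if __name__ == "__main__":
    kept, ranked = demo()
    print("shortest kept path:", kept[0])
    print("feature ranking:", ranked)
```

Short split-paths are the ones where the observation was isolated after few splits, so the features that dominate the kept paths are the ones that describe why the device looked anomalous.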