| CPC H04L 63/1416 (2013.01) [H04L 41/22 (2013.01); H04L 63/1425 (2013.01)] | 20 Claims |

|
1. A method comprising:
receiving, by a processor, a set of monitoring events associated with a system, wherein the set of monitoring events is associated with a feature schema defining a first feature and a second feature;
determining, by the processor, a first entropy measure associated with the first feature and a second entropy measure associated with the second feature, wherein the first entropy measure falls below the second entropy measure, and wherein determining the first entropy measure comprises determining a first ratio of the set of monitoring events that are associated with a first value for the first feature and a second ratio of the set of monitoring events that are associated with a second value for the first feature;
based at least in part on determining that the first entropy measure falls below the second entropy measure, associating, by the processor, the first feature with a first layer of a tree structure and the second feature with a second layer of the tree structure;
generating, by the processor, the tree structure based on the first layer and the second layer, wherein:
the first layer represents a first subset of the set of monitoring events that are associated with the first value for the first feature and a second subset of the set of monitoring events that are associated with the second value for the first feature, and
the second layer represents a third subset of the first subset that are associated with a third value for the second feature and a fourth subset of the first subset that are associated with a fourth value for the second feature; and
displaying, by the processor, a representation of the tree structure using a system administrator platform associated with the system.
|
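The entropy ordering and layering steps of claim 1, as an added Python example that is not part of the patent text. It assumes Shannon entropy as the entropy measure (the claim only says the measure is determined from the per-value ratios); the sample events, the feature names `action` and `host`, and all function names are constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed monitoring events; the schema defines two features.
EVENTS = [
    {"action": "deny", "host": "web-1"}, {"action": "deny", "host": "web-2"},
    {"action": "allow", "host": "web-1"}, {"action": "allow", "host": "web-2"},
    {"action": "allow", "host": "db-1"}, {"action": "allow", "host": "db-1"},
    {"action": "allow", "host": "db-2"}, {"action": "allow", "host": "db-2"},
]

def feature_entropy(events, feature):
    """Entropy from the ratio of events holding each value (Shannon: assumption)."""
    counts = Counter(e[feature] for e in events)
    total = len(events)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())

def layer_order(events, features):
    """Lower entropy maps to an earlier layer; ties broken by name."""
    return sorted(features, key=lambda f: (feature_entropy(events, f), f))

def build_tree(events, order):
    """Each layer splits the parent's subset by the values of the next feature."""
    if not order:
        return {"count": len(events)}
    feature, rest = order[0], order[1:]
    subsets = defaultdict(list)
    for event in events:
        subsets[event[feature]].append(event)
    children = {v: build_tree(s, rest) for v, s in sorted(subsets.items())}
    return {"feature": feature, "count": len(events), "children": children}

def render(node, label="all events", depth=0):
    """Indented text representation, one line per subset with its event count."""
    lines = [f"{'  ' * depth}{label} ({node['count']})"]
    for value, child in node.get("children", {}).items():
        lines += render(child, f"{node['feature']}={value}", depth + 1)
    return lines

if __name__ == "__main__":
    order = layer_order(EVENTS, ["host", "action"])
    print("\n".join(render(build_tree(EVENTS, order))))
```

Here `action` (two values, 6:2 split) has lower entropy than `host` (four equally likely values), so it becomes the first layer and `host` subdivides each `action` subset.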