Systems and methods for anomaly detection in software-defined networks from observed host metrics

Abstract

Systems and methods for anomaly detection in software-defined networks from observed host metrics are disclosed. A method may include: (1) training a random forest model comprising a plurality of trees with historical metrics from a software defined network, the software defined network comprising a plurality of hosts; (2) receiving metrics for a plurality of features from the hosts in the software defined network; (3) providing the metrics to the trained random forest model; (4) receiving, from the trained random forest model, a prediction of an anomalous hosts for one of the hosts; (5) identifying a subset of the plurality of trees that contributed to the prediction; (6) generating feature scores for the feature from the subset of trees; (7) generating an anomaly score for the feature based on the feature scores and an explanation; and (8) executing an automated action in response to the anomaly score.

CPC Classifications