US Patent 9208323 Classifier-based security for computing devices

A security system receives attribute samples from one or more devices configured to simulate one or more states (such as attack states). The attribute samples are aggregated, normalized to a common format, and quantized to lower the resolution of the attribute samples. Outlier attribute samples and attribute samples determined to not be correlated to the simulated states are removed to form a pruned set of attribute samples. A set of classifiers is generated based on a first portion of the pruned set of attribute samples, and the set of classifiers is tested based on a second portion of the pruned set of attribute samples. A subset of the classifiers can be provided to a device configured to monitor attributes associated with the subset of classifiers and to identify an attack state based on the monitor attributes.