Scoring for threat observables
US-2016378978-A1 · Dec 29, 2016 · US
US10686830B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10686830-B2 |
| Application number | US-201715848337-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 20, 2017 |
| Priority date | Dec 20, 2017 |
| Publication date | Jun 16, 2020 |
| Grant date | Jun 16, 2020 |
Official abstract text for this publication.
A cognitive security analytics platform is enhanced by providing a computationally- and storage-efficient data mining technique to improve the confidence and support for one or more hypotheses presented to a security analyst. The approach herein enables the security analyst to more readily validate a hypothesis and thereby corroborate threat assertions to identify the true causes of a security offense or alert. The data mining technique is entirely automated but involves an efficient search strategy that significantly reduces the number of data queries to be made against a data store of historical data. To this end, the algorithm makes use of maliciousness information attached to each hypothesis, and it uses a confidence schema to sequentially test indicators of a given hypothesis to generate a rank-ordered (by confidence) list of hypotheses to be presented for analysis and response by the security analyst.
Opening claim text (preview).
Having described the invention, what we claim is as follows:

1. An automated method of corroborating and acting upon a threat assessment, the threat assessment comprising a security offense defined by a set of observable features in a collection of events associated to the security offense, comprising: providing a set of hypotheses to account for the set of observable features, wherein each hypothesis is a possible cause of the collection of events and has associated therewith a confidence value, together with a set of indicators whose presence in the set of observable features is unknown; rank ordering the set of hypotheses initially according to the confidence values; for each hypothesis in the set of hypotheses, adjusting the confidence value based on an extent to which each indicator in the set of indicators for the hypothesis occurs in the collection of events; adjusting the rank ordering of the set of hypotheses based on the adjusted confidence values; and using the adjusted rank-ordered set of hypotheses to facilitate providing of a response to the security offense.
2. The method as described in claim 1 wherein the set of indicators in each hypothesis are tested for occurrence in the collection of events sequentially, beginning with a highest ranked indicator.
3. The method as described in claim 2 wherein the testing generates a cumulative confidence value for the hypothesis, and the rank ordering of the set of hypotheses is adjusted based on the cumulative confidence values of respective hypotheses.
4. The method as described in claim 1 wherein at least one hypothesis in the set of hypotheses has associated therewith a maliciousness value.
5. The method as described in claim 1 further including outputting to a security analyst the adjusted rank-ordered set of hypotheses together with the set of observables and the adjusted confidence values.
6. The method as described in claim 2 further including removing any hypothesis from the rank ordering whose tested indicators do not occur in the collection of events.
7. The method as described in claim 1 wherein the confidence values are adjusted according to a confidence schema.
8. An apparatus, comprising: a processor; computer memory holding computer program instructions executed by the processor to corroborate and act upon a threat assessment, the threat assessment comprising a security offense defined by a set of observable features in a collection of events associated to the security offense, the computer program instructions including program code configured to: provide a set of hypotheses to account for the set of observable features, wherein each hypothesis is a possible cause of the collection of events and has associated therewith a confidence value, together with a set of indicators whose presence in the set of observable features is unknown; rank order the set of hypotheses initially according to the confidence values; for each hypothesis in the set of hypotheses, adjust the confidence value based on an extent to which each indicator in the set of indicators for the hypothesis occurs in the collection of events; adjust the rank ordering of the set of hypotheses based on the adjusted confidence values; and use the adjusted rank-ordered set of hypotheses to facilitate providing a response to the security offense.
9. The apparatus as described in claim 8 wherein the set of indicators in each hypothesis are tested for occurrence in the collection of events sequentially, beginning with a highest ranked indicator.
10. The apparatus as described in claim 9 wherein the testing generates a cumulative confidence value for the hypothesis, and the rank ordering of the set of hypotheses is adjusted based on the cumulative confidence values of respective hypotheses.
11. The apparatus as described in claim 8 wherein at least one hypothesis in the set of hypotheses has associated therewith a maliciousness value.
12. The apparatus as described in claim 8 wherein the program code is further configured to output to a security analyst the adjusted rank-ordered set of hypotheses together with the set of observables and the adjusted confidence values.
13. The apparatus as described in claim 9 wherein the program code is further configured to remove any hypothesis from the rank ordering whose tested indicators do not occur in the collection of events.
14. The apparatus as described in claim 8 wherein the confidence values are adjusted according to a confidence schema.
15. A computer program product in a non-transitory computer readable medium for use in a data processing system to corroborate and act upon a threat assessment, the threat assessment comprising a security offense defined by a set of observable features in a collection of events associated to the security offense, the computer program product holding computer program instructions that, when executed by the data processing system, are configured to: provide a set of hypotheses to account for the set of observable features, wherein each hypothesis is a possible cause of the collection of events and has associated therewith a confidence value, together with a set of indicators whose presence in the set of observable features is unknown; rank order the set of hypotheses initially according to the confidence values; for each hypothesis in the set of hypotheses, adjust the confidence value based on an extent to which each indicator in the set of indicators for the hypothesis occurs in the collection of events; adjust the rank ordering of the set of hypotheses based on the adjusted confidence values; and use the adjusted rank-ordered set of hypotheses to facilitate providing a response to the security offense.
16. The computer program product as described in claim 15 wherein the set of indicators in each hypothesis are tested for occurrence in the collection of events sequentially, beginning with a highest ranked indicator.
17. The computer program product as described in claim 16 wherein the testing generates a cumulative confidence value for the hypothesis, and the rank ordering of the set of hypotheses is adjusted based on the cumulative confidence values of respective hypotheses.
18. The computer program product as described in claim 15 wherein at least one hypothesis in the set of hypotheses has associated therewith a maliciousness value.
19. The computer program product as described in claim 15 wherein the program code is further configured to output to a security analyst the adjusted rank-ordered set of hypotheses together with the set of observables and the adjusted confidence values.
20. The computer program product as described in claim 16 wherein the program code is further configured to remove any hypothesis from the rank ordering whose tested indicators do not occur in the collection of events.
21. The computer program product as described in claim 15 wherein the confidence values are adjusted according to a confidence schema.
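The hypothesis ranking and sequential indicator testing described in the abstract and in claims 1 through 7 (initial rank by confidence, test indicators from the highest ranked one down, accumulate confidence, drop hypotheses whose tested indicators never occur, re-rank), as an added Python example. This is not code from the patent or its assignee; the event records, the three hypotheses with their indicator weights, the additive confidence schema and the "prune after N misses" rule that yields the query savings are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample offense: each event is the set of observable features
# extracted for it. Hypothetical data, not taken from the patent.
EVENTS: List[Dict] = [
    {"src_ip": "10.0.0.5", "dst_port": 445, "proto": "smb", "auth_fail": True},
    {"src_ip": "10.0.0.5", "dst_port": 445, "proto": "smb", "auth_fail": True},
    {"src_ip": "10.0.0.5", "dst_port": 3389, "proto": "rdp", "auth_fail": True},
    {"src_ip": "10.0.0.5", "dst_port": 445, "proto": "smb", "auth_fail": False,
     "file_write": "svc.exe"},
    {"src_ip": "10.0.0.9", "dst_port": 53, "proto": "dns", "qname": "update.example.net"},
]


@dataclass
class Indicator:
    name: str
    weight: float                 # rank weight; higher-weighted indicators are tested first
    test: Callable[[Dict], bool]  # does the indicator occur in one event?


@dataclass
class Hypothesis:
    name: str
    confidence: float             # initial confidence value
    maliciousness: float          # 0 = benign explanation, 1 = clearly malicious
    indicators: List[Indicator]


def query_support(ind: Indicator, events: List[Dict]) -> float:
    """One query against the event store: fraction of events in which the indicator occurs."""
    if not events:
        return 0.0
    return sum(1 for e in events if ind.test(e)) / len(events)


def corroborate(hypotheses: List[Hypothesis], events: List[Dict],
                prune_after: int = 2) -> Tuple[List[Dict], int]:
    """Rank, test indicators sequentially, re-rank by cumulative confidence.

    Confidence schema (an assumption, not the patent's): every tested indicator adds
    weight * support to the running confidence, clamped to 1.0. If none of the first
    `prune_after` indicators occur, the hypothesis is removed and its remaining
    indicators are never queried; that is where the query savings come from.
    Returns (ranked results for the analyst, number of store queries issued).
    """
    queries = 0
    ranked: List[Dict] = []
    # initial rank ordering by the a-priori confidence values
    for h in sorted(hypotheses, key=lambda x: x.confidence, reverse=True):
        conf = h.confidence
        tested: List[Tuple[str, float]] = []
        any_hit = False
        for n, ind in enumerate(sorted(h.indicators, key=lambda i: i.weight, reverse=True), 1):
            s = query_support(ind, events)
            queries += 1
            tested.append((ind.name, s))
            any_hit = any_hit or s > 0
            conf = min(1.0, conf + ind.weight * s)
            if not any_hit and n >= prune_after:
                break                       # top indicators absent: stop querying this one
        if not any_hit:
            continue                        # remove from the rank ordering (claim 6)
        ranked.append({"hypothesis": h.name, "confidence": round(conf, 6),
                       "maliciousness": h.maliciousness, "tested": tested})
    ranked.sort(key=lambda r: (r["confidence"], r["maliciousness"]), reverse=True)
    return ranked, queries


# Constructed hypotheses; weights and priors are illustrative only.
HYPOTHESES: List[Hypothesis] = [
    Hypothesis("dns-tunnel", 0.5, 0.7, [
        Indicator("dns_long_qname", 0.4, lambda e: e.get("proto") == "dns" and len(e.get("qname", "")) > 40),
        Indicator("dns_txt_query", 0.3, lambda e: e.get("qtype") == "TXT"),
        Indicator("dns_periodic", 0.2, lambda e: bool(e.get("periodic", False))),
    ]),
    Hypothesis("lateral-movement-smb", 0.4, 0.9, [
        Indicator("smb_auth_fail", 0.35, lambda e: e.get("proto") == "smb" and e.get("auth_fail") is True),
        Indicator("exe_dropped", 0.3, lambda e: str(e.get("file_write", "")).endswith(".exe")),
        Indicator("rdp_attempt", 0.2, lambda e: e.get("proto") == "rdp"),
    ]),
    Hypothesis("benign-vuln-scanner", 0.3, 0.1, [
        Indicator("web_ports", 0.3, lambda e: e.get("dst_port") in {22, 80, 443}),
        Indicator("known_scanner_ip", 0.3, lambda e: e.get("src_ip") == "10.0.0.200"),
        Indicator("nmap_user_agent", 0.2, lambda e: "Nmap" in str(e.get("user_agent", ""))),
    ]),
]


def run_example() -> Tuple[List[Dict], int]:
    return corroborate(HYPOTHESES, EVENTS)


if __name__ == "__main__":
    results, n_queries = run_example()
    for r in results:
        print(f'{r["hypothesis"]:24s} confidence={r["confidence"]:.2f} tested={r["tested"]}')
    print("queries issued:", n_queries)
```

On the sample data the highest-prior hypothesis (dns-tunnel) is tested first and pruned after two misses, lateral-movement-smb accumulates 0.4 + 0.35*0.4 + 0.3*0.2 + 0.2*0.2 = 0.64 and ends up alone at the top, and the run issues 7 store queries instead of the 9 an exhaustive test of every indicator would cost. The pruning threshold trades query count against the chance of discarding a hypothesis whose only present indicators are low ranked, so in practice it belongs in the confidence schema rather than being hard-coded.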
Probabilistic graphical models, e.g. probabilistic networks · CPC title
Traffic logging, e.g. anomaly detection · CPC title
Query processing support for facilitating data mining operations in structured databases · CPC title
Machine learning · CPC title
Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002) · CPC title