Threat disposition analysis and modeling using supervised machine learning

US11888883B2 · US · B2

Patent metadata
Field               Value
Publication number  US-11888883-B2
Application number  US-201715623125-A
Country             US
Kind code           B2
Filing date         Jun 14, 2017
Priority date       Jun 14, 2017
Publication date    Jan 30, 2024
Grant date          Jan 30, 2024

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

An enhanced threat disposition analysis technique is provided. In response to receipt of a security threat, a threat disposition score (TDS) is retrieved. The threat disposition score is generated from a machine learning scoring model that is built from information about historical security threats, including historical disposition of one or more alerts associated with the historical security threats. The system augments an alert to include the threat disposition score, optionally together with a confidence level, to generate an enriched alert. The enriched alert is then presented to the security analyst for handling directly. Depending on the TDS (and its confidence level), the analyst may be able to respond to the threat immediately, i.e., without further detailed investigation. Preferably, the machine learning model is updated continuously as the system handles security threats, thereby increasing the predictive benefit of the TDS scoring.

First claim

Opening claim text (preview).

Having described the invention, what we claim is as follows:

  1. A method for threat disposition analysis, comprising: responsive to receipt of a security threat identified in an alert, retrieving a threat disposition score (TDS), the threat disposition score generated from a machine learning scoring model built from information about historical security threats, including historical disposition of one or more alerts associated with the historical security threats, the TDS based in part on an effectiveness of a prior calculated TDS to predict a particular historical disposition associated with the alert; augmenting the alert to include the threat disposition score to generate an enriched alert; and presenting the enriched alert for further handling; wherein the historical disposition of at least one alert comprises feedback from a second security analyst on handling of the at least one alert by a first security analyst.

  2. The method as described in claim 1 wherein the enriched alert also includes historical information about how the security threat has been handled previously.

  3. The method as described in claim 1 wherein the feedback is generated following the at least one alert having been escalated from the first security analyst to the second security analyst.

  4. The method as described in claim 1 further including building the machine learning scoring model, wherein the machine learning scoring model also is built from a set of attributes regarding an alert.

  5. The method as described in claim 4 further including receiving data configuring the set of attributes.

  6. The method as described in claim 1 further including updating the machine learning scoring model.

  7. The method as described in claim 1, further comprising: providing a confidence level associated with the TDS; and responsive to the confidence level reaching a threshold, automatically performing a set of one or more actions to respond to the security threat.

  8. The method as described in claim 1 wherein the further handling is one of: closing the security threat as a false positive, and escalating the security threat.

  9. An apparatus, comprising: a processor; computer memory holding computer program instructions executed by the processor for threat disposition analysis, the computer program instructions operative to: retrieve a threat disposition score (TDS) in response to receipt of a security threat identified in an alert, the threat disposition score generated from a machine learning scoring model built from information about historical security threats, including historical disposition of one or more alerts associated with the historical security threats, the TDS based in part on an effectiveness of a prior calculated TDS to predict a particular historical disposition associated with the alert; augment the alert to include the threat disposition score to generate an enriched alert; and present the enriched alert for further handling; wherein the historical disposition of at least one alert comprises feedback from a second security analyst on handling of the at least one alert by a first security analyst.

  10. The apparatus as described in claim 9 wherein the enriched alert also includes historical information about how the security threat has been handled previously.

  11. The apparatus as described in claim 9 wherein the feedback is generated following the at least one alert having been escalated from the first security analyst to the second security analyst.

  12. The apparatus as described in claim 9 wherein the computer program instructions are further operative to build the machine learning scoring model, wherein the machine learning scoring model also is built from a set of attributes regarding an alert.

  13. The apparatus as described in claim 12 wherein the computer program instructions also are operative to receive data configuring the set of attributes.

  14. The apparatus as described in claim 9 wherein the computer program instructions also are operative to update the machine learning scoring model.

  15. The apparatus as described in claim 9 wherein the computer program instructions also are operative to: provide a confidence level associated with the TDS; and responsive to the confidence level reaching a threshold, automatically perform a set of one or more actions to respond to the security threat.

  16. The apparatus as described in claim 9 wherein the further handling is one of: closing the security threat as a false positive, and escalating the security threat.

  17. A computer program product in a non-transitory computer readable medium for use in a data processing system for threat disposition analysis, the computer program product holding computer program instructions that, when executed by the data processing system, are operative to: retrieve a threat disposition score (TDS) in response to receipt of a security threat identified in an alert, the threat disposition score generated from a machine learning scoring model built from information about historical security threats, including historical disposition of one or more alerts associated with the historical security threats, the TDS based in part on an effectiveness of a prior calculated TDS to predict a particular historical disposition associated with the alert; augment the alert to include the threat disposition score to generate an enriched alert; and present the enriched alert for further handling; wherein the historical disposition of at least one alert comprises feedback from a second security analyst on handling of the at least one alert by a first security analyst.

  18. The computer program product as described in claim 17 wherein the enriched alert also includes historical information about how the security threat has been handled previously.

  19. The computer program product as described in claim 17 wherein the feedback is generated following the at least one alert having been escalated from the first security analyst to the second security analyst.

  20. The computer program product as described in claim 17 wherein the computer program instructions are further operative to build the machine learning scoring model, wherein the machine learning scoring model also is built from a set of attributes regarding an alert.

  21. The computer program product as described in claim 20 wherein the computer program instructions also are operative to receive data configuring the set of attributes.

  22. The computer program product as described in claim 17 wherein the computer program instructions also are operative to update the machine learning scoring model.

  23. The computer program product as described in claim 17 wherein the computer program instructions also are operative to: provide a confidence level associated with the TDS; and responsive to the confidence level reaching a threshold, automatically perform a set of one or more actions to respond to the security threat.

  24. The computer program product as described in claim 17 wherein the further handling is one of: closing the security threat as a false positive, and escalating the security threat.

  25. A security threat analysis platform, comprising: one or more hardware processors; a data store holding a knowledge base of alert data, and historical alert disposition handling information; and computer memory storing computer program instructions configured to: compute a scoring model by applying machine le
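As an added illustration of the loop the abstract and claims 1, 3 and 7 describe (this is not code from the patent or from IBM), a toy Python model that scores an alert from historical dispositions, grades how well earlier scores predicted the outcome, enriches the alert, routes it automatically only once confidence reaches a threshold, and folds a second analyst's feedback back into the model. The alert signatures, the Laplace-smoothed score, the confidence formula and the threshold are all constructed assumptions, not the patent's own method.

```python
from collections import defaultdict
# Constructed history of already-handled alerts: (signature, escalated_as_real_threat).
HISTORY = ([("ssh_bruteforce", False)] * 4 + [("ssh_bruteforce", True)]
           + [("c2_beacon", True)] * 4 + [("dns_noise", False)] * 4)

class TdsModel:
    """Toy scoring model: per-signature disposition tallies plus a record of how well
    earlier TDS values predicted the eventual disposition (the claim 1 'effectiveness')."""
    def __init__(self):
        self.tally = defaultdict(lambda: [0, 0])  # [escalated, closed as false positive]
        self.hits = defaultdict(lambda: [0, 0])   # [prior TDS correct, prior TDS issued]

    def score(self, signature):
        esc, fp = self.tally[signature]
        n = esc + fp
        tds = (esc + 1) / (n + 2)                 # Laplace-smoothed P(real threat)
        correct, issued = self.hits[signature]
        accuracy = (correct + 1) / (issued + 2)   # effectiveness of prior scores
        confidence = accuracy * n / (n + 1)       # constructed: zero with no history
        return tds, confidence

    def update(self, signature, prior_tds, escalated):
        """Fold a final disposition back in and grade the TDS that was issued for it."""
        self.tally[signature][0 if escalated else 1] += 1
        self.hits[signature][1] += 1
        self.hits[signature][0] += int((prior_tds >= 0.5) == escalated)

def build_model(history):
    model = TdsModel()
    for sig, escalated in history:            # replay so each update grades a prior score
        prior, _ = model.score(sig)
        model.update(sig, prior, escalated)
    return model

def enrich(alert, model):
    """Augment the alert with TDS, confidence and prior handling (claims 1 and 2)."""
    tds, conf = model.score(alert["signature"])
    esc, fp = model.tally[alert["signature"]]
    return {**alert, "tds": tds, "confidence": conf,
            "history": {"escalated": esc, "false_positive": fp}}

def route(enriched, threshold=0.5):
    """Claim 7 style routing: act automatically only once confidence reaches the threshold."""
    if enriched["confidence"] >= threshold:
        return "auto_escalate" if enriched["tds"] >= 0.5 else "auto_close"
    return "analyst"

def handle_with_feedback(model, alert, first_analyst_escalates, second_analyst_verdict):
    """Claim 3: on escalation the second analyst's verdict is the disposition recorded."""
    enriched = enrich(alert, model)
    final = second_analyst_verdict if first_analyst_escalates else False
    model.update(alert["signature"], enriched["tds"], final)
    return enriched, final
```

With the constructed history, c2_beacon is escalated automatically, dns_noise is closed automatically, and the mixed ssh_bruteforce history is left to an analyst until the second analyst's feedback raises confidence enough to auto-close it.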

Classifications

  • Vulnerability analysis · CPC title

  • involving long-term monitoring or reporting · CPC title

  • Machine learning · CPC title

  • by monitoring network traffic (monitoring network traffic per se H04L43/00) · CPC title

  • Inference or reasoning models · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11888883B2 cover?
An enhanced threat disposition analysis technique is provided. In response to receipt of a security threat, a threat disposition score (TDS) is retrieved. The threat disposition score is generated from a machine learning scoring model that is built from information about historical security threats, including historical disposition of one or more alerts associated with the historical security t…
Who is the assignee on this patent?
IBM
What technology area does this patent fall under?
Primary CPC classification H04L63/1433. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jan 30, 2024 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 6 related publications on this page (citations in our corpus or others sharing the same primary CPC).