Security monitoring device, security monitoring method, and recording medium
US-2025103713-A1 · Mar 27, 2025 · US
US2024356942A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2024356942-A1 |
| Application number | US-202318231815-A |
| Country | US |
| Kind code | A1 |
| Filing date | Aug 9, 2023 |
| Priority date | Apr 24, 2023 |
| Publication date | Oct 24, 2024 |
| Grant date | — |
Official abstract text for this publication.
Techniques described herein for extended detection and response to security anomalies in computing networks can perform automated analysis of anomalies occurring in different telemetry sources in a computer network, in order to synthesize the anomalies into analyst work units that are surfaced for further analysis by security response teams. Anomalies can initially be processed in order to identify and collect extended anomaly data. The extended anomaly data can then be used to group the anomalies according to a multi-stage grouping process which produces analyst work units. The analyst work units can be processed to produce analyst summaries that assist with analysis and response. Furthermore, the analyst work units can be prioritized for further analysis, and analyst interactions with the prioritized analyst work units can be used to influence subsequent anomaly grouping operations.
Opening claim text (preview).
What is claimed is:

1. A method comprising: receiving an analyst work unit, the analyst work unit comprising one or more threat occurrence groups, and each of the one or more threat occurrence groups comprising one or more detected anomalies detected in a network comprising multiple different computing assets; identifying, within a data store comprising computing threat information, at least one similar threat that has higher similarity to the analyst work unit than one or more other threats identified in the data store, wherein identifying the at least one similar threat comprises performing a nearest neighbor search on the data store; and generating an analyst summary of the analyst work unit, wherein generating the analyst summary comprises using a neural network-based generator to process the analyst work unit and the at least one similar threat.

2. The method of claim 1, wherein the data store further comprises threat response playbook information, and wherein generating the analyst summary further comprises generating, based on the threat response playbook information, a next action recommendation associated with the analyst work unit.

3. The method of claim 1, wherein the at least one similar threat is associated with a risk level, and wherein generating the analyst summary further comprises providing the risk level to the neural network-based generator.

4. The method of claim 1, wherein at least generating the analyst summary of the analyst work unit is performed by a server coupled to a local area network, and wherein the local area network further comprises the data store comprising computing threat information.

5. The method of claim 1, wherein the neural network-based generator is configured to use at least one of natural language processing or a large language model.

6. The method of claim 1, wherein using the neural network-based generator comprises providing, to the neural network-based generator: a natural language command; one or more first events based on the analyst work unit; one or more second events based on the at least one similar threat; and a risk level based on the at least one similar threat.

7. The method of claim 6, wherein the analyst summary of the analyst work unit comprises one or more different sections corresponding to the one or more first events.

8. A device comprising: one or more processors; one or more computer-readable media storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising: receiving an analyst work unit, the analyst work unit comprising one or more threat occurrence groups, and each of the one or more threat occurrence groups comprising one or more detected anomalies detected in a network comprising multiple different computing assets; identifying, within a data store comprising computing threat information, at least one similar threat that has higher similarity to the analyst work unit than one or more other threats identified in the data store, wherein identifying the at least one similar threat comprises performing a nearest neighbor search on the data store; and generating an analyst summary of the analyst work unit, wherein generating the analyst summary comprises using a neural network-based generator to process the analyst work unit and the at least one similar threat.

9. The device of claim 8, wherein the data store further comprises threat response playbook information, and wherein generating the analyst summary further comprises generating, based on the threat response playbook information, a next action recommendation associated with the analyst work unit.

10. The device of claim 8, wherein the at least one similar threat is associated with a risk level, and wherein generating the analyst summary further comprises providing the risk level to the neural network-based generator.

11. The device of claim 8, wherein at least generating the analyst summary of the analyst work unit is performed by a server coupled to a local area network, and wherein the local area network further comprises the data store comprising computing threat information.

12. The device of claim 8, wherein the neural network-based generator is configured to use at least one of natural language processing or a large language model.

13. The device of claim 8, wherein using the neural network-based generator comprises providing, to the neural network-based generator: a natural language command; one or more first events based on the analyst work unit; one or more second events based on the at least one similar threat; and a risk level based on the at least one similar threat.

14. The device of claim 13, wherein the analyst summary of the analyst work unit comprises one or more different sections corresponding to the one or more first events.

15. A method comprising: receiving anomaly data associated with a security threat in a network; identifying, within a threat intelligence data store, at least one similar threat that has higher similarity to the security threat than one or more other threats identified in the threat intelligence data store, wherein identifying the at least one similar threat comprises performing a nearest neighbor search for the security threat in the threat intelligence data store; and generating an analyst summary of the security threat, wherein generating the analyst summary comprises using a large language model-based generator to process the security threat and the at least one similar threat.

16. The method of claim 15, wherein using the large language model-based generator comprises providing, to the large language model-based generator: a natural language command; first data based on the security threat; and second data based on the at least one similar threat.

17. The method of claim 16, wherein the analyst summary comprises one or more different sections corresponding to the second data.

18. The method of claim 15, wherein generating the analyst summary further comprises generating a next action recommendation associated with the security threat.

19. The method of claim 15, wherein the analyst summary comprises a risk level associated with the security threat.

20. The method of claim 19, wherein the risk level is based at least in part on a risk level associated with the at least one similar threat.
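As an added illustration (not the applicant's code), the following Python ranks a constructed threat store against a constructed analyst work unit and assembles the structured generator input enumerated in claim 6 (natural language command, first events, second events, risk level), inheriting the risk level from the nearest threat as in claim 20. The tag vocabulary, the threats, and cosine similarity over anomaly tags as the nearest-neighbor metric are assumptions; the neural network generator itself is not included, only the input handed to it.

```python
"""Added illustration (not the patent's code): rank a constructed threat store by
similarity to an analyst work unit, then assemble the generator input of claim 6."""
from collections import Counter
from math import sqrt

# Constructed threat intelligence store; names, tags and risk levels are made up.
THREAT_STORE = [
    {"name": "credential-stuffing", "risk": "medium",
     "tags": ["failed-login", "many-sources", "web-app"]},
    {"name": "lateral-movement-smb", "risk": "high",
     "tags": ["smb", "admin-share", "new-host-pair", "service-install"]},
    {"name": "dns-exfiltration", "risk": "high",
     "tags": ["dns", "long-txt", "high-volume", "rare-domain"]},
]

# Constructed analyst work unit: two threat occurrence groups of tagged anomalies.
WORK_UNIT = {"groups": [
    [{"event": "new SMB session ws-12 -> fs-01 (ADMIN$)",
      "tags": ["smb", "admin-share", "new-host-pair"]}],
    [{"event": "service installed on fs-01 by svc_backup",
      "tags": ["service-install", "new-host-pair"]}],
]}

def cosine(a: Counter, b: Counter) -> float:
    """Cosine similarity of two bags of tags; 0.0 when either bag is empty."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na, nb = sqrt(sum(v * v for v in a.values())), sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def work_unit_tags(work_unit: dict) -> Counter:
    """Flatten every anomaly in every group into one bag of tags (assumed feature)."""
    return Counter(t for g in work_unit["groups"] for a in g for t in a["tags"])

def nearest_threats(work_unit: dict, store: list, k: int = 1) -> list:
    """Exact nearest-neighbor search: the top-k store entries with their scores."""
    q = work_unit_tags(work_unit)
    scored = [(t, round(cosine(q, Counter(t["tags"])), 3)) for t in store]
    return sorted(scored, key=lambda ts: ts[1], reverse=True)[:k]

def build_generator_input(work_unit: dict, store: list) -> dict:
    """Structured input of claim 6; risk level inherited from the nearest threat (claim 20)."""
    threat, score = nearest_threats(work_unit, store)[0]
    return {
        "command": "Summarize each first event in its own section and recommend a next action.",
        "first_events": [a["event"] for g in work_unit["groups"] for a in g],
        "second_events": [f"{threat['name']}: {tag}" for tag in threat["tags"]],
        "risk_level": threat["risk"],
        "similarity": score,
    }
```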
CPC classification titles:

- Vulnerability analysis
- by monitoring network traffic (monitoring network traffic per se H04L43/00)
- for managing network security; network security policies in general (filtering policies H04L63/0227)
- Event detection, e.g. attack signature detection
- Traffic logging, e.g. anomaly detection