Incident triage engine

US9369481B2 · US · B2

Patent metadata
Publication number: US-9369481-B2
Application number: US-201414247322-A
Country: US
Kind code: B2
Filing date: Apr 8, 2014
Priority date: Oct 7, 2011
Publication date: Jun 14, 2016
Grant date: Jun 14, 2016

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

An incident triage engine performs incident triage in a system by prioritizing responses to incidents within the system. One prioritization method may include receiving attributes of incidents and assets in the system, generating cumulative loss forecasts for the incidents, and prioritizing the responses to the incidents based on the cumulative loss forecasts for the incidents. Another prioritization method may include determining different arrangements of incidents within a response queue, calculating cumulative queue loss forecasts for the different arrangements of incidents within the response queue, and arranging the incidents in the response queue based on the arrangement of incidents that minimizes the total loss to the system over the resolution of all of the incidents present in the response queue.

First claim

Opening claim text (preview).

What is claimed is:

1. A method, comprising: storing, by a device, a response queue that includes a list of a plurality of incidents within a computer network, the computer network including a plurality of linked network devices, the plurality of incidents including one or more of: a denial of service attack, a virus, a worm, a Trojan horse, a backdoor, or a cookie tracker; determining, by the device, a plurality of different arrangements of the plurality of incidents within the list, of the plurality of incidents, included in the response queue, the plurality of different arrangements of the plurality of incidents including all possible arrangements of the plurality of incidents within the list; receiving, by the device and for each of the plurality of incidents, a remediation time associated with a course of action for resolving each of the plurality of incidents; calculating, by the device and for each of the plurality of incidents, a loss forecast based on a total time to resolve each of the plurality of incidents, the total time to resolve each of the plurality of incidents being based on sum of the remediation time of each of the plurality of incidents and remediation times of incidents, of the plurality of incidents, at earlier positions in the list of the plurality of incidents; calculating, by the device and for each of the plurality of different arrangements of the plurality of incidents, a cumulative queue loss forecast based on a sum of the loss forecasts calculated for each of the plurality of incidents; arranging, by the device, an order of the plurality of incidents within the list included in the response queue according to an arrangement of the plurality of incidents with a smallest cumulative queue loss forecast; executing, by the device, a particular course of action associated with a particular incident arranged first in the order of the plurality of incidents within the list included in the response queue; and repeating, by the device, the determining the plurality of different arrangements of the plurality of incidents, the calculating the cumulative queue loss forecast, and the arranging the order of the plurality of incidents within the list when a new incident is added to the list of the plurality of incidents or when an incident is removed from the list of the plurality of incidents.

2. The method according to claim 1, wherein the plurality of linked network devices includes one or more of: a database server, an application server, a firewall, an intrusion detection system, a router, a switch, a bridge, a repeater, or an end point device.

3. The method according to claim 1, the method further comprising: receiving attributes of the computer network, attributes of the plurality of linked network devices, and attributes of the plurality of incidents; and where calculating the cumulative queue loss forecast comprises: calculating the cumulative queue loss forecast based on the attributes of the computer network, the attributes of the plurality of linked network devices, and the attributes of the plurality of incidents.

4. The method according to claim 3, wherein machine learning is used to associate each of the plurality of incidents with a course of action for resolving each of the plurality of incidents.

5. The method according to claim 3, the method further comprising: executing courses of action, associated with the plurality of incidents, in the order of the plurality of incidents within the list included in the response queue.

6. The method according to claim 3, wherein the determining the plurality of different arrangements of the plurality of incidents, the calculating the cumulative queue loss forecast, and the arranging the order of the plurality of incidents within the list are continuously performed.

7. The method according to claim 3, wherein: the attributes of the computer network include an environmental factors attribute; the attributes of the plurality of incidents include one or more of an incident morbidity attribute or an incident infectiousness attribute, where the incident morbidity attribute includes one or more of a confidentiality impact of an incident, an integrity impact of an incident, an availability impact of an incident, a progression speed of an incident, or an incubation time of an incident, and where the incident infectiousness attribute includes one or more of a potency of an incident, a transmission mode of an incident, or a latency period of an incident; and the attributes of the plurality of linked network devices include one or more of a value attribute or an immunity attribute, where the value attribute includes one or more of a confidentiality value of a network device, an integrity value of a network device, an availability value of a network device, or a substitutability value of a network device, and where the immunity attribute includes a susceptibility value of a network device.

8. The method according to claim 7, wherein the incident infectiousness attribute includes a value identifying an ability of an incident to spread to the plurality of linked network devices of the computer network.

9. The method according to claim 7, wherein: the environmental factors attribute includes a value identifying an ability of the computer network to limit a spread of incidents to the plurality of linked network devices.

10. A non-transitory computer-readable storage medium storing instructions, the instructions comprising: one or more instructions which, when executed by at least one processor, cause the at least one processor to: store a response queue that includes a list of a plurality of incidents within a computer network, the computer network including a plurality of linked network devices, the plurality of incidents including one or more of: a denial of service attack, a virus, a worm, a Trojan horse, a backdoor, or a cookie tracker; determine a plurality of different arrangements of the plurality of incidents within the list, of the plurality of incidents, included in the response queue, the plurality of different arrangements of the plurality of incidents including all possible arrangements of the plurality of incidents within the list; receive, for each of the plurality of incidents, a remediation time associated with a course of action for resolving each of the plurality of incidents; calculate, for each of the plurality of incidents, a loss forecast based on a total time to resolve each of the plurality of incidents, the total time to resolve each of the plurality of incidents being based on sum of the remediation time of each of the plurality of incidents and remediation times of incidents, of the plurality of incidents, at earlier positions in the list of the plurality of incidents; calculate, for each of the plurality of different arrangements of the plurality of incidents, a cumulative queue loss forecast based on a sum of the loss forecasts calculated for each of the plurality of incidents; arrange an order of the plurality of incidents within the list included in the response queue according to an arrangement of the plurality of incidents with a smallest cumulative queue loss forecast; execute a particular course of action associated with a particular incident arranged first in the order of the plurality of incidents within the list included in the response queue; and repeat the determining the plurality of different arrangements of the plurality of incidents, the calculating the cumulative queue loss forecast, and the arranging the order of the plurality of incidents within the list when a new incident is added to the list of the plurality of
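The queue-arrangement procedure of claim 1 (enumerate every arrangement of the response queue, score each by the sum of per-incident loss forecasts, keep the arrangement with the smallest cumulative queue loss, and redo it whenever an incident is added or removed) can be worked through in a few dozen lines. The following is an added illustration written for this page, not code from the patent or from the assignee. It assumes a deliberately simple loss model, loss per incident = loss rate × total time to resolve, which is a hypothetical stand-in for the attribute-based forecast (morbidity, infectiousness, asset value, environmental factors) that claims 3 and 7 describe; the incident names, remediation times and loss rates are constructed sample data. It goes one step beyond the claim: the `arrange_queue_by_ratio` function shows that, for this particular loss model, the brute-force minimum coincides with ordering by loss rate divided by remediation time, which matters because enumerating all arrangements costs n! evaluations and becomes impractical for a queue of more than about ten incidents.

```python
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Incident:
    name: str
    remediation_time: float   # time the course of action takes (hypothetical hours)
    loss_rate: float          # forecast loss per hour while unresolved (hypothetical units)


def completion_times(order):
    """Total time to resolve each incident: its own remediation time plus
    the remediation times of every incident at an earlier queue position."""
    elapsed = 0.0
    times = {}
    for inc in order:
        elapsed += inc.remediation_time
        times[inc.name] = elapsed
    return times


def loss_forecast(incident, total_time):
    """Assumed loss model: loss accrues linearly until the incident is resolved."""
    return incident.loss_rate * total_time


def cumulative_queue_loss(order):
    """Cumulative queue loss forecast for one arrangement: sum of per-incident forecasts."""
    times = completion_times(order)
    return sum(loss_forecast(inc, times[inc.name]) for inc in order)


def arrange_queue(incidents):
    """Claim 1 as written: score every arrangement (n! of them) and keep the smallest."""
    best_order, best_loss = None, float("inf")
    for order in permutations(incidents):
        loss = cumulative_queue_loss(order)
        if loss < best_loss:
            best_order, best_loss = order, loss
    return list(best_order), best_loss


def arrange_queue_by_ratio(incidents):
    """Same objective without enumeration for the linear loss model:
    sort by loss_rate / remediation_time, highest first (weighted shortest
    processing time). Runs in O(n log n) instead of O(n!)."""
    return sorted(incidents, key=lambda i: i.loss_rate / i.remediation_time, reverse=True)


class TriageQueue:
    """Response queue that re-runs the arrangement whenever an incident is
    added or removed, as the last step of claim 1 requires."""

    def __init__(self, incidents=()):
        self.incidents = list(incidents)
        self._rearrange()

    def _rearrange(self):
        if self.incidents:
            self.order, self.loss = arrange_queue(self.incidents)
        else:
            self.order, self.loss = [], 0.0

    def add(self, incident):
        self.incidents.append(incident)
        self._rearrange()

    def pop_first(self):
        """Take the incident at the front (its course of action is executed
        first), remove it from the list, and re-arrange the remainder."""
        first = self.order[0]
        self.incidents.remove(first)
        self._rearrange()
        return first


# Constructed sample queue; the numbers are illustrative, not from the patent.
SAMPLE_INCIDENTS = [
    Incident("worm", remediation_time=4.0, loss_rate=10.0),
    Incident("ddos", remediation_time=1.0, loss_rate=6.0),
    Incident("trojan", remediation_time=2.0, loss_rate=3.0),
    Incident("backdoor", remediation_time=3.0, loss_rate=9.0),
]


if __name__ == "__main__":
    queue = TriageQueue(SAMPLE_INCIDENTS)
    print("order:", [i.name for i in queue.order], "cumulative loss:", queue.loss)
    print("ratio order:", [i.name for i in arrange_queue_by_ratio(SAMPLE_INCIDENTS)])
    queue.add(Incident("virus", remediation_time=1.0, loss_rate=8.0))
    print("after add:", [i.name for i in queue.order], "cumulative loss:", queue.loss)
    handled = queue.pop_first()
    print("executed:", handled.name, "remaining:", [i.name for i in queue.order])
```

With the sample data the brute-force search and the ratio ordering agree on ddos, backdoor, worm, trojan (cumulative loss 152); adding a short, high-rate virus moves it to the front, and popping it restores the earlier order. The agreement between the two methods holds only for a loss that is linear in total resolution time; the richer attribute-driven forecasts of claim 7 would in general need the enumeration, or a heuristic, because the per-incident loss then need not be separable in that way.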

Assignees

Accenture Global Services Ltd

Inventors

Classifications

  • Assessing vulnerabilities and evaluating computer system security · CPC title

  • Event detection, e.g. attack signature detection · CPC title

  • Vulnerability analysis · CPC title

  • Office automation; Time management · CPC title

  • involving event detection and direct action · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9369481B2 cover?
An incident triage engine performs incident triage in a system by prioritizing responses to incidents within the system. One prioritization method may include receiving attributes of incidents and assets in the system, generating cumulative loss forecasts for the incidents, and prioritizing the responses to the incidents based on the cumulative loss forecasts for the incidents. Another prioriti…
Who is the assignee on this patent?
Accenture Global Services Ltd
What technology area does this patent fall under?
Primary CPC classification H04L63/1433. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jun 14, 2016 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).