Apparatus and method for automatic handling of cyber-security risk events
First Claim
1. A method comprising:
detecting, by a monitoring system, a first event associated with a device in a computing system;
in response to detecting the event, initializing a risk item corresponding to the first event, by the monitoring system, and setting the risk item to a full risk value;
determining, by the monitoring system, whether a second event, corresponding to the first event, has been detected, wherein the second event corresponds to the first event when the second event is a repeat of the first event, is a same type of event as the first event, or is generated by a same process, system, or device as the first event;
in response to determining, by the monitoring system, that no second event has been detected, reducing the risk value over time;
in response to determining, by the monitoring system, that multiple corresponding second events have been detected, increasing the risk value to a value that is greater than the full risk value;
altering, by the monitoring system, when no second event has been detected, the risk value by reducing the risk value according to a decay function, wherein the decay function is defined as:
For t < P: Risk = R * (1 − t/P)
For t ≥ P: Risk = 0
where Risk represents an adjusted risk value, R represents the full risk value, P represents a decay period of time, and t represents the amount of time that has passed since the first event was detected;
determining, by the monitoring system, if the risk value for the risk item has passed a threshold; and
clearing the event, by the monitoring system, in response to the risk value passing the threshold.
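The handling loop of claim 1 (a new risk item at full risk R on the first event, escalation above R when corresponding events repeat, linear decay to zero over the period P when they do not, and clearing once the value passes a threshold) as a runnable simulation. This is an added example and not code from the patent or its assignee. The claims fix only the decay function, so the escalation rule (peak = R * (1 + ESCALATION * repeats)), the restart of the decay clock at the latest corresponding event, the constants, the use of the threshold as a lower bound for clearing, and the sample events are all assumptions made here for illustration.

```python
"""Added example, not part of the patent text: a small simulation of the risk
handling in claim 1.  The claims fix only the decay function; the escalation
rule, the restart of the decay clock at the latest corresponding event, the
constants, the use of the threshold as a lower bound for clearing, and the
sample events are assumptions made here for illustration."""
from __future__ import annotations

from dataclasses import dataclass

FULL_RISK = 100.0       # R in the claims
DECAY_PERIOD = 600.0    # P in the claims (seconds, assumed)
CLEAR_THRESHOLD = 10.0  # assumed: clear an item once its risk decays to this or below
ESCALATION = 0.5        # assumed: each corresponding repeat adds 0.5 * R to the peak


def decay(peak: float, t: float, period: float = DECAY_PERIOD) -> float:
    """Claimed decay: Risk = R * (1 - t/P) for t < P, Risk = 0 for t >= P."""
    if t >= period:
        return 0.0
    return peak * (1.0 - t / period)


@dataclass
class RiskItem:
    event_type: str
    source: str            # process, system or device that produced the first event
    last_seen: float       # decay clock restarts here on each corresponding event
    peak: float = FULL_RISK
    count: int = 1         # events folded into this item, first event included
    cleared: bool = False

    def corresponds(self, event: dict) -> bool:
        """Claim rule, taken literally: same type of event OR same source."""
        return event["type"] == self.event_type or event["source"] == self.source

    def risk(self, now: float) -> float:
        return decay(self.peak, now - self.last_seen)


class Monitor:
    def __init__(self) -> None:
        self.items: list[RiskItem] = []

    def ingest(self, event: dict) -> RiskItem:
        """First event: new item at full risk R.  Corresponding event: raise the
        peak above R and restart the decay clock."""
        for item in self.items:
            if not item.cleared and item.corresponds(event):
                item.count += 1
                item.peak = FULL_RISK * (1.0 + ESCALATION * (item.count - 1))
                item.last_seen = event["ts"]
                return item
        item = RiskItem(event["type"], event["source"], event["ts"])
        self.items.append(item)
        return item

    def sweep(self, now: float) -> list[RiskItem]:
        """Clear every open item whose decayed risk has passed the threshold."""
        cleared = []
        for item in self.items:
            if not item.cleared and item.risk(now) <= CLEAR_THRESHOLD:
                item.cleared = True
                cleared.append(item)
        return cleared


# Constructed sample events (not real telemetry): three failed logins against
# one controller, and a single scan from another host that never repeats.
SAMPLE_EVENTS = [
    {"ts": 0.0, "type": "auth_failure", "source": "plc-01"},
    {"ts": 0.0, "type": "port_scan", "source": "hmi-07"},
    {"ts": 5.0, "type": "auth_failure", "source": "plc-01"},
    {"ts": 10.0, "type": "auth_failure", "source": "plc-01"},
]


def run_demo() -> dict:
    """Feed the sample events in time order, then sample the risk values."""
    mon = Monitor()
    for ev in sorted(SAMPLE_EVENTS, key=lambda e: e["ts"]):
        mon.ingest(ev)
    auth, scan = mon.items  # one item per distinct (type, source) in the sample
    return {
        "auth_count": auth.count,                 # 3 corresponding events
        "auth_peak": auth.peak,                   # 200.0, above the full risk of 100
        "auth_risk_at_310": auth.risk(310.0),     # 300 s after the last repeat: 100.0
        "scan_risk_at_310": scan.risk(310.0),     # never repeated: 100 * (1 - 310/600)
        "cleared_at_310": len(mon.sweep(310.0)),  # nothing at or below the threshold yet
        "cleared_at_600": len(mon.sweep(600.0)),  # both items cleared
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

One point worth noticing when implementing the claimed correspondence rule: as written, a second event corresponds when it is the same type of event or comes from the same process, system or device, so `corresponds` above will fold an `auth_failure` from any other host into the first `auth_failure` item. That is what the claim literally says; a deployment that wants per-device escalation would key items on type and source together.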
Abstract
This disclosure provides an apparatus and method for automatic handling of cyber-security risk events and other risk events. A method includes detecting, by a monitoring system, a first event associated with a device in a computing system. The method includes initializing a risk item corresponding to the first event, and setting the risk item to a full risk value, in response to detecting the event. The method includes determining whether a second event, corresponding to the first event, has been detected. The method includes altering the risk value over time in response to determining that no second event has been detected. The method includes determining if the risk value for the risk item has passed a threshold. The method includes clearing the event in response to the risk value passing the threshold.
15 Claims
1. A method comprising: (independent claim 1, reproduced in full under First Claim above). Dependent claims: 2, 3, 4, 5, 6.
7. A monitoring system comprising:
a processing device; a memory; and a network interface, wherein the processing device is configured to: detect a first event associated with a device in a computing system; in response to detecting the event, initialize a risk item corresponding to the first event and set the risk item to a full risk value; determine whether a second event, corresponding to the first event, has been detected, wherein the second event corresponds to the first event when the second event is a repeat of the first event, is a same type of event as the first event, or is generated by a same process, system, or device as the first event; in response to determining that no second event has been detected, alter the risk value over time; in response to determining that multiple corresponding second events have been detected, increase the risk value to a value that is greater than the full risk value; when no second event has been detected, alter the risk value by reducing the risk value according to a decay function, wherein the decay function is defined as:
For t < P: Risk = R * (1 − t/P)
For t ≥ P: Risk = 0
where Risk represents an adjusted risk value, R represents the full risk value, P represents a decay period of time, and t represents the amount of time that has passed since the first event was detected; determine if the risk value for the risk item has passed a threshold; and clear the event in response to the risk value passing the threshold. Dependent claims: 8, 9, 10, 11.
12. A non-transitory computer-readable medium encoded with computer readable program code that, when executed, causes a monitoring system to:
detect a first event associated with a device in a computing system; in response to detecting the event, initialize a risk item corresponding to the first event and set the risk item to a full risk value; determine whether a second event, corresponding to the first event, has been detected, wherein the second event corresponds to the first event when the second event is a repeat of the first event, is a same type of event as the first event, or is generated by a same process, system, or device as the first event; in response to determining that no second event has been detected, alter the risk value over time; in response to determining that multiple corresponding second events have been detected, increase the risk value to a value that is greater than the full risk value; when no second event has been detected, reduce the risk value according to a decay function, wherein the decay function is defined as:
For t < P: Risk = R * (1 − t/P)
For t ≥ P: Risk = 0
where Risk represents an adjusted risk value, R represents the full risk value, P represents a decay period of time, and t represents the amount of time that has passed since the first event was detected; determine if the risk value for the risk item has passed a threshold; and clear the event in response to the risk value passing the threshold. Dependent claims: 13, 14, 15.