
Automated determination of relevance of a security alert to one or more other security alerts based on shared markers

  • US 10,263,998 B1
  • Filed: 12/14/2016
  • Issued: 04/16/2019
  • Est. Priority Date: 12/14/2016
  • Status: Active Grant
First Claim

1. A method comprising:

  • obtaining a plurality of security alerts in a computer network;
  • processing the security alerts to extract a plurality of markers from each of the security alerts;
  • computing at least one relevance score relating a given one of the security alerts to another one of the security alerts based at least in part on distance measures computed between markers shared by the given security alert and the other security alert; and
  • adjusting at least one operating characteristic of a network security system of the computer network based at least in part on the relevance score;

    wherein the distance measures comprise at least one of:

    a first distance measure computed between markers comprising network addresses of user devices of the computer network, the first distance measure being computed at least in part utilizing a first distance function that measures distance between subnets of the network addresses; and

    a second distance measure computed between markers comprising user identifiers of user devices of the computer network, the second distance measure being computed at least in part utilizing a second distance function that measures distance between associated organizations of the user identifiers;

    wherein an instance of the first distance measure computed between two network addresses belonging to the same subnet is less than an instance of the first distance measure computed between two network addresses not belonging to the same subnet;

    wherein an instance of the second distance measure computed between two user identifiers of respective users in the same organization is less than an instance of the second distance measure computed between two user identifiers of respective users in different organizations; and

    wherein the method is performed by at least one processing device comprising a processor coupled to a memory.
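The claim above specifies a pipeline (extract markers, compute per-marker distances, fold them into a relevance score, adjust the security system) without fixing any concrete distance function. The following Python is an added worked example of that pipeline, not code from the patent or its assignee. Everything beyond the claim's wording is an assumption of this example: alerts are dicts carrying a source IP (`src_ip`) and a user identifier (`user`); the first distance function treats a /24 as "the same subnet" and grows with the number of leading bits on which two addresses disagree; the organization of a user identifier is the domain part of an e-mail-style identifier, with sibling sub-domains counted as half-distance; the relevance score is the mean of (1 - distance) over the marker kinds both alerts carry; and the operating characteristic adjusted is the alert priority. The sample alerts are constructed for the example.

```python
"""Alert-relevance scoring from shared markers (added example, not the patent's code).

Assumptions (not part of the claim): alert dict layout, /24 subnets, e-mail
domain as organization, mean of (1 - distance) as the score, and alert
priority as the adjusted operating characteristic.
"""
import ipaddress
from itertools import combinations

SUBNET_PREFIX = 24  # assumed subnet size for the first distance function


def extract_markers(alert):
    """Extract the two marker kinds named in claim 1 from one alert dict."""
    markers = {}
    if alert.get("src_ip"):
        markers["ip"] = ipaddress.ip_address(alert["src_ip"])
    if alert.get("user"):
        markers["user"] = alert["user"].strip().lower()
    return markers


def subnet_distance(a, b):
    """First distance function: 0.0 when both addresses fall in one /SUBNET_PREFIX,
    otherwise a value in (0, 1] that grows with the number of prefix bits on which
    they disagree. Same-subnet pairs are therefore always closer than cross-subnet
    pairs, which is the ordering the claim requires."""
    if a.version != b.version:
        return 1.0
    diff = int(a) ^ int(b)
    if diff == 0:
        return 0.0
    common_prefix = a.max_prefixlen - diff.bit_length()
    if common_prefix >= SUBNET_PREFIX:
        return 0.0
    return (SUBNET_PREFIX - common_prefix) / SUBNET_PREFIX


def organization(user_id):
    """Organization of a user identifier: the labels of its e-mail domain
    (assumed identifier form). Identifiers without a domain get a 'local' org."""
    domain = user_id.rpartition("@")[2] if "@" in user_id else "local"
    return tuple(domain.split("."))


def org_distance(u, v):
    """Second distance function: 0.0 for the same organization, 0.5 for sibling
    sub-organizations sharing a parent domain, 1.0 for unrelated organizations."""
    ou, ov = organization(u), organization(v)
    if ou == ov:
        return 0.0
    if len(ou) >= 2 and len(ov) >= 2 and ou[-2:] == ov[-2:]:
        return 0.5
    return 1.0


DISTANCE = {"ip": subnet_distance, "user": org_distance}


def relevance_score(alert_a, alert_b):
    """Relevance of alert_b to alert_a over the marker kinds they share:
    mean of (1 - distance), or 0.0 when they share no marker kind."""
    ma, mb = extract_markers(alert_a), extract_markers(alert_b)
    shared = [k for k in ma if k in mb]
    if not shared:
        return 0.0
    return sum(1.0 - DISTANCE[k](ma[k], mb[k]) for k in shared) / len(shared)


def correlate(alerts, threshold=0.6):
    """Adjust an operating characteristic: raise the priority of every alert that
    is relevant (score >= threshold) to at least one other alert and record the
    relation. Returns {alert_id: {"priority": int, "related": [ids]}}."""
    state = {a["id"]: {"priority": a["priority"], "related": []} for a in alerts}
    for a, b in combinations(alerts, 2):
        if relevance_score(a, b) >= threshold:
            for x, y in ((a, b), (b, a)):
                state[x["id"]]["related"].append(y["id"])
    for s in state.values():
        if s["related"]:
            s["priority"] += 1
    return state


# Constructed sample alerts for the example (not from any real system).
SAMPLE_ALERTS = [
    {"id": "a1", "src_ip": "10.0.1.5", "user": "alice@corp.example.com", "priority": 1},
    {"id": "a2", "src_ip": "10.0.1.77", "user": "bob@corp.example.com", "priority": 1},
    {"id": "a3", "src_ip": "10.0.2.9", "user": "carol@partner.example.org", "priority": 1},
    {"id": "a4", "src_ip": "203.0.113.40", "priority": 1},
]

if __name__ == "__main__":
    for a, b in combinations(SAMPLE_ALERTS, 2):
        print(a["id"], b["id"], round(relevance_score(a, b), 3))
    print(correlate(SAMPLE_ALERTS))
```

With these assumptions a1 and a2 (same /24, same organization) score 1.0 and are both escalated; a1 and a3 share both marker kinds but sit in different /24s and unrelated organizations, so they score 11/24 and stay below the threshold; a4 carries no user identifier and is in a distant subnet, so it relates to nothing. A practitioner would tune the threshold and the per-kind weights to the environment rather than use the flat mean shown here.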

  • 7 Assignments