Automated determination of relevance of a security alert to one or more other security alerts based on shared markers
First Claim
1. A method comprising:
obtaining a plurality of security alerts in a computer network;
processing the security alerts to extract a plurality of markers from each of the security alerts;
computing at least one relevance score relating a given one of the security alerts to another one of the security alerts based at least in part on distance measures computed between markers shared by the given security alert and the other security alert; and
adjusting at least one operating characteristic of a network security system of the computer network based at least in part on the relevance score;
wherein the distance measures comprise at least one of:
a first distance measure computed between markers comprising network addresses of user devices of the computer network, the first distance measure being computed at least in part utilizing a first distance function that measures distance between subnets of the network addresses; and
a second distance measure computed between markers comprising user identifiers of user devices of the computer network, the second distance measure being computed at least in part utilizing a second distance function that measures distance between associated organizations of the user identifiers;
wherein an instance of the first distance measure computed between two network addresses belonging to the same subnet is less than an instance of the first distance measure computed between two network addresses not belonging to the same subnet;
wherein an instance of the second distance measure computed between two user identifiers of respective users in the same organization is less than an instance of the second distance measure computed between two user identifiers of respective users in different organizations; and
wherein the method is performed by at least one processing device comprising a processor coupled to a memory.
Abstract
A processing device in one embodiment comprises a processor coupled to a memory and is configured to obtain a plurality of security alerts in a computer network, to process the security alerts to extract a plurality of markers from each of the security alerts, to compute at least one relevance score relating a given one of the security alerts to another one of the security alerts based at least in part on distance measures computed between markers shared by the given security alert and the other security alert, and to adjust at least one operating characteristic of a network security system of the computer network based at least in part on the relevance score. The relevance score may be computed as a function of a number of markers shared by the given security alert and the other security alert.
20 Claims
1. A method comprising:
obtaining a plurality of security alerts in a computer network;
processing the security alerts to extract a plurality of markers from each of the security alerts;
computing at least one relevance score relating a given one of the security alerts to another one of the security alerts based at least in part on distance measures computed between markers shared by the given security alert and the other security alert; and
adjusting at least one operating characteristic of a network security system of the computer network based at least in part on the relevance score;
wherein the distance measures comprise at least one of:
a first distance measure computed between markers comprising network addresses of user devices of the computer network, the first distance measure being computed at least in part utilizing a first distance function that measures distance between subnets of the network addresses; and
a second distance measure computed between markers comprising user identifiers of user devices of the computer network, the second distance measure being computed at least in part utilizing a second distance function that measures distance between associated organizations of the user identifiers;
wherein an instance of the first distance measure computed between two network addresses belonging to the same subnet is less than an instance of the first distance measure computed between two network addresses not belonging to the same subnet;
wherein an instance of the second distance measure computed between two user identifiers of respective users in the same organization is less than an instance of the second distance measure computed between two user identifiers of respective users in different organizations; and
wherein the method is performed by at least one processing device comprising a processor coupled to a memory.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13
14. A computer program product comprising a non-transitory processor-readable storage medium having stored therein program code of one or more software programs, wherein the program code when executed by at least one processing device causes said at least one processing device:
to obtain a plurality of security alerts in a computer network;
to process the security alerts to extract a plurality of markers from each of the security alerts;
to compute at least one relevance score relating a given one of the security alerts to another one of the security alerts based at least in part on distance measures computed between markers shared by the given security alert and the other security alert; and
to adjust at least one operating characteristic of a network security system of the computer network based at least in part on the relevance score;
wherein the distance measures comprise at least one of:
a first distance measure computed between markers comprising network addresses of user devices of the computer network, the first distance measure being computed at least in part utilizing a first distance function that measures distance between subnets of the network addresses; and
a second distance measure computed between markers comprising user identifiers of user devices of the computer network, the second distance measure being computed at least in part utilizing a second distance function that measures distance between associated organizations of the user identifiers;
wherein an instance of the first distance measure computed between two network addresses belonging to the same subnet is less than an instance of the first distance measure computed between two network addresses not belonging to the same subnet; and
wherein an instance of the second distance measure computed between two user identifiers of respective users in the same organization is less than an instance of the second distance measure computed between two user identifiers of respective users in different organizations.
Dependent claims: 15, 16
17. An apparatus comprising:
at least one processing device comprising a processor coupled to a memory;
said at least one processing device being configured:
to obtain a plurality of security alerts in a computer network;
to process the security alerts to extract a plurality of markers from each of the security alerts;
to compute at least one relevance score relating a given one of the security alerts to another one of the security alerts based at least in part on distance measures computed between markers shared by the given security alert and the other security alert; and
to adjust at least one operating characteristic of a network security system of the computer network based at least in part on the relevance score;
wherein the distance measures comprise at least one of:
a first distance measure computed between markers comprising network addresses of user devices of the computer network, the first distance measure being computed at least in part utilizing a first distance function that measures distance between subnets of the network addresses; and
a second distance measure computed between markers comprising user identifiers of user devices of the computer network, the second distance measure being computed at least in part utilizing a second distance function that measures distance between associated organizations of the user identifiers;
wherein an instance of the first distance measure computed between two network addresses belonging to the same subnet is less than an instance of the first distance measure computed between two network addresses not belonging to the same subnet; and
an instance of the second distance measure computed between two user identifiers of respective users in the same organization is less than an instance of the second distance measure computed between two user identifiers of respective users in different organizations.
Dependent claims: 18, 19, 20
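The following is an added illustration of the abstract and the claims above, not code from the patent: markers (source IP and user identifier) are extracted from constructed sample alerts, a subnet-based distance is computed between IP markers and an organization-based distance between user markers, a relevance score is formed from the shared markers, and pairs above a threshold are linked as one incident. The /24 subnet size, the "domain part of the user id is the organization" rule, the scoring formula and the threshold are all assumptions chosen for the example.

```python
import ipaddress
from itertools import combinations

# Constructed sample alerts (not from the patent); each carries raw fields
# from which markers are extracted.
ALERTS = [
    {"id": "A1", "src_ip": "10.1.2.10", "user": "alice@corp.example"},
    {"id": "A2", "src_ip": "10.1.2.77", "user": "bob@corp.example"},
    {"id": "A3", "src_ip": "192.168.9.5", "user": "carol@partner.example"},
]

def extract_markers(alert):
    """Marker extraction step: map marker type -> normalized marker value."""
    markers = {}
    if "src_ip" in alert:
        markers["ip"] = ipaddress.ip_address(alert["src_ip"])
    if "user" in alert:
        markers["user"] = alert["user"].lower()
    return markers

def ip_distance(a, b):
    """First distance function (assumed): distance grows as the shared address
    prefix shrinks. Addresses in the same /24 share at least 24 bits, so their
    distance (<= 0.25) is always below that of addresses in different /24s."""
    common = 32 - (int(a) ^ int(b)).bit_length()
    return (32 - common) / 32

def user_distance(a, b):
    """Second distance function (assumed): organization = domain part of the id."""
    org_a, org_b = a.split("@")[-1], b.split("@")[-1]
    return 0.0 if org_a == org_b else 1.0

DISTANCE = {"ip": ip_distance, "user": user_distance}

def relevance(m1, m2):
    """Relevance score: number of shared markers, each discounted by its distance."""
    shared = set(m1) & set(m2)
    return sum(1.0 - DISTANCE[t](m1[t], m2[t]) for t in shared)

def correlate(alerts, threshold=1.5):
    """Operating-characteristic adjustment: alert pairs scoring at or above the
    threshold are linked so the security system can triage them as one incident."""
    markers = {a["id"]: extract_markers(a) for a in alerts}
    linked = []
    for x, y in combinations(alerts, 2):
        score = relevance(markers[x["id"]], markers[y["id"]])
        if score >= threshold:
            linked.append((x["id"], y["id"], round(score, 3)))
    return linked
```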
Specification