Automated determination of relevance of a security alert to one or more other security alerts based on shared markers

US 10,263,998 B1
Filed: 12/14/2016
Issued: 04/16/2019
Est. Priority Date: 12/14/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

obtaining a plurality of security alerts in a computer network;

processing the security alerts to extract a plurality of markers from each of the security alerts;

computing at least one relevance score relating a given one of the security alerts to another one of the security alerts based at least in part on distance measures computed between markers shared by the given security alert and the other security alert; and

adjusting at least one operating characteristic of a network security system of the computer network based at least in part on the relevance score;

wherein the distance measures comprise at least one of;

a first distance measure computed between markers comprising network addresses of user devices of the computer network, the first distance measure being computed at least in part utilizing a first distance function that measures distance between subnets of the network addresses; and

a second distance measure computed between markers comprising user identifiers of user devices of the computer network, the second distance measure being computed at least in part utilizing a second distance function that measures distance between associated organizations of the user identifiers;

wherein an instance of the first distance measure computed between two network addresses belonging to the same subnet is less than an instance of the first distance measure computed between two network addresses not belonging to the same subnet;

wherein an instance of the second distance measure computed between two user identifiers of respective users in the same organization is less than an instance of the second distance measure computed between two user identifiers of respective users in different organizations; and

wherein the method is performed by at least one processing device comprising a processor coupled to a memory.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A processing device in one embodiment comprises a processor coupled to a memory and is configured to obtain a plurality of security alerts in a computer network, to process the security alerts to extract a plurality of markers from each of the security alerts, to compute at least one relevance score relating a given one of the security alerts to another one of the security alerts based at least in part on distance measures computed between markers shared by the given security alert and the other security alert, and to adjust at least one operating characteristic of a network security system of the computer network based at least in part on the relevance score. The relevance score may be computed as a function of a number of markers shared by the given security alert and the other security alert.

Citations

20 Claims

1. A method comprising:
- obtaining a plurality of security alerts in a computer network;
  
  processing the security alerts to extract a plurality of markers from each of the security alerts;
  
  computing at least one relevance score relating a given one of the security alerts to another one of the security alerts based at least in part on distance measures computed between markers shared by the given security alert and the other security alert; and
  
  adjusting at least one operating characteristic of a network security system of the computer network based at least in part on the relevance score;
  
  wherein the distance measures comprise at least one of;
  
  a first distance measure computed between markers comprising network addresses of user devices of the computer network, the first distance measure being computed at least in part utilizing a first distance function that measures distance between subnets of the network addresses; and
  
  a second distance measure computed between markers comprising user identifiers of user devices of the computer network, the second distance measure being computed at least in part utilizing a second distance function that measures distance between associated organizations of the user identifiers;
  
  wherein an instance of the first distance measure computed between two network addresses belonging to the same subnet is less than an instance of the first distance measure computed between two network addresses not belonging to the same subnet;
  
  wherein an instance of the second distance measure computed between two user identifiers of respective users in the same organization is less than an instance of the second distance measure computed between two user identifiers of respective users in different organizations; and
  
  wherein the method is performed by at least one processing device comprising a processor coupled to a memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 wherein obtaining a plurality of security alerts in the computer network further comprises receiving at least a subset of the security alerts in the network security system from one or more user devices of the computer network.
  - 3. The method of claim 1 wherein adjusting at least one operating characteristic of the network security system further comprises altering a visualization generated by the network security system to provide an indication of a threshold level of relevance between the given security alert and the other security alert.
  - 4. The method of claim 1 wherein processing the security alerts to extract a plurality of markers from each of the security alerts further comprises:
    - identifying at least one relationship set of markers having a specified relationship for one or more events of the security alert being processed;
      
      forming a marker array comprising the relationship set of markers having the specified relationship for the one or more events; and
      
      storing the marker array for the security alert in a security alert database associated with the network security system.
  - 5. The method of claim 4 wherein the one or more events of the security alert comprise respective occurrences of at least one of an activity and a change of state relating to at least one user device of the computer network.
  - 6. The method of claim 1 wherein computing at least one relevance score relating a given one of the security alerts to another one of the security alerts further comprises:
    - generating a plurality of relevance scores each relating the given security alert to a different one of a plurality of other ones of the security alerts;
      
      wherein a first one of the relevance scores relates the given security alert to another security alert that was generated prior in time to the given security alert;
      
      wherein a second one of the relevance scores relates the given security alert to another security alert that was generated subsequent in time to the given security alert.
  - 7. The method of claim 1 wherein the markers comprise one or more of a user identifier, a source IP address, a source domain, a destination IP address and a destination domain.
  - 8. The method of claim 1 wherein computing at least one relevance score comprises computing the relevance score as a function of a number of markers shared by the given security alert and the other security alert such that the relevance score increases with an increasing number of markers shared by the given security alert and the other security alert.
  - 9. The method of claim 1 wherein computing at least one relevance score comprises computing the relevance score in accordance with the following equation:
  - 10. The method of claim 1 wherein a given one of the distance measures computed between markers shared by the given security alert and the other security alert is computed in accordance with the following equation:
    - Δ
      
      _k=ƒ
      
      _k(R₁[k],R₂[k])where Δ
      
      _kdenotes a distance measure computed as a function ƒ
      
      _kbetween corresponding k-th markers shared by the given security alert and the other security alert, and wherein R₁[k] and R₂[k] denote respective k-th markers in respective relationship sets R₁and R₂.
  - 11. The method of claim 10 wherein a given one of the distance measures computed between markers shared by the given security alert and the other security alert is computed in accordance with the following equation:
  - 12. The method of claim 1 wherein different functions are utilized to compute distance measures between markers of different types.
  - 13. The method of claim 1 wherein computing at least one relevance score relating a given one of the security alerts to another one of the security alerts further comprises:
    - implementing map-reduce processing to compute a plurality of relevance scores relating the given security alert to respective other security alerts;
      
      wherein a map function of the map-reduce processing executes on a subset of the security alerts falling within a predefined time range encompassing the given security alert and determines for each of the security alerts in the subset a corresponding maximum_match_count of markers shared with the given security alert; and
      
      wherein a reduce function of the map-reduce processing outputs respective identifiers of the security alerts of the subset in association with their respective maximum_match counts.

14. A computer program product comprising a non-transitory processor-readable storage medium having stored therein program code of one or more software programs, wherein the program code when executed by at least one processing device causes said at least one processing device:
- to obtain a plurality of security alerts in a computer network;
  
  to process the security alerts to extract a plurality of markers from each of the security alerts;
  
  to compute at least one relevance score relating a given one of the security alerts to another one of the security alerts based at least in part on distance measures computed between markers shared by the given security alert and the other security alert; and
  
  to adjust at least one operating characteristic of a network security system of the computer network based at least in part on the relevance score;
  
  wherein the distance measures comprise at least one of;
  
  a first distance measure computed between markers comprising network addresses of user devices of the computer network, the first distance measure being computed at least in part utilizing a first distance function that measures distance between subnets of the network addresses; and
  
  a second distance measure computed between markers comprising user identifiers of user devices of the computer network, the second distance measure being computed at least in part utilizing a second distance function that measures distance between associated organizations of the user identifiers;
  
  wherein an instance of the first distance measure computed between two network addresses belonging to the same subnet is less than an instance of the first distance measure computed between two network addresses not belonging to the same subnet; and
  
  wherein an instance of the second distance measure computed between two user identifiers of respective users in the same organization is less than an instance of the second distance measure computed between two user identifiers of respective users in different organizations.
- View Dependent Claims (15, 16)
- - 15. The computer program product of claim 14 wherein the program code when executed by said at least one processing device causes said at least one processing device:
    - to generate a plurality of relevance scores each relating the given security alert to a different one of a plurality of other ones of the security alerts;
      
      wherein a first one of the relevance scores relates the given security alert to another security alert that was generated prior in time to the given security alert; and
      
      wherein a second one of the relevance scores relates the given security alert to another security alert that was generated subsequent in time to the given security alert.
  - 16. The computer program product of claim 14 wherein the program code when executed by said at least one processing device causes said at least one processing device:
    - to implement map-reduce processing to compute a plurality of relevance scores relating the given security alert to respective other security alerts;
      
      wherein a map function of the map-reduce processing executes on a subset of the security alerts falling within a predefined time range encompassing the given security alert and determines for each of the security alerts in the subset a corresponding maximum_match_count of markers shared with the given security alert; and
      
      wherein a reduce function of the map-reduce processing outputs respective identifiers of the security alerts of the subset in association with their respective maximum_match counts.

17. An apparatus comprising:
- at least one processing device comprising a processor coupled to a memory;
  
  said at least one processing device being configured;
  
  to obtain a plurality of security alerts in a computer network;
  
  to process the security alerts to extract a plurality of markers from each of the security alerts;
  
  to compute at least one relevance score relating a given one of the security alerts to another one of the security alerts based at least in part on distance measures computed between markers shared by the given security alert and the other security alert; and
  
  to adjust at least one operating characteristic of a network security system of the computer network based at least in part on the relevance score;
  
  wherein the distance measures comprise at least one of;
  
  a first distance measure computed between markers comprising network addresses of user devices of the computer network, the first distance measure being computed at least in part utilizing a first distance function that measures distance between subnets of the network addresses; and
  
  a second distance measure computed between markers comprising user identifiers of user devices of the computer network, the second distance measure being computed at least in part utilizing a second distance function that measures distance between associated organizations of the user identifiers;
  
  wherein an instance of the first distance measure computed between two network addresses belonging to the same subnet is less than an instance of the first distance measure computed between two network addresses not belonging to the same subnet; and
  
  an instance of the second distance measure computed between two user identifiers of respective users in the same organization is less than an instance of the second distance measure computed between two user identifiers of respective users in different organizations.
- View Dependent Claims (18, 19, 20)
- - 18. The apparatus of claim 17 wherein said at least one processing device is further configured:
    - to generate a plurality of relevance scores each relating the given security alert to a different one of a plurality of other ones of the security alerts;
      
      wherein a first one of the relevance scores relates the given security alert to another security alert that was generated prior in time to the given security alert; and
      
      wherein a second one of the relevance scores relates the given security alert to another security alert that was generated subsequent in time to the given security alert.
  - 19. The apparatus of claim 17 wherein said at least one processing device is further configured:
    - to implement map-reduce processing to compute a plurality of relevance scores relating the given security alert to respective other security alerts;
      
      wherein a map function of the map-reduce processing executes on a subset of the security alerts falling within a predefined time range encompassing the given security alert and determines for each of the security alerts in the subset a corresponding maximum_match_count of markers shared with the given security alert; and
      
      wherein a reduce function of the map-reduce processing outputs respective identifiers of the security alerts of the subset in association with their respective maximum_match counts.
  - 20. The apparatus of claim 17 wherein different functions are utilized to compute distance measures between markers of different types.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Inventors
Bhatt, Nitin, Bruk, Vadim
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Tran, Tongoc

Application Number

US15/378,336
Time in Patent Office

853 Days
Field of Search
US Class Current
CPC Class Codes

G06N 20/00   Machine learning

G06N 7/00   Computing arrangements base...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

Automated determination of relevance of a security alert to one or more other security alerts based on shared markers

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Automated determination of relevance of a security alert to one or more other security alerts based on shared markers

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links