Systems and methods for categorizing security incidents

US 10,341,377 B1
Filed: 10/13/2016
Issued: 07/02/2019
Est. Priority Date: 10/13/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for categorizing security incidents, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

detecting, by an endpoint computing security program, a threat signature alert triggered at a client machine associated with a client;

identifying historical data that records how the client responded to previous reports of security incidents that were categorized to describe the security incidents;

assigning a category for a new security incident that corresponds to the detected threat signature alert based on an analysis of the historical data indicating that the client responded more frequently to the category than the client responded to a different category;

notifying the client, through an electronically transmitted security incident report, of both the new security incident and the category assigned to the new security incident based on the analysis of the historical data to enable the client to perform a security action to protect itself from a corresponding security threat; and

performing the security action based on the electronically transmitted security incident report, the security action comprising at least one of;

enabling one or more security settings;

applying a patch that is designed to resolve the corresponding security threat;

disabling, powering down, throttling, quarantining, sandboxing, and/ordisconnecting one or more computing resources;

updating a signature threat alert set of definitions;

orupgrading the endpoint computing security program.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed computer-implemented method for categorizing security incidents may include (i) generating, within a training dataset, a feature vector for each of a group of security incidents, the feature vector including features that describe the security incidents and the features including categories that were previously assigned to the security incidents as labels to describe the security incidents, (ii) training a supervised machine learning function on the training dataset such that the supervised machine learning function learns how to predict an assignment of future categories to future security incidents, (iii) assigning a category to a new security incident by applying the supervised machine learning function to a new feature vector that describes the new security incident, and (iv) notifying a client of the new security incident and the category assigned to the new security incident. Various other methods, systems, and computer-readable media are also disclosed.

Citations

20 Claims

1. A computer-implemented method for categorizing security incidents, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- detecting, by an endpoint computing security program, a threat signature alert triggered at a client machine associated with a client;
  
  identifying historical data that records how the client responded to previous reports of security incidents that were categorized to describe the security incidents;
  
  assigning a category for a new security incident that corresponds to the detected threat signature alert based on an analysis of the historical data indicating that the client responded more frequently to the category than the client responded to a different category;
  
  notifying the client, through an electronically transmitted security incident report, of both the new security incident and the category assigned to the new security incident based on the analysis of the historical data to enable the client to perform a security action to protect itself from a corresponding security threat; and
  
  performing the security action based on the electronically transmitted security incident report, the security action comprising at least one of;
  
  enabling one or more security settings;
  
  applying a patch that is designed to resolve the corresponding security threat;
  
  disabling, powering down, throttling, quarantining, sandboxing, and/ordisconnecting one or more computing resources;
  
  updating a signature threat alert set of definitions;
  
  orupgrading the endpoint computing security program.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, wherein assigning the category for the new security incident that corresponds to the detected threat signature alert comprises converting a category assignment from the different category to the category.
  - 3. The computer-implemented method of claim 1, wherein assigning the category is performed after determining that both the category and the different category are candidate categories for the new security incident from among a larger set of categories.
  - 4. The computer-implemented method of claim 1, further comprising:
    - assigning the different category to the new security incident in addition to assigning the category; and
      
      increasing a priority of the category over a priority of the different category in reporting the new security incident.

5. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- detect, as part of an endpoint computing security program, a threat signature alert triggered at a client machine associated with a client;
  
  identify historical data that records how the client responded to previous reports of security incidents that were categorized to describe the security incidents;
  
  assign a category for a new security incident that corresponds to the detected threat signature alert based on an analysis of the historical data indicating that the client responded more frequently to the category than the client responded to a different category;
  
  notify the client, through an electronically transmitted security incident report, of both the new security incident and the category assigned to the new security incident based on the analysis of the historical data to enable the client to perform a security action to protect itself from a corresponding security threat; and
  
  perform the security action based on the electronically transmitted security incident report, the security action comprising at least one of;
  
  enabling one or more security settings;
  
  applying a patch that is designed to resolve the corresponding security threat;
  
  disabling, powering down, throttling, quarantining, sandboxing, and/ordisconnecting one or more computing resources;
  
  updating a signature threat alert set of definitions;
  
  orupgrading the endpoint computing security program.
- View Dependent Claims (6, 7, 8, 9, 10)
- - 6. The non-transitory computer-readable medium of claim 5, wherein assigning the category for the new security incident that corresponds to the detected threat signature alert comprises converting a category assignment from the different category to the category.
  - 7. The non-transitory computer-readable medium of claim 5, wherein assigning the category is performed after determining that both the category and the different category are candidate categories for the new security incident from among a larger set of categories.
  - 8. The non-transitory computer-readable medium of claim 5, wherein the instructions further cause the computing device to:
    - assign the different category to the new security incident in addition to assigning the category; and
      
      increase a priority of the category over a priority of the different category in reporting the new security incident.
  - 9. The non-transitory computer-readable medium of claim 5, wherein identifying the historical data comprises identifying a rate, frequency, absolute number, and/or relative number indicating how the client responded to security incidents that were reported as having a specific category.
  - 10. The non-transitory computer-readable medium of claim 5, wherein assigning the category comprises selecting the category of the new security incident, based on the analysis of the historical data, in a manner that increases odds of the client actually responding to the new security incident based on a determination that the category assigned to the new security incident is a category to which the client has a relatively higher response rate.

11. A system comprising:
- a detection module, stored in memory that detects, as part of an endpoint computing security program, a threat signature alert triggered at a client machine associated with a client;
  
  an identification module, stored in memory, that identifies historical data that records how the client responded to previous reports of security incidents that were categorized to describe the security incidents;
  
  an assignment module, stored in memory, that assigns a category for a new security incident that corresponds to the detected threat signature alert based on an analysis of the historical data indicating that the client responded more frequently to the category than the client responded to a different category;
  
  a notification module, stored in memory, that;
  
  notifies the client, through an electronically transmitted security incident report, of both the new security incident and the category assigned to the new security incident based on the analysis of the historical data; and
  
  commands performance of a security action based on the electronically transmitted security incident report, the security action comprising at least one of;
  
  enabling one or more security settings;
  
  applying a patch that is designed to resolve a corresponding security threat;
  
  disabling, powering down, throttling, quarantining, sandboxing, and/ordisconnecting one or more computing resources;
  
  updating a signature threat alert set of definitions;
  
  orupgrading the endpoint computing security program; and
  
  at least one physical processor configured to execute the detection module, the identification module, the assignment module, and the notification module.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the assignment module assigns the category for the new security incident that corresponds to the detected threat signature alert at least in part by converting a category assignment from the different category to the category.
  - 13. The system of claim 11, wherein the assignment module assigns the category after determining that both the category and the different category are candidate categories for the new security incident from among a larger set of categories.
  - 14. The system of claim 11, wherein:
    - the assignment module assigns the different category to the new security incident in addition to assigning the category; and
      
      the assignment module increases a priority of the category over a priority of the different category in reporting the new security incident.
  - 15. The system of claim 11, wherein the identification module identifies a rate, frequency, absolute number, and/or relative number indicating how the client responded to security incidents that were reported as having a specific category.
  - 16. The system of claim 15, wherein the identification module derives the rate, frequency, absolute number, and/or relative number by analyzing the historical data.
  - 17. The system of claim 15, wherein the identification module retrieves the rate, frequency, absolute number, and/or relative number that was previously calculated and stored in computing memory.
  - 18. The system of claim 11, wherein the identification module computes a relative response rate, frequency, number, and/or amount by subtracting and/or dividing a response rate for one category with the response rate for another category.
  - 19. The system of claim 11, wherein the identification module compares response rates for two respective categories to derive data on which to base a decision on how to categorize the new security incident.
  - 20. The system of claim 11, wherein the assignment module selects the category of the new security incident, based on the analysis of the historical data, in a manner that increases odds of the client actually responding to the new security incident based on a determination that the category assigned to the new security incident is a category to which the client has a relatively higher response rate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Dell'Amico, Matteo, Gates, Chris, Hart, Michael, Roundy, Kevin
Primary Examiner(s)
Arani, Taghi T
Assistant Examiner(s)
Chang, Lin

Application Number

US15/292,918
Time in Patent Office

992 Days
Field of Search

726 23, 726 24, 726 25
US Class Current
CPC Class Codes

G06N 20/00   Machine learning

G06N 20/20   Ensemble learning

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

H04L 67/01   Protocols

Systems and methods for categorizing security incidents

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for categorizing security incidents

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links