Systems and methods for categorizing security incidents
Abstract
The disclosed computer-implemented method for categorizing security incidents may include (i) generating, within a training dataset, a feature vector for each of a group of security incidents, the feature vector including features that describe the security incidents and the features including categories that were previously assigned to the security incidents as labels to describe the security incidents, (ii) training a supervised machine learning function on the training dataset such that the supervised machine learning function learns how to predict an assignment of future categories to future security incidents, (iii) assigning a category to a new security incident by applying the supervised machine learning function to a new feature vector that describes the new security incident, and (iv) notifying a client of the new security incident and the category assigned to the new security incident. Various other methods, systems, and computer-readable media are also disclosed.
20 Claims
1. A computer-implemented method for categorizing security incidents, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
detecting, by an endpoint computing security program, a threat signature alert triggered at a client machine associated with a client;
identifying historical data that records how the client responded to previous reports of security incidents that were categorized to describe the security incidents;
assigning a category for a new security incident that corresponds to the detected threat signature alert based on an analysis of the historical data indicating that the client responded more frequently to the category than the client responded to a different category;
notifying the client, through an electronically transmitted security incident report, of both the new security incident and the category assigned to the new security incident based on the analysis of the historical data to enable the client to perform a security action to protect itself from a corresponding security threat; and
performing the security action based on the electronically transmitted security incident report, the security action comprising at least one of:
    enabling one or more security settings;
    applying a patch that is designed to resolve the corresponding security threat;
    disabling, powering down, throttling, quarantining, sandboxing, and/or disconnecting one or more computing resources;
    updating a signature threat alert set of definitions; or
    upgrading the endpoint computing security program.
Dependent claims: 2, 3, 4.
5. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
detect, as part of an endpoint computing security program, a threat signature alert triggered at a client machine associated with a client;
identify historical data that records how the client responded to previous reports of security incidents that were categorized to describe the security incidents;
assign a category for a new security incident that corresponds to the detected threat signature alert based on an analysis of the historical data indicating that the client responded more frequently to the category than the client responded to a different category;
notify the client, through an electronically transmitted security incident report, of both the new security incident and the category assigned to the new security incident based on the analysis of the historical data to enable the client to perform a security action to protect itself from a corresponding security threat; and
perform the security action based on the electronically transmitted security incident report, the security action comprising at least one of:
    enabling one or more security settings;
    applying a patch that is designed to resolve the corresponding security threat;
    disabling, powering down, throttling, quarantining, sandboxing, and/or disconnecting one or more computing resources;
    updating a signature threat alert set of definitions; or
    upgrading the endpoint computing security program.
Dependent claims: 6, 7, 8, 9, 10.
11. A system comprising:
a detection module, stored in memory, that detects, as part of an endpoint computing security program, a threat signature alert triggered at a client machine associated with a client;
an identification module, stored in memory, that identifies historical data that records how the client responded to previous reports of security incidents that were categorized to describe the security incidents;
an assignment module, stored in memory, that assigns a category for a new security incident that corresponds to the detected threat signature alert based on an analysis of the historical data indicating that the client responded more frequently to the category than the client responded to a different category;
a notification module, stored in memory, that:
    notifies the client, through an electronically transmitted security incident report, of both the new security incident and the category assigned to the new security incident based on the analysis of the historical data; and
    commands performance of a security action based on the electronically transmitted security incident report, the security action comprising at least one of:
        enabling one or more security settings;
        applying a patch that is designed to resolve a corresponding security threat;
        disabling, powering down, throttling, quarantining, sandboxing, and/or disconnecting one or more computing resources;
        updating a signature threat alert set of definitions; or
        upgrading the endpoint computing security program; and
at least one physical processor configured to execute the detection module, the identification module, the assignment module, and the notification module.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20.
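The categorization rule of independent claims 1, 5 and 11 (rank the candidate categories for an alert by how often this client acted on earlier reports carrying each category, label the new incident with the winner, send a report, and dispatch one of the listed security actions) is shown below as an added illustration written for this page; it is not the patent's code or the applicant's product. The history records, signature names, candidate-category table, per-category playbook and `min_history` threshold are all constructed assumptions. It keeps the raw signature in the report alongside the history-driven category, because the label produced by this rule encodes what the client tends to respond to, not what the signature detected, and an analyst needs to see both.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed history: (client, category the earlier report carried, whether
# the client acted on that report). Not real telemetry.
HISTORY = [
    ("acme", "malware", True),
    ("acme", "malware", True),
    ("acme", "malware", False),
    ("acme", "policy-violation", False),
    ("acme", "policy-violation", False),
    ("acme", "intrusion", True),
    ("globex", "malware", False),
    ("globex", "policy-violation", True),
]

# Constructed: the categories an analyst considers plausible for each
# signature, nominal category first. The history only ranks within this set.
SIGNATURE_CANDIDATES = {
    "SIG-TROJAN-DROPPER": ["malware", "intrusion"],
    "SIG-UNAUTHORIZED-USB": ["policy-violation", "malware"],
}

# Action menu taken from the claim; which action fits which category is an
# assumption made for this example.
ALLOWED_ACTIONS = {"enable_settings", "apply_patch", "quarantine",
                   "update_definitions", "upgrade_agent"}
PLAYBOOK = {
    "malware": ["quarantine", "update_definitions"],
    "intrusion": ["quarantine"],
    "policy-violation": ["enable_settings"],
}


def response_rates(history, client):
    """Per-category (responded, total) counts for one client."""
    stats = defaultdict(lambda: [0, 0])
    for who, category, responded in history:
        if who == client:
            stats[category][1] += 1
            stats[category][0] += int(responded)
    return {c: (r, t) for c, (r, t) in stats.items()}


def assign_category(history, client, signature, min_history=2):
    """Return (category, basis) for a new alert.

    Among the signature's candidate categories, pick the one this client has
    responded to most often. A candidate is ranked on history only if the
    client has seen at least `min_history` reports in it; with no qualifying
    candidate the nominal category is used, so thin history cannot swing the
    label on a single prior report."""
    candidates = SIGNATURE_CANDIDATES[signature]
    rates = response_rates(history, client)
    ranked = []
    for c in candidates:
        responded, total = rates.get(c, (0, 0))
        if total >= min_history:
            ranked.append((responded / total, c))
    if not ranked:
        return candidates[0], "no-history"
    # Highest response rate wins; ties fall back to candidate order.
    ranked.sort(key=lambda rc: (-rc[0], candidates.index(rc[1])))
    return ranked[0][1], "history"


@dataclass
class IncidentReport:
    client: str
    signature: str          # always carried, so the raw detection stays visible
    category: str           # the history-driven label
    basis: str              # "history" or "no-history"
    actions: list = field(default_factory=list)


def build_report(history, client, signature):
    category, basis = assign_category(history, client, signature)
    actions = [a for a in PLAYBOOK[category] if a in ALLOWED_ACTIONS]
    return IncidentReport(client, signature, category, basis, actions)


def perform_actions(report, executor):
    """Run each action through `executor` (action name -> callable) and
    refuse anything outside the claim's menu, so a tampered or malformed
    report cannot smuggle in an arbitrary command."""
    done = []
    for action in report.actions:
        if action not in ALLOWED_ACTIONS or action not in executor:
            raise ValueError(f"refusing unsupported action {action!r}")
        executor[action](report)
        done.append(action)
    return done


if __name__ == "__main__":
    log = []
    executor = {a: (lambda r, a=a: log.append((a, r.client))) for a in ALLOWED_ACTIONS}
    for client, sig in [("acme", "SIG-TROJAN-DROPPER"),
                        ("acme", "SIG-UNAUTHORIZED-USB"),
                        ("globex", "SIG-TROJAN-DROPPER")]:
        rep = build_report(HISTORY, client, sig)
        print(f"{client}: {sig} -> {rep.category} ({rep.basis})",
              perform_actions(rep, executor))
```

With the constructed history, "acme" has acted on two of three malware reports and on neither policy-violation report, so the USB-policy signature is relabelled "malware" for that client; that is exactly the behaviour the claim describes, and also the reason the signature is kept in the report. The `min_history` guard and the closed action menu are practitioner additions, not claim elements: the first stops one prior report from deciding the label, the second makes the report a selector over pre-approved actions rather than an instruction stream.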