Systems and methods for personalizing security incident reports

US 10,542,017 B1
Filed: 10/13/2016
Issued: 01/21/2020
Est. Priority Date: 10/13/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for personalizing security incident reports, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

generating, within a training dataset, a feature vector for each of a group of security incidents, the feature vector including features that describe the security incidents and the features including response codes that a set of clients assigned to the security incidents as labels;

training a supervised machine learning function on the training dataset using the response codes that the set of clients assigned to the security incidents such that the supervised machine learning function learns how to predict an assignment of future response codes to future security incidents;

applying the trained supervised machine learning function to a feature vector that describes a new security incident, as one of the future security incidents, on the set of clients to predict that the set of clients will ignore the new security incident; and

personalizing a list of security incidents that is electronically reported to the set of clients by deprioritizing the new security incident based on applying the trained supervised machine learning function to the feature vector that describes the new security incident.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed computer-implemented method for personalizing security incident reports may include (i) generating, within a training dataset, a feature vector for each of a group of security incidents, the feature vector including features that describe the security incidents and the features including response codes that a set of clients previously assigned to the security incidents as labels, (ii) training a supervised machine learning function on the training dataset using the response codes that the set of clients previously assigned to the security incidents, (iii) applying the supervised machine learning function to a feature vector that describes a new security incident on the set of clients to predict that the set of clients will ignore the new security incident, and (iv) personalizing a list of security incidents that is electronically reported to the set of clients by deprioritizing the new security incident. Other methods, systems, and computer-readable media are also disclosed.

Citations

20 Claims

1. A computer-implemented method for personalizing security incident reports, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- generating, within a training dataset, a feature vector for each of a group of security incidents, the feature vector including features that describe the security incidents and the features including response codes that a set of clients assigned to the security incidents as labels;
  
  training a supervised machine learning function on the training dataset using the response codes that the set of clients assigned to the security incidents such that the supervised machine learning function learns how to predict an assignment of future response codes to future security incidents;
  
  applying the trained supervised machine learning function to a feature vector that describes a new security incident, as one of the future security incidents, on the set of clients to predict that the set of clients will ignore the new security incident; and
  
  personalizing a list of security incidents that is electronically reported to the set of clients by deprioritizing the new security incident based on applying the trained supervised machine learning function to the feature vector that describes the new security incident.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-implemented method of claim 1, wherein the feature vector for each of the security incidents specifies at least two of:
    - a company where the respective security incident occurred;
      
      at least one signature detection that triggered in correspondence to the respective security incident; and
      
      a severity code for the respective security incident.
  - 3. The computer-implemented method of claim 1, wherein the feature vector for each of the security incidents specifies at least one of:
    - timing information indicating a timing of the respective security incident; and
      
      at least one of source and destination information for a corresponding security threat.
  - 4. The computer-implemented method of claim 1, wherein the response codes that the set of clients assigned to the security incidents as labels specify at least two of:
    - no action;
      
      resolved;
      
      false positive;
      
      defer; and
      
      untouched.
  - 5. The computer-implemented method of claim 1, wherein:
    - the response codes were assigned to the security incidents within the training dataset by one client within the set of clients; and
      
      the new security incident occurred on a different client within the set of clients and the list of security incidents is electronically reported to the different client.
  - 6. The computer-implemented method of claim 1, wherein:
    - the response codes were assigned to the security incidents within the training dataset by one client within the set of clients; and
      
      the new security incident occurred on the same client within the set of clients and the personalized list of security incidents is electronically reported to the same client.
  - 7. The computer-implemented method of claim 1, wherein deprioritizing the new security incident comprises omitting the new security incident from the list of security incidents that is electronically reported to the set of clients.
  - 8. The computer-implemented method of claim 1, wherein training the supervised machine learning function on the training dataset using the response codes that the set of clients assigned to the security incidents comprises performing a grid search to ascertain numerical weights that minimize false negatives.
  - 9. The computer-implemented method of claim 1, wherein training a supervised machine learning function on the training dataset using the response codes that the set of clients assigned to the security incidents comprises performing a stochastic gradient descent.
  - 10. The computer-implemented method of claim 1, further comprising automatically performing a security action to protect the set of clients based on applying the supervised machine learning function to the feature vector that describes the new security incident.

11. A system for personalizing security incident reports, the system comprising:
- a generation module, stored in memory, that generates, within a training dataset, a feature vector for each of a group of security incidents, the feature vector including features that describe the security incidents and the features including response codes that a set of clients assigned to the security incidents as labels;
  
  a training module, stored in memory, that trains a supervised machine learning function on the training dataset using the response codes that the set of clients assigned to the security incidents such that the supervised machine learning function learns how to predict an assignment of future response codes to future security incidents;
  
  an application module, stored in memory, that applies the trained supervised machine learning function to a feature vector that describes a new security incident, as one of the future security incidents, on the set of clients to predict that the set of clients will ignore the new security incident;
  
  a personalizing module, stored in memory, that personalizes a list of security incidents that is electronically reported to the set of clients by deprioritizing the new security incident based on applying the trained supervised machine learning function to the new security incident; and
  
  at least one physical processor configured to execute the generation module, the training module, the application module, and the personalizing module.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The system of claim 11, wherein the feature vector for each of the security incidents specifies at least two of:
    - a company where the respective security incident occurred;
      
      at least one signature detection that triggered in correspondence to the respective security incident; and
      
      a severity code for the respective security incident.
  - 13. The system of claim 11, wherein the feature vector for each of the security incidents specifies at least one of:
    - timing information indicating a timing of the respective security incident; and
      
      at least one of source and destination information for a corresponding security threat.
  - 14. The system of claim 11, wherein the response codes that the set of clients assigned to the security incidents as labels specify at least two of:
    - no action;
      
      resolved;
      
      false positive;
      
      defer; and
      
      untouched.
  - 15. The system of claim 11, wherein:
    - the response codes were assigned to the security incidents within the training dataset by one client within the set of clients; and
      
      the new security incident occurred on a different client within the set of clients and the personalizing module is configured such that the list of security incidents is electronically reported to the different client.
  - 16. The system of claim 11, wherein:
    - the response codes were assigned to the security incidents within the training dataset by one client within the set of clients; and
      
      the new security incident occurred on the same client within the set of clients and the personalizing module is configured such that the personalized list of security incidents is electronically reported to the same client.
  - 17. The system of claim 11, wherein the personalizing module deprioritizes the new security incident by omitting the new security incident from the list of security incidents that is electronically reported to the set of clients.
  - 18. The system of claim 11, wherein the training module trains the supervised machine learning function on the training dataset using the response codes that the set of clients assigned to the security incidents by performing a grid search to ascertain numerical weights that minimize false negatives.
  - 19. The system of claim 11, wherein the training module trains a supervised machine learning function on the training dataset using the response codes that the set of clients assigned to the security incidents by performing a stochastic gradient descent.

20. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- generate, within a training dataset, a feature vector for each of a group of security incidents, the feature vector including features that describe the security incidents and the features including response codes that a set of clients assigned to the security incidents as labels;
  
  train a supervised machine learning function on the training dataset using the response codes that the set of clients assigned to the security incidents such that the supervised machine learning function learns how to predict an assignment of future response codes to future security incidents;
  
  apply the trained supervised machine learning function to a feature vector that describes a new security incident, as one of the future security incidents, on the set of clients to predict that the set of clients will ignore the new security incident; and
  
  personalize a list of security incidents that is electronically reported to the set of clients by deprioritizing the new security incident based on applying the trained supervised machine learning function to the feature vector that describes the new security incident.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Gates, Chris, Hart, Michael, Roundy, Kevin
Primary Examiner(s)
Lwin, Maung T
Assistant Examiner(s)
Bucknor, Olanrewaju J.

Application Number

US15/292,874
Time in Patent Office

1,195 Days
Field of Search

None
US Class Current
CPC Class Codes

G06N 20/00   Machine learning

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 67/01   Protocols

Systems and methods for personalizing security incident reports

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for personalizing security incident reports

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links