Autonomic incident triage prioritization by performance modifier and temporal decay parameters

US 10,609,045 B2
Filed: 06/29/2017
Issued: 03/31/2020
Est. Priority Date: 06/29/2017
Status: Active Grant

First Claim

Patent Images

1. A method for autonomic incident triage prioritization of incidents affecting a plurality of computer systems, the method performed by a computing module comprising:

receiving user defined parameters associated with each of the computer systems and receiving asset parameters associated with each asset contained within each of the computer systems;

receiving incidents affecting assets of the computer systems;

computing an incident asset score for each incident whereby the incident asset score for each incident is computed using the asset parameters associated with each asset contained within each computer system;

assigning incident severity values to each of the received incidents;

computing incident severity scores for each of the received incidents based on the incident severity value of the incident and the incident asset score of the incident;

generating a prioritized incident list based on the incident severity scores of the received incidents;

providing the prioritized incident list to security analysts;

retrieving, for each incident, identities of assets affected by the incident, wherein for each asset affected by the incident, retrieving identities of all the assets contained in a computer system related to the affected asset;

retrieving severity weightage values accorded to all the retrieved identities of assets wherein the severity weightage values are contained within the received asset parameters; and

computing the incident asset score for each incident by summing severity weightage values of assets contained in a computer system affected by the incident, summing the severity weightage values of all the assets in the computer system, and dividing the summed severity weightage values of assets contained in the computer system affected by the incident with the summed severity weightage values of all the assets in the computer system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This invention relates to a system and method for prioritizing an incident triage process in an autonomic manner. In particular, the system employs performance modifier indicators and temporal decay parameters to autonomously compile, adjust and demonstrate a list of prioritized incidents in a dynamic manner.

37 Citations

20 Claims

1. A method for autonomic incident triage prioritization of incidents affecting a plurality of computer systems, the method performed by a computing module comprising:
- receiving user defined parameters associated with each of the computer systems and receiving asset parameters associated with each asset contained within each of the computer systems;
  
  receiving incidents affecting assets of the computer systems;
  
  computing an incident asset score for each incident whereby the incident asset score for each incident is computed using the asset parameters associated with each asset contained within each computer system;
  
  assigning incident severity values to each of the received incidents;
  
  computing incident severity scores for each of the received incidents based on the incident severity value of the incident and the incident asset score of the incident;
  
  generating a prioritized incident list based on the incident severity scores of the received incidents;
  
  providing the prioritized incident list to security analysts;
  
  retrieving, for each incident, identities of assets affected by the incident, wherein for each asset affected by the incident, retrieving identities of all the assets contained in a computer system related to the affected asset;
  
  retrieving severity weightage values accorded to all the retrieved identities of assets wherein the severity weightage values are contained within the received asset parameters; and
  
  computing the incident asset score for each incident by summing severity weightage values of assets contained in a computer system affected by the incident, summing the severity weightage values of all the assets in the computer system, and dividing the summed severity weightage values of assets contained in the computer system affected by the incident with the summed severity weightage values of all the assets in the computer system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 17, 18, 19)
- - 2. The method according to claim 1 wherein the assigning the incident severity values to each of the received incidents comprises:
    - identifying normalized incidents from the received incidents and allocating predetermined incident severity values to normalized incidents;
      
      identifying un-normalized incidents and determining, using a machine learning model, if the un-normalized incidents may be matched to normalized incidents;
      
      wherebyfor each un-normalized incident that matches a normalized incident, allocating the incident severity value of the normalized incident to the un-normalized incident;
      
      for each un-normalized incident that does not match a normalized incident, allocating a predetermined high incident severity value to the un-normalized incident whereby the high incident severity value comprises a value that is within an upper range of the predetermined incident severity values for normalized incidents.
  - 3. The method according to claim 1 wherein the assigning the incident severity values to each of the received incidents comprises:
    - identifying normalized incidents from the received incidents and allocating predetermined incident severity values to normalized incidents;
      
      identifying un-normalized incidents and determining, using a machine learning model, if the un-normalized incidents may be a close match to normalized incidents;
      
      wherebyfor each un-normalized incident that is a close match of a normalized incident, allocating a prorated incident severity value of the normalized incident to the un-normalized incident based on the percentage of the match between the un-normalized incident and the close matched normalized incident;
      
      for each un-normalized incident that does not match a normalized incident, allocating a predetermined high incident severity value to the un-normalized incident whereby the high incident severity value comprises a value that is within an upper range of the predetermined incident severity values for normalized incidents.
  - 4. The method according to claim 1 wherein the user defined parameters comprises service level values associated with each of the computer systems and whereby the computing the incident severity scores for each of the received incidents based on the incident severity value of the incident and the incident asset score of the incident comprises:
    - applying the service level values associated with each computer system to incident severity scores of incidents that affect assets of the computer system.
  - 5. The method according to claim 1 wherein the computing the incident severity scores for each of the received incidents based on the incident severity value of the incident and the incident asset score of the incident comprises:
    - plotting a normalized plot using the incident severity scores of the received incidents;
      
      determining outlier incidents using the normalized plot; and
      
      applying a positive reputation coefficient to the incident severity scores of the outlier incidents, whereby the positive reputation coefficient causes incident severity scores of the outlier incidents to increase.
  - 6. The method according to claim 5 further comprising:
    - determining from the normalized plot commonly occurring incidents; and
      
      applying a negative reputation coefficient to the incident severity scores of the commonly occurring incidents whereby the negative reputation coefficient causes incident severity scores of the commonly occurring incidents to decrease.
  - 7. The method according to claim 1 wherein the user defined parameters comprises base response time parameters that are associated with each of the computer systems, the method further comprising:
    - computing an incident response time for each of the received incidents based on the base response time parameter of the computer system associated with each incident and the incident severity score of each received incident, the incident response time being determined as;
      
      Incident Response Time=Base Response time×
      
      2^{(α
      
      -Incident Severity Score)}where α
      
      is a constant having a value equivalent to a largest computed incident severity score for received incidents.
  - 8. The method according to claim 7 further comprising:
    - receiving elapsed time for the received incidents from the security analysts;
      
      determining, for each received incident, if the elapsed time of the incident exceeds the incident response time of the incident;
      
      tagging incidents having elapsed time that exceeds the incident response time of the incident with an expired flag; and
      
      optimizing the predetermined incident severity values of normalized incidents tagged with expired flags.
  - 9. The method according to claim 8 wherein the optimizing the predetermined incident severity values of normalized incidents tagged with expired flags comprises:
    - applying a positive reputation coefficient to the incident severity value of incidents tagged with the expired flag to cause these incident severity values to increase.
  - 10. The method according to claim 1 further comprising:
    - receiving an unresolved incident list from the intelligence analysts wherein the unresolved incident list comprises incidents that remain unresolved;
      
      notifying a system administrator of the unresolved incidents in the unresolved incident list; and
      
      removing the unresolved incidents from the computing module.
  - 17. The system according to claim 10 wherein the user defined parameters comprises base response time parameters that are associated with each of the computer systems, the method further comprising:
    - instructions for directing the processing unit to;
      
      compute an incident response time for each of the received incidents based on the base response time parameter of the computer system associated with each incident and the incident severity score of each received incident, the incident response time being determined as;
      
      Incident Response Time=Base Response time×
      
      2^{(α
      
      -Incident Severity Score)}where α
      
      is a constant having a value equivalent to a largest computed incident severity score for received incidents.
  - 18. The system according to claim 17 further comprising:
    - instructions for directing the processing unit to;
      
      receive elapsed time for the received incidents from the security analysts;
      
      determine, for each received incident, if the elapsed time of the incident exceeds the incident response time of the incident;
      
      tag incidents having elapsed time that exceeds the incident response time of the incident with an expired flag; and
      
      optimize the predetermined incident severity values of normalized incidents tagged with expired flags.
  - 19. The system according to claim 18 wherein the instructions to optimize the predetermined incident severity values of normalized incidents tagged with expired flags comprises:
    - instructions for directing the processing unit to;
      
      apply a positive reputation coefficient to the incident severity value of incidents tagged with the expired flag to cause these incident severity values to increase.

11. A system for autonomic incident triage prioritization of incidents affecting a plurality of computer systems, the system comprising:
- a processing unit; and
  
  a non-transitory media readable by the processing unit, the media storing instructions that when executed by the processing unit, cause the processing unit to;
  
  receive user defined parameters associated with each of the computer systems and receiving asset parameters associated with each asset contained within each of the computer systems;
  
  receive incidents affecting assets of the computer systems;
  
  compute an incident asset score for each incident whereby the incident asset score for each incident is computed using the asset parameters associated with each asset contained within each computer system;
  
  assign incident severity values to each of the received incidents;
  
  compute incident severity scores for each of the received incidents based on the incident severity value of the incident and the incident asset score of the incident;
  
  generate a prioritized incident list based on the incident severity scores of the received incidents;
  
  provide the prioritized incident list to security analysts;
  
  instructions for directing the processing unit to;
  
  retrieve, for each incident, identities of assets affected by the incident, wherein for each asset affected by the incident, retrieving identities of all the assets contained in a computer system related to the affected asset;
  
  retrieve severity weightage values accorded to all the retrieved identities of assets wherein the severity weightage values are contained within the received asset parameters;
  
  compute the incident asset score for each incident by summing severity weightage values of assets contained in a computer system affected by the incident, summing the severity weightage values of all the assets in the computer system, and divide the summed severity weightage values of assets contained in the computer system affected by the incident with the summed severity weightage values of all the assets in the computer system.
- View Dependent Claims (12, 13, 14, 15, 16, 20)
- - 12. The system according to claim 11 wherein the instructions to assign the incident severity values to each of the received incidents comprises:
    - instructions for directing the processing unit to;
      
      identify normalized incidents from the received incidents and allocating predetermined incident severity values to normalized incidents;
      
      identify un-normalized incidents and determining, using a machine learning model, if the un-normalized incidents may be matched to normalized incidents;
      
      wherebyfor each un-normalized incident that matches a normalized incident, allocating the incident severity value of the normalized incident to the un-normalized incident;
      
      for each un-normalized incident that does not match a normalized incident, allocating a predetermined high incident severity value to the un-normalized incident whereby the high incident severity value comprises a value that is within an upper range of the predetermined incident severity values for normalized incidents.
  - 13. The system according to claim 11 wherein the instructions to assign the incident severity values to each of the received incidents comprises:
    - instructions for directing the processing unit to;
      
      identify normalized incidents from the received incidents and allocating predetermined incident severity values to normalized incidents;
      
      identify un-normalized incidents and determining, using a machine learning model, if the un-normalized incidents may be a close match to normalized incidents;
      
      wherebyfor each un-normalized incident that is a close match of a normalized incident, allocating a prorated incident severity value of the normalized incident to the un-normalized incident based on the percentage of the match between the un-normalized incident and the close matched normalized incident;
      
      for each un-normalized incident that does not match a normalized incident, allocating a predetermined high incident severity value to the un-normalized incident whereby the high incident severity value comprises a value that is within an upper range of the predetermined incident severity values for normalized incidents.
  - 14. The system according to claim 11 wherein the user defined parameters comprises service level values associated with each of the computer systems and whereby the instructions to compute the incident severity scores for each of the received incidents based on the incident severity value of the incident and the incident asset score of the incident comprises:
    - instructions for directing the processing unit to;
      
      apply the service level values associated with each computer system to incident severity scores of incidents that affect assets of the computer system.
  - 15. The system according to claim 11 wherein the instructions to compute the incident severity scores for each of the received incidents based on the incident severity value of the incident and the incident asset score of the incident comprises:
    - instructions for directing the processing unit to;
      
      plot a normalized plot using the incident severity scores of the received incidents;
      
      determine outlier incidents using the normalized plot; and
      
      apply a positive reputation coefficient to the incident severity scores of the outlier incidents, whereby the positive reputation coefficient causes incident severity scores of the outlier incidents to increase.
  - 16. The system according to claim 15 further comprising:
    - instructions for directing the processing unit to;
      
      determine from the normalized plot commonly occurring incidents; and
      
      apply a negative reputation coefficient to the incident severity scores of the commonly occurring incidents whereby the negative reputation coefficient causes incident severity scores of the commonly occurring incidents to decrease.
  - 20. The system according to claim 11 further comprising:
    - instructions for directing the processing unit to;
      
      receive an unresolved incident list from the intelligence analysts wherein the unresolved incident list comprises incidents that remain unresolved;
      
      notify a system administrator of the unresolved incidents in the unresolved incident list; and
      
      remove the unresolved incidents from the computing module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Certis Cisco Security Pte Limited (Temasek Holdings Pte Ltd. (Investment Management))
Original Assignee
Certis Cisco Security Pte Limited (Temasek Holdings Pte Ltd. (Investment Management))
Inventors
Lim, Keng Leng Albert
Primary Examiner(s)
Zarrineh, Shahriar

Application Number

US15/741,182
Publication Number

US 20190098025A1
Time in Patent Office

1,006 Days
Field of Search

726 22
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06N 20/00   Machine learning

H04L 41/0609   based on severity or priority

H04L 41/0613   based on the type or catego...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Autonomic incident triage prioritization by performance modifier and temporal decay parameters

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

37 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Autonomic incident triage prioritization by performance modifier and temporal decay parameters

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links