Feedback-based prioritized cognitive analysis

US 10,681,061 B2
Filed: 06/14/2017
Issued: 06/09/2020
Est. Priority Date: 06/14/2017
Status: Active Grant

First Claim

Patent Images

1. A method for processing security event data in association with a cybersecurity knowledge graph having nodes and edges, comprising:

receiving from a security system information representing an offense;

building an offense context graph based in part on context data extracted about the offense;

prioritizing for traversal given nodes and edges of the knowledge graph based on an encoding, the encoding being captured from a workflow; and

refining the offense context graph by traversing the nodes and edges of the knowledge graph according to a prioritization tailored at least in part by the encoding.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An automated method for processing security event data in association with a cybersecurity knowledge graph having nodes and edges. It begins by receiving from a security system (e.g., a SIEM) information representing an offense. An offense context graph is built. Thereafter, and to enhance the offense context graph, given nodes and edges of the knowledge graph are prioritized for traversal based on an encoding captured from a security analyst workflow. This prioritization is defined in a set of weights associated to the graph nodes and edges, and these weights may be derived using machine learning. The offense context graph is then refined by traversing the nodes and edges of the knowledge graph according to a prioritization tailored at least in part by the encoding. In addition to using security analyst workflow to augment generation of weights, preferably the machine learning system provides recommendations back to the security analysts to thereby influence their workflow.

Citations

22 Claims

1. A method for processing security event data in association with a cybersecurity knowledge graph having nodes and edges, comprising:
- receiving from a security system information representing an offense;
  
  building an offense context graph based in part on context data extracted about the offense;
  
  prioritizing for traversal given nodes and edges of the knowledge graph based on an encoding, the encoding being captured from a workflow; and
  
  refining the offense context graph by traversing the nodes and edges of the knowledge graph according to a prioritization tailored at least in part by the encoding.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as described in claim 1 wherein the workflow represents a set of domain knowledge captured from an interactive human-driven investigation of the offense context graph by a security analyst.
  - 3. The method as described in claim 2 further including:
    - identifying a set of knowledge graph investigation paths; and
      
      providing the security analyst, as a recommendation, the set of knowledge graph investigation paths.
  - 4. The method as described in claim 3 wherein the workflow is further based at least in part on information received as a result of the security analyst investigating the set of knowledge graph investigation paths.
  - 5. The method as described in claim 1 wherein the given nodes and edges of the knowledge graph are prioritized for traversal using machine learning.
  - 6. The method as described in claim 5 wherein the prioritization of the nodes and edges in the knowledge graph are represented by a set of weights.
  - 7. The method as described in claim 1 wherein the encoding is continuously updated.

8. An apparatus for processing security event data in association with a cybersecurity knowledge graph having nodes and edges, comprising:
- a processor;
  
  computer memory holding computer program instructions executed by the processor, the computer program instructions operative to;
  
  receive from a security system information representing an offense;
  
  build an offense context graph based in part on context data extracted about the offense;
  
  prioritize for traversal given nodes and edges of the knowledge graph based on an encoding, the encoding being captured from a workflow; and
  
  refine the offense context graph by traversing the nodes and edges of the knowledge graph according to a prioritization tailored at least in part by the encoding.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus as described in claim 8 wherein the workflow represents a set of domain knowledge captured from an interactive human-driven investigation of the offense context graph a security analyst.
  - 10. The apparatus as described in claim 9 wherein the computer program instructions are further operative to:
    - identify a set of knowledge graph investigation paths; and
      
      provide the security analyst, as a recommendation, the set of knowledge graph investigation paths.
  - 11. The apparatus as described in claim 10 wherein the workflow is further based at least in part on information received as a result of the security analyst investigating the set of knowledge graph investigation paths.
  - 12. The apparatus as described in claim 8 wherein the computer program instructions to prioritize given nodes and edges of the knowledge graph implement a machine learning algorithm.
  - 13. The apparatus as described in claim 12 wherein the prioritization of the nodes and edges in the knowledge graph is represented by a set of weights.
  - 14. The apparatus as described in claim 8 wherein the computer program instructions continuously update the encoding.

15. A computer program product in a non-transitory computer readable medium for use in a data processing system for processing security event data in association with a cybersecurity knowledge graph having nodes and edges, the computer program product holding computer program instructions that, when executed by the data processing system, are operative to:
- receive from a security system information representing an offense;
  
  build an offense context graph based in part on context data extracted about the offense;
  
  prioritize for traversal given nodes and edges of the knowledge graph based on an encoding, the encoding being captured from a workflow; and
  
  refine the offense context graph by traversing the nodes and edges of the knowledge graph according to a prioritization tailored at least in part by the encoding.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer program product as described in claim 15 wherein the workflow represents a set of domain knowledge captured from an interactive human-driven investigation of the offense context graph a security analyst.
  - 17. The computer program product as described in claim 16 wherein the computer program instructions are further operative to:
    - identify a set of knowledge graph investigation paths; and
      
      provide the security analyst, as a recommendation, the set of knowledge graph investigation paths.
  - 18. The computer program product as described in claim 17 wherein the workflow is further based at least in part on information received as a result of the security analyst investigating the set of knowledge graph investigation paths.
  - 19. The computer program product as described in claim 15 wherein the computer program instructions to prioritize given nodes and edges of the knowledge graph implement a machine learning algorithm.
  - 20. The computer program product as described in claim 19 wherein the prioritization of the nodes and edges in the knowledge graph is represented by a set of weights.
  - 21. The computer program product as described in claim 15 wherein the computer program instructions continuously update the encoding.

22. A cybersecurity analytics platform, comprising:
- one or more hardware processors;
  
  a data store holding a knowledge graph representing cybersecurity threat intelligence knowledge; and
  
  computer memory storing computer program instructions configured at least in part to;
  
  capture sets of actions of one or more security analysts as respective threats to a computer network are analyzed by the one or more security analyst;
  
  encode the sets of actions into one more sets of machine-readable domain knowledge;
  
  use the encoded actions to weight, based at least in part on machine learning, respective nodes and edges of the knowledge graph;
  
  generate, based on an automated analysis of an offense context graph, a set of knowledge graph investigation paths; and
  
  provide to the one or more security analysts the set of knowledge graph investigation paths, the set of knowledge graph investigative paths informing at least one set of actions captured; and
  
  augmenting the offense context graph based at least in part on information received by traversing the knowledge graph according to the weight.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Jang, Jiyong, Kirat, Dhilung Hang, Stoecklin, Marc Philippe
Primary Examiner(s)
Revak, Christopher A

Application Number

US15/623,062
Publication Number

US 20180367549A1
Time in Patent Office

1,091 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 16/9024   Graphs; Linked lists G06F16...

G06N 20/00   Machine learning

G06N 5/01   Dynamic search techniques; ...

G06N 5/022   Knowledge engineering; Know...

G06N 5/04   Inference or reasoning models

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

Feedback-based prioritized cognitive analysis

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Feedback-based prioritized cognitive analysis

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links