Feedback-based prioritized cognitive analysis
First Claim
1. A method for processing security event data in association with a cybersecurity knowledge graph having nodes and edges, comprising:
receiving from a security system information representing an offense;
building an offense context graph based in part on context data extracted about the offense;
prioritizing for traversal given nodes and edges of the knowledge graph based on an encoding, the encoding being captured from a workflow; and
refining the offense context graph by traversing the nodes and edges of the knowledge graph according to a prioritization tailored at least in part by the encoding.
Abstract
An automated method for processing security event data in association with a cybersecurity knowledge graph having nodes and edges. It begins by receiving from a security system (e.g., a SIEM) information representing an offense. An offense context graph is built from that information. Thereafter, and to enhance the offense context graph, given nodes and edges of the knowledge graph are prioritized for traversal based on an encoding captured from a security analyst workflow. This prioritization is defined by a set of weights associated with the graph nodes and edges, and these weights may be derived using machine learning. The offense context graph is then refined by traversing the nodes and edges of the knowledge graph according to a prioritization tailored at least in part by the encoding. In addition to using the security analyst workflow to drive weight generation, the machine learning system preferably provides recommendations back to the security analysts, thereby influencing their subsequent workflow.
22 Claims
1. A method for processing security event data in association with a cybersecurity knowledge graph having nodes and edges, comprising:
receiving from a security system information representing an offense;
building an offense context graph based in part on context data extracted about the offense;
prioritizing for traversal given nodes and edges of the knowledge graph based on an encoding, the encoding being captured from a workflow; and
refining the offense context graph by traversing the nodes and edges of the knowledge graph according to a prioritization tailored at least in part by the encoding.
(Dependent claims: 2, 3, 4, 5, 6, 7)
8. An apparatus for processing security event data in association with a cybersecurity knowledge graph having nodes and edges, comprising:
a processor;
computer memory holding computer program instructions executed by the processor, the computer program instructions operative to:
receive from a security system information representing an offense;
build an offense context graph based in part on context data extracted about the offense;
prioritize for traversal given nodes and edges of the knowledge graph based on an encoding, the encoding being captured from a workflow; and
refine the offense context graph by traversing the nodes and edges of the knowledge graph according to a prioritization tailored at least in part by the encoding.
(Dependent claims: 9, 10, 11, 12, 13, 14)
15. A computer program product in a non-transitory computer readable medium for use in a data processing system for processing security event data in association with a cybersecurity knowledge graph having nodes and edges, the computer program product holding computer program instructions that, when executed by the data processing system, are operative to:
receive from a security system information representing an offense;
build an offense context graph based in part on context data extracted about the offense;
prioritize for traversal given nodes and edges of the knowledge graph based on an encoding, the encoding being captured from a workflow; and
refine the offense context graph by traversing the nodes and edges of the knowledge graph according to a prioritization tailored at least in part by the encoding.
(Dependent claims: 16, 17, 18, 19, 20, 21)
22. A cybersecurity analytics platform, comprising:
one or more hardware processors;
a data store holding a knowledge graph representing cybersecurity threat intelligence knowledge; and
computer memory storing computer program instructions configured at least in part to:
capture sets of actions of one or more security analysts as respective threats to a computer network are analyzed by the one or more security analysts;
encode the sets of actions into one or more sets of machine-readable domain knowledge;
use the encoded actions to weight, based at least in part on machine learning, respective nodes and edges of the knowledge graph;
generate, based on an automated analysis of an offense context graph, a set of knowledge graph investigation paths;
provide to the one or more security analysts the set of knowledge graph investigation paths, the set of knowledge graph investigation paths informing at least one set of actions captured; and
augment the offense context graph based at least in part on information received by traversing the knowledge graph according to the weights.
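The abstract and claim 22 describe one loop: analyst actions are captured and encoded as weights on knowledge graph edges, an offense context graph is refined by a traversal that follows the heaviest edges first, the resulting investigation paths are handed back to the analysts, and an accepted path feeds into the next encoding. The following is an added illustration of that loop, not code from the patent or its assignee. The knowledge graph, the offense record, the analyst workflows and the node names in it are all constructed for the example, and it substitutes a plain edge-type frequency for the learned weights the abstract attributes to machine learning.

```python
"""Weight-prioritized knowledge-graph traversal with an analyst feedback loop.

Constructed illustration of the method in the abstract and claim 22; the
knowledge graph, offense record and analyst workflows below are hypothetical.
"""
import heapq
from collections import Counter, defaultdict

# Constructed knowledge graph: node -> list of (edge_type, neighbour).
KNOWLEDGE_GRAPH = {
    "ip:203.0.113.10": [("resolves_to", "domain:evil.example"),
                        ("seen_in", "campaign:C1")],
    "domain:evil.example": [("hosts", "malware:Loader.A"),
                            ("registered_by", "registrar:R1")],
    "malware:Loader.A": [("uses", "technique:T1059"),
                         ("drops", "file:sha256:abc")],
    "campaign:C1": [("attributed_to", "actor:APT-X"),
                    ("uses", "technique:T1059")],
    "registrar:R1": [("registered", "domain:other.example")],
    "technique:T1059": [("mitigated_by", "control:script-block-logging")],
}

# Constructed offense as a SIEM would hand it over: the observables it names.
OFFENSE = {"id": 4711, "observables": ["ip:203.0.113.10"]}

# Constructed analyst workflows: edge types followed in past investigations.
ANALYST_WORKFLOWS = [
    ["resolves_to", "hosts", "uses"],
    ["resolves_to", "hosts", "drops"],
    ["seen_in", "attributed_to"],
]

UNSEEN_WEIGHT = 0.05  # floor so edge types analysts never followed stay reachable


def encode_workflow(workflows):
    """Encode captured analyst actions as one weight per edge type.

    The weight is the relative frequency with which analysts followed that
    edge type; this frequency estimate stands in for learned weights.
    """
    counts = Counter(step for wf in workflows for step in wf)
    total = sum(counts.values())
    return defaultdict(lambda: UNSEEN_WEIGHT,
                       {etype: n / total for etype, n in counts.items()})


def build_offense_context_graph(offense):
    """Initial context graph: only the observables named in the offense."""
    return {"nodes": set(offense["observables"]), "edges": set()}


def refine_offense_context_graph(context, kg, weights, budget):
    """Best-first traversal of kg guided by the workflow encoding.

    Frontier edges are ranked by path score = product of edge weights from
    the offense observable, so edges analysts habitually follow are expanded
    first. Stops after `budget` traversals. Returns the refined context graph
    and the traversed paths (score, node/edge/node tuple) in priority order.
    """
    frontier = []  # heap of (-score, src, edge_type, dst, path_so_far)
    for node in context["nodes"]:
        for etype, nbr in kg.get(node, []):
            heapq.heappush(frontier, (-weights[etype], node, etype, nbr, (node,)))
    paths = []
    while frontier and budget > 0:
        neg_score, src, etype, dst, path = heapq.heappop(frontier)
        if (src, etype, dst) in context["edges"]:
            continue
        context["edges"].add((src, etype, dst))
        path = path + (etype, dst)
        paths.append((-neg_score, path))
        budget -= 1
        if dst in context["nodes"]:
            continue  # reached earlier via a better path; do not re-expand
        context["nodes"].add(dst)
        for etype2, nbr in kg.get(dst, []):
            heapq.heappush(frontier, (neg_score * weights[etype2], dst, etype2, nbr, path))
    return context, paths


def recommend(paths, k=3):
    """Top-k investigation paths to hand back to the analysts."""
    return sorted(paths, key=lambda p: -p[0])[:k]


def feed_back(workflows, accepted_path):
    """An analyst accepts a recommended path: its edge types (odd positions of
    the node/edge/node tuple) join the captured workflows, so the next
    encoding shifts toward it. This closes the feedback loop."""
    return workflows + [list(accepted_path[1::2])]


def investigate(offense, budget=4, workflows=ANALYST_WORKFLOWS):
    """Run the whole pipeline for one offense."""
    weights = encode_workflow(workflows)
    context = build_offense_context_graph(offense)
    return refine_offense_context_graph(context, KNOWLEDGE_GRAPH, weights, budget)


if __name__ == "__main__":
    ctx, found = investigate(OFFENSE)
    for score, path in recommend(found):
        print(f"{score:.4f}  {' -> '.join(path)}")
    updated = encode_workflow(feed_back(ANALYST_WORKFLOWS, found[2][1]))
    print("hosts weight after feedback:", updated["hosts"])
```

With a budget of four traversals the seed IP is expanded along resolves_to and seen_in, then the hosting relationship and the campaign attribution, while the low-weight registered_by edge is never followed; accepting the IP -> domain -> malware path raises the weights of resolves_to and hosts on the next run, which is the feedback effect the abstract describes. A multiplicative path score means a heavy edge deep in the graph still loses to a lighter edge near the offense, which keeps the refinement local unless the budget is large.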