Prioritizing Bayes network alerts
Abstract
This invention uses Bayesian techniques to prioritize alerts or alert groups generated by intrusion detection systems and other information security devices, such as network analyzers, network monitors, firewalls, antivirus software, authentication services, host and application security services, etc. In a preferred embodiment, alerts are examined for the presence of one or more relevant features, such as the type of an attack, the target of an attack, the outcome of an attack, etc. At least a subset of the features is then provided to a real-time Bayes network, which assigns relevance scores to the received alerts or alert groups. In another embodiment, a network manager (a person) can disagree with the relevance score assigned by the Bayes network, and give an alert or alert group a different relevance score. The Bayes network is then modified so that similar future alerts or alert groups will be assigned a relevance score that more closely matches the score given by the network manager.
Claims
1. In a computer network having an information security device that generates alerts when attacks or anomalous incidents are detected, a method for prioritizing alerts comprising the steps of:
receiving alerts from the information security device;
examining the received alerts for the presence of one or more relevant features;
providing a summary or list of the features from at least a subset of the received alerts to a Bayes network for analysis; and
assigning relevance scores to at least a subset of the received alerts, the relevance scores based at least in part on the analysis performed by the Bayes network.
(Claims 2, 3, 4 and 5 are dependent claims of claim 1.)
6. In a computer network that has a plurality of information security devices, each of which generates alerts when attacks or anomalous incidents are detected, a method for prioritizing groups of related alerts comprising the steps of:
receiving the groups of related alerts;
examining the received groups for the presence of one or more relevant features;
providing a summary or list of the features from at least a subset of the received groups to a Bayes network for analysis; and
assigning relevance scores to at least a subset of the received groups, the relevance scores based at least in part on the analysis performed by the Bayes network.
7. In a computer network having an information security device that generates alerts when attacks or anomalous incidents are detected, a method for assigning a relevance score to alerts comprising the steps of:
receiving a first alert;
examining the first alert for the presence of one or more relevant features;
providing a summary or list of the features from the first alert to a Bayes network for analysis;
assigning a relevance score to the first alert, the relevance score based at least in part on the analysis performed by the Bayes network;
receiving a second relevance score from a network operator; and
modifying the Bayes network such that when a subsequent alert similar to the first alert is analyzed by the Bayes network, the subsequent alert is assigned a relevance score that more closely matches the second relevance score.
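The abstract and claims 1, 6 and 7 describe the same loop: extract discrete features (attack type, target, outcome) from each alert, hand them to a Bayes network that returns a relevance score, rank alerts by that score, and fold an operator's override back into the network so later alerts with the same features score closer to the operator's value. The following is an added example written for this page, not code from the patent or its assignee. The patent names a "Bayes network" without fixing its structure, so the example assumes the simplest form, a naive Bayes classifier over discrete features; the feature values, the labelled history, the incoming alerts, the operator's score of 0.9 and the feedback weight are all constructed for illustration.

```python
"""Naive Bayes alert prioritizer with operator feedback.

Added example, not code from the patent. Assumes a naive Bayes model over
discrete alert features; every feature value, label and alert below is
constructed.
"""
from collections import defaultdict

# The features the abstract names: attack type, target, outcome.
FEATURES = ("attack_type", "target", "outcome")
CLASSES = ("relevant", "irrelevant")


class NaiveBayesPrioritizer:
    """Scores an alert with P(relevant | features) under a naive Bayes model."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha  # Laplace smoothing so unseen values never zero out
        self.class_count = {c: 0.0 for c in CLASSES}
        # feature_count[feature][class][value] -> (possibly fractional) count
        self.feature_count = {
            f: {c: defaultdict(float) for c in CLASSES} for f in FEATURES
        }
        self.values = {f: set() for f in FEATURES}  # value alphabet per feature

    def _observe(self, alert, p_relevant, weight=1.0):
        """Credit `weight` observations, split p_relevant : 1 - p_relevant."""
        for cls, share in (("relevant", p_relevant), ("irrelevant", 1.0 - p_relevant)):
            self.class_count[cls] += weight * share
            for f in FEATURES:
                self.feature_count[f][cls][alert[f]] += weight * share
                self.values[f].add(alert[f])

    def train(self, alert, relevant):
        """Hard-labelled training alert (labels here are constructed)."""
        self._observe(alert, 1.0 if relevant else 0.0)

    def score(self, alert):
        """Relevance score in [0, 1]: posterior probability of 'relevant'."""
        total = sum(self.class_count.values())
        joint = {}
        for cls in CLASSES:
            n_cls = self.class_count[cls]
            p = (n_cls + self.alpha) / (total + self.alpha * len(CLASSES))
            for f in FEATURES:
                k = len(self.values[f] | {alert[f]})  # alphabet incl. this value
                p *= (self.feature_count[f][cls][alert[f]] + self.alpha) / (
                    n_cls + self.alpha * k
                )
            joint[cls] = p
        return joint["relevant"] / (joint["relevant"] + joint["irrelevant"])

    def operator_feedback(self, alert, operator_score, weight=5.0):
        """Claim 7: fold the operator's score in as `weight` fractional
        observations, so later alerts with the same features score closer to
        it. `weight` is a tuning knob chosen for this example, not from the patent."""
        self._observe(alert, operator_score, weight)

    def prioritize(self, alerts):
        """Claims 1 and 6: (score, alert) pairs, most relevant first."""
        return sorted(((self.score(a), a) for a in alerts), key=lambda t: -t[0])


# Constructed labelled history; "relevant" means an analyst wanted to see it.
TRAINING = [
    ({"attack_type": "sql_injection", "target": "db_server", "outcome": "success"}, True),
    ({"attack_type": "sql_injection", "target": "db_server", "outcome": "success"}, True),
    ({"attack_type": "brute_force", "target": "vpn_gateway", "outcome": "success"}, True),
    ({"attack_type": "brute_force", "target": "vpn_gateway", "outcome": "failed"}, False),
    ({"attack_type": "port_scan", "target": "workstation", "outcome": "blocked"}, False),
    ({"attack_type": "port_scan", "target": "workstation", "outcome": "blocked"}, False),
    ({"attack_type": "port_scan", "target": "db_server", "outcome": "blocked"}, False),
]


def build_model():
    model = NaiveBayesPrioritizer()
    for alert, label in TRAINING:
        model.train(alert, label)
    return model


def prioritize_demo():
    """Rank a constructed batch of incoming alerts; returns attack types in order."""
    batch = [
        {"attack_type": "port_scan", "target": "db_server", "outcome": "blocked"},
        {"attack_type": "sql_injection", "target": "db_server", "outcome": "success"},
        {"attack_type": "brute_force", "target": "vpn_gateway", "outcome": "success"},
    ]
    return [a["attack_type"] for _, a in build_model().prioritize(batch)]


def feedback_demo():
    """Score an alert, let the operator override it, rescore a similar alert."""
    model = build_model()
    alert = {"attack_type": "port_scan", "target": "db_server", "outcome": "blocked"}
    before = model.score(alert)
    model.operator_feedback(alert, operator_score=0.9)  # operator: DB scans matter
    similar = dict(alert)  # a later alert carrying the same features
    after = model.score(similar)
    return before, after


if __name__ == "__main__":
    print("priority order:", prioritize_demo())
    b, a = feedback_demo()
    print(f"port_scan on db_server: {b:.2f} before feedback, {a:.2f} after")
```

With the constructed history, the blocked port scan against the database server scores about 0.11 and sits last in the batch; after the operator rates it 0.9, an identical later alert scores about 0.72. The fractional-observation update is one way to realise the "modifying the Bayes network" step of claim 7; the weight controls how quickly one override moves the model, and a production system would want it bounded so a single mis-click cannot swamp the learned history.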
Specification