INCIDENT TRIAGE ENGINE

US 20140223567A1
Filed: 04/08/2014
Published: 08/07/2014
Est. Priority Date: 10/07/2011
Status: Active Grant

First Claim

Patent Images

1-5. -5. (canceled)

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An incident triage engine performs incident triage in a system by prioritizing responses to incidents within the system. One prioritization method may include receiving attributes of incidents and assets in the system, generating cumulative loss forecasts for the incidents, and prioritizing the responses to the incidents based on the cumulative loss forecasts for the incidents. Another prioritization method may include determining different arrangements of incidents within a response queue, calculating cumulative queue loss forecasts for the different arrangements of incidents within the response queue, and arranging the incidents in the response queue based on the arrangement of incidents that minimizes the total loss to the system over the resolution of all of the incidents present in the response queue.

16 Citations

View as Search Results

42 Claims

1-5. -5. (canceled)

6. A method of prioritizing responses to a plurality of incidents within a system, the method being performed by a processor connected to a memory, the method comprising:
- determining a plurality of different arrangements of the incidents within a response queue;
  
  calculating, for each of the plurality of different arrangements of the incidents within the response queue, a cumulative queue loss forecast based on the arrangement of the incidents within the response queue; and
  
  arranging the order of the incidents within the response queue according to the arrangement of the incidents within the response queue with the smallest cumulative queue loss forecast.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14)
- - 7. The method according to claim 6, wherein the plurality of different arrangements of the incidents within the response queue includes all possible arrangements of the incidents within the response queue.
  - 8. The method according to claim 6, the method further comprising:
    - receiving, for each incident, a remediation time attribute based on the course of action associated with the incident, wherein;
      
      each incident is associated with a course of action for resolving the incident;
      
      the calculating further includes, for each of the incidents, calculating a loss forecast based on a total time to resolve the incident, the total time to resolve the incident being based on sum of the remediation time of the incident plus the remediation times of all of the incidents at an earlier position in the queue; and
      
      the cumulative queue loss forecast is the sum of the loss forecasts calculated for each of the incidents.
  - 9. The method according to claim 8, wherein machine learning is used to associate each incident with the course of action for resolving the incident.
  - 10. The method according to claim 8, the method further comprising:
    - after arranging the order of the incidents within the response queue, executing the course of action associated with the incident arranged first in the response queue.
  - 11. The method according to claim 8, wherein:
    - the receiving further includes receiving attributes of the system, attributes of assets within the system, and attributes of the incidents; and
      
      the determining, calculating, arranging and receiving are continuously performed, and the calculating is performed based on most recently received attributes of the courses of action and most recently received attributes of the system.
  - 12. The method according to claim 11, wherein:
    - the attributes of the system include an environmental factors attribute;
      
      the attributes of the incidents include one or more of the following;
      
      an incident morbidity attribute or an incident infectiousness attribute, where the incident morbidity attribute includes one or more of the following;
      
      a confidentiality impact of the incident, an integrity impact of the incident, an availability impact of the incident, a progression speed of the incident, or an incubation time of the incident, and where the incident infectiousness attribute includes one or more of the following;
      
      a potency of the incident, a transmission mode of the incident, or a latency period of the incident; and
      
      the attributes of the assets include one or more of the following;
      
      a value attribute or an immunity attribute, where the value attribute includes one or more of the following;
      
      a confidentiality value of the asset, an integrity value of the asset, an availability value of the asset, or a substitutability value of the asset, and where the immunity attribute includes a susceptibility value of the asset.
  - 13. The method according to claim 6, wherein the determining, calculating and arranging are repeated after one or more of the following:
    - an incident being added to the queue, or an incident being removed from the queue.
  - 14. The method according to claim 6, wherein:
    - the system is a computer network;
      
      the plurality of linked assets includes one or more of the following;
      
      a database server, an application server, a firewall, an intrusion detection system, a router, a switch, a bridge, a repeater, or an end point; and
      
      the incidents include one or more of the following;
      
      a denial of service attack, a virus, a worm, a trojan horse, a backdoor, or a cookie tracker.

15-19. -19. (canceled)

20. A non-transitory computer-readable storage medium storing computer program instructions for prioritizing responses to a plurality of incidents within a system according to a method, the method comprising:
- determining a plurality of different arrangements of the incidents within a response queue;
  
  calculating, for each of the plurality of different arrangements of the incidents within the response queue, a cumulative queue loss forecast based on the arrangement of the incidents within the response queue; and
  
  arranging the order of the incidents within the response queue according to the arrangement of the incidents within the response queue with the smallest cumulative queue loss forecast.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28)
- - 21. The computer-readable storage medium according to claim 20, wherein the plurality of different arrangements of the incidents within the response queue includes all possible arrangements of the incidents within the response queue.
  - 22. The computer-readable storage medium according to claim 20, the method further comprising:
    - receiving, for each incident, a remediation time attribute based on the course of action associated with the incident, wherein;
      
      each incident is associated with a course of action for resolving the incident;
      
      the calculating further includes, for each of the incidents, calculating a loss forecast based on a total time to resolve the incident, the total time to resolve the incident being based on sum of the remediation time of the incident plus the remediation times of all of the incidents at an earlier position in the queue; and
      
      the cumulative queue loss forecast is the sum of the loss forecasts calculated for each of the incidents.
  - 23. The computer-readable storage medium according to claim 22, wherein machine learning is used to associate each incident with the course of action for resolving the incident.
  - 24. The computer-readable storage medium according to claim 22, the method further comprising:
    - after arranging the order of the incidents within the response queue, executing the course of action associated with the incident arranged first in the response queue.
  - 25. The computer-readable storage medium according to claim 22, wherein:
    - the receiving further includes receiving attributes of the system, attributes of assets within the system, and attributes of the incidents; and
      
      the determining, calculating, arranging and receiving are continuously performed, and the calculating is performed based on most recently received attributes of the courses of action and most recently received attributes of the system.
  - 26. The computer-readable storage medium according to claim 25, wherein:
    - the attributes of the system include an environmental factors attribute;
      
      the attributes of the incidents include one or more of the following;
      
      an incident morbidity attribute or an incident infectiousness attribute, where the incident morbidity attribute includes one or more of the following;
      
      a confidentiality impact of the incident, an integrity impact of the incident, an availability impact of the incident, a progression speed of the incident, or an incubation time of the incident, and where the incident infectiousness attribute includes one or more of the following;
      
      a potency of the incident, a transmission mode of the incident, or a latency period of the incident; and
      
      the attributes of the assets include one or more of the following;
      
      a value attribute or an immunity attribute, where the value attribute includes one or more of the following;
      
      a confidentiality value of the asset, an integrity value of the asset, an availability value of the asset, or a substitutability value of the asset, and where the immunity attribute includes a susceptibility value of the asset.
  - 27. The computer-readable storage medium according to claim 20, wherein the determining, calculating and arranging are repeated after one or more of the following:
    - an incident being added to the queue, or an incident being removed from the queue.
  - 28. The computer-readable storage medium according to claim 20, wherein:
    - the system is a computer network;
      
      the plurality of linked assets includes one or more of the following;
      
      a database server, an application server, a firewall, an intrusion detection system, a router, a switch, a bridge, a repeater, or an end point; and
      
      the incidents include one or more of the following;
      
      a denial of service attack, a virus, a worm, a trojan horse, a backdoor, or a cookie tracker.

29-33. -33. (canceled)

34. A system including a processor and a memory, the memory storing instructions operable with the processor for prioritizing responses to a plurality of incidents within an environment, the instructions associated with a plurality of devices, the devices comprising:
- a determining device that determines a plurality of different arrangements of the incidents within a response queue;
  
  a calculating device that calculates, for each of the plurality of different arrangements of the incidents within the response queue, a cumulative queue loss forecast based on the arrangement of the incidents within the response queue; and
  
  an arranging device that arranges the order of the incidents within the response queue according to the arrangement of the incidents within the response queue with the smallest cumulative queue loss forecast.
- View Dependent Claims (35, 36, 37, 38, 39, 40, 41, 42)
- - 35. The system according to claim 34, wherein the plurality of different arrangements of the incidents within the response queue determined by the determining device includes all possible arrangements of the incidents within the response queue.
  - 36. The system according to claim 34 further comprising:
    - a receiving device that receives, for each incident, a remediation time attribute based on the course of action associated with the incident; and
      
      an associating device that associates each incident with a course of action for resolving the incident;
      
      wherein;
      
      the calculating further includes, for each of the incidents, calculating a loss forecast based on a total time to resolve the incident, the total time to resolve the incident being based on sum of the remediation time of the incident plus the remediation times of all of the incidents at an earlier position in the queue; and
      
      the cumulative queue loss forecast is the sum of the loss forecasts calculated for each of the incidents.
  - 37. The system according to claim 36, wherein machine learning is used to associate each incident with the course of action for resolving the incident.
  - 38. The system according to claim 36 further comprising:
    - an executing device that, after arranging the order of the incidents within the response queue, executes the course of action associated with the incident arranged first in the response queue.
  - 39. The system according to claim 36, wherein:
    - the receiving further includes receiving attributes of the environment, attributes of assets within the environment, and attributes of the incidents; and
      
      the determining by the determining device, the calculating by the calculating device, the arranging by the arranging device and the receiving by the receiving device are continuously performed, and the calculating is performed based on most recently received attributes of the courses of action and most recently received attributes of the environment.
  - 40. The system according to claim 39, wherein:
    - the attributes of the environment include an environmental factors attribute;
      
      the attributes of the incidents include one or more of the following;
      
      an incident morbidity attribute or an incident infectiousness attribute, where the incident morbidity attribute includes one or more of the following;
      
      a confidentiality impact of the incident, an integrity impact of the incident, an availability impact of the incident, a progression speed of the incident, or an incubation time of the incident, and where the incident infectiousness attribute includes one or more of the following;
      
      a potency of the incident, a transmission mode of the incident, or a latency period of the incident; and
      
      the attributes of the assets include one or more of the following;
      
      a value attribute or an immunity attribute, where the value attribute includes one or more of the following;
      
      a confidentiality value of the asset, an integrity value of the asset, an availability value of the asset, or a substitutability value of the asset, and where the immunity attribute includes a susceptibility value of the asset.
  - 41. The system according to claim 34, wherein determining by the determining device, the calculating by the calculating device, and the arranging by the arranging device are repeated after one or more of the following:
    - an incident being added to the queue, or an incident being removed from the queue.
  - 42. The system according to claim 34, wherein:
    - the environment is a computer network;
      
      the plurality of linked assets includes one or more of the following;
      
      a database server, an application server, a firewall, an intrusion detection system, a router, a switch, a bridge, a repeater, or an end point; and
      
      the incidents include one or more of the following;
      
      a denial of service attack, a virus, a worm, a trojan horse, a backdoor, or a cookie tracker.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture Global Services Limited (Accenture PLC)
Original Assignee
Accenture Global Services Limited (Accenture PLC)
Inventors
HOWES, Joshua Z., NEGM, Walid, SOLDERITSCH, James J., JOTWANI, Ashish, CARVER, Matthew

Granted Patent

US 9,369,481 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

G06Q 10/10   Office automation; Time man...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

INCIDENT TRIAGE ENGINE

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

42 Claims

Specification

Use Cases

Quick Links

Others

INCIDENT TRIAGE ENGINE

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

42 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others