Threat disposition analysis and modeling using supervised machine learning
Abstract
An enhanced threat disposition analysis technique is provided. In response to receipt of a security threat, a threat disposition score (TDS) is retrieved. The threat disposition score is generated from a machine learning scoring model that is built from information about historical security threats, including historical disposition of one or more alerts associated with the historical security threats. The system augments an alert to include the threat disposition score, optionally together with a confidence level, to generate an enriched alert. The enriched alert is then presented to the security analyst for handling directly. Depending on the TDS (and its confidence level), the analyst may be able to respond to the threat immediately, i.e., without further detailed investigation. Preferably, the machine learning model is updated continuously as the system handles security threats, thereby increasing the predictive benefit of the TDS scoring.
25 Claims
1. A method for threat disposition analysis, comprising:
responsive to receipt of a security threat, retrieving a threat disposition score (TDS), the threat disposition score generated from a machine learning scoring model built from information about historical security threats, including historical disposition of one or more alerts associated with the historical security threats;
augmenting an alert to include the threat disposition score to generate an enriched alert; and
presenting the enriched alert for further handling.
(Dependent claims 2, 3, 4, 5, 6, 7 and 8 depend from claim 1 and are not reproduced here.)
9. An apparatus, comprising:
a processor;
computer memory holding computer program instructions executed by the processor for threat disposition analysis, the computer program instructions operative to:
retrieve a threat disposition score (TDS) in response to receipt of a security threat, the threat disposition score generated from a machine learning scoring model built from information about historical security threats, including historical disposition of one or more alerts associated with the historical security threats;
augment an alert to include the threat disposition score to generate an enriched alert; and
present the enriched alert for further handling.
(Dependent claims 10, 11, 12, 13, 14, 15 and 16 depend from claim 9 and are not reproduced here.)
17. A computer program product in a non-transitory computer readable medium for use in a data processing system for threat disposition analysis, the computer program product holding computer program instructions that, when executed by the data processing system, are operative to:
retrieve a threat disposition score (TDS) in response to receipt of a security threat, the threat disposition score generated from a machine learning scoring model built from information about historical security threats, including historical disposition of one or more alerts associated with the historical security threats;
augment an alert to include the threat disposition score to generate an enriched alert; and
present the enriched alert for further handling.
(Dependent claims 18, 19, 20, 21, 22, 23 and 24 depend from claim 17 and are not reproduced here.)
25. A security threat analysis platform, comprising:
one or more hardware processors;
a data store holding a knowledge base of alert data, and historical alert disposition handling information; and
computer memory storing computer program instructions configured to:
compute a scoring model by applying machine learning to information derived from the knowledge base, the information including historical security threats, including historical disposition of one or more alerts associated with the historical security threats;
respond to receipt of a new security threat, using the scoring model to generate an alert having an associated threat disposition score and confidence level; and
receive and respond to handling information for the alert.
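The abstract and claim 25 together describe one loop: a scoring model learned from historical alert dispositions, a TDS plus confidence level attached to each new alert so the analyst can act on decisive cases directly, and the analyst's handling fed back so the model keeps learning. The following is an added illustration of that loop in pure Python; it is not the patent's code or any vendor's implementation. The disposition labels (`escalate`/`close`), the alert fields, the naive Bayes scoring model, the confidence discount and the sample history are all constructed assumptions chosen so the example runs offline.

```python
"""Threat disposition scoring (TDS) in miniature: a model learned from past
alert dispositions, a score plus confidence attached to a new alert, and a
feedback step that folds the analyst's decision back into the model.
Constructed example, not the patent's own code; labels, alert fields, the
model choice and the confidence heuristic are assumptions."""
from collections import Counter, defaultdict
from math import exp, log

ESCALATE = "escalate"   # assumed label: analyst treated the alert as a real threat
CLOSE = "close"         # assumed label: analyst closed it as benign / false positive
FEATURES = ("rule", "asset_tier", "src_geo", "user_type")   # assumed alert fields


class DispositionModel:
    """Categorical naive Bayes over alert fields, Laplace-smoothed.

    Each historical alert is a set of categorical observations and its
    disposition is the class. Because the model is only counters, one more
    disposition can be absorbed at any time, which gives the 'updated
    continuously' behaviour the abstract calls for.
    """

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.class_counts = Counter()                                   # disposition -> n
        self.value_counts = defaultdict(lambda: defaultdict(Counter))   # feature -> disposition -> value -> n
        self.vocab = defaultdict(set)                                   # feature -> values seen so far

    def update(self, alert, disposition):
        """Absorb one disposed alert (used for bulk history and for live feedback)."""
        self.class_counts[disposition] += 1
        for f in FEATURES:
            v = alert.get(f, "<missing>")
            self.value_counts[f][disposition][v] += 1
            self.vocab[f].add(v)

    def fit(self, history):
        for alert, disposition in history:
            self.update(alert, disposition)
        return self

    def posterior(self, alert):
        """P(disposition | alert) for every disposition seen so far."""
        if not self.class_counts:
            return {}
        total = sum(self.class_counts.values())
        n_classes = len(self.class_counts)
        log_scores = {}
        for c, n_c in self.class_counts.items():
            lp = log((n_c + self.alpha) / (total + self.alpha * n_classes))
            for f in FEATURES:
                v = alert.get(f, "<missing>")
                k = len(self.vocab[f]) + 1      # +1 keeps probability mass for never-seen values
                lp += log((self.value_counts[f][c][v] + self.alpha) / (n_c + self.alpha * k))
            log_scores[c] = lp
        m = max(log_scores.values())             # log-sum-exp keeps the normaliser stable
        z = sum(exp(s - m) for s in log_scores.values())
        return {c: exp(s - m) / z for c, s in log_scores.items()}

    def score(self, alert):
        """Return (tds, confidence): tds is P(escalate | alert); confidence is the
        distance from a coin flip, discounted while history is thin. The discount
        total/(total+5) is an assumed heuristic, not something the page specifies."""
        p = self.posterior(alert)
        if not p:
            return 0.5, 0.0
        tds = p.get(ESCALATE, 0.0)
        total = sum(self.class_counts.values())
        confidence = abs(2 * tds - 1) * total / (total + 5)
        return round(tds, 3), round(confidence, 3)


def enrich_alert(alert, model, high=0.9, low=0.1, min_conf=0.6):
    """Attach TDS and confidence to the alert and, only when both are decisive,
    a suggested disposition the analyst can apply without a deeper investigation."""
    tds, conf = model.score(alert)
    enriched = dict(alert, tds=tds, tds_confidence=conf)
    if conf >= min_conf and tds >= high:
        enriched["suggested_action"] = ESCALATE
    elif conf >= min_conf and tds <= low:
        enriched["suggested_action"] = CLOSE
    else:
        enriched["suggested_action"] = "investigate"
    return enriched


def record_disposition(model, alert, disposition):
    """The feedback path of claim 25: the analyst's handling becomes training data."""
    model.update(alert, disposition)


# Constructed history: six alerts the analysts escalated, six they closed.
HISTORY = [
    ({"rule": "brute_force", "asset_tier": "crown_jewel", "src_geo": "external", "user_type": "admin"}, ESCALATE),
    ({"rule": "brute_force", "asset_tier": "crown_jewel", "src_geo": "external", "user_type": "service"}, ESCALATE),
    ({"rule": "priv_escalation", "asset_tier": "crown_jewel", "src_geo": "internal", "user_type": "admin"}, ESCALATE),
    ({"rule": "brute_force", "asset_tier": "workstation", "src_geo": "external", "user_type": "admin"}, ESCALATE),
    ({"rule": "priv_escalation", "asset_tier": "crown_jewel", "src_geo": "external", "user_type": "admin"}, ESCALATE),
    ({"rule": "brute_force", "asset_tier": "crown_jewel", "src_geo": "external", "user_type": "admin"}, ESCALATE),
    ({"rule": "scanner_noise", "asset_tier": "workstation", "src_geo": "internal", "user_type": "employee"}, CLOSE),
    ({"rule": "scanner_noise", "asset_tier": "workstation", "src_geo": "internal", "user_type": "service"}, CLOSE),
    ({"rule": "scanner_noise", "asset_tier": "crown_jewel", "src_geo": "internal", "user_type": "service"}, CLOSE),
    ({"rule": "brute_force", "asset_tier": "workstation", "src_geo": "internal", "user_type": "employee"}, CLOSE),
    ({"rule": "scanner_noise", "asset_tier": "workstation", "src_geo": "external", "user_type": "employee"}, CLOSE),
    ({"rule": "scanner_noise", "asset_tier": "workstation", "src_geo": "internal", "user_type": "employee"}, CLOSE),
]

if __name__ == "__main__":
    model = DispositionModel().fit(HISTORY)
    new_alert = {"rule": "brute_force", "asset_tier": "crown_jewel", "src_geo": "external", "user_type": "admin"}
    print(enrich_alert(new_alert, model))
```

Two design points follow from the claims rather than from the toy model. First, the confidence level is what makes the "respond immediately" path safe to offer: an alert whose rule has never been seen before lands at an indecisive TDS with low confidence and is routed to investigation instead of being auto-closed. Second, because the feedback path makes analyst dispositions the training labels, the model learns whatever the analysts habitually do, including any alert class they routinely close without looking; the thresholds `high`, `low` and `min_conf` are the knobs a team would tune against its own review of past dispositions.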