Threat disposition analysis and modeling using supervised machine learning

US 20180367561A1
Filed: 06/14/2017
Published: 12/20/2018
Est. Priority Date: 06/14/2017
Status: Active Grant

First Claim

Patent Images

1. A method for threat disposition analysis, comprising:

responsive to receipt of a security threat, retrieving a threat disposition score (TDS), the threat disposition score generated from a machine learning scoring model built from information about historical security threats, including historical disposition of one or more alerts associated with the historical security threats;

augmenting an alert to include the threat disposition score to generate an enriched alert; and

presenting the enriched alert for further handling.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An enhanced threat disposition analysis technique is provided. In response to receipt of a security threat, a threat disposition score (TDS) is retrieved. The threat disposition score is generated from a machine learning scoring model that is built from information about historical security threats, including historical disposition of one or more alerts associated with the historical security threats. The system augments an alert to include the threat disposition score, optionally together with a confidence level, to generate an enriched alert. The enriched alert is then presented to the security analyst for handling directly. Depending on the TDS (and its confidence level), the analyst may be able to respond to the threat immediately, i.e., without further detailed investigation. Preferably, the machine learning model is updated continuously as the system handles security threats, thereby increasing the predictive benefit of the TDS scoring.

Citations

25 Claims

1. A method for threat disposition analysis, comprising:
- responsive to receipt of a security threat, retrieving a threat disposition score (TDS), the threat disposition score generated from a machine learning scoring model built from information about historical security threats, including historical disposition of one or more alerts associated with the historical security threats;
  
  augmenting an alert to include the threat disposition score to generate an enriched alert; and
  
  presenting the enriched alert for further handling.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method as described in claim 1 wherein enriched alert also includes historical information about how the security threat has been handled previously.
  - 3. The method as described in claim 1 wherein the historical disposition comprises one of:
    - an action taken by a security analyst in response to an alert associated with the historical security threat, and feedback on handling of the alert associated with the historical security threat.
  - 4. The method as described in claim 1 further including building the machine learning scoring model, wherein the machine learning scoring model also is built from a set of attributes regarding an alert.
  - 5. The method as described in claim 1 further including receiving data configuring the set of attributes.
  - 6. The method as described in claim 1 further including updating the machine learning scoring model.
  - 7. The method as described in claim 1, further comprising:
    - providing a confidence level associated with the TDS; and
      
      responsive to the confidence level reaching a threshold, automatically performing a set of one or more actions to ameliorate the security threat.
  - 8. The method as described in claim 1 wherein the further handling is one of:
    - closing the security threat as a false position, and escalating the security threat.

9. An apparatus, comprising:
- a processor;
  
  computer memory holding computer program instructions executed by the processor for threat disposition analysis, the computer program instructions operative to;
  
  retrieve a threat disposition score (TDS) in response to receipt of a security threat, the threat disposition score generated from a machine learning scoring model built from information about historical security threats, including historical disposition of one or more alerts associated with the historical security threats;
  
  augment an alert to include the threat disposition score to generate an enriched alert; and
  
  present the enriched alert for further handling.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The apparatus as described in claim 9 wherein enriched alert also includes historical information about how the security threat has been handled previously.
  - 11. The apparatus as described in claim 9 wherein the historical disposition comprises one of:
    - an action taken by a security analyst in response to an alert associated with the historical security threat, and feedback on handling of the alert associated with the historical security threat.
  - 12. The apparatus as described in claim 9 wherein the computer program instructions are further operative to build the machine learning scoring model, wherein the machine learning scoring model also is built from a set of attributes regarding an alert.
  - 13. The apparatus as described in claim 9 wherein the computer program instructions also are operative to receive data configuring the set of attributes.
  - 14. The apparatus as described in claim 9 wherein the computer program instructions also are operative to update the machine learning scoring model.
  - 15. The apparatus as described in claim 9 wherein the computer program instructions also are operative to:
    - provide a confidence level associated with the TDS; and
      
      responsive to the confidence level reaching a threshold, automatically perform a set of one or more actions to ameliorate the security threat.
  - 16. The apparatus as described in claim 9 wherein the further handling is one of:
    - closing the security threat as a false position, and escalating the security threat.

17. A computer program product in a non-transitory computer readable medium for use in a data processing system for threat disposition analysis, the computer program product holding computer program instructions that, when executed by the data processing system, are operative to:
- retrieve a threat disposition score (TDS) in response to receipt of a security threat, the threat disposition score generated from a machine learning scoring model built from information about historical security threats, including historical disposition of one or more alerts associated with the historical security threats;
  
  augment an alert to include the threat disposition score to generate an enriched alert; and
  
  present the enriched alert for further handling.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The computer program product as described in claim 17 wherein enriched alert also includes historical information about how the security threat has been handled previously.
  - 19. The computer program product as described in claim 17 wherein the historical disposition comprises one of:
    - an action taken by a security analyst in response to an alert associated with the historical security threat, and feedback on handling of the alert associated with the historical security threat.
  - 20. The computer program product as described in claim 17 wherein the computer program instructions are further operative to build the machine learning scoring model, wherein the machine learning scoring model also is built from a set of attributes regarding an alert.
  - 21. The computer program product as described in claim 17 wherein the computer program instructions also are operative to receive data configuring the set of attributes.
  - 22. The computer program product as described in claim 17 wherein the computer program instructions also are operative to update the machine learning scoring model.
  - 23. The computer program product as described in claim 17 wherein the computer program instructions also are operative to:
    - provide a confidence level associated with the TDS; and
      
      responsive to the confidence level reaching a threshold, automatically perform a set of one or more actions to ameliorate the security threat.
  - 24. The computer program product as described in claim 17 wherein the further handling is one of:
    - closing the security threat as a false position, and escalating the security threat.

25. A security threat analysis platform, comprising:
- one or more hardware processors;
  
  a data store holding a knowledge base of alert data, and historical alert disposition handling information; and
  
  computer memory storing computer program instructions configured to;
  
  compute a scoring model by applying machine learning to information derived from the knowledge base, the information including historical security threats, including historical disposition of one or more alerts associated with the historical security threats;
  
  respond to receipt of a new security threat, using the scoring model to generate an alert having an associated threat disposition score and confidence level; and
  
  receive and respond to handling information for the alert.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Givental, Gary I., Bhatia, Aankur, Dwyer, Paul J.

Granted Patent

US 11,888,883 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06N 20/00   Machine learning

G06N 5/04   Inference or reasoning models

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

Threat disposition analysis and modeling using supervised machine learning

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Threat disposition analysis and modeling using supervised machine learning

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links